Unable to access internal subnets and browse servers

  • Question

  • Hi, I have a challenge here. I have deployed SSL VPN with UAG, using SSTP as we only have Win7 clients.

    After reading lots of docs, I finally made it work to some degree. The problem has 2 parts:

    1. I cannot browse file shares on internal servers; I only get a connection error. But I can ping them and even use AD administrative tools like DNS and DHCP Manager on my Win7 test computer with RSAT. So I guess UAG/TMG is blocking it, but I could not find anything in the TMG logs indicating that it was blocking it.

    2. I have several internal networks that I would like remote clients to connect to. But they can only access the same subnet as the NIC on the UAG is on, that is, the same subnet as the internal NIC.

     

    As for the setup, I have followed some instructions to include the other internal subnets, and they appear in both UAG and TMG as internal networks. And when I check the traffic on my external firewall, it shows that traffic is going into the UAG server on the external interface. But I don't find anything in the logs on TMG that says it's blocking the traffic from the VPN clients to the other internal subnets.

    UAG server: 192.168.2.35
    Internal subnets: 192.168.2.0/24, 192.168.5.0/24, 192.168.10.0/24.
    I can only access the first subnet (192.168.2.0/24).

    Any clues where I can start troubleshooting this?

     

    I have of course created a permanent route on the UAG also, like this:

    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0   87.246.173.129  Default
         192.168.10.0    255.255.255.0      192.168.2.1       1


    Thursday, July 28, 2011 11:55 AM

Answers

  • Hi MailMann,

    The most likely cause of the issue is that you haven't enabled NAT in TMG. Go to TMG, select Networking, Network Rules, VPN Clients to Internal Network >> Properties, and select NAT as the Network Relationship. This should allow you to access all of your internal networks that the UAG server has access to.

    Thanks


    • Proposed as answer by ZarkoC Thursday, August 11, 2011 10:33 AM
    • Marked as answer by Erez Benari Friday, August 26, 2011 10:33 PM
    Thursday, August 11, 2011 10:33 AM

All replies

    1.) Could be a problem related to NetBIOS name resolution. Can the clients access the file servers using \\server.domain.tld\share\? Did you deploy WINS, and do your VPN clients receive the WINS server IP addresses while connected?

     

    2.) Routing issues may have several causes. It strongly depends on how you have set up the VPN pool and integrated those IP addresses into your existing network infrastructure. Please provide a more detailed description of your infrastructure. What type of IP addresses are the VPN clients using (192.168.2.0/24 or a different scope)? Please post the routing table of the router connecting the different networks. Also post TRACERT/PATHPING outputs from 192.168.10.0/24 clients to the VPN pool, and from VPN clients to the 192.168.10.0/24 subnet.

     

    -Kai Wilke


    Thursday, July 28, 2011 1:58 PM
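The checks asked for in the reply above, written out as one script (added example, not from the thread or from Microsoft). It is meant to be run on the Win7 SSTP client while the VPN is connected and sticks to PowerShell 2.0 cmdlets. The file server names FS01 / fs01.corp.example, the share "Data" and the three gateway addresses are assumptions for illustration; swap in your own.

```powershell
# Added example, not part of the original thread. Run on the Win7 SSTP client
# while the VPN is connected. Assumed (hypothetical) names: file server FS01 /
# fs01.corp.example with a share called Data, and one gateway per internal subnet.
param(
    [string]$ShortName  = "FS01",
    [string]$Fqdn       = "fs01.corp.example",
    [string]$Share      = "Data",
    [string[]]$Gateways = @("192.168.2.1", "192.168.5.1", "192.168.10.1")
)

# 1. What did the VPN hand the client? The SSTP connection shows up as an extra
#    IP-enabled adapter; it must carry the internal DNS (and, for NetBIOS names,
#    WINS) servers, or short names like \\FS01 will never resolve.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
    ForEach-Object {
        "{0}" -f $_.Description
        "   IP   : {0}" -f ($_.IPAddress -join ", ")
        "   GW   : {0}" -f ($_.DefaultIPGateway -join ", ")
        "   DNS  : {0}" -f ($_.DNSServerSearchOrder -join ", ")
        "   WINS : {0} / {1}" -f $_.WINSPrimaryServer, $_.WINSSecondaryServer
    }

# 2. Name resolution: NetBIOS/short name versus DNS FQDN. If only the FQDN
#    resolves, the share problem is name resolution, not a blocked port.
function Resolve-Name([string]$Name) {
    try {
        ([System.Net.Dns]::GetHostAddresses($Name) |
            ForEach-Object { $_.IPAddressToString }) -join ", "
    } catch {
        "UNRESOLVED: " + $_.Exception.Message
    }
}
"Short name {0,-22} -> {1}" -f $ShortName, (Resolve-Name $ShortName)
"FQDN       {0,-22} -> {1}" -f $Fqdn, (Resolve-Name $Fqdn)

# 3. SMB reachability by both names. Test-Path goes through the same SMB client
#    Explorer uses, so its result matches what the user sees.
foreach ($n in @($ShortName, $Fqdn)) {
    $unc = "\\$n\$Share"
    "{0,-40} reachable: {1}" -f $unc, (Test-Path $unc)
}

# 4. Routing: can the client reach the gateway of every internal subnet, and
#    where does the path stop? If tracert gets past the UAG internal address and
#    then dies, the far subnet's router has no return route to the VPN pool.
foreach ($gw in $Gateways) {
    $ok = Test-Connection -ComputerName $gw -Count 2 -Quiet
    "Gateway {0,-15} ping: {1}" -f $gw, $ok
    if (-not $ok) { & tracert -d -h 8 -w 500 $gw }
}
```

Read the output in order: if step 2 resolves the FQDN but not the short name, the connection error on file shares is a WINS/NetBIOS problem and nothing in TMG needs to change; if step 3 fails for both names while step 4 pings succeed, something between the client and TCP 445 is in the way; if step 4 only reaches the 192.168.2.0/24 gateway, it is the routing question from part 2.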
  • Hi Zarko,

    Your answer could solve the OP's problems in a very easy way ^^

    But I have to note that using a NAT relationship to fix routing problems/misconfigurations is definitely not networking best practice, since enabling NAT will turn your VPN into a unidirectional communication channel with limited functionality.

    If the network environment doesn't have internal core routers in place, your suggested solution would be the "spare tire" to make it work. But every other environment with routers in place should rather implement proper routes to forward the VPN pool IP addresses to the internal UAG interface. This way you would get the bidirectional functionality out of your VPN connection.

    -Kai

    Thursday, August 11, 2011 11:05 PM
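What the routed (non-NAT) setup described in the reply above looks like, and how to prove it is bidirectional, as an added example that is not part of the thread or of any Microsoft documentation. From the OP's post it takes the UAG internal interface 192.168.2.35, the internal router 192.168.2.1 and the far subnet 192.168.10.0/24; the VPN pool 192.168.200.0/24, the test client 192.168.200.10, the far-subnet host 192.168.10.50 and the script name Test-VpnRouting.ps1 are assumptions. The router commands shown in comments are generic IOS-style / Windows RRAS syntax, not something taken from this thread.

```powershell
# Added example, not part of the original thread. Assumed (hypothetical) values:
# VPN pool 192.168.200.0/24 handed out by UAG, a connected test client at
# 192.168.200.10, and a host on the far subnet at 192.168.10.50. From the OP:
# UAG internal interface 192.168.2.35, internal router 192.168.2.1, far subnet
# 192.168.10.0/24.
$VpnPool     = "192.168.200.0"
$VpnPoolMask = "255.255.255.0"
$UagInternal = "192.168.2.35"
$VpnClient   = "192.168.200.10"
$FarSubnet   = "192.168.10.0"
$FarHost     = "192.168.10.50"

# The route that replaces the NAT relationship lives on the internal router, not
# on the UAG: the pool must be reachable through the UAG internal interface.
#   IOS-style router (not PowerShell):  ip route 192.168.200.0 255.255.255.0 192.168.2.35
#   Windows RRAS acting as the router:  route -p add 192.168.200.0 mask 255.255.255.0 192.168.2.35

# Parse "route print" into objects (PowerShell 2.0 on 2008 R2 has no Get-NetRoute).
# Only the five-column "Active Routes" lines match; the persistent-route block
# has four columns and is skipped on purpose.
function Get-RouteRows {
    & route -4 print | ForEach-Object {
        if ($_ -match '^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$') {
            New-Object PSObject -Property @{
                Destination = $matches[1]; Netmask   = $matches[2]
                Gateway     = $matches[3]; Interface = $matches[4]
                Metric      = [int]$matches[5]
            }
        }
    }
}

# Run on the UAG server: a forward route to each far subnet must be active and
# IP forwarding must be on, otherwise packets from the pool are never relayed.
function Test-UagSide {
    $rows = Get-RouteRows
    $fwd  = $rows | Where-Object { $_.Destination -eq $FarSubnet -and $_.Netmask -eq "255.255.255.0" }
    if ($fwd) { "UAG forward route to $FarSubnet/24 via {0}" -f $fwd.Gateway }
    else      { "MISSING: UAG has no active route to $FarSubnet/24" }

    $tcp = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -ErrorAction SilentlyContinue
    "IPEnableRouter = {0}  (1 = IP forwarding on)" -f $tcp.IPEnableRouter

    # If the UAG itself reaches the far host but a VPN client cannot, the UAG is
    # fine and the router is missing the return route for the pool.
    "UAG -> far host {0}: {1}" -f $FarHost, (Test-Connection -ComputerName $FarHost -Count 2 -Quiet)
}

# Run on a host inside the far subnet (192.168.10.0/24): with a routed (non-NAT)
# relationship the host must reach the VPN client, and the trace must pass the
# router and then the UAG internal address. With NAT, or with the pool route
# missing on the router, this direction fails: that is the "unidirectional" limit.
function Test-ReturnPath {
    & tracert -d -h 6 -w 500 $VpnClient
    $ok = Test-Connection -ComputerName $VpnClient -Count 2 -Quiet
    "Far host -> VPN client {0} (expect path via $UagInternal): {1}" -f $VpnClient, $ok
}

# Pick the check matching the machine you are on:
#   . .\Test-VpnRouting.ps1; Test-UagSide      # on the UAG server
#   . .\Test-VpnRouting.ps1; Test-ReturnPath   # on a 192.168.10.0/24 host
```

Two caveats when reading the results: the Win7 client's firewall must allow ICMP echo on the VPN profile or Test-ReturnPath will report false even when routing is right, and if the TMG network rule between VPN Clients and Internal is still set to NAT, the tracert from the far host will never see the pool address at all because the client only ever appears as 192.168.2.35.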