UAG only passes ICMP traffic & windows firewall

  • Question

  • A while back Jackal99 had a thread going which had exactly my problem, which was never resolved and I think was the problem I had (http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/a679f007-4daa-4cfb-88bb-21f958c3d383). I found that everything **looked** fine, my clients would connect and I could route traffic (i.e. ONLY ping internal hosts). External DNS did not function at all, nor did accessing internal resources. It seemed like the IPsec tunnel was an issue. What seems to have solved my days of troubleshooting was turning off all 3 Windows Firewall profiles on the UAG.

    Suddenly DA functions properly. If you look in the Windows Firewall on the UAG it says "These settings are being managed by vendor application TMG"... Is this the unrecommended way of fixing this problem? Is it normally supposed to be turned off before you perform a UAG installation? I don't want to compromise security and I'm not all that familiar with how TMG interacts with WF.

    Monday, March 15, 2010 3:23 PM

Answers

  • Hi Eric,

    Don't turn off the Windows Firewall or remove the firewall settings from the profiles.
    After you run the UAG DA wizard, complete it and click "Activate", all the settings on the DA server are correct and you do not need to go into the Windows Firewall for Advanced Security to configure things; they will "just work".

    You might want to run the DA wizard again and reapply the configuration to the DA server and the DA clients.
    Make sure you use gpupdate /force on both the client and server to confirm that the new GPO settings were applied.
    Go to the DA server and confirm that the connection security rules are applied, do the same thing on the client.

    After you make the connection to the DA server, check the Monitoring section in the client's Windows Firewall for Advanced Security console. You should see Main Mode connections that use NTLMv2 and Kerberos (Kerberos will be used if you connect to resources that aren't on the management servers list).

    HTH,
    Tom
    MS ISDUA/UAG DA Anywhere Access Team
    Monday, March 15, 2010 6:46 PM
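The checks Tom lists (re-apply the wizard, gpupdate /force, confirm the connection security rules on server and client, then look at the Main Mode SAs) can be scripted rather than clicked through. The following PowerShell is an added example and not part of this thread or of the UAG product; it uses only the netsh advfirewall commands that exist on Windows 7 and Windows Server 2008 R2. It assumes English netsh/gpresult output and assumes that the GPOs and connection security rules created by the UAG wizard carry "DirectAccess" in their names, which is why it matches on that word loosely instead of on exact names.

```powershell
# Added example (not from the original thread). Walks Tom's checks with the
# netsh advfirewall commands present on Windows 7 / Server 2008 R2.
# Run from an elevated PowerShell (2.0 is enough) on the UAG DA server, then
# on a DA client. Assumptions: English netsh/gpresult output, and that the
# UAG wizard's GPOs and connection security rules contain "DirectAccess" in
# their names (matching is deliberately loose for that reason).

function Update-DaPolicy {
    # Step 1: pull the re-activated GPO and show which DA GPOs applied.
    gpupdate /force | Out-Null
    $applied = @(gpresult /r | Select-String -Pattern 'DirectAccess')
    if ($applied.Count -eq 0) {
        Write-Warning "No GPO with 'DirectAccess' in its name applied; re-run the wizard and Activate."
    }
    $applied | ForEach-Object { Write-Host ("Applied GPO: " + $_.Line.Trim()) }
}

function Test-FirewallProfiles {
    # Step 2: all three profiles must be ON. The connection security rules
    # the wizard pushes live inside Windows Firewall, so switching the
    # profiles off also drops the IPsec rules that build the DA tunnels.
    $name = $null
    netsh advfirewall show allprofiles | ForEach-Object {
        if ($_ -match '^(Domain|Private|Public) Profile Settings') { $name = $Matches[1] }
        elseif ($_ -match '^State\s+(ON|OFF)') {
            if ($Matches[1] -eq 'ON') { Write-Host "$name profile: ON" }
            else { Write-Warning "$name profile is OFF" }
        }
    }
}

function Get-DaConsecRule {
    # Step 3: the connection security rules must be present on server and
    # client; returns the DA rule names it found.
    $rules = netsh advfirewall consec show rule name=all |
        Select-String -Pattern '^Rule Name:\s+(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
    $da = @($rules | Where-Object { $_ -match 'DirectAccess' })
    if ($da.Count -eq 0) { Write-Warning "No DirectAccess connection security rules found" }
    $da | ForEach-Object { Write-Host "Consec rule: $_" }
    return $da
}

function Get-MainModeAuth {
    # Step 4 (client, after connecting): main mode SAs should show the
    # machine certificate as the first auth and NTLMv2 or Kerberos as the
    # second (Kerberos appears once you touch something off the management
    # servers list). Counts the auth methods seen in the mmsa listing.
    $auth = @{ Cert = 0; NTLM = 0; Kerberos = 0 }
    netsh advfirewall monitor show mmsa | ForEach-Object {
        if ($_ -match '^Auth[12]:\s+(\S+)') {
            $tok = $Matches[1]
            if ($tok -match 'Cert') { $auth['Cert']++ }
            if ($tok -match 'NTLM') { $auth['NTLM']++ }
            if ($tok -match 'Kerb') { $auth['Kerberos']++ }
        }
    }
    if (($auth['Cert'] + $auth['NTLM'] + $auth['Kerberos']) -eq 0) {
        Write-Warning "No main mode SAs: no DA tunnel has been negotiated yet"
    }
    return $auth
}

Update-DaPolicy
Test-FirewallProfiles
$null = Get-DaConsecRule
Get-MainModeAuth | Format-Table -AutoSize
```

Run it on the server first and then on a client that has just connected from outside; the profile check is the one that catches the workaround from the question, because a profile that reports OFF has taken its connection security rules down with it.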

All replies

  • Thanks Tom!

    I don't know why it stuck this time, but after doing that sequence it took. IPHTTPS is working fine. Teredo and 6to4 are still problematic: I can ping by hostname but can't access resources.

    I've done this install 4 times now with the exact configuration...  the only thing I noticed that was different was that the DirectAccess rules in TMG were now all at the bottom (previously 1 was at the top and two were close to the bottom). 

    In any case, almost there. 
    Tuesday, March 16, 2010 1:30 PM
  • Hi Eric,

    You're making progress! Great!

    You should never need to look at the TMG console when working with DA. There are some preconfigured rules that are created in the background, but there's nothing there that the admin can do that will fix things.

    What's interesting is that IP-HTTPS is working, but Teredo and 6to4 are giving you problems.

    How are you testing the IP-HTTPS connection? The Teredo connection? The 6to4 connection?

    Thanks!
    Tom
    MS ISDUA/UAG DA Anywhere Access Team
    Wednesday, March 17, 2010 1:55 PM
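Tom's question about how each transition technology is being tested is worth answering with a repeatable check rather than a ping. The script below is an added example, not code from this thread or from Microsoft: on a Windows 7 DA client it records which transition technology is active, then for each internal host checks name resolution, ICMPv6 and a real TCP connect. The host names and ports are constructed placeholders, and the netsh string patterns assume English output. The reason the TCP step matters is that DirectAccess exempts ICMPv6 from IPsec, so a successful ping only proves a transition interface is up; the TCP connects are what exercise the IPsec tunnels, which is exactly the part that was failing in this thread.

```powershell
# Added example (not from the original thread). Repeatable client-side test
# on a Windows 7 DA client: which transition technology is active, then
# resolution / ICMPv6 / TCP connect per internal host.
# Assumptions: English netsh output; host names and ports below are
# constructed placeholders for this example.

$internalHosts = @('dc1.corp.example', 'fs1.corp.example')   # assumed
$tcpPorts      = @(445, 80)                                  # SMB and HTTP

function Select-Lines([string[]]$Lines, [string]$Pattern) {
    # Keep only the lines we care about from a netsh listing, joined on one line.
    @($Lines | Select-String -Pattern $Pattern | ForEach-Object { $_.Line.Trim() }) -join ' | '
}

function Get-TransitionState {
    # One summary line per technology, plus DA's own inside/outside decision.
    $s = @{}
    $s['Teredo']   = Select-Lines (netsh interface teredo show state) '^(State|Type)'
    $s['6to4']     = Select-Lines (netsh interface 6to4 show state) '(Setting|State)'
    $s['IPHTTPS']  = Select-Lines (netsh interface httpstunnel show interfaces) 'Interface Status'
    $s['Location'] = Select-Lines (netsh dnsclient show state) 'Machine Location'
    return $s
}

function Test-DaResource([string]$HostName, [int[]]$Ports) {
    $result = New-Object PSObject -Property @{ Host = $HostName; Resolved = $null; Ping = $false; Tcp = @{} }
    try {
        # The NRPT sends intranet names to the DA DNS server; expect an IPv6 answer.
        $addrs = [System.Net.Dns]::GetHostAddresses($HostName)
        $v6 = $addrs | Where-Object { $_.AddressFamily -eq 'InterNetworkV6' } | Select-Object -First 1
        if ($v6 -eq $null) {
            $result.Resolved = "no IPv6 address (got: $($addrs -join ','))"
            return $result
        }
        $result.Resolved = $v6.IPAddressToString
    } catch {
        $result.Resolved = "resolution failed: $($_.Exception.Message)"
        return $result
    }

    # ICMPv6 is exempt from IPsec in DA: this only shows the tunnel interface is up.
    $reply = (New-Object System.Net.NetworkInformation.Ping).Send($v6, 2000)
    $result.Ping = ($reply.Status -eq 'Success')

    # TCP connects go through the IPsec tunnels, so they test what ping cannot.
    foreach ($p in $Ports) {
        $tcp = New-Object System.Net.Sockets.TcpClient([System.Net.Sockets.AddressFamily]::InterNetworkV6)
        try {
            $ar = $tcp.BeginConnect($v6, $p, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne(3000, $false)) {
                $tcp.EndConnect($ar)
                $result.Tcp[$p] = $tcp.Connected
            } else {
                $result.Tcp[$p] = $false      # timed out
            }
        } catch {
            $result.Tcp[$p] = $false          # refused or unreachable
        } finally {
            $tcp.Close()
        }
    }
    return $result
}

$state = Get-TransitionState
foreach ($k in 'Location', 'Teredo', '6to4', 'IPHTTPS') { Write-Host ("{0,-9} {1}" -f $k, $state[$k]) }

foreach ($h in $internalHosts) {
    $r = Test-DaResource -HostName $h -Ports $tcpPorts
    $tcpText = ($r.Tcp.Keys | Sort-Object | ForEach-Object { "{0}={1}" -f $_, $r.Tcp[$_] }) -join ' '
    Write-Host ("{0}: resolved={1} ping={2} tcp {3}" -f $r.Host, $r.Resolved, $r.Ping, $tcpText)
}
```

Run it once as-is, then isolate one technology at a time (for example `netsh interface teredo set state disabled` or `netsh interface 6to4 set state disabled`) and run it again, so each report line can be tied to a known transition technology; afterwards `gpupdate /force` lets the DA GPO reapply its own settings. A host that resolves and pings but fails both TCP ports is the "ping works, resources don't" symptom from this thread, and that points at the IPsec tunnels rather than at the transition technology carrying them.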