Below is my environment:

I have 1 physical machine running Windows 2008 R2, with the Hyper-V role. This machine has 3 physical NICs:

  • One for Internet
  • One for Internal Network
  • One for Wireless Network

All 3 have their respective Virtual Networks in Hyper-V, and I have an extra Private virtual machine network for a DMZ Network.
In one of the virtual machines, I have TMG Forefront 2010 SP1 installed, with all 4 networks available to it. Below is the IPCONFIG /ALL at the firewall:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : FRW-EXP1-02
   Primary Dns Suffix  . . . . . . . : exp1.eti.br
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : exp1.eti.br

Ethernet adapter Internet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #4
   Physical Address. . . . . . . . . : 00-15-5D-01-06-0E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::6d05:6033:4cfc:bdf5%15(Preferred)
   IPv4 Address. . . . . . . . . . . : 189.100.110.xxx(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Lease Obtained. . . . . . . . . . : quarta-feira, 5 de janeiro de 2011 11:17:24
   Lease Expires . . . . . . . . . . : quarta-feira, 5 de janeiro de 2011 16:07:02
   Default Gateway . . . . . . . . . : 189.100.96.xxx
   DHCP Server . . . . . . . . . . . : 201.6.2.43
   DHCPv6 IAID . . . . . . . . . . . : 436213085
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6D-75-6F-00-15-5D-01-06-0B
   DNS Servers . . . . . . . . . . . : 201.6.2.163
                                       201.6.2.43
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Rede Interna:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #3
   Physical Address. . . . . . . . . : 00-15-5D-01-06-0C
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::51ff:4723:ce4c:bbc3%14(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.50.75.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 352327005
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6D-75-6F-00-15-5D-01-06-0B
   DNS Servers . . . . . . . . . . . : 10.50.75.1
                                       10.50.75.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter DMZ:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #2
   Physical Address. . . . . . . . . : 00-15-5D-01-06-0A
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::d4c5:75cf:e9aa:73e1%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.10.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 301995357
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6D-75-6F-00-15-5D-01-06-0B
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Wireless:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-01-06-0B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::459:8ca6:d02:8da1%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 234886493
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6D-75-6F-00-15-5D-01-06-0B
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

I have the Networks below at Forefront:

External: IP addresses external to the Forefront TMG Networks
Internal: 10.50.75.0 - 10.50.75.255
Local Host:
Perimiter: 192.168.10.0 - 192.168.10.255
Wireless: 192.168.1.0 - 192.168.1.255

In the Networks Rules, I have:

1 => Route => Local Host => All Networks
2 => Route => Quarantined; VPN => Internal
3 => NAT => Internal; VPN => Perimiter
4 => NAT => Internal; Perimiter; Quarantined; VPN; Wireless => External

My problem is that I can only communicate with the Internal and External networks. If I ping www.google.com or 10.50.75.21 from the Forefront VM, I get answers back without a problem. If I try to ping a machine at the Perimeter network or the Wireless network, it doesn't get routed back to Forefront, and Forefront is the default gateway on all networks. Here are ping samples:

PS C:\Users\Administrator.TPB1> ping www.google.com

Pinging www.l.google.com [64.233.163.104] with 32 bytes of data:
Reply from 64.233.163.104: bytes=32 time=11ms TTL=58
Reply from 64.233.163.104: bytes=32 time=8ms TTL=58

Ping statistics for 64.233.163.104:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 8ms, Maximum = 11ms, Average = 9ms
Control-C
PS C:\Users\Administrator.TPB1> ping 10.50.75.21

Pinging 10.50.75.21 with 32 bytes of data:
Reply from 10.50.75.21: bytes=32 time=1ms TTL=128
Reply from 10.50.75.21: bytes=32 time=1ms TTL=128
Reply from 10.50.75.21: bytes=32 time=1ms TTL=128
Reply from 10.50.75.21: bytes=32 time=1ms TTL=128

Ping statistics for 10.50.75.21:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
PS C:\Users\Administrator.TPB1> ping 192.168.10.3

Pinging 192.168.10.3 with 32 bytes of data:
Reply from 192.168.10.1: Destination host unreachable.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.10.3:
    Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
PS C:\Users\Administrator.TPB1>

The ping to 192.168.10.3 gets the Destination host unreachable. Below is the ipconfig for the perimeter VM:

PS C:\Users\Administrator.Administrator> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : app-exp1-02
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Unkown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-01-06-08
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.10.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 201.6.2.163
                                               201.6.2.43

Trying to ping 192.168.10.1 (the gateway) from the DMZ machine also does not work. When I use Log & Reports to monitor packets from the Wireless network and the Perimeter network, I don't get any packets like PING or HTTP that I try to send. But I do get a lot of spoofing messages for NETBIOS broadcasts... it's like Forefront thinks it's coming from a different network, but I don't know why. Please help!

Thanks

Pascal
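The "spoofing messages for NETBIOS broadcasts" in the question are the symptom worth understanding: TMG drops, and logs as spoofed, any packet whose source address is not valid for the network bound to the adapter it arrived on. The script below is an added example, not TMG code or anything from the original post. It models that per-adapter check over a few constructed log lines, using the network ranges from the question, and runs it twice: once with the intended adapter-to-network binding and once with a constructed stale binding in which the DMZ adapter is still associated with the Wireless network. The key=value log format, the adapter bindings and the check itself are simplifying assumptions (real TMG also consults the host routing table), but they are enough to show why every broadcast from the perimeter hosts would be reported as spoofed while a mismatch like this exists.

```python
import ipaddress
from typing import Dict, List, Tuple

# TMG network definitions as listed in the question (name -> IPv4 ranges).
# "External" is implicit in TMG: every address not covered by a defined network.
TMG_NETWORKS: Dict[str, List[ipaddress.IPv4Network]] = {
    "Internal": [ipaddress.ip_network("10.50.75.0/24")],
    "Perimeter": [ipaddress.ip_network("192.168.10.0/24")],
    "Wireless": [ipaddress.ip_network("192.168.1.0/24")],
}

# Adapter -> TMG network binding the asker intended (adapter names taken from
# the question's ipconfig output). Assumption of this model: TMG's spoof check
# compares a packet's source address with the ranges of the network bound to
# the adapter the packet arrived on.
ADAPTER_BINDING_OK: Dict[str, str] = {
    "Rede Interna": "Internal",
    "DMZ": "Perimeter",
    "Wireless": "Wireless",
    "Internet": "External",
}

# Constructed stale binding: the DMZ adapter is still associated with the
# Wireless network, the kind of mismatch that re-adding the NICs cleared.
ADAPTER_BINDING_STALE: Dict[str, str] = dict(ADAPTER_BINDING_OK, DMZ="Wireless")


def in_any_defined_network(addr: ipaddress.IPv4Address) -> bool:
    """True if addr falls inside any explicitly defined TMG network."""
    return any(addr in net for ranges in TMG_NETWORKS.values() for net in ranges)


def spoof_check(adapter: str, src_ip: str, binding: Dict[str, str]) -> str:
    """Return 'ok', 'spoof' or 'unknown-adapter' for one received packet."""
    src = ipaddress.ip_address(src_ip)
    network = binding.get(adapter)
    if network is None:
        return "unknown-adapter"
    if network == "External":
        # An address that belongs to a defined (inside) network must never
        # arrive on the external adapter.
        return "spoof" if in_any_defined_network(src) else "ok"
    if any(src in net for net in TMG_NETWORKS[network]):
        return "ok"
    return "spoof"


# Constructed sample in a simple key=value form (not TMG's real log format).
SAMPLE_LOG = """\
adapter=DMZ src=192.168.10.3 dst=192.168.10.255 proto=NetBIOS-NS
adapter=DMZ src=192.168.10.3 dst=192.168.10.1 proto=ICMP
adapter=Wireless src=192.168.1.25 dst=192.168.1.255 proto=NetBIOS-DGM
adapter=Internet src=10.50.75.21 dst=189.100.110.1 proto=TCP
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def audit(log_text: str, binding: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Run the spoof check over every non-empty log line."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        verdict = spoof_check(f["adapter"], f["src"], binding)
        results.append((f["adapter"], f["src"], f["proto"], verdict))
    return results


if __name__ == "__main__":
    for label, binding in (("intended", ADAPTER_BINDING_OK), ("stale", ADAPTER_BINDING_STALE)):
        print(f"--- adapter binding: {label}")
        for adapter, src, proto, verdict in audit(SAMPLE_LOG, binding):
            print(f"{verdict:6} {adapter:12} {src:15} {proto}")
```

With the intended binding only the last line is flagged (an Internal address arriving on the external adapter, which is exactly the kind of packet anti-spoofing exists to drop). With the stale binding both packets from 192.168.10.3 are flagged as spoofed, including the ICMP echo to the gateway, which matches the "Destination host unreachable" and the absence of PING/HTTP entries the asker saw.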

1 Answer

When everything seems to be right, it's because it probably is!!!
I solved this issue by removing the Wireless and Perimeter networks from Forefront, then shutting down the VM, then removing the network cards from the Forefront VM, then starting, shutting down, adding the cards back, starting, using different subnets (don't know if this step is necessary, but I did it anyway), booting, and re-adding the networks to Forefront.
After this marathon, it started working. Traffic from Perimeter and Wireless started being recognized by Forefront, and the packets started flowing as they should, with the same configuration as before.

Pascal