Circumvent (or "ease") ForeFront TMG proxy?? Also, VPN oddities!

  • Circumvent (or "ease") ForeFront TMG proxy?? Also, VPN oddities!

    Hi all,

    I am the technology manager of a school. I have a newly installed ForeFront TMG running on an HP DL380 G4 with Server 2008 R2 x64. Largely, it works fine. I know very little about it, but am learning!

    Item 1: I have setup a GPO from AD that forces each and every client to use this box as the proxy server. Works fine, but there are some problems I see.
    1. The first is me... I am a full time laptop user and use it to work from outside almost as much as I work inside. This causes problems because, for example, each time I go home I have to remove the proxy setting from IE before I can get online at home. Secondly (and this is something I totally don't understand), I mainly use Firefox. And I have manually configured FF to use the proxy at work. But even AFTER I remove the proxy when I'm home, it still barely works. I actually have to remove the setting in IE for FF to work properly! HUH??
    2. The second is that we have authentication required for use of the FF TMG. In other words, only authenticated domain users may use the proxy, and therefore get to the WWW at all. Now, if a user were to log on to a machine locally, they could still use the proxy, but would have to authenticate (upon opening IE) as a domain user. My domain, by the way, is "lfdcslan". So, for example, they would need to type "lfdcslan/username" and their password... The trouble here is that we are constantly having vendors, consultants, and other visitors coming to our school. Obviously, they are not domain members... Is there a way to circumvent the FF TMG so that such visitors could simply use the WWW simply by plugging into the LAN? Or is the best solution to create a "guest" domain user and have each & every visitor authenticate using that? I don't like the idea of that simply because it would require that knowledge to be disseminated to each person every time they visit... Plus, in all honesty, I would rather not have to go through the proxy myself for the reasons listed above... It's just annoying for me.

    Item 2: VPN access through the FF TMG. I've got this running, but, well, not fully. I CAN connect to the VPN from home, for example. I did so by simply creating a PPTP connection to my external IP address and using my domain credentials. It does connect. Nice! However... I can't actually do much of anything! Huh? Examples...
    1. I can open a Remote Desktop connection to anything I want, but only with IP address. Trying to use RD with names does not work.
    2. I cannot use RUN to go to \\anything, be it name OR IP address.
    3. I cannot open Outlook (which is connected to Exchange 2010). It tells me it cannot locate the Exchange Server and Outlook closes after not even really opening.
    4. I cannot connect to a manually-mapped drive I have.

    So in a nutshell, once actually connected to the VPN, the ONLY thing I can do is use RD to connect to a machine via IP address... Kind of useless as I need to get the rest working. Any thoughts, please?

    For now, methinks that's about it... I'd appreciate any input you pros have. THANKS!!!

    Chris

  • #2
    Re: Circumvent (or "ease") ForeFront TMG proxy?? Also, VPN oddities!

    I'm going to move this thread to the security forum, where our TMG expert (Hi Marcel) lurks.

    With regard to Q1, I am sure there is a GPO setting that only applies the proxy in a domain environment, and removes it when you are connected elsewhere. Just NOT sure where to find it!
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    • #3
      Re: Circumvent (or "ease") ForeFront TMG proxy?? Also, VPN oddities!

      Hi Tom

      @worldbuilder, if you don't mind I'll keep it to a few short answers since I'm writing this from my new cellphone.

      1.1 Use the autodetection mechanism supplied with ISA and TMG. Google for WPAD and you will find a lot of articles about it.

      1.2 To authenticate or not to authenticate. If you are comfortable with VLANs, I suggest adding the contractors to a certain VLAN without authentication, so for TMG it's a firewall rule with source (that VLAN) and destination the WWW (external).

      2 VPN. Check your routing topology and your firewall rules. Keep in mind that you need to create custom firewall rules from your VPN clients to your internal networks.
      Marcel
      Technical Consultant
      Netherlands
      http://www.phetios.com
      http://blog.nessus.nl

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"
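      The WPAD autodetection Marcel points to in 1.1 works by handing the browser a small proxy auto-config (PAC) script instead of a fixed proxy setting, which is what removes the "delete the proxy from IE every time I go home" chore from the first post. The block below is an added example written for this thread, not code from the original posts, from Microsoft or from TMG: a PAC script that only names the TMG proxy while the laptop holds a school-LAN address, plus a small harness that evaluates it offline the way a browser would (browsers provide isInNet(), myIpAddress() and the other helpers themselves; the harness defines stand-ins). The proxy name tmg.lfdcslan.example, port 8080, the 10.0.0.0/16 LAN range, the .lfdcslan.example DNS suffix and the client addresses are all assumptions, not values from the thread.

```javascript
// Added example (not from the thread): WPAD-style PAC script plus an offline
// evaluator. All names, ports and address ranges below are placeholders.
const PAC_SCRIPT = `
function FindProxyForURL(url, host) {
  // Internal names never need the proxy: plain names, the AD domain, loopback.
  if (isPlainHostName(host) || dnsDomainIs(host, ".lfdcslan.example") ||
      host === "localhost") {
    return "DIRECT";
  }
  // On the school LAN: send web traffic via TMG, falling back to DIRECT.
  if (isInNet(myIpAddress(), "10.0.0.0", "255.255.0.0")) {
    return "PROXY tmg.lfdcslan.example:8080; DIRECT";
  }
  // Anywhere else (home, hotel, conference): no proxy at all.
  return "DIRECT";
}
`;

// Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// Load a PAC script and return its FindProxyForURL, with stand-ins for the
// helper functions a browser would normally supply. clientIp is what
// myIpAddress() reports, so the same script can be evaluated "from" two places.
function loadPac(script, clientIp) {
  const helpers = {
    isPlainHostName: (h) => !h.includes("."),
    dnsDomainIs: (h, d) => h.toLowerCase().endsWith(d.toLowerCase()),
    isInNet: (ip, net, mask) =>
      (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask)),
    myIpAddress: () => clientIp,
  };
  const names = Object.keys(helpers);
  // The helper names become parameters of the wrapper, so the PAC body sees
  // them as globals exactly as it would inside a browser.
  const factory = new Function(...names, `${script}\nreturn FindProxyForURL;`);
  return factory(...names.map((n) => helpers[n]));
}

// Decide how a client at clientIp should reach url under the PAC above.
function proxyDecision(clientIp, url) {
  const findProxy = loadPac(PAC_SCRIPT, clientIp);
  return findProxy(url, new URL(url).hostname);
}

// Same laptop, two locations: the decision follows the address it currently holds.
console.log("at school :", proxyDecision("10.0.5.23", "https://www.example.com/"));
console.log("at home   :", proxyDecision("192.168.1.10", "https://www.example.com/"));
console.log("intranet  :", proxyDecision("10.0.5.23", "http://intranet.lfdcslan.example/"));
```

      With WPAD enabled in the browser, the script is fetched as wpad.dat from a location found through DHCP option 252 or a host named wpad in the DNS suffix; at home neither exists, so the browser finds no proxy and goes direct without any manual change. The myIpAddress() check covers the case where a cached copy of the script is still applied off-site.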

      • #4
        Re: Circumvent (or "ease") ForeFront TMG proxy?? Also, VPN oddities!

        Hi fellas! Hey Marcel! We have a history. You've solved God-Only-Knows-How-Many of my problems...

        LOL!

        I hope you like the new phone, man.

        Lemme poke around some of the things you suggest and see what I can find. I'll post back. In the meantime, once off the phone, if you could elaborate more (feel free to walk me through things like I was a 5 year-old), I'd appreciate it. Thanks, guys!

        These forums are the best. No doubt.

        Chris

        • #5
          Re: Circumvent (or "ease") ForeFront TMG proxy?? Also, VPN oddities!

          Hi again!

          OK, let's stick with VPN access for now and get back to the other stuff later. I checked on some FF rules and added a VPN rule which, in theory, would allow access to DNS, SMTP, etc...

          Went home (am there now) and it doesn't work. So I'm quite sure I don't know what I'm doing... LOL!

          I can RD to the FF server, however, just like I always could. What would a rule look like to accomplish my goal? Would you like me to post my rules as they are now?

          Thanks!

          Chris

          • #6
            Re: Circumvent (or "ease") ForeFront TMG proxy?? Also, VPN oddities!

            You need a firewall rule allowing access from the VPN Clients Network to Internal, with all the appropriate protocols for what you need VPN clients to do.

            If you're using Outlook then you'll need MAPI, not SMTP for that. MAPI is an RPC Protocol so you'll almost certainly have to allow all outbound from VPN Clients to Internal and also turn off strict RPC Compliance on the rule. Personally I'd use Outlook Anywhere rather than a VPN for remote access though.

            Anyhoo, I think you also need to check your address assignments for VPN clients. Are you using DHCP or a static pool? What DNS Servers are being assigned to VPN Clients? Try doing an ipconfig /all with the VPN established and see what you get.

            For your contractors I would, as Marcel suggested, use a different network. I'd probably add a perimeter network with a wireless access point and allow unauthenticated access to HTTP, HTTPS and DNS over that network to the internet.
            BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
            Cruachan's Blog

            • #7
              Re: Circumvent (or "ease") ForeFront TMG proxy?? Also, VPN oddities!

              I have the firewall rule allowing access to the Internal network, which I think is why it connects at all.

              MAPI, got it. I'll try that. I had SMTP in there! I agree... OWA will be better, but I don't have that up and running yet. When I do, the MAPI can then go away.

              A perimeter network is a good idea, but I don't know if it's doable... No money for a good Cisco WAP solution and right now I only have a dinky little Linksys WAP. Can this be used as you suggest?

              Thanks!

              Chris

              • #8
                Re: Circumvent (or "ease") ForeFront TMG proxy?? Also, VPN oddities!

                Can you try an nslookup from your client, eg nslookup mydc.domain.com?
                If it fails can you review if you received your DNS settings with an ipconfig /all command?

                Keep it to simple testing first. You might also allow all outbound traffic from your VPN clients to internal just for testing purposes.
                Marcel

                • #9
                  Re: Circumvent (or "ease") ForeFront TMG proxy?? Also, VPN oddities!

                  Originally posted by Dumber:
                  Can you try an nslookup from your client, eg nslookup mydc.domain.com?
                  If it fails can you review if you received your DNS settings with an ipconfig /all command?

                  Keep it to simple testing first. You might also allow all outbound traffic from your VPN clients to internal just for testing purposes.
                  Just tried an nslookup and it failed. Checked IP settings and they seem right. DHCP is disabled, but autoconfig is enabled. My VPN IP is valid and I did get the proper DNS servers (both of them).

                  Chris

                  PS. Pinging both IP and Name failed as well.
                  Last edited by WorldBuilder; 21st August 2010, 22:56. Reason: Added Info
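                  The ipconfig /all check Cruachan and Marcel asked for is worth scripting once, because the three things that matter (is there a PPP adapter at all, did it get an address, and are the DNS servers the internal ones) are easy to misread by eye. The block below is an added example written for this thread, not code from the original posts or from Microsoft: it parses the text of ipconfig /all and reports those three facts. The sample output is constructed to mirror what Chris reports in this post (DHCP disabled, autoconfiguration enabled, a valid address, both DNS servers present); the adapter name, host name, suffix and every address in it are placeholders.

```javascript
// Added example (not from the thread): parse `ipconfig /all` text captured on a
// VPN client and check the PPP adapter. SAMPLE_IPCONFIG is constructed output;
// all addresses and names in it are placeholders.
const SAMPLE_IPCONFIG = `
Windows IP Configuration

   Host Name . . . . . . . . . . . . : chris-laptop
   Primary Dns Suffix  . . . . . . . : lfdcslan.example

PPP adapter School VPN:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : School VPN
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.1.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 10.0.1.10
                                       10.0.1.11
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : home
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
`;

// Split the output into adapter sections. Header lines are unindented and end
// with a colon; "Key . . . : value" lines belong to the current section; an
// indented line with no key continues the previous key (extra DNS servers).
function parseIpconfig(text) {
  const sections = {};
  let current = null;
  let lastKey = null;
  for (const raw of text.split(/\r?\n/)) {
    const header = raw.match(/^(\S.*?):\s*$/);
    if (header) {
      current = sections[header[1]] = {};
      lastKey = null;
      continue;
    }
    const kv = raw.match(/^\s+([A-Za-z][A-Za-z0-9 \/-]*?)[ .]+:\s*(.*)$/);
    if (kv && current) {
      lastKey = kv[1];
      const value = kv[2].trim().replace(/\(Preferred\)$/, "");
      current[lastKey] = value ? [value] : [];
      continue;
    }
    const cont = raw.match(/^\s+(\S.*)$/);
    if (cont && current && lastKey) current[lastKey].push(cont[1].trim());
  }
  return sections;
}

// Report what the VPN client actually received. An empty `problems` array means
// the client side looks right and the fault is more likely routing or TMG rules.
function checkVpnClient(text, expectedDns) {
  const sections = parseIpconfig(text);
  const name = Object.keys(sections).find((n) => n.startsWith("PPP adapter"));
  if (!name) {
    return { adapter: null, ipv4: null, dnsServers: [],
             problems: ["no PPP (VPN) adapter present; the tunnel is not up"] };
  }
  const adapter = sections[name];
  const ipv4 = (adapter["IPv4 Address"] || [])[0] || null;
  const dnsServers = adapter["DNS Servers"] || [];
  const problems = [];
  if (!ipv4) problems.push("VPN adapter has no IPv4 address; check the address assignment method");
  else if (ipv4.startsWith("169.254.")) problems.push("VPN adapter has a link-local (169.254.x.x) address; no address was handed out");
  for (const dns of expectedDns) {
    if (!dnsServers.includes(dns)) problems.push(`expected internal DNS server ${dns} not assigned`);
  }
  for (const dns of dnsServers) {
    if (!expectedDns.includes(dns)) problems.push(`unexpected DNS server ${dns} assigned; internal names will not resolve through it`);
  }
  return { adapter: name, ipv4, dnsServers, problems };
}

// Internal DNS servers the VPN clients are supposed to receive (placeholders).
console.log(JSON.stringify(checkVpnClient(SAMPLE_IPCONFIG, ["10.0.1.10", "10.0.1.11"]), null, 2));
```

                  When this reports no problems, as it does for the constructed sample, the nslookup failure Chris describes is not a client-side address or DNS assignment issue, which is why the thread moves on to the network relationship and firewall rules between the VPN Clients network and Internal.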

                  • #10
                    Re: Circumvent (or "ease") ForeFront TMG proxy?? Also, VPN oddities!

                    Do you use DHCP for the client addresses or a static range?
                    Have you tried tracert instead of ping? Results will be the same but you can follow its path.
                    Also, did you configure a route relationship in the network rules?
                    Marcel

                    • #11
                      Re: Circumvent (or "ease") ForeFront TMG proxy?? Also, VPN oddities!

                      Hi Marcel,

                      OK, I am back in the office and looking directly at the ForeFront TMG. Might be here for a few hours.

                      I am using DHCP for the VPN clients, yes.

                      Here's what I have. Perhaps this will shed some light on the subject. I know, I've been lacking with information...

                      On the left is "Remote Access Policy (VPN)".
                      1. The "Address Assignment Method" is DHCP.
                      2. For the "VPN Clients Properties", I have set a maximum of 25, the VPN Group from AD, and a protocol of PPTP.
                      3. Quarantine Control is not enabled.


                      Clicking on "View Network Rules" takes me to the Networking page. There I see a rule named "VPN Clients to Internal Network".
                      1. It is enabled.
                      2. Source Network is VPN Clients and Quarantined VPN Clients with no Exceptions.
                      3. Destination Networks is Internal.
                      4. Network Relationship is set to Route.


                      So if I then return to "Remote Access Policy (VPN)", I then click on "View Firewall Policy for the VPN Clients Network". That takes me to Firewall Policy. I do NOT see anything in here specifically related to VPN. There are a few Exchange rules, some Web Access policies, and an RDP rule.

                      Remember, I deleted the rule I made earlier because it obviously wasn't working...

                      So, if the only problem here seems to be that I have no configured Firewall rules, what would this rule look like if I want to...
                      1. Access Exchange (through Outlook) over the VPN
                      2. Use RDP based on name (this already works via IP)
                      3. Access network drives, printers, and other LAN resources


                      How would I configure that? Is there anything else I am missing? Does everything except the firewall rules seem OK?

                      THANKS for all your help, Marcel.

                      Chris

                      • #12
                        Re: Circumvent (or "ease") ForeFront TMG proxy?? Also, VPN oddities!

                        If RDP works via IP it'll probably also work using the FQDN (i.e. computer.domain.local), you normally find that with VPNs. You'll need to allow CIFS for file and printer sharing, along with LDAP and Kerberos Sec if I remember rightly. Getting Outlook to work is probably going to be a PITA without allowing all outbound protocols, as it's an RPC protocol. You will also need to turn off strict RPC Compliance on the rule. If you are looking to keep protocols allowed by VPN clients to a minimum I'd use TMG to publish Outlook Anywhere to the internet.

                        So, to sum up, create an Access Rule that allows the required traffic from VPN Clients to Internal. Another way of locking this down is to allow all outbound but restrict the users in the rule, say to yourself and other members of the IT department.
                        Cruachan's Blog

                        • #13
                          Re: Circumvent (or "ease") ForeFront TMG proxy?? Also, VPN oddities!

                          Originally posted by cruachan:
                          If RDP works via IP it'll probably also work using the FQDN (i.e. computer.domain.local), you normally find that with VPNs. You'll need to allow CIFS for file and printer sharing, along with LDAP and Kerberos Sec if I remember rightly.
                          RDP works via IP address only. I'll try to create a firewall rule that allows the protocols you mention (CIFS, etc).

                          Originally posted by cruachan:
                          Getting Outlook to work is probably going to be a PITA without allowing all outbound protocols, as it's an RPC protocol. You will also need to turn off strict RPC Compliance on the rule. If you are looking to keep protocols allowed by VPN clients to a minimum I'd use TMG to publish Outlook Anywhere to the internet.
                          Is there a difference between "Outlook Anywhere" and "Outlook Web Access"? This IS the plan, to allow OWA to be accessed by our employees on the web. But for now, I just need remote access to e-mail for myself...

                          Originally posted by cruachan:
                          So, to sum up, create an Access Rule that allows the required traffic from VPN Clients to Internal. Another way of locking this down is to allow all outbound but restrict the users in the rule, say to yourself and other members of the IT department.
                          I will create a rule now and try to connect later today. I'll then post back. Thanks!

                          PS... The IT Department... LOL! I am the IT department.

                          Thanks to you both!

                          Chris

                          • #14
                            Re: Circumvent (or "ease") ForeFront TMG proxy?? Also, VPN oddities!

                            ***UPDATE***

                            I just created the following Firewall Policy Access Rule:
                            1. Action --> Allow
                            2. Selected Protocols --> DHCP (Request), DNS, HTTP, HTTPS, LDAP, LDAP (UDP), CIFS (TCP), CIFS (UDP), RDP (Terminal Services)
                            3. FROM --> Quarantined VPN Clients and VPN Clients
                            4. TO --> Internal
                            5. USERS --> All Users

                            Couldn't find MAPI, and after what you mentioned earlier, I may have to wait until we figure out how to publish OWA to the WWW. We have it working internally, but not externally yet... Treading on very new territory for me!

                            Does this look like it'll work when I try later? Did I overdo it? What will this allow/disallow?

                            Remember, guys... Feel free to explain this stuff to me as if I were a 5 year-old. LOL! Won't offend me one bit...

                            Chris

                            • #15
                              Re: Circumvent (or "ease") ForeFront TMG proxy?? Also, VPN oddities!

                              You are missing some protocols like GC and RPC.
                              The rule looks fine, although I'm not really a fan of using DHCP for address assignment. Personally I prefer a static pool with a subnet outside your current scope. I've noticed that DHCP address assignment doesn't always work as expected.
                              Marcel
