UAG Network Connector and configuration on Packaged TMG

Note: After working on this case, i got curious and did some lab work and found few interesting things, which tells that observations below are really rare and you dont have to do this as you run into following scenario very rarely. I will mention ny observations of lab work in next post that will explain that network connectors config is very simple and lot of work mentioned is not required.

I recently worked on a case, where UAG admin had configured Network connector for the windows clients earlier then windows 7, in this case windows XP clients for remote access. But windows XP clients were not able to make remote access connection. Admin has observed in the TMG live logs, for traffic coming from these windows XP clients, TMG was denying traffic explaining “network rules denied traffic”. Customer had configured Network connector settings properly in UAG.

He had also configured a TMG access rule as explained below and configured address range (IP address range) in TMG for windows XP clients.

To add a Forefront TMG access rule

  1. In the Forefront TMG Management console, click to expand Forefront TMG (server_name).
  2. In the tree, click the Firewall Policy node.
  3. On the Tasks tab, click Create Access Rule.
  4. On the Welcome page of the New Access Rule Wizard, type a name for the rule, and then click Next.
  5. On the Rule Action page, select Allow.
  6. On the Protocols page, in the This rule applies to list, select All Outbound Traffic.
  7. On the Malware Inspection page, select Do not enable malware inspection for this rule.
  8. On the Access Rule Sources page, click Add.
  9. On the Add Network Entities dialog box, click the New menu, and then click Address Range.
  10. On the New Address Range Rule Element dialog box, specify the Start Address and End Address of the IP address pool. Then click OK.
  11. On the Add Network Entities dialog box, click Close. In the Access Rule Sources page, click Next.
  12. On the Access Rule Destinations page, click Add.
  13. On the Add Network Entities dialog box, click the New Menu, and then click to expand Network. Select Internal, and then click Add. Click Close to close the Add Network Entities dialog box.
  14. On the Access Rule Destinations page, click Next.
  15. On the User Sets page, leave the default settings to allow access to all users. Alternatively, click Add to limit access to the VPN client user group only. Then click Next.
  16. On the final page of the wizard, click Finish

Address Range for Windows XP clients as shown below.

 This rule was also configured properly; still we had TMG logs saying traffic denied by network rules. Taking hint from this error in TMG logs, Checked TMG network rules and found there was no network rule in TMG to explain the network relationship between the Address range for windows XP client and internal network of TMG. For TMG it’s very important to first define networks and address ranges (for that matter any network object in TMG) and then define network relationship between them if we want to allow access between these network objects. In this case we needed to define route relationship between address range for windows XP clients and internal network of TMG as shown in snap shots below as example.

Note: Discussion about when to use NAT between two networks or network objects and when to use route is beyond the scope of this post but in general and in very few words for general access between two networks where source and destination machines can see each other’s source IP address you can use route relationship between them, in scenario where it’s important to hide one network’s machine’s source IP to other network e.g. a small internal network using private addressing(which is not routable on internet) 192.168.1.0-192.168.1.255, connected to internet through TMG whose external interface has public IP routable to internet, here we will use NAT between internal and external network, to hide all private IP addresses going out to internet through TMG as TMG will send out traffic with its own IP address as source IP.

Steps to create a network rule

  1.    We need to go to TMG console (packaged along with UAG), then on the left click on networking as marked in the snapshot below and then in the middle pane click on network rules and then on the right pane under tasks click in create a network rule as marked below

                

       2.  We will get network rule wizard as shown below where we can give name to this rule as shown below then click on next.

          

3.  We will get following screen where we will choose winxp clients address range as source then click on next

4.  We will get following screen where we will add internal networks as destination and then click next

5. We will get following screen where we will define relationship between the two network objects in this case Route relationship, then click on next

6. We will then get following screen to finish the network rule creation, After finishing this apply the changes on TMG.

Then we can see relationship between the network objects i.e. WinXp client address range and internal network in the network rules window as route.

Once we configured this relationship, windows XP clients were able to make remote access connection using network connectors.