TMG 2010 Name Resolution

Hi All,

I cannot update the Windows Server directly or via WSUS.

Internal NIC got the LAN DNS Server but it cannot resolve to outside?

C:\Users\Administrator>nslookup www.google.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.1.1.5

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.

LAN WSUS Server IP: 10.1.1.10

External Interface has Internet connectivity

As

May 25th, 2015 6:31am

Either your DNS is not working properly, in terms of configuration, or traffic/ports are blocked.

So, have a look to see if the TMG server is allowed to access the LAN DNS.

May 25th, 2015 11:34am

Hi Jesper,

Even if I set to external DNS I cannot browse the Internet? But I can resolve the name?

As

May 26th, 2015 6:26am

As,

Always configure your TMG Server and DNS Server as following:

  • Make sure your TMG Server uses an internal DNS Server through its internal interface.
  • Make sure your internal DNS Server is configured with a DNS Conditional Forwarder (for unknown queries) that points to DNS Servers from your ISP. Or use DNS root-hints. Of course your TMG Server must have an Access Rule that allows outbound DNS traffic from your internal DNS Server.
  • Also make sure that a TMG cache rule "Windows Update cache Rule" is enabled.


When your Firewall Policy on TMG allows unauthenticated outbound HTTP/HTTPS traffic, you should be able to connect with Windows Update without issues. But when your Firewall Policy requires authentication you have to configure a Proxy Server, and you are only able to do it interactively.

IMPORTANT: Never configure an external DNS Server on the external interface of your TMG S

May 27th, 2015 9:15am

Hi,

When I set to internal DNS, name not resolving? Even with Google DNS name not resolving; except cloud provider DNS is the only one that resolves the name, but cannot browse?

C:\Users\Administrator>nslookup www.google.com.au
Server:  58-162-66-11.static.cloud.telstra.net
Address:  58.162.66.11

Non-authoritative answer:
Name:    www.google.com.au
Addresses:  2404:6800:4006:801::2003
          216.58.220.99

C:\Users\Administrator>nslookup www.google.com.au
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.1.178.5

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 second



C:\Users\Administrator>nslookup
DNS request timed out.
    timeout was 2 seconds.
Default Server:  UnKnown
Address:  10.1.178.5

> server 8.8.8.8
DNS request timed out.
    timeout was 2 seconds.
Default Server:  [8.8.8.8]
Address:  8.8.8.8

> www.google.com
Server:  [8.8.8.8]
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.

NO DNS in External and all other seems to be correct.

This Server in Cloud is like this

Internet---->DMZ Cloud Hosting------------>IP WAN---->LAN

As

May 28th, 2015 1:23am

Ok, let's focus on that issue. Normally, you don't have to add an Access Rule to allow TMG to do DNS resolving to internal DNS Servers, because TMG already has a built-in System Policy Rule. Please check if this is configured properly:

  • Navigate to Forefront TMG > Firewall Policy
  • Right-click on Firewall Policy and select All Tasks > System Policy > Edit System Policy
  • In the System Policy Editor navigate to Network Service > DNS
  • Select the tab To
  • Make sure you have an object that includes your internal DNS Servers. The default object is "All Networks (and Local Host)".


Also make sure that you configured your internal DNS Servers on the Internal Network interface of TMG. There should be no DNS Servers configured on the external network interface, very important.

Also make sure that your internal DNS Servers can resolve external DNS-records. This requires an Access Rule in TMG to allow the DNS traffic.

External DNS Servers
  |
TMG
  |
Internal DNS Servers

TMG should use your internal DNS Servers. If your internal DNS gets a DNS-request for an unknown DNS Zone it will forward it to an external DNS Server which needs to pass through your TMG. Of course this is the case when your TMG is in between with a multi-homed configur

May 28th, 2015 3:25am
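A small Python probe, added here as an example and not part of the thread, that does by script what the nslookup transcripts above do by hand: it sends one A query straight to a chosen server over UDP/53 and classifies the result, so each hop in the chain Jesper describes (TMG to internal DNS, internal DNS to the external forwarder) can be tested separately. It builds and parses the DNS packets itself, handles only A records, and the 2-second timeout mirrors nslookup's default; the server addresses to probe (e.g. 10.1.178.5 and 8.8.8.8 from the thread) are passed in by the caller.

```python
import random
import socket
import struct
def build_query(name, qid=None):
    """Minimal recursive (RD=1) DNS A query for name; returns (qid, packet)."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return qid, header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += ln + 1

def parse_response(pkt, qid):
    """Return (rcode, [A-record IPs]) from a DNS response to query id qid."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("packet is not a response to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return flags & 0xF, ips

def probe(server, name, timeout=2.0):
    """Send one A query straight to server on UDP/53; returns (status, ips)."""
    qid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # nslookup's default "timeout was 2 seconds"
        try:
            sock.sendto(pkt, (server, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout", []  # query or reply dropped, or server down
    rcode, ips = parse_response(data, qid)
    return {0: "ok", 2: "servfail", 3: "nxdomain", 5: "refused"}.get(rcode, "rcode%d" % rcode), ips
```

Run from the TMG host as `probe("10.1.178.5", "www.google.com.au")` and then against the external server: a timeout at the internal server points at the TMG-to-internal-DNS path (System Policy DNS rule, interface DNS settings), while a servfail from the internal server means it received the query but could not forward it, which is where the outbound DNS Access Rule comes in.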

Hi,

If you are using an internal DNS server for DNS, and if TMG is configured as SecureNAT / as gateway / default route, then you need a rule that allows DNS from the internal DNS server to the Internet.

May 29th, 2015 6:59am

Hi,

I have set an "Allow DNS from internal DNS server to Internet" allow rule (External), not to external DNS Servers?

In my LAN we use our Squid Proxy to go via a different link, not via TMG. None of the internal clients go via TMG.

I have two Servers (DMZ) that are going direct to the Internet with no issues. Only this TMG box (DMZ) cannot connect to the Internet?

As

June 1st, 2015 1:36am

As,

This is now a bit more confusing, since your scenario is different than described at first. Can you provide us a bit more specific information?

  • You say you can't update through WSUS or Windows Update. Are you using the TMG or Squid as the Proxy Server?
  • Is your TMG in between your internal and external (internet) network?

Btw, DNS cannot be provided through a Proxy Server. If you are using Squid as a Proxy Server and you cannot go to WSUS or Windows Update, then you have to check the config of your Squid Proxy Server.

June 1st, 2015 3:11am
