TMG 2010 Name Resolution

Hi All,

  I cannot update the Windows Server directly or via the WSUS. 

 The internal NIC has the LAN DNS Server, but it cannot resolve to outside?

C:\Users\Administrator>nslookup www.google.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.1.1.5

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.

LAN WSUS Server IP: 10.1.1.10

The External Interface has Internet connectivity.

As

May 25th, 2015 2:32am

Either your DNS is not working properly (in terms of configuration), or traffic/ports are blocked.

So have a look to see if the TMG server is allowed to access the LAN DNS.
May 25th, 2015 7:35am

Hi Jesper,

    Even if I set an external DNS I cannot browse the Internet? But I can resolve the name?

As

May 26th, 2015 2:27am

As,

Always configure your TMG Server and DNS Server as following:

  • Make sure your TMG Server uses an internal DNS Server through its internal interface.
  • Make sure your internal DNS Server is configured with a DNS Conditional Forwarder (for unknown queries) that points to DNS Servers from your ISP. Or use DNS root-hints. Of course your TMG Server must have an Access Rule that allows outbound DNS traffic from your internal DNS Server.
  • Also make sure that a TMG cache rule "Windows Update cache Rule" is enabled.


When your Firewall Policy on TMG allows unauthenticated outbound HTTP/HTTPS traffic, you should be able to connect with Windows Update without issues. But when your Firewall Policy requires authentication you have to configure a Proxy Server, and you are only able to do it interactively.

IMPORTANT: Never configure an external DNS Server on the external interface of your TMG S

May 27th, 2015 9:15am

Hi,

When I set it to the internal DNS, the name is not resolving? Even with Google DNS the name is not resolving; the cloud provider DNS is the only one that resolves the name, but I cannot browse?

C:\Users\Administrator>nslookup www.google.com.au
Server:  58-162-66-11.static.cloud.telstra.net
Address:  58.162.66.11

Non-authoritative answer:
Name:    www.google.com.au
Addresses:  2404:6800:4006:801::2003
          216.58.220.99

C:\Users\Administrator>nslookup www.google.com.au
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.1.178.5

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 second



C:\Users\Administrator>nslookup
DNS request timed out.
    timeout was 2 seconds.
Default Server:  UnKnown
Address:  10.1.178.5

> server 8.8.8.8
DNS request timed out.
    timeout was 2 seconds.
Default Server:  [8.8.8.8]
Address:  8.8.8.8

> www.google.com
Server:  [8.8.8.8]
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.

No DNS on External, and all others seem to be correct.

This server is in the cloud, like this:

Internet---->DMZ Cloud Hosting------------>IP WAN---->LAN

As

May 28th, 2015 1:23am

Ok, let's focus on that issue. Normally, you don't have to add an Access Rule to allow TMG to do DNS resolving to internal DNS Servers, because TMG already has a built-in System Policy Rule. Please check if this is configured properly:

  • Navigate to Forefront TMG > Firewall Policy
  • Right-click on Firewall Policy and select All Tasks > System Policy > Edit System Policy
  • In the System Policy Editor navigate to Network Service > DNS
  • Select the tab To
  • Make sure you have an object that includes your internal DNS Servers. The default object is "All Networks (and Local Host)".


Also make sure that you configured your internal DNS Servers on the Internal Network interface of TMG. There should be no DNS Servers configured on the external network interface, very important.

Also make sure that your internal DNS Servers can resolve external DNS-records. This requires an Access Rule in TMG to allow the DNS traffic.

External DNS Servers
  |
TMG
  |
Internal DNS Servers

TMG should use your internal DNS Servers. If your internal DNS gets a DNS-request for an unknown DNS Zone it will forward it to an external DNS Server which needs to pass through your TMG. Of course this is the case when your TMG is in between with a multi-homed configur

May 28th, 2015 3:25am

Hi,

If you are using an internal DNS server for DNS,

and if TMG is configured as SecureNAT / as gateway / default route,

then

you need a rule that allows DNS from the internal DNS server to the internet (an allow rule).

May 29th, 2015 3:00am

Hi,

  I have set an "Allow DNS from internal DNS server to internet" allow rule (external), not to external DNS Servers?

  In my LAN we use our Squid Proxy to go via a different link, not via TMG. None of the internal clients go via TMG.

 I have two Servers (DMZ) that are going direct to the internet with no issues. Only this TMG box (DMZ) cannot connect to the internet?

As
June 1st, 2015 1:37am

As,

This is now a bit more confusing, since your scenario is different than described at first. Can you provide us a bit more specific information:

  • You say you can't update through WSUS or Windows Update. Are you using the TMG or Squid as the Proxy Server?
  • Is your TMG in between your internal and external (internet) network?

Btw, DNS cannot be provided through a Proxy Server. If you are using the squid as a Proxy Server and you cannot go to WSUS or Windows Update, then you have to check the config of your Squid Proxy Server.

June 1st, 2015 3:11am


Hi,

This TMG Server is in the cloud; connectivity is like this:

Internet<---->DMZ Cloud Hosting ( TMG Server)/10.254.2.x<------------>IP WAN( ISP)<---->LAN(10.1.150.x) -<--->Proxy Server (10.150.10)

This TMG box never updates, so I need to patch this server via WU or WSUS.

So far I tried both, but it didn't work.

You say you can't update through WSUS or Windows Update. Are you using the TMG or Squid as the Proxy Server?

TMG is not used as a proxy by the internal clients.

Is your TMG in between your internal and external (internet) network?

Yes, but the internal NIC is not directly connected; it's in the cloud and routed to our internal network.

Do you need the route print?

June 2nd, 2015 10:50pm

Hi All,

  How do I trace out to see why my internal DNS is not able to resolve public names from the TMG Server?

As
June 3rd, 2015 7:32pm

First of all you have to make sure you have the following Access Rules in the TMG Firewall Policy:

  • Source: Internal (or other source DNS Server object(s))
  • Destination: External (or other destination DNS Server object(s))
  • Protocol: DNS

When you are sure you have such an Access Rule in place, first check if it works on your internal DNS Servers. There are a few options:


NSLOOKUP:

  1. Open a command-prompt from your internal DNS Server:
  2. Enter "nslookup www.microsoft.com." and check the result.


DNS Console:

  1. Open the DNS console on your DNS Server.
  2. Right-click on the DNS Server and select Properties.
  3. Select the tab "Monitoring".
  4. Click Test. Check if you have a pass for both tests...

If the result still shows that it isn't working, use the Logs console within TMG to monitor the traffic:

  1. Open the TMG Management console:
  2. Navigate to Forefront TMG > Logs and Reports
  3. Select the tab "Logging"
  4. On the right-pane click Edit Filter
  5. In the Edit Filter window, make sure you filter on protocol DNS and so on to narrow the output.
  6. When you are done, click Start Query.

These are the tools you can use. And you should be able to pinpoint your problem.

June 4th, 2015 4:08am

Thank you.

  Internal DNS can resolve external name correctly.

  TMG Monitor shows the following:

Closed Connection XCELI0002 10/06/2015 4:54:59 PM 

Log type: Firewall service 
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
Rule: [System] Allow DNS from Forefront TMG to selected servers 
Source: Local Host (10.5.2.5:44888) 
Destination: Internal (10.1.1.5:53) 
Protocol: DNS 
June 10th, 2015 3:00am


A graceful shutdown is normal behavior. But the source is your Local Host, not your Internal Network.

June 10th, 2015 5:48pm

So how do I set it correctly?
June 10th, 2015 11:32pm

Assuming your TMG is in between your internal network and the internet, you must have an Access Rule:

  • Source: Internal (or specific internal DNS Servers)
  • Destination: External (or specific external DNS Servers)
  • Protocol: DNS
  • Action: Allow


All your clients/servers should use your internal DNS Servers. And your internal DNS Servers should be configured with DNS Forwarders to external DNS Servers (e.g. your Internet Service Provider).

So all DNS queries should go to your internal DNS Servers. And if your internal DNS Servers can't answer it, they should forward it to external DNS Servers. And this is where your TMG must pass-through that outbound DNS traffic.

You can use the logging in TMG and filter on the above criteria.

June 11th, 2015 3:59am
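The log record quoted earlier in the thread shows only the first leg of the path described above (TMG's Local Host to the internal DNS server, covered by the System Policy rule); what the Access Rule is for is the second leg (internal DNS server to an external forwarder). The following Python script is an added example, not code from the thread or from Forefront TMG: it parses pasted TMG Logging records in the field layout quoted above, maps each DNS record onto the expected path, and reports which legs appear and whether the forwarder leg was denied. The internal DNS address 10.1.1.5, the TMG server name and the first record are the thread's own; the second record, its status and rule text, and the external address 203.0.113.53 are constructed.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample in the field layout of the TMG "Logging" pane as quoted
# in the thread. The first record is the thread's own; the second is a
# constructed record (placeholder external address 203.0.113.53, invented
# status and rule text) showing what the internal-DNS-to-forwarder leg looks
# like when no Access Rule allows it.
THREAD_RECORD = """\
Closed Connection XCELI0002 10/06/2015 4:54:59 PM
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Rule: [System] Allow DNS from Forefront TMG to selected servers
Source: Local Host (10.5.2.5:44888)
Destination: Internal (10.1.1.5:53)
Protocol: DNS
"""

CONSTRUCTED_DENIED_RECORD = """\
Denied Connection XCELI0002 10/06/2015 4:55:01 PM
Log type: Firewall service
Status: (constructed) no Access Rule allowed the request
Rule: (constructed) Default rule
Source: Internal (10.1.1.5:51234)
Destination: External (203.0.113.53:53)
Protocol: DNS
"""

# Matches "Internal (10.1.1.5:53)" -> network name, IP, port
ENDPOINT_RE = re.compile(r"^(?P<network>.+?) \((?P<ip>[0-9.]+):(?P<port>\d+)\)$")


def parse_tmg_log(text: str) -> List[Dict[str, str]]:
    """Split pasted TMG log text into records; blank lines separate records."""
    records: List[Dict[str, str]] = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        # Header line: "<Action words> <TMG server> <date> <time> <AM|PM>"
        parts = lines[0].split()
        record = {
            "Action": " ".join(parts[:-4]),
            "Server": parts[-4],
            "Timestamp": " ".join(parts[-3:]),
        }
        # Remaining lines are "Field: value"; split on the first colon only,
        # because Source/Destination values contain "ip:port".
        for ln in lines[1:]:
            key, _, value = ln.partition(":")
            record[key.strip()] = value.strip()
        records.append(record)
    return records


def parse_endpoint(value: str) -> Optional[Dict[str, str]]:
    """'Internal (10.1.1.5:53)' -> {'network': 'Internal', 'ip': '10.1.1.5', 'port': '53'}"""
    m = ENDPOINT_RE.match(value)
    return m.groupdict() if m else None


def classify_leg(record: Dict[str, str], internal_dns: Set[str]) -> str:
    """Map one DNS record onto the expected path: TMG -> internal DNS -> external."""
    if record.get("Protocol") != "DNS":
        return "other"
    src = parse_endpoint(record.get("Source", ""))
    dst = parse_endpoint(record.get("Destination", ""))
    if not src or not dst or dst["port"] != "53":
        return "other"
    if src["network"] == "Local Host" and dst["ip"] in internal_dns:
        return "tmg_to_internal_dns"        # covered by the System Policy rule
    if src["ip"] in internal_dns and dst["network"] == "External":
        return "internal_dns_to_external"   # needs the Internal -> External DNS Access Rule
    return "other"


def check_dns_path(text: str, internal_dns: Set[str]) -> Dict[str, bool]:
    """Report which legs of the DNS path the log shows and whether the forwarder leg was denied."""
    actions: Dict[str, List[str]] = {"tmg_to_internal_dns": [], "internal_dns_to_external": []}
    for rec in parse_tmg_log(text):
        leg = classify_leg(rec, internal_dns)
        if leg in actions:
            actions[leg].append(rec["Action"])
    return {
        "tmg_to_internal_dns_seen": bool(actions["tmg_to_internal_dns"]),
        "forwarder_leg_seen": bool(actions["internal_dns_to_external"]),
        "forwarder_leg_denied": any(a.startswith("Denied") for a in actions["internal_dns_to_external"]),
    }


if __name__ == "__main__":
    samples = (
        ("thread record only", THREAD_RECORD),
        ("thread record + constructed denied record", THREAD_RECORD + "\n" + CONSTRUCTED_DENIED_RECORD),
    )
    for label, text in samples:
        print(label, check_dns_path(text, {"10.1.1.5"}))
```

Run against the thread's record alone, the script reports the TMG-to-internal-DNS leg as seen and the forwarder leg as absent, which is the situation the reply above points out; if the Logging filter (protocol DNS, source Internal, destination External) turns up records with a "Denied" action on the second leg, the Access Rule is what is missing.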
