TMG PING (for preliminary setup) Denied by Default Rule despite PING Allow Rule

I am setting up TMG as preparatory for what will be a remote office firewall and site-to-site VPN to main office.  Specs: TMG 2010 SP2, Server 2008 R2, IBM x3550, LAN NIC for internal traffic, and WAN NIC for external.  WAN NIC is configured with ISP IP, GW, SNM and DNS.

I want to verify that the WAN NIC replies to PINGs in advance of setting up s-2-s VPN.  I have the Default Rule, and I have added a PING rule with:

Access Rule Name:        Ping
Action:                  Allow
Protocol:                PING
Access Rule Source:      All Networks (and Local Host)
Access Rule Destination: All Networks (and Local Host)
User Sets:               All Users

Firewall Policy looks like this:

Order  Name          Action  Protocols    From/Listener                  ....

1      Ping          Allow   PING         All Networks (and local host)  ....

Last   Default rule  Deny    All Traffic  All Networks (and local host)

When I start the server, I will receive PING responses from both internal and external computers for about 5 minutes, and then PING requests are denied.  Logging within TMG reveals the Default Rule is blocking the PING.

PING is not part of our long-term plan -- it is just what we thought would be an initial verification of the TMG setup.  Why would the Default Rule supersede the PING Rule that is above it?  Thanks in advance for your help!


  • Edited by gStorm Monday, January 30, 2012 7:13 PM
January 30th, 2012 10:13pm

Hi,

Thank you for the post.

“it is just what we thought would be an initial verification of the TMG setup” – you can run TMG BPA to verify the configuration. As for ping deny, is there any other device in front of TMG server?

Regards,

January 31st, 2012 11:58am

The ISP's router is in front of the TMG server, but the TMG log is recording that the Default Rule is denying the PING.
January 31st, 2012 5:56pm

Add the machine you are running the ping from to the Remote Management Computers object in the toolbox.

See line 11 on this article: http://technet.microsoft.com/en-us/library/cc995288.aspx

February 1st, 2012 1:03am

Thanks for the input.  I added my machine to the Remote Management Computers.  The behavior hasn't changed on this server, however.  After rebooting, the server will reply to pings for several minutes, then TMG begins denying the pings (TMG logging captures the Default Rule explicitly denying the PING messages).  After several minutes, the server will again reply to pings, and then stop replying to pings for good after several more minutes.

When it is replying to pings, I can also RDC to it from my box, but my RDC session is lost when TMG begins denying pings.

The behavior of the Default Rule superseding prior rules also occurs on Internet access from the LAN NIC.  Since my 1st post above, I created a rule to allow unrestricted Internet access from the Internal network.  When TMG is allowing ping requests, it is also allowing Internet access from the Internal network.  Internet access is blocked intermittently by the Default Rule in conjunction with it denying pings.

February 2nd, 2012 1:02am

If you have a look in the Alerts (Monitoring) is anything reported there when the TMG stops responding?
February 2nd, 2012 1:28am

Hi,

Thank you for the update.

“WAN NIC is configured with ISP IP, GW, SNM and DNS.” – please remove the DNS setting on the WAN NIC, and configure internal DNS on the internal NIC.  Then create an access rule to forward DNS requests to the ISP. In addition, do you get any error message after running TMG BPA?

Regards,

February 2nd, 2012 11:41am

BPA didn't give me any clues, but I was able to correlate "Configuration Storage Access Blocked" error messages, and "Revert to Last Known Configuration Succeeded" info messages within TMG to the stoppage of PING replies.

So, it turns out that having an internal DNS on the internal NIC is what was missing.  Without the internal DNS, my added rules were not applied, so the Default Rule came in to play.

With the internal DNS, my added rules actually get applied to the configuration storage so that the Default Rule isn't able to get in the way.

February 7th, 2012 11:16pm
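The diagnosis in the post above came from lining up the timestamps of TMG's "Configuration Storage Access Blocked" / "Revert to Last Known Configuration Succeeded" alerts with the moments the Default rule started denying PING. The script below is an added example, not part of the original thread and not TMG's own log format: it parses constructed, simplified log lines (the `ALLOW`/`DENY`/`ALERT` layout, the `rule=` field and the sample entries are all assumptions) and reports, for each Default-rule denial, whether a configuration-storage alert preceded it within a given window. Denials with no nearby alert are listed separately, since those would point at a genuine rule-ordering problem rather than a configuration-storage outage.

```python
"""Correlate TMG 'Default rule' denials with configuration-storage alerts.

Added example (not from the original thread). The log layout is constructed:
    <YYYY-MM-DD HH:MM:SS> <ALLOW|DENY|ALERT> <rest of line>
and is NOT the real TMG log format.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple

# Constructed sample log: the Ping rule works, a storage alert fires, and the
# Default rule takes over shortly afterwards; a final denial has no alert nearby.
SAMPLE_LOG = """\
2012-02-02 01:00:05 ALLOW PING rule=Ping src=10.0.0.5 dst=203.0.113.10
2012-02-02 01:00:35 ALLOW PING rule=Ping src=10.0.0.5 dst=203.0.113.10
2012-02-02 01:05:02 ALERT Configuration Storage Access Blocked
2012-02-02 01:05:07 ALERT Revert to Last Known Configuration Succeeded
2012-02-02 01:05:35 DENY PING rule=Default rule src=10.0.0.5 dst=203.0.113.10
2012-02-02 01:06:05 DENY PING rule=Default rule src=10.0.0.5 dst=203.0.113.10
2012-02-02 01:12:40 ALLOW PING rule=Ping src=10.0.0.5 dst=203.0.113.10
2012-02-02 02:30:00 DENY PING rule=Default rule src=198.51.100.7 dst=203.0.113.10
"""

# Alert texts taken from the thread; only these count as storage-related.
STORAGE_ALERTS = (
    "Configuration Storage Access Blocked",
    "Revert to Last Known Configuration Succeeded",
)

LINE_RE = re.compile(r"^(\S+ \S+) (ALLOW|DENY|ALERT) (.*)$")
RULE_RE = re.compile(r"rule=(.+?) src=")


class Event(NamedTuple):
    ts: datetime
    kind: str   # ALLOW, DENY or ALERT
    rest: str   # remainder of the line


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append(Event(ts, m.group(2), m.group(3)))
    return sorted(events, key=lambda e: e.ts)


def default_rule_denials(events: List[Event]) -> List[Event]:
    """Return only DENY entries that were matched by the Default rule."""
    out = []
    for e in events:
        if e.kind != "DENY":
            continue
        m = RULE_RE.search(e.rest)
        if m and m.group(1) == "Default rule":
            out.append(e)
    return out


def correlate(text: str, window: timedelta = timedelta(minutes=10)
              ) -> Tuple[List[Tuple[datetime, str, int]], List[datetime]]:
    """Split Default-rule denials into those preceded by a storage alert within
    `window` (explained: (deny time, alert text, seconds after alert)) and those
    with no such alert (unexplained: deny time)."""
    events = parse_log(text)
    alerts = [e for e in events if e.kind == "ALERT" and e.rest in STORAGE_ALERTS]
    explained, unexplained = [], []
    for d in default_rule_denials(events):
        prior = [a for a in alerts if a.ts <= d.ts and d.ts - a.ts <= window]
        if prior:
            a = prior[-1]  # most recent storage alert before this denial
            explained.append((d.ts, a.rest, int((d.ts - a.ts).total_seconds())))
        else:
            unexplained.append(d.ts)
    return explained, unexplained


if __name__ == "__main__":
    explained, unexplained = correlate(SAMPLE_LOG)
    for ts, alert, secs in explained:
        print(f"{ts}  Default rule denial  {secs:>4}s after '{alert}'")
    for ts in unexplained:
        print(f"{ts}  Default rule denial  no storage alert within window")
```

Run against a real export you would first adapt `LINE_RE` and `RULE_RE` to the columns of the TMG log you have; the correlation logic itself does not change. A denial that lands shortly after a storage alert is the symptom the thread describes (the rule set being replaced), while a run of unexplained denials means the rule itself, not the storage, needs attention.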

Why is internal DNS needed for firewall rules to apply??? I just don't understand how the DNS plays into the rules, can someone explain this for me? Are not the rules composed of IP addresses, Protocols, Time, and user information???


March 20th, 2013 10:05am

It did not work.

I installed TMG 2010 as an edge firewall. I can run the internet on the client machine, but after 3 to 4 minutes it stops working. I checked my TMG and it is not able to ping the local network.

Then after some time it starts pinging again automatically. Please help me out with this.

Thanks

Rahul Arora

October 14th, 2013 6:14am

This topic is archived. No further replies will be accepted.