Welcome to ISAserver.org

TMG Weird DNS on Demand Dial Device?

All Forums >> [Threat Management Gateway (TMG) 2010] >> General >> TMG Weird DNS on Demand Dial Device?
TMG Weird DNS on Demand Dial Device? - 17.Jan.2011 5:40:22 PM
rpainter

Hi all.
I am having a strange issue that has been going on for a while since I migrated to TMG. I have a site to site VPN between our two offices and it works fine. The issue is with my internal clients and internet browsing.

There seems to be a real latency when opening and using a browser session. My understanding is that FW and Web Proxy clients rely on the TMG server for DNS. I have my internal DNS listed on the internal NIC...Also the binding order is set to internal on top...

I have gone over everything I can think of and it "appears" that the TMG server is using the VPN Demand Dial (DDD) interface to look for a DNS server, which I think means that the DNS request is going up to my other office!
I think this because when I run nslookup on the TMG server it says that the default server is a DNS server in the other office...yikes!

I saw that this was an issue with a couple of people who responded to a blog by Deb Shinder, but I did not see a response...? here is that link:

http://blogs.isaserver.org/shinder/2008/05/04/dns-settings-for-the-forefront-threat-management-gateways-tmg-interfaces/


I have tried a "cheat" by putting the internal DNS IP address into the advanced section of the demand dial device, but this seems like a band-aid to me...Does anyone else have this issue, or know what is going on? Why is TMG using the DDD for its DNS?

Sorry if I have just boneheaded something really simple...

Russell
Post #: 1
RE: TMG Weird DNS on Demand Dial Device? - 18.Jan.2011 8:07:54 AM
paulo.oliveira

Hi,

Uncheck the option for TMG to register a record for its VPN interface in your internal DNS zone.
Make sure no interface other than the internal one has DNS servers configured. Clear the Windows DNS cache using ipconfig /flushdns and nbtstat -RR.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to rpainter)
Post #: 2
RE: TMG Weird DNS on Demand Dial Device? - 18.Jan.2011 11:39:01 AM
rpainter

Hi and thanks for the reply!

I have tried the flushdns several times..
Register DNS was unchecked already..
Ran nbtstat -RR..
The DNS servers were only on the internal NIC until I added my "fix" to the RRAS Site to Site Device...As soon as I added the DNS server IP to the RRAS Device, Internet browsing improved...

so, the problem still exists?


any help..?

(in reply to paulo.oliveira)
Post #: 3
RE: TMG Weird DNS on Demand Dial Device? - 18.Jan.2011 11:40:58 AM
rpainter

I think the real question here is:

Why is TMG using an RRAS demand dial device for its DNS????!!!!

(in reply to rpainter)
Post #: 4
RE: TMG Weird DNS on Demand Dial Device? - 18.Jan.2011 4:30:19 PM
paulo.oliveira

Hi,
quote:

the DNS servers were only on internal NIC until i added my "fix" to the RRAS Site to Site Device...As soon as I added the DNS server IP to the RRAS Device, Internet browsing improved...

TMG must have only one interface configured with a DNS server, and the internal interface must be first in the bind order. Check this article: http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html

quote:


No matter how many network adapters you have, only assign DNS servers to a single adapter (it doesn’t matter which one).  There is no need to set up DNS on all network adapters.

Source: http://technet.microsoft.com/en-gb/library/cc302590.aspx

This article is pretty cool: http://www.isaserver.org/tutorials/DNS_for_ISA_Server.html

Regards,
Paulo Oliveira.

(in reply to rpainter)
Post #: 5
RE: TMG Weird DNS on Demand Dial Device? - 18.Jan.2011 5:57:31 PM
rpainter

Paulo, I appreciate your responses.

I am concerned that you do not understand my question. I feel that I have a good understanding of how to set up DNS for TMG. I have been administrating ISA-TMG since before ISA2000 came out (MS Proxy Server 2).

That is why I set up a new post with the issue re-stated with a simple question.
I hope you will read the question again. I also added a link to a blog by Deb Shinder that has 2 comments from 2 different people with the same issue. The issue was not addressed in that blog. Here again is the link to that blog:

http://blogs.isaserver.org/shinder/2008/05/04/dns-settings-for-the-forefront-threat-management-gateways-tmg-interfaces/


I have a very typical setup with

1. An internal NIC (this has the internal DNS servers listed..I have a typical split-brain DNS setup here)
2. An external NIC (no DNS)

I also have a site to site VPN set up with my second office. This is set up with a PPTP Demand Dial interface (virtual...not a real piece of hardware..)...very typical...been doing this for years....

The issue is this:

TMG is using the Demand Dial Device to query DNS (On the TMG box, nslookup = default server = other office's DNS server!!) and when my internal clients try to browse the internet there is a long delay because the DNS being used is in an office 1000 miles away....

(The VPN device is getting its info from the other side's TMG server ...using dhcp settings...)

Simply put, somehow, it seems that TMG has the VPN device in the top of the binding order...? As if it were a real NIC ...


If we can assume for a minute that I correctly set up DNS for the TMG, then the question is:

Why is TMG using IP settings from the VPN interface?

thanks again!


Russell

(in reply to paulo.oliveira)
Post #: 6
RE: TMG Weird DNS on Demand Dial Device? - 19.Jan.2011 8:21:50 AM
paulo.oliveira

Hi Russell,

I got your point. I can't think of another option other than network bind order. Maybe it's worth opening a case with Microsoft.

Regards,
Paulo Oliveira.

(in reply to rpainter)
Post #: 7
RE: TMG Weird DNS on Demand Dial Device? - 25.Jan.2011 9:26:58 AM
tshinder

Is the problem that the VPN interface IP address is registered in DNS?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to paulo.oliveira)
Post #: 8
RE: TMG Weird DNS on Demand Dial Device? - 25.Jan.2011 12:13:09 PM
rpainter

Hi Tom, thanks for the response. No, this Device is not registered in DNS....As a reminder, I am having the EXACT SAME ISSUE that two other people reported (as comments) in Deb's Blog here:

http://blogs.isaserver.org/shinder/2008/05/04/dns-settings-for-the-forefront-threat-management-gateways-tmg-interfaces/


If you could take a look at that and think about it that would be great!

In the meantime, I temporarily "fixed" this by manually adding a static IP for an internal DNS server in the advanced section of the Site to Site VPN device...(RRAS-Demand Dial Interfaces)

The real question seems to be: Why is TMG taking DNS info from the VPN device?

In my case, the VPN device gets its IP info from the other side's DHCP....And somehow, TMG is using this for its own DNS ?




Also, I wonder if this is related to another issue I saw with a VPN device added into a corrupted WPAD entry...But I don't use WPAD..I am in progress of researching that issue...


Russell

(in reply to tshinder)
Post #: 9
RE: TMG Weird DNS on Demand Dial Device? - 25.Jan.2011 3:11:03 PM
Frightener

Hi Russell,

I think I have the same issue. I have TMG set up as VPN server. Once the first client connects, I'm no longer able to resolve external addresses. I noticed that IE was trying to connect to an unknown internal IP address which I found out was TMG's 'PPP adapter RAS (Dial IN) Interface'.

EDIT:
I found the following in my proxy script:
Here I found the PPP adapter's address 10.0.20.10! Can I simply change this address to TMG's internal address 10.0.254.254?

Florian

//Copyright (c) 1997-2006 Microsoft Corporation
BackupRoute="DIRECT";
UseDirectForLocal=true;
ConvertUrlToLowerCase=false;
function MakeIPs(){
this[0]= new IpSubnet("127.0.0.0", "255.0.0.0", "127.0.0.0/8");
this[1]= new IpSubnet("10.0.0.0", "255.255.0.0", "10.0.0.0/16");
}
DirectIPs=new MakeIPs();
cDirectIPs=2;
function MakeCARPExceptions(){
this[0]="*.windowsupdate.com";
this[1]="windowsupdate.microsoft.com";
this[2]="*.windowsupdate.microsoft.com";
this[3]="*.update.microsoft.com";
this[4]="download.windowsupdate.com";
this[5]="download.microsoft.com";
this[6]="*.download.windowsupdate.com";
this[7]="wustat.windows.com";
this[8]="ntservicepack.microsoft.com";
this[9]="forefrontdl.microsoft.com";
}
CARPExceptions=new MakeCARPExceptions();
cCARPExceptions=10;
function MakeNames(){
this[0]="*.brennerweb.tld";
this[1]="*.brennerweb.tld";
}
DirectNames=new MakeNames();
cDirectNames=2;
HttpPort="8080";
cNodes=1;
function MakeProxies(){
this[0]=new Node("10.0.20.10",2560083413,1.000000);
}
Proxies = new MakeProxies();
function Node(name, hash, load){
this.name = name;
this.hash = hash;
this.load = load;
this.score = 0;
return this;
}


< Message edited by Frightener -- 25.Jan.2011 3:34:17 PM >

(in reply to rpainter)
Post #: 10
RE: TMG Weird DNS on Demand Dial Device? - 26.Jan.2011 8:04:08 AM
tshinder

quote:

ORIGINAL: Frightener (Post #10, quoted in full)

This is a known issue and I don't think they have it fixed yet. If you call CSS it will increase the priority of getting it fixed.

Thanks!
Tom

(in reply to Frightener)
Post #: 11
RE: TMG Weird DNS on Demand Dial Device? - 26.Jan.2011 8:05:10 AM
tshinder

Hi Russell,

Interesting! What DNS server is being picked up by the VPN interface?

Thanks!
Tom

(in reply to rpainter)
Post #: 12
RE: TMG Weird DNS on Demand Dial Device? - 1.Feb.2011 2:23:08 PM
rpainter

Hi Tom, sorry for the delay...coming back around to this: when I first started this thread, the (site to site) VPN device was getting its info from the DHCP in the other office...so, the DNS server was from there. Also, here in my "home" office, nslookup on the local TMG server was giving the DNS server from the other office as its default server. strange!...And, as a result (IMHO) ..my local internal web clients were getting a long delay in getting out to the internet for browsing...I assume because DNS resolution was coming from the other office's DNS server...?

I have added a static IP for a local-internal DNS server into the props of the (S2S) VPN device...
(other info is still from DHCP)...now, nslookup on the local TMG is the internal DNS server...?????..this is the main issue-question!!!



as a side note, the IP of the "function MakeProxies" setting in the routing script is NOT the IP of the internal NIC of the TMG server as I would have expected (which is also the GW)...it is another internal IP...actually it is the address of the "internal" device in RRAS...?

I do not use the routing script..meaning I have internal clients as secureNAT or FW-Proxy clients....NOT using a script(or wpad...)..

Everything seems to be a little jacked up...but maybe I am just messing some simple thing up..?


...sigh...

Russell

(in reply to tshinder)
Post #: 13
RE: TMG Weird DNS on Demand Dial Device? - 4.Feb.2011 12:49:50 AM
Frightener

Hi Tom,

I finally got my problem solved by running a script found at MS replacing the IP with the FQDN in the above file.

Thanks for your help.

Florian

(in reply to tshinder)
Post #: 14
RE: TMG Weird DNS on Demand Dial Device? - 8.Feb.2011 4:40:17 PM
tshinder

Hi Florian,

That's right - the problem you were having is related to the fact that after the VPN client connects to the TMG VPN server, the autoconfiguration script puts in the IP address of the VPN virtual interface of the TMG firewall - and then web proxy clients try to connect to that address (if they are using the autoconfiguration script) and fail to connect to the TMG firewall's web proxy service because the web proxy listener isn't listening on that address, which may or may not be reachable to the internal clients.

HTH,
Tom

(in reply to Frightener)
Post #: 15
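A check for the autoconfiguration-script problem Tom describes in the post above, as an added example (not code from any poster, from Microsoft or from the TMG product): it extracts the proxy node address(es) the script hands to Web Proxy clients and compares them with the web proxy listener address. The sample script text is constructed from the fragment Florian posted; the listener address 10.0.254.254 is the internal address he quoted, the host name in the URL comment is a placeholder, and the array.dll?Get.Routing.Script path is the standard ISA/TMG script location.

```powershell
# Added example (not from any poster): check that the proxy node address in a TMG/ISA
# autoconfiguration script is a web proxy listener address. Tom's explanation above is
# that after a VPN client connects, the script can hand out the VPN virtual interface
# address instead, so clients using the script cannot reach the proxy.
# Assumes PowerShell 2.0+. $ListenerAddresses is the internal address Florian quoted.
param(
    [string]$ScriptUrl = "",   # e.g. http://<tmg-host>:8080/array.dll?Get.Routing.Script
    [string[]]$ListenerAddresses = @("10.0.254.254")
)

function Get-PacProxyNodes {
    param([string]$PacText)
    # The script lists one array member per line: this[n]=new Node("<name>",<hash>,<load>);
    [regex]::Matches($PacText, 'new Node\("([^"]+)"') | ForEach-Object { $_.Groups[1].Value }
}

function Test-PacProxyNodes {
    param([string[]]$Nodes, [string[]]$Allowed)
    # Return every node name that is not one of the listener addresses.
    $bad = @()
    foreach ($n in $Nodes) {
        if ($Allowed -notcontains $n) { $bad += $n }
    }
    return $bad
}

if ($ScriptUrl) {
    $pac = (New-Object System.Net.WebClient).DownloadString($ScriptUrl)
} else {
    # Constructed sample, reduced from the script fragment posted in this thread.
    $pac = @'
HttpPort="8080";
cNodes=1;
function MakeProxies(){
this[0]=new Node("10.0.20.10",2560083413,1.000000);
}
Proxies = new MakeProxies();
'@
}

$nodes = @(Get-PacProxyNodes -PacText $pac)
$bad = @(Test-PacProxyNodes -Nodes $nodes -Allowed $ListenerAddresses)
if ($bad.Count -eq 0) {
    "OK: proxy node(s) $($nodes -join ', ') match the web proxy listener."
} else {
    "WARNING: script hands clients $($bad -join ', '), which is not a listener address (RAS/PPP interface?)."
}
```

Run with no arguments it evaluates the constructed sample and reports 10.0.20.10 as a non-listener address; pass -ScriptUrl to check a live TMG array.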
RE: TMG Weird DNS on Demand Dial Device? - 21.Feb.2011 5:35:32 AM
Marsdy

Hi, I am having the exact same problem which is basically a TMG server with
- Internal NIC with DNS server set to itself and that NIC at top of binding order
- External NIC with no DNS config
- Site-2-Site VPNs
Running nslookup from the command line shows it connecting to the site-2-site VPN DNS servers.

Interestingly if I do an ipconfig /all then the VPN networks all appear at the top of the list

If I then change the DNS server on my Internal NIC to be 127.0.0.1 rather than the actual IP then that NIC appears at the top of the list and DNS works correctly (nslookup goes to 127.0.0.1)

However, if I then disconnect and reconnect one of the site-2-site VPNs it goes to the top of the list again and DNS goes down that VPN

So basically as soon as a VPN connects, it is put at the top of  the list of DNS servers to try

Not sure that helps anyone try and figure out a solution. 

BTW, I can't use your workaround of setting the DNS servers on the VPNs manually as the config in RRAS gets overwritten by the TMG server and I can't see a way of setting it in TMG.

(in reply to rpainter)
Post #: 16
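A check for the rule Paulo states (only one interface, the internal NIC, carries DNS servers) and the symptom Russell and Marsdy report (a connected RAS/demand-dial interface showing up with DNS servers), as an added example that is not from any poster: it lists every IP-enabled adapter that has DNS servers set and flags PPP/RAS interfaces and servers outside the expected list. The expected server address is a constructed placeholder.

```powershell
# Added example (not from any poster): audit which IP-enabled adapters on a TMG host
# carry DNS servers. The rule stated in the thread is that exactly one adapter, the
# internal NIC, lists DNS servers; a RAS/PPP demand-dial interface that shows DNS
# servers learned from the remote site's DHCP is the symptom reported above.
# Assumes PowerShell 2.0+ with WMI (Windows Server 2008 R2). $ExpectedDnsServers
# is a constructed placeholder; replace it with the internal DNS server addresses.
param(
    [string[]]$ExpectedDnsServers = @("10.0.254.254")
)

function Get-DnsBearingAdapters {
    # Every IP-enabled adapter (physical, virtual or PPP) with at least one DNS server set.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        Where-Object { $_.DNSServerSearchOrder -and $_.DNSServerSearchOrder.Count -gt 0 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Description = $_.Description
                IPAddress   = ($_.IPAddress -join ", ")
                DnsServers  = @($_.DNSServerSearchOrder)
                # RAS dial-in and demand-dial interfaces appear as PPP / WAN Miniport adapters.
                IsPpp       = [bool]($_.Description -match "PPP|WAN Miniport|RAS")
            }
        }
}

function Test-DnsAdapterPolicy {
    param([object[]]$Adapters, [string[]]$Expected)
    $findings = @()
    if ($Adapters.Count -ne 1) {
        $findings += "Expected exactly one adapter with DNS servers, found $($Adapters.Count)."
    }
    foreach ($a in $Adapters) {
        if ($a.IsPpp) {
            $findings += "RAS/PPP interface '$($a.Description)' carries DNS servers $($a.DnsServers -join ', ')."
        }
        foreach ($s in $a.DnsServers) {
            if ($Expected -notcontains $s) {
                $findings += "Adapter '$($a.Description)' points at unexpected DNS server $s."
            }
        }
    }
    return $findings
}

$adapters = @(Get-DnsBearingAdapters)
$adapters | Format-Table Description, IPAddress, IsPpp, @{n="DnsServers";e={$_.DnsServers -join ", "}} -AutoSize
$findings = @(Test-DnsAdapterPolicy -Adapters $adapters -Expected $ExpectedDnsServers)
if ($findings.Count -eq 0) { "OK: only the expected adapter carries the expected DNS servers." }
else { $findings | ForEach-Object { "WARNING: $_" } }
# Cross-check with 'nslookup' (Default Server) and 'ipconfig /all', as the posters did.
```

Run it once with the site-to-site VPN disconnected and again after it connects; a PPP/WAN Miniport entry appearing with the remote office's DNS servers reproduces what Marsdy saw in ipconfig /all.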
