Note: After working on this case, I got curious, did some lab work and found a few interesting things which show that the observations below are really rare; you will run into the following scenario very rarely and do not have to go through all of this. I will describe my lab observations in the next post, which will explain that the Network Connector configuration is very simple and that a lot of the work mentioned here is not required.
I recently worked on a case where a UAG admin had configured the Network Connector for Windows clients earlier than Windows 7, in this case Windows XP clients, for remote access. But the Windows XP clients were not able to make a remote access connection. The admin observed in the TMG live logs that, for traffic coming from these Windows XP clients, TMG was denying the traffic with the explanation "network rules denied traffic". The customer had configured the Network Connector settings properly in UAG.
He had also configured a TMG access rule as explained below, and configured an address range (IP address range) in TMG for the Windows XP clients.
To add a Forefront TMG access rule
Address range for Windows XP clients, as shown below.
This rule was also configured properly; still the TMG logs said the traffic was denied by network rules. Taking the hint from this error in the TMG logs, I checked the TMG network rules and found there was no network rule in TMG defining the network relationship between the address range for the Windows XP clients and the Internal network of TMG. For TMG it is very important to first define the networks and address ranges (or any other network object in TMG) and then define the network relationship between them if we want to allow access between these network objects. In this case we needed to define a Route relationship between the address range for the Windows XP clients and the Internal network of TMG, as shown in the snapshots below as an example.
Note: A discussion of when to use NAT between two networks or network objects and when to use Route is beyond the scope of this post. In very few words: for general access between two networks where source and destination machines can see each other's source IP address, you can use a Route relationship between them. In a scenario where it is important to hide one network's machines' source IPs from the other network, for example a small internal network using private addressing (which is not routable on the Internet), 192.168.1.0-192.168.1.255, connected to the Internet through TMG whose external interface has a public IP routable on the Internet, we use NAT between the Internal and External networks to hide all the private IP addresses going out to the Internet through TMG, since TMG will send the traffic out with its own IP address as the source IP.
Steps to create a network rule
3. We will get the following screen, where we choose the WinXP clients address range as the source and then click Next.
4. We will get the following screen, where we add the Internal network as the destination and then click Next.
5. We will get the following screen, where we define the relationship between the two network objects, in this case a Route relationship, and then click Next.
6. We will then get the following screen to finish the network rule creation. After finishing, apply the changes on TMG.
Then we can see the relationship between the network objects, i.e. the WinXP clients address range and the Internal network, in the Network Rules window as Route.
Once we had configured this relationship, the Windows XP clients were able to make a remote access connection using the Network Connector.
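To make the point of this post concrete, here is an added example (my own illustration, not TMG code or anything from UAG) that models how TMG looks for a network rule between a source and destination before the access rules matter at all. The object names, the rule names and all addresses are constructed for the example; the first rule that matches the source/destination pair wins, and with no match the traffic is reported the way the TMG log did here.

```python
"""Simplified model of TMG network-rule evaluation (added example, not TMG's own code).
TMG needs a network rule (Route or NAT) covering source and destination before any
access rule can allow traffic; without one the log shows 'denied by network rules'.
All names and addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Network objects: TMG networks and address ranges (constructed sample addresses).
NETWORK_OBJECTS = {
    "Internal": ["10.0.0.0/8"],
    "External": ["0.0.0.0/0"],                          # everything not otherwise defined
    "WinXP clients": ["192.168.50.1-192.168.50.100"],   # address range created for XP clients
}

@dataclass
class NetworkRule:
    name: str
    sources: list          # names of network objects
    destinations: list     # names of network objects
    relationship: str      # "Route" or "NAT"

def _to_networks(spec):
    """Accept CIDR ('10.0.0.0/8') or a TMG-style range ('a.b.c.d-e.f.g.h')."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec)]

def _in_object(obj_name, addr):
    return any(addr in net for spec in NETWORK_OBJECTS[obj_name] for net in _to_networks(spec))

def evaluate_network_rules(rules, src_ip, dst_ip):
    """Return the relationship of the first rule (in order) whose source and
    destination objects contain the pair, or the denial reason seen in the log."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (any(_in_object(s, src) for s in rule.sources)
                and any(_in_object(d, dst) for d in rule.destinations)):
            return rule.relationship
    return "denied by network rules"

# Before the fix: only the usual Internal -> External NAT rule exists.
BEFORE = [NetworkRule("Internet Access", ["Internal"], ["External"], "NAT")]
# After the fix: the Route rule from the steps above, ahead of the broader NAT rule.
AFTER = [NetworkRule("WinXP to Internal", ["WinXP clients"], ["Internal"], "Route")] + BEFORE

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, evaluate_network_rules(rules, "192.168.50.10", "10.1.2.3"))
```

Running it prints "denied by network rules" for the XP client before the route rule exists and "Route" afterwards, while an address outside the XP range stays denied regardless of the access rule.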