Internal networks cannot reach TMG Forefront 2010 (Hyper-V environment)

Here is my environment:

I have a physical machine running Windows 2008 R2 with the Hyper-V role. This machine has 3 physical NICs:

  • one for the Internet
  • one for the internal network
  • one dedicated to the wireless network

All 3 have their own virtual network in Hyper-V, and I have one additional private virtual machine network that serves as the DMZ network.
On one of the VMs I installed TMG Forefront 2010 SP1, and all 4 networks are available to it. Here is IPCONFIG /ALL on the firewall:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : FRW-EXP1-02
   Primary Dns Suffix  . . . . . . . : exp1.eti.br
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : exp1.eti.br

Ethernet adapter Internet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #4
   Physical Address. . . . . . . . . : 00-15-5D-01-06-0E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::6d05:6033:4cfc:bdf5%15(Preferred)
   IPv4 Address. . . . . . . . . . . : 189.100.110.xxx(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Lease Obtained. . . . . . . . . . : quarta-feira, 5 de janeiro de 2011 11:17:24
   Lease Expires . . . . . . . . . . : quarta-feira, 5 de janeiro de 2011 16:07:02
   Default Gateway . . . . . . . . . : 189.100.96.xxx
   DHCP Server . . . . . . . . . . . : 201.6.2.43
   DHCPv6 IAID . . . . . . . . . . . : 436213085
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6D-75-6F-00-15-5D-01-06-0B
   DNS Servers . . . . . . . . . . . : 201.6.2.163
                                       201.6.2.43
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Rede Interna:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #3
   Physical Address. . . . . . . . . : 00-15-5D-01-06-0C
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::51ff:4723:ce4c:bbc3%14(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.50.75.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 352327005
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6D-75-6F-00-15-5D-01-06-0B
   DNS Servers . . . . . . . . . . . : 10.50.75.1
                                       10.50.75.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter DMZ:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #2
   Physical Address. . . . . . . . . : 00-15-5D-01-06-0A
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::d4c5:75cf:e9aa:73e1%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.10.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 301995357
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6D-75-6F-00-15-5D-01-06-0B
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Wireless:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-01-06-0B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::459:8ca6:d02:8da1%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 234886493
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-6D-75-6F-00-15-5D-01-06-0B
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

I have the following networks in Forefront:

External: IP addresses external to the Forefront TMG Networks
Internal: 10.50.75.0 - 10.50.75.255
Local Host:
Perimiter: 192.168.10.0 - 192.168.10.255
Wireless: 192.168.1.0 - 192.168.1.255

In the network rules I have:

1 => Route => Local Host => All Networks
2 => Route => Quarantined; VPN => Internal
3 => NAT => Internal; VPN => Perimiter
4 => NAT => Internal; Perimiter; Quarantined; VPN; Wireless => External

My problem is that I can only communicate with the Internal and External networks. If I ping www.google.com or 10.50.75.21 from the Forefront VM, I get replies without any problem. If I try to ping a machine on the Perimeter or Wireless network, it is not routed back to Forefront, which is the default gateway on all networks. Here are sample pings:

PS C:\Users\Administrator.TPB1> ping www.google.com

Pinging www.l.google.com [64.233.163.104] with 32 bytes of data:
Reply from 64.233.163.104: bytes=32 time=11ms TTL=58
Reply from 64.233.163.104: bytes=32 time=8ms TTL=58

Ping statistics for 64.233.163.104:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 8ms, Maximum = 11ms, Average = 9ms
Control-C
PS C:\Users\Administrator.TPB1> ping 10.50.75.21

Pinging 10.50.75.21 with 32 bytes of data:
Reply from 10.50.75.21: bytes=32 time=1ms TTL=128
Reply from 10.50.75.21: bytes=32 time=1ms TTL=128
Reply from 10.50.75.21: bytes=32 time=1ms TTL=128
Reply from 10.50.75.21: bytes=32 time=1ms TTL=128

Ping statistics for 10.50.75.21:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
PS C:\Users\Administrator.TPB1> ping 192.168.10.3

Pinging 192.168.10.3 with 32 bytes of data:
Reply from 192.168.10.1: Destination host unreachable.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.10.3:
    Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
PS C:\Users\Administrator.TPB1>

Pinging 192.168.10.3 gives "destination host unreachable". Here is the ipconfig of the perimeter VM:

PS C:\Users\Administrator.Administrator> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : app-exp1-02
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Unkown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-01-06-08
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.10.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 201.6.2.163
                                               201.6.2.43

Trying to ping 192.168.10.1 (the gateway) from the DMZ machine does not work either. When I monitor packets from the Wireless and Perimeter networks with Logs & Reports, I do not see any of the PING or HTTP packets I tried to send. But I do get a lot of spoofing messages for NETBIOS broadcasts... as if Forefront thinks they come from a different network, but I don't know why. Please help!

Thanks

Answer 1
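The spoofing entries mentioned above are worth checking mechanically: TMG attributes a packet to the network that owns the address range of the adapter it arrived on, so an adapter whose subnet is not fully covered by one of the defined network ranges has its traffic classified as External, a common cause of "spoofing" log entries. The following script is an added example, not part of the question or of Microsoft's tooling: it parses `ipconfig /all` output and checks each adapter's subnet against TMG network ranges. The sample input is a trimmed copy of the firewall's ipconfig above with a constructed host address in place of the masked Internet IP; the mismatched definition used in the second check is constructed as well.

```python
import ipaddress
import re

# Constructed sample: trimmed copy of the firewall's "ipconfig /all" from the question
# (the masked Internet address is replaced with a made-up host address).
IPCONFIG = """\
Ethernet adapter Internet:
   IPv4 Address. . . . . . . . . . . : 189.100.110.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0

Ethernet adapter Rede Interna:
   IPv4 Address. . . . . . . . . . . : 10.50.75.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

Ethernet adapter DMZ:
   IPv4 Address. . . . . . . . . . . : 192.168.10.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

Ethernet adapter Wireless:
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

# TMG network definitions as listed in the question ("External" is implicit:
# every address not owned by another network).
TMG_NETWORKS = {
    "Internal": ("10.50.75.0", "10.50.75.255"),
    "Perimiter": ("192.168.10.0", "192.168.10.255"),
    "Wireless": ("192.168.1.0", "192.168.1.255"),
}


def parse_ipconfig(text):
    """Return {adapter name: IPv4Interface} parsed from 'ipconfig /all' output."""
    adapters = {}
    name = addr = mask = None
    for line in text.splitlines():
        m = re.match(r"^\S.*adapter (.+):\s*$", line)
        if m:
            name, addr, mask = m.group(1), None, None
            continue
        m = re.match(r"^\s+IPv4 Address[ .]*: (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            addr = m.group(1)
        m = re.match(r"^\s+Subnet Mask[ .]*: (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            mask = m.group(1)
        if name and addr and mask:
            # Convert the dotted mask to a prefix length by counting set bits.
            prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
            adapters[name] = ipaddress.ip_interface(f"{addr}/{prefix}")
            addr = mask = None
    return adapters


def tmg_ranges(defs):
    """Turn TMG 'start - end' address ranges into lists of CIDR networks."""
    return {name: list(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)))
            for name, (lo, hi) in defs.items()}


def check_network_mapping(adapters, defs):
    """Map each adapter subnet to the TMG network that fully contains it.

    Returns (mapping, findings). A subnet that no range fully covers falls back
    to External; partial overlaps and private subnets left uncovered are
    reported, as are TMG networks that end up with no adapter at all."""
    ranges = tmg_ranges(defs)
    mapping, findings = {}, []
    for adapter, iface in adapters.items():
        subnet = iface.network
        owner = next((n for n, nets in ranges.items()
                      if any(subnet.subnet_of(net) for net in nets)), None)
        if owner is None:
            partial = [n for n, nets in ranges.items()
                       if any(subnet.overlaps(net) for net in nets)]
            if partial:
                findings.append(f"{adapter} ({subnet}) only partially overlaps "
                                f"TMG network {partial[0]}")
            elif subnet.is_private:
                findings.append(f"{adapter} ({subnet}) is private but belongs "
                                f"to no TMG network")
            owner = "External"
        mapping[adapter] = owner
    for name in ranges:
        if name not in mapping.values():
            findings.append(f"TMG network {name} has no adapter")
    return mapping, findings


if __name__ == "__main__":
    mapping, findings = check_network_mapping(parse_ipconfig(IPCONFIG), TMG_NETWORKS)
    for adapter, network in mapping.items():
        print(f"{adapter:14} -> {network}")
    print("findings:", findings or "none")
```

Run against the question's own values the script reports no findings, which matches the answer below: the definitions are consistent with the adapters, so the fault lies with the virtual NIC binding rather than the address ranges. Narrowing the Perimiter range to half the subnet makes the DMZ adapter fall back to External and produces two findings, which is the kind of mismatch to rule out before touching the VM hardware.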

When everything looks right, it probably is!!!
I solved it by removing the Wireless and Perimeter networks from Forefront, then shutting down the VM, then removing the NICs from the Forefront VM, then starting it, shutting it down, re-adding the NICs, starting it, using a different subnet (don't know if this step was necessary, but I did it anyway), starting it, and re-adding the networks to Forefront.
After all of that, it started working. Traffic from Perimeter and Wireless started being recognized by Forefront, and packets started flowing the way they should, with the same configuration as before.
