[isalist] Re: Can't get my DPM servers to communicate over TMG-based VPN

  • From: Rob Moore <RMoore@xxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 27 Mar 2012 11:16:16 -0400

Hi all-

Well, the good news is the problem is solved. The bad news is, it was not a 
routing problem. Sorry, Jim. (I never really believed that anyway, since I 
could do everything (ping, RDP, open shared folders, etc.) across the VPN, except 
get DPM to communicate.)

I ended up calling MS Support. They spent about four hours working on it, 
figuring out what the problem was, and then another hour or so implementing the 
fix. The problem was the RPC filter. If we disabled the filter, the problem 
went away. But obviously we didn't want to disable the RPC filter. But there 
was no indication of a problem in the TMG console when monitoring the traffic 
in Logs & Reports. So the MS tech captured the traffic while we tried to sync. 
He figured out that he needed to edit the RPC filter and add in a bunch of 
UUIDs. Then we had to stop and restart the VPN. Finally everything worked.

I can't tell you why nothing appeared in the TMG console when monitoring.

Anyway, it's working now.

Thanks,
Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Monday, March 19, 2012 4:18 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Can't get my DPM servers to communicate over TMG-based 
VPN

Rob,

Glad you find the book useful...
Have you tried using a netcap tool to see if the traffic from DPM1 is reaching 
DPM2 and vice versa?
99 times out of 10, if nothing is obviously being blocked by TMG, it's a 
routing issue.

Jim

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Monday, March 19, 2012 11:25 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Can't get my DPM servers to communicate over TMG-based VPN

Any idea why my two DPM servers (the primary here in the home site and the 
secondary at a remote site) won't communicate over my TMG VPN? I can RDP to the 
remote DPM server, I can ping both ways on the VPN, but when I try to get the 
remote DPM server to talk with the primary DPM server, the secondary DPM says 
the primary agent is "Unavailable." I can't see any errors on TMG, but I may 
not be monitoring the right thing.

I set the VPN up according to Jim's book, Microsoft Forefront Threat Management 
Gateway (TMG) Administrator's Companion. The VPN seems to be working.

Thanks,
Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Helpdesk: 800-500-AFSC
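The step Rob's MS tech took in the reply at the top of this thread, capturing the failing traffic and reading out the RPC interface UUIDs that the TMG RPC filter needs, can be scripted: the parser below pulls the abstract-syntax UUIDs from a captured DCE/RPC bind PDU. This is an added example, not code from the thread or from Microsoft; the sample bind is constructed here with the well-known Endpoint Mapper and LSARPC interface UUIDs, not DPM's own, which the thread does not list.

```python
import struct
import uuid

# Constants from the DCE 1.1 RPC specification (connection-oriented PDUs).
PTYPE_BIND = 11
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")


def parse_bind_interfaces(pdu: bytes):
    """Return [(interface_uuid, major, minor), ...] requested in a bind PDU.

    These abstract-syntax UUIDs are what an RPC-aware filter matches on, so a
    capture of a failing connection shows exactly which ones a client asks for.
    """
    if len(pdu) < 28:
        raise ValueError("PDU too short for a DCE/RPC bind header")
    rpc_vers, _minor, ptype, _flags = pdu[0:4]
    if rpc_vers != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if not pdu[4] & 0x10:  # packed_drep: bit 4 set means little-endian ints
        raise ValueError("big-endian data representation not handled here")
    frag_length = struct.unpack_from("<H", pdu, 8)[0]
    if frag_length > len(pdu):
        raise ValueError("truncated fragment")
    # Header (16) + max_xmit/max_recv/assoc_group (8) + n_context_elem + pad
    n_ctx, off, found = pdu[24], 28, []
    for _ in range(n_ctx):
        _ctx_id, n_transfer = struct.unpack_from("<HB", pdu, off)
        off += 4  # p_cont_id(2) + n_transfer_syn(1) + reserved(1)
        if off + 20 + 20 * n_transfer > frag_length:
            raise ValueError("context element runs past the fragment")
        iface = uuid.UUID(bytes_le=pdu[off:off + 16])  # DCE mixed-endian UUID
        major, minor = struct.unpack_from("<HH", pdu, off + 16)
        off += 20 + 20 * n_transfer  # skip transfer syntaxes (uuid + version)
        found.append((str(iface), major, minor))
    return found


def build_bind(interfaces, call_id=1):
    """Build a minimal bind PDU (constructed sample input, one NDR syntax)."""
    ctx = b""
    for i, (iface, major, minor) in enumerate(interfaces):
        ctx += struct.pack("<HBB", i, 1, 0)
        ctx += uuid.UUID(iface).bytes_le + struct.pack("<HH", major, minor)
        ctx += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)
    body = struct.pack("<HHIBBH", 5840, 5840, 0, len(interfaces), 0, 0) + ctx
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,
                         b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return header + body


# Constructed sample: a bind for the Endpoint Mapper interface (well-known
# UUID), standing in for the DPM interfaces the thread does not name.
SAMPLE_BIND = build_bind([("e1af8308-5d1f-11c9-91a4-08002b14a0fa", 3, 0)])
```

Feeding each bind PDU from the capture through parse_bind_interfaces gives the list of interface UUIDs to compare against the RPC filter's allowed set.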
