TMG Learning (1), Web proxy client

 

TMG default situation:

1. http/https is enabled by default after the TMG wizard is completed.

2. By default, TMG's system policy has enabled DNS traffic for TMG (local host ).

2. After TMG is installed by default, the client cannot ping the local TMG host.

 

Objectives:

Win7 Web proxy client can access the Internet

 

Solution:

1. DC is configured as a SecureNAT client, and dc dns points to itself by default. The DNS configured for DC is forwarded to the public network DNS server, because the SecureNAT client cannot forward DNS requests to TMG by default, therefore, the firewall needs to create a new firewall policy to open the internal network to external DNS traffic, also to ping the external network to open the ping, so as to test the network

2. The win7 client has already added domain DNS to direct to the DC, so there is no problem with DNS resolution.

3. The Web proxy is enabled for TMG by default, and the win7 client is configured as a Web proxy client, so that win7 can access the Internet.

 

Configure dc dns forwarding

 

Allow the internal network to ping the local TMG host and directly open the system policy.

 

This option configures the ping from the selected host to TMG.

 

Add internal network

 

Open the DNS traffic and Ping from the internal network to the external network

 

Make sure that the Web Proxy of TMG is enabled.

 

Configure win7 client to Web proxy client

 

DNS of Win7 Client points to DC

 

Win7 is a Web proxy client. Therefore, after accessing Baidu, it directly establishes a connection with TMG instead of external Baidu.

 

 

For example, to access Baidu on DC, Because DC is a SecureNAT client, it is directly connected to port 80 of Baidu.

 

Conclusion: The Access to Baidu is the same, but the connections established by different clients are indeed different. In addition, the Web proxy client has DNS traffic forwarding, which means that the Web proxy client can not be configured with DNS, by default, TMG's system policy opens its own DNS traffic. Therefore, the Web proxy client can access the website without configuring DNS.