Newly added Network adapter not showing up in RRAS with Forefront TMG


Recently I came across a situation where one of our customers using Forefront TMG could not add a static route in RRAS based on a newly added network adapter.

In this post, I will describe the steps required to get the adapter available in RRAS.

Symptom

After adding a new network adapter (called LAN2 in this post) to a server with Forefront TMG 2010 installed, the new adapter is listed under “Control Panel\Network and Internet\Network Connections”, but it does not appear under “Network Interfaces” in the Routing and Remote Access (RRAS) console.

Therefore, it is not possible to add a new static route through the new interface (LAN2), because it is not offered in the Interface list box (Figure 1).

Figure 1

Any other RRAS setting that relies on the newly added interface is likewise not possible.

How to get the new network adapter to show up?

Here is an example (Windows Server 2008 R2 / TMG 2010 SP2):

1. Before adding the extra network adapter, the server has 2 NICs (LAN and WAN) (Figure 2).

Figure 2

2. Right after adding the new LAN2 adapter and restarting the TMG server, LAN2 shows up in “Network Connections” (Figure 3) but not in the RRAS Network Interfaces (Figure 4).

Figure 3

Figure 4

Note that all 3 NICs are visible in the TMG console (Networking\Network adapters).

To make the new network adapter LAN2 available in RRAS, follow the steps below.

3. Disable Routing and Remote Access (Figure 5).

Figure 5

4. Configure and Enable Routing and Remote Access (Figure 6).

Figure 6

5. Then choose “Custom configuration” and “LAN routing” (Figure 7 and Figure 8).

Note: What you choose here is not really important, as TMG will overwrite it later on.

Figure 7

Figure 8

6. If prompted, agree to start the service (Figure 9).

Figure 9

7. The new network interface LAN2 is now available in RRAS (Figure 10).

Therefore, adding a static route through LAN2 is now possible.

Figure 10

8. Routing and Remote Access is back online, but the RRAS configuration was reset. Therefore we have to reapply the TMG RRAS settings stored in the TMG configuration.

As you may know, Forefront TMG takes over the Routing and Remote Access settings with its own configuration. (To learn more about this behavior, see http://technet.microsoft.com/en-us/library/ee796231.aspx#hbsdfghserrty5.)

The trick here is to modify any setting in the TMG configuration and then apply the change. For instance, you can simply add a description to an Access rule.

Forefront TMG will then overwrite the Routing and Remote Access settings with its own “good” configuration.

Now we have the “good” RRAS configuration back, and the newly added interface can be used in RRAS.
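As an added example, not part of the original post or of TMG itself, the following PowerShell check compares the adapters that Windows lists under Network Connections with the interfaces RRAS has registered, so a newly added NIC such as LAN2 that RRAS does not know about is spotted before anyone tries to add a static route on it. It assumes (not confirmed by the post) that RRAS keeps its interface list under HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Interfaces\<n>, with an InterfaceName string value per subkey holding either the connection name or the adapter GUID; the function names are hypothetical and the script uses WMI so that it also runs on PowerShell 2.0 on Windows Server 2008 R2.

```powershell
# Added example (not from the original post): report adapters present in Windows
# but not registered with RRAS. Run in an elevated PowerShell on the RRAS/TMG server.
# Assumption: RRAS stores its interfaces as numbered subkeys under this key, each
# with an InterfaceName value (connection name or adapter GUID).
$rrasKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Interfaces'

function Get-OsAdapter {
    # Adapters that have an entry in Network Connections (NetConnectionID is set).
    Get-WmiObject -Class Win32_NetworkAdapter -Filter "NetConnectionID IS NOT NULL" |
        Select-Object NetConnectionID, GUID, NetConnectionStatus
}

function Get-RrasInterfaceName {
    # Interface names RRAS has registered (see the registry assumption above).
    if (-not (Test-Path $rrasKey)) { return @() }
    Get-ChildItem $rrasKey | ForEach-Object {
        (Get-ItemProperty $_.PSPath).InterfaceName
    } | Where-Object { $_ }
}

function Find-AdapterMissingFromRras {
    # Match on either the friendly name or the GUID, since RRAS may store either.
    $known = @(Get-RrasInterfaceName)
    foreach ($nic in Get-OsAdapter) {
        $byName = $known -contains $nic.NetConnectionID
        $byGuid = $known -contains $nic.GUID
        if (-not ($byName -or $byGuid)) {
            New-Object PSObject -Property @{
                Adapter = $nic.NetConnectionID
                Guid    = $nic.GUID
                Status  = $nic.NetConnectionStatus   # 2 = connected
            }
        }
    }
}

# Service state first: if RRAS is disabled or stopped, the console is empty anyway.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='RemoteAccess'"
"RRAS service: state={0} startmode={1}" -f $svc.State, $svc.StartMode

$missing = @(Find-AdapterMissingFromRras)
if ($missing.Count -eq 0) {
    'All Network Connections adapters are registered with RRAS.'
} else {
    'Adapters present in Windows but not registered with RRAS (they will not appear in the RRAS console):'
    $missing | Format-Table Adapter, Guid, Status -AutoSize
    'Remediation per the steps above: disable RRAS, run Configure and Enable, then apply any change in the TMG console so TMG rewrites the RRAS configuration.'
}
```

Run the check once before the fix (LAN2 should be reported as missing) and once after TMG has reapplied its configuration, when the list should be empty; if the registry layout on your build differs from the assumption, Get-RrasInterfaceName returns nothing and every adapter is reported, which is itself a sign to inspect the key by hand.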

Author

Olivier Bertin

Support Engineer

Microsoft CSS Forefront Security Edge Team

Technical Reviewers

The “Escalation Engineers team”

Microsoft CSS Forefront Security Edge Team

Comments

  • Anonymous
    July 22, 2013
    I don't think TMG has anything to do with this at all. I had this issue on a straight RRAS server. Add another NIC and it didn't add it. Removing/re-adding the service didn't fix it because it didn't reconfigure the service. That was on 2008 R2.

  • Anonymous
    December 16, 2013
    Agreed. TMG is not part of the issue. This is just plain RRAS doing this.

  • Anonymous
    April 24, 2014
    I cannot believe that googling for this shows me this webpage... actually the issue still exists on Windows Server 2012 and 2012 R2.... Good job, only 2 years have passed and the problem is still there.... do you really listen to your customers or partners.... I began to think NO.

  • Anonymous
    August 16, 2015
    Problem still exists - thanks for the post, it got me going again.

  • Anonymous
    September 16, 2015
    Ok, thank you very much, on a Win 2012 R2 the same thing happened to me.
    Thanks.

  • Anonymous
    September 28, 2016
    Hi Olivier, I have a unique situation I request for insights or assistance. We have a server (Win2k8 R2) with Forefront TMG configured (with a Firewall Policy) to allow networks over our WAN infrastructure (protocols FROM Internal TO External, Perimeter and Localhost). However, when there's only one branch office that is not able to reach this TMG server to access a web application that has worked on all other branch offices. This branch office network is in the range of WAN networks allowed. The server has 2 NICs, Local Area Conn (LAC) 3 and 4. LAC3 is configured with no gateway (on networks with 172.16..), and LAC 4 is configured with a different IP (192.168..) and with the default gateway of 0.0.0.0. Under TMG, on checking the properties of the above configured policy, under the FROM tab, I clicked on source Internal>Edit>Internal Properties>Addresses Tab>Add Adapter> to view the two LACs listed i.e. LAC 3 and LAC 4. Upon selecting on LAC 4 interface, I noticed a problem, LAC4 is not supposed to reach local area and WAN networks i.e. 172.16.. but it shows networks associated with it are the LAN/WAN networks. Question is, how do I stop LAC 4 from associating itself with LAN/WAN networks on 172...? I believe this will help in resolving the issue of this one branch network reaching the server web application. Is there anything outside TMG that I can do to dissociate LAC4 from and remain on 192.168..* and the default route? Pls help
    Greg

  • Anonymous
    October 20, 2016
    Worked for me. 2012r2. Thanks!

    • Anonymous
      December 16, 2016
      Also for me. 2012R2