[isalist] Re: https wireless traffic blocked through TMG forthe iPhone,

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "Ruba Al-Omari, Eng." <romari@xxxxxxxxxx>, "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 3 Jan 2012 14:52:45 +0000

You couldn’t simply configure the “core” to route all traffic through TMG’s 
original internal interface?
That would have been a less complicated solution.

From: Ruba Al-Omari, Eng. [mailto:romari@xxxxxxxxxx]
Sent: Tuesday, January 03, 2012 01:18
To: isalist@xxxxxxxxxxxxx; Jim Harrison
Subject: RE: [isalist] Re: https wireless traffic blocked through TMG forthe 
iPhone,

Hi Jim,

Thanks for all your help offline. The problem is solved; I am posting the 
solution here for anyone else who faces the same problem:

All worked perfectly. I had to install a physical interface on the TMG and 
assign an IP from the wireless VLAN to it, then configure the core so that the 
gateway for all wireless VLAN traffic is the new physical interface.

This was the only way to get non-Windows, non-HTTP traffic to pass.

Thanks again,

Ruba


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Sunday, December 25, 2011 11:47 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: https wireless traffic blocked through TMG forthe iPhone,

Ruba,

That log entry by itself is typical of a broken conversation between the client 
and TMG.

Rob knows all about this now <VBG>.

You'll want to observe the entire log sequence between the client and TMG for 
the failing case.

You may need to gather some netcaps at the client, TMG and the destination (if 
possible).

If you don't feel comfy analyzing those, I'm happy to help (Rob knows this, too 
<VBG>)

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Sunday, December 25, 2011 09:04
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: https wireless traffic blocked through TMG forthe iPhone,

Sorry :( It's 11 PM here and I was replying from the convenience of my bed. I 
am quoting the reply from the desktop now, hope it appears:

"You are absolutely right :) After I arrived in the office in the morning, I 
checked the rule again and it appeared it's not set to all users, so I changed 
it back to all users, and the prompt stopped but the problem stayed. With 
Gmail on the Mac OS, it keeps saying "checking for email" and the error shown 
below. This error is from one of the iOS 5.0.1 IPs at the time of the error. 
Now how do I go about it?"

Thanks for your help,


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Sunday, December 25, 2011 11:28
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: https wireless traffic blocked through TMG forthe iPhone,

Your iPood is messing things up.
Pls respond from another client?

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Sunday, December 25, 2011 09:04
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: https wireless traffic blocked through TMG forthe iPhone,

That won’t cause authentication prompts.
What you need to do is get the IP address from one of the failing clients and 
filter the logs from that client IP.
Since the listener is not configured to require authentication, your clients 
must be hitting an authenticated rule or they’re lying about the response they 
get from TMG.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ruba Al-Omari, Eng.
Sent: Saturday, December 24, 2011 22:52
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: https wireless traffic blocked through TMG forthe iPhone,

This is the error I receive in the logs when trying to check gmail from the 
iPhone through the wireless: it says HTTP Proxy denied connection:

Denied Connection

kkk-111 12/25/2011 9:49:53 AM

Log type: Firewall service

Status: A non-SYN packet was dropped because it was sent by a source that does 
not have an established connection with the Forefront TMG computer.

Rule: None - see Result Code

Source: Internal (10.40.61.201:50030)



From: Ruba Al-Omari, Eng.
Sent: Sunday, December 25, 2011 9:50 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: RE: [isalist] Re: https wireless traffic blocked through TMG forthe 
iPhone,

The problem is only with Gmail traffic; Exchange traffic is passing and web 
browsing is passing through, Twitter is working as well.

It's only for HTTPS traffic,

Thanks,
Ruba

From: Ruba Al-Omari, Eng.
Sent: Sunday, December 25, 2011 9:14 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: RE: [isalist] Re: https wireless traffic blocked through TMG forthe 
iPhone,

Looool I sent it in the morning from my iPad!
I have TMG, I am just so used to saying ISA ☺
The Web proxy authentication options are Integrated and Basic. It does not 
require all users to authenticate, and the wireless rule allows all users. Is 
this the right way to set it up?
Thanks Jim, any hint is greatly appreciated,


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Sunday, December 25, 2011 8:30 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: https wireless traffic blocked through TMG forthe iPhone,

Yeh, that didn't work too well.

From my mangophone
________________________________
From: Ruba Al-Omari, Eng.
Sent: 12/24/2011 20:05
To: isalist@xxxxxxxxxxxxx
Cc: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: https wireless traffic blocked through TMG forthe iPhone,
