[isalist] Mac Connection Problem

  • From: Rob Moore <RMoore@xxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 29 Sep 2011 11:51:01 -0400

Hello Everyone-

I'm using TMG Standard standalone running on Windows 2008 R2 SP1.

We're a mostly Windows organization, though since our new CEO is a Mac-o-phile, 
Macs are becoming more common. Today I found a problem. First let me give you 
some background. Our headquarters is here in Philadelphia. We have 30 remote 
offices, each with a Linux-based firewall that also is a VPN endpoint. There is 
another Linux-based firewall on our network here that all the remote ones VPN 
to. (It's not ideal, but it works and is more affordable for us, a 
non-profit, than what we'd like to have: a bunch of TMG boxes.)

Anyway, Macs here in Philly can connect to our local Windows (2003 or 
2008)-based servers without issue. But when we try to connect a Mac here in 
Philly to a remote Windows server share (the traffic traveling over our 
Linux-based VPN), our TMG server appears to be blocking the traffic. (FWIW, our 
Windows-based clients can connect to those remote servers without issue.) Also, 
if a remote Mac connects to our VPN (PPTP, to a server here in Philly), they 
also can't connect to our remote servers.

The Macs in question are running the latest Mac OS X (10.7.1).

The remote networks are defined on the TMG server as part of the Internal 
network.

There is a TMG rule allowing internal-to-internal traffic (at least I think 
that's what it's doing). The rule is Allow; All Outbound Traffic; From: 
Internal, Local Host; To: Internal, Local Host; All Users. It doesn't seem to 
be applied here, though, based on the error message.

I tried creating a specific rule just for this traffic, and put it at the top 
of the rules (just below my "Block Slammer" rule). That rule is Allow; 
Microsoft CIFS (TCP) and NetBios Session; From Internal, Local Host; To: 
Internal, Local Host; All Users. I get the same error as above, though, 
indicating no rule is applied.

Anyway, we get a lot of these two errors coming through the TMG console when 
the Mac is trying to connect:
Columns: Client IP | Destination IP | Destination Port | Protocol | Action | Overridden Rule | NIS Scan Result | NIS Signature | NIS Application Protocol | Rule | Result Code | HTTP Status Code | Client Username | Source Network | Destination Network

172.17.201.39 | 192.168.9.2 | 445 | Microsoft CIFS (TCP) | Denied Connection | - | None - see Result Code | 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED | Internal | Internal

172.17.201.39 | 192.168.9.2 | 139 | NetBios Session | Denied Connection | - | None - see Result Code | 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED | Internal | Internal


Any help with what's going on? How can I stop TMG from blocking the Microsoft 
CIFS and NetBios protocols over this internal connection? How did I incorrectly 
configure my rule?

Thanks,
Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Helpdesk: 800-500-AFSC
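The two log records above share the result code 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED, which TMG logs when it receives a TCP segment that is not a SYN and for which it holds no connection state; such a drop happens in the stateful packet filter before any access rule is consulted, which is why the Rule column shows none regardless of the allow rules added. The script below is an added example (not code from the post or from TMG) that parses a tab-separated export of the console columns Rob listed and groups those drops per client/destination pair, so that a pair whose every denial is a NOT_SYN drop and which never shows an initiated connection stands out as a path where TMG sees mid-stream traffic without the handshake. The log records are constructed for the demo (the two denied records mirror the post; the allowed one, with the rule name "Allow Internal to Internal", is hypothetical), and the tab-separated layout is an assumption about the export format.

```python
"""Group TMG firewall-log denials and flag clients TMG only sees mid-stream.

Added example, not from the original post. Records are tab-separated in the
column order of the TMG console view quoted in the post; the sample records
below are constructed.
"""
from collections import Counter, defaultdict

COLUMNS = [
    "Client IP", "Destination IP", "Destination Port", "Protocol", "Action",
    "Overridden Rule", "NIS Scan Result", "NIS Signature",
    "NIS Application Protocol", "Rule", "Result Code", "HTTP Status Code",
    "Client Username", "Source Network", "Destination Network",
]

# Result code TMG logs for a TCP segment that is not a SYN and that matches
# no existing connection (taken from the post).
NOT_SYN_CODE = "0xc0040017"


def _rec(client, dest, port, proto, action, rule, result):
    """Build one tab-separated record in COLUMNS order (sample-data helper)."""
    fields = dict.fromkeys(COLUMNS, "")
    fields.update({
        "Client IP": client, "Destination IP": dest, "Destination Port": port,
        "Protocol": proto, "Action": action, "Overridden Rule": "-",
        "Rule": rule, "Result Code": result,
        "Source Network": "Internal", "Destination Network": "Internal",
    })
    return "\t".join(fields[c] for c in COLUMNS)


# Constructed sample export: header line plus four records.
SAMPLE_LOG = "\n".join([
    "\t".join(COLUMNS),
    _rec("172.17.201.39", "192.168.9.2", "445", "Microsoft CIFS (TCP)",
         "Denied Connection", "None - see Result Code",
         "0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED"),
    _rec("172.17.201.39", "192.168.9.2", "139", "NetBios Session",
         "Denied Connection", "None - see Result Code",
         "0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED"),
    _rec("172.17.201.39", "192.168.9.2", "445", "Microsoft CIFS (TCP)",
         "Denied Connection", "None - see Result Code",
         "0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED"),
    # Constructed contrast: a client whose connection TMG saw from the SYN on.
    _rec("172.17.201.50", "192.168.9.2", "445", "Microsoft CIFS (TCP)",
         "Initiated Connection", "Allow Internal to Internal",
         "0x0 ERROR_SUCCESS"),
])


def parse_records(text):
    """Parse a tab-separated export whose first line names the columns."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    records = []
    for ln in lines[1:]:
        values = ln.split("\t")
        values += [""] * (len(header) - len(values))  # tolerate short rows
        records.append(dict(zip(header, values)))
    return records


def result_code(rec):
    """Hex part of the Result Code column, e.g. '0xc0040017'."""
    return rec.get("Result Code", "").split(" ", 1)[0].lower()


def not_syn_drops(records):
    """Count NOT_SYN drops per (client, destination, port)."""
    counts = Counter()
    for rec in records:
        if result_code(rec) == NOT_SYN_CODE:
            key = (rec["Client IP"], rec["Destination IP"], rec["Destination Port"])
            counts[key] += 1
    return counts


def suspect_asymmetric_paths(records):
    """Client/destination pairs whose denials are all NOT_SYN drops and that
    never show an initiated connection: TMG is seeing the flow mid-stream,
    which is what a return path that bypasses it looks like."""
    denials = defaultdict(list)
    initiated = set()
    for rec in records:
        pair = (rec["Client IP"], rec["Destination IP"])
        if rec["Action"] == "Denied Connection":
            denials[pair].append(result_code(rec))
        elif rec["Action"] == "Initiated Connection":
            initiated.add(pair)
    return sorted(pair for pair, codes in denials.items()
                  if pair not in initiated
                  and all(c == NOT_SYN_CODE for c in codes))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for key, n in sorted(not_syn_drops(recs).items()):
        print("NOT_SYN drops %s -> %s:%s  x%d" % (key[0], key[1], key[2], n))
    for client, dest in suspect_asymmetric_paths(recs):
        print("TMG never saw a handshake for %s -> %s" % (client, dest))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; a pair reported by suspect_asymmetric_paths is a route question (which interface the Mac's packets and the server's replies actually traverse), not a rule question, and no access rule will clear it.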
