Whew...I can get to sleep now. Steve Comeau Associate Director of IT Rutgers Athletics 83 Rockafeller Road Piscataway, NJ 08854 732-445-7802 732-445-4623 (fax) www.scarletknights.com<http://www.scarletknights.com> [cid:image001.png@01CC9BD7.C99438F0] [cid:image002.jpg@01CC9BD7.C99438F0] From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Saturday, November 05, 2011 3:15 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Mac Connection Problem ..and a month later, we have the answer... First off, public apologies to Rob for the terrible delay in responding... Second, based on the data Rob so kindly trusted me with (posted on my FB page for anyone who wants it :)), it's clear that his Linux firewall isn't maintaining TCP state. Initiation packets flow to the file server just fine, but response packets get routed directly back to the MAC instead of through TMG where they should have gone. The reason TMG logs a reject is because the MAC sees the response traffic from the file server IP address using the wrong MAC address and TCP SEQ# and sends a RST to TMG (default route, remember?). Because the RST uses a SEQ# that TMG has not seen in any conversation with the MAC, it closes the connection and logs "someone is being stupid" (don't you wish I could have written the TMG error messages?). I know there are some critical details missing, but I'll leave it to Rob as to whether he wants those made public. Jim From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Tuesday, October 04, 2011 3:00 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Mac Connection Problem You're already allowing it. Unless you have other TMG logs for those hosts and that traffic, what you're indicating is not TMG blocking valid traffic. From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> [mailto:isalist-bounce@xxxxxxxxxxxxx]<mailto:[mailto:isalist-bounce@xxxxxxxxxxxxx]> On Behalf Of Rob Moore Sent: Tuesday, October 04, 2011 8:18 AM To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx> Subject: [isalist] Re: Mac Connection Problem How do I allow SMB, given that all the remote subnets are configured as Internal? Rob From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> [mailto:isalist-bounce@xxxxxxxxxxxxx]<mailto:[mailto:isalist-bounce@xxxxxxxxxxxxx]> On Behalf Of Steve Moffat Sent: Saturday, October 01, 2011 6:45 AM To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx> Subject: [isalist] Re: Mac Connection Problem Are you allowing SMB or AFP? From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> [mailto:isalist-bounce@xxxxxxxxxxxxx]<mailto:[mailto:isalist-bounce@xxxxxxxxxxxxx]> On Behalf Of Rob Moore Sent: Friday, September 30, 2011 6:32 PM To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx> Subject: [isalist] Re: Mac Connection Problem I've continued to think about this issue and try various other things. Oddly, I can do other things from the Macs to the remote servers, such as ping them or open an RDP session to them. I see ping and RDP traffic allowed on the TMG console. But I can't open the equivalent of an Explorer window to the remote servers from a Mac. The TMG server seems to be blocking just that one sort of traffic. So how can I tell TMG not to block it? It doesn't SEEM reasonable to me (I'm NOT a networking expert) that the problem is the sort of network problem Jim described if all kinds of traffic but one can successfully pass. Thanks, Rob From: Rob Moore Sent: Friday, September 30, 2011 10:28 AM To: 'isalist@xxxxxxxxxxxxx' Subject: RE: Mac Connection Problem If this is true, though, wouldn't it affect all clients at a given site? PCs work just fine used from the same locations. It's only the Macs that are affected. I guess your last point would explain why the internal-internal rule didn't do anything. :) Thanks, Rob From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> [mailto:isalist-bounce@xxxxxxxxxxxxx]<mailto:[mailto:isalist-bounce@xxxxxxxxxxxxx]> On Behalf Of Jim Harrison Sent: Friday, September 30, 2011 9:22 AM To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx> Subject: [isalist] Re: Mac Connection Problem Rob, Typically, communication failure coupled with those log entries indicates some sort of split routing or a response path that is different from the initial traffic path. There are a couple of ways this can occur: 1. The Linux firewall isn't doing source-NAT and the internal target host uses TMG as the default route 2. The VPN client at the Linux firewall get assigned an IP address that is not specified in the target host routing table and the target host uses TMG as the default route In both cases, the initial TCP:SYN will be received by the internal host from the Linux FW and its TCP:SYN_ACK response will be sent to TMG; resulting in traffic rejection and the log entries you see. TMG is a stateful firewall and as such, will reject "first seen" TCP traffic that fails to abide by RFC-793. BTW, I hope your "internal-internal" rule is only for testing, as it's generally non-functional. Unless TMG is actually separating different subnet with individual NICS and both networks have been defined as "internal" to TMG, this is a wasted rule. From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> [mailto:isalist-bounce@xxxxxxxxxxxxx]<mailto:[mailto:isalist-bounce@xxxxxxxxxxxxx]> On Behalf Of Rob Moore Sent: Thursday, September 29, 2011 8:51 AM To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx> Subject: [isalist] Mac Connection Problem Hello Everyone- I'm using TMG Standard standalone running on Windows 2008 R2 SP1. We're a mostly Windows organization, though since our new CEO is a Mac-o-phile, Macs are becoming more common. Today I found a problem. First let me give you some background. Our headquarters is here in Philadelphia. We have 30 remote offices, each with a Linux-based firewall that also is a VPN endpoint. There is another Linux-based firewall on our network here that all the remote ones VPN to. (It's not ideal, but it works and is more affordable for us-a non-profit-than what we'd like to have: a bunch of TMG boxes.) Anyway, Macs here in Philly can connect to our local Windows (2003 or 2008)-based servers without issue. But when we try to connect a Mac here in Philly to a remote Windows server share (the traffic traveling over our Linux-based VPN), our TMG server appears to be blocking the traffic. (FWIW, our Windows-based clients can connect to those remote servers without issue.) Also, if a remote Mac connects to our VPN (PPTP, to a server here in Philly), they also can't connect to our remote servers. The Macs in question are running the latest Mac OSX (10.7.1). The remote networks are defined on the TMG server as part of the Internal network. There is a TMG rule allowing internal-to-internal traffic (at least I think that's what it's doing). The rule is Allow; All Outbound Traffic; From: Internal, Local Host; To: Internal, Local Host; All Users. It doesn't seem to be applied here, though, based on the error message. I tried creating a specific rule just for this traffic, and put it at the top of the rules (just below my "Block Slammer" rule). That rule is Allow; Microsoft CIFS (TCP) and NetBios Session; From Internal, Local Host; To: Internal, Local Host; All Users. I get the same error as above, though, indicating no rule is applied. Anyway, we get a lot of these two errors coming through the TMG console when the Mac is trying to connect: Client IP Destination IP Destination Port Protocol Action Overridden Rule NIS Scan Result NIS Signature NIS Application Protocol Rule Result Code HTTP Status Code Client Username Source Network Destination Network 172.17.201.39 192.168.9.2 445 Microsoft CIFS (TCP) Denied Connection - None - see Result Code 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED Internal Internal 172.17.201.39 192.168.9.2 139 NetBios Session Denied Connection - None - see Result Code 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED Internal Internal Any help with what's going on? How can I stop TMG from blocking the Microsoft CIFS and NetBios protocols over this internal connection? How did I incorrectly configure my rule? Thanks, Rob -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Rob Moore Network Manager 215-241-7870 Helpdesk: 800-500-AFSC *** This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Rutgers University - DIA 83 Rockafeller Road Piscataway, NJ 08854 www.scarletknights.com ***