[isalist] Re: Mac Connection Problem

  • From: Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 3 Oct 2011 14:39:43 -0400

Rob, we don't use TMG, however, between our sites (ISA2006 site to site VPNs), 
we have rules that allow ALL traffic to flow - no restrictions.  Only traffic 
to external sites (and that coming in) is restricted.  I just tested my Macbook 
to an external site server with no issues.  Did you try a rule to allow SMB 

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-4623 (fax)


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Friday, September 30, 2011 1:22 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Mac Connection Problem

I've continued to think about this issue and try various other things. Oddly, I 
can do other things from the Macs to the remote servers, such as ping them or 
open an RDP session to them. I see ping and RDP traffic allowed on the TMG 
console. But I can't open the equivalent of an Explorer window to the remote 
servers from a Mac. The TMG server seems to be blocking just that one sort of 
traffic. So how can I tell TMG not to block it? It doesn't SEEM reasonable to 
me (I'm NOT a networking expert) that the problem is the sort of network 
problem Jim described if all kinds of traffic but one can successfully pass.


From: Rob Moore
Sent: Friday, September 30, 2011 10:28 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: RE: Mac Connection Problem

If this is true, though, wouldn't it affect all clients at a given site? PCs 
work just fine used from the same locations. It's only the Macs that are 

I guess your last point would explain why the internal-internal rule didn't do 
anything.  :)


From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
 On Behalf Of Jim Harrison
Sent: Friday, September 30, 2011 9:22 AM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Mac Connection Problem


Typically, communication failure coupled with those log entries indicates some 
sort of split routing or a response path that is different from the initial 
traffic path.
There are a couple of ways this can occur:

1.       The Linux firewall isn't doing source-NAT and the internal target host 
uses TMG as the default route

2.       The VPN client at the Linux firewall get assigned an IP address that 
is not specified in the target host routing table and the target host uses TMG 
as the default route
In both cases, the initial TCP:SYN will be received by the internal host from 
the Linux FW and its TCP:SYN_ACK response will be sent to TMG; resulting in 
traffic rejection and the log entries you see.

TMG is a stateful firewall and as such, will reject "first seen" TCP traffic 
that fails to abide by RFC-793.

BTW, I hope your "internal-internal" rule is only for testing, as it's 
generally non-functional. Unless TMG is actually separating different subnet 
with individual NICS and both networks have been defined as "internal" to TMG, 
this is a wasted rule.

From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
 On Behalf Of Rob Moore
Sent: Thursday, September 29, 2011 8:51 AM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Mac Connection Problem

Hello Everyone-

I'm using TMG Standard standalone running on Windows 2008 R2 SP1.

We're a mostly Windows organization, though since our new CEO is a Mac-o-phile, 
Macs are becoming more common. Today I found a problem. First let me give you 
some background. Our headquarters is here in Philadelphia. We have 30 remote 
offices, each with a Linux-based firewall that also is a VPN endpoint. There is 
another Linux-based firewall on our network here that all the remote ones VPN 
to. (It's not ideal, but it works and is more affordable for us-a 
non-profit-than what we'd like to have: a bunch of TMG boxes.)

Anyway, Macs here in Philly can connect to our local Windows (2003 or 
2008)-based servers without issue. But when we try to connect a Mac here in 
Philly to a remote Windows server share (the traffic traveling over our 
Linux-based VPN), our TMG server appears to be blocking the traffic. (FWIW, our 
Windows-based clients can connect to those remote servers without issue.) Also, 
if a remote Mac connects to our VPN (PPTP, to a server here in Philly), they 
also can't connect to our remote servers.

The Macs in question are running the latest Mac OSX (10.7.1).

The remote networks are defined on the TMG server as part of the Internal 

There is a TMG rule allowing internal-to-internal traffic (at least I think 
that's what it's doing). The rule is Allow; All Outbound Traffic; From: 
Internal, Local Host; To: Internal, Local Host; All Users. It doesn't seem to 
be applied here, though, based on the error message.

I tried creating a specific rule just for this traffic, and put it at the top 
of the rules (just below my "Block Slammer" rule). That rule is Allow; 
Microsoft CIFS (TCP) and NetBios Session; From Internal, Local Host; To: 
Internal, Local Host; All Users. I get the same error as above, though, 
indicating no rule is applied.

Anyway, we get a lot of these two errors coming through the TMG console when 
the Mac is trying to connect:
Client IP

Destination IP

Destination Port



Overridden Rule

NIS Scan Result

NIS Signature

NIS Application Protocol


Result Code

HTTP Status Code

Client Username

Source Network

Destination Network


Microsoft CIFS (TCP)

Denied Connection


None - see Result Code





NetBios Session

Denied Connection


None - see Result Code




Any help with what's going on? How can I stop TMG from blocking the Microsoft 
CIFS and NetBios protocols over this internal connection? How did I incorrectly 
configure my rule?


Rob Moore
Network Manager
Helpdesk: 800-500-AFSC

***  This message contains confidential information and is
intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or
copy this e-mail. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be 
intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of
this message, which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com *** 

PNG image

JPEG image

Other related posts: