  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6412

Forefront TMG 2010 Windows Authentication (Active Directory) NetBIOS Access is not authenticated

Hello,

I have set up a Forefront TMG 2010 SP1 Update 3 enterprise box as a domain member. I use two authentication mechanisms, via source IP (All Users as auth condition) and via Domain Users, to access the Internet and Perimeter (3-Leg setup). Firewall rules are allowing all outgoing traffic from LAN to Perimeter. When I try to access the Perimeter and I authenticate traffic by source IP, everything is working fine (All Users as authentication condition). But when I use some domain group or user as auth condition, the firewall drops my NetBIOS traffic with this status in the logs: "The action cannot be performed because the session is not authenticated." But I still have access to the same machine via Remote Desktop. I tried to change the TMG Client properties by enabling authentication for svchost (svchost disable 0) and inserting authentication for explorer; nothing helped. Traffic goes fine for All Users and is dropped for Domain Users. All other services (HTTP, FTP, RDP) work fine for the same destination.

Thank you in advance

Narek Gharibyan
Keith Alabaster commented:
Not sure what the question is here - nothing mentioned sounds incorrect in terms of what it is doing. Clarify what you want to see as the result of anything changed.

synisys (Author) commented:
I want to see as a result an AUTHENTICATED NetBIOS connection to the Perimeter. The interesting thing is that VPN clients can connect to the Perimeter without problem (NetBIOS access) even though the access rules for both LAN clients and VPN clients are similar. Perimeter access from the LAN is denied with the reason "session is not authenticated".

Keith Alabaster commented:
What is the network relationship between internal and perimeter in the TMG gui? NAT or routed?
synisys (Author) commented:
TMG is doing only routing despite the direction (VPN,EXTERNAL,INTERNAL,PERIMETER)

Keith Alabaster commented:
Sorry - I have not asked clearly enough.

Open the TMG GUI, select Networking, then Network Rules. What is the relationship between Internal and Perimeter: is it set to NAT or to 'Route'?


pwindell commented:
Make the Access Rule bi-directional.

To:  Internal, Perimeter
From: Internal, Perimeter
Protocol: <whatever>
Users: <whatever>

synisys (Author) commented:
Route

synisys (Author) commented:
TMG Client will not process SMB traffic. It is designed to process only Winsock traffic. Already answered in another forum.

pwindell commented:
Would like to know what the "MS Specialist" actually said.

synisys (Author) commented:
"As far as I know, the TMGC will not process any SMB traffic. In fact it does not see it since it is handled in Kernel Mode. The firewall client is designed to tunnel Winsock traffic and SMB is not using Winsock. Have a read here as well: http://technet.microsoft.com/en-us/library/cc302546.aspx"

pwindell commented:
Ok, but what I'm looking for is "what to do about it". I assume this means the machines involved would have to operate as SecureNAT clients effectively, although there wouldn't really be any NAT involved over a "routed" relationship. So are they saying the Firewall Client has to be uninstalled and just cannot be run on these machines? You could probably disable the Firewall Client use centrally in the properties of the network definition, but that might have very negative side effects. So what is the recommended MS solution?

pwindell commented:
I am thinking that the Firewall Client will just ignore protocols that it does not handle,...that is what happens with ICMP and GRE for example,... so if a separate Rule for SMB was put into place and set the User Field to "All Users" it would be anonymous and should work,...or optionally change the existing "Allow-a-bunch-of-Stuff-Rule" between the network segments to anonymous ("All Users") then it would work.
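The separate anonymous SMB/NetBIOS rule suggested above, scripted against the TMG administration COM object rather than clicked through the console; this is an added example, not code from the thread or from Microsoft, and it assumes the Forefront TMG COM API (FPC.Root) is available on the TMG server, that the networks are named "Internal" and "Perimeter", and that the built-in protocol definitions carry the names listed. The rule is scoped to the SMB and NetBIOS protocols only, so the broader rule that requires domain-user authentication keeps covering everything else.

```powershell
# Added example (not from the thread). Run on the TMG server itself, from an
# elevated PowerShell session, with the TMG COM administration objects present.
# Enum values assumed from the ISA/TMG COM API: fpcInclude = 0,
# fpcPolicyRuleActionPermit = 0, fpcSpecifiedProtocols = 1.
$fpcInclude               = 0
$fpcPolicyRuleActionPermit = 0
$fpcSpecifiedProtocols    = 1

# Built-in protocol definition names assumed for this example. SMB is not
# Winsock traffic, so the Firewall Client never authenticates it; that is why
# this rule is anonymous ("All Users") and limited to exactly these protocols.
$smbProtocols = @(
    'Microsoft CIFS (TCP)',
    'Microsoft CIFS (UDP)',
    'NetBios Session',
    'NetBios Name Service',
    'NetBios Datagram'
)

$root  = New-Object -ComObject 'FPC.Root'
$array = $root.GetContainingArray()
$rules = $array.ArrayPolicy.PolicyRules

$rule = $rules.AddAccessRule('Allow SMB/NetBIOS Internal to Perimeter (anonymous)')
$rule.Action = $fpcPolicyRuleActionPermit
$rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
foreach ($p in $smbProtocols) {
    $rule.AccessProperties.SpecifiedProtocols.Add($p, $fpcInclude)
}

# Source and destination stay narrow: only LAN -> Perimeter, not the Internet.
$rule.SourceSelectionIPs.Networks.Add('Internal', $fpcInclude)
$rule.AccessProperties.DestinationSelectionIPs.Networks.Add('Perimeter', $fpcInclude)

# Anonymous rule: "All Users" means no session authentication is demanded,
# so SecureNAT-style SMB traffic is no longer denied as "not authenticated".
$rule.AccessProperties.UserSets.Add('All Users', $fpcInclude)

$rule.Save()
Write-Host "Created rule '$($rule.Name)'; order it above the Domain Users rule in the console."
```

The new rule must sit above the rule that requires Domain Users in the firewall policy order, otherwise the authenticated rule still matches the SMB session first and denies it; check the rule order in the console after the script runs.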