Narek Gharibyan asked:
Forefront TMG 2010 Windows Authentication (Active Directory) NetBIOS Access is not authenticated

Hello,

I have set up a Forefront TMG 2010 SP1 Update 3 enterprise box as a domain member. I use two authentication mechanisms, via source IP (All Users as auth condition) and via Domain Users, to access the Internet and the Perimeter (3-leg setup). Firewall rules are allowing all outgoing traffic from LAN to Perimeter. When I try to access the Perimeter and I authenticate traffic by source IP, everything is working fine (All Users as authentication condition). But when I use some domain group or user as the auth condition, the firewall drops my NetBIOS traffic with this status in the logs: "The action cannot be performed because the session is not authenticated." But I still have access to the same machine via Remote Desktop. I tried to change the TMG Client properties by enabling authentication for svchost (svchost disable 0) and inserting authentication for explorer; nothing helped. Traffic goes fine for All Users and is dropped for Domain Users. All other services (HTTP, FTP, RDP) work fine for the same destination.

Thank you in advance

Narek Gharibyan
Keith Alabaster

Not sure what the question is here - nothing mentioned sounds incorrect in terms of what it is doing. Clarify what you want to see as the result of anything changed.
Narek Gharibyan (asker)

I want to see as a result an AUTHENTICATED NetBIOS connection to the Perimeter. The interesting thing is that VPN clients can connect to the Perimeter without problem (NetBIOS access) even though the access rules for LAN clients and VPN clients are similar. Perimeter access from LAN is denied with the reason "session is not authenticated".
What is the network relationship between internal and perimeter in the TMG gui? NAT or routed?
TMG is doing only routing despite the direction (VPN,EXTERNAL,INTERNAL,PERIMETER)
Sorry - I have not asked clearly enough.

Open the TMG GUI - select Networking, then Network Rules. What is the relationship between Internal and Perimeter - is it set to NAT or to 'Route'?

Make the Access Rule bi-directional.

To:  Internal, Perimeter
From: Internal, Perimeter
Protocol: <whatever>
Users: <whatever>
Route
ASKER CERTIFIED SOLUTION
Narek Gharibyan

This solution is only available to members.
Would like to know what the "MS Specialist" actually said.
"As far as I know, the TMGC will not process any SMB traffic. In fact it does not see it since it is handled in Kernel Mode. The firewall client is designed to tunnel Winsock traffic and SMB is not using Winsock. Have a read here as well: http://technet.microsoft.com/en-us/library/cc302546.aspx"
OK, but what I'm looking for is "what to do about it". I assume this means the machines involved would have to operate as SecureNAT clients effectively, although there wouldn't really be any NAT involved over a "routed" relationship. So are they saying the Firewall Client has to be uninstalled and just cannot be run on these machines? You could probably disable the Firewall Client use centrally in the properties of the network definition, but that might have very negative side effects. So what is the recommended MS solution?
I am thinking that the Firewall Client will just ignore protocols that it does not handle,...that is what happens with ICMP and GRE for example,... so if a separate Rule for SMB was put into place and set the User Field to "All Users" it would be anonymous and should work,...or optionally change the existing "Allow-a-bunch-of-Stuff-Rule" between the network segments to anonymous ("All Users") then it would work.
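As an added example, not code from this thread or from Microsoft's tooling: a small Python audit that flags access rules where a user-based condition is combined with SMB/NetBIOS protocols, which the Firewall Client cannot authenticate because that traffic never passes through Winsock, and proposes the split that the previous post describes, a separate "All Users" rule carrying only those protocols. The protocol names, the rule record layout and the sample policy are assumptions constructed for the example, not TMG's export format.

```python
"""Audit access rules for SMB/NetBIOS protocols that a user-based
condition cannot authenticate (added example; the rule records below
are a constructed, simplified stand-in for a TMG policy export)."""

# Protocols that Windows handles in kernel mode rather than over Winsock.
# The TMG Firewall Client never attaches user credentials to these, so a
# rule restricted to a domain group or user will drop them with
# "session is not authenticated". Names follow TMG's built-in protocol
# definitions as assumed here.
KERNEL_MODE_PROTOCOLS = {
    "NetBios Name Service",
    "NetBios Datagram",
    "NetBios Session",
    "Microsoft CIFS (TCP)",
    "Microsoft CIFS (UDP)",
}


def find_unauthenticatable(rules):
    """Return (rule name, offending protocols) for every Allow rule whose
    user condition is narrower than All Users and whose protocol list
    includes kernel-mode SMB/NetBIOS protocols."""
    findings = []
    for rule in rules:
        if rule["action"] != "Allow" or rule["users"] == "All Users":
            continue
        hit = sorted(set(rule["protocols"]) & KERNEL_MODE_PROTOCOLS)
        if hit:
            findings.append((rule["name"], hit))
    return findings


def split_rule(rule):
    """Split a user-restricted rule into an anonymous (All Users) rule that
    carries only the SMB/NetBIOS protocols, plus the original rule with
    those protocols removed. Source and destination networks are copied
    unchanged so the anonymous rule stays as narrowly scoped as the
    original. Returns the rule untouched when there is nothing to split."""
    smb = [p for p in rule["protocols"] if p in KERNEL_MODE_PROTOCOLS]
    if not smb or rule["users"] == "All Users":
        return [rule]
    rest = [p for p in rule["protocols"] if p not in KERNEL_MODE_PROTOCOLS]
    anonymous = dict(rule,
                     name=rule["name"] + " (SMB, anonymous)",
                     users="All Users",
                     protocols=smb)
    result = [anonymous]
    if rest:
        result.append(dict(rule, protocols=rest))
    return result


# Constructed sample policy modelled on the thread's 3-leg setup.
SAMPLE_RULES = [
    {"name": "LAN to Perimeter (Domain Users)", "action": "Allow",
     "from": ["Internal"], "to": ["Perimeter"], "users": "Domain Users",
     "protocols": ["HTTP", "FTP", "RDP (Terminal Services)",
                   "NetBios Session", "Microsoft CIFS (TCP)"]},
    {"name": "LAN to Perimeter (by source IP)", "action": "Allow",
     "from": ["Internal"], "to": ["Perimeter"], "users": "All Users",
     "protocols": ["NetBios Session", "Microsoft CIFS (TCP)"]},
    {"name": "Block Perimeter to LAN", "action": "Deny",
     "from": ["Perimeter"], "to": ["Internal"], "users": "All Users",
     "protocols": ["All Outbound Traffic"]},
]


def main():
    # Report each rule that will silently drop SMB and show the proposed split.
    for name, protocols in find_unauthenticatable(SAMPLE_RULES):
        print(f"{name}: cannot authenticate {', '.join(protocols)}")
        original = next(r for r in SAMPLE_RULES if r["name"] == name)
        for fixed in split_rule(original):
            print(f"  -> {fixed['name']}: users={fixed['users']} "
                  f"protocols={fixed['protocols']}")


if __name__ == "__main__":
    main()
```

The anonymous rule grants SMB access without any user identity, so it inherits the original rule's From/To networks rather than widening them; after applying a split, check the TMG firewall log to confirm the "session is not authenticated" drops for that destination stop while the user-restricted rule still covers HTTP, FTP and RDP.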