Forefront TMG blocks broadcast on port 137

Hi Everyone,

I have a newly installed Windows 2008 R2 SP2 server running Microsoft Forefront TMG 2010 with all the latest SPs and rollups. On the same machine I have version 5.0.1 of McAfee ePO. I am using the TMG server primarily as a filtering web proxy, as my central firewall function is being performed by another device.

I am trying to configure ePO, and during the configuration it contacts my AD and does a broadcast for all machines on my LAN. However, it has been failing, which I found is down to TMG blocking the broadcast (log screenshot attached). Now I have created rules in the firewall that allow NetBIOS sessions, names, etc. with no effect. I have tried enabling the configuration of the system policy and making sure the rule that allows NetBIOS from Local Host to the Internal network is set to allow, but no effect.

I have seen many articles related to NetBIOS being blocked due to spoofed addresses, but these don't seem to address my problem.

If I had any hair it would have fallen out by now, so any help much appreciated.

Steve
[Attachment: broadcast-blocked.png]
steven_gould asked:
btan (Exec Consultant) commented:
At least from the ePO angle, the ports required for the FW are as below. For the LDAP connection to AD, used to look up computers, users, groups, and Organizational Units for User Based Policies, it is using 389, or 636 for LDAPS.
https://kc.mcafee.com/corporate/index?page=content&id=KB66797

UDP 137 and 138 are for network discovery. The McAfee ePolicy Orchestrator server must have the Computer Browser service open in order to enumerate the domain/workgroup computers; without turning on this service, the administrator has to install the agents onto each and every domain/workgroup computer.
http://cyruslab.net/2013/06/09/mcafee-deploy-mcafee-agents-to-domain-computers/

I saw this plugin doc, and it talks about the TMG bypass list:
https://kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23241/en_US/mp_140_pg_tmg_7003222A00_en-us.pdf

Configure host bypass

Configure the host names, IP addresses, or domain names that will bypass filtering so that requests to those names and addresses are always allowed.

Task

1. Open the plugin settings:
   a. In the Microsoft Threat Management Gateway management console, select [your gateway] | System, then click the Web Filters tab.
   b. Select the appropriate plugin.
   c. Right-click the plugin and select Properties.
2. Click the Bypass List tab.
3. In the Hosts to bypass field, enter one host per line. Enter an exact host name, IP address, or domain name using the examples below as guidelines. Wildcards are not valid (entering *example.com or example.com does not include all example.com domains).
   Examples:
   • www.example.com
   • mail.example.com
   • 192.168.254.22
   • FD4A:A1B2:C3D4:0:0:0:0:E5F6
4. Click OK to save the configuration.

I was also thinking about the LocalLAT.txt:
http://technet.microsoft.com/en-us/library/cc995133.aspx

Microsoft Forefront Threat Management Gateway is designed to handle communications between different networks. Usually, clients on a specific network should not traverse Forefront TMG to reach hosts located in the same network. Instead, direct access should be used.

Direct access enables Firewall client computers to do the following:

• Bypass the Microsoft Firewall Client configuration and connect directly to resources.
• Make Web proxy requests that bypass the Web proxy filter.

This allows Firewall clients to access resources located in their local network without going through Forefront TMG and allows clients to make Web requests without going through Forefront TMG as a proxy.
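A quick way to verify the prerequisites btan lists above from the ePO/TMG host itself. This is an added PowerShell check, not code from the thread or from McAfee; the domain controller name is a placeholder, and the script checks the host's own services and reachability only, not TMG's policy.

```powershell
# Added diagnostic, not from the thread: checks the ePO prerequisites btan lists
# from the ePO/TMG host. $DomainController is an assumed placeholder name.
param([string]$DomainController = "dc01.example.local")

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Computer Browser service: ePO needs it running to enumerate domain/workgroup machines.
$browser = Get-Service -Name Browser -ErrorAction SilentlyContinue
if ($browser -and $browser.Status -eq 'Running') {
    Write-Host "OK    Computer Browser service is running"
} else {
    Write-Host "FAIL  Computer Browser service is not running (status: $($browser.Status))"
}

# 2. NetBIOS name (137) and datagram (138) services must be bound locally.
$udpListeners = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveUdpListeners()
foreach ($port in 137, 138) {
    $bound = @($udpListeners | Where-Object { $_.Port -eq $port })
    if ($bound.Count -gt 0) {
        $addrs = $bound | ForEach-Object { $_.Address.ToString() } | Sort-Object -Unique
        Write-Host "OK    UDP $port bound on $addrs"
    } else {
        Write-Host "FAIL  nothing listening on UDP $port (NetBIOS over TCP/IP disabled on the adapter?)"
    }
}

# 3. LDAP (389) / LDAPS (636) to the DC for the computer, user, group and OU lookups.
foreach ($port in 389, 636) {
    if (Test-TcpPort -ComputerName $DomainController -Port $port) {
        Write-Host "OK    TCP $port reachable on $DomainController"
    } else {
        Write-Host "FAIL  TCP $port to $DomainController blocked or not listening"
    }
}
```

If the Browser service is running and UDP 137/138 are bound but discovery still fails, the remaining suspect is the TMG local host policy for that traffic, which this script does not inspect.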
steven_gould (Author) commented:
It isn't quite what I was after, but it certainly gave me some good insights into how Forefront handles traffic. Thanks.