ForeFront TMG Blocks Broadcast on port 137

Posted on 2013-09-23
Last Modified: 2013-11-13
Hi Everyone,

I have a newly installed Windows 2008 R2 SP2 server running Microsoft Forefront TMG 2010 with all the latest SPs and rollups. On the same machine I have version 5.0.1 of McAfee ePO. I am using the TMG server primarily as a filtering web proxy, as my central firewall function is being performed by another device.

I am trying to configure ePO, and during the configuration it contacts my AD and does a broadcast for all machines on my LAN. However, it has been failing, which I found is down to TMG blocking the broadcast (log screenshot attached). Now I have created rules in the firewall that allow NetBIOS sessions, names, etc., with no effect. I have tried enabling the configuration of the system policy and making sure the rule that allows NetBIOS from Local Host to the Internal network is set to allow, but no effect.

I have seen many articles related to NetBIOS being blocked due to spoofed addresses but these don't seem to address my problem.

If I had any hair it would have fallen out by now so any help much appreciated.

Question by: steven_gould

Accepted Solution

btan earned 1500 total points
ID: 39516639
At least from the ePO angle, the ports required for the FW are as below. For the LDAP connection to AD, used to look up computers, users, groups, and Organizational Units for user-based policies, it uses 389, or 636 for LDAPS.

UDP 137 and 138 are for network discovery. The McAfee ePolicy Orchestrator server must have the Computer Browser service enabled in order to enumerate the domain/workgroup computers; without turning on this service, the administrator has to install the agents onto each and every domain/workgroup computer.

I saw this plugin doc, and it talks about the TMG bypass list:

Configure host bypass

Configure the host names, IP addresses, or domain names that will bypass filtering so that requests to those names and addresses are always allowed.

1. Open the plugin settings:
   a. In the Microsoft Threat Management Gateway management console, select [your gateway] | System, then click the Web Filters tab.
   b. Select the appropriate plugin.
   c. Right-click the plugin and select Properties.
2. Click the Bypass List tab.
3. In the Hosts to bypass field, enter one host per line. Enter an exact host name, IP address, or domain name using the examples below as guidelines. Wildcards are not valid (entering *example.com or example.com does not include all example.com domains).
   • mail.example.com
   • FD4A:A1B2:C3D4:0:0:0:0:E5F6
4. Click OK to save the configuration.

I was also thinking about the localLAT.txt:

Microsoft Forefront Threat Management Gateway is designed to handle communications between different networks. Usually, clients on a specific network should not traverse Forefront TMG to reach hosts located in the same network. Instead, direct access should be used.

Direct access enables Firewall client computers to do the following:

Bypass the Microsoft Firewall Client configuration and connect directly to resources.

Make Web proxy requests that bypass the Web proxy filter.

This allows Firewall clients to access resources located in their local network without going through Forefront TMG and allows clients to make Web requests without going through Forefront TMG as a proxy.
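The traffic at issue in this thread is the NetBIOS Name Service broadcast on UDP 137 that ePO's discovery sends and that TMG is logging as blocked. As an added example that is not part of the original thread or of any McAfee/Microsoft code, the script below builds and decodes such a name query (RFC 1001/1002 first-level name encoding, B-bit flag), so a defender reading a TMG log or packet capture can recognise what a blocked port 137 datagram actually contains. The transaction id and names are constructed sample values.

```python
import struct

# NetBIOS name-service constants (RFC 1002). Constructed sample values below.
QTYPE_NB = 0x0020      # name query
QCLASS_IN = 0x0001
FLAG_RD = 0x0100       # recursion desired
FLAG_B = 0x0010        # broadcast bit: set on LAN-wide discovery queries


def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode: 15 name bytes + 1 suffix byte -> 32 ASCII letters A..P."""
    if name == "*":                       # wildcard name used for node enumeration
        raw = b"*" + b"\x00" * 14
    else:
        raw = name.upper().encode("ascii")[:15].ljust(15, b" ")
    raw += bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_nb_name(encoded: bytes):
    """Reverse first-level encoding; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def build_nbns_query(name: str, suffix: int = 0x00, txid: int = 0x1234,
                     broadcast: bool = True) -> bytes:
    """Build the 50-byte UDP 137 datagram a discovery client broadcasts."""
    flags = FLAG_RD | (FLAG_B if broadcast else 0)   # opcode 0 = QUERY
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"\x20" + encode_nb_name(name, suffix) + b"\x00"  # one 32-char label
    return header + qname + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def parse_nbns_query(pkt: bytes) -> dict:
    """Decode the header and question of a captured UDP 137 name query."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if pkt[12] != 0x20 or pkt[45] != 0x00:
        raise ValueError("not a single 32-character NetBIOS label")
    name, suffix = decode_nb_name(pkt[13:45])
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    return {"txid": txid, "opcode": (flags >> 11) & 0xF,
            "broadcast": bool(flags & FLAG_B), "questions": qdcount,
            "name": name, "suffix": suffix, "qtype": qtype, "qclass": qclass}


if __name__ == "__main__":
    pkt = build_nbns_query("WORKGROUP", 0x1D)   # 0x1D = master browser suffix
    print(parse_nbns_query(pkt))
```

In a TMG log entry the only visible facts are source, destination (the subnet broadcast address) and UDP 137; feeding the captured payload to parse_nbns_query shows which NetBIOS name and suffix ePO was resolving.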

Author Closing Comment

ID: 39645191
It isn't quite what I was after but it certainly gave me some good insights into how forefront handles traffic. Thanks.
