We have a publishing rule on our TMGs for managing mobile devices. We have a mixture of iPhones and Android phones that are connecting to Airwatch.
We recently enabled TLS 1.1 and 1.2 on our TMG servers. After we enabled these new protocols, all of our iPhones could no longer connect to our Airwatch server. Our Android phones continued working.
After some troubleshooting through the TMG, we see that with TLS 1.1/1.2 enabled, the iPhones no longer authenticate. The 'client username' shows anonymous. When we disable TLS 1.1/1.2, it authenticates with its AD credentials.
I have pasted the log entry showing an iPhone that could not connect. I sanitized the IPs, TMG name and Rule name.
Has anyone else seen anything similar?
Our TMGs are 2010, Service Pack 2 Rollup 3.
The OS is Win2008 R2, SP1 Datacenter.

Client Agent,Authenticated Client,Service,Referring Server,Destination Host Name,Transport,HTTP Method,Filter Information,MIME Type,Object Source,Cache Information,Error Information,Source Port,Session Type,Bidirectional,Network Interface,Raw IP Header,Raw Payload,Processing Time,Bytes Sent,Bytes Received,Original Client IP,GMT Log Time,Authentication Server,UAG Array Id,UAG Version,UAG Module Id,UAG Id,UAG Severity,UAG Type,UAG Event Name,UAG Session Id,UAG Trunk Name,UAG Service Name,UAG Error Code,Internal Service Info Log Field,Client Application SHA1 Hash,Client Application Trust State,Client Application Internal Name,Client Application Product Name,Client Application Product Version,Client Application File Version,Client Application Original File Name,Client FQDN,URL Categorization Reason,Forefront TMG Client Version,URL Destination Host Name,Log Time,Client IP,Destination IP,Destination Port,Protocol,Action,Overridden Rule,Server Name,NIS Scan Result,NIS Signature,NIS Application Protocol,Rule,Result Code,HTTP Status Code,Client Username,Source Network,Destination Network,URL,URL Category,Log Record Type,Malware Inspection Action,Malware Inspection Result,Threat Name,Threat Level,Content Delivery Method,Malware Inspection Duration (msec),NAT Address,Client Application Path
Apple-iPhone6C1/1201.405,Yes,Reverse Proxy,,,TCP,POST,Req ID: 0c7096ea ,,,0x0,0x203,23391,Web Proxy,,-,-,-,0,0,375,-,10/15/2014 19:27,,,0,,0,,,,,,,0,0,-,,-,-,-,-,-,-,,-,,10/15/2014 15:27,22.214.171.124,126.96.36.199,443,,Failed Connection Attempt,,TMG-server1,Inspected,,,RuleforAirwatch,,0x80090326 ,anonymous,,,,-,Web Proxy Filter,,,,,,0,-,-
- Edited by BrianinNC Wednesday, October 15, 2014 9:14 PM
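The log entry pasted in the post above, read column by column, as an added example that is not part of the original post: it pairs each value with its header name and names the SSPI/Schannel code found in the HTTP Status Code column. The code-to-name table holds standard Windows values from winerror.h, and the second row is constructed for contrast.

```python
import csv
import io

# Header and first row exactly as pasted in the post.
HEADER = "Client Agent,Authenticated Client,Service,Referring Server,Destination Host Name,Transport,HTTP Method,Filter Information,MIME Type,Object Source,Cache Information,Error Information,Source Port,Session Type,Bidirectional,Network Interface,Raw IP Header,Raw Payload,Processing Time,Bytes Sent,Bytes Received,Original Client IP,GMT Log Time,Authentication Server,UAG Array Id,UAG Version,UAG Module Id,UAG Id,UAG Severity,UAG Type,UAG Event Name,UAG Session Id,UAG Trunk Name,UAG Service Name,UAG Error Code,Internal Service Info Log Field,Client Application SHA1 Hash,Client Application Trust State,Client Application Internal Name,Client Application Product Name,Client Application Product Version,Client Application File Version,Client Application Original File Name,Client FQDN,URL Categorization Reason,Forefront TMG Client Version,URL Destination Host Name,Log Time,Client IP,Destination IP,Destination Port,Protocol,Action,Overridden Rule,Server Name,NIS Scan Result,NIS Signature,NIS Application Protocol,Rule,Result Code,HTTP Status Code,Client Username,Source Network,Destination Network,URL,URL Category,Log Record Type,Malware Inspection Action,Malware Inspection Result,Threat Name,Threat Level,Content Delivery Method,Malware Inspection Duration (msec),NAT Address,Client Application Path"
IPHONE_ROW = "Apple-iPhone6C1/1201.405,Yes,Reverse Proxy,,,TCP,POST,Req ID: 0c7096ea ,,,0x0,0x203,23391,Web Proxy,,-,-,-,0,0,375,-,10/15/2014 19:27,,,0,,0,,,,,,,0,0,-,,-,-,-,-,-,-,,-,,10/15/2014 15:27,22.214.171.124,126.96.36.199,443,,Failed Connection Attempt,,TMG-server1,Inspected,,,RuleforAirwatch,,0x80090326 ,anonymous,,,,-,Web Proxy Filter,,,,,,0,-,-"
# Constructed row (not from the post): a successful, authenticated request.
CONSTRUCTED_ROW = (IPHONE_ROW.replace("Apple-iPhone6C1/1201.405", "Android-constructed")
                   .replace("Failed Connection Attempt", "Allowed Connection")
                   .replace("0x80090326", "200")
                   .replace("anonymous", "EXAMPLE\\user1"))
SAMPLE_EXPORT = "\n".join([HEADER, IPHONE_ROW, CONSTRUCTED_ROW])

# Windows SSPI/Schannel status codes (standard values from winerror.h).
SSPI_ERRORS = {
    0x80090325: "SEC_E_UNTRUSTED_ROOT",
    0x80090326: "SEC_E_ILLEGAL_MESSAGE",
    0x80090328: "SEC_E_CERT_EXPIRED",
    0x80090331: "SEC_E_ALGORITHM_MISMATCH",
}

def parse_export(text):
    """Pair every value with its column name; reject rows that do not line up."""
    reader = csv.reader(io.StringIO(text))
    columns = next(reader)
    records = []
    for values in reader:
        if len(values) != len(columns):
            raise ValueError(f"row has {len(values)} fields, header has {len(columns)}")
        records.append({c: v.strip() for c, v in zip(columns, values)})
    return records

def failed_handshakes(records):
    """Return failed attempts whose status column holds a hex error code."""
    findings = []
    for rec in records:
        status = rec["HTTP Status Code"]
        if rec["Action"] != "Failed Connection Attempt" or not status.lower().startswith("0x"):
            continue
        findings.append({"agent": rec["Client Agent"], "user": rec["Client Username"],
                         "rule": rec["Rule"], "code": status,
                         "name": SSPI_ERRORS.get(int(status, 16), "unknown")})
    return findings

if __name__ == "__main__":
    for finding in failed_handshakes(parse_export(SAMPLE_EXPORT)):
        print(finding)
```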