Some TMG protocols are not working properly.

Hello.

I wrote a TMG rule that lets cell phones use specific protocols:

Cell phones can't open web pages or use Instagram, but when they use a VPN everything is OK.

What is your idea?

August 16th, 2015 3:09am

I followed the Best Practice too:

and TMG shows me a Spoofed error:

How can I solve it?

August 16th, 2015 7:14am

As you see, the address ranges are added in Internal too. But the problem is not solved!

August 16th, 2015 7:44am

I followed "http://social.technet.microsoft.com/wiki/contents/articles/3197.recommended-network-adapter-configuration-for-forefront-tmg-enterprise-edition-servers.aspx" too, but the problem is not solved :(
August 16th, 2015 1:33pm

You need to do live logging and see what happens when a user tries to use the Instagram app from his/her phone.

In the TMG MMC, go to Logs & Reports / Logging and press start. Then test from a client and see what is logged. That will show what is allowed or not. You can easily copy the logged data or make a screen dump. Are the alerts with regards to routing table/network definition for the internal network resolved?

August 19th, 2015 8:51am

Thank you.

But as you see, TMG reports the range 172.30.14.0-172.30.14.255 as spoofed, and those are the cell phones. PCs with other IP ranges are OK; this problem is just for cell phones :(

Any idea?

August 19th, 2015 9:58am

All here are just educated guesses as there is not much information to work with here.

This blog post describes why packets are dropped as spoofed.

Make sure that traffic is received on the correct interface.

Make sure that there are routes defined for all IP networks added to the internal network. They must match. If the 172.30.14.0/24 network is reachable through the internal network adapter, a route to that network must exist. The default gateway is only for traffic to and from the Internet. All internal networks must have routes as well, except for the subnet the internal network adapter is connected to.

If the internal adapter is on 172.16.0.1 and your internal router through which you can reach the 172.30.14.0/24 network is 172.16.0.254, then add a route through the TMG MMC or a persistent route using the route command from a command prompt (on the TMG server), for example:

route -p add 172.30.14.0 MASK 255.255.255.0 172.16.0.254

Then check any new alerts and check the logs.

August 19th, 2015 12:03pm
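The two conditions the reply above lists (traffic must arrive on the correct interface, and every range in the Internal network definition must have a matching route) can be checked mechanically. The following is an added example written for this thread, not TMG's own spoof-detection code: it models those two conditions over a constructed routing table that uses the reply's sample addresses (internal adapter 172.16.0.1, internal router 172.16.0.254, phone subnet 172.30.14.0/24). The external gateway 203.0.113.1 and the route/network-definition layout are assumptions for the illustration.

```python
import ipaddress

# Constructed sample routing table in the shape of the advice above:
# (destination prefix, adapter the route leaves through, next hop or None if on-link).
# The last entry is what "route -p add 172.30.14.0 MASK 255.255.255.0 172.16.0.254" adds.
ROUTES = [
    ("0.0.0.0/0",      "External", "203.0.113.1"),   # default gateway: Internet only
    ("172.16.0.0/24",  "Internal", None),            # subnet the internal adapter sits on
    ("172.30.14.0/24", "Internal", "172.16.0.254"),  # phone subnet behind the internal router
]

# Constructed network definitions: which address ranges TMG associates with each adapter.
NETWORK_DEFS = {
    "Internal": ["172.16.0.0/24", "172.30.14.0/24"],
    "External": ["0.0.0.0/0"],
}


def egress_interface(ip, routes):
    """Longest-prefix match: the adapter TMG would use to reach `ip`."""
    best_net, best_iface = None, None
    for prefix, iface, _gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def classify_packet(src, ingress, routes=ROUTES, netdefs=NETWORK_DEFS):
    """Decide whether a packet with source `src` arriving on `ingress` is consistent.

    Condition 1: the source must belong to the network definition of the ingress adapter.
    Condition 2: the route back to the source must leave through that same adapter;
    otherwise the return traffic would go out a different interface and the packet
    is treated as spoofed.
    """
    src_ip = ipaddress.ip_address(src)
    if not any(src_ip in ipaddress.ip_network(p) for p in netdefs[ingress]):
        return f"spoofed: {src} is not in the network definition of {ingress}"
    via = egress_interface(src_ip, routes)
    if via != ingress:
        return f"spoofed: route to {src} goes via {via}, but the packet arrived on {ingress}"
    return "accepted"


def missing_routes(netdefs=NETWORK_DEFS, routes=ROUTES, adapter="Internal"):
    """List ranges in an adapter's network definition that have no route via that adapter.

    This is the "they must match" check: every range added to Internal needs a route
    that leaves through the internal adapter (the on-link subnet counts as a route).
    """
    covered = [ipaddress.ip_network(p) for p, iface, _ in routes if iface == adapter]
    missing = []
    for prefix in netdefs[adapter]:
        net = ipaddress.ip_network(prefix)
        if not any(net.subnet_of(c) for c in covered):
            missing.append(prefix)
    return missing


if __name__ == "__main__":
    print(classify_packet("172.30.14.10", "Internal"))            # accepted
    without_phone_route = ROUTES[:2]                               # persistent route not yet added
    print(classify_packet("172.30.14.10", "Internal", without_phone_route))  # spoofed
    print(missing_routes(routes=without_phone_route))              # ['172.30.14.0/24']
```

Running `missing_routes` against the routing table before the persistent route is added returns the phone subnet, which is the situation the thread describes: the range is in the Internal definition, but with no route the default gateway claims it and the packet is dropped as spoofed.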


The IP addresses were just examples.

If the internal interface of TMG and the phones are not on the same subnet, a gateway must be defined on the phone and a persistent route on TMG to point to the internal router.

If the TMG server is not in the default gateway path to reach the Internet, you must specify it as a web proxy on the clients.

As you have blurred the rule and don't show any other rule, I can't tell you why this rule doesn't work as you expect.

None of that is crystal clear from the above.

Because of that, the only thing I can advise at this point is the following:

Check the logs while trying to browse the Internet from a failing phone.

- Nothing in the log? Likely your network setup is wrong. See a few lines above.

- Something in the log? What? Deny? Error message?

You can also use the traffic simulator and see what it says.

August 20th, 2015 4:04am

I am sharing some photos, and I guess you can understand what my problem is:

As you see, HTTP is blocked in "Phone-Nat"!


August 21st, 2015 1:51am

This is my NIC configuration:

August 21st, 2015 2:10am

I ran Wireshark too:

What is your idea?

August 21st, 2015 3:06am

The rule does not block the request.

The log entry says that one of the connected parties (e.g. endpoints) did not respond in a timely fashion - within the TCP timeout thresholds. There's a big difference between block and a timeout.

Looking at the trace above, I see only traffic from a 172.30.14.x to TMG. NO return traffic. That indicates an issue with the traffic flow, most likely routing. As you seem to have the correct configuration in TMG, I would look at the router configuration.

August 21st, 2015 3:31am


Thank you so much.

What do you mean by "Router"? The router device, or the route configuration in Windows?

As you see, I attached the "Route" configuration in Windows above. I use "Cisco" switches; in your opinion, can the switches have any problem?

This problem occurred suddenly :(
August 21st, 2015 6:06am


Any idea to solve it?

I can't understand "0x7007274C"!

August 21st, 2015 4:17pm

It just blocks HTTP and HTTPS, because when we allow cell phones to use all protocols, this problem is solved.
August 24th, 2015 3:36am

Any idea?
September 6th, 2015 3:25am

The error message 0x8007274c is WSAETIMEDOUT.

This means that the connection to the phone host (i.e. between TMG and the network where the phones are located) did not function properly due to an issue somewhere between TMG and the destination.

I meant that you should check the switch/router TMG is connected to on the internal interface and see what is (not) happening there.

If the phone manages to send requests to the TMG server but TMG is not able to respond but the routing looks correct then you need to look at the router on the internal interface - 172.30.9.254.

September 7th, 2015 2:56am
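The reply above maps the logged error code to WSAETIMEDOUT. That mapping follows from the HRESULT layout: bit 31 is the severity flag, bits 16-26 hold the facility (7 is FACILITY_WIN32), and the low 16 bits carry the Win32/Winsock error number. The decoder below is an added example for this thread, not part of TMG or the Windows SDK; the small Winsock name table is limited to well-known codes, and the helper names are my own. Both spellings that appear in the thread, 0x7007274C as typed by the poster and 0x8007274c as given in the reply, carry facility 7 and code 0x274C, which is decimal 10060.

```python
# Well-known Winsock error numbers (low 16 bits of a FACILITY_WIN32 HRESULT).
WINSOCK_ERRORS = {
    10051: ("WSAENETUNREACH", "network is unreachable"),
    10054: ("WSAECONNRESET", "connection reset by peer"),
    10060: ("WSAETIMEDOUT", "connection attempt timed out"),
    10061: ("WSAECONNREFUSED", "connection refused by target"),
    10065: ("WSAEHOSTUNREACH", "no route to host"),
}

FACILITY_WIN32 = 7


def decode_hresult(value):
    """Split a 32-bit HRESULT into (severity, facility, code)."""
    value &= 0xFFFFFFFF
    severity = value >> 31
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    return severity, facility, code


def winsock_name(code):
    """Return the symbolic Winsock name for a numeric code, or None if not in the table."""
    entry = WINSOCK_ERRORS.get(code)
    return entry[0] if entry else None


def interpret_tmg_error(text):
    """Explain an error code as it appears in a TMG log entry (hex string such as '0x8007274c').

    A timeout is reported as a Win32 error surfaced through an HRESULT, which is a
    connectivity symptom between TMG and the destination, not a rule deny.
    """
    sev, facility, code = decode_hresult(int(text, 16))
    if facility != FACILITY_WIN32:
        return f"{text}: facility {facility}, code {code} (not a Win32-facility error)"
    name, meaning = WINSOCK_ERRORS.get(code, ("unknown", "not in the local table"))
    verdict = "timeout, not a rule deny" if code == 10060 else "transport-level failure"
    return f"{text}: Win32/Winsock error {code} ({name}): {meaning}; {verdict}"


if __name__ == "__main__":
    # Both forms seen in the thread decode to the same Winsock code.
    for seen in ("0x8007274c", "0x7007274C"):
        print(interpret_tmg_error(seen))
```

The decoder deliberately ignores the severity bit when classifying, so a code copied with a mangled high nibble (as in the poster's "0x7007274C") still resolves to the same Winsock error; the facility check is what guards against misreading an HRESULT from a different subsystem as a socket error.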
