Hello.
I have written a TMG rule that lets cell phones use specific protocols:
Cell phones can't open web pages or use Instagram, but when they use a VPN everything is OK.
What is your idea?
I applied the best practices too:
and TMG shows me a spoofed error:
How can I solve it?
As you see, the address range is added to the Internal network too. But the problem is not solved!
You need to do live logging and see what happens when a user tries to use the Instagram app from his/her phone.
In the TMG MMC, go to Logs & Reports / Logging and press start. Then test from a client and see what is logged. That will show what is allowed or not. You can easily copy the logged data or make a screen dump. Are the alerts with regards to routing table/network definition for the internal network resolved?
Thank you.
But as you see, TMG reports the range 172.30.14.0-172.30.14.255 as spoofed, and those are the cell phones. PCs with other IP ranges are OK; this problem is just for cell phones :(
Any idea?
Everything here is just an educated guess, as there is not much information to work with.
This blog post describes why packets are dropped as spoofed.
Make sure that traffic is received on the correct interface.
Make sure that there are routes defined for all IP networks added to the internal network. They must match. If the 172.30.14.0/24 network is reachable through the internal network adapter, a route to that network must exist. The default gateway is only for traffic to and from the Internet. All internal networks must have routes as well, except for the subnet the internal network adapter is connected to.
If the internal adapter is on 172.16.0.1 and your internal router through which you can reach the 172.30.14.0/24 network is 172.16.0.254, then add a route through the TMG MMC or a persistent route using the route command from a command prompt (on the TMG server), for example:
route -p add 172.30.14.0 MASK 255.255.255.0 172.16.0.254
Then check any new alerts and check the logs.
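As an added example (not code from the thread), here is a small Python checker that encodes the rule in this answer: every range in the TMG Internal network definition must be covered by a route other than the default gateway, except the subnet the internal adapter itself sits on. The address ranges, adapter address and route table below are constructed, not the poster's values.

```python
import ipaddress

# Constructed sample: TMG "Internal" network ranges, the internal adapter's
# address and the internal router (hypothetical values for illustration).
INTERNAL_RANGES = ["172.16.0.0-172.16.255.255", "172.30.14.0-172.30.14.255"]
INTERNAL_ADAPTER = "172.16.0.1/16"
INTERNAL_ROUTER = "172.16.0.254"

# Constructed sample of the IPv4 route table section printed by `route print`.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.0.0.254       10.0.0.1     10
       172.16.0.0      255.255.0.0         On-link      172.16.0.1    266
"""


def parse_routes(text):
    """Return the non-default routes as (network, gateway) pairs."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, _iface, _metric = fields
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if net.prefixlen == 0:  # default route only serves Internet traffic
            continue
        routes.append((net, gateway))
    return routes


def ranges_to_networks(ranges):
    """Turn 'a.b.c.d-e.f.g.h' ranges into CIDR networks."""
    nets = []
    for r in ranges:
        first, last = (ipaddress.ip_address(x) for x in r.split("-"))
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


def missing_routes(ranges, route_text, adapter, router):
    """List the 'route -p add' lines needed for internal ranges no route covers."""
    connected = ipaddress.ip_interface(adapter).network
    routes = parse_routes(route_text)
    missing = []
    for net in ranges_to_networks(ranges):
        if net.subnet_of(connected):
            continue  # directly connected subnet: no route required
        if any(net.subnet_of(rnet) for rnet, _ in routes):
            continue  # a more specific route already exists
        missing.append(f"route -p add {net.network_address} MASK {net.netmask} {router}")
    return missing
```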
The IP addresses were just examples.
If the internal interface of TMG and the phones are not on the same subnet, a gateway must be defined on the phones and a persistent route on TMG pointing to the internal router.
If the TMG server is not in the default gateway path to reach the Internet, you must specify it as a web proxy on the clients.
As you have blurred the rule and don't show any other rule, I can't tell you why this rule doesn't work as you expect.
None of that is crystal clear from the above.
Because of that, there's only one thing I can advise at this point:
Check the logs while trying to browse the Internet from a failing phone.
- Nothing in the log? Likely your network setup is wrong. See a few lines above.
- Something in the log? What? Deny? Error message?
You can also use the traffic simulator and see what it says.
I am sharing some photos, and I guess you can understand what my problem is:
As you see, HTTP is blocked in "Phone-Nat"!
This is my NIC configuration:
I ran Wireshark too:
What is your idea?
The rule does not block the request.
The log entry says that one of the connected parties (i.e. endpoints) did not respond in a timely fashion, within the TCP timeout thresholds. There's a big difference between a block and a timeout.
Looking at the trace above, I see only traffic from a 172.30.14.x to TMG. NO return traffic. That indicates an issue with the traffic flow, most likely routing. As you seem to have the correct configuration in TMG, I would look at the router configuration.
Thank you so much.
What do you mean by "Router"? A router device or the route configuration in Windows?
As you see, I attached the "Route" configuration in Windows above. I use "Cisco" switches; in your opinion, can the switches have any problem?
This problem occurred suddenly :(
Any idea to solve it?
I can't understand "0x7007274C"!
The error message 0x8007274c is WSAETIMEDOUT.
This means that the connection to the phone host (i.e. between TMG and the network where the phones are located) did not function properly due to an issue somewhere between TMG and the destination.
I meant that you should check the switch/router TMG is connected to on the internal interface and see what is (not) happening there.
If the phone manages to send requests to the TMG server but TMG is not able to respond but the routing looks correct then you need to look at the router on the internal interface - 172.30.9.254.