VPN Site to Site (TMG vs TMG)

  • Question

  • I explain my environment:

    Two TMG SP1 (both) connected by VPN site to site and dynamically assigned addresses (DHCP) on both sides.

    The TMG 1 subnet is 192.168.10.0/24

    The TMG 2 subnet is 192.168.20.0/24

    Both TMG's on Windows Server 2008 R2

    I noticed a strange behavior on my site to site VPN when processing certain requests on TMG 1, for example:

    When I synchronize RSS feeds, use MSN, or use bank pages which use Java to authenticate (from the client the only thing I see is an error), what I see in the logging of TMG one is that this application wants to go out AGT 2 and this blocks the traffic.

    The exact logging says:

    Connection Failed Attempt TMG-01 8/23/2010 2:32:41 PM
    Log type: Firewall service
    Status: No Connection Could Be Made Because The Target Machine Actively Refused it.
    Rule: Allow access VPN1 Between Internal and
    Source: Internal (192.168.10.91:56624)
    Destination: Local Host (192.168.10.141:8080)>>> IP from TMG 2
    Protocol: HTTP Proxy
     
    Additional information
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 999ms Original Client IP: 192.168.10.91

    What do you think??

    Thank you very much for your comments ...

    Sincerely,

    Jimcesse
    Monday, August 23, 2010 9:12 PM

Answers

  • Hi Jim

    Does your Internal rule have any authentication set at the Network rule level?
    Java apps can only understand Basic auth...
    Can you test with a FWC installed on the client?

    Monday, September 13, 2010 5:01 AM
    Moderator

All replies

  • Does this fail consistently or only occasionally?
    Saturday, August 28, 2010 12:04 AM
    Moderator
  • Hi Mohit

    No behavior is persistent.... You commented that my VPN is PPTP


    Jimcesse
    Saturday, August 28, 2010 3:09 AM
  • What do we have under the USERS tab on access rule "Rule: Allow access VPN1 Between Internal and ... "?

    If we have any Domain User Group there, then can you try replacing that with All Users and then see the behavior?

    Thx, Junaid

    Sunday, August 29, 2010 3:58 AM
  • Hi Junaid

    Thanks for your feedback...

    The rule applies to all users and the problem persists...


    Jimcesse
    Monday, August 30, 2010 12:37 AM