UAG & Kerberos problem

  • Question

  • Network diagram follows the narrative, but summarizing, it's Internet<-->NAT router with pinholes<-->UAG<-->TMG<-->Internal. UAG & TMG are domain members.

    Currently, UAG only provides an SSTP VPN...and that is working.

    However, when I log on to the UAG box itself, DFS shares are unavailable (except that SYSVOL is available).

    DFS is NOT configured to prevent off-site referrals, but regardless, 10.150.10.0/24 and 10.100.10.0/24 (see diagram) are on the same AD site.

    When I look at the TMG logs on the TMG and UAG boxes as I try to browse DFS shares, I see lots of the following events, which I suspect are related. Seems odd that a Kerberos problem would only affect DFS referrals, but that's all I've seen so far.

    Access to the computer shares underlying the DFS shares is successful. Accessing DFS shares on the TMG box is also successful.

    This one's from the UAG box:

    ___________________________

    Closed Connection

    01UAG001 9/21/2011 7:27:01 PM

    Log type: Firewall service

    Status: A connection was abortively closed after one of the peers sent an RST packet.

    Rule: [System] Allow Kerberos authentication from Forefront TMG to trusted servers

    Source: Local Host (10.150.10.2:17345)

    Destination: Internal (10.100.10.10:88)

    Protocol: Kerberos-Sec (TCP)

    Additional information

    Number of bytes sent: 406

    Number of bytes received: 418

    Processing time: 0ms

    Original Client IP: 10.150.10.2

    _____________________________

    And here's what appears to be the same connection attempt on the TMG box:

    _____________________________

    Closed Connection

    01TMG001 9/21/2011 7:27:01 PM

    Log type: Firewall service

    Status: A connection was abortively closed after one of the peers sent an RST packet.

    Rule: [Enterprise] Allow all between UAG and Internal

    Source: TMG-UAG (10.150.10.2:17345)

    Destination: Internal (10.100.10.10:88)

    Protocol: Kerberos-Sec (TCP)


    Additional information

    Number of bytes sent: 406

    Number of bytes received: 418

    Processing time: 0ms

    Original Client IP: 10.150.10.2

    _____________________________

    The (debugging) Access Rule on the TMG box (currently Rule 1) is as follows:

    _____________________________

    Action: Allow

    Protocols: All outbound traffic, Strict RPC turned off

    From: UAG Servers (Computer set including 10.150.10.2)
          All internal networks (Network Set including 10.100.10.0-10.100.10.255)

    To: Same as From

    Users: All Users

    Schedule: Always

    Content Types: All

    Malware Inspection: None

    _____________________________

    Network diagram:


    Thursday, September 22, 2011 1:18 AM

All replies

  • Weird.

    I just logged on the UAG box to see if I could make any progress. Made more than I expected...DFS shares now work. This is the 1st time I've logged on to this system since I posted yesterday. I did not do ANYTHING to fix it.

    So, the symptom is gone, but the RST events are still being logged by both machines for connections from the UAG machine.

    And I now see that there are other protocols that log the same event: CIFS and WSUS/TCP8531.

    Yet, Windows Update from WSUS, auth & file shares all seem to be working. Is the RST issue really a problem or is it cosmetic?

    Thursday, September 22, 2011 4:39 PM
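The question and the follow-up both turn on whether the logged RST closures matter. As an added example (not from the thread, and not TMG's own tooling), this Python script parses "Closed Connection" entries in the layout the TMG log viewer produces and separates RSTs on exchanges where the peer actually replied (bytes in both directions, as in the Kerberos entry above) from ones where nothing came back. The sample entries are constructed to mirror the thread, and the completed/no-reply rule is an assumption of the example, not a TMG status code.

```python
import re
from collections import Counter

# Constructed sample in the layout the TMG log viewer produces (values mirror the thread, not a real log)
SAMPLE_LOG = """\
Closed Connection
01UAG001 9/21/2011 7:27:01 PM
Status: A connection was abortively closed after one of the peers sent an RST packet.
Source: Local Host (10.150.10.2:17345)
Destination: Internal (10.100.10.10:88)
Protocol: Kerberos-Sec (TCP)
Number of bytes sent: 406
Number of bytes received: 418
_____________________________
Closed Connection
Status: A connection was abortively closed after one of the peers sent an RST packet.
Source: TMG-UAG (10.150.10.2:17400)
Destination: Internal (10.100.10.10:445)
Protocol: CIFS (TCP)
Number of bytes sent: 0
Number of bytes received: 0
"""
# "Key: value" lines; the key is restricted to words so the timestamp line is skipped
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*):\s*(?P<value>.*)$")


def parse_entries(text):
    """Split viewer text on underscore separator lines into one dict per entry."""
    entries = []
    for chunk in re.split(r"^_{5,}$", text, flags=re.M):
        fields = {}
        for line in chunk.strip().splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group("key").strip()] = m.group("value").strip()
        if fields:
            entries.append(fields)
    return entries


def classify_rst(entry):
    """'completed': data flowed both ways before the RST; 'no-reply': the peer sent nothing."""
    if "RST" not in entry.get("Status", ""):
        return "not-rst"
    sent = int(entry.get("Number of bytes sent", "0"))
    received = int(entry.get("Number of bytes received", "0"))
    return "completed" if sent and received else "no-reply"


def summarize(text):
    """Count RST closures per (protocol, outcome) so the cosmetic ones stand out."""
    return Counter((e.get("Protocol", "?"), classify_rst(e)) for e in parse_entries(text))
```

Entries counted as "completed" are the pattern in the thread (request sent, reply received, then RST); the "no-reply" bucket is the one worth investigating.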