Occasional Contributor II
Posts: 14
Registered: ‎10-01-2012

Activesync and Aruba

Hello,

We recently switched out Sidewinder firewalls and went with Check Point firewalls. Since then, we've been having a lot of problems getting ActiveSync to work on the Internal Wireless Network. If we take our phones off of the Aruba WLAN network and just use our Cellular network, mail comes in just fine. Once we connect back up to the Arubas, we can't even connect to our Exchange Server. Firewall logs show no dropped packets at all for HTTPS connections to ActiveSync. However, the interesting thing we are seeing is that it seems our phones are trying to contact our ISP's DNS servers looking for the front end Exchange server.

Any thoughts on how we might be able to remedy this?

MVP
Posts: 401
Registered: ‎07-26-2011

Re: Activesync and Aruba

What DNS servers are the clients being provided and how are they being provided with these?

Might also be worth seeing what role the clients are assigned (#show user-table) and checking the permissions for this role (#show rights xxxxx)

ACMA, ACMP
If my post addresses your query, give kudos:)
MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Activesync and Aruba

You should also pick an address of one of the devices in question and run the following command:

show datapath session table <ip address>

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 14
Registered: ‎10-01-2012

Re: Activesync and Aruba

Thanks for the replies,

From the looks of the settings on the phone, they are pulling ISP DNS settings; unfortunately, I'm not exactly sure how this is getting assigned. The guy prior to me was the one who put this all together. As far as roles and permissions go, it's every role that has this issue. Permissions for the group that I'm in are "AllowAll" for the ACL. It's not really restrictive at all because it's the SSID used for IT and our company directors.

@VFabian

I ran the datapath command on my phone and it appears that it's communicating with Google (Android phone) and that's it.

74.125.225.135      172.***.***.***        6      443       54394      0/0      0 0      12      tunnel      19      c1
172.***.***.***          125.225.135          6     54394   443          0/0      0 0      12      tunnel      19      c1     C
173.194.68.188      172.***.***.***        6      5228     51798     0/0      0 0       11      tunnel      19     578
172.***.***.***          173.194.68.188    6      51798  5228        0/0      0 0       12      tunnel      19     578 C

 

 

Again, this is happening with every phone regardless of what SSID or Role it has. I'm sure this is a firewall issue, but I have no clue where the issue is as the logs are showing no drops whatsoever.

MVP
Posts: 401
Registered: ‎07-26-2011

Re: Activesync and Aruba

How are the users obtaining an IP address? Via the DHCP server on the controller or an external one? I expect this would be providing your DNS servers unless they are statically set.

ACMA, ACMP
If my post addresses your query, give kudos:)
Occasional Contributor II
Posts: 14
Registered: ‎10-01-2012

Re: Activesync and Aruba

Looks like our Juniper Switches are handling DNS.  We changed these to reflect our internal network and the only thing that changed was that now we're not able to get to the internet.  Still no connection to Activesync.

MVP
Posts: 401
Registered: ‎07-26-2011

Re: Activesync and Aruba

What does show datapath session table <ip address> show? Are you seeing any "D", i.e., traffic being denied now?

ACMA, ACMP
If my post addresses your query, give kudos:)
MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Activesync and Aruba

Have you tried creating a rule in the Check Point firewall to allow all for just one particular IP address?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 14
Registered: ‎10-01-2012

Re: Activesync and Aruba

The command shows that my phone was communicating with the internal DNS servers, but that's it. I have no "D" traffic, just the 2 connections to the internal DNS servers. I even tried re-setting up my ActiveSync based on the server IP address instead of the DNS entry and it won't connect. I also don't see traffic going to it while logged onto the WLAN controller, and the last entry for my phone's IP in the firewall was prior to making the DNS change on our Juniper core switch.

@VFabian

I have not done a rule for a single IP address, but I did add a rule, at the top, that would allow traffic from our wireless subnet range to communicate to our front end Exchange server. That rule has zero hits on it.

MVP
Posts: 401
Registered: ‎07-26-2011

Re: Activesync and Aruba

Do you see the traffic reaching the firewall? What does a tcpdump show? Do you see a reply? Might be worth checking your NATs and routing on the firewall back to the wireless VLAN.

ACMA, ACMP
If my post addresses your query, give kudos:)
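
Added example, not part of any post in this thread: a small Python check for the question the replies keep asking of the show datapath session table output, namely whether the client has a session to the Exchange server at all and whether that session carries the "D" flag. The column order is inferred from the rows pasted above, the sample rows and addresses are constructed, and parse_sessions and check_flow are hypothetical helper names.

```python
import re

# Constructed sample (not from the thread): a client that only reaches DNS.
SAMPLE = """\
10.20.30.40  10.0.0.53    17  40001  53     0/0  0 0  1  tunnel 19  a   C
10.0.0.53    10.20.30.40  17  53     40001  0/0  0 0  1  tunnel 19  a
"""

# Assumed column order, inferred from the rows pasted in the thread:
# source, destination, IP protocol, source port, destination port, ...
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_sessions(text):
    """Return one dict per session row; headers and other lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, dst, proto, sport, dport, rest = m.groups()
        tail = rest.split()
        # Assumption: flags are a final all-uppercase token ("C", "D");
        # the column before it is lowercase hex in the thread's output.
        flags = tail[-1] if tail and re.fullmatch(r"[A-Z]+", tail[-1]) else ""
        sessions.append({"src": src, "dst": dst, "proto": int(proto),
                         "sport": int(sport), "dport": int(dport),
                         "flags": flags})
    return sessions

def check_flow(text, client, server, port=443):
    """Say where to look next for client -> server:port (TCP)."""
    sent = [r for r in parse_sessions(text) if r["src"] == client]
    to_server = [r for r in sent if r["dst"] == server
                 and r["proto"] == 6 and r["dport"] == port]
    if not to_server:
        verdict = "no-session"   # no session on the controller: check client DNS/routing
    elif any("D" in r["flags"] for r in to_server):
        verdict = "denied"       # dropped by the role's ACL on the controller
    else:
        verdict = "forwarded"    # left the controller: check firewall, NAT, return route
    seen = sorted({(r["dst"], r["dport"]) for r in sent})
    return {"verdict": verdict, "destinations": seen}

if __name__ == "__main__":
    print(check_flow(SAMPLE, "10.20.30.40", "10.0.0.25"))
```

A "no-session" verdict with only port 53 destinations matches the situation described in the thread, where the phone talks to DNS and nothing else.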