We recently switched out Sidewinder firewalls and went with Check Point firewalls. Since then, we've been having a lot of problems getting ActiveSync to work on the Internal Wireless Network. If we take our phones off of the Aruba WLAN network and just use our cellular network, mail comes in just fine. Once we connect back up to the Arubas, we can't even connect to our Exchange server. Firewall logs show no dropped packets at all for HTTPS connections to ActiveSync. However, the interesting thing we are seeing is that it seems our phones are trying to contact our ISP's DNS servers looking for the front end Exchange server.
Any thoughts on how we might be able to remedy this?
What DNS servers are the clients being provided and how are they being provided with these?
Might also be worth seeing what role the clients are assigned (#show user-table) and checking the permissions for this role (#show rights xxxxx)
Thanks for the replies,
From the looks of the settings on the phone, they are pulling ISP DNS settings; unfortunately, I'm not exactly sure how this is getting assigned. The guy prior to me was the one who put this all together. As far as roles and permissions go, it's every role that has this issue. Permissions for the group that I'm in are "AllowAll" for the ACL. It's not really restrictive at all because it's the SSID used for IT and our company directors.
I ran the datapath command on my phone and it appears that it's communicating with Google (Android phone) and that's it.
126.96.36.199 172.***.***.*** 6 443 54394 0/0 0 0 12 tunnel 19 c1172.***.***.*** 125.225.135 6 54394 443 0/0 0 0 12 tunnel 19 c1 C188.8.131.52 172.***.***.*** 6 5228 51798 0/0 0 0 11 tunnel 19 578172.***.***.*** 184.108.40.206 6 51798 5228 0/0 0 0 12 tunnel 19 578 C
Again, this is happening with every phone regardless of what SSID or role it has. I'm sure this is a firewall issue, but I have no clue where the issue is as the logs are showing no drops whatsoever.
How are the users obtaining an IP address? Via the DHCP server on the controller or an external one? I expect this would be providing your DNS servers unless they are statically set.
Looks like our Juniper Switches are handling DNS. We changed these to reflect our internal network and the only thing that changed was that now we're not able to get to the internet. Still no connection to Activesync.
What does show datapath session table <ip address> show? Are you seeing any "D", i.e. traffic being denied now?
Have you tried creating a rule in the Check Point firewall to allow all for just one particular IP address?
The command shows that my phone was communicating with the internal DNS servers, but that's it. I have no "D" traffic, just the 2 connections to the internal DNS servers. I even tried re-setting up my activesync based on the server IP address instead of the DNS entry and it won't connect. I also don't see traffic going to it while logged onto the WLAN controller, and the last entry for my phone's IP in the firewall was prior to making the DNS change on our Juniper core switch.
I have not done a rule for a single IP address, but I did add a rule, at the top, that would allow traffic from our wireless subnet range to communicate to our front end exchange server. That rule has zero hits on it.
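As an added illustration (not code from the thread or from Aruba), this script parses constructed "show datapath session table" output and reports the two things asked about above: sessions carrying the "D" (deny) flag, and client-originated sessions with no matching reverse entry, which is what one-way traffic to the Exchange front end looks like in the table. The column layout (Source IP, Destination IP, Prot, SPort, DPort, Cntr, Prio, ToS, Age, Destination, TAge, Packets, Bytes, Flags) is an assumption about the controller's output format, and the IP addresses are made up.

```python
"""Triage helper for Aruba datapath session table output (added example).

Assumed columns: Source IP, Destination IP, Prot, SPort, DPort, Cntr, Prio,
ToS, Age, Destination (e.g. 'tunnel 19'), TAge, Packets, Bytes, Flags.
Flags may be empty, and the Destination column is two tokens, so a regex is
used rather than a plain split().
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<proto>\d+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+\S+\s+\d+\s+\d+\s+\d+\s+"
    r"(?:tunnel|dev)\s+\d+\s+\S+\s+\d+\s+\d+(?:\s+(?P<flags>[A-Za-z]+))?\s*$"
)

@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: str

# Constructed sample (not the thread's dump): a phone at 10.20.30.40 talking to
# an internal DNS server (both directions present), to an Exchange front end on
# 443 (no reverse entry), and one session the datapath denied ('D').
SAMPLE = """\
Source IP       Destination IP  Prot SPort DPort  Cntr  Prio ToS Age Destination TAge Packets Bytes Flags
10.20.30.40     10.0.0.53       17   51000 53     0/0   0    0   1   tunnel 19   1    3       210   FC
10.0.0.53       10.20.30.40     17   53    51000  0/0   0    0   1   tunnel 19   1    3       410   F
10.20.30.40     10.0.0.80       6    54394 443    0/0   0    0   12  tunnel 19   c1   7       1200  C
10.20.30.40     203.0.113.9     6    51798 5228   0/0   0    0   11  tunnel 19   578  2       120   FDC
"""

def parse_sessions(text: str) -> list[Session]:
    """Return one Session per data row; header and unparsable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Session(m["src"], m["dst"], int(m["proto"]), int(m["sport"]),
                               int(m["dport"]), m["flags"] or ""))
    return out

def denied(sessions: list[Session]) -> list[Session]:
    """Sessions the datapath denied (the 'D' flag asked about in the thread)."""
    return [s for s in sessions if "D" in s.flags]

def one_way(sessions: list[Session], client_ip: str) -> list[Session]:
    """Client-originated sessions with no reverse (server->client) entry."""
    keys = {(s.src, s.dst, s.proto, s.sport, s.dport) for s in sessions}
    return [s for s in sessions if s.src == client_ip
            and (s.dst, s.src, s.proto, s.dport, s.sport) not in keys]
```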
Do you see the traffic reaching the firewall? What does a tcpdump show? Do you see a reply? Might be worth checking your NATs and routing on the firewall back to the wireless VLAN.
I imagine that your wired users are able to reach the Exchange server with no issues?
Yes, oddly enough I can see my phone traffic hitting the front end exchange. So perhaps it is something on the way back that is not making it through. I'll do a tcpdump and see what comes of that. NAT had also come to my mind as well.
Yes, everything from a desktop PC or laptop to Exchange is good. Everything works great in ActiveSync when we're on the cellular network outside the company (tested at lunch). It's just when we're connected to the internal wireless that it craps out.
So I ran a TCPDUMP on the firewall for my phone's IP Address on the wireless network. Ran TCPDUMP as the src and the dst.
I saw all kinds of traffic from my phone hitting the front end Exchange server; however, I saw absolutely zero traffic coming back to my phone from the server. Our consultant is telling us that it's because we're going outside to the internet and then coming back in to get to Exchange; however, this is definitely done by design. The wireless networks aren't supposed to be communicating internally with the servers; their entire purpose is just to provide mobile devices internet access. So this makes sense why it's acting this way. The consultant tells us that the Check Point firewall doesn't like it when this happens.
There has to be a way to make this work, I can't imagine that we're the only ones running into this. It worked on our Sidewinder Firewalls, there has to be some way, without having to do any drastic network redesigns.
So this should work similar to hairpin routing?
We actually got this working. It appears it was an ICMP redirect that was causing the issue.
We had to add a static route to the Exchange server telling it to go out our firewall interface for our wireless network instead of the core switch. Apparently Check Point hates ICMP redirects, which is something we need to fix on a greater scale as apparently Server 2008 and Server 2012 also don't like it. Thanks for all your suggestions and help guys! Much appreciated.
You should also pick an address of one of the devices in question and run the following command:
show datapath session table <ip address>