Home > Forefront TMG 2010, Networking, Threat Management Gateway > Controlling Access to File Shares with Forefront TMG 2010

Controlling Access to File Shares with Forefront TMG 2010

May 21, 2012

Consider a scenario in which you have an IIS server located in a perimeter network protected by Forefront TMG 2010. The server is published to the Internet and is used to display product information for your company. Web content developers on your internal network need to have access to file shares on the IIS server to upload new web content. To facilitate this access you create an access rule to allow CIFS access to the IIS server. For security reasons you decide to restrict access to members of the Web Content Developers domain group. In addition, your workstations have the Forefront TMG Firewall Client installed. The access rule looks like this:

When users attempt to map a drive to the file share on the web server they receive the following error message:

System error 67 has occurred.
The network name cannot be found.

In addition, the Forefront TMG 2010 firewall log indicates the following:

Denied Connection
Log Type: Firewall Service
Status: The action cannot be performed because the session is not authenticated.

At this point you might be puzzled because you have the Forefront TMG Firewall Client is installed on the workstation. TMG Firewall Client communication is always authenticated, so why does the firewall log indicate otherwise? The answer is simple. The Forefront TMG 2010 Firewall Client is a Layered Service Provider (LSP) that listens for Winsock calls made by the operating system and applications. Any Winsock calls made for resources on a remote network will be transparently delivered to the proxy server by the Firewall Client. However, CIFS communication does not use Winsock, so the TMG Firewall Client does not handle this traffic. As such, the network requests are delivered to the Forefront TMG firewall as SecureNAT requests. Since the rule in question requires authentication, and SecureNAT traffic cannot be authenticated, the firewall appropriately denies the traffic and the request fails.

You can resolve this issue by removing authentication on the access rule and controlling access on the file share itself. If you want to enforce user and group authentication at the firewall, consider using another protocol such as FTP.

For more information about the Forefront TMG 2010 Firewall Client and CIFS connections, please review Microsoft Knowledge Base article 913782.

  1. Dave
    September 29, 2012 at 1:50 pm

    Hi Richard,
    Is allowing CIFS across TMG (albeit from the internal network to DMZ) a security concern or not?
    Is having File Sharing enabled on the IIS server an issue for this server?
    I ask because we are looking at implementing exactly this setup in our company but I am not entirely sure of the risks.

  2. October 1, 2012 at 8:42 am

    It is purely subjective, and depends entirely upon your specific security requirements. Generally speaking, following the principle of least privilege is a good place to start, as open file shares do present security risks, as SMB and CIFS can be an attack vector exploited by attackers and worms. If file share access is required, I’d suggest determining who needs that access and limit accordingly. This can be done on TMG with IP address restrictions or on the IIS server with share and file permissions.

  1. No trackbacks yet.
Comments are closed.