Archive

Posts Tagged ‘alert’

IP Spoofing Alert from APIPA Address in Forefront TMG 2010

May 15, 2012 10 comments

Security administrators may encounter the following IP spoofing alert on their Forefront TMG 2010 firewall:

Alert: IP Spoofing

Description: Forefront TMG 2010 detected a possible spoof attack from the IP
address 169.254.x.x. A spoof attack occurs when an IP address that is not
reachable through the network adapter on which the packet was received. If 
logging for dropped packets is enabled, you can view the details of this
attack in the firewall log in Forefront TMG 2010 log viewer. If the IP
address belongs to a VPN client, this event may be ignored.

This alert occurs because the Forefront TMG 2010 firewall received a packet on its internal network interface from a client (server, workstation, or other host) that did not have a statically assigned IP address and was not able to obtain one from DHCP, so the client selected an IP address from the Automatic Private IP Address Assignment (APIPA) address range defined in RFC 3927.

You can safely ignore this alert, or you can resolve the issue by adding the APIPA reserved network 169.254.0.0/16 to the Internal network definition. This can be accomplished by opening the Forefront TMG 2010 management console and highlighting the Networking node in the navigation tree, then right-clicking the Internal network, selecting the Addresses tab, then clicking the Add Private button and choosing the address range 169.254.0.0 – 169.254.255.255.

Note: It is possible to resolve this issue by disabling alerts for IP spoofing attempts. However, this is considered bad security practice and is strongly discouraged.

You may recall from an earlier blog post I indicated that the best way to configure the Internal network definition in Forefront TMG 2010 is to choose the Add Adapter option. This still remains true. However, this is one of those rare cases in which you’ll want add an additional network address space to your Internal network definition to reduce the volume of IP spoofing alerts being raised by the Forefront TMG 2010 firewall.

The one side effect to implementing this change is that you will now receive a Configuration error alert informing you that your Internal network does not correlate with the network adapters that belong to it.

Essentially you have traded one annoying alert for another. However, the noise generated by IP spoofing alerts from clients with APIPA IP addresses might make this tradeoff worthwhile. In addition, it is much safer to disable the configuration error alert than it is the IP spoofing alert.

Categories: Forefront TMG 2010, Networking, Threat Management Gateway Tags: , , , , , , , ,

Hotfix Rollup 1 for Forefront TM 2010 SP2 Now Available

January 16, 2012 Comments off

A hotfix rollup for Forefront TMG 2010 SP2 is now available. The hotfix rollup resolves several reported issues with TMG, including:

KB2654016 – A client may be unsuccessful in accessing a Java SSO application published to the web by Forefront TMG 2010

KB2653703 – “Error: Subreport could not be shown” error message in the User Activity or Site Activity report in Forefront TMG 2010

KB2654585 – UDP packets may become backlogged when you increase the “maximum concurrent UDP sessions per IP address” setting in Forefront TMG 2010

KB2624178 – Forefront TMG 2010 administrators may be unable to generate reports

KB2636183 – Both sides of a TCP connection are closed when the client or remote application half-closes the TCP connection in Forefront TMG 2010

KB2653669 – Summary information for the Top Overridden URLs table and for the Top Rule Override Users table display incorrect information in Forefront TMG 2010

KB2617060 – Forefront TMG 2010 enables L2TP site-to-site connections in RRAS

KB2655951 – Japanese characters in the subject line of an Alert email message are not readable in the Japanese version of Forefront TMG 2010

KB2654068 – “The Web Listener is not configured to use SSL” warning message may occur when you configure a Web Listener to use a valid SSL certificate in Forefront TMG 2010

KB2654193 – You receive a “Bad Request” error message when you try to access Outlook Web App published by Forefront TMG 2010

KB2654074 – String comparison may become case-sensitive when you published a website using Forefront TMG 2010

KB2658903 – Forefront TMG 2010 firewall service (wspsrv.exe) may crash frequently for a published website secured by SSL after you install Service Pack 2.

Hotfix rollup 1 for Forefront TMG 2010 SP2 can be downloaded here. After applying this update, the new Forefront TMG 2010 build number will be 7.0.9193.515.

Categories: Forefront TMG 2010, Threat Management Gateway Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,