VirtualBox

Opened 8 years ago

Last modified 8 years ago

#14833 closed defect

NAT doesn't work behind Microsoft Forefront TMG server — at Version 3

Reported by: Giangi Owned by:
Component: network/NAT Version: VirtualBox 5.0.10
Keywords: Cc:
Guest type: other Host type: other

Description (last modified by Valery Ushakov)

I have upgraded my VB from 4.3.12 directly to 5.0.10 and now none of my guests configured as NAT are able to navigate.

This ticket is related to this forum post: https://forums.virtualbox.org/viewtopic.php?f=1&t=74498#p344920 I have found this bug report #13292 but is for an older VB release (v4)

I'm primarily using VB on a network which has Microsoft Forefront TMG as proxy/firewall. I do have full admin access on TMG and enabling the logging I do not see any errors but I do not see any "real traffic" too, just the start/close session

On my pc I have the Forefront TMG Client installed and enabled, could it be that its DLLs are being blocked?

In the logs there are many references to these DLLs, like the following. 

1388.1bb0: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Forefront TMG Client\FwcWsp.dll) WinVerifyTrust
1388.1bb0: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Program Files\Forefront TMG Client\FwcWsp.dll

1388.1bb0: supR3HardenedMonitor_LdrLoadDll: pName=C:\Program Files\Forefront TMG Client\FwcWsp.dll (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=007c7b5c:C:\Program Files\Oracle\VirtualBox;C:\Windows\system32 [calling]
1388.1bb0: supR3HardenedScreenImage/NtCreateSection: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume2\Program Files\Forefront TMG Client\FwcWsp.dll
1388.1bb0: supR3HardenedDllNotificationCallback: load 74bb0000 LB 0x001fc000 C:\Program Files\Forefront TMG Client\FwcWsp.dll [fFlags=0x0]
1388.1bb0: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume2\Program Files\Forefront TMG Client\FwcWsp.dll

The guest NIC is configured as: 

Configurazione IP di Windows
        Nome host . . . . . . . . . . . . . . : TESTXP1NEW
        Suffisso DNS primario  . . . . . . .  :
        Tipo nodo . . . . . . . . . . . . . .  : Ibrido
        Routing IP abilitato. . . . . . . . . : No
        Proxy WINS abilitato . . . . . . . .  : No
        Elenco di ricerca suffissi DNS. . . . : master.local
Scheda Ethernet Lan:
        Suffisso DNS specifico per connessione: master.local
        Descrizione . . . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
        Indirizzo fisico. . . . . . . . . . . : 08-00-27-BB-9E-71
        DHCP abilitato. . . . . . . . . . . . : Sì
        Configurazione automatica abilitata   : Sì
        Indirizzo IP. . . . . . . . . . . . . : 10.0.2.15
        Subnet mask . . . . . . . . . . . . . : 255.255.255.0
        Gateway predefinito . . . . . . . . . : 10.0.2.2
        Server DHCP . . . . . . . . . . . . . : 10.0.2.2
        Server DNS . . . . . . . . . . . . .  : 10.0.2.3
        Lease ottenuto. . . . . . . . . . . . : lunedì 16 novembre 2015 13.39.27
        Scadenza lease . . . . . . . . . . .  : martedì 17 novembre 2015 13.39.27

DNS resolution is working... 

C:\Documents and Settings\Utente>nslookup
*** Impossibile trovare nome server per l'indirizzo 10.0.2.3: Non-existent domain
*** I server predefiniti non sono disponibili
Server predefinito:  UnKnown
Address:  10.0.2.3
> set q=any
> google.com
Server:  UnKnown
Address:  10.0.2.3
Risposta da un server non di fiducia:
google.com      internet address = 173.194.112.137
google.com      internet address = 173.194.112.133
google.com      internet address = 173.194.112.130
google.com      internet address = 173.194.112.131
google.com      internet address = 173.194.112.136
google.com      internet address = 173.194.112.142
google.com      internet address = 173.194.112.134
google.com      internet address = 173.194.112.135
google.com      internet address = 173.194.112.128
google.com      internet address = 173.194.112.132
google.com      internet address = 173.194.112.129
google.com      nameserver = ns1.google.com
google.com      nameserver = ns3.google.com
google.com      nameserver = ns4.google.com
google.com      nameserver = ns2.google.com
google.com
        primary name server = ns1.google.com
        responsible mail addr = dns-admin.google.com
        serial  = 107925622
        refresh = 900 (15 mins)
        retry   = 900 (15 mins)
        expire  = 1800 (30 mins)

On my home network all the guests are connecting to internet without problems.

Change History (5)

by Giangi, 8 years ago

Attachment: VBox.zip added

by Giangi, 8 years ago

Attachment: VBoxHardening.zip added

in reply to:  description comment:1 by Giangi, 8 years ago

Replying to Giangi:

I have upgraded my VB from 4.3.12 directly to 5.0.10 and now none of my guests configured as NAT are able to navigate.

I forgot to mention that I have installed the current test build 5.0.11 but nothing changed

comment:2 by Valery Ushakov, 8 years ago

You are probably running into hardening problems. Hardening on Windows was introduced in 4.3.14, so #13292 is relevant.

comment:3 by Valery Ushakov, 8 years ago

Description: modified (diff)
Note: See TracTickets for help on using tickets.

© 2023 Oracle
ContactPrivacy policyTerms of Use