2

So, we just got word today that one of our clients firewall is blocking our HTTP requests because "The [software] is sending anonymous packets to our firewall (a Microsoft TMG firewall) so the firewall is dropping the packets as anonymous access is [not] allowed."

For our connection code we are using c++ with curl and we fallback to IEDownloadToFile if needed. I didn't write the original code nor am I really a network programmer so I came here for help. So, my questions are: What are anonymous packets? What am I doing in curl that could cause anonymous packets? Where can I find more information about solving this problem? Thanks!

zxcvbgfdsa8
  • 33
  • 2

3 Answers3

2

What they mean is your app has to authenticate with the firewall. That link provides a wealth of information concerning the TMG product. Your client probably has this configuration:

Require users to authenticate whenever they request Web access. Every Web session requires authentication.

When using this method, note the following:

Anonymous Web access is disabled.

Forefront TMG requests user credentials and validates them before it checks the request against the Firewall policy. If users fail to authenticate, their access request is denied.

This method is defined per network. Most non-interactive clients, such as, the Windows Update client, cannot authenticate, and are therefore denied access.

So when the user opens their web browser and tries to access a web page, they'll get a pop-up window asking for credentials because the firewall has intercepted their web request and sent its own authentication page. When the user authenticates, the firewall passes web traffic.

Your automated app does not authenticate with the firewall, so the firewall drops packets and your traffic is classified as anonymous.

Sorry, I don't know the solution on how to make your application authenticate with the firewall. If your app goes to specific URLs, the site operators could whitelist them.

According to this page, you should be getting error 407: proxy authentication required from curl. Try adding these options to the curl initialization, but you still have the problem of asking the user for their network credentials interactively:

CURLOPT_HTTPAUTH: add CURLAUTH_NTLM
CURLOPT_PROXYAUTH: add CURLAUTH_NTLM
set CURLOPT_FOLLOWLOCATION
indiv
  • 17,306
  • 6
  • 61
  • 82
  • They are indeed using Microsoft TMG. So we will contact them and see what we can work out. Thank you for your help! – zxcvbgfdsa8 Feb 07 '11 at 18:58
1

There is no such thing as an 'anonymous packet' in standard networking parlance. Your client's firewall is making up terms, or there was a miscommunication somewhere along the line before the message got to you. Either way, you're going to need to get clarification from your client or the firewall's vendor or documentation.

bdonlan
  • 224,562
  • 31
  • 268
  • 324
0

I agree with bdonlan. In the context of http requests, "anonymous packets" is vague and ambiguous at best. Maybe they mean there is no referrer code? Or they require http-authentication? Or you need to establish a session key before being able to access the specific url you are requesting? You need actual technical details from your client.

Alan
  • 4,897
  • 2
  • 24
  • 17