Exception while accessing Intranet services through VPN

    Question

  • We have built Windows Store (LOB) application, which requires access to our customers ERP and other critical systems. There's hardly any security build in to the software (authentication/authorization), since we rely on VPN-connections and firewalls, which would be sufficient. (We have no plans to allow access from the public internet)

    However... Now that the pilot is starting, our customer has bought his tablets and we are trying the system in the production environment, we have found out that Windows Store Applications cannot communicate within local network through VPN! It works fine if both devices are on the same (wired) Ethernet network, but not for example through mobile broadband/WLAN with VPN

    Exception that is thrown: "An attempt was made to access a socket in a way forbidden by its access permissions"

    Message from (security) event log: "The Windows Filtering Platform has blocked a packet."

    - Capabilities listed in Package.appxmanifest:

      <Capabilities>
        <Capability Name="internetClientServer" />
        <Capability Name="privateNetworkClientServer" />
        <Capability Name="internetClient" />
        <DeviceCapability Name="location" />
      </Capabilities>

    (I have also tried Enterprise Authentication - did not help)

    - Disabling Firewall has no effect

    - When Fiddler is running, everything works as it should. Without Fiddler it won't.

    - The same problem occurs on every computer I have tried this on (three Windows 8.1 devices)

    The problem seems to be the same as in this thread:

    http://social.msdn.microsoft.com/Forums/windowsapps/en-US/d5fbc945-f597-483e-895c-4bb909e99b2f/error-0x2efd-from-xhr-when-accessing-intranet-services


    Quote:

    "No change with Windows Firewall off.

    FWIW, we are seeing the issue when:

    -connecting over VPN via WiFi

    -connecting over VPN via Ethernet (wired)

    -connecting on LAN via WiFi

    When connecting on the LAN via Ethernet, it does not present."

    And in this (except that disabling the firewall didn’t help):

    http://blogs.technet.com/b/askperf/archive/2014/02/18/network-isolation-of-windows-modern-apps-how-apps-work-with-akamai-internet-caching-servers-in-windows-8-8-1.aspx


    Can anyone help or suggest an easy alternative? Some lightweight software that works like Fiddler? (I really wouldn't like to suggest that our customer install Fiddler on all of their tablets just to be able to use our software.) To me this sounds like a bug in Windows or some quite serious compatibility problem.


    Tuesday, July 15, 2014 11:44 AM
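A PowerShell diagnostic, added here and not posted by anyone in the thread, that correlates the "Windows Filtering Platform has blocked a packet" Security events with the network category Windows has assigned to each adapter (the VPN tunnel included), which is what the privateNetworkClientServer capability is evaluated against. The server address is a constructed placeholder; run it from an elevated prompt on the tablet.

```powershell
# Added diagnostic for the WFP drop reported above (example, not from the thread).
# Packet-drop auditing must be enabled or no 5152/5157 events are written:
#   auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
param(
    # Constructed placeholder: the ERP host the app reaches by IP address.
    [string]$ServerAddress = "10.0.0.25",
    # How far back to search the Security log.
    [int]$Minutes = 30
)

# 1. Network category per adapter. Only Domain/Private adapters count as the
#    "private network" that privateNetworkClientServer grants access to; a VPN
#    adapter categorised as Public will not be reachable by the app.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity |
    Format-Table -AutoSize

# 2. IPv4 addresses per adapter, so the tunnel subnet can be compared with the server.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike "169.254.*" } |
    Select-Object InterfaceAlias, IPAddress, PrefixLength |
    Format-Table -AutoSize

# 3. WFP drop events (5152 = blocked packet, 5157 = blocked connection) naming the server.
$since  = (Get-Date).AddMinutes(-$Minutes)
$filter = @{ LogName = 'Security'; Id = 5152, 5157; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$hits   = $events | Where-Object { $_.Message -match [regex]::Escape($ServerAddress) }

foreach ($e in $hits) {
    # The Filter Run-Time ID names the WFP filter that dropped the packet;
    # "netsh wfp show filters" exports the filter table (filters.xml) to look it up.
    $rtid = if ($e.Message -match 'Filter Run-Time ID:\s+(\d+)') { $Matches[1] } else { '?' }
    $app  = if ($e.Message -match 'Application Name:\s+(\S+)')   { $Matches[1] } else { '?' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        Application = $app
        FilterRTID  = $rtid
    }
}
```

If the Application column shows the app container path and the VPN adapter is listed as Public, the block is the platform's network isolation rather than the host firewall, which matches the observation that disabling the firewall changes nothing.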

All replies

  • "No change with Windows Firewall off.

    FWIW, we are seeing the issue when:

    -connecting over VPN via WiFi

    -connecting over VPN via Ethernet (wired)

    -connecting on LAN via WiFi

    When connecting on the LAN via Ethernet, it does not present."

    I am not sure how the two highlighted test conditions differ.

    What do you use to connect to the internal server? Is it a host name or an IP? Do you by any chance use DirectAccess? (If so, then the client machine should be domain joined.)

    The very first thing I will suggest is to use a Hosts file entry (C:\Windows\System32\drivers\etc\hosts); refer to How To Edit Hosts File in Windows 8


    -- Vishal Kaushik --

    Please 'Mark as Answer' if my post answers your question and 'Vote as Helpful' if it helps you. Happy Coding!!!

    Tuesday, July 15, 2014 12:57 PM
  • What's the VPN you're using?

    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    If my reply answers your question, please mark this post as answered.

    NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

    Tuesday, July 15, 2014 1:40 PM
    Moderator
  • The VPN software is Shrew VPN. IP Address is used to connect to the internal server and DirectAccess is not used.
    Tuesday, July 15, 2014 8:56 PM