SMB traffic not received for App Proxy on macOS

Hi, we have been trying to tunnel SMB traffic using App Proxy on macOS. We observed that NetAuthSysAgent is responsible for originating the traffic, so we flagged the apps below for Per-App VPN on macOS, but when we try to access the SMB domain from Finder, the App Proxy plugin doesn't seem to receive the traffic from this binary. Is this a known issue, or is there any other way to get SMB to work on a Per-App App Proxy VPN on macOS?

Executable=/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent
designated => identifier "com.apple.NetAuthAgent" and anchor apple

Executable=/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent
designated => identifier "com.apple.NetAuthSysAgent" and anchor apple

NetAuthAgent handles the authentication side of SMB; see the NetAuthAgent man page for a summary. The actual networking is done by the smbfs KEXT. I don’t think such traffic is visible to NE app proxies. Consider this:

% sudo tcpdump -n -k A port 445
…
09:49:04.158389 (en0, proc kernel_task:0:, svc BE, out, so, flowid 0x877f8d1c, ttag 0x0) IP 192.168.1.71.59723 > 192.168.1.106.445: Flags [P.], seq 855760:855862, ack 26746, win 57856, options [nop,nop,TS val 180900942 ecr 2433515951], length 102
09:49:04.163477 (en0, proc kernel_task:0:, svc BE, in, so, flowid 0x877f8d1c, ttag 0x0) IP 192.168.1.106.445 > 192.168.1.71.59723: Flags [.], ack 855862, win 24875, options [nop,nop,TS val 2433515957 ecr 180900942], length 0
…

Note how the proc metadata is kernel_task. I can’t see any way to craft a DR for that.

Have you tried doing this using a transparent proxy? I’m not sure whether that’ll work either, but at least you don’t fall at the first hurdle of crafting a DR.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
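To make the transparent proxy suggestion concrete, here is an added example (not code from the thread or from Apple) of a minimal NETransparentProxyProvider that claims outbound TCP flows to port 445 and logs the signing identifier the framework reports for the originating process. The placeholder tunnel address, the subsystem name and the decision to only observe rather than relay are assumptions for illustration.

```swift
import NetworkExtension
import os.log

/// Added example, not from the forum thread: a transparent proxy that matches
/// outbound TCP port 445 (SMB) and records which process the flow is attributed to.
class SMBTransparentProxyProvider: NETransparentProxyProvider {

    // Subsystem name is an assumption for this example.
    private let log = OSLog(subsystem: "com.example.smbproxy", category: "provider")

    override func startProxy(options: [String : Any]? = nil,
                             completionHandler: @escaping (Error?) -> Void) {
        // Transparent proxies do not route through the tunnel address, so a
        // placeholder value is sufficient here.
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")

        // Match every outbound TCP flow whose remote port is 445, to any host.
        let smbRule = NENetworkRule(
            remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "445"),
            remotePrefix: 0,
            localNetwork: nil,
            localPrefix: 0,
            protocol: .TCP,
            direction: .outbound)
        settings.includedNetworkRules = [smbRule]

        setTunnelNetworkSettings(settings) { error in
            completionHandler(error)
        }
    }

    override func stopProxy(with reason: NEProviderStopReason,
                            completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        guard let tcpFlow = flow as? NEAppProxyTCPFlow else {
            // Not TCP: leave the flow to the system.
            return false
        }
        let remote = tcpFlow.remoteEndpoint as? NWHostEndpoint

        // The signing identifier of the process that opened the flow. This is the
        // value a per-app designated requirement would have had to match, so logging
        // it shows what the framework attributes SMB flows to on this machine.
        let sourceApp = flow.metaData.sourceAppSigningIdentifier
        os_log("SMB flow from %{public}@ to %{public}@:%{public}@",
               log: log, type: .info,
               sourceApp, remote?.hostname ?? "?", remote?.port ?? "?")

        // Returning false leaves the flow unclaimed so the system handles it unchanged.
        // To actually tunnel it, return true, call
        // tcpFlow.open(withLocalEndpoint:completionHandler:) and relay the bytes yourself.
        return false
    }
}
```

Run this as a system extension with the transparent proxy configuration installed, then browse an SMB share from Finder and read the unified log for the `com.example.smbproxy` subsystem; the logged identifier tells you whether the flow is attributed to NetAuthSysAgent, the kernel, or something else before you invest in relaying the data.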

Hi Eskimo, thanks for your reply. We figured out the NetAuthAgent requirement using a transparent proxy itself. But a transparent proxy is primarily for unmanaged devices, and we have managed customers asking for this capability using App Proxy. Is there a way to get this working for managed devices using App Proxy?

Is there a way to get this working for managed device using App Proxy?

Not that I can see.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
