While I am going to detail how to get an Xbox working with Xbox Live when your Internet connection is controlled by Forefront TMG Server 2010, you might find some helpful information in here even if you have a Linksys, or a Netgear box, so don’t despair yet. And since I considered as an alternate title; "Xbox, the game console slut of the LAN" I am going to have to tag this post as a rant as much as anything else, hence the icon. You see, we have had a Wii for over a year. It has built-in Wi-Fi, supports WPA2, acquires an ip.addr through DHCP, phones home to Nintendo for updates, plays well with others, and everything comes up smelling like roses. Our son bought himself an Xbox the other day…there’s a phrase…something about a fool and his money….well, no matter. He wanted to put it on the tubes so he could play against his peeps. No problem, except that it only has an Ethernet port, and we only have Wi-Fi. $30 for a Wi-Fi bridge later and he’s online. Or is he?
Seems that Microsoft took an entirely different approach to networking the Xbox. To successfully use an Xbox on the Internet you have to permit unsolicited inbound traffic, and when I say unsolicited…I mean if you look at a trace, you’ll be reminded of a LimeWire supernode, or a torrent seeder. From out of everywhere…bam! You’ll see more traffic than Jeff Goldblum sees ghosts. Did I go too fast? I go too fast. I did a fly by. If you haven’t seen Raines you have no idea what I mean. Make it a point to check out a series killed for being too smart. What I mean is that rather than approaching the problem of network game play by establishing central servers that all nodes check into (like every other game console, multi-player PC game, or MMORPG I’ve ever seen) the folks at Xbox decided to eliminate the latency of the middle-man and turn every console into a peer to peer node. While this is (in my not so humble opinion) a phenomenally bad idea, this post is more about how to get this working with TMG than it is with how not to design a networked device.
Okay, so before we get to the ‘how’ let’s throw some discussion at the wall to see what sticks, what makes for key words, etc. Your Xbox has some network diagnostics built-in that are going to bitch about "Strict NAT." Yes, you know full and well how much "I HATE NAT" but this takes the cake. Seems the engineers over at Team Xbox decided to coin some new vocabulary. They were so preoccupied with whether or not they could, they didn’t stop to think if they should. <sorry> I’m on a Jeff Goldblum trip today it seems </sorry> To summarise, and this is inferred information based on observation…
| type | explanation |
|---|---|
| open NAT | You are using NAT, and you are UPnP compliant, so the Xbox can tell the router to port forward whatever it wants and the router will say "aye aye, captain!" Or, you have followed this article to the end and you are all set. |
| moderate NAT | You are using NAT, and you have configured port forwarding for most of the required protocols to your Xbox, but you probably followed a KB article so you are missing something. |
| strict NAT | You are using NAT, and while you may be allowing all outbound traffic, you are not allowing any unsolicited inbound traffic to your Xbox. |
The ‘type’ of NAT you are using determines your ability to play games with other users. Here’s a matrix to help you understand that.
| Can two systems play? | To Open | To Moderate | To Strict |
|---|---|---|---|
| From Open | Yes | Yes | Yes |
| From Moderate | Yes | Yes | No |
| From Strict | Yes | No | No |
On your Xbox, there is a test to determine your NAT level. System Blade, Network Settings, Test Xbox Live Connection.
If you see a little yellow triangle you are in trouble. What it is telling you is that some or all of the ports that need to be forwarded in to your Xbox are not. Bummer dude. We want that yellow exclamation point to go away. Let’s fix this. To do so, do NOT consult the KB. The two articles 908874 and 979000 both lasso the fail whale: the ports listed are woefully incomplete, and the implications of what is required are misleading at best. Both list the following…
TCP 80
UDP 88
UDP 3074
TCP 3074
UDP 53
TCP 53
Seems the engineers at Xbox Live forgot that they use UDP 5060 and 5061 (yeah, just like Live Messenger), and that the console doesn’t need inbound HTTP or DNS at all. It is a DNS client, not a DNS server, so there is nothing for it to listen on TCP 53 for; even the TCP 53 a client may fall back to for oversized responses is outbound, like everything else it does with DNS.
God help us, we’re in the hands of engineers. –Jeff Goldblum as Dr. Ian Malcolm in Jurassic Park
Here is what we actually need to make this work.
| protocol | transport | port | direction |
|---|---|---|---|
| DNS | UDP | 53 | outbound (only if you don’t have DNS services on your subnet) |
| HTTP | TCP | 80 | outbound |
| Kerberos | UDP | 88 | inbound and outbound (yes, Xbox Live uses Kerberos for authentication) |
| Xbox | UDP | 3074 | inbound and outbound |
| Xbox | TCP | 3074 | inbound and outbound |
| SIP | UDP | 5060-5061 | inbound and outbound |
So if you are allowing everything outbound, you still need to port forward UDP 88, UDP and TCP 3074, and UDP 5060-5061 in to your Xbox. If you are using a home router that supports UPnP, make sure it is turned on and you should be done. If you are using other devices, and not TMG, you can check here to see if your hardware is listed and follow the directions. But if you are using TMG 2010, here is what to do.
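As an added example (not code from the original post), here is a small Python script that turns the tables above into a check you can run against your own setup: it rates a set of inbound forwards as open, moderate or strict by the post’s own definitions, encodes the compatibility matrix as a single rule, and triages denied inbound connections to the console out of firewall log lines so you can tell a real rule gap from noise. The log column names, the sample lines and the console address 192.168.1.50 are constructed for the example; they are a simplified W3C-style layout, not a real TMG export.

```python
"""Added example (not from the original post): rate a console's NAT type from
the inbound forwards it has, and triage denied inbound connections from firewall
log lines.  The required-port set is the post's table; the log column names,
the sample lines and the console address 192.168.1.50 are constructed here."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Unsolicited inbound forwards the post says the console needs: (transport, port).
# UDP 53 and TCP 80 are outbound-only in the post's table, so they are not here.
REQUIRED_INBOUND: frozenset[tuple[str, int]] = frozenset({
    ("UDP", 88),     # Kerberos
    ("TCP", 3074),   # Xbox Live
    ("UDP", 3074),   # Xbox Live
    ("UDP", 5060),   # SIP (voice chat)
    ("UDP", 5061),   # SIP
})

# What the two KB articles quoted in the post tell you to open instead.
KB_LIST = frozenset({("TCP", 80), ("UDP", 88), ("UDP", 3074),
                     ("TCP", 3074), ("UDP", 53), ("TCP", 53)})


def missing_inbound(forwarded: Iterable[tuple[str, int]]) -> set[tuple[str, int]]:
    """Required inbound forwards that are absent from `forwarded`."""
    have = {(t.upper(), int(p)) for t, p in forwarded}
    return set(REQUIRED_INBOUND - have)


def nat_type(forwarded: Iterable[tuple[str, int]]) -> str:
    """The console's three labels, by the post's definitions: open when every
    required forward exists, strict when none does, moderate in between."""
    missing = missing_inbound(forwarded)
    if not missing:
        return "open"
    if missing == set(REQUIRED_INBOUND):
        return "strict"
    return "moderate"


def can_play(a: str, b: str) -> bool:
    """The post's compatibility matrix as a rule: a pair only fails when it
    contains a strict peer and no open peer (open/anything and
    moderate/moderate succeed; moderate/strict and strict/strict do not)."""
    pair = {a, b}
    return "open" in pair or "strict" not in pair


@dataclass(frozen=True)
class Conn:
    client_ip: str
    dest_ip: str
    transport: str
    dest_port: int
    action: str


def parse_w3c(lines: Iterable[str]) -> list[Conn]:
    """Header-driven parse of a W3C-style log: a '#Fields:' line names the
    columns, data rows are space separated.  The column names are the
    constructed subset used in SAMPLE_LOG; a real TMG export has more
    columns, but the same header-driven approach works."""
    fields: list[str] = []
    conns: list[Conn] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            conns.append(Conn(rec["client-ip"], rec["dest-ip"],
                              rec["transport"].upper(), int(rec["dest-port"]),
                              rec["action"]))
    return conns


def triage_denied(conns: Iterable[Conn], console_ip: str):
    """Split denied inbound connections to the console into gaps (ports the
    post's forward list should have covered) and noise (everything else, such
    as the random high ports one commenter saw after opening the ports)."""
    gaps: set[tuple[str, int]] = set()
    noise: set[tuple[str, int]] = set()
    for c in conns:
        if c.dest_ip != console_ip or not c.action.lower().startswith("denied"):
            continue
        key = (c.transport, c.dest_port)
        (gaps if key in REQUIRED_INBOUND else noise).add(key)
    return gaps, noise


# Constructed sample, not a real export.  203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for other consoles / Xbox Live.
SAMPLE_LOG = """\
#Software: constructed sample for this example
#Fields: date time client-ip dest-ip transport dest-port action
2010-06-01 20:01:02 203.0.113.7 192.168.1.50 udp 3074 Allowed
2010-06-01 20:01:03 203.0.113.9 192.168.1.50 udp 5060 Denied
2010-06-01 20:01:03 203.0.113.9 192.168.1.50 udp 5061 Denied
2010-06-01 20:01:05 198.51.100.4 192.168.1.50 tcp 49152 Denied
2010-06-01 20:01:06 192.168.1.50 198.51.100.4 udp 53 Allowed
"""

if __name__ == "__main__":
    # The KB list lands you on moderate: it has 88 and 3074 but no SIP.
    print("KB list   ->", nat_type(KB_LIST), sorted(missing_inbound(KB_LIST)))
    print("post list ->", nat_type(REQUIRED_INBOUND))
    print("nothing   ->", nat_type(()))
    gaps, noise = triage_denied(parse_w3c(SAMPLE_LOG.splitlines()), "192.168.1.50")
    print("rule gaps:", sorted(gaps), " noise:", sorted(noise))
```

The point of the triage split is the one the comments below circle around: after the forwards are in, TMG will still log denied connections to the console on ports nobody listed, and those are not evidence that the rule is wrong. Only a denied hit on one of the five required entries means the publishing rule is missing something.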
- Make sure your Xbox has either a static ip.addr, or a DHCP reservation assigned. I trust you know how to do this on your network. I’m not going to cover it here.
- Log onto your TMG server and launch the TMG Management Console.
- Browse down to Firewall Policy.
- Right-click Firewall Policy, and select New Non-Web Server Protocol Publishing Rule…

- Give it a name, and click Next. I went simply with Xbox.
- Enter the ip.addr assigned to the Xbox. Click Next.
- On the Select Protocol page, click New… to launch the New Protocol Definition Wizard.
- Name your protocol and click Next. Again, I went simply with Xbox.
- Define your Kerberos, Xbox, and SIP connections: UDP 88, TCP 3074, UDP 3074 and UDP 5060-5061. Give each an inbound direction (for the TCP entry that is Inbound; for the UDP entries it is Receive Send), because a server publishing rule only takes protocols whose primary connections are inbound; the outbound side is already covered by your access rules.

- Click Next, leave it a No for secondary connections, click Next again, then click Finish to close the New Protocol Definition Wizard and return to your publishing rule.
- Click Next, select your External interface (click through to the address if you have multiple live addresses and pick the one you want to use.)
- Click Next, then click Finish. Hit Apply, and enter your change documentation.
And…done. Go re-run your network test on your Xbox and bask in the glory that is no yellow exclamation point, and listen to the fat lady sing. "Forget the fat lady! You’re obsessed with the fat lady! Drive us out of here!" Speaking of Goldblum, of all his great scenes, here’s the one I wind up quoting time and time again. Yes, he used a similar phrase in Independence Day too, and it might someday become his iconic phrase much like Schwarzenegger has "I’ll be back," but this scene is a classic. Must go faster! Though if you think about it, "Do you think they’ll have that on the tour?" is one of his best one-liners.
Direct link for RSS and email subscribers…http://www.hulu.com/watch/31360/jurassic-park-closer-than-they-appear?c=Drama
Did opening SIP fix your boggle? Leave a comment and let me know.
18 comments
This is interesting. I have tried everything with no luck. I have my Xbox 360 behind a TMG firewall but can’t get it to say anything but Strict NAT. I would love to get this working but alas it still fails.
Great article though.
Thanks for dropping by Chad. I’m sorry this setup didn’t work out for you. If you run the reporting against your Xbox as the client ip.addr, are you seeing any errors, or if you run a sniffer on the inside interface of the TMG, are you seeing any traffic not accounted for? My son’s Xbox for no apparent reason occasionally reports strict NAT again, but he reboots it and all is well. Since we’re not changing anything on the TMG, and haven’t seen anything new on captures or in the logs, we’ve just written this off to the Xbox being flaky.
Reply back in this thread if you have more information, and maybe we’ll either figure it out together or another visitor might have insight.
Ed
Yeah, as much as I wanted it to, it didn’t work for me either.
All 4 of my servers run 2008R2, and the DC runs internal DNS and forwards the internet to TMG, and TMG does DNS and forwards requests to the internet on OpenDNS servers.
I think one of the things you didn’t really account for is how TMG is configured. In your case, I would *assume* (and we all know what that means) that you are using it as an edge firewall. Mine is configured as a 3-leg perimeter, so that mail and web servers can be found on the tubes.
I’ll openly admit it… I’m really green to TMG and ISA deployment, and my purpose is more about learning enterprise technology and using TMG and GPOs to keep my kids outta the bad neighborhoods.
Hi Troy,
Yes, my TMG is an edge firewall with two NICs. Can you port scan your live ip.addr from the outside (like from work) while sniffing on your external interface to make sure that your ISP is passing the traffic through to you? I use TWC, which is just Road Runner, but when I was on Brighthouse they were blocking a lot of stuff at their perimeter long before it even got to my network.
If you can, let me know the results.
Ed
I will certainly give that a go. I don’t have much time to work on it, so it may be this weekend. If I figure out what it takes to get things going I will post my notes as well.
The problems that I think I’m going to run into are the fact that the Xbox 360 is used for Netflix, Xbox Live, and as a media extender also. Ever since going to servers and a domain, it’s been torture.
I was hoping this would work for my ISA 2006 set up. But it didn’t. I have ISA configured as a firewall (1 Internet NIC and one Internal NIC). I have been struggling with this for a little while now. Do you think it would matter if I upgraded to TMG? I looked at the ISA logging and I don’t see any traffic being listed as blocked… Any advice would be appreciated.
Regards,
Mark
Hi Mark,
I found this earlier in the week, and am planning to update my post with the extra rules for no HTTP inspection this weekend. Try this out and please let me know if it works for you. My set up works for me still, but Tristan’s has some extra joo-joo that might fix you up. His is also TMG based, but it might turn the trick for you. Let me know.
Ed
http://blogs.technet.com/b/tristank/archive/2010/05/07/xbox-live-vs-tmg.aspx
Hi Ed,
Thanks for the timely reply! I was optimistic when I read the blog post… But that soon turned into more frustration. After configuring my ISA 2006 server with the recommended config I still have the dreaded yellow bang and Xbox telling me I have a ‘Strict NAT’ network set up… I am no ISA expert by any means, but taking a gander at the logs, I don’t see anything screaming out at me that ISA is blocking traffic to/from the Xbox… I’ll do some more research in between my 9 year old son whining about the voice chat and party features not working 8-(
Thanks again,
Mark
Still haven’t gotten it to work with ISA2006, but going to try with TMG2010 shortly. Hopefully some improvements since then.
I really wish the Microsoft KB articles would be more detailed; telling you to open “port 80 OMG LOL” in a KB article feels a little bit too much like something you’d read on an internet forum from a guy with a 20 line signature listing his hardware specs.
lol hear that
With your rules the network test works fine but we get no game content in Xbox Live. In every category there is just a “no content available” notification. The movie section works fine but games and music are not working.
Any help of you would be nice.
Koppi,
My son has the Xbox at school, so I don’t have a way to test anything with this right now. I do think you may want to try this post http://blogs.technet.com/b/tristank/archive/2010/05/07/xbox-live-vs-tmg.aspx as Tristan got this working. I have not tried his, and won’t until he comes back from school, but it sounds like just the ticket for you.
Ed
5060 and 5061 did not help. Doing a troubleshooting trace it seems TMG blocks traffic on 88 because it is defined as Kerberos already.
Yes, and Xbox uses KRB to authenticate to Xbox Live. Did you add a permit for that like in the article? Don’t create a new protocol, just permit Kerberos.
Hi Ed,
I was hoping you might be able to assist me,
I have recently started university and have my Xbox connected directly into the local network.
However, when I play online my connection is impaired and I am stuck with Strict NAT.
I have been told there are ways around this by changing the “Peer-to-Peer” settings, however I don’t even know where to start.
Do you have any suggestions?
Sorry Matt, the little I know of that, it’s the game that needs to be built for peer to peer connections. Most multiplayer games will connect to a server, and it’s the NAT that breaks things like voice for you. If anyone else sees this and has a better suggestion, please leave a comment to help Matt out and school me on this topic.
Thanks
Just got an Xbox Kinect, and having these same issues. Followed your advice, even tried forwarding 53 and 80 (I’ve actually seen some Microsoft IPs trying to connect to 53 right after the connection failed…?!) but to no avail. The warning sign stays.
My issue is not voice or multiplayer, I’m just trying to log into Live for the first time! The connection test says I should be good except for NAT issues, but I never can log in (I can get past the “checking network status” right before logging in – occasionally).
I checked the log monitors when I try to sign in, and it seems to try to connect to some random high-number ports (which of course are not forwarded and get blocked). The other thing I’m noticing is a high number of denied connections: “A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer.” I looked this up and it’s supposed to be under fragmented IP filtering but even when I downright turn this off, no dice.
I tried to also disable flood protection. I noticed some inconsistent behavior when I re-tried, and it seems when I wait a while it will get further again, but at the end fail.
I’ve also followed these instructions, and those at http://blogs.technet.com/b/tristank/archive/2010/05/07/xbox-live-vs-tmg.aspx but still can’t get Halo Reach to report anything other than ‘NAT Rating: Closed’. We don’t seem to be able to get voice chat to work in this state.
Geoff.