I wonder if anyone could assist me with the following. I've tried a bunch of things, but pulling my hair out now...
I have two internal networks connected to my TMG 2010 server, one for internal users and one for wireless guest access. The internal clients are web proxy clients and function OK. The guest network clients are SecureNAT and have problems accessing certain websites, i.e. www.apple.com and www.bbc.co.uk/news returning a '400 bad request'.
Both clients access the same upstream proxy (web chaining)
The internal to external relationship is NAT, the same as guest to external. Internal to guest is route. DNS servers are located in the internal network. Rules for guest to access DNS are in place and appear to function OK.
If I make the guest users a 'web proxy' client then everything works. Unfortunately this is for a public wireless system, so tinkering with client settings isn't an option. I've googled and checked the MS knowledge base but nothing seems relevant.
My guess is that your upstream proxy (squid maybe?) is unhappy about the way that TMG chooses to represent SNAT requests to the proxy. See for details:
The following is an IsaScript I made to make ISA/TMG compatible with squid-like upstream proxies:
-- Register a text match on the request header as it goes out to the server side.
-- Only non-CONNECT methods with an absolute URI whose host part is a bare IPv4
-- address (what TMG emits for SecureNAT clients) are matched.
function SetupContentMatching(args)
    args.SetupTextMatch(
        SIDE_SERVER, MODE_REQUEST, PART_HEADER,
        -- leave CONNECTS alone?
        "(?i)^(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE)\\s+https?://\\d+\\.\\d+\\.\\d+\\.\\d+/[^\r]*\\s+HTTP/\\d+\\.\\d+\\s*\r",
        "FixHeaderLine", true )
end

-- Callback for the match above: when the request is being chained to the
-- upstream proxy, replace the dotted-quad in the URI with the Host: header value.
function FixHeaderLine(args)
    if routing == "UPSTREAM" then
        newtext = args.matchText:gsub("://%d+%.%d+%.%d+%.%d+", "://" .. host, 1)
        args.matchText = newtext
    end
end

-- Per-request state, reset at the start of each request.
host = ""
routing = ""
function Initialize()
    host = ""
    routing = ""
end

-- Remember the client's Host: header before the request is forwarded.
function OnPreprocHeaders(args)
    host = args.GetHeader("Host:")
    return SF_STATUS_REQ_NEXT_NOTIFICATION
end

-- Remember how TMG decided to route this request (direct or via upstream proxy).
function OnRouting(args)
    routing = ISA.GetServerVariable("ROUTING")
    return SF_STATUS_REQ_NEXT_NOTIFICATION
end
(edit: removed the "code" tag because this forum is just AWFUL)
< Message edited by ferrix -- 15.Nov.2010 10:23:04 AM >
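To show what the rewrite above actually does to a request, here is an added stand-alone Python illustration (not ferrix's script and not IsaScript, which runs its own Lua inside TMG): it takes the request header block TMG would hand to the upstream proxy for a SecureNAT client, and swaps the IP-literal authority in the request line for the Host: header value. The "UPSTREAM" routing value mirrors the script's check; the sample request and its IP address are constructed placeholders.

```python
import re

# Same request-line shape the IsaScript targets: a non-CONNECT method with an
# absolute URI whose authority is a bare IPv4 literal (TMG emits this for
# SecureNAT clients, since they resolved the hostname themselves).
REQUEST_LINE = re.compile(
    r"^(?P<method>OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE)\s+"
    r"(?P<scheme>https?)://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?P<rest>/[^\r\n]*)\s+"
    r"HTTP/(?P<ver>\d+\.\d+)\s*$",
    re.IGNORECASE,
)

def rewrite_request(raw: bytes, routing: str = "UPSTREAM") -> bytes:
    """Return the header block with the IP-literal authority in the request
    line replaced by the Host: header value.

    Like the posted script it only acts when the request is routed to the
    upstream proxy, leaves CONNECT and hostname URIs untouched, and gives up
    (returning the request unchanged) when there is no Host: header to use."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    if routing != "UPSTREAM" or not lines:
        return raw
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return raw
    host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith("host:")), "")
    if not host:
        return raw
    lines[0] = f"{m['method']} {m['scheme']}://{host}{m['rest']} HTTP/{m['ver']}"
    return "\r\n".join(lines).encode("latin-1") + sep + body

# Constructed sample of a SecureNAT request as TMG would present it to the
# upstream proxy; 203.0.113.10 is a documentation placeholder, not a real host.
SAMPLE = (b"GET http://203.0.113.10/ HTTP/1.1\r\n"
          b"Host: www.apple.com\r\n"
          b"User-Agent: example\r\n\r\n")

if __name__ == "__main__":
    print(rewrite_request(SAMPLE).decode("latin-1"))
```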
Your summing up pretty much describes what's happening.
I have an MS case open at present to establish if they can provide a (free) solution; if not I'll investigate the $604 option. Do I just need the IsaScript for TMG Server, a license and the script that you so kindly posted? (I didn't get the bit about removing the CODE bit.)
...let's see what MS come up with first though....?
Did anyone ever work out a way around this problem without the need for IsaScript? I'm trying to persuade our upstream guys to remove the Squid proxy but it's proving difficult, and being a school I'm finding it hard to get the cash for IsaScript.
Just to let you know, we went with IsaScript in the end and it worked a treat. MS didn't offer a solution. For £375 you can't go wrong: the product works and the technical support is spot on too. I put this in a school too. As they offer a 30 day trial you can test it for yourself before committing (like they did).
We've already tried the script and it works a treat; it is just a matter of the money. Going to kick and scream at our LEA until the end of the trial, and then might just see if we can grab the money from someplace.
My guess is that your upstream proxy (squid maybe?) is unhappy about the way that TMG chooses to represent SNAT requests to the proxy.
Hi,
We're also trying to set up TMG as a SecureNAT, however we're having problems with sites that use HTTPS. We have a squid based upstream proxy (provided by RM/SEGfL) and have specified it as an upstream proxy for external connections (proxy.segfl.ifl.net). We've purchased IsaScript and entered the script posted by ferrix, which seems to be working properly with HTTP traffic, but we get timeouts when trying anything that uses HTTPS/SSL.
For the upstream proxy we've tried the default of 8443 for SSL and also changed it to 8080, but it doesn't seem to make any difference. We've also set TMG to route the traffic from our WiFi network to the External connection, but this hasn't had any effect either. We've tried setting the connection to route instead of NAT, which made no difference. Is there anything else we may need to change to get this working?