
SecureNAT client Guest Access

SecureNAT client Guest Access - 13.Nov.2010 6:18:46 PM   
gallowgate

 

Posts: 3
Joined: 13.Nov.2010
Status: offline
Hello guys

I wonder if anyone could assist me with the following. I've tried a bunch of things, but pulling my hair out now...

I have two internal networks connected to my TMG 2010 server, one for internal users and one for wireless guest access. The internal clients are web proxy clients and function OK. The guest network clients are SecureNAT and have problems accessing certain websites, i.e. www.apple.com, www.bbc.co.uk/news, returning a '400 bad request'.

Both clients access the same upstream proxy (web chaining)

The internal to external relationship is NAT same as guest to external. Internal to guest is route.
DNS servers are located in the internal network.
Rules for guest to access DNS are in place and appear to function OK.

If I make the guest users a ‘web proxy’ client then everything works. Unfortunately this is for a public wireless system so tinkering with client settings isn't an option.
I’ve googled and checked MS knowledge base but nothing seems relevant.

Anyone come across this before?

Thanks
Post #: 1
RE: SecureNAT client Guest Access - 15.Nov.2010 10:21:10 AM   
ferrix

 

Posts: 547
Joined: 16.Mar.2005
Status: offline
My guess is that your upstream proxy (squid maybe?) is unhappy about the way that TMG chooses to represent SNAT requests to the proxy.  See for details:

http://forums.isaserver.org/m_2002051675/mpage_1/key_/tm.htm#2002051675
and
http://forums.isaserver.org/m_2002047721/mpage_1/key_/tm.htm#2002047721

The following is an IsaScript I made to make ISA/TMG compatible with squid-like upstream proxies:

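-- Register a text match on the request line sent to the upstream server.
function SetupContentMatching(args)
  args.SetupTextMatch(
    SIDE_SERVER,
    MODE_REQUEST,
    PART_HEADER,
    -- leave CONNECTS alone?
    "(?i)^(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE)\\s+https?://\\d+\\.\\d+\\.\\d+\\.\\d+/[^\r]*\\s+HTTP/\\d+\\.\\d+\\s*\r",
    "FixHeaderLine",
    true
  )
end

-- Replace the IP address in the request URL with the Host header value.
-- Only applies to chained (UPSTREAM) requests, and only when a Host value
-- was captured, so the URL is never rewritten to an empty host.
function FixHeaderLine(args)
  if routing == "UPSTREAM" and host ~= nil and host ~= "" then
    local newtext = args.matchText:gsub("://%d+%.%d+%.%d+%.%d+", "://" .. host, 1)
    args.matchText = newtext
  end
end

-- Per-request state shared between the handlers below.
host = ""
routing = ""
function Initialize()
  host = ""
  routing = ""
end

-- Remember the Host header of the current request.
function OnPreprocHeaders(args)
  host = args.GetHeader("Host:")
  return SF_STATUS_REQ_NEXT_NOTIFICATION
end

-- Remember how the current request is being routed.
function OnRouting(args)
  routing = ISA.GetServerVariable("ROUTING")
  return SF_STATUS_REQ_NEXT_NOTIFICATION
end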

(edit: removed the "code" tag because this forum is just AWFUL)

< Message edited by ferrix -- 15.Nov.2010 10:23:04 AM >

(in reply to gallowgate)
Post #: 2
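
An offline check of the rewrite performed by the script in post #2, as an added example that is not part of the thread or of IsaScript: a Python port of the request-line pattern, run against constructed requests. The function names, the sample address 192.0.2.10 and www.example.com are assumptions for illustration.

```python
import re

# Python port of the request-line pattern from the IsaScript in post #2.
REQUEST_LINE = re.compile(
    r"^(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE)\s+https?://"
    r"\d+\.\d+\.\d+\.\d+/[^\r]*\s+HTTP/\d+\.\d+\s*\r",
    re.IGNORECASE,
)
IP_AUTHORITY = re.compile(r"://\d+\.\d+\.\d+\.\d+")


def host_header(raw_request):
    """Return the Host header value of a raw request, or '' if absent."""
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break  # blank line: end of headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return ""


def fix_request(raw_request, routing):
    """Swap an IP-literal URL host for the Host header value.

    Mirrors FixHeaderLine: only chained ("UPSTREAM") requests whose request
    line matches the pattern are touched; everything else is returned as-is.
    """
    host = host_header(raw_request)
    if routing != "UPSTREAM" or not host:
        return raw_request
    match = REQUEST_LINE.match(raw_request)
    if match is None:
        return raw_request  # CONNECT, or URL already carries a hostname
    # Function replacement keeps the host literal (no backreference parsing).
    fixed = IP_AUTHORITY.sub(lambda m: "://" + host, match.group(0), count=1)
    return fixed + raw_request[match.end():]


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = [
        "GET http://192.0.2.10/news HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "CONNECT 192.0.2.10:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
    ]
    for raw in samples:
        print(repr(fix_request(raw, "UPSTREAM").split("\r\n")[0]))
```

The CONNECT sample comes back unchanged, because the pattern lists only the non-CONNECT methods.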
RE: SecureNAT client Guest Access - 15.Nov.2010 11:31:52 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Nice

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to ferrix)
Post #: 3
RE: SecureNAT client Guest Access - 15.Nov.2010 11:40:41 AM   
gallowgate

 

Posts: 3
Joined: 13.Nov.2010
Status: offline
Hi ferrix

Your summing up pretty much describes what's happening.

I have a MS case open at present to establish if they can provide a (free) solution; if not, I'll investigate the $604 option. Do I just need the IsaScript for TMG Server, a license & the script that you so kindly posted? (I didn't get the bit about removing the CODE bit)

...let's see what MS come up with first though....?

Thanks for your prompt reply

(in reply to ferrix)
Post #: 4
RE: SecureNAT client Guest Access - 17.Jun.2011 8:17:04 AM   
jamesfed

 

Posts: 3
Joined: 16.Jun.2011
Status: offline
Did anyone ever work out a way around this problem without the need for ISA Script?
I'm trying to persuade our upstream guys to remove the Squid proxy but it's proving difficult, and being a school I'm finding it hard to get the cash for ISA Script.

(in reply to gallowgate)
Post #: 5
RE: SecureNAT client Guest Access - 17.Jun.2011 11:48:18 AM   
gallowgate

 

Posts: 3
Joined: 13.Nov.2010
Status: offline
Hi jamesfed

Just to let you know we went with ISA Script in the end and it worked a treat. MS didn't offer a solution. For £375 you can't go wrong - product works and the technical support is spot on too. I put this in a school too. As they offered a 30 day trial you can test it for yourself before committing (like they did).

Good luck.

(in reply to jamesfed)
Post #: 6
RE: SecureNAT client Guest Access - 17.Jun.2011 12:03:54 PM   
jamesfed

 

Posts: 3
Joined: 16.Jun.2011
Status: offline
We've already tried the script and it works a treat; it is just a matter of the money.
Going to kick and scream at our LEA until the end of the trial and then might just see if we can grab the money from someplace.

(in reply to gallowgate)
Post #: 7
RE: SecureNAT client Guest Access - 7.Feb.2012 12:09:35 PM   
matthewc

 

Posts: 1
Joined: 7.Feb.2012
Status: offline
quote:

ORIGINAL: ferrix

My guess is that your upstream proxy (squid maybe?) is unhappy about the way that TMG chooses to represent SNAT requests to the proxy.


Hi,

We're also trying to set up TMG as a SecureNAT; however, we're having problems with sites that use HTTPS. We have a squid based upstream proxy (provided by RM/SEGfL) and have specified it as an upstream proxy for external connections (proxy.segfl.ifl.net). We've purchased IsaScript and entered the script posted by ferrix, which seems to be working properly with HTTP traffic, but we get timeouts when trying anything that uses HTTPS/SSL.

For the upstream proxy we've tried the default of 8443 for SSL and also changed it to 8080 but it doesn't seem to make any difference. We've also set TMG to route the traffic from our WiFi network to the External connection but this hasn't had any effect either. We've tried setting the connection to route instead of NAT, made no difference. Is there anything else we may need to change to get this working?

Cheers

(in reply to ferrix)
Post #: 8
