
Welcome to ISAserver.org


One more shot

All Forums >> [Threat Management Gateway (TMG) 2010] >> General >> One more shot Page: [1]
One more shot - 25.Nov.2011 12:00:45 PM   
Crash28

 

before I contact MS for support.

I've just rebuilt TMG, configured a single Web Access policy allowing http/https from internal to external for all users. That's it, no other rules, so it's as clean as a Brazilian.

If my TMG Client is configured to use this server and IE is configured with no automatic or proxy settings (everything unchecked) I can surf the internet as intended. This is an entry from the log:

Allowed Connection
Log type:Web Proxy (Forward)
Status:204 No Content
Rule:Allow Web Access for All Users
Source:Internal (1.2.3.4:43589)
Destination:External (iad04s01-in-f105.1e100.net 2.3.4.5:80)
Request:GET http://72.14.204.105/csi? blahblahblah
Filter information: Req ID: blahblahblah
Protocol:http
User:anonymous

If I disable my TMG Client and configure proxy settings in IE to use this server, no surfing allowed. I get the following entry placed in the log:

Denied Connection
Log type:Firewall service
Status:The policy rules do not allow the user request.
Rule:Default rule
Source:Internal (1.2.3.4:12332)
Destination:Local Host (2.3.4.5:8080)
Protocol:HTTP Proxy

Anyone know why/what this is? I'm guessing I need a rule in place but for the life of me can't figure out what it should be.

Please and thanks,
Mark
Post #: 1
RE: One more shot - 25.Nov.2011 12:49:00 PM   
dvizzle

 

Networking:
Internal network properties
Forefront TMG Client tab

What do you have configured in the Client Computer Web Browser Configuration part?

(in reply to Crash28)
Post #: 2
RE: One more shot - 25.Nov.2011 1:11:13 PM   
Crash28

 

Hi dvizzle,
Here's the info requested:

Checked - Automatically detect settings
Checked - Use automatic configuration script
Using default URL
Checked - Use a Web proxy server
My TMG server entered in field.

Thanks.

(in reply to dvizzle)
Post #: 3
RE: One more shot - 25.Nov.2011 1:24:21 PM   
dvizzle

 

On that page, your TMG server name should be listed 3 times. I found a bug where it will not work right if you click browse and select the server. You need to change it to fully qualify the server name.

IE: Instead of "TMG-Server", change it to "TMG-Server.yourdomain.org"


In IE are you using the configuration script exactly as shown on that properties page?

(in reply to Crash28)
Post #: 4
RE: One more shot - 25.Nov.2011 1:33:18 PM   
Crash28

 

Thanks, it was set to servername and I've now changed to fqdn.

Note, our current proxy solution (isa2004) is using a wpad entry. Would this have any effect on my issue?

I'll test fqdn pdq and let you know the result.

Thanks again.

(in reply to dvizzle)
Post #: 5
RE: One more shot - 25.Nov.2011 1:46:25 PM   
Crash28

 

Still no go with fqdn in place.


(in reply to Crash28)
Post #: 6
RE: One more shot - 25.Nov.2011 1:51:06 PM   
dvizzle

 

If you ping wpad from your client, what server responds back?

If ISA is still generating your WPAD script, then you should only be using the proxy configuration script in your IE settings and disable auto detect in order to proxy through your TMG box.

(in reply to Crash28)
Post #: 7
RE: One more shot - 25.Nov.2011 2:00:15 PM   
Crash28

 

Pinging wpad shows a response from my current isa2004 array.

So I should only have check marks like:

Unchecked - Automatically detect settings
Checked - Use automatic configuration script
Using default URL
Unchecked - Use a Web proxy server

Is that correct?

(in reply to dvizzle)
Post #: 8
RE: One more shot - 28.Nov.2011 8:14:32 AM   
dvizzle

 

Correct.

(in reply to Crash28)
Post #: 9
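
Added example, not part of the thread and not code from any poster: one way to check which proxy a configuration script actually hands to the browser, which is what the wpad and FQDN questions above come down to. It assumes the script body has been saved as text and uses literal "PROXY host:port" return strings; the host names and both sample scripts are constructed.

```python
import re

# A PAC script returns strings such as "PROXY host:port; DIRECT".
# Assumption: the script uses literal return strings like that one.
PROXY_ENTRY = re.compile(r"\bPROXY\s+([A-Za-z0-9.-]+)(?::(\d{1,5}))?")


def proxies_in_pac(pac_text):
    """Return the ordered, de-duplicated (host, port) pairs the script names."""
    entries = []
    for host, port in PROXY_ENTRY.findall(pac_text):
        entry = (host.lower(), int(port) if port else None)
        if entry not in entries:
            entries.append(entry)
    return entries


def audit_pac(pac_text, expected_fqdn):
    """List the reasons a script would not send the browser to expected_fqdn."""
    expected = expected_fqdn.lower()
    entries = proxies_in_pac(pac_text)
    findings = []
    for host, port in entries:
        label = host if port is None else f"{host}:{port}"
        if "." not in host:
            findings.append(f"{label} is a short name, not an FQDN")
        if host != expected:
            findings.append(f"{label} is not {expected}")
    if all(host != expected for host, _ in entries):
        findings.append(f"script never sends traffic to {expected}")
    return findings


# Constructed sample: a script still served by the old array under "wpad".
SAMPLE_OLD_PAC = """
function FindProxyForURL(url, host) {
    if (isPlainHostName(host)) return "DIRECT";
    return "PROXY isa2004:8080; PROXY isa2004-b.example.local:8080; DIRECT";
}
"""

# Constructed sample: a script that names the new server by FQDN.
SAMPLE_NEW_PAC = 'function FindProxyForURL(url, host) { return "PROXY tmg-server.example.local:8080"; }'

if __name__ == "__main__":
    for name, pac in (("old", SAMPLE_OLD_PAC), ("new", SAMPLE_NEW_PAC)):
        print(name, audit_pac(pac, "TMG-Server.example.local"))
```

An empty list from `audit_pac` means every proxy the script names is the expected server, written as an FQDN.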
