One more shot (Full Version)






Crash28 -> One more shot (25.Nov.2011 12:00:45 PM)

Before I contact MS for support.

I've just rebuilt TMG, configured a single Web Access policy allowing http/https from internal to external for all users. That's it, no other rules, so it's as clean as a Brazilian.

If my TMG Client is configured to use this server and IE is configured with no automatic or proxy settings (everything unchecked), I can surf the internet as intended. This is an entry from the log:

Allowed Connection
Log type: Web Proxy (Forward)
Status: 204 No Content
Rule: Allow Web Access for All Users
Source: Internal (1.2.3.4:43589)
Destination: External (iad04s01-in-f105.1e100.net 2.3.4.5:80)
Request: GET http://72.14.204.105/csi? blahblahblah
Filter information: Req ID: blahblahblah
Protocol: http
User: anonymous

If I disable my TMG Client and configure proxy settings in IE to use this server, no surfing is allowed. I get the following entry placed in the log:

Denied Connection
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Internal (1.2.3.4:12332)
Destination: Local Host (2.3.4.5:8080)
Protocol: HTTP Proxy

Does anyone know why/what this is? I'm guessing I need a rule in place, but for the life of me I can't figure out what it should be.

Please and thanks,
Mark




dvizzle -> RE: One more shot (25.Nov.2011 12:49:00 PM)

Networking:
Internal network properties
Forefront TMG Client tab

What do you have configured in the Client Computer Web Browser Configuration part?




Crash28 -> RE: One more shot (25.Nov.2011 1:11:13 PM)

Hi dvizzle,
Here's the info requested:

Checked - Automatically detect settings
Checked - Use automatic configuration script
Using default URL
Checked - Use a Web proxy server
My TMG server entered in field.

Thanks.




dvizzle -> RE: One more shot (25.Nov.2011 1:24:21 PM)

On that page, your TMG server name should be listed 3 times. I found a bug where it will not work right if you click Browse and select the server. You need to change it to the fully qualified server name.

i.e. instead of "TMG-Server", change it to "TMG-Server.yourdomain.org"


In IE are you using the configuration script exactly as shown on that properties page?




Crash28 -> RE: One more shot (25.Nov.2011 1:33:18 PM)

Thanks, it was set to the server name and I've now changed it to the FQDN.

Note, our current proxy solution (ISA 2004) is using a wpad entry. Would this have any effect on my issue?

I'll test the FQDN PDQ and let you know the result.

Thanks again.




Crash28 -> RE: One more shot (25.Nov.2011 1:46:25 PM)

Still no go with the FQDN in place.




dvizzle -> RE: One more shot (25.Nov.2011 1:51:06 PM)

If you ping wpad from your client, what server responds back?

If ISA is still generating your WPAD script, then you should only be using the proxy configuration script in your IE settings and disable auto-detect in order to proxy through your TMG box.
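One way to carry out the check dvizzle describes, as an added PowerShell example that is not from the thread: it resolves wpad, downloads both the WPAD auto-detect script and the TMG configuration script, and reports which proxy each one names. It assumes DNS-based WPAD (http://wpad/wpad.dat) and the TMG default script URL http://<server>:8080/array.dll?Get.Routing.Script; TMG-Server.yourdomain.org is a placeholder for your own server.

```powershell
# Added diagnostic, not from the thread: show which proxy WPAD auto-detect hands
# out versus the TMG configuration script. Assumes DNS-based WPAD
# (http://wpad/wpad.dat; DHCP option 252 is not checked here) and the TMG
# default script URL. $TmgFqdn is a placeholder for your server's FQDN.
param(
    [string]$TmgFqdn = 'TMG-Server.yourdomain.org'   # placeholder, replace
)
$tmgScriptUrl = "http://${TmgFqdn}:8080/array.dll?Get.Routing.Script"
$shortName    = $TmgFqdn.Split('.')[0]

function Get-ProxyScriptProxies {
    # Download a PAC/WPAD script directly and list every host named in a
    # "PROXY host:port" clause of FindProxyForURL.
    param([string]$Url)
    $wc = New-Object System.Net.WebClient
    $wc.Proxy = $null   # do not let the proxy under test fetch its own script
    try { $pac = $wc.DownloadString($Url) }
    catch {
        Write-Warning "Could not download $Url : $($_.Exception.Message)"
        return @()
    }
    $found = [regex]::Matches($pac, 'PROXY\s+([^;"'' ]+)')
    @($found | ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique)
}

# 1. What the client resolves 'wpad' to (dvizzle's ping check, minus the ping)
try {
    $wpadHosts = [System.Net.Dns]::GetHostAddresses('wpad') |
        ForEach-Object { $_.IPAddressToString }
    "wpad resolves to: $($wpadHosts -join ', ')"
}
catch { "wpad does not resolve in DNS" }

# 2. Compare the proxies each script hands out
$autoDetect = Get-ProxyScriptProxies -Url 'http://wpad/wpad.dat'
$tmgScript  = Get-ProxyScriptProxies -Url $tmgScriptUrl
"Proxies from WPAD auto-detect : $($autoDetect -join ', ')"
"Proxies from TMG script       : $($tmgScript -join ', ')"

# Auto-detect wins over a configured script in IE, so flag it if it names a
# different proxy (old ISA array) than the TMG server we want clients to use.
$pointsAtTmg = $autoDetect | Where-Object {
    $_ -like "${TmgFqdn}:*" -or $_ -like "${shortName}:*" -or $_ -eq $TmgFqdn
}
if (@($autoDetect).Count -gt 0 -and -not $pointsAtTmg) {
    Write-Warning ("Auto-detect sends clients to $($autoDetect -join ', '), not $TmgFqdn. " +
        "Uncheck 'Automatically detect settings' and keep only the configuration script.")
}
```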




Crash28 -> RE: One more shot (25.Nov.2011 2:00:15 PM)

Pinging wpad shows a response from my current ISA 2004 array.

So I should only have check marks like:

Unchecked - Automatically detect settings
Checked - Use automatic configuration script
Using default URL
Unchecked - Use a Web proxy server

Is that correct?




dvizzle -> RE: One more shot (28.Nov.2011 8:14:32 AM)

Correct.



