One more shot

One more shot (Full Version)

All Forums >> [Threat Management Gateway (TMG) 2010] >> General

Message

Crash28 -> One more shot (25.Nov.2011 12:00:45 PM)
before I contact MS for support. I've just rebuilt TMG, configured a single Web Access policy allowing http/https from internal to external for all users. That's it no other rules so it's as clean as a brazilian. If my TMG Client is configured to use this server and IE is configured with no automatic or proxy settings (everything unchecked) I can surf the internet as intended. This is an entry from the log: Allowed Connection Log type:Web Proxy (Forward) Status:204 No Content Rule:Allow Web Access for All Users Source:Internal (1.2.3.4:43589) Destination:External (iad04s01-in-f105.1e100.net 2.3.4.5:80) Request:GET http://72.14.204.105/csi? blahblahblah Filter information: Req ID: blahblahblah Protocol:http User:anonymous If I disable my TMG Client and configure proxy settings in IE to use this server. No surfing allowed. I get the following entry placed in the log: Denied Connection Log type:Firewall service Status:The policy rules do not allow the user request. Rule:Default rule Source:Internal (1.2.3.4:12332) Destination:Local Host (2.3.4.5:8080) Protocol:HTTP Proxy Anyone know why/what this is? I'm guessing I need a rule in place but for the life of me can't figure out what it should be. Please and thanks, Mark

dvizzle -> RE: One more shot (25.Nov.2011 12:49:00 PM)
Networking: Internal network properties Forefront TMG Client tab What do you have configured in the Client Computer Web Browser Configuration part?

Crash28 -> RE: One more shot (25.Nov.2011 1:11:13 PM)
Hi dvizzle, Here's the info requested: Checked - Automatically detect settings Checked - Use automatic configuration script Using default URL Checked - Use a Web proxy server My TMG server entered in field. Thanks.

dvizzle -> RE: One more shot (25.Nov.2011 1:24:21 PM)
On that page, your TMG server name should be listed 3 times. I found a bug where it will not work right if you click browse and select the server. You need to change it to fully qualify the server name. IE: Instead of "TMG-Server", change it to "TMG-Server.yourdomain.org" In IE are you using the configuration script exactly as shown on that properties page?

Crash28 -> RE: One more shot (25.Nov.2011 1:33:18 PM)
Thanks,it was set to servername and I've now changed to fqdn. Note, our current proxy solution (isa2004) is using a wpad entry. Would this have any effect on my issue? I'll test fqdn pdq and let you know the result. Thanks again.

Crash28 -> RE: One more shot (25.Nov.2011 1:46:25 PM)
Still no go with fqdn in place. [:@]

dvizzle -> RE: One more shot (25.Nov.2011 1:51:06 PM)
If you ping wpad from your client, what server responds back? If ISA is still generating your WPAD script, then you should only be using the proxy configuration script in your IE settings and disable auto detect in order to proxy through your TMG box.

Crash28 -> RE: One more shot (25.Nov.2011 2:00:15 PM)
Pinging wpad shows a response from my current isa2004 array. So I should only have a check marks like: Unchecked - Automatically detect settings Checked - Use automatic configuration script Using default URL Unchecked - Use a Web proxy server Is that correct?

dvizzle -> RE: One more shot (28.Nov.2011 8:14:32 AM)
Correct.

Page: [1]