  1. #1

    localzuk

    TMG Publishing/Proxying

    I have a site published now on port 2381, and it works fine from an external connecting computer. I now want the internal connecting computers to also get to the site via the same address. I have a DNS record set up in our DNS server pointing the web address at our TMG server which is doing the publishing/forwarding, and this works - so long as the clients don't have that TMG server set up as their web proxy.

    If I set it up as their web proxy, it obviously then tries to act as a proxy - and ignores the publishing rule. Setting up exceptions in the proxy settings on the client, and ticking 'bypass for local addresses', works, but I don't want to have to do this!

    How can I get TMG to not proxy that address?
    Last edited by localzuk; 14th October 2010 at 09:31 AM.

  2. #2

    ZeroHour

    Is the server internal?
    I would just put the internal IP as the DNS entry rather than the external IP.

  3. #3

    localzuk

    Originally posted by ZeroHour:
        Is the server internal?
        I would just put the internal IP as the DNS entry rather than the external IP.

    It is internal, yes. But without a per-client rule stating to bypass the server for it, it proxies it. I want the proxy server to simply return the same thing it does when an external person connects.

  4. #4

    localzuk

    Any ideas?

  5. #5

    ZeroHour

    Originally posted by localzuk:
        It is internal, yes. But without a per-client rule stating to bypass the server for it, it proxies it. I want the proxy server to simply return the same thing it does when an external person connects.

    So does that mean you want it to route through TMG?
    Can you make a rule saying from Internal->The site allow and put it above the general rule allowing users onto the net?

  6. #6

    localzuk

    Originally posted by ZeroHour:
        So does that mean you want it to route through TMG?
        Can you make a rule saying from Internal->The site allow and put it above the general rule allowing users onto the net?

    Doesn't seem to make a difference. The TMG box simply tries to proxy it via the upstream server, rather than just going direct to it.

    Just checked the log and I'm getting the following:

    Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3 No Proxy portal.mineheadmiddle.somerset.sch.uk TCP
    Req ID: 0a25bc74; Compression: client=No, server=No, compress rate=0% decompress rate=0% Internet 0x0 0x0 65101 Web Proxy - - - 0 1153 0 -
    15/10/2010 14:20:40 0 0 0 0 - - - - - - - -
    15/10/2010 15:20:40 10.5.142.20 10.5.143.180 2381 SSL-tunnel Failed Connection Attempt Inspected
    12204 The specified Secure Sockets Layer (SSL) port is not allowed. Forefront TMG is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests.
    anonymous Internal
    portal.mineheadmiddle.somerset.sch.uk:2381 SERVICES Unknown Web Proxy Filter 0 - -
    So it just doesn't seem to like that it is HTTPS over port 2381. Any idea how to enable 2381 for SSL?

  7. #7

    ZeroHour

    Ahh, you need to put a reg key in to allow other SSL ports. A possible tip:
    Forefront TMG is not configured to allow SSL requests from this port. | Kiekeboe100's Blog
    http://robsilver.org/isatmg/trying-t...an-443-isatmg/
    I am not sure why TMG would route it to the proxy when it knows the IP is in the internal range...

  8. #8

    localzuk

    I've now added a rule using the ISA tunnel tool, and now receive the following:

    Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3 Yes Proxy proxy.swgfl.org.uk TCP Req ID: 09240d98; Compression: client=No, server=No, compress rate=0% decompress rate=0% Upstream 0x0 0x102 1154 Web Proxy - - - 0 0 0 - 15/10/2010 15:03:37 0 0 0 0 - - - - - - - Web service down - portal.mineheadmiddle.somerset.sch.uk 15/10/2010 16:03:37 10.5.142.20 213.18.249.14 8080 SSL-tunnel Failed Connection Attempt Inspected Allow Web Access for All Users 995 The I/O operation has been aborted because of either a thread exit or an application request. anonymous Internal Internal portal.mineheadmiddle.somerset.sch.uk:2381 SERVICES Unknown Web Proxy Filter Allowed No Violation Detected 1 - -

  9. #9
    bio
    Did you try to add that DNS name to the internal network - properties - web browser tab?

    Bypassing Forefront TMG for Web proxy client requests

    bio..
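
The bypass suggested in post #9 amounts to a direct-access decision made on the client before any request reaches the proxy. As an added example (not part of the thread and not the script TMG generates), here is the same decision written as a proxy auto-config function; the proxy address `tmg.example.internal:8080` is a placeholder assumption.

```javascript
// Added example. The proxy address is a placeholder assumption, not taken from the thread.
const PROXY = "PROXY tmg.example.internal:8080";

// Entries starting with "." match that domain and its subdomains; others match exactly.
const DIRECT_HOSTS = [
  "portal.mineheadmiddle.somerset.sch.uk", // the published site named in the thread
];

function normaliseHost(host) {
  // Lower-case and drop one trailing dot so "Portal.Example." equals "portal.example".
  return String(host).toLowerCase().replace(/\.$/, "");
}

function isDirect(host) {
  const h = normaliseHost(host);
  if (h === "") return false;
  // Single-label names (no dot, not an IPv6 literal) are treated as local,
  // which mirrors the browser's "bypass for local addresses" behaviour.
  if (!h.includes(".") && !h.includes(":")) return true;
  return DIRECT_HOSTS.some((entry) => {
    const e = normaliseHost(entry);
    if (e.startsWith(".")) {
      // Match on a label boundary only: ".example.org" must not match "badexample.org".
      return h === e.slice(1) || h.endsWith(e);
    }
    // Exact entries never match look-alike or sibling host names.
    return h === e;
  });
}

// Browsers call this for every request; the port (2381 here) is part of the URL,
// so a DIRECT answer means no CONNECT for that port is ever sent to the proxy.
function FindProxyForURL(url, host) {
  return isDirect(host) ? "DIRECT" : PROXY;
}
```

Keeping the entry an exact host name, rather than a wildcard for the whole domain, limits the bypass to the one published site; everything else still passes through the proxy's filtering and logging.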
