We're also trying to set up TMG as a transparent proxy; however, we're having problems with HTTPS traffic. We also have a squid based RM proxy (SEGfL) and have specified it as an upstream proxy for external connections (proxy.segfl.ifl.net). We've purchased IsaScript and entered the script recommended in the previous post, which seems to be working properly with HTTP traffic, but we get timeouts when trying anything HTTPS.
For the upstream proxy we've tried the default of 8443 for SSL and also changed it to 8080 but it doesn't seem to make any difference. We've also set TMG to route the traffic from our WiFi network to the External connection but this hasn't had any effect either. Is there anything else we may need to change to get this working?
Any ideas anyone?
I'm also trying to set up a transparent proxy with a separate VLAN network & IP range on an open SSID. When I direct the default gateway via DHCP to the Forefront TMG server I get this on an open client device:
We're using Ubiquiti UniFi APs and the physical server running the controller software has two network cards, 10.11.216.1 (open) and 10.11.227.14 (secure) - it's also my DHCP server for the open network, of which the gateway is set to 10.11.216.2, that is the third network card I set up in my TMG server. Should I at least be getting HTTP traffic with this setup?
I can't remember where I read it, but I saw somewhere that TMG doesn't work as a transparent proxy with web chaining if the upstream proxy is running squid. I'm assuming you're on SWGfL who use squid.
Originally Posted by jwood
Have you set up a rule to NAT the traffic from the separate VLAN to your external connection?
Yes, the source network is "sjwifi" and set to route relation.
We have a similar problem with TMG acting as a transparent proxy for our guest wifi. We have a direct Internet connection so don't have any of the upstream issues that some are facing but still have an issue with SecureNAT clients accessing secure websites. HTTP works fine. I wonder if Jamesfed or Jwood or anyone else who has this sorted are able to offer any assistance on this? We're beginning to think that we will have to require clients to enter proxy settings which as far as I can see would mean that Android users wouldn't be able to use the wifi.
Sorry, I only have experience with the problems that Squid gave us - maybe it would be worth getting a trial of ISA Script and seeing if the script that's in a link in my previous posts will work?
All the same, over the past few months we've noticed a decline in the number of Droid users with phones that don't support proxies, so I can imagine within the next 6 months-1 year we will be rid of this problem anyway.
Thanks for responding. I will have a look at the script and see if that helps. We are already using some software called captivate by the same company to get the SecureNAT clients to authenticate before they access the Internet.
I had a look at what devices were using the guest network and only about 13% were running Android. My understanding is that it's only Ice Cream Sandwich that supports proxy settings on Android or have you found that earlier versions allow users to put in Proxy info?
I'm going to try and revive this thread, as I am having the EXACT same issues, but with no apparent solution.
I want to make TMG transparent so that users with mobile devices can simply "automatically detect settings" within their browsers without having to edit the LAN settings and populate it with proxy details (which isn't even possible on some mobile devices). When I do, it does the same as reported in here, whereby HTTPS pages simply do not work. I have contacted the local council that run the upstream proxy, and they have confirmed that it does indeed run SQUID. I have tried using the ISASCRIPT but I get the exact same result. I successfully completed the "Hello World" tutorial in the documentation but the script listed here doesn't seem to change anything. I have used HTTPWatch and it's still getting stuck on the SSL. Is there anything anyone can suggest, or does this NEED to be looked at by the council that provide the upstream server?
This is seriously keeping me up at night :)