I have a publishing issue with TMG

Hi,

Issue:
Whenever I try to access one of my published resources from an external network, I get an error: Error Code: 408. The operation timed out

Configuration (simplified for visibility)
Internet-FW1-DMZ (web/ftp servers)-FW2-Intranet (LAN)

FW1 (TMG+DNS)
External
IP 192.168.1.254
DNS ISP DNS
DG router
Internal
IP 10.0.0.1
DNS 10.0.0.1
DG none

Web server (in DMZ)
IP 10.0.0.2
DNS 10.0.0.1
DG 10.0.0.1

FW2
External
IP 10.0.0.254
DNS 10.0.0.1
DG 10.0.0.1
Internal
IP 192.168.0.1
DNS 192.168.0.2
DG none

DC+DNS (LAN)
192.168.0.2

WEB, FW2 and DC are part of my domain
FW1 is NOT part of the domain

LAN => WEB: OK
DMZ => WEB: OK
WAN => WEB: error 408

The publishing rule for WEB is as simple as it can be.

Note: I have the exact same issue with the CAS server, the FTP server and the Sharepoint server.

There is obviously something wrong but cannot pinpoint what it is.

For the CAS server, I get the "TMG" logging screen and then get the same 408 error.

Given that I have the issue even on the web server, I'm wondering if I didn't miss a setting in the System policy on TMG?
rietsch asked:

Keith Alabaster (Enterprise Architect) commented:
You haven't set up the basics on Windows correctly yet.
Remove the DNS settings on the TMG external nic and put in the dns ip address of the INTERNAL dns instead. The internal DNS will resolve addresses for TMG through its forwarders.
Just make sure you have an access rule allowing DNS from internal to external.

As an aside, absolutely NOTHING - server or client - should have the ISP or external DNS ip addresses in their nic settings.
0
rietsch (Author) commented:
Hi,
Settings changed, ISP DNS is only in the forwarders and... same issue.

Any other idea?
0
rietsch (Author) commented:
Some more info regarding the NIC settings on the FW1 box:
Options checked:
Client for Microsoft Networks
Forefront TMG Packet Filter
QoS Packet Scheduler
File and Print Sharing

IPv6 is NOT enabled on any of my network's systems.

The web publishing rule:
From Anywhere
To www.contoso.com (10.0.0.2)
Requests appear to come from the Forefront TMG computer
Traffic HTTP
Listener
                Networks: External, Internal
                Connections: HTTP port 80
                Certificates: none
                Authentication: No Authentication
Public Name: www.contoso.com
Path <same as internal> /*
Authentication Delegation: No delegation, but client may authenticate directly
Binding: web server, HTTP, 80
Users: All users
Link Translation: none
0

rietsch (Author) commented:
Looks like I'm not the only one having that issue:
http://social.technet.microsoft.com/Forums/en/ForefrontedgePub/thread/e88893f0-55bf-4195-9fe7-a2ba92e4facc?prof=required

Does anyone have any idea what is going on?
0
Keith Alabaster (Enterprise Architect) commented:
Sorry, have had some of my own stuff to deal with for a while.

Can you provide the output from an ipconfig /all from the TMG box?
0
rietsch (Author) commented:
Here you go:


Windows IP Configuration

   Host Name . . . . . . . . . . . . : FW1
   Primary Dns Suffix  . . . . . . . : contoso.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : contoso.com

Ethernet adapter DMZ:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-50-56-B2-52-99
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.0.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter WAN:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-B2-0C-F5
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.254(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.5 (my router)
   DNS Servers . . . . . . . . . . . : 10.0.0.1 (also tried with 192.168.1.254 and nothing at all)
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


Looking at that Microsoft forum question as well, it says not to install IIS.
However, as far as I remember it was requested by either TMG or Exchange.

Anyway, here are the installed IIS components (just in case it is relevant):
- Web Server
0
rietsch (Author) commented:
Cannot publish everything at once...!?

Episode 2

Looking at that Microsoft forum question as well, it says not to install IIS.
However, as far as I remember it was requested by either TMG or Exchange.

Anyway, here are the installed IIS components (just in case it is relevant):
- Web Server
  - Common HTTP Features
    - Default Document
  - Application Development
    - ASP.NET
    - .NET Extensibility
    - ISAPI Extensions
    - ISAPI Filters
  - Security
    - Request Filtering
0
rietsch (Author) commented:
Episode 3:

And finally an FYI:

c:\>netstat -ano | findstr :80
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8008         0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       4800
  TCP    127.0.0.1:8080         127.0.0.1:11433        ESTABLISHED     4800
  TCP    127.0.0.1:8080         127.0.0.1:11436        ESTABLISHED     4800
  TCP    127.0.0.1:11429        127.0.0.1:8080         TIME_WAIT       0
  TCP    127.0.0.1:11433        127.0.0.1:8080         ESTABLISHED     3800
  TCP    127.0.0.1:11436        127.0.0.1:8080         ESTABLISHED     3800
  TCP    192.168.1.254:10920    69.63.190.10:80        FIN_WAIT_1      4800
  TCP    192.168.1.254:11109    92.122.124.11:80       ESTABLISHED     4800
  TCP    192.168.1.254:11111    92.122.124.11:80       FIN_WAIT_1      4800
  TCP    192.168.1.254:11112    92.122.124.11:80       ESTABLISHED     4800
  TCP    192.168.1.254:11119    92.122.124.11:80       ESTABLISHED     4800
  TCP    192.168.1.254:11155    92.122.124.9:80        ESTABLISHED     4800
  TCP    192.168.1.254:11182    213.199.141.140:80     CLOSE_WAIT      4800
  TCP    192.168.1.254:11183    213.199.141.140:80     CLOSE_WAIT      4800
  TCP    192.168.1.254:11184    92.122.124.8:80        ESTABLISHED     4800
  TCP    192.168.1.254:11187    92.122.124.19:80       ESTABLISHED     4800
  TCP    192.168.1.254:11286    92.122.124.9:80        ESTABLISHED     4800
  TCP    192.168.1.254:11400    69.63.190.10:80        ESTABLISHED     4800
  TCP    192.168.1.254:11403    69.63.180.15:80        ESTABLISHED     4800
  TCP    192.168.1.254:11434    93.184.221.133:80      ESTABLISHED     4800
  TCP    192.168.1.254:11435    93.184.221.133:80      ESTABLISHED     4800
  TCP    192.168.1.254:48989    195.122.131.4:80       CLOSE_WAIT      1936
  TCP    192.168.1.254:48993    195.122.131.4:80       CLOSE_WAIT      1936
  TCP    192.168.1.254:48995    195.122.131.4:80       CLOSE_WAIT      1936
  TCP    192.168.1.254:48997    195.122.131.4:80       CLOSE_WAIT      1936
  TCP    192.168.1.254:48999    195.122.131.4:80       CLOSE_WAIT      1936
  TCP    192.168.1.254:49001    195.122.131.4:80       CLOSE_WAIT      1936
  TCP    192.168.1.254:49007    62.67.3.57:80          CLOSE_WAIT      1936
  TCP    192.168.1.254:49012    62.67.3.57:80          CLOSE_WAIT      1936
  TCP    192.168.1.254:49014    62.67.3.57:80          CLOSE_WAIT      1936
  TCP    192.168.1.254:49015    62.67.3.57:80          CLOSE_WAIT      1936
  TCP    192.168.1.254:49016    62.67.3.57:80          CLOSE_WAIT      1936
  TCP    192.168.1.254:49017    62.67.3.57:80          CLOSE_WAIT      1936
  TCP    192.168.1.254:49030    62.67.5.57:80          CLOSE_WAIT      1936
  TCP    192.168.1.254:63603    65.54.84.216:80        ESTABLISHED     4800
  TCP    192.168.1.254:63726    92.122.124.8:80        ESTABLISHED     4800
  TCP    [::]:80                [::]:0                 LISTENING       4
0
rietsch (Author) commented:
Anyone willing to try to find a fix for that?
0
Keith Alabaster (Enterprise Architect) commented:
Been away for a few days so just catching up with my emails.
0
Keith Alabaster (Enterprise Architect) commented:
You have IIS installed as well? What are you seeing in the ISA logs - anything along the line of ISA not being able to bind to the IP address? IIS always gets to start before ISA so can use the port that ISA would expect to grab.
Have you run the best practice analyser?
0
rietsch (Author) commented:
When trying to connect to the website, here is what I get in the Logs&Reports with filter:
Log Recorded Type/Equals/Firewall or Web Proxy Filter
Log Time / Live
Action / Not Equal / Connection Status
Destination IP / Equals / 10.0.0.2

External, Internal & DMZ => web page: nothing at all
I only get something when connecting from FW1 to the web server
Allowed Connection FW1 15/04/2010 13:56:17
Log type: Web Proxy (Forward)
Status: 200 OK.
Rule: [System] Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads)
Source: Local Host (10.0.0.1:52759)
Destination: Internal (10.0.0.2:80)
Request: GET http://10.0.0.2/ScriptResource.axd?d
Filter information: Req ID: 0eb0b819; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous


From the Best Practices Analyzer, it's another story:

Resource allocation failure

The Web Proxy filter failed to bind its socket to 10.0.0.1 port 80. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure.
 The failure is due to error: An attempt was made to access a socket in a way forbidden by its access permissions

Questions are:
1) why is the system not listening on port 80 if it's used by someone else?
2) how do I find who that is?
0
rietsch (Author) commented:
OK. Point 2 should read:

2) How to find out what service/program is using that port 80? IIS IS installed due to the .NET framework (I guess) but there are no sites published.
0
Keith Alabaster (Enterprise Architect) commented:
Port 80 can only be used once on an IP address. If IIS is using it then TMG cannot.

Try stopping (and disabling) IIS for the moment. Look at your netstat output - the first line shows that port 80 is being used by a service on ALL IP addresses (0.0.0.0).
Only one or two services will use 80 and it is likely that IIS is the culprit. Once stopped, stop and restart the FTMG services - do they now kick in? Does the BPA still report a conflict?
0
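An added diagnostic, not code from this thread or from Microsoft: a PowerShell script that answers the "how do I find who is using port 80" question by parsing the same netstat -ano output posted above, mapping each listener to its PID and hosted services, and, when the owner is PID 4 (System), asking the kernel HTTP driver http.sys which components registered with it. The port parameter, the regex over netstat output and the PowerShell 2.0 compatible style (for Windows Server 2008 R2, which TMG runs on) are assumptions.

```powershell
# Added example, not from the thread: map a listening TCP port to its owner by
# parsing 'netstat -ano' (works on PowerShell 2.0, which lacks Get-NetTCPConnection).
param([int]$Port = 80)

# Matches lines such as:  TCP  0.0.0.0:80  0.0.0.0:0  LISTENING  4
$listenRe = '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$'

function Get-PortListener {
    param([int]$Port)
    netstat -ano | ForEach-Object {
        if ($_ -match $listenRe -and [int]$Matches[2] -eq $Port) {
            New-Object PSObject -Property @{
                LocalAddress = $Matches[1]
                LocalPort    = [int]$Matches[2]
                OwnerPid     = [int]$Matches[3]
            }
        }
    }
}

$found = @(Get-PortListener -Port $Port)
if ($found.Count -eq 0) { "Nothing is listening on TCP port $Port."; return }

foreach ($l in $found) {
    $proc = Get-Process -Id $l.OwnerPid -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
    # Services hosted inside that process (empty for PID 4, the kernel).
    $svcs = Get-WmiObject Win32_Service -Filter "ProcessId=$($l.OwnerPid)" |
            ForEach-Object { $_.Name }
    "{0}:{1} LISTENING, PID {2} ({3}), services: {4}" -f $l.LocalAddress, $l.LocalPort,
        $l.OwnerPid, $name, ($svcs -join ', ')

    # A wildcard bind (0.0.0.0 or [::]) takes the port on every interface, so a
    # user-mode listener that wants a specific address, such as TMG's Web Proxy
    # filter on 10.0.0.1:80, fails with the 'failed to bind its socket' BPA error.
    if ($l.LocalAddress -eq '0.0.0.0' -or $l.LocalAddress -eq '[::]') {
        "  -> wildcard bind: no other process can listen on port $($l.LocalPort)."
    }
    # PID 4 is the System process: the socket belongs to the kernel HTTP driver
    # http.sys, and the real consumer is whatever registered URLs with it (IIS
    # W3SVC, .NET HttpListener-based services, WinRM, ...). Ask http.sys directly.
    if ($l.OwnerPid -eq 4) {
        "  -> http.sys owns this port; registered request queues and URL ACLs:"
        netsh http show servicestate view=requestq
        netsh http show urlacl
    }
}
```

On the netstat output posted above the 0.0.0.0:80 and [::]:80 lines are owned by PID 4, so this script would report an http.sys wildcard bind rather than a user-mode process; the request-queue listing then shows which component (for example the IIS W3SVC worker) registered the port.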

rietsch (Author) commented:
Hi,

I stopped the 3 .NET services (NET.Pipe Listener Adapter, Net.Tcp Listener Adapter and Net.Tcp Port Sharing Service).
I then restarted the Microsoft Forefront TMG Firewall service and here is my latest netstat output:

c:\>netstat -ano | findstr :80
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8008         0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3652
  TCP    127.0.0.1:8080         127.0.0.1:11015        ESTABLISHED     3652
  TCP    127.0.0.1:10995        127.0.0.1:8080         TIME_WAIT       0
  TCP    127.0.0.1:11005        127.0.0.1:8080         TIME_WAIT       0
  TCP    127.0.0.1:11015        127.0.0.1:8080         ESTABLISHED     3772
  TCP    127.0.0.1:63970        127.0.0.1:8080         TIME_WAIT       0
  TCP    192.168.1.254:10976    64.156.132.140:80      TIME_WAIT       0
  TCP    192.168.1.254:10978    69.63.190.22:80        ESTABLISHED     3652
  TCP    192.168.1.254:10982    69.63.176.182:80       ESTABLISHED     3652
  TCP    192.168.1.254:10986    69.63.190.22:80        ESTABLISHED     3652
  TCP    192.168.1.254:10987    69.63.176.182:80       ESTABLISHED     3652
  TCP    192.168.1.254:10990    64.4.34.214:80         ESTABLISHED     3652
  TCP    192.168.1.254:10992    66.220.153.15:80       ESTABLISHED     3652
  TCP    192.168.1.254:10994    69.63.176.182:80       TIME_WAIT       0
  TCP    192.168.1.254:11000    69.63.176.182:80       ESTABLISHED     3652
  TCP    192.168.1.254:11001    69.63.176.182:80       ESTABLISHED     3652
  TCP    192.168.1.254:11008    93.184.221.133:80      ESTABLISHED     3652
  TCP    192.168.1.254:11009    69.63.176.182:80       TIME_WAIT       0
  TCP    192.168.1.254:11013    69.63.176.182:80       TIME_WAIT       0
  TCP    192.168.1.254:11014    69.63.176.182:80       TIME_WAIT       0
  TCP    192.168.1.254:11018    64.156.132.215:80      ESTABLISHED     3652
  TCP    192.168.1.254:11019    64.156.132.215:80      ESTABLISHED     3652
  TCP    192.168.1.254:11021    69.63.176.182:80       LAST_ACK        3652
  TCP    192.168.1.254:63971    93.184.221.133:80      ESTABLISHED     3652
  TCP    192.168.1.254:63980    69.63.176.182:80       TIME_WAIT       0
  TCP    192.168.1.254:63990    64.4.9.190:80          ESTABLISHED     3652
  TCP    [::]:80                [::]:0                 LISTENING       4

Still no access to the website from the web...

BPA is still complaining about port 80 and when I check the TMG monitor for destination IP 10.0.0.2 (the web server) nothing is detected.

What IIS services do I have to stop exactly?
0
Keith Alabaster (Enterprise Architect) commented:
What else is installed on the server? What roles? What features?
0
rietsch (Author) commented:
Hi,

It's my front end firewall and mail edge server, therefore, installed roles are:
- AD LDS (koz the server is in a workgroup)
- TMG (obviously)
- Exchange 2010 (edge transport)
- Forefront Protection for Exchange
- DNS (as working with host files is funny but not effective)
- IIS (which I didn't install by choice. I can't remember but I'm almost sure that one of the above asked me to have it installed as a prerequisite)
- I also have Sophos anti-virus but that one didn't ask me to install IIS, that's for sure.
0
Keith Alabaster (Enterprise Architect) commented:
This is one of the reasons why FTMG and ISA should be a member of the domain. You then don't need to ponce around having secure LDAP, DNS and the like installed on the box giving you all this sort of grief.

OK - here is what to do. The basic issue is that IIS has been told to listen for port 80 on the network card. FTMG also wants to listen on port 80 but obviously they can't both do it. I am unclear on what IIS is doing on the ftmg box - nothing you mention above requires IIS that I can see.

Go into the Server Manager and select the web server/IIS feature and stop the services. Stop and restart the FTMG services and see how you get on. Let's see if this is an 'accidental install' for IIS or whether it is actually used for something. Remove IIS if necessary.
0
rietsch (Author) commented:
2 questions:

1) isn't the point of having a DMZ in a back-to-back firewall config to actually secure the LAN by leaving the front end firewall and published servers outside of the domain?

2) for IIS, what services (names) are we talking about exactly? As I posted earlier today, I stopped 3 .NET services which allowed the server to listen on port 80 again (as per the netstat attached). But the web site is still not accessible.

I can probably try to uninstall the IIS features altogether and see what the outcome is...
0
rietsch (Author) commented:
IIS (i.e. .NET 3.5) has been uninstalled.

TMG has been rebooted and the webserver is FINALLY accessible again from the internet.

Before I close the question, I'd like to test till Tuesday.

Keith, can you please explain what you mean by having the edge server in the domain. What's then the point of having a back to back firewall in the first place? Only to filter the mails? I think I will be right by saying that MS is pushing for back to back configs. Or is that only to sell more licenses?
0
Keith Alabaster (Enterprise Architect) commented:
Not at all, test away....

1. No. Not with ISA Server and FTMG. This is what makes them such excellent (and from some people's perspective more expensive) products. They are full blown reverse proxies and application gateways. When an external user accesses your published web site, they never get past the ISA/FTMG box. The FTMG box makes the internal calls on behalf of the external user and returns the required data. It is exactly the same as the forward proxy. Your users have the web proxy values set - when they request a web page, the FTMG goes and gets the content on behalf of the internal user, checks it is all OK, and then passes the data back to the internal requesting user. In addition, because FTMG can form the DMZ through additional interfaces, you can create that environment directly and FTMG will STILL be a member of the domain.

2. You can see the IIS Services from within the IIS Manager.

FTMG can be created as a back-end firewall (and sets its default configurations as route), or FTMG can be a front-end and defaults everything to a NAT environment. It can also be created using the three-legged (DMZ) implementation also.

ISA and FTMG are still - in my view - the best software firewalls available on the market. You get what you pay for in this life, you've paid your money but you are not getting maximum benefit from it. Personally I will not deploy ISA or FTMG without a minimum of two NICs.

0
rietsch (Author) commented:
Keith,

I originally installed the back-to-back config to eliminate the spam, and therefore using the Exchange edge server.

IF I understand correctly, I include FW1 in the domain, use the DNS from the LAN, and happy days, right?

For IIS, the IIS Manager was not part of the features installed but then again, IIS has been uninstalled and it solved the issue.

Now I need to publish the Active sync and OWA correctly but that's another story.

Thanks for your help.
0
Keith Alabaster (Enterprise Architect) commented:
You have it right - and you are welcome :)
0