TMG OWA for internal users behind proxy has destination port 8080 instead of 443

hi all,

I have created my OWA publishing rules, which work fine externally. I followed this article exactly, although my HTTP redirect doesn't work from that: if I type it times out, if I type it works though

But anyway,
my internal users are using TMG as a proxy, so all their internet traffic goes to destination port 8080.
So when they are trying to go to they are going via port 8080 instead of 80 or 443.
Can I do anything on the TMG to make work on 8080 or something?

must be a common problem

Keith Alabaster (Enterprise Architect) commented:
You are wrong - the port 8080 is only the web proxy port number that the user's browser uses to talk to the FTMG server, i.e. the request. It is the FTMG server that speaks to the external sites, and the FTMG server talks outbound on port 80 as default or 443 or whatever the URL has asked for in respect to its protocol.

awilderbeast (Author) commented:
OK, so my OWA address is for internal and external; internally I have used DNS to point to my TMG server's internal address

I opened a user's computer that sits behind the proxy and set up a log to view the details

I get denied connection from the default rule, but if I use a machine that doesn't use the TMG as its gateway and no proxy settings then I get access to the site

Can you help me out?

Keith Alabaster (Enterprise Architect) commented:
I assume you have added the exceptions in the browser proxy settings - advanced section to cover your internal IP addresses?

10.1.*; 192.168.16.* etc?

this would cover all internal IP addresses that began with either 10.1.x.y or 192.168.16.x for example and tell them to ignore the proxy server and go 'Direct' to the address given.
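
Added example, not part of the original thread: a small model of how a semicolon-separated exception list like the one above is evaluated, assuming (as Internet Explorer does) that each entry is compared with the host as written in the URL, with no DNS lookup. The names mail.example.test and tmg.example.test are constructed placeholders.

```javascript
// Model of a browser proxy exception list ("10.1.*; 192.168.101.*").
// Assumption: entries are wildcard patterns matched against the host
// string in the URL, not against the address that DNS returns for it.

function parseBypassList(list) {
  return list
    .split(";")
    .map((s) => s.trim().toLowerCase())
    .filter((s) => s.length > 0);
}

function patternToRegExp(pattern) {
  // Escape regex metacharacters, then turn each "*" into ".*".
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

function routeFor(url, bypassList, proxy) {
  const host = new URL(url).hostname.toLowerCase();
  for (const entry of parseBypassList(bypassList)) {
    if (entry === "<local>") {
      // "<local>" covers single-label names such as "intranet".
      if (!host.includes(".")) return "DIRECT";
      continue;
    }
    if (patternToRegExp(entry).test(host)) return "DIRECT";
  }
  return "PROXY " + proxy;
}

// Constructed sample: the same site reached by IP and by name.
function demo() {
  const proxy = "tmg.example.test:8080";
  const ipOnly = "10.1.*; 192.168.101.*";
  const withName = ipOnly + "; mail.example.test";
  return {
    byIp: routeFor("https://192.168.101.10/owa", ipOnly, proxy),
    byName: routeFor("https://mail.example.test/owa", ipOnly, proxy),
    byNameListed: routeFor("https://mail.example.test/owa", withName, proxy),
  };
}

console.log(demo());
```

An IP wildcard only covers URLs typed with the IP address; a URL typed with a host name still goes to the proxy on 8080 unless that name (or a pattern covering it) is also in the list.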

awilderbeast (Author) commented:
I just did that now and it still doesn't let me in

just get diagnose connection problems on the users machine and on the TMG server

see screen

It's denying it on the default rule for some reason

Keith Alabaster (Enterprise Architect) commented:
Please give full details. Where are you making the call from - a client or the ISA itself?
Are you using the ISA firewall client?
After you added the exceptions, did you fully close the browser and re-open it again so the browser picked them up?

Your exceptions should obviously be 192.168.101.*

awilderbeast (Author) commented:
From a client.
Not using the firewall client, no, just proxy settings in the browser.

I closed and opened IE after changing the settings, yes, and my exception was 192.168.101.*

awilderbeast (Author) commented:
OK, here's results from ISA logging

has the right port but its being blocked for some reason?
Denied Connection CH-FW 21/04/2010 13:39:06 
Log type: Web Proxy (Forward) 
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).  
Rule: Default rule 
Source: Internal ( 
Destination: Local Host ( 
Filter information: Req ID: 09542052; Compression: client=No, server=No, compress rate=0% decompress rate=0% 
Protocol: SSL-tunnel 
User: anonymous 

Keith Alabaster (Enterprise Architect) commented:
Says the destination is the localhost - is this what it should be?

awilderbeast (Author) commented:
Yeah, well the Exchange server is behind the TMG server and the TMG publishes it, so that's right, yes?

Keith Alabaster (Enterprise Architect) commented:
OWA will be responding to a request from outside and so the Exchange server responses will be exactly that, return traffic. The entries in your log appear to be traffic originating from the Exchange box directly to the localhost. If you have set up your publishing rules weirdly - so that all traffic appears to come from the FTMG box - then that MAY explain it (I have never set up a box that way, what would be the point?).

awilderbeast (Author) commented:
Yeah, that's how I had the rules set up, so requests appear to come from the TMG. I just changed it then so requests appear to come from the original client, and then I get the logon screen for the web app, but then when I log in it times out and the OWA rule I have denies the client.

This is both internally and externally; they just time out forwarding from the original client. Any ideas?

Failed Connection Attempt CH-FW 22/04/2010 09:20:00 
Log type: Web Proxy (Reverse) 
Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  
Rule: OWA (NTLM) 
Source: External ( 
Destination: Local Host ( 
Request: GET 
Filter information: Req ID: 09559ad0; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=no, logged off=no, client type=private, user activity=yes 
Protocol: https 
User: domain\MyName
 Additional information 
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 62993 MIME type:  

Keith Alabaster (Enterprise Architect) commented:
Can you provide the output from both an ipconfig /all from the FTMG box and the output of a route print, please?

awilderbeast (Author) commented:
Soon as you said that I knew where you were going with it.

I needed to add some persistent routes to the firewall's routing table so it knew how to get to my internal ranges. It all works now :)

Keith Alabaster (Enterprise Architect) commented:
Lol - you got it. :)