TMG OWA for internal users behind proxy has destination port 8080 instead of 443

Hi all,

I have created my OWA publishing rules, which work fine externally; I followed this article exactly:
http://www.testlabs.se/blog/?p=199 although my HTTP redirect doesn't work from that. If I type http://mail.domain.com it times out; if I type https://mail.domain.com it works, though.

But anyway:
my internal users are using TMG as a proxy, so all their internet traffic goes to destination port 8080,
so when they are trying to go to mail.domain.org they are going via port 8080 instead of 80 or 443.
Can I do anything on the TMG to make mail.domain.org work on 8080 or something?

Must be a common problem.

Thanks
Asked by: awilderbeast

1 Solution
Keith Alabaster (Enterprise Architect) commented:
You are wrong - the port 8080 is only the web proxy port number that the user's browser uses to talk to the FTMG server, i.e. the request. It is the FTMG server that speaks to the external sites, and the FTMG server talks outbound on port 80 as default, or 443, or whatever the URL has asked for in respect to its protocol.

awilderbeast (Author) commented:
OK, so my OWA address is mail.domain.org for internal and external; internally I have used DNS to point mail.domain.org to my TMG server's internal address.

I opened a user's computer that sits behind the proxy and set up a log to view the details.

I get a denied connection from the default rule, but if I use a machine that doesn't use the TMG as its gateway and has no proxy settings then I get access to the site.

Can you help me out?
[attachment: email.PNG]
Keith Alabaster (Enterprise Architect) commented:
I assume you have added the exceptions in the browser proxy settings - advanced section to cover your internal IP addresses?

10.1.*; 192.168.16.* etc?

This would cover all internal IP addresses that began with either 10.1.x.y or 192.168.16.x, for example, and tell them to ignore the proxy server and go 'Direct' to the address given.
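The exception-list behaviour Keith describes, as an added example that is not part of the thread: a small Python model of how the browser decides between going direct and sending the request to the TMG web proxy on 8080. The proxy address and the exception patterns are constructed for the example. One caveat that matters in this thread: the browser compares the patterns against the host as written in the URL and does not resolve it first, so an address pattern such as 192.168.101.* lets https://192.168.101.10/ bypass the proxy but not https://mail.domain.org/, even when that name resolves to 192.168.101.10; to bypass by name, the name itself has to be in the list.

```python
"""Model of a browser proxy-exception (bypass) list deciding between DIRECT and
the TMG web proxy on port 8080. Added example; values are constructed."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed settings standing in for the thread's: TMG's internal address as
# the web proxy, and an exception list in IE's semicolon-separated form.
PROXY = "PROXY 192.168.101.10:8080"
EXCEPTIONS = "10.1.*; 192.168.16.*; 192.168.101.*; mail.domain.org"


def parse_exceptions(text: str) -> list[str]:
    """Split the exception list into lower-cased wildcard patterns."""
    return [p.strip().lower() for p in text.split(";") if p.strip()]


def route_for(url: str, exceptions: str = EXCEPTIONS, proxy: str = PROXY) -> str:
    """Return 'DIRECT' if the URL's host matches any exception, else the proxy.

    The match is made against the host exactly as written in the URL; the
    browser does not resolve it first. So '192.168.101.*' matches a URL typed
    with the address, but not one typed with a name that resolves to it.
    """
    host = (urlsplit(url).hostname or "").lower()
    for pattern in parse_exceptions(exceptions):
        if fnmatchcase(host, pattern):
            return "DIRECT"
    return proxy


if __name__ == "__main__":
    # With only the address pattern, the OWA name still goes to the proxy.
    for url in ("https://mail.domain.org/owa", "https://192.168.101.10/owa"):
        print(url, "->", route_for(url, exceptions="192.168.101.*"))
    # With the name listed as well, the OWA URL bypasses the proxy too.
    print("https://mail.domain.org/owa", "->", route_for("https://mail.domain.org/owa"))
```

Run stand-alone it prints the three decisions; the point to take from it is that an exception list built only from address ranges does not keep a name-based OWA URL off the proxy.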
awilderbeast (Author) commented:
I just did that now and it still doesn't let me in.

I just get "diagnose connection problems" on the user's machine and on the TMG server.

See screen.

It's denying it on the default rule for some reason.
[attachment: tmg.PNG]
Keith Alabaster (Enterprise Architect) commented:
Please give full details. Where are you making the call from - a client or the ISA itself?
Are you using the ISA firewall client?
After you added the exceptions, did you fully close the browser and re-open it again so the browser picked them up?

Your exceptions should obviously be 192.168.101.*

awilderbeast (Author) commented:
From a client.
Not using the firewall client, no, just proxy settings in the browser.

I closed and opened IE after changing the settings, yes, and my exception was 192.168.101.*
awilderbeast (Author) commented:
OK, here are the results from ISA logging.

It has the right port, but it's being blocked for some reason?
Denied Connection CH-FW 21/04/2010 13:39:06 
Log type: Web Proxy (Forward) 
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).  
Rule: Default rule 
Source: Internal (192.168.101.28:2059) 
Destination: Local Host (192.168.101.10:443) 
Request: mail.mydomain.org:443 
Filter information: Req ID: 09542052; Compression: client=No, server=No, compress rate=0% decompress rate=0% 
Protocol: SSL-tunnel 
User: anonymous 

Keith Alabaster (Enterprise Architect) commented:
Says the destination is the localhost - is this what it should be?
awilderbeast (Author) commented:
Yeah, well, the Exchange server is behind the TMG server and the TMG publishes it, so that's right, yes?
Keith Alabaster (Enterprise Architect) commented:
No.

OWA will be responding to a request from outside, and so the Exchange server responses will be exactly that: return traffic. The entries in your log appear to be traffic originating from the Exchange box directly to the localhost. If you have set up your publishing rules weirdly - so that all traffic appears to come from the FTMG box - then that MAY explain it (I have never set up a box that way; what would be the point?).
awilderbeast (Author) commented:
Yeah, that's how I had the rules set up, so requests appear to come from the TMG. I just changed it so requests appear to come from the original client, and then I get the logon screen for the web app, but when I log in it times out and the OWA rule I have denies the client.

This is both internally and externally; they just time out forwarding from the original client. Any ideas?

Thanks
Failed Connection Attempt CH-FW 22/04/2010 09:20:00 
Log type: Web Proxy (Reverse) 
Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  
Rule: OWA (NTLM) 
Source: External (xxx.xxx.xxx.xxx:56328) 
Destination: Local Host (192.168.101.2:443) 
Request: GET http://mail.domain.org/owa 
Filter information: Req ID: 09559ad0; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=no, logged off=no, client type=private, user activity=yes 
Protocol: https 
User: domain\MyName
 Additional information 
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 62993 MIME type:  

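To read the two log records posted in this thread (the Web Proxy (Forward) denial on the Default rule, and the Web Proxy (Reverse) status 10060 timeout above) more systematically, here is an added Python example that is not from the thread or from Microsoft. It parses the "Key: Value" form TMG's log viewer shows, splits the Source/Destination endpoints into network, address and port, and flags the conditions discussed. The two records are copied from the thread; the triage rules are my own assumptions about what is worth checking at each step.

```python
"""Parse Forefront TMG web-proxy log records in the 'Key: Value' form shown by
the log viewer and flag the conditions discussed in the thread. Added example;
the two records below are copied from the thread's posts."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
Denied Connection CH-FW 21/04/2010 13:39:06
Log type: Web Proxy (Forward)
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: Internal (192.168.101.28:2059)
Destination: Local Host (192.168.101.10:443)
Request: mail.mydomain.org:443
Protocol: SSL-tunnel
User: anonymous

Failed Connection Attempt CH-FW 22/04/2010 09:20:00
Log type: Web Proxy (Reverse)
Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Rule: OWA (NTLM)
Source: External (xxx.xxx.xxx.xxx:56328)
Destination: Local Host (192.168.101.2:443)
Request: GET http://mail.domain.org/owa
Protocol: https
User: domain\\MyName
Processing time: 62993 MIME type:
"""

# "Network (address:port)" as TMG prints Source and Destination.
ENDPOINT = re.compile(r"^(?P<network>.+?) \((?P<addr>[^:)]+):(?P<port>\d+)\)$")
# Trailing "<server> dd/mm/yyyy hh:mm:ss" on the first line of each record.
HEADER_TAIL = re.compile(r"\s+\S+ \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\s*$")


@dataclass
class Record:
    result: str                       # e.g. "Denied Connection"
    fields: dict = field(default_factory=dict)

    @property
    def status_code(self) -> int:
        """Numeric code at the start of the Status field (12202, 10060, ...)."""
        m = re.match(r"(\d+)", self.fields.get("Status", ""))
        return int(m.group(1)) if m else 0

    def endpoint(self, key: str) -> dict:
        """Split 'Source' or 'Destination' into network/addr/port."""
        m = ENDPOINT.match(self.fields.get(key, ""))
        return m.groupdict() if m else {}


def parse_records(text: str) -> list[Record]:
    """Records are separated by blank lines; the first line carries the result."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        rec = Record(result=HEADER_TAIL.sub("", lines[0]))
        for line in lines[1:]:
            key, sep, value = line.partition(": ")   # first ': ' only; values may contain colons
            if sep:
                rec.fields[key.strip()] = value.strip()
        records.append(rec)
    return records


def triage(rec: Record) -> list[str]:
    """Assumed checks: what each record suggests looking at next."""
    findings = []
    direction = rec.fields.get("Log type", "")
    rule = rec.fields.get("Rule", "")
    dst = rec.endpoint("Destination")
    if "Forward" in direction and rule == "Default rule":
        findings.append("forward request fell through to the Default rule: no access rule allows it")
    if "Forward" in direction and dst.get("network") == "Local Host":
        findings.append(f"request is addressed to TMG's own listener ({dst['addr']}:{dst['port']}): "
                        "the published name resolves to the TMG address from inside")
    if "Reverse" in direction and rec.status_code == 10060:
        findings.append(f"published server {dst.get('addr')} did not answer TMG in time: "
                        "check TMG's routes to that subnet")
    return findings


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.result, rec.fields.get("Log type"), rec.status_code)
        for note in triage(rec):
            print("  -", note)
```

The parser splits each line on the first ": " only, because the Status and Filter information values themselves contain colons; the Processing time line (62993 ms, just over a minute) is what the 10060 status looks like from the client's side.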
Keith Alabaster (Enterprise Architect) commented:
Can you provide the output from both an ipconfig /all from the FTMG box and the output of a route print, please?
awilderbeast (Author) commented:
As soon as you said that, I knew where you were going with it.

I needed to add some persistent routes to the firewall's routing table so it knew how to get to my internal ranges; it all works now :)

Cheers
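The fix was adding persistent routes so the TMG box could reach the internal ranges it publishes. As an added example that is not from the thread, the Python below takes a `route print` style table, reports which internal subnets have no route other than the default gateway, and builds the corresponding `route -p add` commands. The route table, the subnet list and the gateway 192.168.101.1 are constructed placeholders, not values from the thread.

```python
"""Check a Windows routing table (route print layout) for internal subnets that
are reachable only through the default route. Added example; the table, the
subnets and the gateway below are constructed placeholders."""
import ipaddress

# Constructed excerpt in `route print` column order:
# Network Destination, Netmask, Gateway, Interface, Metric
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10     10
        127.0.0.0        255.0.0.0          On-link       127.0.0.1    306
    192.168.101.0    255.255.255.0          On-link  192.168.101.10    266
    192.168.102.0    255.255.255.0    192.168.101.1  192.168.101.10     11
"""

# Internal ranges the published servers live in (constructed).
INTERNAL_SUBNETS = ["192.168.101.0/24", "192.168.102.0/24", "10.10.0.0/16"]


def parse_route_print(text: str) -> list[tuple[ipaddress.IPv4Network, str]]:
    """Return (network, gateway) pairs; 'On-link' is kept as the gateway text."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:            # skip headings and blank lines
            continue
        dest, mask, gateway = parts[0], parts[1], parts[2]
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway))
    return routes


def uncovered_subnets(route_text: str, subnets: list[str]) -> list[str]:
    """Subnets not contained in any route more specific than 0.0.0.0/0."""
    specific = [net for net, _ in parse_route_print(route_text) if net.prefixlen > 0]
    missing = []
    for s in subnets:
        target = ipaddress.IPv4Network(s)
        if not any(target.subnet_of(net) for net in specific):
            missing.append(s)
    return missing


def route_add_commands(subnets: list[str], gateway: str) -> list[str]:
    """Persistent route commands (route -p add ...) for the given subnets."""
    cmds = []
    for s in subnets:
        net = ipaddress.IPv4Network(s)
        cmds.append(f"route -p add {net.network_address} mask {net.netmask} {gateway}")
    return cmds


if __name__ == "__main__":
    missing = uncovered_subnets(ROUTE_PRINT, INTERNAL_SUBNETS)
    print("subnets reachable only via the default gateway:", missing)
    for cmd in route_add_commands(missing, "192.168.101.1"):   # placeholder gateway
        print(cmd)
```

A subnet that only matches the default route is sent out towards the external gateway, which is the symptom in the thread: the reverse-proxy request reaches TMG, but TMG's reply path to the published server never arrives, and the client sees the 10060 timeout.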
Keith Alabaster (Enterprise Architect) commented:
Lol - you got it. :)