Solved

TMG 2010 Standard - web publishing rule not processed

Posted on 2011-03-14
4
4,969 Views
Last Modified: 2012-05-11
Help please !!

Have configured a TMG 2010 server in a DMZ (domain-joined) with number 1 rule as ActiveSync web publishing rule, pointing to an Exchange 2010 CAS Array Farm, using an HTTPS Web Listener. The problem is that when I test this, the traffic is denied by the DEFAULT rule and the Web Publising rule is never evaluated. Since this contains details of how the clients should authenticate, the clients are unable to access the CAS Array.
The exact same config works fine on another TMG in a DMZ with the same rules, listeners etc.
The Certs are fine - the config is in sync, the Coonectivity verifiers are all green, the rule when tested shows all green.
The strange things are :-
The default deny says Denied Traffic
  - destination URL host name could not be resolved
The protocol says : BranchCache-Advertise ???
Checked the internal URL can be reolved to the exchange CAS Array.
The web publishing rule is set up for HTTPS traffic redirected to 443, basic authentication (checked IIS VS also match this). Looks to me that this rule is not being invoked (Simulations shows "This Web publishing rule was skipped for this packet.") because the traffic is shown in the simulation as BranchCache-Advertise instead of HTTPS ??
Anyone come across this and/or have suggestions/solutions please ?
0
Comment
Question by:TheGeezer2010
  • 3
4 Comments
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 50 total points
Comment Utility
It sounds like there is an issue with the web publishing rule or your web listener
Verify your configuration against a guide like the following
http://exchangemaster.wordpress.com/2010/04/09/publish-exchange-2010-with-tmg-forefront-threat-management-gateway/
0
 
LVL 11

Accepted Solution

by:
TheGeezer2010 earned 0 total points
Comment Utility
Hi and thanks for replying

I have figured out why this was not working and, to be fair, it is something which would have been difficult to diagnose - certainly I have found the Traffic Simulator of no value when trying to troubleshoot this. The problem was this - the test site uses a temporary external URL (in fact an IP address) whereas by replicating the current environment, the external URL matched the current Production URL. I needed to edit the external URL to point to the IP address, set up a BranchCache-Advertise rule to allow HTTP from TMG to CAS Array servers, save the config and now it is finding the right target and of course, the rule correctly matches so that it is being processed. Still getting denied buty this is probably due to the ASA blocking Kerberos to/from the DCs.
Workede this out myself but will give some points to endital1097 for responding with broadly the correct area to look for.
0
 
LVL 11

Author Comment

by:TheGeezer2010
Comment Utility
Please allocate 50 points to Enditall 1097 and close issue. I cannot find a way to refund 450 to myself.
0
 
LVL 11

Author Closing Comment

by:TheGeezer2010
Comment Utility
Self-resolved but have raised another related ticket
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Easy CSR creation in Exchange 2007,2010 and 2013
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
how to add IIS SMTP to handle application/Scanner relays into office 365.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now