TMG 2010 Standard - web publishing rule not processed

Help please !!

Have configured a TMG 2010 server in a DMZ (domain-joined) with number 1 rule as ActiveSync web publishing rule, pointing to an Exchange 2010 CAS Array Farm, using an HTTPS Web Listener. The problem is that when I test this, the traffic is denied by the DEFAULT rule and the Web Publising rule is never evaluated. Since this contains details of how the clients should authenticate, the clients are unable to access the CAS Array.
The exact same config works fine on another TMG in a DMZ with the same rules, listeners etc.
The Certs are fine - the config is in sync, the Coonectivity verifiers are all green, the rule when tested shows all green.
The strange things are :-
The default deny says Denied Traffic
  - destination URL host name could not be resolved
The protocol says : BranchCache-Advertise ???
Checked the internal URL can be reolved to the exchange CAS Array.
The web publishing rule is set up for HTTPS traffic redirected to 443, basic authentication (checked IIS VS also match this). Looks to me that this rule is not being invoked (Simulations shows "This Web publishing rule was skipped for this packet.") because the traffic is shown in the simulation as BranchCache-Advertise instead of HTTPS ??
Anyone come across this and/or have suggestions/solutions please ?
LVL 11
TheGeezer2010Asked:
Who is Participating?
 
TheGeezer2010Connect With a Mentor Author Commented:
Hi and thanks for replying

I have figured out why this was not working and, to be fair, it is something which would have been difficult to diagnose - certainly I have found the Traffic Simulator of no value when trying to troubleshoot this. The problem was this - the test site uses a temporary external URL (in fact an IP address) whereas by replicating the current environment, the external URL matched the current Production URL. I needed to edit the external URL to point to the IP address, set up a BranchCache-Advertise rule to allow HTTP from TMG to CAS Array servers, save the config and now it is finding the right target and of course, the rule correctly matches so that it is being processed. Still getting denied buty this is probably due to the ASA blocking Kerberos to/from the DCs.
Workede this out myself but will give some points to endital1097 for responding with broadly the correct area to look for.
0
 
endital1097Connect With a Mentor Commented:
It sounds like there is an issue with the web publishing rule or your web listener
Verify your configuration against a guide like the following
http://exchangemaster.wordpress.com/2010/04/09/publish-exchange-2010-with-tmg-forefront-threat-management-gateway/
0
 
TheGeezer2010Author Commented:
Please allocate 50 points to Enditall 1097 and close issue. I cannot find a way to refund 450 to myself.
0
 
TheGeezer2010Author Commented:
Self-resolved but have raised another related ticket
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.