Solved

TMG 2010 Standard - web publishing rule not processed

Posted on 2011-03-14
Last Modified: 2012-05-11
Help please !!

Have configured a TMG 2010 server in a DMZ (domain-joined) with number 1 rule as ActiveSync web publishing rule, pointing to an Exchange 2010 CAS Array Farm, using an HTTPS Web Listener. The problem is that when I test this, the traffic is denied by the DEFAULT rule and the Web Publishing rule is never evaluated. Since this contains details of how the clients should authenticate, the clients are unable to access the CAS Array.
The exact same config works fine on another TMG in a DMZ with the same rules, listeners etc.
The Certs are fine - the config is in sync, the Connectivity verifiers are all green, the rule when tested shows all green.
The strange things are :-
The default deny says Denied Traffic
  - destination URL host name could not be resolved
The protocol says : BranchCache-Advertise ???
Checked the internal URL can be resolved to the Exchange CAS Array.
The web publishing rule is set up for HTTPS traffic redirected to 443, basic authentication (checked IIS VS also match this). Looks to me that this rule is not being invoked (Simulations shows "This Web publishing rule was skipped for this packet.") because the traffic is shown in the simulation as BranchCache-Advertise instead of HTTPS ??
Anyone come across this and/or have suggestions/solutions please ?
Question by:TheGeezer2010
4 Comments
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 50 total points
ID: 35127743
It sounds like there is an issue with the web publishing rule or your web listener
Verify your configuration against a guide like the following
http://exchangemaster.wordpress.com/2010/04/09/publish-exchange-2010-with-tmg-forefront-threat-management-gateway/
0
 
LVL 11

Accepted Solution

by:
TheGeezer2010 earned 0 total points
ID: 35128764
Hi and thanks for replying

I have figured out why this was not working and, to be fair, it is something which would have been difficult to diagnose - certainly I have found the Traffic Simulator of no value when trying to troubleshoot this. The problem was this - the test site uses a temporary external URL (in fact an IP address) whereas by replicating the current environment, the external URL matched the current Production URL. I needed to edit the external URL to point to the IP address, set up a BranchCache-Advertise rule to allow HTTP from TMG to CAS Array servers, save the config and now it is finding the right target and of course, the rule correctly matches so that it is being processed. Still getting denied but this is probably due to the ASA blocking Kerberos to/from the DCs.
Worked this out myself but will give some points to endital1097 for responding with broadly the correct area to look for.
0
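The failure described in the accepted answer, as an added example that is not part of the original thread: a simplified Python model (an assumption, not TMG's actual engine) of first-match rule evaluation, showing how a publishing rule whose public name is the production host name is skipped when the client connects by IP address. The host name, IP address and rule name are constructed sample values.

```python
# Simplified model (an assumption, not TMG's actual engine): rules are tried
# in order, and a web publishing rule applies only when the listener port,
# the request's Host header and the request path all match.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class PublishingRule:
    name: str
    listener_port: int
    public_names: tuple  # host names clients are expected to send
    paths: tuple         # published path patterns


def evaluate(rules, port, host, path):
    """Return (matched_rule_name, trace) for one request."""
    trace = []
    for rule in rules:
        if port != rule.listener_port:
            trace.append((rule.name, "skipped: listener port"))
        elif host.lower() not in (n.lower() for n in rule.public_names):
            trace.append((rule.name, "skipped: public name"))
        elif not any(fnmatchcase(path.lower(), p.lower()) for p in rule.paths):
            trace.append((rule.name, "skipped: path"))
        else:
            trace.append((rule.name, "matched"))
            return rule.name, trace
    # Nothing matched, so the request falls through to the default deny rule.
    trace.append(("Default rule", "denied"))
    return "Default rule", trace


# Constructed sample values: production name vs. temporary test IP address.
PROD_NAME = "mail.example.com"
TEST_IP = "203.0.113.10"
EAS_PATH = "/Microsoft-Server-ActiveSync/*"

copied_from_production = [PublishingRule("ActiveSync", 443, (PROD_NAME,), (EAS_PATH,))]
edited_for_test = [PublishingRule("ActiveSync", 443, (TEST_IP,), (EAS_PATH,))]


def demo():
    """Evaluate the same test request against both rule sets."""
    req = (443, TEST_IP, "/Microsoft-Server-ActiveSync/default.eas")
    return evaluate(copied_from_production, *req), evaluate(edited_for_test, *req)


if __name__ == "__main__":
    for matched, trace in demo():
        print(matched, trace)
```

The trace makes the skipped condition explicit, which is the detail the poster says the Traffic Simulator did not surface.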
 
LVL 11

Author Comment

by:TheGeezer2010
ID: 35128809
Please allocate 50 points to endital1097 and close issue. I cannot find a way to refund 450 to myself.
0
 
LVL 11

Author Closing Comment

by:TheGeezer2010
ID: 35174478
Self-resolved but have raised another related ticket
0


Question has a verified solution.
