Solved

TMG 2010 Standard - web publishing rule not processed

Posted on 2011-03-14
4
5,023 Views
Last Modified: 2012-05-11
Help please !!

Have configured a TMG 2010 server in a DMZ (domain-joined) with number 1 rule as ActiveSync web publishing rule, pointing to an Exchange 2010 CAS Array Farm, using an HTTPS Web Listener. The problem is that when I test this, the traffic is denied by the DEFAULT rule and the Web Publising rule is never evaluated. Since this contains details of how the clients should authenticate, the clients are unable to access the CAS Array.
The exact same config works fine on another TMG in a DMZ with the same rules, listeners etc.
The Certs are fine - the config is in sync, the Coonectivity verifiers are all green, the rule when tested shows all green.
The strange things are :-
The default deny says Denied Traffic
  - destination URL host name could not be resolved
The protocol says : BranchCache-Advertise ???
Checked the internal URL can be reolved to the exchange CAS Array.
The web publishing rule is set up for HTTPS traffic redirected to 443, basic authentication (checked IIS VS also match this). Looks to me that this rule is not being invoked (Simulations shows "This Web publishing rule was skipped for this packet.") because the traffic is shown in the simulation as BranchCache-Advertise instead of HTTPS ??
Anyone come across this and/or have suggestions/solutions please ?
0
Comment
Question by:TheGeezer2010
  • 3
4 Comments
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 50 total points
ID: 35127743
It sounds like there is an issue with the web publishing rule or your web listener
Verify your configuration against a guide like the following
http://exchangemaster.wordpress.com/2010/04/09/publish-exchange-2010-with-tmg-forefront-threat-management-gateway/
0
 
LVL 11

Accepted Solution

by:
TheGeezer2010 earned 0 total points
ID: 35128764
Hi and thanks for replying

I have figured out why this was not working and, to be fair, it is something which would have been difficult to diagnose - certainly I have found the Traffic Simulator of no value when trying to troubleshoot this. The problem was this - the test site uses a temporary external URL (in fact an IP address) whereas by replicating the current environment, the external URL matched the current Production URL. I needed to edit the external URL to point to the IP address, set up a BranchCache-Advertise rule to allow HTTP from TMG to CAS Array servers, save the config and now it is finding the right target and of course, the rule correctly matches so that it is being processed. Still getting denied buty this is probably due to the ASA blocking Kerberos to/from the DCs.
Workede this out myself but will give some points to endital1097 for responding with broadly the correct area to look for.
0
 
LVL 11

Author Comment

by:TheGeezer2010
ID: 35128809
Please allocate 50 points to Enditall 1097 and close issue. I cannot find a way to refund 450 to myself.
0
 
LVL 11

Author Closing Comment

by:TheGeezer2010
ID: 35174478
Self-resolved but have raised another related ticket
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
exchange ,script 10 41
o365 Buy vs. Rent break-even: lifespan of office 2016? 6 31
ACTIVE DIRECTORY 18 44
Review of a VPN cert policy 4 27
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question