Solved

TMG 2010 Standard - web publishing rule not processed

Posted on 2011-03-14
4
5,085 Views
Last Modified: 2012-05-11
Help please !!

Have configured a TMG 2010 server in a DMZ (domain-joined) with number 1 rule as ActiveSync web publishing rule, pointing to an Exchange 2010 CAS Array Farm, using an HTTPS Web Listener. The problem is that when I test this, the traffic is denied by the DEFAULT rule and the Web Publising rule is never evaluated. Since this contains details of how the clients should authenticate, the clients are unable to access the CAS Array.
The exact same config works fine on another TMG in a DMZ with the same rules, listeners etc.
The Certs are fine - the config is in sync, the Coonectivity verifiers are all green, the rule when tested shows all green.
The strange things are :-
The default deny says Denied Traffic
  - destination URL host name could not be resolved
The protocol says : BranchCache-Advertise ???
Checked the internal URL can be reolved to the exchange CAS Array.
The web publishing rule is set up for HTTPS traffic redirected to 443, basic authentication (checked IIS VS also match this). Looks to me that this rule is not being invoked (Simulations shows "This Web publishing rule was skipped for this packet.") because the traffic is shown in the simulation as BranchCache-Advertise instead of HTTPS ??
Anyone come across this and/or have suggestions/solutions please ?
0
Comment
Question by:TheGeezer2010
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 50 total points
ID: 35127743
It sounds like there is an issue with the web publishing rule or your web listener
Verify your configuration against a guide like the following
http://exchangemaster.wordpress.com/2010/04/09/publish-exchange-2010-with-tmg-forefront-threat-management-gateway/
0
 
LVL 11

Accepted Solution

by:
TheGeezer2010 earned 0 total points
ID: 35128764
Hi and thanks for replying

I have figured out why this was not working and, to be fair, it is something which would have been difficult to diagnose - certainly I have found the Traffic Simulator of no value when trying to troubleshoot this. The problem was this - the test site uses a temporary external URL (in fact an IP address) whereas by replicating the current environment, the external URL matched the current Production URL. I needed to edit the external URL to point to the IP address, set up a BranchCache-Advertise rule to allow HTTP from TMG to CAS Array servers, save the config and now it is finding the right target and of course, the rule correctly matches so that it is being processed. Still getting denied buty this is probably due to the ASA blocking Kerberos to/from the DCs.
Workede this out myself but will give some points to endital1097 for responding with broadly the correct area to look for.
0
 
LVL 11

Author Comment

by:TheGeezer2010
ID: 35128809
Please allocate 50 points to Enditall 1097 and close issue. I cannot find a way to refund 450 to myself.
0
 
LVL 11

Author Closing Comment

by:TheGeezer2010
ID: 35174478
Self-resolved but have raised another related ticket
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question