Solved

TMG 2010 - configure server to bypass/passthru

Posted on 2011-03-14
5,527 Views
Last Modified: 2013-12-23
Really hoping to get some help here, as I'm stuck.

We have TMG 2010 installed on our system and all of our users' web browsers are configured to go thru port 8080 for both HTTP and HTTPS traffic on the TMG server.  The rule allows access for authenticated users - the traffic then gets routed through Google Postini for web filtering.

I'm installing a new Linux-based backup server that needs access to inbound and outbound traffic on ports 22, 123, and 143 (for off-site backups).  It also needs HTTP and HTTPS access.  It can access HTTP pages, but I'm getting an error when trying to access HTTPS:  SSL received a record that exceeded maximum possible length.

This condition is repeatable using a Windows laptop plugged into the network - :80 works fine :443 doesn't.

Is there an easy way to configure the server to pass straight thru TMG? The vendor states that the product does not support using a proxy server.

Spent a couple hours on the phone with support with no resolution on this :(  can anyone here help?
Question by:BigMonkeyHead
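The HTTPS error quoted in the question ("SSL received a record that exceeded maximum possible length") is what a browser reports when something on the path answers its TLS ClientHello with plaintext, for example a proxy that intercepts port 443 and returns an HTTP error page. The client reads the first five bytes "HTTP/" as a TLS record header, and the length field that falls out of "P/" (0x502F = 20527) is larger than any record TLS allows. The following diagnostic is an added example, not code from the thread; the host name passed to probe() is an assumption you supply.

```python
"""Classify the first bytes a server sends back on a TLS port (added example)."""
import socket
import ssl

TLS_MAX_RECORD = 2 ** 14 + 2048  # 18432: largest record a TLS client accepts
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def classify_response(first_bytes: bytes) -> dict:
    """Interpret the first 5 bytes of a server reply as a TLS record header."""
    if len(first_bytes) < 5:
        return {"verdict": "short", "detail": "fewer than 5 bytes received"}
    ctype = first_bytes[0]
    version = (first_bytes[1] << 8) | first_bytes[2]
    length = (first_bytes[3] << 8) | first_bytes[4]
    info = {"content_type": ctype, "version": hex(version), "length": length}
    if ctype in TLS_CONTENT_TYPES and (version >> 8) == 3 and length <= TLS_MAX_RECORD:
        # A genuine TLS record: major version 3, sane length, known content type
        info["verdict"] = "tls"
        info["detail"] = TLS_CONTENT_TYPES[ctype]
    elif first_bytes.startswith(b"HTTP/"):
        # Plaintext HTTP on a TLS port: "HTTP/" parsed as a record header
        info["verdict"] = "plaintext_http"
        info["detail"] = (f"HTTP reply on a TLS port; parsed record length "
                          f"{length} exceeds {TLS_MAX_RECORD}")
    elif length > TLS_MAX_RECORD:
        info["verdict"] = "record_too_long"
        info["detail"] = "not TLS; the client would report an oversized record"
    else:
        info["verdict"] = "unknown"
        info["detail"] = "not a recognizable TLS record"
    return info


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Attempt a real handshake with the ssl module and report the outcome.

    Certificate checks are disabled on purpose: this diagnoses whether the
    far end speaks TLS at all, not whether its certificate is trusted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"verdict": "tls", "detail": tls.version()}
    except ssl.SSLError as err:
        # OpenSSL names this case differently (e.g. WRONG_VERSION_NUMBER)
        return {"verdict": "ssl_error", "detail": err.reason}
```

Feeding classify_response() the first bytes captured from the failing connection (for example from a packet capture) tells you whether the server spoke TLS or whether a proxy or filter answered in plaintext, which is the condition the question describes.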
13 Comments
 
LVL 10

Expert Comment

by:simonlimon
ID: 35136147
I would create an access rule, allowing ports 80, 443, 22, 123 and 143. Allow it for all users, and source IP as that of the Linux server. I would also place this rule to be processed before the web proxy rule using the "Move up" function...
0
 
LVL 29

Accepted Solution

by:
pwindell earned 250 total points
ID: 35140113
You can't "allow ports" in ISA/TMG.  That is just the wrong way to even think about it.  You have to think about it as allowing certain Sources to use certain Protocols to get to certain places.

There is no such thing as "inbound and outbound".   You can allow traffic outbound,....and you can allow traffic inbound,...but they are two entirely separate processes that are performed separately.

What protocols is it using?  I don't want to hear anything about port numbers,...I want to know protocols.  Then I need to know which protocols are outbound and which ones are inbound (separately).  For example HTTP outbound is not the same protocol in ISA/TMG as HTTP coming inbound.

If the product is using Custom Protocols on Custom Ports (like maybe the 22, 123, 143) then I need to know that in detail.
0
 
LVL 10

Assisted Solution

by:simonlimon
simonlimon earned 250 total points
ID: 35143042
Sorry about that, I should have been more specific.

Define protocol definitions: define what ports they are and whether they are inbound or outbound.

And then allow the protocols for the all users object originating from a specific IP.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35147576
It's ok Simon. Wasn't targeting you,..was meant in a more general informational way.  I just like to help people clarify their thinking on that,..it helps with thinking through the config on ISA/TMG.

We haven't heard back from the OP on this.  Without more specifics not much can be done here.
0
 
LVL 1

Assisted Solution

by:BigMonkeyHead
BigMonkeyHead earned 0 total points
ID: 35152093
Turns out that the protocols for HTTP and HTTPS inside TMG were set to use the Web Proxy Filter (under Parameters tab for each protocol).  This had the effect of forcing all HTTP(S) traffic through TMG (even on the TMG host machine).

This wouldn't work because my Linux server has some PHP scripts that hit HTTPS addresses - and since the scripts aren't configured to use the TMG proxy, they'd always fail.  Unchecking the web proxy filter settings on the HTTP and HTTPS protocols in TMG fixed the problem.

Thanks for the heads up on specifying protocol vs ports.  I'm pretty new to TMG, so that's a good piece of info to have.  :)
0
 
LVL 10

Expert Comment

by:simonlimon
ID: 35152280
But be aware you disabled web proxy for all your users now... Create a new protocol definition for HTTP w/o web proxy and link that protocol to this rule. That is, if you need the web proxy for the users. Thanks for the point btw.
0
 
LVL 1

Author Comment

by:BigMonkeyHead
ID: 35156084
Internet Explorer is configured to use the proxy per group policy and can't be changed by the user.  I think we're ok.  ??
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35156265
You're going all wrong with this!!!!  It doesn't work like you are thinking and things are not happening the way you think they are for the reasons you think they are.

Stop what you are doing and put the HTTP Filter back on the Protocol!!!

It's going to take me maybe a half hour or so to come back to this and address it,...I'm right in the middle of something,...so hang on.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35156632
Turns out that the protocols for HTTP and HTTPS inside TMG were set to use the Web Proxy Filter (under Parameters tab for each protocol).  This had the effect of forcing all HTTP(S) traffic through TMG (even on the TMG host machine).

Supposed to be. Leave it that way. Don't change it.

This wouldn't work because my Linux server has some PHP scripts that hit HTTPS addresses - and since the scripts aren't configured to use the TMG proxy, they'd always fail.  Unchecking the web proxy filter settings on the HTTP and HTTPS protocols in TMG fixed the problem.

Couple misconceptions here.
1. Scripts don't access anything,...they are just text files.   It is the "web server" running on the Linux box that makes the communication according to what the scripts tell it to do when they are interpreted and executed by the script engine.  It is the running Web Server on the Linux box that needs to access the destination,...not the scripts.

2. The Web Service on the Linux box is not going to authenticate to the ISA and it is not, and never would be, expected to.  Therefore you have no HTTP/HTTPS Rule in place to allow this to happen because you said in the first Post that the Rule was set for Authenticated Users.   You can't do that.  You need dedicated anonymous HTTP/HTTPS Rules for just this Linux box all by itself.

3. There are some very rare cases where something won't work through the HTTP Application Filter,...most often because the HTTP being used is not RFC Compliant HTTP or is just not even true HTTP at all.   HTTPS is never "inspected" with ISA2004/2006 due to the encryption, HTTPS does not even have the Application Filter associated with it to begin with,...the Filter is only with HTTP.  With TMG, it has added the ability to inspect HTTPS,  but I don't have a copy of TMG in front of me to look that over to see how that is implemented.  If it gives you the ability to disable HTTPS Inspection on an individual Rule-by-Rule basis then you would do it in the Rule that you should have already created to be dedicated to the Linux box.

4. We haven't even touched on the inbound side of things yet,...and I am not really convinced yet that there really is any Inbound traffic in this to start with (from what I have read so far).  You have also not clearly described the TMG implementation as to if this is a normal multi-homed TMG operating as a true Firewall (as it was designed to) or if this is a single-NIC implementation in a "web caching only" scenario which is pretty much a total waste of time.

5. The Google thing for "web filtering" is probably going to totally screw you over,...just give it time,...it will happen.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35156919
You should never use GPO to force proxy settings.  It is too rigid and cannot compensate for changing situations.

For automatically configuring clients to use the proxy you need to use WPAD with both DNS and DHCP.
0
 
LVL 1

Author Comment

by:BigMonkeyHead
ID: 35157146
1.  PHP can issue HTTP requests over proxy - yes, I realize that it's the web server doing the real work here, the main thing is that it would be a lot of programming to rewrite all the requests (and it's the vendor's code anyway).

2.  I think we're good to go here.  I have 2 web access rules - one for the Linux box itself and one for authenticated users.

4.  We have inbound traffic too.  I had to open other ports to both TCP and UDP traffic inbound and outbound for this device.

5.  We use Google Postini / ScanSafe primarily for email spam and virus filtering, but it can be good to curb web usage as well.

GPO proxy - *shrug* It works for us.  We're a pretty small shop.  Thanks for your help - I've climbed the TMG learning curve quite a bit in the last few days!!
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35158166
Ok,..good luck.
Post back if it doesn't go well.
0
 
LVL 1

Author Closing Comment

by:BigMonkeyHead
ID: 35321794
Sorry for the delay - thought this had already been awarded.
0
