• Status: Solved
  • Priority: Medium
  • Security: Public

TMG 2010 - configure server to bypass/passthru

Really hoping to get some help here, as I'm stuck.

We have TMG 2010 installed on our system and all of our users' web browsers are configured to go thru port 8080 for both HTTP and HTTPS traffic on the TMG server.  The rule allows access for authenticated users - the traffic then gets routed through Google Postini for web filtering.

I'm installing a new Linux-based backup server that needs access to inbound and outbound traffic on ports 22, 123, and 143 (for off-site backups).  It also needs HTTP and HTTPS access.  It can access HTTP pages, but I'm getting an error when trying to access HTTPS:  SSL received a record that exceeded maximum possible length.

This condition is repeatable using a Windows laptop plugged into the network: :80 works fine, :443 doesn't.

Is there an easy way to configure the server to pass straight thru TMG? The vendor states that the product does not support using a proxy server.

Spent a couple hours on the phone with support with no resolution on this :(  can anyone here help?
Asked: BigMonkeyHead
3 Solutions
 
simonlimon Commented:
I would create an access rule, allowing ports 80 443, 22, 123 and 143. Allow it for all users, and source IP as that of the linux server. I would also place this rule to be processed before the web proxy rule using the "Move up" function...
pwindell Commented:
You can't "allow ports" in ISA/TMG.  That is just the wrong way to even think about it.  You have to think about it as allowing certain Sources to use certain Protocols to get to certain places.

There is no such thing as "inbound and outbound".   You can allow traffic outbound,....and you can allow traffic inbound,...but they are two entirely separate processes that are performed separately.

What protocols is it using?  I don't want to hear anything about port numbers,...I want to know protocols.  Then I need to know which protocols are outbound and which ones are inbound (separately).  For example HTTP outbound is not the same protocol in ISA/TMG as HTTP coming inbound.

If the product is using Custom Protocols on Custom Ports (like maybe the 22, 123, 143) then I need to know that in detail.
simonlimon Commented:
Sorry about that, I should have been more specific,

Define protocol definitions: define which ports they use and whether they are inbound or outbound.

And then allow the protocols for all users object originating from a specific IP.
pwindell Commented:
It's ok Simon. Wasn't targeting you,..was meant in a more general informational way.  I just like to help people clarify their thinking on that,..it helps with thinking through the config on ISA/TMG.

We haven't heard back from the OP on this.  Without more specifics not much can be done here.
BigMonkeyHead (Author) Commented:
Turns out that the protocols for HTTP and HTTPS inside TMG were set to use the Web Proxy Filter (under Parameters tab for each protocol).  This had the effect of forcing all HTTP(S) traffic through TMG (even on the TMG host machine).

This wouldn't work because my Linux server has some PHP scripts that hit HTTPS addresses - and since the scripts aren't configured to use the TMG proxy, they'd always fail.  Unchecking the web proxy filter settings on the HTTP and HTTPS protocols in TMG fixed the problem.

Thanks for the heads up on specifying protocol vs ports.  I'm pretty new to TMG, so that's a good piece of info to have.  :)
simonlimon Commented:
But be aware you disabled the web proxy for all your users now... Create a new protocol definition for HTTP w/o the web proxy and link that protocol to this rule. That is, if you need the web proxy for the users. Thanks for the point btw.
BigMonkeyHead (Author) Commented:
Internet Explorer is configured to use the proxy per group policy and can't be changed by the user.  I think we're ok.  ??
pwindell Commented:
You're going all wrong with this!!!!  It doesn't work like you are thinking and things are not happening the way you think they are for the reasons you think they are.

Stop what you are doing and put the HTTP Filter back on the Protocol!!!

It's going to take me maybe a half hour or so to come back to this and address it,...I'm right in the middle of something,...so hang on.
pwindell Commented:
Turns out that the protocols for HTTP and HTTPS inside TMG were set to use the Web Proxy Filter (under Parameters tab for each protocol).  This had the effect of forcing all HTTP(S) traffic through TMG (even on the TMG host machine).

Supposed to be. Leave it that way. Don't change it.

This wouldn't work because my Linux server has some PHP scripts that hit HTTPS addresses - and since the scripts aren't configured to use the TMG proxy, they'd always fail.  Unchecking the web proxy filter settings on the HTTP and HTTPS protocols in TMG fixed the problem.

Couple misconceptions here.
1. Scripts don't access anything,...they are just text files.   It is the "web server" running on the Linux box that makes the communication according to what the scripts tell it to do when they are interpreted and executed by the script engine.  It is the running Web Server on the Linux box that needs to access the destination,...not the scripts.

2. The Web Service on the Linux box is not going to authenticate to the ISA and it is not, and never would be, expected to.  Therefore you have no HTTP/HTTPS Rule in place to allow this to happen because you said in the first Post that the Rule was set for Authenticated Users.   You can't do that.  You need dedicated anonymous HTTP/HTTPS Rules for just this Linux box all by itself.

3. There are some very rare cases where something won't work through the HTTP Application Filter,...most often because the HTTP being used is not RFC Compliant HTTP or is just not even true HTTP at all.   HTTPS is never "inspected" with ISA2004/2006 due to the encryption; HTTPS does not even have the Application Filter associated with it to begin with,...the Filter is only with HTTP.  With TMG, it has added the ability to inspect HTTPS,  but I don't have a copy of TMG in front of me to look that over to see how that is implemented.  If it gives you the ability to disable HTTPS Inspection on an individual Rule-by-Rule basis then you would do it in the Rule that you should have already created to be dedicated to the Linux box.

4. We haven't even touched on the inbound side of things yet,...and I am not really convinced yet that there really is any Inbound traffic in this to start with (from what I have read so far).  You have also not clearly described the TMG implementation as to if this is a normal multi-homed TMG operating as a true Firewall (as it was designed to) or if this is a single-NIC implementation in a "web caching only" scenario which is pretty much a total waste of time.

5. The Google thing for "web filtering" is probably going to totally screw you over,...just give it time,...it will happen.
pwindell Commented:
You should never use GPO to force proxy settings.  It is too rigid and cannot compensate for changing situations.

For automatically configuring clients to use the proxy you need to use WPAD with both DNS and DHCP.
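A PAC script for the WPAD approach recommended above, as an added example that is not from this thread: browsers fetch it as wpad.dat (located via the DNS "wpad" name and/or DHCP option 252), send internal destinations DIRECT and everything else to the TMG proxy on port 8080. The proxy name tmg-proxy.corp.example and the internal DNS suffix corp.example are assumptions.

```javascript
// Added example (not from the thread). Assumed names: tmg-proxy.corp.example
// is the TMG server listening on 8080; corp.example is the internal DNS suffix.
// Browsers call FindProxyForURL(url, host) once per request.

// Browsers provide these helper functions themselves; small shims are included
// so the script also runs stand-alone under Node for testing.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}
function ipToInt(ip) {
  var p = ip.split(".").map(Number);
  if (p.length !== 4 ||
      p.some(function (n) { return isNaN(n) || n < 0 || n > 255; })) return null;
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}
function isInNet(host, pattern, mask) {
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false; // host is a name, not an IP
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

var TMG_PROXY = "PROXY tmg-proxy.corp.example:8080";

function FindProxyForURL(url, host) {
  // Internal destinations bypass the proxy: bare intranet names, the internal
  // DNS suffix, loopback and the RFC 1918 private ranges.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example") ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else, HTTP and HTTPS alike, goes to TMG on 8080. Deliberately no
  // "; DIRECT" fallback: a proxy outage must not silently bypass the web filtering rule.
  return TMG_PROXY;
}
```

A host that cannot use a proxy at all, like the backup server in this thread, still needs its own anonymous access rule on TMG; the PAC only steers clients that honour WPAD.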
BigMonkeyHead (Author) Commented:
1.  PHP can issue HTTP requests over proxy - yes, I realize that it's the web server doing the real work here, the main thing is that it would be a lot of programming to rewrite all the requests (and it's the vendor's code anyway).

2.  I think we're good to go here.  I have 2 web access rules - one for the Linux box itself and one for authenticated users.

4.  We have inbound traffic too.  I had to open other ports to both TCP and UDP traffic inbound and outbound for this device.

5.  We use Google Postini / ScanSafe primarily for email spam and virus filtering, but it can be good to curb web usage as well.

GPO proxy - *shrug* It works for us.  We're a pretty small shop.  Thanks for your help - I've climbed the TMG learning curve quite a bit in the last few days!!
pwindell Commented:
Ok,..good luck.
Post back if it doesn't go well.
BigMonkeyHead (Author) Commented:
Sorry for the delay - thought this had already been awarded.