Solved

TMG 2010 - configure server to bypass/passthru

Posted on 2011-03-14
5,366 Views
Last Modified: 2013-12-23
Really hoping to get some help here, as I'm stuck.

We have TMG 2010 installed on our system and all of our users' web browsers are configured to go thru port 8080 for both HTTP and HTTPS traffic on the TMG server.  The rule allows access for authenticated users - the traffic then gets routed through Google Postini for web filtering.

I'm installing a new Linux-based backup server that needs access to inbound and outbound traffic on ports 22, 123, and 143 (for off-site backups).  It also needs HTTP and HTTPS access.  It can access HTTP pages, but I'm getting an error when trying to access HTTPS:  SSL received a record that exceeded maximum possible length.

This condition is repeatable using a Windows laptop plugged into the network - :80 works fine :443 doesn't.

Is there an easy way to configure the server to pass straight thru TMG? The vendor states that the product does not support using a proxy server.

Spent a couple hours on the phone with support with no resolution on this :(  can anyone here help?
Question by:BigMonkeyHead
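The error quoted in the question ("SSL received a record that exceeded maximum possible length") is what a TLS client reports when the bytes that come back on port 443 are not TLS at all, which is consistent with an intercepting proxy answering the ClientHello with a plaintext HTTP error page. The script below is an added example, not part of this thread and not vendor code. It decodes the first five bytes of a reply as a TLS record header, showing that any "HTTP/..." status line parses as content type 0x48, version 0x54.0x54 and record length 0x502F = 20527 bytes, above the 18432-byte maximum, and it includes a live probe that sends a minimal ClientHello so the check can be run from the affected Linux box. The sample proxy reply (and its 502 status) is constructed; nothing here depends on TMG specifics.

```python
"""Why a proxy-unaware HTTPS client sees "record exceeded maximum length" behind an
intercepting web proxy: the proxy answers the TLS ClientHello with a plaintext HTTP page,
and the client parses "HTTP/" as a TLS record header.  Added example, not from the thread."""
import os
import socket
import struct

# RFC 5246 6.2.3: a TLSCiphertext fragment may not exceed 2^14 + 2048 bytes.
TLS_MAX_RECORD = 2 ** 14 + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def classify_reply(first_bytes: bytes) -> dict:
    """Decode the first five bytes returned after a ClientHello as a TLS record header."""
    if len(first_bytes) < 5:
        return {"verdict": "too_short", "content_type": None, "version": None,
                "record_length": None, "max_record": TLS_MAX_RECORD}
    ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    if first_bytes.startswith(b"HTTP/"):
        verdict = "plaintext_http"   # an HTTP status line where a ServerHello was expected
    elif ctype in TLS_CONTENT_TYPES and major == 3 and length <= TLS_MAX_RECORD:
        verdict = "tls"              # ServerHello (22) or an alert (21): the peer speaks TLS
    else:
        verdict = "not_tls"
    return {"verdict": verdict, "content_type": ctype, "version": (major, minor),
            "record_length": length, "max_record": TLS_MAX_RECORD}


def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello (no extensions): enough to make any TLS server answer,
    with a ServerHello or at worst a handshake_failure alert, both of which are TLS."""
    body = b"\x03\x03" + os.urandom(32) + b"\x00"       # client_version, random, empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"          # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"                                 # one compression method (null)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, uint24 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check from the affected machine: send a ClientHello, classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        first = b""
        while len(first) < 5:
            chunk = sock.recv(5 - len(first))
            if not chunk:
                break
            first += chunk
    return classify_reply(first)


# Constructed sample of what an intercepting web proxy might return to a ClientHello it
# cannot parse as HTTP.  The status code is a guess; only the leading "HTTP/" bytes matter.
SAMPLE_PROXY_REPLY = b"HTTP/1.1 502 Proxy Error\r\nContent-Type: text/html\r\n\r\n<html>..."


if __name__ == "__main__":
    import sys
    print(classify_reply(SAMPLE_PROXY_REPLY))   # type 0x48 ('H'), version (0x54, 0x54), length 20527 > 18432
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

Run it from the Linux box as `python3 tls_probe.py www.example.com`: a `tls` verdict means the far end really spoke TLS (even an alert counts); `plaintext_http` means something in the path, here the proxy, answered the handshake with HTTP, which is exactly the condition that produces the browser error in the question.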
13 Comments
 
LVL 10

Expert Comment

by:simonlimon
ID: 35136147
I would create an access rule, allowing ports 80, 443, 22, 123 and 143. Allow it for all users, and source IP as that of the Linux server. I would also place this rule to be processed before the web proxy rule using the "Move up" function...
 
LVL 29

Accepted Solution

by:
pwindell earned 250 total points
ID: 35140113
You can't "allow ports" in ISA/TMG.  That is just the wrong way to even think about it.  You have to think about it as allowing certain Sources to use certain Protocols to get to certain places.

There is no such thing as "inbound and outbound".   You can allow traffic outbound,....and you can allow traffic inbound,...but they are two entirely separate processes that are performed separately.

What protocols is it using?  I don't want to hear anything about port numbers,...I want to know protocols.  Then I need to know which protocols are outbound and which ones are inbound (separately).  For example HTTP outbound is not the same protocol in ISA/TMG as HTTP coming inbound.

If the product is using Custom Protocols on Custom Ports (like maybe the 22, 123, 143) then I need to know that in detail.
 
LVL 10

Assisted Solution

by:simonlimon
simonlimon earned 250 total points
ID: 35143042
Sorry about that, I should have been more specific,

Define protocol definitions: define what ports they use and whether they are inbound or outbound.

And then allow the protocols for the all users object originating from a specific IP.
 
LVL 29

Expert Comment

by:pwindell
ID: 35147576
It's ok Simon. Wasn't targeting you,..was meant in a more general informational way.  I just like to help people clarify their thinking on that,..it helps with thinking through the config on ISA/TMG.

We haven't heard back from the OP on this.  Without more specifics not much can be done here.
 
LVL 1

Assisted Solution

by:BigMonkeyHead
BigMonkeyHead earned 0 total points
ID: 35152093
Turns out that the protocols for HTTP and HTTPS inside TMG were set to use the Web Proxy Filter (under Parameters tab for each protocol).  This had the effect of forcing all HTTP(S) traffic through TMG (even on the TMG host machine).

This wouldn't work because my Linux server has some PHP scripts that hit HTTPS addresses - and since the scripts aren't configured to use the TMG proxy, they'd always fail.  Unchecking the web proxy filter settings on the HTTP and HTTPS protocols in TMG fixed the problem.

Thanks for the heads up on specifying protocol vs ports.  I'm pretty new to TMG, so that's a good piece of info to have.  :)
 
LVL 10

Expert Comment

by:simonlimon
ID: 35152280
But be aware you have disabled the web proxy for all your users now... create a new protocol definition for HTTP w/o the web proxy and link that protocol to this rule. That is, if you need the web proxy for the users. Thanks for the points btw.


 
LVL 1

Author Comment

by:BigMonkeyHead
ID: 35156084
Internet Explorer is configured to use the proxy per group policy and can't be changed by the user.  I think we're ok.  ??
 
LVL 29

Expert Comment

by:pwindell
ID: 35156265
You're going all wrong with this!!!!  It doesn't work like you are thinking and things are not happening the way you think they are for the reasons you think they are.

Stop what you are doing and put the HTTP Filter back on the Protocol!!!

It's going to take me maybe a half hour or so to come back to this and address it,...I'm right in the middle of something,...so hang on.
 
LVL 29

Expert Comment

by:pwindell
ID: 35156632
Turns out that the protocols for HTTP and HTTPS inside TMG were set to use the Web Proxy Filter (under Parameters tab for each protocol).  This had the effect of forcing all HTTP(S) traffic through TMG (even on the TMG host machine).

Supposed to be. Leave it that way. Don't change it.

This wouldn't work because my Linux server has some PHP scripts that hit HTTPS addresses - and since the scripts aren't configured to use the TMG proxy, they'd always fail.  Unchecking the web proxy filter settings on the HTTP and HTTPS protocols in TMG fixed the problem.

Couple misconceptions here.
1. Scripts don't access anything,...they are just text files.   It is the "web server" running on the Linux box that makes the communication according to what the scripts tell it to do when they are interpreted and executed by the script engine.  It is the running Web Server on the Linux box that needs to access the destination,...not the scripts.

2. The Web Service on the Linux box is not going to authenticate to the ISA and it is not, and never would be, expected to.  Therefore you have no HTTP/HTTPS Rule in place to allow this to happen because you said in the first Post that the Rule was set for Authenticated Users.   You can't do that.  You need dedicated anonymous HTTP/HTTPS Rules for just this Linux box all by itself.

3. There are some very rare cases where something won't work through the HTTP Application Filter,...most often because the HTTP being used is not RFC Compliant HTTP or is just not even true HTTP at all.   HTTPS is never "inspected" with ISA2004/2006 due to the encryption, HTTPS does not even have the Application Filter associated with it to begin with,...the Filter is only with HTTP.  With TMG, it has added the ability to inspect HTTPS,  but I don't have a copy of TMG in front of me to look that over to see how that is implemented.  If it gives you the ability to disable HTTPS Inspection on an individual Rule-by-Rule basis then you would do it in the Rule that you should have already created to be dedicated to the Linux box.

4. We haven't even touched on the inbound side of things yet,...and I am not really convinced yet that there really is any Inbound traffic in this to start with (from what I have read so far).  You have also not clearly described the TMG implementation as to if this is a normal multi-homed TMG operating as a true Firewall (as it was designed to) or if this is a single-NIC implementation in a "web caching only" scenario which is pretty much a total waste of time.

5. The Google thing for "web filtering" is probably going to totally screw you over,...just give it time,...it will happen.
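To make the advice in this thread concrete (pwindell's "Sources using Protocols to get to places", the separate inbound and outbound definitions, the dedicated anonymous rule for the Linux box in point 2, and simonlimon's "Move up"), here is a small model of ordered access-rule matching. It is written for this page as an added example; it is not TMG's rule engine and not code from anyone in the thread. It assumes the Linux box is 10.0.0.50, that browsers are Web Proxy clients and the backup server is a SecureNAT (proxy-unaware) client, and it models the behaviour the thread's advice relies on: the first rule whose source and protocol match decides the request, so a rule that applies only to authenticated users, reached by an anonymous request, challenges a Web Proxy client and denies a SecureNAT client rather than being skipped. That is why the anonymous rule for the server must sit above the authenticated-users rule. Protocol names are chosen to resemble TMG's built-in list but are assumptions here, and inbound protocols are shown as separate definitions that access rules do not match at all.

```python
"""Ordered access-rule matching in the ISA/TMG style: sources x protocols x users x action,
first match wins.  Added example for this page; a simplified model, not TMG's engine."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Protocol:
    name: str
    transport: str      # "tcp" or "udp"
    port: int
    direction: str      # "outbound" or "inbound": a separate definition for each in TMG


@dataclass(frozen=True)
class Request:
    source_ip: str
    protocol: Protocol
    client_type: str                 # "webproxy" (browser via :8080) or "securenat" (proxy-unaware)
    user: Optional[str] = None       # None = anonymous


@dataclass(frozen=True)
class AccessRule:
    name: str
    sources: FrozenSet[str]          # source IPs, or {"*"} for any source
    protocols: FrozenSet[str]        # protocol names
    users: str                       # "all" or "authenticated"
    action: str                      # "permit" or "deny"


def evaluate(rules: List[AccessRule], req: Request) -> Tuple[str, str]:
    """Return (result, rule name).  Results: permit, deny, challenge, not_applicable."""
    if req.protocol.direction != "outbound":
        # Access rules only govern outbound traffic; inbound needs a publishing rule.
        return ("not_applicable", "inbound traffic needs a publishing rule")
    for rule in rules:
        if "*" not in rule.sources and req.source_ip not in rule.sources:
            continue
        if req.protocol.name not in rule.protocols:
            continue
        # Source and protocol match: this rule decides, so its user condition applies now.
        if rule.users == "authenticated" and req.user is None:
            if req.client_type == "webproxy":
                return ("challenge", rule.name)   # HTTP 407; a proxy-unaware app cannot answer it
            return ("deny", rule.name)            # a SecureNAT client cannot authenticate at all
        return (rule.action, rule.name)
    return ("deny", "Default rule")


# Protocol definitions (assumed names, modelled on TMG's built-in list).
HTTP = Protocol("HTTP", "tcp", 80, "outbound")
HTTPS = Protocol("HTTPS", "tcp", 443, "outbound")
SSH = Protocol("SSH", "tcp", 22, "outbound")
NTP = Protocol("NTP (UDP)", "udp", 123, "outbound")
IMAP = Protocol("IMAP4", "tcp", 143, "outbound")
SSH_SERVER = Protocol("SSH Server", "tcp", 22, "inbound")    # same port, a different protocol

BACKUP_SERVER = "10.0.0.50"   # assumed address of the Linux backup server

RULE_BACKUP_WEB = AccessRule("Backup server: anonymous web", frozenset({BACKUP_SERVER}),
                             frozenset({"HTTP", "HTTPS"}), "all", "permit")
RULE_BACKUP_CUSTOM = AccessRule("Backup server: off-site protocols", frozenset({BACKUP_SERVER}),
                                frozenset({"SSH", "NTP (UDP)", "IMAP4"}), "all", "permit")
RULE_USERS_WEB = AccessRule("Allow web for authenticated users", frozenset({"*"}),
                            frozenset({"HTTP", "HTTPS"}), "authenticated", "permit")

WRONG_ORDER = [RULE_USERS_WEB, RULE_BACKUP_WEB, RULE_BACKUP_CUSTOM]   # dedicated rule below the user rule
RIGHT_ORDER = [RULE_BACKUP_WEB, RULE_BACKUP_CUSTOM, RULE_USERS_WEB]   # after "Move up"

LINUX_HTTPS = Request(BACKUP_SERVER, HTTPS, "securenat")              # PHP on the backup server
LINUX_SSH = Request(BACKUP_SERVER, SSH, "securenat")
LINUX_SSH_IN = Request("203.0.113.9", SSH_SERVER, "securenat")        # off-site host connecting in
USER_BROWSER = Request("10.0.0.77", HTTPS, "webproxy", user="DOMAIN\\alice")
ANON_BROWSER = Request("10.0.0.77", HTTPS, "webproxy")
OTHER_HOST_SSH = Request("10.0.0.77", SSH, "securenat")


if __name__ == "__main__":
    for label, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        for req in (LINUX_HTTPS, LINUX_SSH, USER_BROWSER, ANON_BROWSER, OTHER_HOST_SSH, LINUX_SSH_IN):
            print(f"{label:11} {req.source_ip:13} {req.protocol.name:10} -> {evaluate(rules, req)}")
```

With the authenticated-users rule on top, the anonymous HTTPS request from the backup server is denied by that rule before the dedicated rule is ever reached; moving the dedicated rule above it permits the request without changing anything for browsers, which still get challenged (or permitted once they present credentials). The inbound SSH connection from the off-site host matches nothing here, which is the point pwindell makes about inbound being a separate process.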
 
LVL 29

Expert Comment

by:pwindell
ID: 35156919
You should never use GPO to force proxy settings.  It is too rigid and cannot compensate for changing situations.

For automatically configuring clients to use the proxy you need to use WPAD with both DNS and DHCP
 
LVL 1

Author Comment

by:BigMonkeyHead
ID: 35157146
1.  PHP can issue HTTP requests over proxy - yes, I realize that it's the web server doing the real work here, the main thing is that it would be a lot of programming to rewrite all the requests (and it's the vendor's code anyway).

2.  I think we're good to go here.  I have 2 web access rules - one for the Linux box itself and one for authenticated users.

4.  We have inbound traffic too.  I had to open other ports to both TCP and UDP traffic inbound and outbound for this device.

5.  We use Google Postini / ScanSafe primarily for email spam and virus filtering, but it can be good to curb web usage as well.

GPO proxy - *shrug* It works for us.  We're a pretty small shop.  Thanks for your help - I've climbed the TMG learning curve quite a bit in the last few days!!
 
LVL 29

Expert Comment

by:pwindell
ID: 35158166
Ok,..good luck.
Post back if it doesn't go well.
 
LVL 1

Author Closing Comment

by:BigMonkeyHead
ID: 35321794
sorry for the delay - thought this had already been awarded
