Solved

TMG 2010 - configure server to bypass/passthru

Posted on 2011-03-14
Last Modified: 2013-12-23
Really hoping to get some help here, as I'm stuck.

We have TMG 2010 installed on our system and all of our users' web browsers are configured to go thru port 8080 for both HTTP and HTTPS traffic on the TMG server.  The rule allows access for authenticated users - the traffic then gets routed through Google Postini for web filtering.

I'm installing a new Linux-based backup server that needs access to inbound and outbound traffic on ports 22, 123, and 143 (for off-site backups).  It also needs HTTP and HTTPS access.  It can access HTTP pages, but I'm getting an error when trying to access HTTPS:  SSL received a record that exceeded maximum possible length.

This condition is repeatable using a Windows laptop plugged into the network: :80 works fine, :443 doesn't.

Is there an easy way to configure the server to pass straight thru TMG? The vendor states that the product does not support using a proxy server.

Spent a couple hours on the phone with support with no resolution on this :(  can anyone here help?
Question by: BigMonkeyHead
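The error text in the question is what a TLS client reports when the five bytes it reads as a TLS record header are not a TLS header at all, most often because a web proxy answered the port 443 connection with a plaintext HTTP response. The following Python script is an added diagnostic, not part of the original thread or of TMG; it builds a real ClientHello with the standard ssl module, sends it to a host, and classifies the first bytes of the reply. The sample replies at the bottom are constructed for offline use, and the 407 status line is only an illustration of a proxy answering, not a capture from the poster's network.

```python
"""Diagnose why a browser reports "SSL received a record that exceeded
maximum possible length" on port 443 when a web proxy may be intercepting
the connection.  Added example; it is not code from the thread or from TMG."""
import socket
import ssl
import struct

# TLS record content types (RFC 5246, section 6.2.1)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# A TLS 1.2 record carries at most 2^14 bytes of plaintext plus 2048 bytes of expansion.
TLS_MAX_RECORD_LEN = 16384 + 2048


def classify_first_bytes(data: bytes) -> tuple[str, str]:
    """Classify the first bytes a server sends back after our ClientHello.

    Returns (kind, detail) with kind one of "tls", "http", "short", "unknown".
    A plaintext HTTP reply is what a proxy answering the connection itself sends;
    read as a TLS record header its length field is far too large, which is the
    "record exceeded maximum possible length" condition the browser reports.
    """
    if len(data) < 5:
        return "short", "fewer than 5 bytes received (connection closed early?)"
    content_type, ver_major, _ver_minor, length = struct.unpack("!BBBH", data[:5])
    if content_type in TLS_CONTENT_TYPES and ver_major == 3 and length <= TLS_MAX_RECORD_LEN:
        return "tls", f"{TLS_CONTENT_TYPES[content_type]} record, {length} bytes"
    if data.startswith(b"HTTP/"):
        status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return "http", (f"plaintext reply '{status_line}'; parsed as a TLS header the length "
                        f"field reads {length}, above the {TLS_MAX_RECORD_LEN}-byte limit")
    return "unknown", f"first bytes {data[:5].hex()} are neither TLS nor HTTP"


def build_client_hello(server_name: str) -> bytes:
    """Produce a genuine ClientHello with the ssl module, without touching the network."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we only want the bytes, not a verified session
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello has been written, no server reply is available yet
    return outgoing.read()


def probe(host: str, port: int = 443, timeout: float = 5.0) -> tuple[str, str]:
    """Send a ClientHello to host:port and classify whatever comes back (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_first_bytes(reply)


# Constructed samples (not captured from any real network) so the classifier runs offline.
SAMPLE_TLS_SERVER_HELLO = b"\x16\x03\x03\x00\x5a" + b"\x02\x00\x00\x56\x03\x03" + b"\x00" * 84
SAMPLE_PROXY_REPLY = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                      b"Proxy-Authenticate: Negotiate\r\n\r\n")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # e.g. python probe.py www.example.com
    else:
        for sample in (SAMPLE_TLS_SERVER_HELLO, SAMPLE_PROXY_REPLY, b""):
            print(classify_first_bytes(sample))
```

Run it from the Linux box with a hostname argument: a "tls" result means port 443 reaches the destination directly, while an "http" result means something on the path (here, the TMG web proxy filter with an authenticated-users rule) is answering the connection in plain HTTP, which is the condition to fix on the firewall rather than on the client.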
13 Comments
Expert Comment by simonlimon (LVL 10, ID: 35136147)
I would create an access rule, allowing ports 80, 443, 22, 123 and 143. Allow it for all users, and source IP as that of the Linux server. I would also place this rule to be processed before the web proxy rule using the "Move up" function...
Accepted Solution by pwindell (LVL 29, earned 1000 total points, ID: 35140113)
You can't "allow ports" in ISA/TMG.  That is just the wrong way to even think about it.  You have to think about it as allowing certain Sources to use certain Protocols to get to certain places.

There is no such thing as "inbound and outbound".   You can allow traffic outbound,....and you can allow traffic inbound,...but they are two entirely separate processes that are performed separately.

What protocols is it using?  I don't want to hear anything about port numbers,...I want to know protocols.  Then I need to know which protocols are outbound and which ones are inbound (separately).  For example HTTP outbound is not the same protocol in ISA/TMG as HTTP coming inbound.

If the product is using Custom Protocols on Custom Ports (like maybe the 22, 123, 143) then I need to know that in detail.
Assisted Solution by simonlimon (LVL 10, earned 1000 total points, ID: 35143042)
Sorry about that, I should have been more specific.

Define protocol definitions: define what ports they are and whether they are inbound or outbound.

And then allow the protocols for the All Users object originating from a specific IP.
Expert Comment by pwindell (LVL 29, ID: 35147576)
It's ok Simon. Wasn't targeting you,..was meant in a more general informational way.  I just like to help people clarify their thinking on that,..it helps with thinking through the config on ISA/TMG.

We haven't heard back from the OP on this.  Without more specifics not much can be done here.
Assisted Solution by BigMonkeyHead (LVL 1, earned 0 total points, ID: 35152093)
Turns out that the protocols for HTTP and HTTPS inside TMG were set to use the Web Proxy Filter (under Parameters tab for each protocol).  This had the effect of forcing all HTTP(S) traffic through TMG (even on the TMG host machine).

This wouldn't work because my Linux server has some PHP scripts that hit HTTPS addresses - and since the scripts aren't configured to use the TMG proxy, they'd always fail.  Unchecking the web proxy filter settings on the HTTP and HTTPS protocols in TMG fixed the problem.

Thanks for the heads up on specifying protocol vs ports.  I'm pretty new to TMG, so that's a good piece of info to have.  :)
Expert Comment by simonlimon (LVL 10, ID: 35152280)
But be aware you disabled web proxy for all your users now... Create a new protocol definition for HTTP without web proxy and link that protocol to this rule; that is, if you need the web proxy for the users. Thanks for the points, btw.
Author Comment by BigMonkeyHead (LVL 1, ID: 35156084)
Internet Explorer is configured to use the proxy per group policy and can't be changed by the user.  I think we're ok.  ??
Expert Comment by pwindell (LVL 29, ID: 35156265)
You're going all wrong with this!!!!  It doesn't work like you are thinking and things are not happening the way you think they are for the reasons you think they are.

Stop what you are doing and put the HTTP Filter back on the Protocol!!!

It's going to take me maybe a half hour or so to come back to this and address it,...I'm right in the middle of something,...so hang on.
Expert Comment by pwindell (LVL 29, ID: 35156632)
Turns out that the protocols for HTTP and HTTPS inside TMG were set to use the Web Proxy Filter (under Parameters tab for each protocol).  This had the effect of forcing all HTTP(S) traffic through TMG (even on the TMG host machine).

Supposed to be. Leave it that way. Don't change it.

This wouldn't work because my Linux server has some PHP scripts that hit HTTPS addresses - and since the scripts aren't configured to use the TMG proxy, they'd always fail.  Unchecking the web proxy filter settings on the HTTP and HTTPS protocols in TMG fixed the problem.

Couple misconceptions here.
1. Scripts don't access anything,...they are just text files.   It is the "web server" running on the Linux box that makes the communication according to what the scripts tell it to do when they are interpreted and executed by the script engine.  It is the running Web Server on the Linux box that needs to access the destination,...not the scripts.

2. The Web Service on the Linux box is not going to authenticate to the ISA and it is not, and never would be, expected to.  Therefore you have no HTTP/HTTPS Rule in place to allow this to happen because you said in the first Post that the Rule was set for Authenticated Users.   You can't do that.  You need dedicated anonymous HTTP/HTTPS Rules for just this Linux box all by itself.

3. There are some very rare cases where something won't work through the HTTP Application Filter,...most often because the HTTP being used is not RFC Compliant HTTP or is just not even true HTTP at all.   HTTPS is never "inspected" with ISA2004/2006 due to the encryption; HTTPS does not even have the Application Filter associated with it to begin with,...the Filter is only with HTTP.  With TMG, it has added the ability to inspect HTTPS,  but I don't have a copy of TMG in front of me to look that over to see how that is implemented.  If it gives you the ability to disable HTTPS Inspection on an individual Rule-by-Rule basis then you would do it in the Rule that you should have already created to be dedicated to the Linux box.

4. We haven't even touched on the inbound side of things yet,...and I am not really convinced yet that there really is any Inbound traffic in this to start with (from what I have read so far).  You have also not clearly described the TMG implementation as to if this is a normal multi-homed TMG operating as a true Firewall (as it was designed to) or if this is a single-NIC implementation in a "web caching only" scenario which is pretty much a total waste of time.

5. The Google thing for "web filtering" is probably going to totally screw you over,...just give it time,...it will happen.
Expert Comment by pwindell (LVL 29, ID: 35156919)
You should never use GPO to force proxy settings.  It is too rigid and cannot compensate for changing situations.

For automatically configuring clients to use the proxy you need to use WPAD with both DNS and DHCP.
Author Comment by BigMonkeyHead (LVL 1, ID: 35157146)
1.  PHP can issue HTTP requests over proxy - yes, I realize that it's the web server doing the real work here, the main thing is that it would be a lot of programming to rewrite all the requests (and it's the vendor's code anyway).

2.  I think we're good to go here.  I have 2 web access rules - one for the Linux box itself and one for authenticated users.

4.  We have inbound traffic too.  I had to open other ports to both TCP and UDP traffic inbound and outbound for this device.

5.  We use Google Postini / ScanSafe primarily for email spam and virus filtering, but it can be good to curb web usage as well.

GPO proxy - *shrug* It works for us.  We're a pretty small shop.  Thanks for your help - I've climbed the TMG learning curve quite a bit in the last few days!!
Expert Comment by pwindell (LVL 29, ID: 35158166)
Ok,..good luck.
Post back if it doesn't go well.
Author Closing Comment by BigMonkeyHead (LVL 1, ID: 35321794)
Sorry for the delay - thought this had already been awarded.