Forefront TMG Cannot Authenticate

I am receiving "Cannot authenticate to Forefront TMG <My Server>" from non domain joined systems when running the Forefront TMG Client software.

I have a dedicated network for internet cafe, auditors, etc. Within Forefront this has been established with a separate subnet and set of web access rules. I have verified that the "Require all users to authenticate" checkbox for the Cafe network isn't checked.

When in the client I enter the server name and add the hostname to the HOSTS file - we use external DNS for this range - it appears that the Forefront client should work. I've also tried using just the IP address.

All the documentation I've seen has referred to SecureNAT clients having this problem. These systems are not yet configured to use Forefront as the gateway so I don't see how it can apply. Any suggestions on a route forward would be much appreciated.
Asked by timbrigham
1 Solution
 
Suliman Abu Kharroub, IT Consultant, commented:
Do you have a default gateway assigned on the client? If so, delete it and try...

CMD-->route print
 
timbrigham (Author) commented:
I've now tried the following three configurations, all with the client enabled:
  • No gateway set on the test system
  • The gateway set as the PIX (192.168.10.1)
  • The gateway set as Forefront (192.168.10.254)

All three cases exhibit the same behavior. The route print commands display exactly what I would expect in all three cases.
Gateway set to PIX
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.6       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.10.0    255.255.255.0     192.168.10.6    192.168.10.6       20
     192.168.10.6  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.10.255  255.255.255.255     192.168.10.6    192.168.10.6       20
        224.0.0.0        240.0.0.0     192.168.10.6    192.168.10.6       20
  255.255.255.255  255.255.255.255     192.168.10.6    192.168.10.6       1
Default Gateway:      192.168.10.1

No default gateway configured
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.10.0    255.255.255.0     192.168.10.6    192.168.10.6       20
     192.168.10.6  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.10.255  255.255.255.255     192.168.10.6    192.168.10.6       20
        224.0.0.0        240.0.0.0     192.168.10.6    192.168.10.6       20
  255.255.255.255  255.255.255.255     192.168.10.6    192.168.10.6       1

Gateway configured as Forefront
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.10.254    192.168.10.6       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.10.0    255.255.255.0     192.168.10.6    192.168.10.6       20
     192.168.10.6  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.10.255  255.255.255.255     192.168.10.6    192.168.10.6       20
        224.0.0.0        240.0.0.0     192.168.10.6    192.168.10.6       20
  255.255.255.255  255.255.255.255     192.168.10.6    192.168.10.6       1
Default Gateway:    192.168.10.254

Suliman Abu Kharroub, IT Consultant, commented:
OK then, what do you have on the access rule on TMG under the Users tab? All users? Authenticated users? What is the rule order? Is there any allow rule above it?

Please use the traffic simulator on the TMG server to simulate the traffic (specify a user there). Is it allowed? Then we can look at the client.
 
timbrigham (Author) commented:
I have All Users under the relevant TMG rule. There are rules above it in the chain, but the Outbound Cafe set are the only ones that do anything with this source subnet.
Using the simulator from 192.168.10.6 (my test system): all ports to http://www.google.com with anonymous traffic. The simulator and the traffic that passes when I manually set the system internet proxy settings both use the 'Cafe Allow Web Access' rule (a copy of the rules from the Web Publishing Wizard).
 
Suliman Abu Kharroub, IT Consultant, commented:
Windows can't authenticate against ISA/TMG using the default gateway (SecureNAT). Only the Firewall Client and Web Proxy support authentication...

You should use the proxy or the Firewall Client if you don't have "All Users" under the Users tab on the access rule.
 
timbrigham (Author) commented:
I understand that - that is exactly why I have the Forefront Firewall Client installed on this system.
This is also why I have the "All users" defined on the access rule.

The Firewall Client is still reporting the error authenticating. What I don't understand is why.
 
Suliman Abu Kharroub, IT Consultant, commented:
http://technet.microsoft.com/en-us/library/dd897048.aspx

"Firewall client requests automatically include user credentials. To authenticate these requests, Forefront TMG should belong to a domain. In a workgroup environment, you can authenticate requests with user accounts that are mirrored to accounts stored in the local Security Accounts Manager (SAM) on the Forefront TMG server, although this requires some administrative overhead for secure management."
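The thread ends up checking four things on the non-domain client by hand: domain membership (the Firewall Client sends the logged-on user's credentials, which TMG can only validate against a domain account or a mirrored local SAM account), name resolution of the TMG server via the HOSTS entry, the default gateway shown by route print, and whether the Firewall Client control channel is reachable. The PowerShell below is an added diagnostic that gathers all four on the client; it is not from the thread or from Microsoft. The server name is a placeholder, and TCP port 1745 for the Firewall Client control channel is an assumption to replace with your configured value.

```powershell
# Added example, not from the thread. Run on the workgroup client showing
# "Cannot authenticate to Forefront TMG <server>". Requires PowerShell 3+.
param(
    [string]$TmgServer  = 'TMG-SERVER-PLACEHOLDER',  # assumed; use the name in your HOSTS file
    [int]$ControlPort   = 1745                        # assumed Firewall Client control port (TCP)
)

function Test-TmgFirewallClient {
    param([string]$Server, [int]$Port)
    $cs = Get-CimInstance Win32_ComputerSystem
    $r = [ordered]@{
        ComputerName  = $cs.Name
        DomainJoined  = [bool]$cs.PartOfDomain        # $false on a workgroup machine
        DomainOrGroup = $cs.Domain
        CurrentUser   = "$env:USERDOMAIN\$env:USERNAME"  # what the Firewall Client presents
    }
    # Name resolution honours HOSTS entries, so this mirrors what the client will do.
    try {
        $r.ResolvedTo = ([System.Net.Dns]::GetHostAddresses($Server) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }) -join ','
    } catch { $r.ResolvedTo = "UNRESOLVED: $($_.Exception.Message)" }
    # Default gateway on IP-enabled adapters (same data as the 0.0.0.0 row in route print).
    $gw = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
        ForEach-Object { $_.DefaultIPGateway } | Where-Object { $_ }
    $r.DefaultGateway = if ($gw) { $gw -join ',' } else { '(none)' }
    # TCP reachability of the control channel with a 3-second timeout.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($Server, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne(3000)) { $tcp.EndConnect($ar); $r.ControlPortOpen = $true }
        else { $r.ControlPortOpen = $false }
    } catch { $r.ControlPortOpen = $false } finally { $tcp.Close() }
    # Tie the findings back to the quoted TechNet note on credentials.
    $r.Diagnosis = if (-not $r.DomainJoined) {
        "Workgroup client: $($r.CurrentUser) must exist as a matching account TMG can validate " +
        "(domain account, or a mirrored local SAM account on the TMG server), or authentication fails."
    } else { 'Domain-joined client: review rule order and the Users tab on the TMG access rule.' }
    [pscustomobject]$r
}

Test-TmgFirewallClient -Server $TmgServer -Port $ControlPort | Format-List
```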