Solved

TMG web proxy

Posted on 2012-03-13
Last Modified: 2012-03-14
Hi all

When I put TMG proxy settings like http://proxy:8080/wpad.dat into the client's IE, no internet is available...

The TMG log shows that clients try to connect to http://"RRAS_IP":8080 ...

I have checked the NIC binding order and Internal is on top, RRAS at the bottom.

Any ideas on how to get the clients not to connect to the TMG RRAS IPs?

Thanks
Question by:jakobmarkussen

Author Comment

by:jakobmarkussen
ID: 37713434
I found this in wpad:

DirectNames=new MakeNames();
cDirectNames=3;
HttpPort="8080";
cNodes=1;
function MakeProxies(){
this[0]=new Node("10.45.205.199",1443312282,1.000000);
}   // excerpt ends here; the rest of the generated wpad.dat was not posted

10.45.205.4 should be 10.45.205.4 ..

So I found this:

After doing a little digging, I've found that this is actually a known issue with TMG.  If changing the binding order of the Network Interfaces doesn't help...either of the following can help with this issue.

1. Change to a static range of addresses for the VPN client.

...or...

2. Run the script found at the following link.  The blog references ISA 2006, but the script does work on TMG as well.  This script will force TMG to use its fully qualified domain name in the autoconfig script (instead of the IP).


http://blogs.technet.com/isablog/archive/2008/06/26/understanding-by-design-behavior-of-isa-server-2006-using-kerberos-authentication-for-web-proxy-requests-on-isa-server-2006-with-nlb.aspx
 

Some things to note before trying this script:
- It will restart the Firewall service, so you may want to try it after hours.
- It may take a few minutes for the change to apply.
- Verify TMG's FQDN and make sure that internal clients will resolve this name to 192.168.100.1 before running the script.

Regards,
Richard Barker (MSFT)

Will it be "safe" to run this script on TMG?

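The two checks above (which proxy address the generated wpad.dat advertises, and that it is the TMG internal address or FQDN rather than the RRAS interface) can be scripted. The example below is added here and is not from the thread or from TMG; the sample wpad.dat text is constructed from the excerpt posted above, and the "allowed" addresses are hypothetical.

```python
import re

# Constructed sample modelled on the TMG-generated wpad.dat excerpt in the
# thread (not a real capture): HttpPort plus the Node() entries IE will use.
SAMPLE_WPAD = """
DirectNames=new MakeNames();
cDirectNames=3;
HttpPort="8080";
cNodes=1;
function MakeProxies(){
this[0]=new Node("10.45.205.199",1443312282,1.000000);
}
"""

# TMG/ISA emit proxy nodes as: new Node("<host>",<hash>,<weight>)
NODE_RE = re.compile(r'new Node\("([^"]+)",\s*(\d+),\s*([\d.]+)\)')
PORT_RE = re.compile(r'HttpPort="(\d+)"')


def parse_tmg_wpad(text):
    """Return the web-proxy port and the proxy hosts advertised by a
    TMG/ISA-style autoconfig script."""
    port_match = PORT_RE.search(text)
    port = int(port_match.group(1)) if port_match else None
    nodes = [m.group(1) for m in NODE_RE.finditer(text)]
    return {"http_port": port, "nodes": nodes}


def unexpected_nodes(text, allowed):
    """Hosts in the script that are not in the allowed set (the TMG internal
    IP and/or its FQDN). Any hit means clients will be pointed at the wrong
    interface, as with the RRAS address in this thread."""
    parsed = parse_tmg_wpad(text)
    return [host for host in parsed["nodes"] if host not in allowed]


if __name__ == "__main__":
    # Hypothetical expected values: TMG internal IP and FQDN.
    allowed = {"10.45.205.4", "tmg01.ad-domain.loc"}
    print(parse_tmg_wpad(SAMPLE_WPAD))
    print("unexpected proxy hosts:", unexpected_nodes(SAMPLE_WPAD, allowed))
```

Run it against the wpad.dat fetched from the TMG before and after the FQDN script to confirm the Node entry changed from the RRAS IP to the expected name.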
Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 37717006
Yes - it is safe to do so, but I am not fully informed on your whole setup, so implications for your environment cannot be assessed or qualified here. That said, Richard is one of the good guys at MS. However, I have not personally used it on TMG as I do not use wpad files anymore.

Keith

Author Closing Comment

by:jakobmarkussen
ID: 37717068
OK, I will give it a go. Thanks. Could I ask why you don't use wpad?

Expert Comment

by:Keith Alabaster
ID: 37717219
Sure - we use a .pac file which we apply through GPO. Like a wpad entry, it only operates when on the LAN and is ignored when laptop users etc. go off-site. The plus is that it is applied when VPN users connect.

Expert Comment

by:pwindell
ID: 37717471
When I'm putting TMG proxy settings like http://proxy:8080/wpad.dat in client IE no internet is available...

Get rid of the "8080".
Change it to http://proxy/wpad.dat,...
In fact you should create a CNAME entry in DNS called "wpad" and point it at the A record of the ISA server. So the URL becomes:
http://wpad.AD-domain.loc/wpad.dat
Then create the Option 252 "WPAD" in DHCP using that same URL.
This way Autodetection will work with both DNS and DHCP instead of DHCP only.
The Browser will not require any settings at all except enabling the first Checkbox for Autodetection.

WPAD is not published on 8080,...it is published on 80. Yes, there are TechNet articles that say "8080",...yes, they are wrong,...yes, I have told MS about it multiple times,...no, they haven't done anything about it,...it falls on deaf ears.

"8080" is used for web requests from Web Proxy clients,....not WPAD.

Expert Comment

by:Keith Alabaster
ID: 37717491
Just for reference, I used to use 8080 for mine but no users were happy with the unfortunate delay that using the Auto detect option can introduce.

Author Comment

by:jakobmarkussen
ID: 37717580
Thanks. I'll look at port 80 instead.

Expert Comment

by:pwindell
ID: 37720055
Just for reference, I used to use 8080 for mine but no users were happy with the unfortunate delay that using the Auto detect option can introduce.

That left you with two things at once trying to listen on 8080. Normal browser web requests are sent to ISA/TMG on 8080. Maybe that was the cause of the delay. My WPAD process happens in the "blink of an eye", keeping everything on the defaults.

Expert Comment

by:pwindell
ID: 37720069
Oh, wait...you were using a PAC file?  So it was stored on a different "web server" instead of the ISA/TMG,...that should have been ok.

There was an IE patch out that was supposed to fix the unreasonable autodetect delay. I had to apply it on a few machines in the past,..but haven't seen the problem now in over a year.

Author Comment

by:jakobmarkussen
ID: 37720099
Hi..

No, it was keith_alabaster that used a PAC file...
I use (or try to use) wpad.

I tried running the script by Richard Barker on a test TMG server, and it seems to work.
I will change to port 80 as you mention.

By the way - with publishing by DNS, wouldn't that be a problem for clients in branch offices behind another TMG?

Expert Comment

by:pwindell
ID: 37720224
Only if they are also set to use WPAD. WPAD is global for everyone using the same AD/DNS structure. If you have "exceptions" to that, then you would continue to let the bulk of the clients use WPAD normally, and then the smaller groups of exceptions would not use WPAD (disable the first auto detect checkbox in IE) but would still use proxy autodetection (enable only the second autodetect checkbox in IE,...the one that lets you give it a static URL to the script).

Remember that WPAD and Proxy Autodetection are two separate things. WPAD autodetects the script, not the proxy,....it is the script that then detects the proxy afterwards.