jakobmarkussen
asked on
TMG proxy issue
Hi Experts-
We are having a problem regarding a TMG proxy wpad.dat issue.
Every now and then (no particular pattern) browsers are trying to connect to the proxy using the TMG RRAS IP addresses and then being blocked.
Opening a new browser window will use the correct FQDN for TMG and internet access is OK.
We have run the CarpNameSystem.js on TMG server.
Any ideas why this happens on and off?
Thanks
ASKER
Hi. Thanks - didn't make it clear: That has been done.
If I run it again I just get a "nothing to correct" message.
I also tried running del /wpad*.dat /s on clients - that doesn't help.
Hi There,
When you set up the internal network, did you enter the IP addresses in manually or did you use the "add adapter" button?
What is your network topology on the TMG 2010 server, Single Network Adapter or Edge Firewall?
What IP address and subnet mask are on the external network?
Hi There,
Have you gone through the link given below?
If not, then it could help.
http://social.technet.microsoft.com/wiki/contents/articles/2702.forefront-threat-management-gateway-tmg-2010-troubleshooting-survival-guide.aspx
ASKER
I will look at the link thanks.
Internal network I added adapter
It's Edge firewall
External adapter has a couple of public IPs
How is the wpad entry in DNS defined? Is it a CNAME or an A record? It could be possible that TMG registers its RRAS IPs in DNS...
ASKER
I don't have a wpad DNS entry. Using DHCP.
Also no RRAS IPs are in DNS.
ASKER
OK - found that in Routing and Remote Access the DHCP Relay Agent has the IP address that is given to the WPAD clients. How can we 'stop' this? Thx
ASKER CERTIFIED SOLUTION
ASKER
Not sure what to remove... Sorry...
The TMG was set up like this at some point: http://www.isaserver.org/img/upl/vpnkitbeta2/dhcprelay.htm
When using the internal DHCP for VPN clients I will need the relay agent, right?
Thanks
Go to the DHCP console, find the RRAS network, expand it, and click on "Scope Options".
Find option 252 (WPAD) in the right-hand pane, then modify it or remove it.
New clients in that network will no longer get the WPAD IP.
Also make sure that you consider the possible consequences before doing this.
ASKER
We might need a major clean-up ;)
We do not have a dedicated RRAS network - RRAS is using the internal adapter on TMG, so it is also using the same scope as internal...
Perhaps we would be better off using DNS for auto-discovery?
The only thing here is that we have more sites with separate TMGs sharing DNS... So we would need to figure out how to force clients on each site to use the correct TMG/WPAD setting...
ASKER
Okay - I removed option 252 from DHCP; fwctool testautodetect no longer finds wpad in DHCP.
I set up DNS instead. Things were fine for an hour or two... Now I once again get the same error.
Any ideas why this is happening when using DNS to distribute the autodiscover settings?
Thanks
Does this happen on all machines, or just a set of machines?
What is the exact symptom? Are you using a load-balanced TMG Enterprise?
ASKER
At the moment just 2 machines, one Windows 7 and one XP. I'm worried that more machines might start to fail.
The thing starts suddenly. Internet browsing might be fine for hours, then suddenly we get this error that TMG denies the connection. We see that it replies on the RRAS relay agent IP.
Opening a new browser window and it works again.
Not load Balanced - and Standard TMG
If you monitor the TMG traffic to and from that client, what do you see in that interval?
TMG console, Logs and Reports, Logging - check the traffic in the last hour.
ASKER
I will set up logging for one of the machines tomorrow morning to see what happens around the failure... thx
I have attached RRAS info from the TMG.
Perhaps the issue makes more sense then?
rras.png
ASKER
So it just happened.
Was browsing normally until suddenly TMG denied access:
Technical Information (for support personnel)
Error Code: 403 Forbidden. Forefront TMG denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 10.45.205.188
Date: 4/24/2012 6:32:41 AM [GMT]
Server: xx.yy.zzz
Source: proxy
Where 10.45.205.188 is the RRAS IP...
The TMG log shows nothing unusual - normal traffic to the TMG server IP - then the client starts trying to use 10.45.205.188 as the proxy out of nowhere.
What is in your WPAD entry for DNS? Hostname or IP?
ASKER
It was Hostname - I have changed to IP - will check if that changes anything
ASKER
Changing it to IP causes autodetect to fail...
You changed it to one of TMG's IPs?
It doesn't really make sense that it would fail, because the hostname points to the same IP?
Do the clients receive the wpad.dat file from the TMG?
You can check this by entering http://xx.yyy.xxx.zzz/wpad.dat, where xx.yyy.xxx.zzz is the IP you changed it to,
and then monitoring this from the TMG console.
Also, if you do an nslookup in your environment, how does it resolve this hostname?
ASKER
Yes, the clients receive wpad from the TMG.
I tried changing to the IP number instead of the FQDN... Let's see if that changes anything.
Thanks so far
ASKER
Lasted almost 24h. This morning wpad IP changed again for the affected clients.
This is driving me crazy :)
ASKER
Restarted the computer and the problem returned.
If I open another IE window, wpad is fine.
The IE window with "the wrong wpad IP" is still not getting the right IP...
nslookup is fine..
Thx
This may be a long shot, but can you try opening the wpad.dat that you download from a browser and check whether this IP is referenced in it?
Do the problematic clients have any entries in their hosts file?
ASKER
Hi Simon - been on vacation so haven't been able to update this until now.
The last 2 days no clients have failed.
I'll accept your answers as solutions - but can't tell what did the trick.
Thanks for helping out - will "re-open" if the problem returns.
cscript carpnamesystem.js /set:DNS
It sets the proxy address in the wpad.dat to the FQDN instead of the IP (which in our case is an RRAS one). You can get the code for this file from the link given below.
http://isatools.org/tools/carpnamesystem.js