Solved

Unable to browse a specific website

Posted on 2014-03-14
Last Modified: 2014-03-31
Hello,

We have TMG 2010 installed with 2 NICs ( Internal and External )

TMG Setup as follows

- External NIC configured with a default gateway
- Internal NIC configured with internal DNS server and no default gateway but a static route to internal network.
- It is integrated with Websense.
- It's allowing only domain authenticated users

Now the problem is I am unable to access a specific website. TMG throws its default error page.
All other websites are working.

I have recorded some logs from the TMG and did some troubleshooting, for instance:

- Reinstalled Websense Webfilter
- Restarted TMG service
- Tried accessing from TMG itself but failed.
- Tried accessing by creating a new rule with all users as authentication.


10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Denied Connection TMG-PROXY 3/14/2014 5:18:47 PM
Log type: Web Proxy (Forward)
Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.

Failed Connection Attempt TMG01  3/14/2014 5:18:47 PM
Log type: Web Proxy (Forward)
Status: 5 Access is denied.  


Please any help to resolve this issue.

Thanks
Question by:cciedreamer
11 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 39930880
you are using the internal DNS for the TMG. if the internal DNS does not have DNS forwarding properly configured, some hosts, even all internet hosts, can't be resolved.

try setting up an external DNS such as 8.8.8.8 on the TMG and see how it goes.
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39931144
Internal DNS is already configured with ISP DNS forwarders and also 8.8.8.8 is included but no luck.

Thanks
0
 
LVL 37

Expert Comment

by:bbao
ID: 39931165
i mean, if possible, point the TMG's DNS to an external host like 8.8.8.8 and see if the TMG as well as its proxy clients can correctly resolve the domain names that had problems.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39931166
Hi Samir,

What is the website you're trying to get to?

If you turn off proxy authentication does it work?
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39931213
Hi,
A while ago I restarted the TMG service and the website is working. Strange !!!

Anyhow I'll keep the post for some time, the issue might occur again. However, I've encountered similar situations in the past on the same server where I am unable to access a specific website.

I don't know what's wrong. Anyway thanks craigbeck and bbao for extending your help.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39931312
most likely the TMG keeps track of previous failures and will give the same error page for some time after a single unlucky attempt

websense's proxy (squid as far as i know) may do the same. the TMG might mask websense's error page and use its own instead

it is likely that the corresponding site has connection problems from time to time, or may just be slow from time to time

---

if you find settings looking like "negative caching" in either TMG or websense, try and disable them

next time you have that same problem, try and access the site through websense directly bypassing the TMG (if that is possible) so you can determine if websense is concerned (which is likely. my guess would be a long negative cache in websense and a short or likely none in TMG)
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39931399
AFAIK TMG doesn't keep a track of failures (it only logs them) - it processes each request according to its rules whether the last attempt was successful or not.

If the TMG gets a no back from the Websense it will redirect to the Websense block page, so it doesn't show its own error usually, and it definitely won't show the error Samir is seeing.

Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
That means that there is an issue when authenticating to the proxy/Websense.  If the client is being asked to authenticate to the proxy when trying to get to the site in question, and it can't for whatever reason, you'll see this error.  It could also be that the Websense rule isn't quite right or the URL is configured in multiple rules.

I'd create a rule to allow the TMG server to get to the site itself directly (without the proxy) so you can check that part, then see if the issue still exists for web proxy clients.

If that works, create a rule for the URL on the TMG which allows anonymous access.  This should help you decide if the Websense is an issue or not.
0
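The distinction drawn in the accepted answer (an authorization denial such as 12209 versus the 10060 timeout) can be checked across many log entries at once. The following is an added example, not part of any comment in this thread: it assumes entries laid out like the ones quoted in the question, and the category names are illustrative labels taken from the status text.

```python
import re
from collections import Counter

# Constructed sample, laid out like the entries quoted in the question.
SAMPLE_LOG = """\
Denied Connection TMG-PROXY 3/14/2014 5:18:47 PM
Log type: Web Proxy (Forward)
Status: 12209 Forefront TMG requires authorization to fulfill the request.

Failed Connection Attempt TMG01  3/14/2014 5:18:47 PM
Log type: Web Proxy (Forward)
Status: 5 Access is denied.

Failed Connection Attempt TMG01 3/14/2014 5:19:10 PM
Log type: Web Proxy (Forward)
Status: 10060 A connection attempt failed because the connected party did not properly respond.
"""

# Assumption: labels derived from the status text shown in the thread.
CATEGORY = {12209: "proxy-auth", 5: "access-denied", 10060: "network-timeout"}

HEADER = re.compile(r"^(?P<action>.+?)\s+(?P<server>\S+)\s+"
                    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)$")
STATUS = re.compile(r"^Status:\s*(?P<code>\d+)\s+(?P<text>.*)$")

def parse_entries(text):
    """Group header and Status lines into one dict per log entry."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            current = m.groupdict()
            entries.append(current)
            continue
        m = STATUS.match(line)
        if m and current is not None:
            current["code"] = int(m["code"])
            current["category"] = CATEGORY.get(current["code"], "other")
    return entries

def summarize(entries):
    """Count entries per category so auth denials and timeouts stand apart."""
    return Counter(e.get("category", "no-status") for e in entries)

if __name__ == "__main__":
    for category, count in summarize(parse_entries(SAMPLE_LOG)).items():
        print(f"{category}: {count}")
```
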
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39931462
oops, my bad, i did not read the error message properly : i only read

10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

if the websense is configured to do some specific authentication for this site, and it is misconfigured it would explain this mess. is that the case ? or does the site have some specificity such as running on https ? on an exotic port ? ...

but more likely the websense authenticator just failed that one time because of a timeout, a packet loss, contention on the authentication process or whatever similar random error. the above error may mean contention on the authenticator process. where do each of them come from ?

i'd still think of a cache issue that makes it repeat. if the tmg does not cache anything maybe the browser does. did the same site work on a nearby computer ?
0
 
LVL 27

Expert Comment

by:Steve
ID: 39933992
What is different about this website?
Can you do an NSlookup and get the right IP? Does the domain belong to you? have you checked the IP it resolves to doesn't come within any of your own IP ranges?
0
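The check suggested in the comment above (resolve the name, then confirm the address does not fall inside your own ranges) can be scripted. This is an added example, not part of any comment in this thread; `INTERNAL_RANGES` is a placeholder assumption to be replaced with the ranges defined for your own networks, and the addresses in the test call are constructed.

```python
import ipaddress
import socket
import sys

# Assumption: placeholder ranges; substitute the ranges of your own networks.
INTERNAL_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def resolve(hostname):
    """Return the distinct addresses the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_addresses(addresses, ranges=INTERNAL_RANGES):
    """Return (address, reason) pairs; reason is None when nothing looks wrong."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    findings = []
    for addr in addresses:
        # Drop any IPv6 zone suffix (e.g. "%eth0") before parsing.
        ip = ipaddress.ip_address(addr.split("%")[0])
        hit = next((str(n) for n in nets
                    if n.version == ip.version and ip in n), None)
        if hit:
            reason = f"inside own range {hit}"
        elif ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            reason = "not routable"
        else:
            reason = None
        findings.append((addr, reason))
    return findings

if __name__ == "__main__":
    # Usage: python check_site.py <hostname>
    host = sys.argv[1]
    for addr, reason in check_addresses(resolve(host)):
        print(f"{host} -> {addr}: {reason or 'ok'}")
```

Run it once on the TMG server and once on a proxy client; differing answers point at DNS rather than at authentication.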
 
LVL 3

Author Closing Comment

by:cciedreamer
ID: 39967771
Thanks craigbeck for your help as always

This worked.

I'd create a rule to allow the TMG server to get to the site itself directly (without the proxy) so you can check that part, then see if the issue still exists for web proxy clients.

If that works, create a rule for the URL on the TMG which allows anonymous access.  This should help you decide if the Websense is an issue or not.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39967925
would you mind giving a couple of hints regarding what worked ?

i'd assume you determined the problem was websense related and ended up bypassing websense for this specific site. is that correct ? did you notice anything else ?

thanks for sharing
0
