Solved

Unable to browse a specific website

Posted on 2014-03-14
Last Modified: 2014-03-31
Hello,

We have TMG 2010 installed with 2 NICs (Internal and External).

TMG is set up as follows:

- External NIC configured with a default gateway
- Internal NIC configured with internal DNS server and no default gateway but a static route to internal network.
- It is integrated with Websense.
- It's allowing only domain authenticated users

Now the problem is I am unable to access a specific website. TMG throws its default error page.
All other websites are working.

I have recorded some logs from the TMG and did some troubleshooting, for instance:

- Reinstalled Websense Webfilter
- Restarted TMG service
- Tried accessing from the TMG itself but failed.
- Tried accessing by creating a new rule with all users as authentication.


10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Denied Connection TMG-PROXY 3/14/2014 5:18:47 PM
Log type: Web Proxy (Forward)
Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.

Failed Connection Attempt TMG01  3/14/2014 5:18:47 PM
Log type: Web Proxy (Forward)
Status: 5 Access is denied.  


Please, any help to resolve this issue.

Thanks
Question by:cciedreamer
11 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 39930880
you are using the internal DNS for the TMG. if the internal DNS does not have DNS forwarding properly configured, some hosts, even all internet hosts, can't be resolved.

try setting up an external DNS such as 8.8.8.8 on the TMG and see how it goes.
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39931144
Internal DNS is already configured with ISP DNS forwarders and also 8.8.8.8 is included but no luck.

Thanks
0
 
LVL 37

Expert Comment

by:bbao
ID: 39931165
i mean, if possible, point the TMG's DNS to an external host like 8.8.8.8 and see if the TMG as well as its proxy clients can correctly resolve the domain names that had problems.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39931166
Hi Samir,

What is the website you're trying to get to?

If you turn off proxy authentication does it work?
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39931213
Hi,
A while ago I restarted the TMG service and the website is working. Strange !!!

Anyhow I'll keep the post for some time, the issue might occur again. However, I've encountered similar situations in the past on the same server where I am unable to access a specific website.

I don't know what's wrong. Anyway thanks craigbeck and bbao for extending your help.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39931312
most likely the TMG keeps track of previous failures and will give the same error page for some time after a single unlucky attempt

websense's proxy (squid as far as i know) may do the same. the TMG might mask websense's error page and use its own instead

it is likely that the corresponding site has connection problems from time to time, or may just be slow from time to time

---

if you find settings looking like "negative caching" in either TMG or websense, try and disable them

next time you have that same problem, try and access the site through websense directly bypassing the TMG (if that is possible) so you can determine if websense is concerned (which is likely. my guess would be a long negative cache in websense and a short or likely none in TMG)
0
 
LVL 46

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39931399
AFAIK TMG doesn't keep a track of failures (it only logs them) - it processes each request according to its rules whether the last attempt was successful or not.

If the TMG gets a no back from the Websense it will redirect to the Websense block page, so it doesn't show its own error usually, and it definitely won't show the error Samir is seeing.

Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
That means that there is an issue when authenticating to the proxy/Websense.  If the client is being asked to authenticate to the proxy when trying to get to the site in question, and it can't for whatever reason, you'll see this error.  It could also be that the Websense rule isn't quite right or the URL is configured in multiple rules.

I'd create a rule to allow the TMG server to get to the site itself directly (without the proxy) so you can check that part, then see if the issue still exists for web proxy clients.

If that works, create a rule for the URL on the TMG which allows anonymous access.  This should help you decide if the Websense is an issue or not.
0
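An added example, not code from the thread or from either vendor: a small triage script that applies the reading of the log given in the accepted answer, separating the 10060 connect timeout from the 12209 / 5 authorization denials and flagging entries that share a timestamp. The `LAYER` mapping, the function names and the blank-line-separated record layout are assumptions based on the excerpt pasted in the question.

```python
import re

# Layer implicated by each status code in the question's log excerpt (assumed
# mapping): 10060 is the Winsock connect timeout, 5 is Win32 "Access is
# denied", 12209 is TMG refusing the Web Proxy request for lack of authorization.
LAYER = {10060: "connectivity", 12209: "authentication", 5: "authentication"}

# Sample input constructed from the entries quoted in the question.
SAMPLE_LOG = """\
10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Denied Connection TMG-PROXY 3/14/2014 5:18:47 PM
Log type: Web Proxy (Forward)
Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.

Failed Connection Attempt TMG01  3/14/2014 5:18:47 PM
Log type: Web Proxy (Forward)
Status: 5 Access is denied.
"""

CODE_RE = re.compile(r"^(?:Status:\s*)?(\d+)\s+(.+)$")
STAMP_RE = re.compile(r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M")

def parse_records(text):
    """Split blank-line-separated entries into code, message and timestamp."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"code": None, "message": "", "timestamp": None}
        for line in (l.strip() for l in block.splitlines()):
            stamp = STAMP_RE.search(line)
            code = CODE_RE.match(line)
            if stamp:
                rec["timestamp"] = stamp.group(0)
            if code:
                rec["code"], rec["message"] = int(code.group(1)), code.group(2)
        if rec["code"] is not None:  # skip blocks that carry no status code
            records.append(rec)
    return records

def triage(records):
    """Group codes by layer and list timestamps shared by several entries."""
    layers, by_time = {}, {}
    for rec in records:
        layers.setdefault(LAYER.get(rec["code"], "unclassified"), []).append(rec["code"])
        if rec["timestamp"]:
            by_time.setdefault(rec["timestamp"], []).append(rec["code"])
    same_event = {ts: codes for ts, codes in by_time.items() if len(codes) > 1}
    return layers, same_event
```

Calling `triage(parse_records(SAMPLE_LOG))` shows the two denials landing in the same second on the authentication side, which is the part the accepted answer says to test with a direct-access rule and then an anonymous-access rule.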
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39931462
oops, my bad, i did not read the error message properly : i only read

10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

if the websense is configured to do some specific authentication for this site, and it is misconfigured it would explain this mess. is that the case ? or does the site have some specificity such as running on https ? on an exotic port ? ...

but more likely the websense authenticator just failed that one time because of a timeout, a packet loss, contention on the authentication process or whatever similar random error. the above error may mean contention on the authenticator process. where do each of them come from ?

i'd still think of a cache issue that makes it repeat. if the tmg does not cache anything maybe the browser does. did the same site work on a nearby computer ?
0
 
LVL 27

Expert Comment

by:Steve
ID: 39933992
What is different about this website?
Can you do an NSlookup and get the right IP? Does the domain belong to you? Have you checked that the IP it resolves to doesn't come within any of your own IP ranges?
0
 
LVL 3

Author Closing Comment

by:cciedreamer
ID: 39967771
Thanks craigbeck for your help as always

This worked.

I'd create a rule to allow the TMG server to get to the site itself directly (without the proxy) so you can check that part, then see if the issue still exists for web proxy clients.

If that works, create a rule for the URL on the TMG which allows anonymous access.  This should help you decide if the Websense is an issue or not.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39967925
would you mind giving a couple of hints regarding what worked ?

i'd assume you determined the problem was websense related and ended up bypassing websense for this specific site. is that correct ? did you notice anything else ?

thanks for sharing
0

Question has a verified solution.