Solved

Unable to browse a specific website

Posted on 2014-03-14
Last Modified: 2014-03-31
Hello,

We have TMG 2010 installed with 2 NICs ( Internal and External )

TMG Setup as follows

- External NIC configured with a default gateway
- Internal NIC configured with internal DNS server and no default gateway but a static route to internal network.
- It is integrated with Websense.
- It's allowing only domain-authenticated users

Now the problem is I am unable to access a specific website. TMG throws its default error page.
All other websites are working.

I have recorded some logs from the TMG and did some troubleshooting, for instance:

- Reinstalled Websense Webfilter
- Restarted TMG service
- Tried accessing from TMG itself but failed.
- Tried accessing by creating a new rule with all users as authentication.


10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Denied Connection TMG-PROXY 3/14/2014 5:18:47 PM
Log type: Web Proxy (Forward)
Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.

Failed Connection Attempt TMG01  3/14/2014 5:18:47 PM
Log type: Web Proxy (Forward)
Status: 5 Access is denied.  


Please help to resolve this issue.

Thanks
Question by:cciedreamer
11 Comments
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 39930880
you are using the internal DNS for the TMG. if the internal DNS does not have DNS forwarding properly configured, some hosts, even all internet hosts, can't be resolved.

try setting up an external DNS such as 8.8.8.8 on the TMG and see how it goes.
 
LVL 3

Author Comment

by:cciedreamer
ID: 39931144
Internal DNS is already configured with ISP DNS forwarders and also 8.8.8.8 is included, but no luck.

Thanks
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 39931165
i mean, if possible, point the TMG's DNS to an external host like 8.8.8.8 and see if the TMG as well as its proxy clients can correctly resolve the domain names that had problems.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39931166
Hi Samir,

What is the website you're trying to get to?

If you turn off proxy authentication does it work?
 
LVL 3

Author Comment

by:cciedreamer
ID: 39931213
Hi,
A while ago I restarted the TMG service and the website is working. Strange!!!

Anyhow, I'll keep the post for some time; the issue might occur again. However, I've encountered similar situations in the past on the same server where I am unable to access a specific website.

I don't know what's wrong. Anyway, thanks craigbeck and bbao for extending your help.
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39931312
most likely the TMG keeps track of previous failures and will give the same error page for some time after a single unlucky attempt

websense's proxy (squid as far as i know) may do the same. the TMG might mask websense's error page and use its own instead

it is likely that the corresponding site has connection problems from time to time, or may just be slow from time to time

---

if you find settings looking like "negative caching" in either TMG or websense, try and disable them

next time you have that same problem, try and access the site through websense directly bypassing the TMG (if that is possible) so you can determine if websense is concerned (which is likely. my guess would be a long negative cache in websense and a short or likely none in TMG)
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39931399
AFAIK TMG doesn't keep a track of failures (it only logs them) - it processes each request according to its rules whether the last attempt was successful or not.

If the TMG gets a no back from the Websense it will redirect to the Websense block page, so it doesn't show its own error usually, and it definitely won't show the error Samir is seeing.

Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
That means that there is an issue when authenticating to the proxy/Websense.  If the client is being asked to authenticate to the proxy when trying to get to the site in question, and it can't for whatever reason, you'll see this error.  It could also be that the Websense rule isn't quite right or the URL is configured in multiple rules.

I'd create a rule to allow the TMG server to get to the site itself directly (without the proxy) so you can check that part, then see if the issue still exists for web proxy clients.

If that works, create a rule for the URL on the TMG which allows anonymous access.  This should help you decide if the Websense is an issue or not.
0
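
The checks suggested in this thread (name resolution, a direct connection, then the proxy without and with credentials) can be run in one pass. This is an added example, not part of the original posts; the URL, proxy address and port are placeholders, and it uses only .NET classes so it also runs on older PowerShell versions.

```powershell
# Added example: every value below is a placeholder, not taken from the thread.
$Url      = 'http://site.example/'           # the site that fails
$ProxyUrl = 'http://tmg-proxy.example:8080'  # TMG web proxy listener (assumed address and port)
$target   = [Uri]$Url

# 1. Name resolution with the resolver this machine is configured to use.
try   { $ips = [System.Net.Dns]::GetHostAddresses($target.Host) | ForEach-Object { $_.IPAddressToString } }
catch { $ips = @() }
$dnsText = if ($ips) { $ips -join ', ' } else { 'no answer' }
"DNS (configured resolver): $dnsText"
# To compare with a public resolver as suggested above:  nslookup <host> 8.8.8.8

# 2. Direct TCP connect, bypassing the proxy. A timeout here is the 10060 case.
$tcp = New-Object System.Net.Sockets.TcpClient
$ar  = $tcp.BeginConnect($target.Host, $target.Port, $null, $null)
$connected = $ar.AsyncWaitHandle.WaitOne(5000, $false) -and $tcp.Connected
$tcp.Close()
$tcpText = if ($connected) { 'connected' } else { 'timed out or refused' }
"Direct TCP to port $($target.Port): $tcpText"

# 3. Same URL through the proxy, first anonymously, then with the logon credentials.
function Get-StatusViaProxy([string]$Url, [string]$ProxyUrl, [bool]$SendCredentials) {
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Timeout = 15000
    $proxy = New-Object System.Net.WebProxy($ProxyUrl)
    $proxy.UseDefaultCredentials = $SendCredentials
    $req.Proxy = $proxy
    try {
        $resp = $req.GetResponse(); $code = [int]$resp.StatusCode; $resp.Close()
        return "HTTP $code"
    } catch {
        # PowerShell may wrap the .NET exception, so walk down to the WebException.
        $e = $_.Exception
        while ($e -and $e -isnot [System.Net.WebException]) { $e = $e.InnerException }
        if ($e -and $e.Response) { return "HTTP $([int]$e.Response.StatusCode)" }
        if ($e) { return "no HTTP response ($($e.Status))" }
        return "error: $($_.Exception.Message)"
    }
}

"Via proxy, no credentials    : $(Get-StatusViaProxy $Url $ProxyUrl $false)"
"Via proxy, logon credentials : $(Get-StatusViaProxy $Url $ProxyUrl $true)"
```

HTTP 407 (Proxy Authentication Required) on the anonymous call is expected when the rule allows only authenticated users; a 407 that persists on the second call, where credentials are offered, points at the authentication path rather than at DNS or the remote site.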
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39931462
oops, my bad, i did not read the error message properly: i only read

10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

if the websense is configured to do some specific authentication for this site, and it is misconfigured it would explain this mess. is that the case ? or does the site have some specificity such as running on https ? on an exotic port ? ...

but more likely the websense authenticator just failed that one time because of a timeout, a packet loss, contention on the authentication process or whatever similar random error. the above error may mean contention on the authenticator process. where do each of them come from ?

i'd still think of a cache issue that makes it repeat. if the tmg does not cache anything maybe the browser does. did the same site work on a nearby computer ?
 
LVL 27

Expert Comment

by:Steve
ID: 39933992
What is different about this website?
Can you do an nslookup and get the right IP? Does the domain belong to you? Have you checked the IP it resolves to doesn't come within any of your own IP ranges?
 
LVL 3

Author Closing Comment

by:cciedreamer
ID: 39967771
Thanks craigbeck for your help as always

This worked.

I'd create a rule to allow the TMG server to get to the site itself directly (without the proxy) so you can check that part, then see if the issue still exists for web proxy clients.

If that works, create a rule for the URL on the TMG which allows anonymous access.  This should help you decide if the Websense is an issue or not.
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39967925
would you mind giving a couple of hints regarding what worked ?

i'd assume you determined the problem was websense related and ended up bypassing websense for this specific site. is that correct ? did you notice anything else ?

thanks for sharing