Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1763
  • Last Modified:

Unable to browse a specific website

Hello,

We have TMG 2010 installed with 2 NICs ( Internal and External )

TMG Setup as follows

- External NIC configured with a default gateway
- Internal NIC configured with internal DNS server and no default gateway but a static route to internal network.
- It integrated with Websense.
- Its allowing only domain authenticated users

Now the problem is I am unable to access specific website. TMG throws it default error page
All other websites are working.

I have recorded some logs from the TMG saying and did some troubleshooting for instance

- Reinstalled Websense Webfilter
- Restarted TMG service
- Tried the accessing from TMG itself but failed.
- Tried accessing by creating a new rule with all users as authentication.


10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Denied Connection TMG-PROXY 3/14/2014 5:18:47 PM
Log type: Web Proxy (Forward)
Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.

Failed Connection Attempt TMG01  3/14/2014 5:18:47 PM
Log type: Web Proxy (Forward)
Status: 5 Access is denied.  


Please any help to resolve this issue.

Thank
0
cciedreamer
Asked:
cciedreamer
  • 3
  • 3
  • 2
  • +2
1 Solution
 
bbaoIT ConsultantCommented:
you are using the internal DNS for the TMG. if the internal DNS does not have DNS forwarding properly configured, some hosts even all internet hosts can't be resolved.

try seting up an external DNS such as 8.8.8:8 on the TMG and see how it goes.
0
 
cciedreamerAuthor Commented:
Internal Dns is already confihured with ISP Dns forwarders and also 8.8.8.8 is included but no luck.

Thnks
0
 
bbaoIT ConsultantCommented:
i mean, if possible, point the TMG's DNS to an external host like 8.8.8.8 and see if the TMG as well as its proxy clients can correctly resolve the domain names that had problems.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
Craig BeckCommented:
Hi Samir,

What is the website you're trying to get to?

If you turn off proxy authentication does it work?
0
 
cciedreamerAuthor Commented:
Hi,
While ago I restarted the TMG service and website is working. Strange !!!

Anyhow I'll keep the post for sometime, the issue might occur again. However, I've encountered similar situations in the past on the same server that I am unable to a specific website

I don't what wrong. Anyway thanks craigbeck and bbao for your extending your help.
0
 
skullnobrainsCommented:
most likely the TMG keeps track of previous failures and will give the same error page for some time after a single unlucky attempt

websense's proxy (squid as far as i know) may do the same. the TMG might mask websense's error page and use it's own instead

it is likely that the corresponding site has connection problems from time to time, or may jsut be slow from time to time

---

if you find settings looking like "negative caching" in either TMG or websense, try and disable them

next time you have that same problem, try and access the sit through websense directly bypassing the TMG (if that is possible) so you can determine if websense is concerned (which is likely. my guess would be a long negative cache in websense and a short or likely none in TMG)
0
 
Craig BeckCommented:
AFAIK TMG doesn't keep a track of failures (it only logs them) - it processes each request according to its rules whether the last attempt was successful or not.

If the TMG gets a no back from the Websense it will redirect to the Websense block page, so it doesn't show its own error usually, and it definitely won't show the error Samir is seeing.

Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
That means that there is an issue when authenticating to the proxy/Websense.  If the client is being asked to authenticate to the proxy when trying to get to the site in question, and it can't for whatever reason, you'll see this error.  It could also be that the Websense rule isn't quite right or the URL is configured in multiple rules.

I'd create a rule to allow the TMG server to get to the site itself directly (without the proxy) so you can check that part, then see if the issue still exists for web proxy clients.

If that works, create a rule for the URL on the TMG which allows anonymous access.  This should help you decide if the Websense is an issue or not.
0
 
skullnobrainsCommented:
oups, mybad, i did not read the error message properly : i only read

10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

if the websense is configured to do some specific authentication for this site, and it is misconfigured it would explain this mess. is that the case ? or does the site have some specificity such as running on https ? on an exotic port ? ...

but more likely the websense authenticator just failed that one time because of a timeout, a packet loss, contention on the authentication process or whatever similar random error. the above error may mean contention on the authenticator process. where do each of them come from ?

i'd still think of a cache issue that makes it repeat. if the tmg does not cache anything maybe the browser does. did the same site work on a nearby computer ?
0
 
SteveCommented:
What is different about this website?
Can you do an NSlookup and get the right IP? Does the domain belong to you? have you checked the IP it resolves to doesn't come within any of your own IP ranges?
0
 
cciedreamerAuthor Commented:
Thanks craigbeck for your help as always

This worked.

I'd create a rule to allow the TMG server to get to the site itself directly (without the proxy) so you can check that part, then see if the issue still exists for web proxy clients.

If that works, create a rule for the URL on the TMG which allows anonymous access.  This should help you decide if the Websense is an issue or not.
0
 
skullnobrainsCommented:
would you mind giving a couple of hints regarding what worked ?

i'd assume you determined the problem was websense related and ended up bypassing websense for this specific site. is that correct ? did you notice anything else ?

thanks for sharing
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 3
  • 3
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now