Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Unable to browse a specific website

Posted on 2014-03-14
11
Medium Priority
?
1,727 Views
Last Modified: 2014-03-31
Hello,

We have TMG 2010 installed with 2 NICs ( Internal and External )

TMG Setup as follows

- External NIC configured with a default gateway
- Internal NIC configured with internal DNS server and no default gateway but a static route to internal network.
- It integrated with Websense.
- Its allowing only domain authenticated users

Now the problem is I am unable to access specific website. TMG throws it default error page
All other websites are working.

I have recorded some logs from the TMG saying and did some troubleshooting for instance

- Reinstalled Websense Webfilter
- Restarted TMG service
- Tried the accessing from TMG itself but failed.
- Tried accessing by creating a new rule with all users as authentication.


10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Denied Connection TMG-PROXY 3/14/2014 5:18:47 PM
Log type: Web Proxy (Forward)
Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.

Failed Connection Attempt TMG01  3/14/2014 5:18:47 PM
Log type: Web Proxy (Forward)
Status: 5 Access is denied.  


Please any help to resolve this issue.

Thank
0
Comment
Question by:cciedreamer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +2
11 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 39930880
you are using the internal DNS for the TMG. if the internal DNS does not have DNS forwarding properly configured, some hosts even all internet hosts can't be resolved.

try seting up an external DNS such as 8.8.8:8 on the TMG and see how it goes.
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39931144
Internal Dns is already confihured with ISP Dns forwarders and also 8.8.8.8 is included but no luck.

Thnks
0
 
LVL 37

Expert Comment

by:bbao
ID: 39931165
i mean, if possible, point the TMG's DNS to an external host like 8.8.8.8 and see if the TMG as well as its proxy clients can correctly resolve the domain names that had problems.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 47

Expert Comment

by:Craig Beck
ID: 39931166
Hi Samir,

What is the website you're trying to get to?

If you turn off proxy authentication does it work?
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39931213
Hi,
While ago I restarted the TMG service and website is working. Strange !!!

Anyhow I'll keep the post for sometime, the issue might occur again. However, I've encountered similar situations in the past on the same server that I am unable to a specific website

I don't what wrong. Anyway thanks craigbeck and bbao for your extending your help.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39931312
most likely the TMG keeps track of previous failures and will give the same error page for some time after a single unlucky attempt

websense's proxy (squid as far as i know) may do the same. the TMG might mask websense's error page and use it's own instead

it is likely that the corresponding site has connection problems from time to time, or may jsut be slow from time to time

---

if you find settings looking like "negative caching" in either TMG or websense, try and disable them

next time you have that same problem, try and access the sit through websense directly bypassing the TMG (if that is possible) so you can determine if websense is concerned (which is likely. my guess would be a long negative cache in websense and a short or likely none in TMG)
0
 
LVL 47

Accepted Solution

by:
Craig Beck earned 2000 total points
ID: 39931399
AFAIK TMG doesn't keep a track of failures (it only logs them) - it processes each request according to its rules whether the last attempt was successful or not.

If the TMG gets a no back from the Websense it will redirect to the Websense block page, so it doesn't show its own error usually, and it definitely won't show the error Samir is seeing.

Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
That means that there is an issue when authenticating to the proxy/Websense.  If the client is being asked to authenticate to the proxy when trying to get to the site in question, and it can't for whatever reason, you'll see this error.  It could also be that the Websense rule isn't quite right or the URL is configured in multiple rules.

I'd create a rule to allow the TMG server to get to the site itself directly (without the proxy) so you can check that part, then see if the issue still exists for web proxy clients.

If that works, create a rule for the URL on the TMG which allows anonymous access.  This should help you decide if the Websense is an issue or not.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39931462
oups, mybad, i did not read the error message properly : i only read

10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

if the websense is configured to do some specific authentication for this site, and it is misconfigured it would explain this mess. is that the case ? or does the site have some specificity such as running on https ? on an exotic port ? ...

but more likely the websense authenticator just failed that one time because of a timeout, a packet loss, contention on the authentication process or whatever similar random error. the above error may mean contention on the authenticator process. where do each of them come from ?

i'd still think of a cache issue that makes it repeat. if the tmg does not cache anything maybe the browser does. did the same site work on a nearby computer ?
0
 
LVL 27

Expert Comment

by:Steve
ID: 39933992
What is different about this website?
Can you do an NSlookup and get the right IP? Does the domain belong to you? have you checked the IP it resolves to doesn't come within any of your own IP ranges?
0
 
LVL 3

Author Closing Comment

by:cciedreamer
ID: 39967771
Thanks craigbeck for your help as always

This worked.

I'd create a rule to allow the TMG server to get to the site itself directly (without the proxy) so you can check that part, then see if the issue still exists for web proxy clients.

If that works, create a rule for the URL on the TMG which allows anonymous access.  This should help you decide if the Websense is an issue or not.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39967925
would you mind giving a couple of hints regarding what worked ?

i'd assume you determined the problem was websense related and ended up bypassing websense for this specific site. is that correct ? did you notice anything else ?

thanks for sharing
0

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question