Techrunner


Unable to browse a specific website

Hello,

We have TMG 2010 installed with 2 NICs (Internal and External).

TMG Setup as follows

- External NIC configured with a default gateway
- Internal NIC configured with internal DNS server and no default gateway but a static route to internal network.
- It is integrated with Websense.
- It's allowing only domain authenticated users

Now the problem is I am unable to access a specific website. TMG throws its default error page.
All other websites are working.

I have recorded some logs from the TMG and did some troubleshooting, for instance:

- Reinstalled Websense Webfilter
- Restarted TMG service
- Tried accessing from the TMG itself but failed.
- Tried accessing by creating a new rule with all users as authentication.


10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Denied Connection TMG-PROXY 3/14/2014 5:18:47 PM
Log type: Web Proxy (Forward)
Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.

Failed Connection Attempt TMG01  3/14/2014 5:18:47 PM
Log type: Web Proxy (Forward)
Status: 5 Access is denied.  


Please, any help to resolve this issue.

Thanks
bbao

you are using the internal DNS for the TMG. if the internal DNS does not have DNS forwarding properly configured, some hosts, or even all internet hosts, can't be resolved.

try setting up an external DNS such as 8.8.8.8 on the TMG and see how it goes.
Techrunner

ASKER

Internal DNS is already configured with ISP DNS forwarders and also 8.8.8.8 is included, but no luck.

Thanks
i mean, if possible, point the TMG's DNS to an external host like 8.8.8.8 and see if the TMG as well as its proxy clients can correctly resolve the domain names that had problems.
Hi Samir,

What is the website you're trying to get to?

If you turn off proxy authentication does it work?
Hi,
A while ago I restarted the TMG service and the website is working. Strange !!!

Anyhow, I'll keep the post for some time; the issue might occur again. However, I've encountered similar situations in the past on the same server where I am unable to access a specific website.

I don't know what's wrong. Anyway, thanks craigbeck and bbao for extending your help.
most likely the TMG keeps track of previous failures and will give the same error page for some time after a single unlucky attempt

websense's proxy (squid as far as i know) may do the same. the TMG might mask websense's error page and use its own instead

it is likely that the corresponding site has connection problems from time to time, or may just be slow from time to time

---

if you find settings looking like "negative caching" in either TMG or websense, try and disable them

next time you have that same problem, try and access the site through websense directly bypassing the TMG (if that is possible) so you can determine if websense is concerned (which is likely. my guess would be a long negative cache in websense and a short or likely none in TMG)
ASKER CERTIFIED SOLUTION
Craig Beck

This solution is only available to members.
oops, my bad, i did not read the error message properly : i only read

10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

if the websense is configured to do some specific authentication for this site, and it is misconfigured it would explain this mess. is that the case ? or does the site have some specificity such as running on https ? on an exotic port ? ...

but more likely the websense authenticator just failed that one time because of a timeout, a packet loss, contention on the authentication process or whatever similar random error. the above error may mean contention on the authenticator process. where do each of them come from ?

i'd still think of a cache issue that makes it repeat. if the tmg does not cache anything maybe the browser does. did the same site work on a nearby computer ?
What is different about this website?
Can you do an NSlookup and get the right IP? Does the domain belong to you? Have you checked the IP it resolves to doesn't come within any of your own IP ranges?
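
The two DNS checks suggested in this thread (compare the internal DNS answer with an external resolver such as 8.8.8.8, and confirm the resolved IP is not inside one of your own ranges) can be scripted over saved `nslookup` output. This is an added example, not part of any post above; the sample captures, host names, the 10.0.0.0/8 range and the function names are constructed assumptions.

```python
import ipaddress
import re

# Constructed captures of `nslookup www.example.test <server>` on Windows;
# host names and answer addresses are placeholders, not values from the thread.
INTERNAL_DNS_OUTPUT = """Server:  dc01.corp.example.test
Address:  10.0.0.10

Name:    www.example.test
Address:  10.20.30.40
"""
EXTERNAL_DNS_OUTPUT = """Server:  resolver.example.test
Address:  8.8.8.8

Non-authoritative answer:
Name:    www.example.test
Addresses:  203.0.113.10
          203.0.113.11
"""

def answer_addresses(nslookup_output):
    """Return answer IPs, ignoring the Server/Address header of the resolver."""
    # Everything before the first "Name:" describes the DNS server queried.
    _, found_name, answer = nslookup_output.partition("Name:")
    if not found_name:
        return set()  # timeout or "Non-existent domain": no answer section
    addresses = set()
    for line in answer.splitlines()[1:]:
        token = re.sub(r"^\s*Address(es)?:", "", line).strip()
        try:
            addresses.add(ipaddress.ip_address(token))
        except ValueError:
            continue  # alias lines, blank lines
    return addresses

def compare_resolvers(internal_out, external_out, own_ranges):
    """List findings worth a closer look before blaming the proxy or filter."""
    nets = [ipaddress.ip_network(n) for n in own_ranges]
    internal = answer_addresses(internal_out)
    external = answer_addresses(external_out)
    findings = []
    if not internal:
        findings.append("internal DNS returned no answer")
    elif external and internal.isdisjoint(external):
        # CDNs can legitimately answer differently; treat as a lead, not proof.
        findings.append("internal and external answers differ")
    for ip in sorted(internal, key=str):
        if any(ip in net for net in nets):
            findings.append(f"{ip} falls inside own range")
    return findings
```

Calling `compare_resolvers(INTERNAL_DNS_OUTPUT, EXTERNAL_DNS_OUTPUT, ["10.0.0.0/8"])` on the constructed captures reports both a resolver mismatch and an answer inside the internal range.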
Thanks craigbeck for your help as always

This worked.

I'd create a rule to allow the TMG server to get to the site itself directly (without the proxy) so you can check that part, then see if the issue still exists for web proxy clients.

If that works, create a rule for the URL on the TMG which allows anonymous access.  This should help you decide if the Websense is an issue or not.
would you mind giving a couple of hints regarding what worked ?

i'd assume you determined the problem was websense related and ended up bypassing websense for this specific site. is that correct ? did you notice anything else ?

thanks for sharing