TMG

TMG 2010 Site 2 Site IPSEC Tunnel and HTTP Traffic Fails to flow

I have come across this several times now, so I thought it warranted a post. In an environment where a site-to-site IPsec tunnel is established between a TMG and a Cisco ASA, websites on the other side of the tunnel cannot be displayed and give the following:

Technical Information (for support personnel)
Error Code 10060: Connection timeout
Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties. 

The TMG log view then shows the following error for the outgoing connection attempt:

Failed Connection Attempt
Log type: Web Proxy (Forward)
Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Rule: Allow access between Site A and Site B

The easiest fix was to open the HTTP protocol and disable the application filter.

This obviously disables some useful features; the better option is to create a custom HTTP protocol that is not associated with the Web Proxy filter, then create a rule that applies to traffic between the sites using this HTTP protocol.


Microsoft RDWeb Access, TMG 2010 & RSA Keys

A client recently needed to upgrade a Server 2008 R2 RDWeb Access to a two-factor authentication solution. We decided to go down the TMG 2010 with RSA SecurID route.

After some googling I found this paper: http://www.scribd.com/doc/15682090/TS-Gateway-2008-RSA It's a great walkthrough but leaves out some key steps. Also, for 2008 R2, replace TS with RDWeb wherever he put it. But the clients always need to log on twice: once at the TMG, and then they are prompted with the RDWeb Access form page. To remove this form page we will take a look at the C:\Windows\Web\RDWeb\Pages\web.config file. Scroll down to and you will find this, wow great! a few comments here and there and all of the sudden the

To turn on Windows Authentication:
              - uncomment <authentication mode="Windows"/> section
              - and comment out:
              1) <authentication mode="Forms"> section.
              2) <modules> and <security> sections in <system.webServer> section at the end of the file.
              3) Optional: Windows Authentication will work in https.  However, to turn off https, disable 'Require SSL' for both RDWeb and RDWeb/Pages VDIR.
                 Launch IIS Manager UI, click on RDWeb VDIR, double click on SSL Settings in the middle pane, uncheck 'Require SSL' and
                 click Apply in the top right in the right pane.  Repeat the steps for RDWeb/Pages VDIR.

After making the comment changes, restart IIS and tada! The forms-based logon is gone.
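
A quick way to confirm the edit was applied consistently, added here as an example and not taken from the original post or from Microsoft: it parses a web.config and reports whether the Forms section, or the `<modules>` and `<security>` sections under `<system.webServer>`, are still active. The sample fragments, `SampleModule` and the function names are constructed for illustration and are not the real RDWeb file contents.

```python
import xml.etree.ElementTree as ET

# Constructed, abbreviated stand-ins for the RDWeb web.config sections named
# above; element contents are placeholders, not the real file.
FORMS = '<authentication mode="Forms"><forms loginUrl="default.aspx"/></authentication>'
WINDOWS = '<authentication mode="Windows"/>'
EXTRAS = '<modules><add name="SampleModule"/></modules><security><access/></security>'


def commented(xml):
    return f"<!-- {xml} -->"


def sample(system_web, web_server):
    return (f"<configuration><system.web>{system_web}</system.web>"
            f"<system.webServer>{web_server}</system.webServer></configuration>")


BEFORE = sample(commented(WINDOWS) + FORMS, EXTRAS)             # as shipped
PARTIAL = sample(WINDOWS + commented(FORMS), EXTRAS)            # step 1 only
AFTER = sample(WINDOWS + commented(FORMS), commented(EXTRAS))   # steps 1 and 2


def audit_web_config(xml_text):
    """Return problems with the Forms-to-Windows switch; empty list means consistent."""
    root = ET.fromstring(xml_text)  # the parser drops XML comments
    problems = []
    modes = [a.get("mode") for sw in root.iter("system.web")
             for a in sw.findall("authentication")]
    if modes != ["Windows"]:
        problems.append(f"active authentication modes {modes}, expected ['Windows']")
    for ws in root.iter("system.webServer"):
        for name in ("modules", "security"):
            if ws.find(name) is not None:
                problems.append(f"<{name}> under <system.webServer> is still active")
    return problems


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("partial", PARTIAL), ("after", AFTER)):
        print(label, audit_web_config(text) or "consistent")
```

To check a real server, read the file's text and pass it to `audit_web_config`; a half-finished edit shows up as the "still active" findings.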