[isalist] Re: Cannot access a particular website

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 20 Dec 2012 19:55:58 +0000

Ok - how many external IPs are you using and have you configured NAT rules?

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Tom Rogers
Sent: Thursday, December 20, 2012 08:19
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Cannot access a particular website

Just one TMG, one Ext NIC.

Tom Rogers
Systems Administrator
Schneider Packaging Equipment



________________________________
This email and any files transmitted with it are
confidential and intended solely for the use of the
individual or entity to whom they are addressed.
If you have received this email in error please notify
the system manager. This message contains
confidential information and is intended only for the
individual named. If you are not the named addressee
you should not disseminate, distribute or copy this
e-mail. Please notify the sender immediately by e-mail
if you have received this e-mail by mistake and delete
this e-mail from your system. If you are not the
intended recipient you are notified that disclosing,
copying, distributing or taking any action in reliance
on the contents of this information is strictly prohibited.
Please consider the environment before printing this email.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Thursday, December 20, 2012 10:20 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Cannot access a particular website

That's a reasonable assumption, but there have been many cases where the fault 
lies with the website, not the proxy.
For instance, I've run across several sites that would reject a request if it 
saw the "proxy" header or if a request came from a "new" IP address for the 
same session (not allowed for authenticated sessions).

How many TMG are you running; one or more than one (thinking CARP exception)? 
Are you using multiple external IPs?
You may have to coordinate with the web site tech team to understand what's 
happening.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Tom Rogers
Sent: Thursday, December 20, 2012 06:42
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Cannot access a particular website

I thought it was from the website, but webmaster never responded, and when I 
accessed it via our guest AP that bypasses TMG, I figured it was TMG.

Tom Rogers
Systems Administrator
Schneider Packaging Equipment





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Thursday, December 20, 2012 9:29 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Cannot access a particular website

My immediate reaction is that this error is coming from the Web site, not TMG.
Do you have any 3rd-party plugins (such as WebSense or Chaperon) operating on 
your TMG?

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Tom Rogers
Sent: Wednesday, December 19, 2012 08:06
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Cannot access a particular website

None of my clients going through TMG 2010 can access www.cnycentral.com, but 
if we bypass the TMG 2010, we are able to access the site. There are no other 
sites giving us a problem (that I am aware of).
In IE we get the following error:
Access Denied
You don't have permission to access "http://www.cnycentral.com/" on this server.
Reference #18.76341818.1355932796.1c0fea70
(This Reference # changes all the time)

I have not been able to track down where it is failing. The TMG log, when 
accessing the site, returns the data below:

Allowed Connection

TMGSVR 12/19/2012 10:49:10 AM

Log type: Web Proxy (Forward)

Status: 403 Forbidden

Rule: Limited Outbound Access for all other protocols

Source: Internal (client.domain.net 192.168.1.30:63287)

Destination: External (24.24.52.89:80)

Request: GET http://www.cnycentral.com/

Filter information: Req ID: 0f5ce7ce; Compression: client=No, server=No, 
compress rate=0% decompress rate=0%

Protocol: http

User: DOMAIN\trogers

Additional information
    Client agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
    Object source: Internet (Source is the Internet. Object was added to the cache.)
    Cache info: 0x41000000 (Response includes the EXPIRES header. Response should not be cached.)
    Processing time: 16 MIME type:



This has to be in our TMG config, but not sure where. URL filtering is 
disabled, HTTPS inspection is disabled, Web Caching is disabled, SafeSearch is 
disabled. Looks like 10% of physical RAM is used for caching using a DEFAULT 
CACHING rule.

Any advice, TIA.


Tom Rogers
Systems Administrator
Schneider Packaging Equipment


PO Box 890
5370 Guy Young Road
Brewerton, NY 13029
Tel: 315-676-3035 x108 - Fax: 315-676-2875
E-mail: trogers@xxxxxxxxxxxxxxxxxx
Website: http://www.schneiderequip.com
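
The possibility raised earlier in the thread, that an origin rejects a request when it sees a proxy header, can be isolated by sending the same GET with and without proxy-added headers and comparing the status codes. This is an added example, not code from anyone in the thread; the stub origin, its 403 rule, and the header values are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class StubOrigin(BaseHTTPRequestHandler):
    """Constructed stand-in for an origin that refuses proxied requests."""

    def do_GET(self):
        # Header lookup on self.headers is case-insensitive.
        proxied = any(h in self.headers for h in ("Via", "X-Forwarded-For"))
        body = b"Access Denied" if proxied else b"OK"
        self.send_response(403 if proxied else 200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def fetch_status(host, port, extra_headers):
    """Send GET / with the given extra headers and return the status code."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/", headers=extra_headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


# Constructed header variants; the values are sample data, not captured traffic.
VARIANTS = {
    "direct": {},
    "via": {"Via": "1.1 TMGSVR"},
    "xff": {"X-Forwarded-For": "192.168.1.30"},
}


def run_demo():
    """Start the stub origin on a free loopback port and probe each variant."""
    server = HTTPServer(("127.0.0.1", 0), StubOrigin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return {n: fetch_status("127.0.0.1", port, h) for n, h in VARIANTS.items()}
    finally:
        server.shutdown()
        server.server_close()
```

A variant that flips the status from 200 to 403 identifies the header the origin objects to; if every variant succeeds, the source IP address is the next thing to compare.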

