[isalist] Re: Publishing proxy listener on TMG

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>, "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 15 Dec 2009 12:10:03 -0800

Cool water biscuit on a Sunday-go-to-meetin' bun.

So, this works:  If I force auth on the internal proxy listener and only allow 
Integrated then when I connect externally via the server pub rule it requires 
NTLM logon creds to be entered.  Yes, it is over HTTP, but it's NTLM and with 
the password I have it will take 1 million years to crack.   I don't really 
want to force auth on my REAL internal network, so I've created another virtual 
NIC with a separate subnet specifically for this so that I can just set that 
network to require auth.  Plus I can apply separate web rules to that network.  
Kewl.   Works like a beauty...

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Tuesday, December 15, 2009 11:35 AM
To: isapros@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isapros] Re: Publishing proxy listener on TMG

It's looking that way... I'm going back to the server pub rule and see if I can 
get "fancy" with some of the auth methods.    I feel an IE "run as" coming on...

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Tuesday, December 15, 2009 11:27 AM
To: isapros@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isapros] Re: Publishing proxy listener on TMG

Thinking about that error, web publishing may not work for this effort.
WPRs expect to be treated as if they were a Web app server, not a proxy.
I'll bet ISA/TMG Web listeners will choke on a WPAD request (by design).
Easy enough to test...

________________________________
From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] on behalf of 
Thor (Hammer of God) [thor@xxxxxxxxxxxxxxx]
Sent: Tuesday, December 15, 2009 11:18 AM
To: isapros@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isapros] Re: Publishing proxy listener on TMG

So, this is where I was last night (I *did* try it).  I can't auth with the 
server pub rule unless I do so at the network web proxy config - doing that 
externally requires basic auth, which is poo poo.   But, it "works."

With a WPR, I set the listener for 8080 and bridge HTTP to 8080.  So far, no 
auth just to test.  I get this:

Error Code: 502 Proxy Error. The Uniform Resource Locator (URL) does not use a 
recognized protocol. Either the protocol is not supported
or the request was not typed correctly. Confirm that a valid protocol is in use 
(for example, HTTP for a Web request).

This is what I was getting last night with "appear to originate from TMG" and 
the current WPR config.  This is true both with "forward original header" and 
not.

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Tuesday, December 15, 2009 10:58 AM
To: isapros@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isapros] Re: Publishing proxy listener on TMG

I can't think of any reason why a WPR shouldn't work (and be more secure, in 
the effort because you can limit HTTP methods, etc.).
Using NTLM on the listener would be interesting, since the only auth you can 
delegate from that is KCD.
This would result in S4U2Self and S4U2Proxy for the same SPN. Can't see why 
this should fail, but it seems a little backwards.

Jim
________________________________
From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] on behalf of 
Thor (Hammer of God) [thor@xxxxxxxxxxxxxxx]
Sent: Tuesday, December 15, 2009 10:52 AM
To: isapros@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isapros] Re: Publishing proxy listener on TMG

Well, "typical" in that it's just another published service... there's really 
no difference (to me) in publishing that or RDP or whatever as long as you take 
the "proper" precautions...

Regardless, that was exactly it... I could have sworn that I tried that last 
night, but I obviously didn't.  So, right now it's a server pub rule with 8080 
as a custom inbound protocol and is currently all users.  Should I do the same 
thing with Web publishing rule instead so I can set NTLM auth on the listener?

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Tuesday, December 15, 2009 10:27 AM
To: isapros@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isapros] Re: Publishing proxy listener on TMG

I wouldn't call this "typical" by any means, but neither is this a unique 
request.
It's possible, but not exactly advisable for Joe Admin. No doubt you're using 
port obfuscation and auth to keep the script kiddies at bay...
Make sure the rule is set to "requests from the TMG computer" or TMG will 
try to respond via the routing table instead of the "internal-internal" socket 
map, causing the "non-SYN" log entry.

Jim

________________________________
From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] on behalf of 
Thor (Hammer of God) [thor@xxxxxxxxxxxxxxx]
Sent: Tuesday, December 15, 2009 10:07 AM
To: isalist@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
Subject: [isapros] Publishing proxy listener on TMG

Has anyone successfully published the internal network proxy listener to the 
external network on TMG?  This is trivial to do with ISA/TMG in hork mode 
(single nic) and though I *thought* I did it in ISA with the typical 
external/internal nic config, I can't get it working in TMG.  I'm either 
missing something simple, or it just no workie.

Basically, I want to be able to connect to my TMG proxy from the outside world. 
Typical stuff.  In hork mode I was doing it just fine and using NTLM auth over 
HTTP with a strong password which is just fine.

I've tried web publishing on an alternate port listener to 8080 on the internal 
interface, but get "non-SYN" errors, even after creating a rule to allow 
External->Local for the proxy traffic, and I get "bad gateway" when I just 
server publish either 8080 to the internal or even a custom protocol.  
Something's just not right.  Anyone?  Bueller?  Anyone?

t

--------------------
"Tom Shinder has custom condoms made out of Chuck Norris' junk."
Timothy "Raging Haggis" Mullen
thor@xxxxxxxxxxxxxxx
http://www.hammerofgod.com

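Jim's point further up the thread, that a Web publishing rule expects to front a Web app server rather than act as a proxy, comes down to what the browser puts on the request line. A client configured to use a proxy sends absolute-form request lines (the full URL, scheme included), while a client talking to a published web server sends origin-form (path only, with the host in the Host header). The thread does not pin down why TMG answered with that 502, so nothing below claims to; what the script does is make the two request shapes concrete. It is an added example, not code from the thread or from TMG, the sample request lines are constructed, and the function names are this example's own.

```python
"""Classify HTTP/1.x request-targets and rewrite proxy-style (absolute-form)
request lines into the origin-form an origin server expects.

Added example; the sample request lines below are constructed, not captured
from any TMG box. Function names are this example's own, not a TMG API.
"""
import re
from urllib.parse import urlsplit

# absolute-form starts with a scheme and "://" (RFC 7230 section 5.3.2)
ABSOLUTE_FORM = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

# Constructed sample request lines covering the request-target forms of RFC 7230 s.5.3.
SAMPLE_REQUEST_LINES = [
    "GET http://www.example.com/index.html HTTP/1.1",      # absolute-form: browser -> forward proxy
    "GET /index.html HTTP/1.1",                            # origin-form: browser -> origin/web server
    "CONNECT www.example.com:443 HTTP/1.1",                # authority-form: tunnel through a proxy
    "GET http://proxy.example.com:8080/wpad.dat HTTP/1.1", # absolute-form fetch of a WPAD script
    "GET gopher://old.example.com/ HTTP/1.1",              # absolute-form with a scheme a web proxy rejects
]


def parse_request_line(request_line):
    """Split 'METHOD target HTTP/x.y' into its three parts; raise on malformed input."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {request_line!r}")
    return parts[0], parts[1], parts[2]


def classify_request_target(request_line):
    """Return (form, scheme); scheme is only set for absolute-form."""
    method, target, _ = parse_request_line(request_line)
    if method == "CONNECT":
        return "authority-form", None
    if target == "*":
        return "asterisk-form", None
    if target.startswith("/"):
        return "origin-form", None
    if ABSOLUTE_FORM.match(target):
        return "absolute-form", urlsplit(target).scheme.lower()
    raise ValueError(f"unrecognised request-target: {target!r}")


def to_origin_form(request_line, allowed_schemes=("http", "https")):
    """Rewrite an absolute-form request line to (origin-form line, Host value),
    the shape a forward proxy hands to the origin server. Origin-form lines pass
    through unchanged with no Host derived; other forms and schemes outside
    allowed_schemes are rejected, mirroring a proxy that only speaks HTTP(S)."""
    form, scheme = classify_request_target(request_line)
    method, target, version = parse_request_line(request_line)
    if form == "origin-form":
        return request_line, None
    if form != "absolute-form":
        raise ValueError(f"cannot rewrite {form} request-target")
    if scheme not in allowed_schemes:
        raise ValueError(f"scheme {scheme!r} not accepted")
    parts = urlsplit(target)
    path = parts.path or "/"          # "http://host" with no path becomes "/"
    if parts.query:
        path += "?" + parts.query
    return f"{method} {path} {version}", parts.netloc


def summarise(lines=SAMPLE_REQUEST_LINES):
    """Pair each sample line with its form, for a quick look at what each side sees."""
    return [(line, classify_request_target(line)[0]) for line in lines]


if __name__ == "__main__":
    for line, form in summarise():
        print(f"{form:15} {line}")
```

Running it lists each constructed line with its form; the rewrite function is the interesting half, since it shows that a listener expecting origin-form can only serve a proxy-style client if something in front of it does that translation.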