Thinking about that error, web publishing may not work for this effort. WPRs expect to be treated as if they were a Web app server; not a proxy. I'll bet ISA/TMG Web listeners will choke on a WPAD request (by design). Easy enough to test...

________________________________
From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] on behalf of Thor (Hammer of God) [thor@xxxxxxxxxxxxxxx]
Sent: Tuesday, December 15, 2009 11:18 AM
To: isapros@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isapros] Re: Publishing proxy listener on TMG

So, this is where I was last night (I *did* try it). I can’t auth with the server pub rule unless I do so at the network web proxy config – doing that externally requires basic auth, which is poo poo. But, it “works.”

With a WPR, I set the listener for 8080 and bridge HTTP to 8080. So far, no auth just to test. I get this:

Error Code: 502 Proxy Error. The Uniform Resource Locator (URL) does not use a recognized protocol. Either the protocol is not supported or the request was not typed correctly. Confirm that a valid protocol is in use (for example, HTTP for a Web request).

This is what I was getting last night with “appear to originate from TMG” and the current WPR config. This is true both with “forward original header” and not.

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Tuesday, December 15, 2009 10:58 AM
To: isapros@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isapros] Re: Publishing proxy listener on TMG

I can't think of any reason why a WPR shouldn't work (and be more secure, in the effort because you can limit HTTP methods, etc.). Using NTLM on the listener would be interesting, since the only auth you can delegate from that is KCD. This would result in S4U2Self and S4U2Proxy for the same SPN. Can't see why this should fail, but it seems a little backwards.

Jim

________________________________
From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] on behalf of Thor (Hammer of God) [thor@xxxxxxxxxxxxxxx]
Sent: Tuesday, December 15, 2009 10:52 AM
To: isapros@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isapros] Re: Publishing proxy listener on TMG

Well, “typical” in that it’s just another published service… there’s really no difference (to me) in publishing that or RDP or whatever as long as you take the “proper” precautions…

Regardless, that was exactly it… I could have sworn that I tried that last night, but I obviously didn’t. So, right now it’s a server pub rule with 8080 as a custom inbound protocol and is currently all users. Should I do the same thing with a Web publishing rule instead so I can set NTLM auth on the listener?

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Tuesday, December 15, 2009 10:27 AM
To: isapros@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isapros] Re: Publishing proxy listener on TMG

I wouldn't call this "typical" by any means, but neither is this a unique request. It's possible, but not exactly advisable for Joe Admin. No doubt you're using port obfuscation and auth to keep the script kiddies at bay...

Make sure the rule is set to "requests from the TMG computer" or TMG will try to respond via the routing table instead of the "internal-internal" socket map, causing the "non-SYN" log entry.

Jim

________________________________
From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] on behalf of Thor (Hammer of God) [thor@xxxxxxxxxxxxxxx]
Sent: Tuesday, December 15, 2009 10:07 AM
To: isalist@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
Subject: [isapros] Publishing proxy listener on TMG

Has anyone successfully published the internal network proxy listener to the external network on TMG?

This is trivial to do with ISA/TMG in hork mode (single NIC) and though I *thought* I did it in ISA with the typical external/internal NIC config, I can’t get it working in TMG. I’m either missing something simple, or it just no workie.

Basically, I want to be able to connect to my TMG proxy from the outside world. Typical stuff. In hork mode I was doing it just fine and using NTLM auth over HTTP with a strong password, which is just fine.

I’ve tried web publishing on an alternate port listener to 8080 on the internal interface, but get “non-SYN” errors, even after creating a rule to allow External->Local for the proxy traffic, and I get “bad gateway” when I just server publish either 8080 to the internal or even a custom protocol. Something’s just not right.

Anyone? Bueller? Anyone?

t

--------------------
“Tom Shinder has custom condoms made out of Chuck Norris’ junk.”
Timothy “Raging Haggis” Mullen
thor@xxxxxxxxxxxxxxx<mailto:thor@xxxxxxxxxxxxxxx>
www.hammerofgod.com<http://www.hammerofgod.com>
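The 502 "URL does not use a recognized protocol" reply and Jim's point that a Web Publishing Rule expects to front a web server rather than a proxy come down to the shape of the HTTP request-target. A client configured to use a proxy sends the target in absolute-form ("GET http://host/path HTTP/1.1") or, for TLS, authority-form ("CONNECT host:443 HTTP/1.1"); a listener that publishes a web server expects origin-form ("GET /path HTTP/1.1"), which is also what TMG produces when it re-issues a request to the published server. The Python below is an added illustration written for this thread, not code from the list, from Microsoft or from any TMG component; the two `*_listener_verdict` functions are a deliberately simplified model of the two listener types (real TMG applies many more checks), and the request lines fed to them are constructed samples.

```python
"""Classify HTTP request-targets and model why a reverse-proxy (web
publishing) listener rejects what a forward-proxy client sends.

Added example for the isapros thread; it models listener behaviour in a
simplified way and does not reproduce TMG's actual code or policy engine.
"""
from urllib.parse import urlsplit


def classify_request_target(request_line):
    """Return the RFC 7230 request-target form used in a request line."""
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        # CONNECT carries host:port only (authority-form), used for TLS tunnels.
        return "authority-form"
    if target == "*":
        # "OPTIONS * HTTP/1.1" (asterisk-form).
        return "asterisk-form"
    if target.startswith("/"):
        # Path only; the destination host lives in the Host header.
        return "origin-form"
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        # Full URL on the request line: what a browser sends to a proxy.
        return "absolute-form"
    return "unknown"


def web_listener_verdict(request_line):
    """Simplified model of a published-web-server (WPR) listener.

    Only origin-form is meaningful here: the listener already knows which
    published server to forward to, so a full URL or CONNECT target is
    treated as a malformed request. The text mirrors the 502 error quoted
    in the thread (status/reason are the model's own choice).
    """
    form = classify_request_target(request_line)
    if form in ("origin-form", "asterisk-form"):
        return (200, "forwarded to published server")
    return (502, "URL does not use a recognized protocol")


def proxy_listener_verdict(request_line):
    """Simplified model of a forward-proxy (web proxy) listener.

    The proxy needs the destination on the request line; an origin-form
    request gives it no host to connect to, so it cannot be routed.
    """
    form = classify_request_target(request_line)
    if form in ("absolute-form", "authority-form"):
        return (200, "proxied to destination")
    return (400, "cannot determine destination host")


def to_origin_form(request_line):
    """Rewrite an absolute-form request line into origin-form plus a Host header.

    This is the transformation a reverse proxy performs before handing the
    request to the published server; it is the only shape that server expects.
    Raises ValueError for targets that are not absolute-form.
    """
    if classify_request_target(request_line) != "absolute-form":
        raise ValueError("only absolute-form targets can be rewritten")
    method, target, version = request_line.split(" ", 2)
    parts = urlsplit(target)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return (f"{method} {path} {version}", f"Host: {parts.netloc}")


if __name__ == "__main__":
    # Constructed sample request lines; example.com is a placeholder host.
    samples = [
        "GET http://www.example.com/index.html HTTP/1.1",  # browser -> proxy
        "CONNECT www.example.com:443 HTTP/1.1",            # browser -> proxy (TLS)
        "GET /index.html HTTP/1.1",                        # browser -> web server
    ]
    for line in samples:
        print(f"{line!r}: {classify_request_target(line)}")
        print("  web listener  ->", web_listener_verdict(line))
        print("  proxy listener->", proxy_listener_verdict(line))
```

The practical reading for the thread: publishing the 8080 proxy listener behind a WPR means the external client's absolute-form requests reach a listener that wants origin-form, which is the 502 Thor sees; only a server publishing rule (or a forward-proxy listener on the external network) passes the request-target through unchanged.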