[isapros] Re: Publishing proxy listener on TMG

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>, "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 15 Dec 2009 19:26:47 +0000

Thinking about that error, web publishing may not work for this effort.
WPRs expect to be treated as if they were a Web app server; not a proxy.
I'll bet ISA/TMG Web listeners will choke on a WPAD request (by design).
easy enough to test...

________________________________
From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] on behalf of 
Thor (Hammer of God) [thor@xxxxxxxxxxxxxxx]
Sent: Tuesday, December 15, 2009 11:18 AM
To: isapros@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isapros] Re: Publishing proxy listener on TMG

So, this is where I was last night (I *did* try it).  I can’t auth with the 
server pub rule unless I do so at the network web proxy config – doing that 
externally requires basic auth, which is poo poo.   But, it “works.”

With a WPR, I set the listener for 8080 and bridge HTTP to 8080.  So far, no 
auth just to test.  I get this:

Error Code: 502 Proxy Error. The Uniform Resource Locator (URL) does not use a 
recognized protocol. Either the protocol is not supported
or the request was not typed correctly. Confirm that a valid protocol is in use 
(for example, HTTP for a Web request).

This is what I was getting last night with “appear to originate from TMG” and 
the current WPR config.  This is true both with “forward original header” and 
not.

t


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Tuesday, December 15, 2009 10:58 AM
To: isapros@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isapros] Re: Publishing proxy listener on TMG

I can't think of any reason why a WPR shouldn't work (and be more secure, in 
the effort because you can limit HTTP methods, etc.).
Using NTLM on the listener would be interesting, since the only auth you can 
delegate from that is KCD.
This would result in S4U2Self and S4U2Proxy for the same SPN. Can't see why 
this should fail, but it seems a little backwards.

Jim
________________________________
From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] on behalf of 
Thor (Hammer of God) [thor@xxxxxxxxxxxxxxx]
Sent: Tuesday, December 15, 2009 10:52 AM
To: isapros@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isapros] Re: Publishing proxy listener on TMG
Well, “typical” in that it’s just another published service… there’s really no 
difference (to me) in publishing that or RDP or whatever as long as you take 
the “proper” precautions…

Regardless, that was exactly it… I could have sworn that I tried that last 
night, but I obviously didn’t.  So, right now it’s a server pub rule with 8080 
as a custom inbound protocol and is currently all users.  Should I do the same 
thing with Web publishing rule instead so I can set NTLM auth on the listener?

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Tuesday, December 15, 2009 10:27 AM
To: isapros@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isapros] Re: Publishing proxy listener on TMG

I wouldn't call this "typical" by any means, but neither is this a unique 
request.
It's possible, but not exactly advisable for Joe Admin. No doubt you're using 
port obfuscation and auth to keep the script kiddies at bay...
Make sure the rule is set to "requests from the TMG computer" or TMG will 
try to respond via the routing table instead of the "internal-internal" socket 
map, causing the "non-SYN" log entry.

Jim

________________________________
From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] on behalf of 
Thor (Hammer of God) [thor@xxxxxxxxxxxxxxx]
Sent: Tuesday, December 15, 2009 10:07 AM
To: isalist@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
Subject: [isapros] Publishing proxy listener on TMG
Has anyone successfully published the internal network proxy listener to the 
external network on TMG?  This is trivial to do with ISA/TMG in hork mode 
(single nic) and though I *thought* I did it in ISA with the typical 
external/internal nic config, I can’t get it working in TMG.  I’m either 
missing something simple, or it just no workie.

Basically, I want to be able to connect to my TMG proxy from the outside world. 
 Typical stuff.  In hork mode I was doing it just fine and using NTLM auth over 
HTTP with a strong password which is just fine.

I’ve tried web publishing on an alternate port listener to 8080 on the internal 
interface, but get “non-SYN” errors, even after creating a rule to allow 
External->Local for the proxy traffic, and I get “bad gateway” when I just 
server publish either 8080 to the internal or even a custom protocol.  
Something’s just not right.  Anyone?  Bueller?  Anyone?

t

--------------------
“Tom Shinder has custom condoms made out of Chuck Norris’ junk.”
Timothy “Raging Haggis” Mullen
thor@xxxxxxxxxxxxxxx
www.hammerofgod.com
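The point Jim makes in the top reply (a web publishing rule expects to front an origin server, not to act as a forward proxy) comes down to the shape of the request line: a browser talking to a configured proxy sends the full URL as the request target ("GET http://host/path HTTP/1.1", absolute-form in RFC 7230 terms), whereas a request to a published web server carries only the path ("GET /path HTTP/1.1", origin-form, with the host in the Host header). The script below is an added example, not code from the thread or from ISA/TMG; the request lines and host names in it are constructed samples. It classifies request targets by RFC 7230 form and shows the rewrite a forward proxy performs before handing a request to the upstream server, which is the transformation a reverse-proxy listener does not perform.

```python
"""Distinguish forward-proxy requests from origin-server requests by request-line form.

Added example for the isapros thread above; the sample request lines are
constructed for illustration and do not come from a real capture.
"""
import re
from urllib.parse import urlsplit

# method SP request-target SP HTTP-version, as in RFC 7230 section 3.1.1
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")


def classify_request_target(request_line):
    """Return the RFC 7230 request-target form of an HTTP/1.x request line.

    'absolute-form' is what a client sends to a configured forward proxy,
    'origin-form' is what a client (or a reverse proxy) sends to an origin
    server, 'authority-form' is a CONNECT tunnel request, 'asterisk-form'
    is a server-wide OPTIONS.
    """
    match = REQUEST_LINE.match(request_line)
    if not match:
        raise ValueError("not an HTTP/1.x request line: %r" % request_line)
    method, target = match.group(1), match.group(2)
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        return "origin-form"
    if method == "CONNECT":
        return "authority-form"
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        return "absolute-form"
    raise ValueError("unrecognized request target: %r" % target)


def is_proxy_style(request_line):
    """True if the request only makes sense when addressed to a forward proxy."""
    return classify_request_target(request_line) in ("absolute-form", "authority-form")


def to_origin_form(request_line):
    """Rewrite an absolute-form request line the way a forward proxy does.

    Returns (origin_form_request_line, host_header_value). This is the step a
    forward proxy performs before talking to the upstream server; a reverse
    proxy fronting a published web server never receives absolute-form input
    and so has no reason to perform it.
    """
    match = REQUEST_LINE.match(request_line)
    if not match or classify_request_target(request_line) != "absolute-form":
        raise ValueError("expected an absolute-form request line: %r" % request_line)
    method, target, version = match.groups()
    parts = urlsplit(target)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return "%s %s HTTP/%s" % (method, path, version), parts.netloc


def summarize(request_lines):
    """Count request-line forms in an iterable of request lines (e.g. from a log)."""
    counts = {}
    for line in request_lines:
        form = classify_request_target(line)
        counts[form] = counts.get(form, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed samples: the first two are what a browser pointed at a proxy
    # emits, the third is what a published web server expects to see.
    samples = [
        "GET http://intranet.example.test/wpad.dat HTTP/1.1",
        "CONNECT mail.example.test:443 HTTP/1.1",
        "GET /wpad.dat HTTP/1.1",
    ]
    for line in samples:
        print("%-50s %s" % (line, classify_request_target(line)))
    print(to_origin_form("GET http://intranet.example.test:8080/a?b=1 HTTP/1.1"))
    print(summarize(samples))
```

Running the script on the three constructed samples labels the first two as proxy-style (absolute-form and authority-form) and the third as origin-form; if the requests reaching a listener all come back as absolute-form, that listener is being used as a forward proxy regardless of which rule type fronts it.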
