Well, "typical" in that it's just another published service... there's really no difference (to me) in publishing that or RDP or whatever as long as you take the "proper" precautions...

Regardless, that was exactly it... I could have sworn that I tried that last night, but I obviously didn't. So, right now it's a server pub rule with 8080 as a custom inbound protocol and is currently all users. Should I do the same thing with a Web publishing rule instead so I can set NTLM auth on the listener?

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Tuesday, December 15, 2009 10:27 AM
To: isapros@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isapros] Re: Publishing proxy listener on TMG

I wouldn't call this "typical" by any means, but neither is this a unique request. It's possible, but not exactly advisable for Joe Admin. No doubt you're using port obfuscation and auth to keep the script kiddies at bay...

Make sure the rule is set to "requests from the TMG computer" or TMG will try to respond via the routing table instead of the "internal-internal" socket map, causing the "non-SYN" log entry.

Jim

________________________________
From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] on behalf of Thor (Hammer of God) [thor@xxxxxxxxxxxxxxx]
Sent: Tuesday, December 15, 2009 10:07 AM
To: isalist@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
Subject: [isapros] Publishing proxy listener on TMG

Has anyone successfully published the internal network proxy listener to the external network on TMG? This is trivial to do with ISA/TMG in hork mode (single nic) and though I *thought* I did it in ISA with the typical external/internal nic config, I can't get it working in TMG. I'm either missing something simple, or it just no workie.

Basically, I want to be able to connect to my TMG proxy from the outside world. Typical stuff. In hork mode I was doing it just fine and using NTLM auth over HTTP with a strong password which is just fine. I've tried web publishing on an alternate port listener to 8080 on the internal interface, but get "non-SYN" errors, even after creating a rule to allow External->Local for the proxy traffic, and I get "bad gateway" when I just server publish either 8080 to the internal or even a custom protocol. Something's just not right.

Anyone? Bueller? Anyone?

t

--------------------
"Tom Shinder has custom condoms made out of Chuck Norris' junk."

Timothy "Raging Haggis" Mullen
thor@xxxxxxxxxxxxxxx
www.hammerofgod.com <http://www.hammerofgod.com>