Friday, June 29, 2012 2:17 PM
I am trying to access a webserver from the internet and am getting 403 Forbidden errors from Forefront TMG 2010. Details on the rule I created are as follows:
Non-web publishing rule
To the internal IP of the server (Requests appear to come from the original client)
Networks - External - selected an external IP that nothing else uses (which was added to the NIC of the TMG box)
Schedule - Always
The TMG box can get to the webserver in question.
Friday, June 29, 2012 3:45 PM
In this scenario the published webserver must be a SecureNAT client when you select the option "Requests appear to come from the original client".
BTW: for webserver publishing I recommend using the Webserver Publishing feature of TMG instead of a non-web publishing rule.
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
- Proposed As Answer by Nick Gu - MSFT (Microsoft Contingent Staff, Moderator), Friday, July 06, 2012 8:04 AM
Sunday, July 01, 2012 5:47 AM (Moderator)
Thank you for the post.
Agree with Marc; you may use a web publishing rule for your internal web server. If the issue still remains, please elaborate on the publishing rule settings.
Nick Gu - MSFT
Monday, July 02, 2012 11:22 AM
Thanks for the post.
The reason that I am not using a web publishing rule is that the web server that I am using doesn't allow me to export its private key.
Tuesday, July 03, 2012 3:57 AM
A server publishing rule for protocol 'HTTPS-Server' is more than fine in scenarios where you cannot import the certificate into the TMG box properly (which makes web publishing a real pain).
The issue here was that the server publishing rule was not going into effect because of port binding issues caused by other rules/protocols in the firewall policy. There were several other rules that were inadvertently created that published port 443 across all external IP addresses, as opposed to specific IPs on the external network. Once these were all cleared up, the firewall services were bounced and no more port binding issues appeared in the Application log whenever the Firewall services were changed. The rule worked as expected at this point. (Netstat -an | find "443" also finally showed the TMG box listening on the individual external IP address for 443.)
- Marked As Answer by TMERL Saturday, July 07, 2012 4:14 AM
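The check the poster ran by hand (netstat, then eyeballing which address is listening on 443) is easy to script. The following PowerShell is an added example, not code from the thread or from TMG: it parses `netstat -ano` output, reports every TCP listener on the published port, flags wildcard bindings (0.0.0.0 or ::), which is the "published across all external IP addresses" state described above, and confirms whether the dedicated external IP of the server publishing rule is actually being listened on. The IP 203.0.113.10 and the PIDs in the sample output are constructed for illustration; on a real TMG box, omit `-NetstatLines` and the function runs netstat itself.

```powershell
# Added example (not from the original thread or from Microsoft/TMG).
# Parses `netstat -ano` so the listener check can run unattended on a
# Server 2008 R2 era box where Get-NetTCPConnection is not available.

function Get-TcpListener {
    param(
        [string[]]$NetstatLines = (netstat -ano),   # lines of netstat output
        [int]$Port = 443
    )
    foreach ($line in $NetstatLines) {
        # Columns: Proto  Local Address  Foreign Address  State  PID
        if ($line -match '^\s*TCP\s+(\S+)\s+(\S+)\s+LISTENING\s+(\d+)\s*$') {
            $local  = $Matches[1]          # e.g. 203.0.113.10:443 or [::]:443
            $procId = [int]$Matches[3]     # capture before the next -match clobbers $Matches
            if ($local -match '^(.+):(\d+)$' -and [int]$Matches[2] -eq $Port) {
                $addr = $Matches[1].Trim('[', ']')
                [pscustomobject]@{
                    LocalAddress = $addr
                    Port         = $Port
                    ProcessId    = $procId
                    # A wildcard bind owns the port on every address, so a
                    # rule tied to one specific external IP cannot bind it.
                    IsWildcard   = ($addr -eq '0.0.0.0' -or $addr -eq '::')
                }
            }
        }
    }
}

function Test-PublishedListener {
    param(
        [Parameter(Mandatory)][string]$ExpectedIp,   # dedicated external IP from the rule
        [string[]]$NetstatLines = (netstat -ano),
        [int]$Port = 443
    )
    $listeners = @(Get-TcpListener -NetstatLines $NetstatLines -Port $Port)
    $wildcard  = @($listeners | Where-Object { $_.IsWildcard })
    $specific  = @($listeners | Where-Object { $_.LocalAddress -eq $ExpectedIp })

    if ($wildcard.Count -gt 0) {
        $pids = ($wildcard | ForEach-Object { $_.ProcessId } | Sort-Object -Unique) -join ','
        Write-Warning ("Port {0} is bound on all addresses by PID(s) {1}; a rule publishing {0} on every external IP conflicts with a rule tied to {2}." -f $Port, $pids, $ExpectedIp)
    }
    if ($specific.Count -eq 0) {
        Write-Warning ("No listener on {0}:{1}; the server publishing rule is not in effect." -f $ExpectedIp, $Port)
        return $false
    }
    Write-Verbose ("Listening on {0}:{1} (PID {2})" -f $ExpectedIp, $Port, $specific[0].ProcessId)
    return $true
}

# Constructed sample output (not captured from the poster's box) showing the
# bad state: a wildcard 0.0.0.0:443 listener alongside the dedicated external IP.
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1234
  TCP    203.0.113.10:443       0.0.0.0:0              LISTENING       1234
  TCP    192.0.2.5:8080         0.0.0.0:0              LISTENING       5678
  TCP    [::]:443               [::]:0                 LISTENING       1234
'@ -split "`r?`n"

# Warns about the wildcard bind, returns $true because 203.0.113.10:443 is present.
Test-PublishedListener -ExpectedIp '203.0.113.10' -NetstatLines $sample -Verbose
```

Run it after each change to the firewall policy and a restart of the Firewall service, the same moment the poster says the port binding errors showed up in the Application log: a wildcard 443 listener at that point means some other rule or protocol definition is still claiming the port on all external addresses and needs to be pinned to its own IP before the publishing rule can bind.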