Answered anonymous access

  • Wednesday, April 11, 2012 1:42 PM
     
     

    I have a strange problem and would like help from you guys,

    Looking at the logs on my server TMG today, I came across something strange,
     
    Some users here in the company access the email through the web, and the rule http / https is set with WebFilter,
    and a group was created in AD, and consequently this group is in the Users tab of this rule in TMG, i.e. access will always be authenticated.
     
    The users can access normally, but the logs record denied access from the client PC to the TMG server
    before those users get access, as follows:

    10/04/2012 18:57:17 Denied Connection HPML350
    Log type: Web Proxy (Forward)
    Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
    Rule: Acesso_Restrito
    Source: Internal (192.168.0.144:54224)
    Destination: External (192.168.0.4:8080)
    Request: GET http://mail.terra.com.br/
    Filter information: Req ID: 1374bfe2; Compression: client = No, server = No, compress rate = 0% decompress rate = 0%
    Protocol: http
    User: anonymous
     
    and then access proceeds normally:
     
     10/04/2012 18:57:18 Allowed Connection HPML350
    Log type: Web Proxy (Forward)
    Status: 200 OK.
    Rule: Acesso_Restrito
    Source: Internal (192.168.0.144:54224)
    Destination: External (208.84.244.144:80)
    Request: GET http://mail.terra.com.br/
    Filter information: Req ID: 1374bfe4; Compression: client = No, server = Yes, compress rate = 0% decompress rate = 136%
    Protocol: http
    User: company \ Felipe

    What could this be?


    MCP

All Replies

  • Wednesday, April 11, 2012 2:32 PM
     
     
    That's how Internet Explorer works: it will first try to send the request to the proxy assuming it won't require authentication. When that call fails it will authenticate; that's what you're seeing in the logs.
    • Proposed As Answer by Anders Janson Wednesday, April 11, 2012 2:38 PM
    • Unproposed As Answer by Daniel_Lima Wednesday, April 11, 2012 4:44 PM
  • Wednesday, April 11, 2012 4:44 PM
     
     

    Thanks for the reply,

    However, this is the first time it occurs; this situation has never happened on another occasion.

    How do I solve it?


    MCP

  • Wednesday, April 11, 2012 6:19 PM
     
     

    There is nothing to solve.

    By default TMG will try anonymous access.  Your rules are requiring authentication, so it tries the page again, passing the credentials, and loads successfully.

    If you don't want to see that first rejection in the logs, then don't require auth to access the webpage. (Not a real answer)

  • Thursday, April 12, 2012 6:11 AM
    Moderator
     
     Proposed Answer

    Hi,

    Thank you for the post.

    I agree with Dvizzle. A web proxy client makes its initial request anonymously. If there are no policies allowing anonymous access to the requested destination, the ISA firewall responds with a challenge for authentication in the form of an HTTP 407 response (proxy authentication required). The client then resubmits the request, this time providing credentials to the firewall. This transaction is completely transparent to the end user. The credentials supplied to the ISA firewall are that of the current logged on user. If the user does not have permission, the ISA firewall denies the request without prompting. This behavior is by design.

    Regards,


    Nick Gu - MSFT
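
    The anonymous-then-authenticated exchange described in the reply above can be filtered out of the proxy log so that only denials never followed by an authenticated retry remain. The following is an added example, not part of the thread and not a TMG feature; the record layout follows the entries quoted in the question, and the sample records, the day/month/year date order, the 5-second window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, in the layout of the log entries quoted in the question.
SAMPLE = """\
10/04/2012 18:57:17 Denied Connection HPML350
Status: 12209 Forefront TMG requires authorization to fulfill the request.
Source: Internal (192.168.0.144:54224)
Request: GET http://mail.terra.com.br/
User: anonymous
10/04/2012 18:57:18 Allowed Connection HPML350
Status: 200 OK.
Source: Internal (192.168.0.144:54224)
Request: GET http://mail.terra.com.br/
User: company\\Felipe
10/04/2012 19:02:40 Denied Connection HPML350
Status: 12209 Forefront TMG requires authorization to fulfill the request.
Source: Internal (192.168.0.77:50111)
Request: GET http://example.test/
User: anonymous
"""
HEAD = re.compile(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Denied|Allowed) Connection")

def parse(text):
    """Turn the text into one dict per log entry; a header line starts a new entry."""
    records = []
    for line in text.splitlines():
        m = HEAD.match(line.strip())
        if m:  # assumption: dates are day/month/year, as in the quoted entries
            when = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S")
            records.append({"time": when, "action": m.group(2)})
        elif records and ": " in line:
            key, _, value = line.strip().partition(": ")
            records[-1][key] = value
    for rec in records:  # client IP without the ephemeral source port
        rec["ip"] = re.search(r"\(([\d.]+):", rec.get("Source", "(0.0.0.0:")).group(1)
    return records

def unmatched_denials(records, window=timedelta(seconds=5)):
    """Anonymous 12209 denials with no authenticated allow for the same client
    and request within `window`; answered denials are the expected challenge."""
    def answered(d):
        return any(a["action"] == "Allowed" and a.get("User", "anonymous") != "anonymous"
                   and a["ip"] == d["ip"] and a.get("Request") == d.get("Request")
                   and timedelta(0) <= a["time"] - d["time"] <= window for a in records)
    return [d for d in records
            if d["action"] == "Denied" and d.get("Status", "").startswith("12209")
            and d.get("User") == "anonymous" and not answered(d)]
```

    Denials returned by `unmatched_denials` are the ones worth reviewing: a client that was challenged and never came back with credentials.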

  • Thursday, April 12, 2012 1:02 PM
     
     

    I discovered a few things, among them that on my internal network (Networks), Auto Discovery is configured on port 8080,
    and so is the Web Proxy tab.
     
    We also have the wpad.dat configured in dhcp as follows
    http://HPML350.empresa.local:8080/wpad.dat

    hpml350.empresa.local is the TMG server

     
    My doubt is whether these settings are correct, but I looked at the log in detail today: it tries to go out on port 8080
    and then goes out on port 80.
     
    The IE settings on the clients also point
    to port 8080.
     
    Is this a problem?


    MCP

  • Thursday, April 12, 2012 1:11 PM
     
     

    Perhaps we don't understand you correctly. If you're actually having a problem, you should try to explain it again; if you're just worried about the messages in the log: it's how it works, just check the RFC: http://www.ietf.org/rfc/rfc2068.txt

  • Thursday, April 12, 2012 2:19 PM
     
     
    OK, sorry.

    The internet access is slow and we think this is the problem: before the page that a user wants to access appears, it takes a few seconds; it first tries anonymous access, and this is because of the wpad configuration, configured automatically on the client computers.
    The wpad configuration entry in Internet Explorer makes each client try to access port 8080.

    MCP

  • Thursday, April 12, 2012 2:32 PM
     
     
    Did you try to configure TMG to require authentication?


    Best regards
    Dubravko Marak
    MCP
    Blog: Windows Server Administration

  • Thursday, April 12, 2012 3:17 PM
     
     

    Is this occurring on all pages or a specific one?

    You could try the following to pinpoint the cause (check after each)

    -Configure the proxy in IE instead of using wpad

    -try connecting to the site without using tmg

    -disable the rule with the group in it

    -try using a different browser (older IE versions can be very slow on some sites, try Chrome or Firefox)

    Lemme know the results of these tests.

  • Thursday, April 12, 2012 3:39 PM
     
     

    Again I ask forgiveness,

    I am Brazilian and maybe I'm not able to express myself very well.
    Here in Brazil I got no answers about this problem, so I'm quoting you guys.
    In Internet Explorer each client is configured with the default port 8080.
    In the TMG rule the client is always asked for authentication to go out.
    What happens is that when a client tries to access a page, TMG attempts to authenticate on port 8080 and does not get access because this port is not in the rule; it tries to go out as anonymous, and after not getting access it goes out through port 80 (HTTP protocol), which exists in the rule.
    During this time trying to authenticate on port 8080 there is a certain slowness.
    However, if I set up Internet Explorer to use only port 80, I do not have this error.
    But I have 500 users, and want to try this configuration automatically.
    I do not know the difference between port 8080 and port 80, I also do not know if I can change this in TMG on my internal network, and I also do not know if I can change this in wpad to configure the client on port 80 instead of port 8080.
    I do not know the impact of such a change in terms of security.


    MCP

  • Tuesday, April 17, 2012 5:46 AM
    Moderator
     
     Answered

    Hi,

    Thank you for the update.

    By default, ISA Server listens for outbound proxy requests from Web proxy clients in the Internal network on port 8080. Please refer to this link: http://www.isaserver.org/tutorials/Configuring-Web-Proxy-Automatic-Discovery-WPAD-Forefront-Threat-Management-Gateway-TMG-2010.html

    Regards,


    Nick Gu - MSFT