Answered Proxy chaining not working for https?

  • Thursday, December 13, 2012 6:24 PM

    I am running TMG version 7.0.9193.540 and am having some trouble with my proxy chaining: the rule I have in place works fine for all http pages, but any requests for an https page get sent out directly instead of being forwarded to the upstream proxy. Is there a way to allow https to be sent as well and if so, what could I have misconfigured to cause this behavior?

    In my environment, the TMG has 2 NICs. One NIC is on our internal network and the other NIC is Internet facing. The Web chaining rule:

    is enabled

    the action is set to "Redirect them to a specified upstream proxy" which is set to the DNS name of the internal NIC of a Bluecoat appliance on the same external and internal subnet as my TMG (both "Port" and "SSL port" are set to send on port 8080.)

    The "To" is set for the pre-defined "External" network object

    The "Bridging" is set to redirect both http and https as http requests.


All Replies

  • Friday, December 14, 2012 1:34 PM
     Proposed

    As far as I know this only happens when the clients operate as SecureNAT clients. If your clients use the TMG by using a default gateway only, that occurs. You need to configure your clients to use the TMG as a Proxy Server. The only problem is, to force those clients you need to require authentication on outbound web traffic.


    Boudewijn Plomp, BPMi Infrastructure & Security

  • Friday, December 14, 2012 7:59 PM
    Oops, sorry about not specifying the connection method! We are seeing this behavior for clients that use the Microsoft "Firewall client for ISA server" to direct traffic to the TMG servers.

  • Saturday, December 15, 2012 9:45 AM

     Answered

    Ok, then I must disappoint you. Forefront TMG does not support firewall chaining. Please refer to the following link for all unsupported configurations.

    TMG Unsupported configurations
    http://technet.microsoft.com/en-us/library/ee796231.aspx#j56ej5ej56j

    Search for "firewall chaining". This is exactly what is stated. (Please note that they mention Web Chaining as an alternative, which you would expect to work for your HTTPS traffic.)

    Forefront TMG does not support firewall chaining

    Issue: Forefront TMG does not support firewall chaining.

    Cause: Firewall chaining has been deprecated and is no longer supported by Forefront TMG.

    Solution: Configure your downstream servers as SecureNAT clients of the upstream server, or use Web chaining.

    Boudewijn Plomp, BPMi Infrastructure & Security