TMG Firewall Client and Auto Configuration Script
-
Friday, June 01, 2012 9:46 PM
We are currently running a setup in our environment where we have installed the TMG Firewall Client and have it auto configuring the web browser via a proxy auto configuration script. I have noticed something happening that I hope someone can shed some light on.
Now I know Google Drive does not support authentication-required proxies, but with only using the TMG Firewall Client (and unchecking the web browser settings) Google Drive will connect without any issues, which makes sense because the user's credentials will be passed automatically via the client. When I leave everything alone and let the firewall client auto configure the web browser, Google Drive stops working and logs show that authentication is required.
I added the Google websites into the "Directly Access these servers or domains" within the Web Browser tab on the server, to which my understanding means the browser will try and bypass the TMG Proxy server for addresses in that list. I would also assume if the web browser is bypassing the proxy for addresses in that list then the Firewall Client would then pick that traffic up since the sites are not listed in the Domains tab. And in Google Drive's case it would then be able to authenticate since it would not be using the web proxy settings and the client would pass credentials. This is not happening in my testing of this situation.
I guess my question is, if you have the TMG Firewall Client auto configuring the web browser, when will it pass user credentials automatically if the web proxy is always being used due to being configured? It seems that the web proxy filter is taking priority but is never "falling back" to the TMG Client's ability to seamlessly pass credentials when needed. I hope this makes sense....
Thanks!
All Replies
-
Saturday, June 02, 2012 5:09 AM
You need to implement the Web Proxy Automatic Discovery protocol to define that the following domains should be accessed directly, bypassing the proxy (i.e. proxy authentication).
Web Proxy Automatic Discovery (WPAD) protocol: http://technet.microsoft.com/en-us/library/cc995258.aspx
Google Drive Firewall and Proxy Settings: https://support.google.com/drive/bin/answer.py?hl=en&answer=2589954&topic=14951&ctx=topic
Google Drive for your PC/Mac:
www.google.com:443/HTTPS
accounts.google.com:443/HTTPS
clients3.google.com:443/HTTPS
talk.google.com:5222/XMPP
drive.google.com:443/HTTPS
www.googleapis.com:443/HTTPS
ssl.gstatic.com:443/HTTPS
*.docs.google.com:443/HTTPS
*.drive.google.com:443/HTTPS
*.googleusercontent.com:443/HTTPS
Google Drive on the web:
s.ytimg.com:443/HTTPS
video.google.com:443/HTTPS
lh3.google.com:443/HTTPS
lh4.google.com:443/HTTPS
lh5.google.com:443/HTTPS
lh6.google.com:443/HTTPS
Nathan Storms | The Architect Evangelist
- Proposed As Answer by NathanStorms Saturday, June 02, 2012 5:09 AM
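The host list above is what ends up in a proxy auto-configuration (PAC) script as DIRECT entries, and a PAC file is what the TMG "auto configure script" hands the browser. The following is an added example, not TMG's generated script and not code from anyone in this thread: a minimal FindProxyForURL that returns DIRECT for the listed Google Drive hosts and sends everything else to a proxy. The proxy address is a placeholder, and shExpMatch is re-implemented because Node does not provide the PAC runtime helpers. Note that talk.google.com:5222 (XMPP) is not browser traffic, so a PAC file never sees it; only the Firewall Client can handle that flow.

```javascript
"use strict";

// PAC runtimes provide shExpMatch; Node does not, so it is re-implemented
// here with the browser's semantics: '*' matches any run of characters,
// '?' matches a single character, matching is case-insensitive.
function shExpMatch(str, shexp) {
  const re = "^" + shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// Placeholder proxy address (constructed for this example, not a real host).
const PROXY = "PROXY tmg.example.internal:8080";

// Exact hosts from the "Google Drive for your PC/Mac" and "on the web" lists.
const DIRECT_HOSTS = [
  "www.google.com", "accounts.google.com", "clients3.google.com",
  "drive.google.com", "www.googleapis.com", "ssl.gstatic.com",
  "s.ytimg.com", "video.google.com",
  "lh3.google.com", "lh4.google.com", "lh5.google.com", "lh6.google.com",
];

// Wildcard entries from the same list. A leading "*." pattern does NOT match
// the bare parent domain (docs.google.com), only hosts beneath it.
const DIRECT_PATTERNS = [
  "*.docs.google.com", "*.drive.google.com", "*.googleusercontent.com",
];

// Standard PAC entry point: the browser calls this for every URL and uses
// the returned string to decide whether to open a direct connection
// (no proxy authentication) or to send the request to the proxy.
function FindProxyForURL(url, host) {
  const h = host.toLowerCase();
  for (const exact of DIRECT_HOSTS) {
    if (h === exact) return "DIRECT";
  }
  for (const pattern of DIRECT_PATTERNS) {
    if (shExpMatch(h, pattern)) return "DIRECT";
  }
  return PROXY;
}

// Sample URLs (constructed) showing which way each request would go.
const SAMPLE_URLS = [
  ["https://drive.google.com/", "drive.google.com"],
  ["https://abc.docs.google.com/doc", "abc.docs.google.com"],
  ["https://docs.google.com/", "docs.google.com"],
  ["https://example.com/", "example.com"],
];
for (const [url, host] of SAMPLE_URLS) {
  console.log(host, "->", FindProxyForURL(url, host));
}
```

A DIRECT result only tells the browser not to use the web proxy; whether the Firewall Client then transparently picks up that connection is a separate question and is exactly what the original poster is testing.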
-
Monday, June 04, 2012 3:12 PM
I guess that's my point. We are using the installed TMG client, which detects the TMG server via the ADMarker process, which is then set to automatically configure the web browser using an auto configure script. Within the TMG server configuration options there is a Web Browser tab that allows you to set directly accessed websites. This tab is separate from the Domains tab which tells the Firewall Client which domains belong to the network and are to be accessed directly. I can verify that adding a site into the Web Browser directly accessed list does in fact update correctly into the auto-configure script that the computer uses.
But this does not seem to be bypassing the site correctly since the web traffic shows the computer is being denied due to needing to authenticate. If the computer is in fact receiving the script that is telling the web browser to directly access the google websites why would it still be hitting the TMG server as a web proxy client and being prompted for credentials? My thinking would be the web browser bypasses it but the firewall client would then pick up that traffic, since I didn't specify the google sites in the Domains tab on the server, and then be able to authenticate.
We do in fact have WPAD published on our network as well, but the auto-configuration script seems like the better solution at the moment for us.
-
Tuesday, June 05, 2012 6:35 AM
Moderator
Hi,
Thank you for the post.
Please also refer to this link to bypass TMG client: http://technet.microsoft.com/en-us/library/cc995133.aspx.
Regards,
Nick Gu - MSFT
- Marked As Answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator, Sunday, June 10, 2012 4:06 AM
- Unmarked As Answer by Brian635 Wednesday, June 13, 2012 3:14 PM
-
Monday, June 11, 2012 5:27 PM
Thanks for the link but I am still having this issue and am unable to resolve/figure it out. Everything seems to be correctly setup but the browser is still sending traffic to domains I've marked as wanting to bypass through the TMG server. I can add a domain exception into the Web Browser tab or the Domains tab in the TMG management console, verify those exceptions update into the autoconfiguration script, but still have the browser hit the TMG server when it goes to them.
Is there any special configuration that needs to be done to get this to work with truly external websites and domains? Is it supposed to be as easy as adding, for example, *.google.com into the Domains or Web Browser tab as an exception, and the browser should then not pass traffic to any site under that domain through TMG? I'm just lost as to why this is not working, since it seems like it should be fairly straightforward using the TMG management console and its options.