Web Server Publishing Rule

    Question

  • Good Morning All.

    I'm having issues with TMG and my Web Server Publishing rules. Most of the time the logs show 'Status: The Policy Rules do not allow the user request'.  Strangely from time to time I can access the server. 

    Regards,

    Steve.
    Tuesday, March 9, 2010 12:27

Answers

  • Good Morning.

    I have checked and rechecked the web listener and it makes no difference if it's configured for all external IPs or the external selected .82 address.
    Again there is nothing listening on port 80 via netstat.


    I brought a new identically configured TMG H-VM guest up in parallel, on the same host on an adjacent public IP.
    It functions perfectly with the rules imported from the original TMG guest and the original .82 public IP.

    ***

    C:\Users\Administrator>netstat -ano | findstr :80
      TCP    ***.***.***.82:80        0.0.0.0:0              LISTENING       2424
      TCP    ***.***.***.89:80        0.0.0.0:0              LISTENING       2424


    ***

    I have no idea what the difference is between the broken and the new functional TMG.

    Regards,

    Steve.

    Wednesday, March 17, 2010 10:55

All replies

  • Steve,
    More info required on this one...
    What's the actual client experience?  What exactly do you mean by "having issues".  Does the client reach the page at all?  Only parts of the page load?  Certain links have issues? Is there a particular error message the client sees?  If you refresh, does the page load?

    On the TMG server...
    Is this an SSL site you're publishing?  Is the site Sharepoint, OWA, other website? Are you publishing other sites and do they experience this issue...or just this one published site?  If you require authentication, what authentication method are you using on the Web Listener?
    Also, can you provide more details on the log entry?

    Regards,
    Richard Barker (MSFT)
    Tuesday, March 9, 2010 15:20
  • Hi Richard.

    The HTTP (non-SSL webmail) server is internally reachable via FQDN and passes the TMG pathping. Public DNS resolves properly via nslookup. When I type my public server website address in an external client's browser I usually receive 'Error Code 10060: Connection timeout'. In parallel, when I look at the TMG logs they state 'Policy Rules do not allow the user request' alongside the client's public address. The link is barely used; SMTP rules with the same public addresses are fine. No authentication is required or used.

    TMG log:
    ***
    Denied Connection FTMG 09/03/2010 17:53:36
    Log type: Firewall service
    Status: The policy rules do not allow the user request. 
    Rule: Default rule
    Source: External (***.***.***.250:24087)
    Destination: Local Host (***.***.***.82:80)
    Protocol: HTTP
    ***

    Regards,

    Steve.
    Tuesday, March 9, 2010 17:55
  • Sounds like you have one Web Listener...and presumably only one Web Publishing rule.  There are many possible causes for this one.  Essentially, it's claiming that the inbound request does not match any of the policy rules.  Also misconfigured TMG Network objects can possibly cause this.

    Some things to check:
    -If the TMG is a single-nic, make sure all IP ranges are included in TMG's Internal network object.
    -If the TMG is multi-homed, make sure the Local Host address (***.***.***.82) shown in the log is not included in the address range(s) specified in TMG's Internal network object.
    -Properties of Web Listener-Connections tab-Enable HTTP connections is checked and set to 80
    -Properties of Web Listener-Networks tab has the proper network selected..and correct IP if selected
    -IIS (or other web server) is not running on the machine
    -Publishing rule properties-Listener-correct listener is selected (if more than one listener is configured).
    -Publishing rule properties-Public Name tab contains the correct domain name for the request
    -Publishing rule properties-Paths tab contains the proper path entry/entries to allow the request


    Regards,
    Richard Barker (MSFT)
    Wednesday, March 10, 2010 20:34

  • Good Morning Richard.

    I have 1 web listener for 5 web publishing rules. 
    The .82 address is not part of the internal network and is the TMG's public address
    The Web listener is on the external network (selected IP ***.***.***.82) and HTTP is enabled with port 80 selected.
    IIS is not installed on the TMG Hyper-V VM.  Netstat shows there is NOTHING listening on port 80.
    Publishing rules have correct domain and path entries.

    Occasionally when I can connect TMG logs show:

    ***
    Allowed Connection FTMG 11/03/2010 09:53:54
    Log type: Web Proxy (Reverse)
    Status: 302 Moved Temporarily
    Rule: HTTP Webmail someurl.co.uk <-
    Source: External (***.***.***.250:54788)
    Destination: Local Host (172.16.1.25:80)
    Request: GET http://someurl.uk/ <-
    Filter information: Req ID: 09789179; Compression: client=No, server=No, compress rate=0% decompress rate=0%
    ***

    When there is a successful connect, netstat shows something like: 'TCP ***.***.***.82:80  ***.***.***.***:54320 ESTABLISHED'


    Regards,

    Steve.

    Thursday, March 11, 2010 10:16
  • Interesting...
    So if you run:

    netstat -ano | findstr :80

    You do not see <externalIP>:80 set to LISTENING?

    Also, you have 4 other web publishing rules.  Are those sites working?

    Regards,
    Richard Barker (MSFT)
    Thursday, March 11, 2010 15:05

  • Hello Richard.

    ***
    C:\>netstat -ano | findstr :80
      TCP    ***.***.***.82:10479   65.54.89.16:80     CLOSE_WAIT      2420
      TCP    127.0.0.1:8008             0.0.0.0:0              LISTENING          4
      TCP    127.0.0.1:8080             0.0.0.0:0              LISTENING          2420
      TCP    172.16.1.129:8080        0.0.0.0:0              LISTENING          2420
    ***

    All of the web server publishing rules don't function. No internal sites are reachable through TMG.
    All sites function properly (internally) via FQDN.
    I would have expected to see a netstat entry similar to '***.***.***.82:80 LISTENING' per HTTP listener?
    I can bring up another TMG VM on the same host (built from scratch) to see if it exhibits the same behaviour.

    Regards,

    Steve.



    Thursday, March 11, 2010 16:23
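An added example, not from this thread, that parses `netstat -ano` output of the kind pasted above. The addresses are constructed, with 203.0.113.82 standing in for the masked external IP; it shows that `findstr :80` is a loose filter (it also matches :8008, :8080 and a remote peer's port 80), while the strict test for a LISTENING local socket on the external IP is what actually separates the broken host from a working one.

```python
import re
from typing import NamedTuple, Optional

# Constructed samples modelled on the thread's output (203.0.113.x replaces the masked IPs).
NETSTAT_BROKEN = """\
  TCP    203.0.113.82:10479     65.54.89.16:80         CLOSE_WAIT      2420
  TCP    127.0.0.1:8008         0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       2420
  TCP    172.16.1.129:8080      0.0.0.0:0              LISTENING       2420
"""
NETSTAT_WORKING = """\
  TCP    203.0.113.82:80        0.0.0.0:0              LISTENING       2424
  TCP    203.0.113.89:80        0.0.0.0:0              LISTENING       2424
"""

class Socket(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote: str
    state: str
    pid: int

# Windows netstat -ano TCP line: proto, local addr:port, remote addr:port, state, PID.
# UDP lines carry no state column and are deliberately not matched.
LINE_RE = re.compile(r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text: str) -> list:
    """Parse TCP rows into Socket tuples; unparseable rows are skipped."""
    rows = [LINE_RE.match(line) for line in text.splitlines()]
    return [Socket(m[1], m[2], int(m[3]), m[4], m[5], int(m[6])) for m in rows if m]

def listeners_on(socks: list, port: int, ip: Optional[str] = None) -> list:
    """Local sockets actually LISTENING on `port`, bound to `ip` or to all interfaces."""
    return [s for s in socks if s.state == "LISTENING" and s.local_port == port
            and (ip is None or s.local_ip in (ip, "0.0.0.0"))]

def loose_findstr(text: str, needle: str = ":80") -> list:
    """What `findstr :80` really returns: any line containing the substring."""
    return [line for line in text.splitlines() if needle in line]

def listener_check(text: str, ip: str, port: int = 80) -> tuple:
    """(ok, detail) for the expected web-listener binding on the external IP."""
    hits = listeners_on(parse_netstat(text), port, ip)
    if hits:
        return True, f"{ip}:{port} LISTENING (pid {hits[0].pid})"
    loose = len(loose_findstr(text, f":{port}"))
    return False, f"no LISTENING socket on {ip}:{port}; findstr ':{port}' still matched {loose} line(s)"
```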
  • Hi,

    Please check the publishing rule and confirm the web listener is on the external network (.82). If you publish correctly, you will find something like: “TCP  ***.***.***.82:80 LISTENING”

    Regards,


    Nick Gu - MSFT
    Wednesday, March 17, 2010 09:42
    Moderator
  • Is anything showing up in the Alerts tab? Anything about a Resource Allocation Conflict?
    Wednesday, March 17, 2010 14:36
    Answerer
  • Hello Keith.

    Nothing relating to resource allocation, with Alerts or reporting.
    I'm currently migrating rules from the broken TMG to the functioning server.
    I still would like to investigate the publishing issue.

    Regards,

    Steve.

    Thursday, March 18, 2010 12:50
  • Hi Badger,

    One more question: do you have IIS installed on the TMG?


    Charbel Hanna
    Friday, April 2, 2010 15:52
  • Hi,

    Sorry to jump into the discussion here but I do have the EXACT same issue.

    I have 2 HTTP websites, 1 FTP, 1 Sharepoint, 1 OWA and 1 active sync.

    Everything works internally (LAN + DMZ) using FQDN, and NOTHING from the WAN.

    On OWA, I get the TMG login screen and then the usual 408 Time out error.

    As I have the Edge Exchange server on my TMG as well, I'd like to find a fix as rebuilding the box is not quite an option...

    Wednesday, April 7, 2010 14:11
  • Hi,

    I also have the same issue (currently on another thread) which I can't solve: listener not listening, nothing showing on netstat, although apparently correctly configured.

    The difference is that I also have IIS on the same machine.

    I have two things to share/ask:

    - For those with only 1 combined ISA and web server machine: add a server publishing rule for all HTTP and HTTPS. As such, you don't need the web publishing rules anymore. This worked for me (until now, because now I have more than just 1 server)

    - As a clean VM solved the issue: should I do the same? On the same server, run 2 VMs: one with only ISA, and the other with all the rest?

    As I've never used VMware: where/how do I start? Do I need additional SBS licenses for 2 images on the same machine?

     Badger: can you give me some basic high level steps/instructions, and which software to use?

    Cheers,

    Christof

    Thursday, April 8, 2010 10:44
  • Hi Christof,

    You should not install IIS on your TMG server, since the TMG will not be able to successfully bind a web publishing rule. It is preferable to have a separate machine and configure it as a web server, then configure web publishing on your TMG machine.

    regards,


    Charbel Hanna
    Friday, April 9, 2010 17:47
  • Hi Badger,

    It's been a while since this thread has been opened. Did you figure out what went wrong with your first TMG server?


    Shijaz Abdulla | Microsoft Qatar | Blog: microsoftnow.com
    Thursday, August 19, 2010 11:07
    Owner
  • Hello Shijaz.

    I'm afraid I could not successfully resolve the issue and rebuilt the TMG slice.

    Regards,

    Steve.

    Tuesday, August 24, 2010 15:18
  • Hi,

    I managed to uninstall IIS on the TMG box and since then, I have full access to the web servers in the DMZ.

    For OWA and ActiveSync, it's under way but having a back to back config doesn't help...

    Finally, the FTP is still not working though.

    Regards,

    Wednesday, August 25, 2010 14:10