none
Few Users get Error Message while accessing Internet through FTMG 2010 SP1 Standard

    Domanda

  • Hi

    we have FTMG 2010 SP1 Standard on Windows Server 2008 R2 SP1. we have around 2200 Users at Present in a single location. (we are university in India)

    Basic with all users required authentication and web proxy has been configured.

    HTTPS Inspection is disabled. Malware inspection and Url Filtering is enabled.

    what is happening is some of the users are getting below error message when they tried to access the internet using their id and password.

    Explanation:

    If you believe you are getting this message by mistake, try contacting your administrator or Helpdesk.
    Technical Information (for support personnel)
    • Error Code: 403 Forbidden. Forefront TMG denied the specified Uniform Resource Locator (URL). (12232)
    • IP Address: 10.30.10.252
    • Date: 3/12/2012 10:04:38 AM [GMT]
    • Server: ISA.pdpu.ac.in
    • Source: proxy

    pls help if anybody has solution. we have do the migration two days ago from ISA 2006.

    Regards

    Devang Patel

    lunedì 12 marzo 2012 10:12

Tutte le risposte

  • Hello,

    It seems here that there is a firewall rule that is blocking them.

    Please enable logging to have more information about the rule that is blocking such traffic and the cause of that.



    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    lunedì 12 marzo 2012 15:24
  •  

    Hi,

    Thank you for the post.

    What is the firewall client type of the problematic machines? And what is TMG logging tell?

    Regards,


    Nick Gu - MSFT

    martedì 13 marzo 2012 05:33
    Moderatore
  • Thanks for the reply.

    There are only two Firewall Policy Rule created. One for Allowing Ping to the local host and one for taking Remote Desktop of local host.

    The Firewall Client type is Web Proxy as all of our users uses Browser based Proxy Settings for accessing Internet. Only 4 to 8 users are facing such problem others are easily accessing the internet.

    I have captured the log as below while trying to access the internet using one of the problematic user.

    Denied Connection ISA 3/13/2012 2:28:32 PM
    Log type: Web Proxy (Forward)
    Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  
    Source: Internal (10.30.37.234:1573)
    Destination: 10.30.10.252:80
    Request: GET http://www.google.co.in/
    Filter information: Req ID: 0b5179f4; Compression: client=No, server=No, compress rate=0% decompress rate=0%
    Protocol: http
    User: anonymous
     Additional information
    Client agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0) Gecko/20100101 Firefox/10.0
    Object source: (No source information is available.)
    Cache info: 0x0
    Processing time: 1 MIME type:

    As per the log it is showing that because of no authentication is provided it has been consider that request as anonymous and blocked it but i have provided the users credential who is facing the problem.

    Thanks

    Devang

    martedì 13 marzo 2012 09:14
  • Hello again, try to uncheck the "Enforce strict RPC compliance" option Active Directory authentication section that you will find in the system policy and then check results.



    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    martedì 13 marzo 2012 15:35
  • hi

    thanks for the reply

    i have done the settings but it still not works. if i tried with other users who are able to access the internet from the browser it allows me but only users who are getting this problem not able to access yet.

    Regards

    Devang

    mercoledì 14 marzo 2012 12:28
  •  

    Hi,

    Thank you for the update.

    It seems like user credential issue. Did these problematic users belong to the same group of those worked users? If possible, would you please recreated these users and see if it works.

    Regards,


    Nick Gu - MSFT

    giovedì 15 marzo 2012 05:59
    Moderatore