Tuesday, 9 March 2010 12:27
Good Morning All.
I'm having issues with TMG and my Web Server Publishing rules. Most of the time the logs show 'Status: The Policy Rules do not allow the user request'. Strangely, from time to time I can access the server.
All replies
Tuesday, 9 March 2010 15:20
Steve,
More info required on this one...
What's the actual client experience? What exactly do you mean by "having issues". Does the client reach the page at all? Only parts of the page load? Certain links have issues? Is there a particular error message the client sees? If you refresh, does the page load?
On the TMG server...
Is this an SSL site you're publishing? Is the site SharePoint, OWA, or another website? Are you publishing other sites, and do they experience this issue, or just this one published site? If you require authentication, what authentication method are you using on the Web Listener?
Also, can you provide more details on the log entry?
Richard Barker (MSFT)
Tuesday, 9 March 2010 17:55
Hi Richard.
The HTTP (non-SSL webmail) server is internally reachable via FQDN and passes the TMG pathping. Public DNS resolves properly via nslookup. When I type my public server website address in an external client's browser I usually receive 'Error Code 10060: Connection timeout'. In parallel, when I look at the TMG logs, they state 'Policy Rules do not allow the user request' alongside the client's public address. The link is barely used; SMTP rules with the same public addresses are fine. No authentication is required or used.
Denied Connection FTMG 09/03/2010 17:53:36
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: External (***.***.***.250:24087)
Destination: Local Host (***.***.***.82:80)
Wednesday, 10 March 2010 20:34
Sounds like you have one Web Listener, and presumably only one Web Publishing rule. There are many possible causes for this one. Essentially, it's claiming that the inbound request does not match any of the policy rules. Also, misconfigured TMG Network objects can possibly cause this.
Some things to check:
- If the TMG is single-NIC, make sure all IP ranges are included in TMG's Internal network object.
- If the TMG is multi-homed, make sure the Local Host address (***.***.***.82) shown in the log is not included in the address range(s) specified in TMG's Internal network object.
- Properties of Web Listener - Connections tab - Enable HTTP connections is checked and set to 80.
- Properties of Web Listener - Networks tab has the proper network selected, and the correct IP if selected.
- IIS (or other web server) is not running on the machine.
- Publishing rule properties - Listener - the correct listener is selected (if more than one listener is configured).
- Publishing rule properties - Public Name tab contains the correct domain name for the request.
- Publishing rule properties - Paths tab contains the proper path entry/entries to allow the request.
Richard Barker (MSFT)
Thursday, 11 March 2010 10:16
Good Morning Richard.
I have 1 web listener for 5 web publishing rules.
The .82 address is not part of the internal network and is the TMG's public address.
The Web listener is on the external network (selected IP ***.***.***.82) and HTTP is enabled with port 80 selected.
IIS is not installed on the TMG Hyper-V VM. Netstat shows there is NOTHING listening on port 80.
Publishing rules have correct domain and path entries.
Occasionally when I can connect TMG logs show:
Allowed Connection FTMG 11/03/2010 09:53:54
Log type: Web Proxy (Reverse)
Status: 302 Moved Temporarily
Rule: HTTP Webmail someurl.co.uk <-
Source: External (***.***.***.250:54788)
Destination: Local Host (172.16.1.25:80)
Request: GET http://someurl.uk/ <-
Filter information: Req ID: 09789179; Compression: client=No, server=No, compress rate=0% decompress rate=0%
When there is a successful connection, netstat shows something like: 'TCP ***.***.***.82:80 ***.***.***.***:54320 ESTABLISHED'
Thursday, 11 March 2010 15:05
Interesting...
So if you run:
netstat -ano | findstr :80
You do not see <externalIP>:80 set to LISTENING?
Also, you have 4 other web publishing rules. Are those sites working?
Richard Barker (MSFT)
Thursday, 11 March 2010 16:23
netstat -ano | findstr :80
C:\>netstat -ano | findstr :80
TCP ***.***.***.82:10479 126.96.36.199:80 CLOSE_WAIT 2420
TCP 127.0.0.1:8008 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:8080 0.0.0.0:0 LISTENING 2420
TCP 172.16.1.129:8080 0.0.0.0:0 LISTENING 2420
None of the web server publishing rules function. No internal sites are reachable through TMG.
All sites function properly (internally) via FQDN.
I would have expected to see a netstat entry similar to '***.***.***.82:80 LISTENING' per HTTP listener?
I can bring up another TMG VM on the same host (built from scratch) to see if it exhibits the same behaviour.
- Edited by BadgerBlack Wednesday, 17 March 2010 10:58
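The two checks this exchange turns on (Richard's "IIS is not running on the machine" item earlier, and the `netstat -ano | findstr :80` comparison here) can be run in one go. The script below is an added example for this thread, not code from any poster or from Microsoft: it parses `netstat -ano`, reports who is LISTENING on the published ports, and tells you whether the IIS service (W3SVC) is installed on the TMG box. The `$ListenerIP` and `$Ports` parameters are assumptions you replace with your own listener values, and the process name given for the TMG firewall service is an assumption noted in the comments.

```powershell
# Added diagnostic for this thread (not the original poster's or Microsoft's code).
# Parses 'netstat -ano' to show who owns the published ports and whether IIS is installed.
param(
    [string]$ListenerIP = '0.0.0.0',      # assumption: put the web listener's external IP here
    [int[]]$Ports       = @(80, 443)      # assumption: the ports your web listener publishes
)

# netstat -ano line layout: Proto  LocalAddress  ForeignAddress  State  PID  (UDP lines have no State)
$entries = netstat -ano | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f.Count -ge 5 -and $f[0] -eq 'TCP') {
        # split on the last ':' so IPv6 literals such as [::]:80 are handled too
        $addr, $port = $f[1] -split ':(?=\d+$)'
        [pscustomobject]@{ Local = $addr; Port = [int]$port; State = $f[3]; ProcId = [int]$f[4] }
    }
}

foreach ($p in $Ports) {
    $listeners = @($entries | Where-Object { $_.Port -eq $p -and $_.State -eq 'LISTENING' })
    if ($listeners.Count -eq 0) {
        # This is the symptom from the thread: the web listener never bound the port.
        Write-Output "Port $p : nothing LISTENING - the web listener is not bound"
        continue
    }
    foreach ($l in $listeners) {
        $proc  = Get-Process -Id $l.ProcId -ErrorAction SilentlyContinue
        $name  = if ($proc) { $proc.ProcessName } else { 'unknown' }
        $match = if ($l.Local -eq $ListenerIP -or $l.Local -eq '0.0.0.0') { 'covers listener IP' } else { 'other IP' }
        Write-Output ("Port {0} : {1} LISTENING, PID {2} ({3}), {4}" -f $p, $l.Local, $l.ProcId, $name, $match)
    }
}

# Assumption: the TMG firewall service runs as wspsrv.exe. PID 4 (System) on port 80
# means HTTP.sys is holding it, which is what IIS does when it is installed on the same box.
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($w3svc) { Write-Output "IIS (W3SVC) is installed and $($w3svc.Status) - it will compete with the listener for port 80" }
else        { Write-Output "IIS (W3SVC) is not installed" }
```

Run it in an elevated PowerShell session on the TMG host (for example as `.\Check-TmgListener.ps1 -ListenerIP ***.***.***.82`, a file name chosen for this example). On a working box you expect the listener IP on port 80 to be LISTENING under the firewall service's PID; on the broken box in this thread the first branch fires and nothing is bound.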
Wednesday, 17 March 2010 09:42 Moderator
Please check the publishing rule and confirm the Web listener is on the external network (.82). If you publish correctly, you will find something like: 'TCP ***.***.***.82:80 LISTENING'
Nick Gu - MSFT
Wednesday, 17 March 2010 10:55
I have checked and rechecked the web listener, and it makes no difference if it's configured for all external IPs or the external selected .82 address.
Again there is nothing listening on port 80 via netstat.
I brought a new identically configured TMG H-VM guest up in parallel, on the same host on an adjacent public IP.
It functions perfectly with the rules imported from the original TMG guest and the original .82 public IP.
C:\Users\Administrator>netstat -ano | findstr :80
TCP ***.***.***.82:80 0.0.0.0:0 LISTENING 2424
TCP ***.***.***.89:80 0.0.0.0:0 LISTENING 2424
I have no idea what the difference is between the broken and the new functional TMG.
- Marked as answer by Shijaz Abdulla, Microsoft Employee, Owner, Thursday, 19 August 2010 11:06
Wednesday, 17 March 2010 14:36 Answerer
Is anything showing up in the Alerts tab? Anything about a Resource Allocation Conflict?
Thursday, 18 March 2010 12:50
Hello Keith.
Nothing relating to resource allocation, with Alerts or reporting.
I'm currently migrating rules from the broken TMG to the functioning server.
I still would like to investigate the publishing issue.
Friday, 2 April 2010 15:52
One more question: do you have IIS installed on the TMG?
Wednesday, 7 April 2010 14:11
Sorry to jump into the discussion here but I do have the EXACT same issue.
I have 2 HTTP websites, 1 FTP, 1 Sharepoint, 1 OWA and 1 active sync.
Everything works internally (LAN + DMZ) using FQDN, and NOTHING from the WAN.
On OWA, I get the TMG login screen and then the usual 408 Timeout error.
As I have the Edge Exchange server on my TMG as well, I'd like to find a fix, as rebuilding the box is not quite an option...
Thursday, 8 April 2010 10:44
I also have the same issue (currently on another thread) which I can't solve: listener not listening, nothing showing on netstat, although apparently correctly configured.
The difference is that I also have IIS on the same machine.
I have two things to share/ask:
- For those with only 1 combined ISA and web server machine: add a server publishing rule for all HTTP and HTTPS. As such, you don't need the web publishing rules anymore. This worked for me (until now, because now I have more than just 1 server).
- As a clean VM solved the issue: should I do the same? On the same server, run 2 VMs: one with only ISA, and the other with all the rest?
As I've never used VMware: where/how do I start? Do I need additional SBS licenses for 2 images on the same machine?
Badger: can you give me some basic high level steps/instructions, and which software to use?
Friday, 9 April 2010 17:47
You should not install IIS on your TMG server, since TMG will not be able to successfully bind any web publishing rule. It is preferable to have a separate machine and configure it as a web server, then configure web publishing on your TMG machine.
Thursday, 19 August 2010 11:07 Owner
It's been a while since this thread has been opened. Did you figure out what went wrong with your first TMG server?
Shijaz Abdulla | Microsoft Qatar | Blog: microsoftnow.com
Tuesday, 24 August 2010 15:18
I'm afraid I could not successfully resolve the issue and rebuilt the TMG slice.
Wednesday, 25 August 2010 14:10
I managed to uninstall IIS on the TMG box and since then, I have full access to the web servers in the DMZ.
For OWA and ActiveSync, it's under way but having a back to back config doesn't help...
Finally, the FTP is still not working though.