Publishing IIS WebDAV using TMG 2010
-
Saturday, May 5, 2012 18:09
I have an internal 2008R2 server that I have hosted WebDAV on in IIS 7.5. I have TMG 2010 SP2 installed on another server that has a WAN interface and a LAN interface. When I use a WebDAV client internally on my iPhone I am able to access the WebDAV share absolutely perfectly.
When I go external and try to hit my TMG interface I am getting an error. On the iPhone I get a 403 error. In the TMG log the error is saying that client certificates are required and that the connection is blocked. I would say that I have tried changing most settings available to me on the TMG rule but it simply will not get past this client certificate error.
Has anyone successfully published a WebDAV solution using their TMG 2010 services that could help me out? I know I didn't put much info as of this time but I can supply anything that is required.
WebDAV server is 2008 R2 SP1. The WebDAV server and the TMG server rule have the same HTTPS certificate.
All Replies
-
Saturday, May 5, 2012 18:59
Hi,
Use a Webserverpublishing rule on your TMG Server with HTTP authentication (Integrated) and KCD (Kerberos Constrained Delegation). On the WebDAV Server enable "require SSL" but select the radio button "ignore client certificates".
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
-
Monday, May 7, 2012 06:42 Moderator
Hi,
Thank you for the post.
Please refer to this thread: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/1671e393-12ac-4b1d-a7c0-d8307c4b8326.
Regards,
Nick Gu - MSFT
-
Monday, May 7, 2012 15:53
Hi,
Use a Webserverpublishing rule on your TMG Server with HTTP authentication (Integrated) and KCD (Kerberos Constrained Delegation). On the WebDAV Server enable "require SSL" but select the radio button "ignore client certificates".
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
Thanks for the info. I set up a rule based on what you say here and the rule tests GREEN in TMG. However, upon hitting the WAN IP on my iPhone via cellular I get a DENY because no rule is matching the traffic from my iPhone. It shows blocked traffic from my iPhone (External) to the WAN IP of my TMG server (Localhost). This is blocked of course because External isn't allowed on 444 to the (localhost) external port of TMG. Why is TMG not routing this properly with the rule I created? Doesn't the TMG web publish rule know that it is covering itself? That sounds stupid to ask but this doesn't make any sense to me.
External DNS has the "FileWD" A record pointing to TMG WAN IP. TMG rule is listening on port 444, and has Public Name requests for "FileWD" FROM WAN IP going to WebDAV server on port 444. The certificate is the same on the WebDAV server and the TMG rule. Listener is set up for HTTPS port 444, Integrated HTTP authentication, and delegation is KCD. The request comes from the TMG server.
If I fire off a non-web port rule I can get this to work with no problems. The TMG server is seeing the traffic hitting the WAN IP on port 444 and that is not OK because it doesn't match my rule that is listening on that IP and port to forward onward!?
-
Tuesday, May 8, 2012 07:26
Have you extended the SSL tunnel port range to cater for the non-standard SSL port?
If not, you need to follow the instructions in http://technet.microsoft.com/en-us/library/cc302450.aspx.
This is because, by default, TMG (and ISA for that matter) does not listen on any other SSL port than 443 unless explicitly configured.
Hth, Anders Janson Enfo Zipper
- Marked as Answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator, Wednesday, May 23, 2012 02:14
-
Tuesday, May 8, 2012 13:12 Moderator
Adrian did some good guides for ISA you can probably adapt for TMG: http://www.carbonwind.net/ISA/WebDav/WebDav1.htm
Cheers
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
-
Tuesday, May 8, 2012 13:36
Oh wow that does ring a bell from ISA 2006... the link that you provided however is broken. I believe that was only for Web Proxy though, and upon trying it out here it isn't making a difference.
The traffic is still coming into my WAN Interface on port 444 from an external IP and is seeing no rule matching this. There technically is not a rule for this as the web publishing rule is set up to accept requests for "FileWD.domain.com" which is an internal network resource.
Is this the problem... that TMG is not seeing the "to" as the internal website but is instead seeing it as the WAN interface?
-
Sunday, May 13, 2012 09:24
Here's the working link:
http://technet.microsoft.com/en-us/library/cc302450.aspx
Did you create a protocol definition for port 444? If needed you can connect the http filter to that definition to get http filtering.
If I understand it correctly you are trying to publish an internal webdav resource externally on (SSL) port 444. To do so you need to
- extend the ssl port range
- publish the site with a custom protocol definition for port 444
- make sure you have a ssl cert that works for your environment
Hth, Anders Janson Enfo Zipper
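
An added example, not part of the original thread or of Microsoft's documentation: one way to carry out the "extend the ssl port range" step from the list above for the port 444 used in this thread, through the TMG administration COM object (`FPC.Root`). It assumes an elevated PowerShell session on the TMG server itself; the range name is a made-up label, and the range is kept to the single port rather than a wider span.

```powershell
# Added example: extend the TMG tunnel port ranges to include one non-standard SSL port.
# Assumption: run elevated on the TMG server, where the FPC.Root COM object is registered.

$Port      = 444            # non-standard SSL port discussed in this thread
$RangeName = "SSL $Port"    # hypothetical display name for the new range

$root   = New-Object -ComObject FPC.Root
$array  = $root.GetContainingArray()
$ranges = $array.ArrayPolicy.WebProxy.TunnelPortRanges

# List what is configured today and check whether the port is already covered,
# so that re-running the script does not create duplicate ranges.
$covered = $false
foreach ($r in $ranges) {
    "{0,-20} {1}-{2}" -f $r.Name, $r.TunnelLowPort, $r.TunnelHighPort
    if ($Port -ge $r.TunnelLowPort -and $Port -le $r.TunnelHighPort) {
        $covered = $true
    }
}

if ($covered) {
    "Port $Port is already inside a tunnel port range; nothing changed."
} else {
    # Low and high bound are the same: only this one port is added,
    # which keeps the set of ports allowed for SSL tunnelling as small as possible.
    [void]$ranges.AddRange($RangeName, $Port, $Port)
    $ranges.Save()
    "Added tunnel port range '$RangeName' ($Port-$Port)."
}
```

The script only changes the tunnel port ranges; the custom protocol definition for port 444 and the certificate from the other two list items are still configured separately in the TMG console.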

