UAG PinSafe Integration Turing Image Not Being Displayed.

  • Question

  • Hello,

    I have integrated PinSafe with UAG, following the guide from Swivel, but am not seeing the Turing image as expected. I have completed a number of integrations to date and have not had this issue before. I see no messages in Web Monitor relating to this problem and on the PinSafe appliance there are no log entries relating to attempted sessions from UAG. I can pull an image from the PinSafe appliance to a web browser on the UAG. Where I would normally expect to see the image I see part of the standard "The website cannot display the page most likely causes....." message. Any suggestions as to what I should check next to continue?

    Thanks.

     

    Thursday, May 5, 2011 6:03 AM

All replies

  • Hi Neil,

    Can you see the browser request traffic in the TMG logs when trying to access the image?

    I assume the browser on UAG has no proxy server definition?

    Can you telnet to the PINsafe server on 8443?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, May 5, 2011 1:16 PM
    Moderator
  • Hello Jason,

    Thanks for getting back to me.

    I can render an image in IE on the UAG without a problem.

    I can telnet to PINsafe on 8443.

    The only entries I see on TMG when I attempt to authenticate are as follows.

     Initiated Connection WGHUAG01 5/5/2011 4:08:45 PM
    Log type: Firewall service
    Status: The operation completed successfully. 
    Rule: PinSafe1
    Source: Local Host (192.168.101.68:60665)
    Destination: Internal (10.144.37.110:8443)
    Protocol: PinSafe HTTPS

    Closed Connection WGHUAG01 5/5/2011 4:08:45 PM
    Log type: Firewall service
    Status: A connection was abortively closed after one of the peers sent an RST packet. 
    Rule: PinSafe1
    Source: Local Host (192.168.101.68:60665)
    Destination: Internal (10.144.37.110:8443)
    Protocol: PinSafe HTTPS

    Denied Connection WGHUAG01 5/5/2011 4:08:45 PM
    Log type: Firewall service
    Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer. 
    Rule: None - see Result Code
    Source: Local Host (192.168.101.68:60665)
    Destination: Internal (10.144.37.110:8443)
    Protocol: PinSafe HTTPS 
     

    There are no entries on the PINsafe logs relating to sessions being started from UAG. 

    Hopefully this may mean more to you than it does to me.

    Thanks in advance.

    Thursday, May 5, 2011 3:18 PM
  • Are you sure the URL for the image is not handled by the remote client directly? E.g. the client accesses the PINsafe server to render the image.

    This is how it works with the TMG integration...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, May 5, 2011 3:54 PM
    Moderator
  • Ignore that, just looked at the images.asp file ;)

    Should the URL in that file be https and not http??? 

    Are you using the correct FQDN in that URL that matches the SSL certificate common name on the PINsafe server?

    Are you using http or https in your browser tests?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, May 5, 2011 4:03 PM
    Moderator
  • Just checked my recent TMG swivel integration and the image URL is: https://pinsafe:8443/proxy/SCImage?username=

    Something to try... ;)


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, May 5, 2011 4:10 PM
    Moderator
  • Hi Jason,

    The image URL I am using is https:// PINsafe ip address:8443/proxy/SCImage?username=*****

    The same URL is being called by images.asp

    The PINsafe isn't my install, but I don't believe it has an SSL cert installed.

    Normally, since the PINsafe server and UAG are both behind corporate firewalls, I would use http and 8080, but this client has configured https.

     

    Thanks again,

    Neil.

    PS. Met Dennis Lee the other week, he said to say HI.

    Thursday, May 5, 2011 4:27 PM
  • How can it ever work if there is no SSL cert installed on PINsafe???

    Also, using an IP address in the URL is pretty likely to make it fail...it would be quite rare for the SSL cert to have been created with a common name which contains the IP address... 


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Thursday, May 5, 2011 4:38 PM
    Moderator
  • You may want to check out the TMG integration doc here: http://kb.swivelsecure.com/wiki/index.php/Microsoft_TMG_Integration as this has a section on troubleshooting SSL issues (at the bottom).

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, May 5, 2011 4:45 PM
    Moderator
  • You make a good point there. I just assumed......

    I've just checked with the client and PINsafe has no SSL nor does it have an entry in DNS.

    I think you may have hit the nail squarely on the head.

    I'll reconfigure on http 8080 and let you know.

    Regards.

    Thursday, May 5, 2011 4:50 PM
  • Sorry for the delay in responding.

    I've configured the PINSafe appliance to use http, this box can only be reached from the internal network, and all is working as expected.

    Thanks for the help Jason.

    Thursday, May 19, 2011 9:31 AM
  • Cool :)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, May 19, 2011 9:32 AM
    Moderator
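
The distinction this thread turns on, as an added example that is not part of the original posts or of any Swivel or Microsoft tooling: a successful telnet to 8443 proves only TCP reachability, not that a TLS handshake completes or that the certificate matches the host name used in the image URL. The function name, the stage labels and the placeholder host name are assumptions made for this sketch.

```python
import socket
import ssl


def diagnose_https_endpoint(host, port, timeout=5.0, context=None):
    """Return (stage, detail), where stage is 'tcp', 'tls', 'cert' or 'ok'.

    'tcp'  - no TCP connection at all (routing, firewall rule, closed port)
    'tls'  - port answers but the TLS handshake fails (reset, EOF, not TLS)
    'cert' - handshake reached the certificate, which failed validation,
             e.g. a name mismatch because the URL uses an IP address
    'ok'   - trusted certificate that matches the host used in the URL
    """
    # Stage 1: plain TCP connect. This is all "telnet host 8443" proves.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", f"cannot connect: {exc}")

    # Stages 2-3: handshake with normal chain and host name verification.
    ctx = context or ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("ok", f"{tls.version()} with a certificate valid for {host}")
    except ssl.SSLCertVerificationError as exc:
        return ("cert", exc.verify_message)
    except OSError as exc:  # ssl.SSLError, resets and timeouts are OSErrors
        return ("tls", f"handshake failed: {exc!r}")
    finally:
        raw.close()  # no-op once wrap_socket has taken over the descriptor


if __name__ == "__main__":
    # Placeholder name with the port from the thread; pass the host exactly
    # as it is written in the image URL, since that is the name being checked.
    print(diagnose_https_endpoint("pinsafe.example.internal", 8443))
```

Run it from the machine that fetches the image, with the same host string the image URL uses, so the result reflects the same firewall path and the same name comparison.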