UAG Direct Access with External Proxy

  • Question

  • I have a customer who would like to use Force Tunneling to route web traffic to their hosted proxy and filtering service for their DA clients.  I enabled the Force Tunneling feature and added the proxy address to the “use proxy server”  but for some reason the proxy is not seeing any traffic from the UAG server.  I would suspect there is a rule on the TMG that is preventing 8080 from passing.  Has anyone out there ever configured UAG this way?

    UPDATE:  I had to disable the web proxy service on TMG as it was bound to port 8080.  I added a rule to allow http/s and proxy traffic over 8080 to the external network, and now the UAG server can connect to the external proxy.  I disabled force tunneling in favor of a proxy.pac file that specifies the external proxy FQDN as well.  I also added an NRPT suffix for the proxy, .scansafe.net, and modified the GPO to use the proxy for this DNS suffix.  But when I browse to the internet from outside the corpnet I get the errors below and no successful connection when browsing the internet.

    I can access my internal network fine from the internet via DA it's just this external proxy configuration that is giving me fits.


    Log type: Firewall service
    Status: The network rules do not allow the connection requested.
    Rule: None - see Result Code
    Source: External (2002:4236:f1e6:8100:3557:5187:e51a:79da:54391)
    Destination: External (2002:4236:f1e6:8001::45ae:3ac3:8080)



    Joseph Noga MCITP, MCSE, MCSA, MCTS CCNA,CCDA,CCVP Practice Manager Artemis Technology LLC


    • Edited by Joseph Noga Monday, October 22, 2012 5:58 PM UPDATE
    Friday, October 19, 2012 9:42 PM
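The post above mentions switching from Force Tunneling to a proxy.pac that names the external proxy FQDN. The block below is an added example of what such a PAC file looks like, written here for illustration; it is not the poster's file. The corpnet suffix (.corp.example.com) and the proxy FQDN and port (proxy.example.scansafe.net:8080) are assumptions, as is the use of .scansafe.net as the proxy's suffix. Browsers supply the PAC helper functions at runtime; minimal stand-ins are included so the routing logic can be exercised offline with Node.

```javascript
// Added example (not from the original post): a proxy.pac for a DirectAccess
// client that sends corpnet names DIRECT (through the DA tunnel) and all other
// web traffic to an externally hosted filtering proxy.
// Assumed values: corp suffix, proxy FQDN/port and proxy suffix are hypothetical.
const CORP_SUFFIX = ".corp.example.com";                  // assumed corpnet DNS suffix
const PROXY_SUFFIX = ".scansafe.net";                      // suffix the post added to the NRPT
const EXTERNAL_PROXY = "proxy.example.scansafe.net:8080";  // assumed hosted proxy FQDN:port

// Minimal re-implementations of the standard PAC helpers the browser normally provides.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Suffix match; the leading dot in `domain` stops "notcorp.example.com" matching ".corp.example.com".
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}

// Shell-style match supporting only the '*' and '?' wildcards.
function shExpMatch(str, pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", "i").test(str);
}

// True for literal RFC 1918 IPv4 addresses (10/8, 172.16/12, 192.168/16).
function isRfc1918(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  // Single-label names, corpnet names and private literal addresses are reached
  // directly, i.e. over the DirectAccess tunnel, never via the external proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, CORP_SUFFIX) || isRfc1918(host)) {
    return "DIRECT";
  }
  // Loopback stays local.
  if (shExpMatch(host, "localhost") || host === "127.0.0.1" || host === "::1") {
    return "DIRECT";
  }
  // The hosted proxy itself (and anything under its suffix) must not be sent
  // back through the proxy, or the request loops.
  if (dnsDomainIs(host, PROXY_SUFFIX)) {
    return "DIRECT";
  }
  // Everything else goes to the hosted filtering proxy. Deliberately no
  // "; DIRECT" fallback: if the proxy is unreachable the client fails closed
  // rather than silently bypassing the filtering policy.
  return "PROXY " + EXTERNAL_PROXY;
}
```

Note the absence of a trailing "; DIRECT" on the final return. Adding one is a common convenience, but for a filtering proxy it means any outage of the proxy (or any DNS failure for its name) quietly turns into unfiltered internet access.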

All replies

  • This may help explain the traffic flow: http://blogs.technet.com/b/edgeaccessblog/archive/2012/06/08/directaccess-forced-tunneling-and-world-wide-ipv6-launch.aspx and provide a few other options to consider.

    I have used web proxies with force tunnelling, but these have always been internally presented corporate proxies, not external ones.

    Given the TMG logs, it sees both the source and destination as External and consequently denies the "hairpinning" connection. I am not sure if you can actually configure TMG to do what you need without adding an unorthodox network rule from External to External.

    Interesting question/topology! ;)

    Cheers

    JJ


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    • Marked as answer by Joseph Noga Tuesday, October 23, 2012 1:23 PM
    Tuesday, October 23, 2012 11:24 AM
  • Jason,

    Thank you for your response.  I appreciate your insight into my unique situation.  I came to the same conclusion yesterday and explained to my customer that the “hairpinning” would not work.  In the meantime we are going back to split tunneling and allowing the external users access to the internet.  I will be suggesting that we setup an internal proxy server and have it forward up to the hosted proxy service for policy management and reporting.

    Thanks again and have a great day!

    Joe Noga


    Joseph Noga MCITP, MCSE, MCSA, MCTS CCNA,CCDA,CCVP Practice Manager Artemis Technology LLC

    Tuesday, October 23, 2012 1:23 PM
  • ...I will be suggesting that we setup an internal proxy server and have it forward up to the hosted proxy service for policy management and reporting.


    That sounds like a good plan...

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Tuesday, October 23, 2012 2:33 PM