Publish anonymous site using TMG when UAG is also used

  • Question

  • Is it possible to publish a standard Web Site (Tasks > Publish Web Site) using TMG on external port 80 when there are also trunks using external port 80 set up in the UAG interface?

    It seems that UAG sets up a new protocol called PublishingRule::Tcp80 that overrides the standard HTTP protocol so that the rules created in TMG never get hit.

    If I delete all trunks using port 80 it seems that the TMG rule is hit.
    Friday, January 22, 2010 1:57 PM

All replies

  • I think the problem is likely "socket pooling" in IIS and the ability of TMG to bind to port 80, rather than the rules. See the following article which is written about IAG, but I suspect is similar for UAG.

    http://www.ssl-vpn.de/wiki/Publish%20HTTP%2c%20HTTPS%20with%20ISA%20and%20IAG%20at%20the%20same%20time.ashx

    • Marked as answer by Erez Benari Thursday, January 28, 2010 9:12 PM
    Friday, January 22, 2010 2:55 PM
  • Niklas,

    Please read the TechNet Support boundaries article about TMG scenarios supported on UAG, and you will see that this is not a supported scenario.

    Regards,
    -Ran
    • Marked as answer by Erez Benari Thursday, January 28, 2010 9:12 PM
    Saturday, January 23, 2010 8:09 AM
  • Please read the TechNet Support boundaries article about TMG scenarios supported on UAG, and you will see that this is not a supported scenario.

    Hi Ran,

    Thanks for your reply. Unfortunately there's a lot of confusion on where it's supposed to use TMG only and where UAG could be a better choice. For example please see another (still unanswered) thread in this forum: UAG/TMG Confusion.

    So let me clarify this once more please.

    • If a customer wants to publish some intranet portal or web application for his employees and vendors he could take advantage of the new UAG features.
      This includes SharePoint and the whole range of Exchange services (with two exceptions which, I believe, are Exchange Autodiscover and Email Protection, though simple SMTP Service publishing is still supported by UAG).
    • If he has a public website which needs to be accessed publicly he should use TMG only and UAG is not supported for this.
      This may include some SharePoint websites that need to be accessed anonymously or with self-registration features.

    So I guess that for easy understanding we could say that anonymous connections should always use TMG and for authenticated connections we could choose UAG. Correct?

    Saturday, January 23, 2010 6:59 PM
  • Hi Pronichkin,

    What you are asking is a different question than the question Niklas asked which started this thread, and which I was trying to answer.

    Let me try to explain: Niklas asked, to the best of my understanding, if it is possible to use a TMG feature *on the UAG server*. And to answer that question, I pointed to the TechNet Support boundaries article, which explains for which scenarios TMG *running on the UAG server* can be used, and for which scenarios it should not be used as those scenarios are not supported:

    Although you can configure Forefront TMG running on Forefront UAG using the Forefront TMG Management console, Forefront TMG is intended for use of the Forefront UAG infrastructure only. Specifically, the following is not supported: …

    Your question, as I understand it, is when should one choose to publish an application through UAG vs. publishing it through TMG. I was not answering this question and I will leave it to someone else to do it. :)

    Thank you,
    -Ran

    Sunday, January 24, 2010 10:10 AM
  • Hi Pronichkin,
    My understanding is that you are interested in knowing when should one choose to publish an application through UAG vs. publishing it through TMG. If the question is about which product to BUY for this purpose, then the generic answer is that UAG is designed to publicly publish internal websites. TMG can do this as well, but UAG allows you to do this with improved security, as well as some more flexibility of IP/Port usage (because using a portal, you can publish multiple internal sites on a single public hostname and port). The answer for your specific needs may have other factors and considerations, so I can't give you a complete answer - if this is indeed what you are trying to decide, please contact your Microsoft sales contact or 3rd party consultant, who would be more equipped to investigate the specifics for your company and help you make an informed decision.

    If, on the other hand, you already have a UAG server, and the question is whether to publish some site using UAG application template or by configuring a TMG publishing rule directly, the answer is to use UAG, as configuring TMG directly is highly unrecommended, and officially unsupported. If you have a site that needs publishing, and UAG cannot do it, then the proper thing to do would be to get another server, with just TMG, and use it to publish that site. Naturally, the decision of whether UAG can or cannot do something is not simple, so if you feel that UAG cannot do something, I would recommend you consult your Microsoft sales contact or 3rd party consultant.
    Ben Ari
    Microsoft CSS IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Thursday, January 28, 2010 9:12 PM
    Thursday, January 28, 2010 9:12 PM