TMG as a reverse proxy connecting to another reverse proxy

  • Question

  • I have a TMG 2010 instance in a DMZ acting as a perimeter reverse proxy. Inside the network is a forward proxy that allows web access into a secure area, to a number of defined, named services, all on port 80 or port 443. Existing internal users can access these services, but I want to make them available to external users, too. I want to offload SSL at the perimeter proxy (a security team requirement), but need to re-establish SSL to the internal https services.

    How can I configure TMG to correctly forward these requests to the internal proxy?

    I have tried various things. If I forward a published service to a host (the host being the proxy) then the basic port 80 kinda works, but the SSL does not - I get an odd error about the token being invalid.

    If I set up a web chain, the incoming request gets redirected to the proxy as if I was trying to reach the proxy alone, i.e. if the proxy is on 192.168.1.150:8080, then the proxy receives a request for a page at that address, not the address of the original name... As you can see, I am somewhat baffled.

    All internal and external names are the same, so no URL rewriting needs to occur.

    I am experienced with proxying generally, but new to TMG. Any suggestions and pointers very much appreciated.

    Regards

    David

    Tuesday, July 17, 2012 7:28 PM

All replies

  • Hi,

    Thank you for the post.

    Do you have two TMG servers, one for reverse proxy and the other for forward proxy? Would you please elaborate on the network topology?

    Regards,

    Nick Gu - MSFT

    Thursday, July 19, 2012 4:59 AM
    Moderator
  • Nick,

    I have one TMG, in the perimeter that I am trying to configure. The other (forward) proxy is in the edge of a network zone that delivers web services to the organisation. This one is not TMG, it is a Bluecoat SG.

    I can get access OK to the green light connections, but can't figure out how to get TMG to correctly forward to the Bluecoat. The Bluecoat listener is on 192.168.1.150. All firewalls are passing the traffic OK.

    Regards

    David

    Thursday, July 19, 2012 8:49 AM