UAG DA clients connected from the exterior can not browse internet using IE but they can using Chrome or Firefox

  • Question

  • Hi all

    I've been working for the last 3 weeks on our UAG DA solution. The results of our work are:

    1-The clients are able to connect to the corp network, browse internal web sites and access shared folders

    2-Microsoft Outlook cannot connect to the Exchange servers

    3-The DirectAccess clients connected from the exterior cannot browse the Internet using IE but they can do it using Chrome.

    We are using force tunneling. The web proxy, DCs, and any server in the corp network are accessible by the external DA clients. I've also checked, using nslookup against the DNS64 server and the internal corp DNS server, that both servers can resolve the names. We had a GPO to enforce the proxy settings through a proxy pac file but I've removed it and set the proxy manually. IE doesn't work but Chrome does.

    I feel lost right now because I can't find the logic in this issue. Any help or comment would be much appreciated.

    Regards.

    Wednesday, April 25, 2012 11:55 PM

Answers

  • Hi marektalas,

    Yes, we have found a solution using the NRPT settings. You can define the proxy you want to use for each of the NRPT entries. If you want to send all the DA clients' Internet traffic through your corp proxy, you only need to declare the proxy FQDN for the Internet traffic entry in the NRPT. Do this by editing the client GPO issued by the UAG wizard.

    Good luck

    • Marked as answer by Pavel Aleman Tuesday, October 23, 2012 4:58 PM
    Wednesday, October 3, 2012 2:23 PM

All replies

  • Are you doing Forced Tunneling because you want to filter their web traffic?  You might try this instead

    http://blog.concurrency.com/infrastructure/web-filtering-for-directaccess-users/


    MrShannon | Concurrency Blogs | UAG SP1 DirectAccess Configuration Guide


    • Edited by MrShannon Sunday, April 29, 2012 4:15 AM
    • Marked as answer by Pavel Aleman Sunday, April 29, 2012 5:43 AM
    • Unmarked as answer by Pavel Aleman Sunday, April 29, 2012 5:43 AM
    Sunday, April 29, 2012 4:15 AM
  • Great article. I have some questions about it:

    1)
    In the article, you mention:
    "Microsoft Threat Management Gateway can function as your web proxy as well as generate and host the configuration script for you".

    We have an internal web proxy, and the UAG-DA cluster is configured with force tunneling (using DNS64/NAT64) and two-factor authentication. All the Internet traffic should be managed by the corp web proxy, so we need to use a proxy pac or any other solution to automate the browser proxy settings. I'm wondering if it's possible to use TMG just to generate and host the script file but use the corp web proxy to manage the Internet traffic.

    Our current proxy pac doesn't work with the DA clients because all the functions in the pac are referring to IPv4 addresses.

     2)

    We are experiencing a really weird issue. The DirectAccess clients connected from the exterior cannot browse the Internet using IE but they can do it using Chrome or Firefox.

    We are using manual proxy settings and there is no GPO applied to IE. Using Microsoft Network Monitor on the UAG server, I've found that the IE HTTP requests never reach the web proxy. Any idea?

    Thanks so much, Shannon, for your reply. I was using one of your articles (http://blog.concurrency.com/infrastructure/uag-sp1-directaccess-configuration-guide/#BGS) to check my UAG configuration a few days ago, great work by the way.

    Regards


     

    Sunday, April 29, 2012 5:11 AM
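
The PAC problem described in the post above (rules written against IPv4 addresses), as an added example that is not from the thread or from any participant: a PAC file that decides only on host names. The zone `corp.example` and the proxy `proxy.corp.example:8080` are placeholders.

```javascript
// Added example: name-only PAC logic for DirectAccess clients. Written in
// ES3-style JavaScript (var, no arrow functions) because PAC engines are old.
// Assumptions: corp.example zone and proxy.corp.example:8080 are placeholders.
var INTERNAL_ZONES = ["corp.example"];
var CORP_PROXY = "PROXY proxy.corp.example:8080";

// Browsers provide these PAC helpers; define them only when missing so the
// same file can be exercised under Node.js.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
}
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}

// Lower-case the host and drop a trailing root dot ("portal.corp.example.").
function normalizeHost(host) {
  host = host.toLowerCase();
  return host.charAt(host.length - 1) === "." ? host.slice(0, -1) : host;
}

// True for the zone itself or a real subdomain. The leading dot matters:
// dnsDomainIs("notcorp.example", "corp.example") would also be true.
function inZone(host, zone) {
  return host === zone || dnsDomainIs(host, "." + zone);
}

// No isInNet(), dnsResolve() or myIpAddress(): every decision is made on the
// name, so the rules do not depend on IPv4 addresses.
function FindProxyForURL(url, host) {
  host = normalizeHost(host);
  if (isPlainHostName(host)) {
    return "DIRECT"; // single-label intranet name
  }
  for (var i = 0; i < INTERNAL_ZONES.length; i++) {
    if (inZone(host, INTERNAL_ZONES[i])) {
      return "DIRECT"; // internal name, reached through the tunnel
    }
  }
  return CORP_PROXY; // everything else goes to the filtering proxy
}
```
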
  • Hi,

    I just have a quick question: have you found any solution to the problem where IE can't browse whilst Firefox/Chrome is OK when connected to UAG? We are experiencing the same problem in one of our regions.

    Thanks

    Tuesday, October 2, 2012 3:17 AM