Hello,
we have the following scenario:
Windows XP clients with all available SPs and updates installed and IE6 (yes, Internet Explorer 6). We will roll out IE8 starting in two weeks. Forefront TMG SP1 and updates is set up and works very well together with IE6.
Following config of the TMG:
- Internet Explorer connection settings are deployed via GPO/proxy.pac -> works fine with both versions of IE.
- Only the web caching/proxy functions are used (one NIC).
- Internal sites are accessed directly, externals via TMG then routed to upstream proxy
- Internal sites do not require authentication, external sites require authentication (only Integrated is checked)
- Some deny and grant rules, based on user membership, are set up using categories
The behavior is as expected:
- Client initiates an anonymous connection -> denied.
- Client retries an authenticated connection -> granted.
- Some sites (< 5%) will show up with missing images or corrupted layout (mostly Apache Webservers or forums, not sure).
- After hitting refresh (F5), 90% of the sites show up correctly.
- Bypassing the TMG and using the upstream directly works 100% fine.
- A very rare effect is the message: Proxy-Negotiate: ( ... very long encrypted string ...), which appears to be the Kerberos Authentication Cookie (or similar)
I hope this information may help you in answering the following question. Please feel free to ask for additional, missing points.
Where can I look, or what is the missing point, so that the users' experience is not influenced?