TMG HTTP listener not working but HTTPS listeners are working

    Question

  • I have 3 different HTTPS listeners set up: there is one with no form based authentication, one with form based authentication and one dedicated to MS Lync services. Each one of these HTTPS listeners uses a different public IP address. The external NIC on TMG has about 6 public IP addresses on it. So I went to create an HTTP listener for our main corporate website and for some reason it will not work! For some reason TMG is not allowing HTTP connections in; TMG acts like it doesn't even notice that I have the HTTP listener. I have verified that the listener is listening on port 80, and the listener is also set up with no authentication at all (but I have tried all variations of authentication). The only way I am able to get it working is if I set up the HTTP listener to listen on 443 and then the web publishing rule bridges connections to port 80, but this obviously won't work in production.

    I spent hours trying to get it to work with no success. Looking at the logs I just saw HTTP traffic coming in from External to Local Host and TMG was dropping it. The Local Host IP was the IP I have associated with the HTTP listener, yet TMG did not recognize it or use it.

    I was able to publish the site by creating a non-web server publishing rule and creating a custom port for inbound HTTP connections, and that worked, but again, this isn't what I want to do and I shouldn't have to do it this way. I also have HTTP inspection off, so no problems there. I am running TMG SP2 (Version: 7.0.9193.500). What am I missing here?

    Monday, February 06, 2012 2:42 PM

Answers

  •  

    Hi,

    Thank you for the update.

    "TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4" indicates that Process ID 4 (System) is listening on TCP port 80. That explains why the Firewall service was not able to bind itself to TCP port 80. In scenarios where IIS is installed on the same machine as the TMG server and IIS binds itself to port 80, it is common to see such output. Please stop the Default Web Site in IIS. Then restart the Microsoft Forefront TMG Control service and run the netstat command again to make sure port 80 is being listened on by wspsrv.exe.

    Regards,


    Nick Gu - MSFT

    Friday, February 10, 2012 4:38 AM
    Moderator

All replies

  • Hi,

    Please check that there is no other service/application (SQL Reporting Services, remote control software, IIS or something like that) listening on port 80 on the TMG server (netstat -ano).


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
    Monday, February 06, 2012 5:33 PM
  • The only one I see below is listening for the local server, but I don't see any established connections to it.


     Proto  Local Address          Foreign Address        State
     TCP    0.0.0.0:80             IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:135            IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:445            IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:1433           IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:2171           IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:2172           IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:2173           IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:3389           IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:3847           IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:9389           IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:10000          IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:10001          IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:10002          IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:10027          IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:10059          IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:10077          IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:10082          IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:10095          IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:10101          IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:15474          IRPV-DMZTMG:0          LISTENING
     TCP    0.0.0.0:47001          IRPV-DMZTMG:0          LISTENING
     TCP    127.0.0.1:8008         IRPV-DMZTMG:0          LISTENING
     TCP    127.0.0.1:8080         IRPV-DMZTMG:0          LISTENING
     TCP    172.16.10.2:139        IRPV-DMZTMG:0          LISTENING
     TCP    172.16.10.2:1745       IRPV-DMZTMG:0          LISTENING
     TCP    172.16.10.2:2171       IRPV-DMZTMG:18059      ESTABLISHED
     TCP    172.16.10.2:2171       IRPV-DMZTMG:43629      ESTABLISHED
     TCP    172.16.10.2:2171       IRPV-DMZTMG:43631      ESTABLISHED
     TCP    172.16.10.2:2171       IRPV-DMZTMG:43635      ESTABLISHED
     TCP    172.16.10.2:3389       irva-matest-pc:55322   ESTABLISHED
     TCP    172.16.10.2:15476      irvm-dc-02:1025        ESTABLISHED
     TCP    172.16.10.2:18003      IRPV-DMZTMG:0          LISTENING
     TCP    172.16.10.2:18059      IRPV-DMZTMG:2171       ESTABLISHED
     TCP    172.16.10.2:43613      irps-lyncfe1:4443      ESTABLISHED
     TCP    172.16.10.2:43629      IRPV-DMZTMG:2171       ESTABLISHED
     TCP    172.16.10.2:43631      IRPV-DMZTMG:2171       ESTABLISHED
     TCP    172.16.10.2:43635      IRPV-DMZTMG:2171       ESTABLISHED
     TCP    172.16.10.2:43636      IRPV-DMZTMG:ms-sql-s   TIME_WAIT
     TCP    172.16.10.2:43637      irvm-dc-02:ldap        TIME_WAIT
     TCP    172.16.10.2:43639      irvm-dc-02:epmap       TIME_WAIT
     TCP    172.16.10.2:43640      irvm-dc-02:epmap       TIME_WAIT
     TCP    172.16.10.2:43641      irvm-dc-02:1025        TIME_WAIT
     TCP    172.16.10.2:43649      IRPV-DMZTMG:ms-sql-s   TIME_WAIT
     TCP    172.16.10.2:43650      irvm-dc-02:ldap        TIME_WAIT

    Monday, February 06, 2012 5:51 PM
  • FYI,

    IRPV-DMZTMG is TMG's host name. This name is registered to the 172.16.10.2 DMZ NIC on TMG. TMG also has an external NIC which has about 6 public IP addresses on it.

    Monday, February 06, 2012 5:53 PM
  •  

    Hi,

    Thank you for the post.

    Please use this command to verify which process is listening on port TCP 80: netstat -aon | findstr ":80"

    Regards,


    Nick Gu - MSFT

    Tuesday, February 07, 2012 5:17 AM
    Moderator
  • To clarify what Nick said, we need the "PID" column.

    Then use the command tasklist -svc | findstr [pid that is listening on port 80]

    If it is not TMG, then find that other service and reconfigure or remove it.


    Hth, Anders Janson Enfo Zipper

    Tuesday, February 07, 2012 12:23 PM
  • Here is what I found. I also deleted the HTTP listener from TMG before running this command.

     TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
     TCP    127.0.0.1:8008         0.0.0.0:0              LISTENING       4
     TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3164
     TCP    [::]:80                [::]:0                 LISTENING       4

    Not too sure what 0.0.0.0 is supposed to be or why it would be "System". Looks like IPv4 and IPv6 are both listening, though. Any ideas what this may be? This was a clean system build; I just installed TMG and TMG installed its prereqs, and that is it.

    System                           4 N/A
    csrss.exe                      324 N/A
    services.exe                   476 N/A
    lsass.exe                      484 Netlogon, SamSs
    lsm.exe                        492 N/A
    svchost.exe                    764 eventlog, lmhosts
    svchost.exe                    864 EventSystem, netprofm, nsi, SstpSvc, W32Tim
    sqlservr.exe                  1408 MSSQL$MSFW
    SMSvcHost.exe                 1488 NetPipeActivator, NetTcpActivator,
    ReportingServicesService.     1784 ReportServer$ISARS
    sqlwriter.exe                 1944 SQLWriter
    svchost.exe                    844 W3SVC, WAS
    mspadmin.exe                  2224 isactrl
    IsaManagedCtrl.exe            2784 IsaManagedCtrl
    svchost.exe                    624 PolicyAgent
    csrss.exe                     3432 N/A
    winlogon.exe                  3240 N/A
    LogonUI.exe                   3648 N/A
    wspsrv.exe                    3164 fwsrv
    rdpclip.exe                   1404 N/A
    dwm.exe                       3524 N/A
    explorer.exe                  4200 N/A
    VMwareUser.exe                4256 N/A
    MagicDisc.exe                 4152 N/A
    conhost.exe                   4960 N/A
    notepad.exe                    436 N/A
    tasklist.exe                  4912 N/A
    findstr.exe                   4964 N/A
    WmiPrvSE.exe                  4540 N/A

    Tuesday, February 07, 2012 2:16 PM
  • Ahh, I may have figured it out. For some reason IIS was installed and was listening on port 80. Was this a prereq for TMG? I certainly did not install it.
    Tuesday, February 07, 2012 2:26 PM
  • When trying to publish HTTP websites (on port 80), the published websites aren't working. Published HTTPS websites (on port 443) are working normally.

    The following error message is written to the eventlog:
    The Web Proxy filter failed to bind its socket to A.B.C.D port 80. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure.

    A.B.C.D is the TMG's external IP address.

    When trying to disable rules for this IP the following message is written to the eventlog:
    "A problem preventing the Web Proxy filter from binding its sockets was resolved"

    When checking the listeners with netstat -ano, you see PID 4 is listening on port 80 on all the IPs. PID 4 is a system process.

    Solution

    The problem is caused by the HTTP service listening on port 80 on all IPs.

    Opening "Command Prompt" and running the following command:
    netsh http add iplisten ipaddress=127.0.0.1
    and restarting the TMG services (or rebooting the server) solves the problem.

    Roma

    Wednesday, January 09, 2013 7:47 PM
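As an added example that is not part of this thread, the following PowerShell script automates the checks the replies above walk through by hand: netstat -ano to find which PID owns TCP port 80, the tasklist /svc style mapping of that PID to Windows services, and netsh http show iplisten for the HTTP.sys IP listen list that the last reply's netsh command restricts. It assumes an elevated PowerShell prompt on the TMG server itself, English netstat output, and that the Web Proxy process is wspsrv.exe (service fwsrv), as in the tasklist output above.

```powershell
# Added example for this thread, not code from the thread or from Microsoft.
# Assumptions: run from an elevated PowerShell prompt on the TMG server itself,
# with English netstat output; the Web Proxy process is wspsrv.exe (service fwsrv).
param([int]$Port = 80, [string]$ExpectedProcess = 'wspsrv')

# netstat -ano is parsed rather than Get-NetTCPConnection, which does not exist on
# Windows Server 2008 R2, the platform TMG 2010 runs on.
function Get-PortOwners {
    param([int]$Port)
    $rx = '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$'
    netstat -ano | ForEach-Object {
        if ($_ -match $rx -and [int]$matches[2] -eq $Port) {
            $local = $matches[1]
            $ownerPid = [int]$matches[3]
            $name = 'unknown'
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            if ($proc) { $name = $proc.ProcessName }
            # Same mapping as tasklist /svc: which Windows services live in that PID.
            $svcs = @(Get-WmiObject Win32_Service -Filter "ProcessId=$ownerPid" |
                      ForEach-Object { $_.Name }) -join ', '
            New-Object PSObject -Property @{
                LocalAddress = $local; OwnerPid = $ownerPid; Process = $name; Services = $svcs
            }
        }
    }
}

# HTTP.sys is the kernel listener that netstat reports as PID 4 (System). With an empty
# IP listen list it binds port 80 on every address, which is what the netsh fix changes.
function Get-HttpSysListenList {
    netsh http show iplisten | ForEach-Object {
        if ($_ -match '^\s*([0-9a-fA-F\.:]+)\s*$') { $matches[1] }
    }
}

$owners = @(Get-PortOwners -Port $Port)
if ($owners.Count -eq 0) {
    "Nothing is listening on TCP $Port. Check that the TMG listener exists and fwsrv is running."
}
foreach ($o in $owners) {
    if ($o.Process -eq $ExpectedProcess) { $verdict = 'OK: TMG Web Proxy owns the port' }
    elseif ($o.OwnerPid -eq 4) { $verdict = 'CONFLICT: HTTP.sys (IIS W3SVC/WAS, Reporting Services or another HTTP.sys user)' }
    else { $verdict = 'CONFLICT: another process owns the port' }
    "{0,-18} PID {1,-5} {2,-12} [{3}] {4}" -f $o.LocalAddress, $o.OwnerPid, $o.Process, $o.Services, $verdict
}
$ipList = @(Get-HttpSysListenList)
if ($ipList.Count -eq 0) { 'HTTP.sys IP listen list is empty: HTTP.sys claims port 80 on all addresses.' }
else { 'HTTP.sys IP listen list: ' + ($ipList -join ', ') }
```

Run it before and after stopping the IIS Default Web Site or adding the 127.0.0.1 iplisten entry and restarting the TMG services; the port 80 rows should move from PID 4 (System) to wspsrv.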