DirectAccess force tunneling - Web proxy (TMG) needs authentication

Similar Messages

• DirectAccess Force Tunneling via proxy server (TMG)

  Hello
  I am looking to enable Force Tunneling for DirectAccess.  All web traffic would then go via TMG proxy.  This is all fine, but in the past this was once configured and stopped IMAP from working?  
  The question is, would forced tunneling only send http/https traffic to the proxy by design and all other traffic directly out? Other traffic does traverse the proxy when internal to the LAN but I am sure DA treats this a little different in terms of what
  protocols are forwarded - Is this correct?
  If this is the case then I am assumming the firewall infrastructure is stopping IMAP?
  Thanks

  Hi There - it is a strong recommendation even in Microsoft deployments not to use Force Tunnelling unless you really have to. Using Force Tunnelling will always revert to IP-HTTPS which is still technically the slowest of the transition technologies. This
  means DirectAccess clients use only IP-HTTPS to obtain IPv6 connectivity to the DirectAccess servers over the IPv4 Internet.  IP-HTTPS has much higher overheads than IPv6, 6to4 or Teredo. Also your proxy server will handle every request and consume
  plenty of bandwidth and you cannot put NRPT exemptions in force tunnelling as all traffic has to come through the tunnel. There is also the small issue of captive portals. There are more things to list but the above should be enough to start an argument on
  why not to do it !!
  You could implement a split tunnel with enforced web proxy (seeing as you have TMG) as per the guide / recommendations by Shannon Fritz below (which works well in reality.
  http://www.concurrency.com/infrastructure/web-filtering-for-directaccess-users-55/
  Kr
  John Davies

• The Scout CC installer stalls. I am behind a proxy that needs authentication. What can I do?

  The Scout CC installer stalls at the beginning of the process (trying to connect to the server).
  I am behind a proxy that needs authentication.
  How can I install Scout CC?
  Thanks

  Hi cadrian,
  Are you on a managed network. If yes then kindly make sure that the following host/port combinations may need to be white-listed when logging in with an Adobe ID to download, install, and activate licensing for applications via a Creative Cloud membership.
      ccmdls.adobe.com:443
      ims-na1.adobelogin.com:443
      ims-prod06.adobelogin.com:443
      na1r.services.adobe.com:443
      prod-rel-ffc-ccm.oobesaas.adobe.com:443
      lm.licenses.adobe.com:443
      ccmdl.adobe.com:80
      swupmf.adobe.com:80
      swupdl.adobe.com:80
  Regards,
  Rave

• How to make my URLConnection through proxy(need authentication)

  Hi...
  we are writing a net program behind the firewall,and the proxy server need authentication(you have to input your id,pswd and the domain where you are), so, our URLConnection cant reach the outside of the firewall.
  Is there any solution???

  For HTTP:
  Check for example http://forum.java.sun.com/thread.jsp?forum=31&thread=360245

• A web service that calls another ws which need authentication

  Hi,
  I need to call a web service which need authentication.
  I've used the following code:
  SystemMsg sm = new SystemMsg();
  sm.setMsgType("Test");
  sm.setMsgDesc("Test");
  sm.setDateTime("Test");
  SystemMsgOB acbss = new SystemMsgOBBindingStub();
  acbss._setProperty(SystemMsgOB.USERNAME_PROPERTY, "user");
  acbss._setProperty(SystemMsgOB.PASSWORD_PROPERTY, "password");
  acbss.systemMsgOB(sm);
  When I try to run the project from the J2EE engine I get an exception: java.lang.IncompatibleClassChangeError.
  When debugging I found that the method that causes the trouble is the _setProperty.
  I'll appreciate any help.
  Yaniv.

  Hi Yaniv,
  This error previously only occurred if the inqmyxml.jar archive was enhanced incompatibly.
  1) Terminate the SDM. Copy the inqmyxml.jar              file from the deploying/lib subdirectory of the J2EE installation directory into the lib subdirectory of the SDM.
  2) Make sure that you remove the original file from the lib subdirectory.
  3) In particular, the file must not remain renamed in the lib subdirectory. Then restart the SDM and repeat the deployment by selecting "Restart".
  Hope it helps,
  Regards,
  Nagarajan.

• Web Proxy Authentication using Kerberos or NTLM - ForeFront TMG

  Hi All
  I was hoping someone would be able to guide me on addressing an issue I have with authenticating MACs against the web proxy. I have scoured the internet and looked on the forums but I can't seem to find a solution to the problem I am experiencing.
  Our network consists and an AD domain, and a single TMG server 2010. The TMG server is enabled for integrated authentication for the Web Proxy. All the MACs have been added to the AD Domain, so all users logon as themselves. Authentication to various shares
  are granted using Kerberos - so part of the Kerberos infrastructure works.
  My Problem:
  Currently, my MAC clients are prompted for a username and password when accessing the internet within Firefox and Camino. If I use Safari I have my credentials twice as the keychains saves my credentials seperately, for HTTP and HTTPS traffic.
  Ideal Solution
  Since a kerberos ticket is issued to the user who has logged in by the domain controller, I would like to use kerberos to authenicate the user for web access.
  What I've done so far
  There is a feature within Firefox and Camino web browsers to enable trusted websites to use your kerberos ticket. If you open Mozilla, navigate to about:config and look for 'network.negotiate-auth.trusted-uris' and add various internal sites (not proxy).
  The authentication works perfectly using Kerberos as you can see the tickets that have been handed out using 'klist' and I'm not prompted for my username or password. If I disable it, it stops working and I am prompted for my username and password. I have
  tried typing in the proxy address, also tried putting in the proxy port too but to no success within the trusted-uris text field.  Maybe there is a different way of putting in the address?
  I have enabled Kerberos on the computer account in AD for the firewall (Trust this computer for delegation to any service (kerberos only)), but without any success. I must admit, I haven't rebooted the TMG server though.
  I hope someone can help me out, and really appreciate your time and support.
  Thanks
  Jamie

  Hi All
  I have resolved my issue. I added the SPN of HTTP/SERVERNAME & HTTP/IPADDRESSOFSERVER to the firewall computer account and replicated my changes and now I have authenication working on my MACS without any username and password prompts, apart
  from the user logging into the domain. Beautiful.
  https://community.mcafee.com/docs/DOC-2682 - This detailed article from McAfee helped me signfictantly.
  Cheers Anyway,
  Jamie

• HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )

  17:06:13 Synchronizer Version 14.0.6123
  17:06:13 Synchronizing Mailbox '[email protected]'
  17:06:13 Synchronizing Hierarchy
  17:06:13   4 folder(s) added to online store
  17:06:13   1 folder(s) updated in online store
  17:06:13 Synchronizing local changes in folder 'Inbox'
  17:06:13 Error synchronizing folder
  17:06:13 [80041004-0-0-430]
  17:06:13 Error with Send/Receive.
  17:06:13 There was an error synchronizing your folder hierarchy. Error : 80041004.
  17:06:13 Synchronizing server changes in folder 'Calendar'
  17:06:13 Synchronizing server changes in folder 'Contacts'
  17:06:13 
  17:06:13 
  *Request*       
  17:06:13 17:06:13:0590
  17:06:13 POST
  17:06:13  http://
  17:06:13 contacts.msn.com
  17:06:13 /ABService/ABService.asmx
  17:06:13 
  17:06:13 <ABFindAll xmlns="http://www.msn.com/webservices/AddressBook"> <abId>00000000-0000-0000-0000-000000000000</abId><abView>Full</abView><deltasOnly>false</deltasOnly></ABFindAll>
  17:06:13 
  *Response*  
  17:06:13 17:06:13:0870
  17:06:13 HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  )
  Via: 1.1 TMG
  Proxy-Authenticate: Negotiate
  Proxy-Authenticate: Kerberos
  Proxy-Authenticate: NTLM
  Connection: close
  Proxy-Connection: close
  Pragma: no-cache
  Cache-Control: no-cache
  Content-Type: text/html
  Content-Length: 707
  17:06:13 
  17:06:13 
  17:06:13 
  17:06:13 Error with Send/Receive.
  17:06:13 There was an error synchronizing a contacts folder. Error : 80004005.
  17:06:13 Synchronizing server changes in folder 'Drafts'
  17:06:13 Synchronizing local changes in folder 'Inbox'
  17:06:13 Error synchronizing folder
  17:06:13 [80041004-0-0-430]
  17:06:13 Synchronizing server changes in folder 'Sent Items'
  17:06:13 Synchronizing server changes in folder 'Deleted Items'
  17:06:13 Synchronizing server changes in folder 'Junk E-mail'
  17:06:13 Done
  17:06:13 
  17:06:13 
  *Request*       
  17:06:13 17:06:13:0870
  17:06:13 POST
  17:06:13  http://
  17:06:13 mail.services.live.com
  17:06:13 /DeltaSync_v2.0.0/Settings.aspx
  17:06:13 
  17:06:13 <?xml version="1.0" encoding="utf-8"?><Settings xmlns="HMSETTINGS:"><ServiceSettings><SafetySchemaVersion>1</SafetySchemaVersion><SafetyLevelRules><GetVersion/></SafetyLevelRules><SafetyActions><GetVersion/></SafetyActions><Properties><Get/></Properties></ServiceSettings><AccountSettings><Get><Options/><Properties/></Get></AccountSettings></Settings>
  17:06:13 
  *Response*  
  17:06:13 17:06:13:0870
  17:06:13 HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  )
  Via: 1.1 TMG
  Proxy-Authenticate: Negotiate
  Proxy-Authenticate: Kerberos
  Proxy-Authenticate: NTLM
  Connection: close
  Proxy-Connection: close
  Pragma: no-cache
  Cache-Control: no-cache
  Content-Type: text/html
  Content-Length: 707
  17:06:13 
  17:06:13 

  Hi,
  According to the log, it seems that TMG firewall denied the request and replied with an HTTP 407 response, indicating that proxy authentication was required. This was done because the Forefront TMG firewall did not have any access rules which would allow
  the anonymous request. Please check if you have configured related access rules.
  When did you recieve this log? Is there anyting wrong? Which authentication method you have used, Kerberos, NTLM or other? 
  It seems that each time a web proxy client requests a resource through a Forefront TMG firewall that requires NTLM authentication the client is actually denied twice during the transaction before being successfully authenticated and allowed access. When
  the Forefront TMG firewall is configured to use Kerberos there is only a single denied request and HTTP 407 response and then contact a domain controller and obtain a Kerberos ticket to present to the TMG firewall to gain access to the resource.
  If you configured the TMG clients with a certain proxy name, please make sure you typed the TMG's domain computer name only (not IP address nor alias).
  Best regards,
  Susie

• DirectAccess (2012 R2) Force Tunnel & Non-IE Browsers

  I'm setting up a DirectAccess solution with Force Tunneling enabled (don't ask why, the client demanded it). The solution is working flawlessly except for internet access for non-IE browsers. I have a proxy server entry in the nrpt for the '.' dnssuffix
  and IE is honoring that entry and routing all traffic over the DA tunnel to the proxy server correctly.
  however, non-IE browsers like firefox and chrome, while they are browsing the internet off of the DA infrastructure tunnel, are ignoring the proxy entry and browsing directly. (in the environment, the DA Server itself has access to the internet that
  is not proxy-filtered)
  It appears that the proxy server entry in the nrpt is only for IE, and not a global "client" setting. Firefox can still browse the web, but it appears that it's simply throwing the traffic at the DA server directly, which is in turn using its internet
  access as defined by the my clients firewall rules for infrastructure servers.
  or, am I missing something? it seems that the proxy server specified in the nrpt for the '.' dnssuffix should apply to all client traffic and not just IE...

  For anyone that happens to run across a similar issue, here's how I solved it:
  The main problem was that the '.' dns suffix in the nrpt policy that was set to route that suffix to a specified intranet proxy server didn't seem to apply to all traffic, non-ie broswers (such as firefox) would send traffic over the DA tunnel according
  to the force tunnel configuration, but wouldn't have their internet based traffic routed to the proxy server. instead, they would send internet traffic to the DA server, which would access the internet directly, effectively bypassing the corporate proxy and
  it's filtering rules.
  the infrastructure design problem at the client was that the server subnet is granted direct internet access that is not proxied, so the DA server had the ability to forward 6to4 internet traffic directly.
  we ended up changing the windows firewall on the DA server so that the default outgoing policy was set to block, and created explicit allow rules for only the internal subnets and the proxy servers, effectively killing the DA servers internet access, but
  allowing traffic to the internal infrastructure.
  this in turn killed DA clients' ability to browse the internet unfiltered. for non-IE clients or ftp applications a proxy server will now have to be manually (or potentially through group policy) be set, but it closed the loophole in the forced tunnel configuration
  for DA client's web browsing.

• Mac Adobe Flash Player not supporting Web Proxy Authentication

  Anyone else got an enterprise network where you use web proxies with web authentication and no traffic allowed out except through the proxies?
  You may need to be in the UK for this, but try accessing BBC iPlayer content - http://www.bbc.co.uk/iplayer and you should discover that the content won't play. the error says "This content doesn't seem to be working. Try again later.". The content will never work as the Mac version of Flash (currently 10.1.53.64) is not able to respond to web proxy authentication requests. The BBC use various streaming server which are randomly selected when a user starts a stream and they have no DNS. Just IP addresses. They don't publish a list for security reasons. So it is almost impossible to exempt all their servers from authentication.
  I've logged a bug with Adobe. If you have this issue too, please add a comment and vote so that they can begin to grasp the impact of this problem:
  https://bugs.adobe.com/jira/browse/FP-5161

  I have the same issues in Australia trying to access flash content from the ABC website. The strange thing is the content will play if your leave the browser open for 5min.
  After several packet data captures we identified that it has to do with the amount of time it takes the Mac timeout from the proxy before it plays the video content.
  No solution yet.

• Basic Authentication SSO, Web proxy, Rewriter issue

  I have iPS 3.0 SP4.
  I have configured the Gateway to do single signon for HTTP Basic Authentication. My external application also requires a web proxy to connect, so I added the proxy to the "DNS Domain and Subdomains" list. My "Rewrite all URLs Enabled" is not checked.
  I added a link to the external application in the Bookmark channel. When I click on the link, a new browser window is launched, SSO happened (verified from iwtGateway log), but the contents kept going back to the Portal Desktop instead of the external aplication.
  I found out that the external application is using the URL location information of the browser to extract the protocol, host and port info to construct the target page using JavaScript. By the Gateway rewriting the URL, the JavaScript is incorrectly using the Gateway host and port, instead of the application host and port.
  How do I setup the Gateway to do Basic Auth SSO, use a web proxy to fetch the content, but do NOT do URL rewriting? Our users have access to the application directly, so we do not need to run the app behind the Gateway. But I need to use the Gateway to to the SSO. Also, since the "DNS Domain and Subdomains" list is used for both proxy definition and rewriting, how do I make them mutually exclusive - i.e. want to use web proxy but do not want rewriting?
  Can you also suggest other ways of doing Basic Authentication SSO without using the Gateway? I have seen some discussions on using the Authenticator class and a separate Servlet. Please post me an example.
  Thanks.

  Yes, I have already tried the option you suggested. I had previously created a JSP channel that has a link invoking my servlet. This servlet, reads the user profile from an external LDAP and sends the Authorization header on a URLConnection object, just like you described it.
  However, I cannot just simply render the returned content on the InputStream of the URLConnection. The browser/client is actually connected to the servlet - so presenting the images and links directly will be relative to the servlet machine, not the external app. So the images and links do not work.
  If I do a request.sendRedirect(...), the external application will ask for the auth header again. The browser has not captured the auth header that was sent earlier by the servlet.
  How do you tell the browser to keep the auth header for all subsequent request? Is the Gateway SSO approach telling the browser to keep sending the auth header, or is the Gateway programmatically adding the auth header for each request?

• DirectAccess 2012 force tunneling

  Hi,
  I have a Windows Server 2012 DirectAccess implementation where I want to enable force tunneling so clients using DirectAccess from the Internet will us force all traffic to the
  DA server.
  When I select “use force tunneling” in the DA Wizard and save the configuration, my DA enabled clients loses network connectivity when they are placed on my internal network.
  In the DA wizard I see the help text “DirectAccess clients connected to the internal network and to the Internet via remote Access server” below the “use force tunneling” option.
  Can it be true that the force tunneling apply to all DA clients regardless if they are placed internally or on the Internet?
  If that is true it will give a lot of traffic on the DA server if force tunneling is enabled.
  Thomas Forsmark Soerensen

  I'm having the exact same issue :
  When in the internal network there is still an entry in the NRPT : the one for "."
  DNS Effective Name Resolution Policy Table Settings
  Settings for .
  Certification authority :
  DNSSEC (Validation) : disabled
  IPsec settings : disabled
  DirectAccess (DNS Servers) : fd17:dc02:d12b:3333::1
  DirectAccess (Proxy Settings) : Bypass proxy
  My setup is the following:
  One NIC behind a FW/Reverse Proxy (squid), force tunneling activated, windows 7 clients (PKI deployed), NAP (NPS/HRA deployed and working).
  I tried some tips on DNS resolution:
  - enable "Allow DA clients to use local name resolution"
  - use least restrictive local name resolution option 'use local name resolution for any kind of DNS resolution error" (but I tried others)
  In the configuration there is :
  - "." and the DA DNS Server prefix:3333::1
  - public url of my DA and no DNS server
  - DirectAccess-NLS.internaldomain no DNS Server
  On the netsh dnsclient show state this is also strange:
  C:\Users\administrator>netsh dnsclient show state
  Name Resolution Policy Table Options
  Query Failure Behavior : Always fall back to LLMNR and
  NetBIOS for any kinds of errors
  Query Resolution Behavior : Resolve only IPv6 addresses for names
  Network Location Behavior : Let Network ID determine when Direct
  Access settings are to be used
  Machine Location : Inside corporate network
  Direct Access Settings : Configured and Enabled
  DNSSEC Settings : Not Configured
  It says it is inside corporate network but direct Access settings are "Configured and
  Enabled"
  Do you have some ideas ?

• Configuring authentication in web proxy server

  We are using iPlanet Web Proxy Server 3.6 on WindowsNT 4.0
  After installation of iplanet web proxy server 3.6, and making a request for internet access through browser it does not ask for authentication. There is no pop up window received for user name password to authenticate users.
  Upon creating a group and then adding a few members (user1,user2,user3 etc.) to it, we configure rules to restrict user access to internet in the Global settings tab. After saving all the configuration and taking a restart of the proxy server, when we try to log on to internet from a
  different client machine (browser) using an existing user id and password, it does not prompt us for user name and password even though the option "restrict access" in global setting is properly set.
  My first question......
  =>DOES iPlanet Web Proxy allow for such authentication pop up ??
  => If Yes, then kindly let us know where we have gone wrong in configuring the server.
  We are NOT using any webserver or LDAP to authenticate users. No SSL is enabled.
  Please suggest.

  We are using iPlanet Web Proxy Server 3.6 on WindowsNT 4.0
  After installation of iplanet web proxy server 3.6, and making a request for internet access through browser it does not ask for authentication. There is no pop up window received for user name password to authenticate users.
  Upon creating a group and then adding a few members (user1,user2,user3 etc.) to it, we configure rules to restrict user access to internet in the Global settings tab. After saving all the configuration and taking a restart of the proxy server, when we try to log on to internet from a
  different client machine (browser) using an existing user id and password, it does not prompt us for user name and password even though the option "restrict access" in global setting is properly set.
  My first question......
  =>DOES iPlanet Web Proxy allow for such authentication pop up ??
  => If Yes, then kindly let us know where we have gone wrong in configuring the server.
  We are NOT using any webserver or LDAP to authenticate users. No SSL is enabled.
  Please suggest.

• Is iPlanet Web Proxy Server support OpenLdap authentication ?

  Do you know Is iPlanet Web Proxy Server support OpenLdap authentication ?
  Thanks
  Regards,

  Hi
  This as per the HTTP/1.1 RFC (RFC2616)
  The Connection general-header field allows the sender to specify options that are desired for that particular connection and MUST NOT be communicated by proxies over further connections.
  The Connection header has the following grammar:
  Connection = "Connection" ":" 1#(connection-token)
  connection-token = token
  HTTP/1.1 proxies MUST parse the Connection header field before a message is forwarded and, for each connection-token in this field, remove any header field(s) from the message with the same name as the connection-token. Connection options are signaled by the presence of a connection-token in the Connection header field, not by any corresponding additional header field(s), since the additional header field may not be sent if there are no parameters associated with that connection option.
  Read the following at
  http://www.w3.org/Protocols/rfc2616/rfc2616-sec8.html#sec8.1.3
  and
  http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.10
  Regards
  Nagendra HK

• Problem with TMG web Proxy Clients

  Hi
  I have a TMG 2010 in my network an clients can access to the internet with web proxy method there is a problem when they want to open translate.google.com and the can't open it(the connection has timeout) this problem is occur wen the want to open
  translate.google.com I can't understand what's the problem
  can anyone help me????
  alfONso

  Hi,
  You could use netmon trace to troubleshoot this issue. And the following blog might be help.
  http://blogs.technet.com/b/isablog/archive/2009/08/27/side-effects-of-incorrect-dns-configuration-on-isa-server-10060-connection-timeout-scenario.aspx
  Best Regards,
  Joyce
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• TMG Web Proxy - Whitelisting MapQuest

  My org insists that we do whitelist filtering for a certain group of employees. This group should be able to use MapQuest.com... However, I can't seem to create a good ruleset that denies everything but allows mapquest to function normally. Any ideas?
  Obviously adding *.mapquest.com does not work. How can I make sure the site and all the specific URLs its HTML / JavaScript code references is allowed only? So far when I try and get to mapquest.com, it shows a blank page (when I click view source, I can
  see the source though). Oddly enough.

  I am still having trouble. I actually made it so the group is NOT filtered (Allow Web Access for All), and it is still failing.
  In Internet Explorer, when trying to load the page without web filtering (but still going through the TMG web proxy), I get the following errors:
  Webpage error details
  User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; chromeframe/19.0.1084.56; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET CLR 1.1.4322; InfoPath.2) Timestamp: Tue, 26 Jun
  2012 15:01:15 UTC
  Message: Unexpected call to method or property access. Line: 6 Char: 13154 Code: 0 URI:
  http://content.mqcdn.com/winston-405/cdn/toolkit/lite/mqa.toolkit.js.pre$profile=winston
  Message: '_mio' is null or not an object Line: 1 Char: 37539 Code: 0 URI:
  http://content.mqcdn.com/winston-405/cdn/loader.js.pre$locale=en_US&profile=winston
  Message: 'm3.util.History' is null or not an object Line: 1085 Char: 9 Code: 0 URI:
  http://www.mapquest.com/
  Message: 'm3.dotcom.controller.MCP' is null or not an object Line: 1267 Char: 9 Code: 0 URI:
  http://www.mapquest.com/
  It appears to work in Firefox.. Even going through the proxy. It's starting to look like an IE 8 issue.. but it works when not going through the proxy (IE 8), but not when going through the proxy (IE 8, no filtering).