
I have Forefront TMG installed as a proxy server. However, whenever I make HTTP requests to servers on the Internal network with a fully qualified DNS name, the proxy denies the connection.

Denied Connection FRW-02 18/03/2011 20:06:37 
Log type: Web Proxy (Forward) 
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).  
Rule: Default rule 
Source: Internal (10.50.75.21:21492) 
Destination: Internal (10.50.75.10:8080) 
Request: GET http://app-01.mydomain.com.br:9871/internalwebserver_deploy/MyServiceService.svc?wsdl 
Filter information: Req ID: 0a157279; Compression: client=No, server=No, compress rate=0% decompress rate=0% 
Protocol: http 
User: anonymous 

How can I get around this block? This is an internal call, so it should not block it.

If I use only http://app-01:9871/internalwebserver_deploy/MyServiceService.svc?wsdl, without the domain after the server name, then it doesn't get blocked.

10.50.75.10 is the firewall's IP, and the internal network's gateway.

TristanK
Pascal

1 Answer


The problem is twofold:

  • your browser is sending an internal request to TMG in the first place, and
  • TMG is preventing a possible reflection attack (or at least, has no rule to allow it)

Depending on how your browser is configured, the better solution from a minimum-wasted-computing-cycles perspective is to provide it with information that lets it not forward requests for *.yourinternaldomain.com to the proxy server. {Avoiding the proxy} beats {asking the proxy for something you could have got directly}.

WPAD (AutoDiscovery) and PAC files are common methods of doing this, and TMG lets you specify these exclusions on the Internal network object under Networks - as long as the client is using Auto Detection from the TMG box.

If the client isn't, you either need to modify your PAC file, or just set a proxy exclusion ("Bypass proxy for these addresses") for either just yourhostname.yourinternaldomain.com, or just *.yourinternaldomain.com if you're not using a split DNS system.

Just as an aside - last time I looked, TMG essentially performs string matches rather than name resolution in its autodetection script by default, so if you deal with bare IPs as well as nice internal domain names, you may need to specify both network ranges and host patterns (*.internal.dom).

Your other option is to create a rule in TMG to allow Internal to Internal (which is what most people do - instead, the least privilege solution would be to allow only HTTP from Internal to that specific host), but this doesn't address the problem of the browser talking to TMG at all in the first place - the browser shouldn't be sending internal requests to the proxy; that's the better problem to fix.

TristanK
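The answer's recommended fix is to keep the browser from sending internal requests to TMG at all, via WPAD/PAC or a bypass list, and to cover both name patterns and bare IP ranges because the autodetect logic matches strings rather than resolving names. The following PAC script is an added example and not code from the question or the answer: the proxy address (10.50.75.10:8080) and the internal suffix (mydomain.com.br) are taken from the question's log line, while the 10.50.75.0/24 range, the SPLIT_DNS switch and the explicit host list are assumptions for illustration. The helper functions at the top are normally supplied by the browser; string-only versions are defined here so the file can be run and tested under Node.

```javascript
// Proxy auto-config (PAC) script that sends internal traffic DIRECT and
// everything else through the TMG web proxy.
// Added example, not from the original post. Proxy address and internal
// suffix come from the question's log; subnet, SPLIT_DNS and host list are
// assumed values for illustration.

var PROXY = "PROXY 10.50.75.10:8080";      // TMG web proxy listener from the log
var INTERNAL_DOMAIN = "mydomain.com.br";   // internal DNS suffix from the request line
var INTERNAL_NET = "10.50.75.0";           // assumed internal subnet
var INTERNAL_MASK = "255.255.255.0";
// With split DNS the whole suffix cannot be bypassed (public names under it
// would skip the proxy too), so only explicitly listed hosts are exempted.
var SPLIT_DNS = false;
var INTERNAL_HOSTS = ["app-01.mydomain.com.br"];   // assumed explicit bypass list

// Browsers provide isPlainHostName/dnsDomainIs/isInNet to PAC scripts. These
// minimal string-only versions let the file run under Node for offline tests;
// like TMG's default autodetect script they never resolve names, so isInNet
// only matches hosts that are already dotted-quad IP addresses.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // domain carries a leading dot, e.g. ".mydomain.com.br"
  return host.length > domain.length &&
         host.slice(host.length - domain.length) === domain;
}

function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

function isInNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);   // compare as unsigned 32-bit
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Bare host names such as "app-01" already go direct in the question.
  if (isPlainHostName(host)) return "DIRECT";
  // Fully qualified internal names: whole suffix, or explicit hosts under split DNS.
  if (SPLIT_DNS) {
    for (var i = 0; i < INTERNAL_HOSTS.length; i++) {
      if (host === INTERNAL_HOSTS[i]) return "DIRECT";
    }
  } else if (dnsDomainIs(host, "." + INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Bare internal IPs need their own range entry: there is no name to match.
  if (isInNet(host, INTERNAL_NET, INTERNAL_MASK)) return "DIRECT";
  return PROXY;
}
```

When the script is deployed as a real PAC file, drop the helper definitions so the browser's own implementations are used (the browser's isInNet resolves names, which is deliberately not done here). The same three conditions (plain host names, the internal suffix, the internal address range) are what to enter as domain and address exclusions on the TMG Internal network object when clients use Auto Detection instead of a hand-maintained PAC.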