I am attempting to set up a vSphere Site Recovery Manager lab. I have two datacenters linked via a site-to-site VPN with Microsoft Threat Management Gateway 2010 SP1.
I am attempting to add the two vSphere servers to each other, but I keep getting an Error 500 whenever I try to connect:
I don't see anything in the log files on either server and there's nothing in any KB articles about this. What could be going on here?
The problem is caused by the TMG gateway doing HTTP inspection, which disables certain not-oft-seen-in-the-wild HTTP verbs.
Watching the connection attempt in WireShark, we see:
CONNECT /sdkTunnel HTTP/1.1
And reproducing this in Telnet shows us:
<LI id=L_default_11>Error Code: 500 Internal Server Error. The parameter is incorrect. (87)
<LI id=L_default_12>IP Address: 192.168.101.16
<LI id=L_default_13>Date: 27/09/2012 5:35:59 AM [GMT]
<LI id=L_default_14>Server: tmg
<LI id=L_default_15>Source: proxy
which is verified by the TMG Web Proxy log:
So, this error has nothing to do with tomcat or vsphere, it's TMG blocking the request. I've never seen the CONNECT verb before, and a brief google indicates that this is required to be disable to pass certain audits. So it's possible that TMG blocks it by default.
To work around this, you need to create a new Web Access Rule in TMG.
If you have a TMG server on the other side of the VPN that's not part of this management cluster, then you will need to repeat this rule on there as well. And then, voila, free flowing traffic:
