
I am attempting to set up a vSphere Site Recovery Manager lab. I have two datacenters linked via a site-to-site VPN with Microsoft Threat Management Gateway 2010 SP1.

I am attempting to add the two vSphere servers to each other, but I keep getting an Error 500 whenever I try to connect:

 Unable to communicate with vsphere:80 server, http response code: 500.

I don't see anything in the log files on either server and there's nothing in any KB articles about this. What could be going on here?

Mark Henderson

1 Answer


The problem is caused by the TMG gateway doing HTTP inspection, which disables certain not-oft-seen-in-the-wild HTTP verbs.

Watching the connection attempt in Wireshark, we see:

CONNECT /sdkTunnel HTTP/1.1

And reproducing this in Telnet shows us:

 Error Code: 500 Internal Server Error. The parameter is incorrect. (87)
 IP Address: 192.168.101.16
 Date: 27/09/2012 5:35:59 AM [GMT]
 Server: tmg
 Source: proxy

which is verified by the TMG Web Proxy log:

TMG Web Proxy log confirming that TMG is blocking the request

So, this error has nothing to do with Tomcat or vSphere; it's TMG blocking the request. I've never seen the CONNECT verb before, and a brief Google indicates that this is required to be disabled to pass certain audits. So it's possible that TMG blocks it by default.

To work around this, you need to create a new Web Access Rule in TMG.

  1. Create a Computer Set containing your two vSphere servers
  2. Go to Web Access Policy
  3. Under "tasks", click "Create Access Rule"
  4. Fill in the default wizard, choosing "Allow", and selecting to/from your new computer set
  5. After the rule is created, go to its properties
  6. Go to the "Protocols" tab
  7. Click on "HTTP" and click "Edit"
  8. Go to "Parameters"
  9. Un-Check Web Proxy Filter
  10. OK to everything and apply the changes


If you have a TMG server on the other side of the VPN that's not part of this management cluster, then you will need to repeat this rule on there as well. And then, voila, free-flowing traffic:


Mark Henderson
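The Telnet check from the answer, scripted so it can be re-run after the TMG rule change (an added example, not code from the original post or from VMware/Microsoft): it sends the same `CONNECT /sdkTunnel` request seen in the capture and classifies the reply as a working tunnel, a proxy-generated 500 (matched on the "Source: proxy" / error 87 text the TMG error page shows), or something else. The sample responses are constructed, not captured; the host name `vsphere` and port 80 are assumed from the question.

```python
import socket

# Constructed sample replies (approximations, not captured traffic).
# Mirrors the fields the TMG error page showed in the answer.
TMG_BLOCK = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><ul>"
    b"<li>Error Code: 500 Internal Server Error. The parameter is incorrect. (87)</li>"
    b"<li>Server: tmg</li><li>Source: proxy</li></ul></body></html>"
)
TUNNEL_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"


def build_connect_request(host="vsphere", port=80, path="/sdkTunnel"):
    """The request seen in the Wireshark capture: a CONNECT carrying a path, not host:port."""
    return f"CONNECT {path} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def classify_response(raw):
    """Parse a raw HTTP reply and decide who answered: the SDK tunnel or the web proxy filter."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return {"status": None, "verdict": "not_http"}
    status = int(parts[1])
    proxy_error = b"Source: proxy" in body or b"(87)" in body
    if status == 200:
        verdict = "tunnel_ok"            # CONNECT accepted, traffic will flow
    elif status == 500 and proxy_error:
        verdict = "blocked_by_proxy"     # TMG Web Proxy Filter rejected the verb
    elif 400 <= status < 600:
        verdict = "rejected"             # some other error, look at the server instead
    else:
        verdict = "unexpected"
    return {"status": status, "verdict": verdict}


def probe(host="vsphere", port=80, timeout=5.0):
    """Send the CONNECT and read the reply until the peer closes or goes quiet."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connect_request(host, port))
        try:
            while data := s.recv(4096):
                chunks.append(data)
        except socket.timeout:
            pass  # proxy kept the socket open; classify what we have
    return classify_response(b"".join(chunks))
```

Run `probe()` from a host on the same side of the VPN as each vSphere server; a `blocked_by_proxy` verdict before the rule change and `tunnel_ok` after it confirms the Web Proxy Filter was the culprit.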