The problem is caused by the TMG gateway doing HTTP inspection, which disables certain not-oft-seen-in-the-wild HTTP verbs.
Watching the connection attempt in Wireshark, we see:
CONNECT /sdkTunnel HTTP/1.1
And reproducing this in Telnet shows us:
- Error Code: 500 Internal Server Error. The parameter is incorrect. (87)
- IP Address: 192.168.101.16
- Date: 27/09/2012 5:35:59 AM [GMT]
- Server: tmg
- Source: proxy
which is verified by the TMG Web Proxy log:
So, this error has nothing to do with Tomcat or vSphere; it's TMG blocking the request. I've never seen the CONNECT verb before, and a brief Google search indicates that this is required to be disabled to pass certain audits. So it's possible that TMG blocks it by default.
To work around this, you need to create a new Web Access Rule in TMG.
- Create a Computer Set containing your two vSphere servers
- Go to Web Access Policy
- Under "tasks", click "Create Access Rule"
- Fill in the default wizard, choosing "Allow", and selecting to/from your new computer set
- After the rule is created, go to its properties
- Go to the "Protocols" tab
- Click on "HTTP" and click "Edit"
- Go to "Parameters"
- Uncheck Web Proxy Filter
- OK to everything and apply the changes
If you have a TMG server on the other side of the VPN that's not part of this management cluster, then you will need to repeat this rule there as well. And then, voila, free-flowing traffic:
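An added way to script the Telnet reproduction from the answer (example code, not part of the original post): it sends the same CONNECT /sdkTunnel request the vSphere client sends and parses the proxy's reply, so you can confirm the block before the rule change and the open tunnel after it. The proxy address, the vcenter.example host name and the two sample responses are constructed assumptions.

```python
import re
import socket

# Constructed sample of the TMG error page the answer quotes, wrapped in a
# minimal HTTP response (assumption: the real page carries more markup).
SAMPLE_TMG_REJECT = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><ul>"
    b"<LI id=L_default_11>Error Code: 500 Internal Server Error. "
    b"The parameter is incorrect. (87)"
    b"<LI id=L_default_14>Server: tmg"
    b"<LI id=L_default_15>Source: proxy"
    b"</ul></body></html>"
)
# Constructed sample of a proxy that lets the tunnel through.
SAMPLE_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"


def build_connect_request(path="/sdkTunnel", host="vcenter.example"):
    # Same request line as in the Wireshark capture; the host name is a placeholder.
    return f"CONNECT {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


def classify_connect_response(raw):
    """Parse the first reply to a CONNECT and report whether TMG's web proxy rejected it."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.match(rb"HTTP/\d\.\d (\d{3})", head)
    status = int(m.group(1)) if m else None
    # Strip the <LI ...> markup so the error page reads as plain text.
    text = re.sub(rb"<[^>]+>", b" ", body)
    r = re.search(rb"Error Code:\s*(.*?)\s*(?=IP Address:|Date:|Server:|Source:|$)", text, re.S)
    from_tmg = b"Server: tmg" in text and b"Source: proxy" in text
    return {
        "status": status,
        "tunnel_established": status == 200,
        "rejected_by_tmg_web_proxy": from_tmg and status is not None and status >= 400,
        "reason": r.group(1).decode(errors="replace") if r else "",
    }


def probe_connect(proxy_host, proxy_port, timeout=5.0):
    """Send the CONNECT the vSphere client sends and classify the proxy's answer."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect_request())
        return classify_connect_response(s.recv(65536))
```

Run probe_connect against the TMG proxy from a host in the new Computer Set; a result with rejected_by_tmg_web_proxy set means the Web Proxy Filter is still applied to the rule.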