Direct Access and Proxy server...

I've followed the step-by-step instructions for demonstrating UAG DA in a test lab. It all works fine.

Now I've configured TMG on the UAG server to act as a web access proxy and created a group policy to apply the proxy settings. It seems that the DA Client applies this policy and tries to use the proxy server for internet access when outside of the Intranet. How do I configure group policy to force the client to use the web proxy when connected to the Intranet, but not when outside the Intranet and connected using DA?

Thanks all,

Neil

March 26th, 2010 1:12pm

Using TMG on UAG for forward proxy is not supported...
March 26th, 2010 7:42pm

Jason,

Point taken - I obviously wouldn't do that in a production environment, I'm just trying to get my head around some of the issues that arise when using DirectAccess as opposed to our current VPN solution. Looking beyond the fact that my sandpit hasn't got a separate proxy server, the question remains:

If my user is roaming, connecting via the corporate network or over the web via DirectAccess, how do I configure Group Policy so that he uses a proxy server (whatever it may be) when connected at the office, and then not using a proxy when connected via DirectAccess?

In fact, the general principle of the question applies to any settings that you want to be different depending on how they are connected.

Thanks again,

Neil

March 29th, 2010 2:58pm

Hi Neil,

I don't think you'll be able to bounce back through the UAG server that the DA client is connected to, since the TMG configuration required isn't within support boundaries.

However, you can configure the DA clients to use another TMG firewall on your network to connect to the Internet through the Web proxy. You will need to take advantage of the DNS64/NAT64 on the UAG server to connect to the FQDN of the outbound web proxy listener on the TMG firewall. That will translate the IPv6 request to an IPv4 request, and since the TMG firewall's web proxy will perform name resolution on behalf of the client, the client doesn't need to worry about that.

That's how it's supposed to work. I'll try to stand this up in the lab and see how it works in practice.

Thanks!

Tom

March 29th, 2010 6:04pm

If you add the proxy server FQDN to the NRPT bypass list, clients will not be able to access the internal proxy via DA.

If you combine the above with WPAD or an autoconfig script that falls back to "direct" when the proxy is not available, this should produce your desired results...well, it works in our setup ;)

Cheers

JJ

March 29th, 2010 6:54pm
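A WPAD autoconfig (PAC) script of the kind JJ describes, added here as an example and not taken from the thread: corporate-LAN clients go through the proxy, intranet names are bypassed, and the "; DIRECT" entry lets the browser fall back to the local link when the proxy does not answer. The domain suffix and proxy listener are placeholders, and the four helper functions are shims standing in for the ones a WPAD-capable browser supplies natively.

```javascript
// Added example (not from the thread): a WPAD/PAC script with a DIRECT
// fallback. CORP_DOMAIN and CORP_PROXY are assumed placeholder values.
var CORP_DOMAIN = ".corp.example";                    // assumed DNS suffix
var CORP_PROXY  = "PROXY proxy.corp.example:8080";    // assumed TMG listener
var BYPASS_PATTERNS = ["10.*", "192.168.*", "localhost", "127.0.0.1"];

// Shims for the PAC helper functions a browser provides natively, so the
// script can be exercised in plain Node.js. Semantics follow the PAC spec.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;          // "intranet", not "intranet.corp.example"
}
function dnsDomainIs(host, domain) {
  // Suffix match. Keep the leading dot in CORP_DOMAIN: without it,
  // "evilcorp.example" would also match "corp.example".
  host = host.toLowerCase(); domain = domain.toLowerCase();
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function shExpMatch(str, pattern) {
  // Shell-style glob: * matches any run, ? matches one character.
  var escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                       .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", "i").test(str);
}

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();
  // Intranet destinations: single-label names, anything under the corporate
  // suffix, and the zone apex itself never touch the proxy.
  if (isPlainHostName(h) || dnsDomainIs(h, CORP_DOMAIN) || h === CORP_DOMAIN.slice(1)) {
    return "DIRECT";
  }
  // Private-address literals and loopback are also reached directly.
  for (var i = 0; i < BYPASS_PATTERNS.length; i++) {
    if (shExpMatch(h, BYPASS_PATTERNS[i])) { return "DIRECT"; }
  }
  // Everything else: the corporate proxy first; "; DIRECT" tells the browser
  // to use the local link if the proxy does not answer. This is the fallback
  // JJ relies on; note it also means a proxy outage silently bypasses any
  // proxy-side filtering, so proxy availability is worth monitoring.
  return CORP_PROXY + "; DIRECT";
}
```

JJ's NRPT exemption for the wpad host is the more deterministic control for DirectAccess clients: when remote they cannot fetch the script at all and simply use the local link, rather than depending on a failed connection to the proxy.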

Hi Jason,

That is correct, and that's why we recommend that you make exceptions for WPAD in the NRPT. That recommendation is made with the fact that split tunneling is the default configuration. You don't want the web requests to be made through the tunnel - we want the client to connect to the web over the local link.

But it sounded like he wanted to force the web requests over the DA connection. In that case, you will want to allow wpad through the DA connection and provide the FQDN of the TMG web proxy listener. Then the connections can be made through that device - with the exception that it can't be the device that the DA client is connected to - it has to be another TMG web proxy somewhere else on the network.

Thanks!

Tom

March 30th, 2010 5:09pm

Thanks Jason/Thomas

I've abandoned trying to get group policy to do the job - I was clearly barking up the wrong tree!

WPAD however definitely does work...and works a treat. My Win 7 client machine can now seamlessly use the proxy when on the Corporate LAN, and use the local link when outside. I figured that I'd need to add wpad to the NRPT on the UAG as an exclusion.

Live pilot is next up...

Thanks again.

March 31st, 2010 5:53pm

Cool :)
March 31st, 2010 6:14pm

I have our UAG setup with TMG acting as a Proxy and even PPTP VPN. We use a DHCP WPAD entry, so when clients are internal they get the proxy settings via DHCP, and of course when external they are using a different DHCP Server so they don't get the proxy settings. Works fine for us; we just have to remember, each time we make a config change in UAG and activate it, to make sure it doesn't wipe out the TMG settings, which it tends to do, so I am guessing this is why it isn't supported.
March 31st, 2010 8:35pm

Hi Dan,

Yes, that and other reasons as well. If you want to force the DA clients to use an internal proxy (which seems like a good thing to do), then configure another device on the network as a TMG firewall and set the wpad entry for that device. That's fully supported and I suspect that performance might be better as well.

Thanks!

Tom

April 1st, 2010 4:36pm

Resolved:

1. Add the wpad host to the NRPT table as an exception; while DA is connected this host cannot be resolved.

2. Add a GPO for the DA Client:

disable the WPAD cache for IE https://support.microsoft.com/kb/271361

enable automatic proxy configuration

3. Apply the policy and restart the DA Client

While DA is connected, the client cannot download wpad and IE does not use the corporate proxy; while the client is in the corp network IE can load wpad and use the corp proxy.

IE reloads wpad every time.

February 12th, 2015 10:05am
