Internal clients not connected to the domain are not given forms-based authentication page when they connect to an internal website.

External users coming through TMG to our internal website are given a TMG forms-based authentication page to log in to. Fine.

But internal users going to the same website are passed through directly to an IIS authentication page by TMG, they are not given a TMG login page.

Any ideas why not?

I have tried creating a new Publishing Rule for internal users who are not on the domain, but as they use the same website they have to use the same listener (you can only have 1 listener per website IP address).

Why don't the internal users also get the TMG forms-based login page?

Everything works OK, we just want the internal users to get the same prompt as external users, instead of the ISA server prompt.

• Edited by The British School in The Netherlands Tuesday, October 08, 2013 1:18 PM

Hi,

activate the option on the TMG Weblistener that the Weblistener listens to the EXTERNAL and INTERNAL network

Thanks for the suggestion Marc, but that option is already ticked.

In the Web Listener properties; Networks tab; Perimeter and Internal are ticked. (External network not used).

Any other suggestions?!?

Regards,

Richard Artes.

Hi,

Could you provide a simple sketch for us?

Do your topology like this?

Internal client-----------TMG-----Website(DMZ-------3Layer Device----Internet

Or

Internal client---------TMG---------Internet

                                        |

                                    Website(DMZ)

Please check your network rule between Internal and Perimeter

And if you change the authentication to Basic authentication, do the problem persists?

Best Regards

Quan  Gu  

Hi,

Is there any update?

Do the problem persist?

Best Regards

Quan Gu

Hi Quan, thanks for the message. I think it's like this:

Internal client---------TMG---------Internet

                                        |

                                    Website(DMZ)

I've had a chat with an external consultant who knows more about TMG than me, he thinks we need to edit the existing listener and add a new internal IP address to it.

1. Add the internal IP to the existing listener (creating a new listener is also valid but as far as I can see at this time it is not necessary).
2. Edit your hosts file (not lmhosts) to resolve to the IP address of the TMG server.
3. Test if it works.
4. If all is okay, change the internal DNS during your maintenance window.

Richard.

• Marked as answer by Quan GuMicrosoft contingent staff, Moderator 7 hours 5 minutes ago

Hi Quan, thanks for the message. I think it's like this:

Internal client---------TMG---------Internet

                                        |

                                    Website(DMZ)

I've had a chat with an external consultant who knows more about TMG than me, he thinks we need to edit the existing listener and add a new internal IP address to it.

1. Add the internal IP to the existing listener (creating a new listener is also valid but as far as I can see at this time it is not necessary).
2. Edit your hosts file (not lmhosts) to resolve to the IP address of the TMG server.
3. Test if it works.
4. If all is okay, change the internal DNS during your maintenance window.

Richard.

• Marked as answer by Quan GuMicrosoft contingent staff, Moderator Thursday, October 17, 2013 3:46 AM

Hi,

Yes,what you said is similar with Marc metioned. You need enable web listener to listen external and internal request.And you need to properly configrure DNS server to resolve internal website name.

Thanks for your update,if the problem is solved,please let us know.

Best Regards

Quan Gu