Removing TMG 2010?
Hi all,

I'm trying to remove TMG2010 to use a Juniper device instead, but I'm facing an issue.

The Juniper works OK, i.e. if I take a laptop and connect it to the Juniper, it has full internet access.

Now, if I try to switch my computer from the TMG gateway to the Juniper gateway, I can ping, I can surf, but I can't get Outlook to work.

After further investigation, it seems that every HTTPS request fails. Trying to browse https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml using the Juniper does not work on my computer (but it works with a laptop not connected to the AD).

I know TMG can do some HTTPS inspection, so I suspect something here. TMG Client is removed on my computer. I cannot find any article about properly removing TMG from an AD?

Any help?



Thanks,
July 9th, 2013 11:32am

Hi,

TMG doesn't change anything in your Active Directory. Simply uninstall TMG Server or take off the machine and replace TMG with the other firewall. IMHO your problem is client related. Please check whether normal websites with HTTPS also don't work, and check the HTTPS connection from another client behind your other firewall. Please also check the Juniper log for blocked HTTPS traffic.

July 9th, 2013 12:16pm


Well, I'm a bit sceptical about simply replacing my TMG with the Juniper. How can I be sure that everything would work then?

My computer is able to visit HTTPS websites (Google, Facebook for example), that's why it is weird. I guess the problem is related to the authentication: browsing to https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml, you'll get a pop-up asking for credentials.
Also, I've tried with 2 other computers, same problem.
July 10th, 2013 3:16am

Hi,

Please check the Juniper logs to see if the Juniper requires authentication to access websites.

July 10th, 2013 4:46am

No problem with the Juniper. 

Trying with a laptop that is not a domain member, it works with the Juniper. It's really weird!

July 10th, 2013 6:51am

Hmm, it seems that I have a lot of WPAD requests on my network from my domain members... I guess it's a good direction?
July 10th, 2013 7:04am

Hi,

So I misunderstood you? TMG is the problem you are talking about, not Juniper?

July 10th, 2013 10:11am

The problem is, when I switch any of my domain member computers to the Juniper gateway, Outlook does not connect to Exchange anymore.

It seems that HTTPS using a special authentication does not work, but I can't figure out why.

"Normal" HTTPS works well (I can go to Gmail, log in, check my mail, etc.).

Browsing to https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml does not work. 

If I switch back to TMG as gateway, browsing https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml, I get a Windows Security popup that asks me for username and password.

If I use a computer that is not a domain member, using TMG or Juniper works: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml asks me for authentication.

So, not using TMG as my gateway on my domain computers broke this, but I can't explain why.

July 10th, 2013 10:33am

Using Network Monitor, it appears that my computer sends the "Client Hello" but never receives the "Server Hello. Certificate" using the Juniper. Using the TMG, it receives the "Server Hello. Certificate".

Doing the same on a laptop that is not a member of the AD, I have "Client Hello" then "Server Hello. Certificate" using the Juniper or the TMG.

July 10th, 2013 11:10am
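
The Network Monitor observation in the last post (Client Hello sent, no Server Hello received) can be checked per client and per gateway without a packet capture. The script below is an added example, not part of the original thread; `probe_tls` and its stage names are hypothetical, and when run without arguments it probes a constructed local listener that accepts TCP and then stays silent.

```python
import socket
import ssl
import sys


def probe_tls(host, port=443, timeout=5.0):
    """Return (stage, detail) naming the first step that fails for host:port.

    Stage names are this example's own: dns, tcp, tls_timeout, tls_error, ok.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:       # name did not resolve
        return ("dns", str(exc))
    except OSError as exc:               # refused, unreachable, connect timeout
        return ("tcp", str(exc))

    ctx = ssl.create_default_context()   # verifies the chain and the hostname
    try:
        # wrap_socket sends the Client Hello and waits for the Server Hello.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # The issuer shows whether an inspecting proxy re-signed the site.
            issuer = tls.getpeercert().get("issuer")
            return ("ok", "%s issuer=%s" % (tls.version(), issuer))
    except socket.timeout:
        # The symptom from the thread: TCP is fine, the handshake gets no reply.
        return ("tls_timeout", "Client Hello sent, no Server Hello in time")
    except (ssl.SSLError, OSError) as exc:
        # Includes certificate verification failures and connection resets.
        return ("tls_error", str(exc))
    finally:
        sock.close()


if __name__ == "__main__":
    # Constructed stand-in for a path that swallows the Server Hello:
    # the kernel completes the TCP handshake, nothing ever answers.
    silent = socket.socket()
    silent.bind(("127.0.0.1", 0))
    silent.listen(1)
    targets = [(h, 443) for h in sys.argv[1:]]
    targets = targets or [("127.0.0.1", silent.getsockname()[1])]
    for host, port in targets:
        print(host, port, probe_tls(host, port, timeout=3.0))
```

Running it with the same host name on a domain member and on a non-member, once behind each gateway, gives four results that can be compared directly.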
