SharePoint Workspace not working through TMG

Hi,

I have exposed a SharePoint site collection called BrainBoosters through TMG. This is meant to be a secure connection for consultants who access the site externally. Access to the site is 100%. The only issue I am currently experiencing is that Workspace is not working externally only internally. We are using SharePoint Foundation 2010. Below is the error message on the client when WorkSpace option is clicked from within the browser. I have also included the Deny action taking place on TMG.

Your help would be very much appreciated.

Guy

 


Microsoft Office Sharepoint Workspace 2010        Reverse Proxy    -    sp.brainboosters.co.za    TCP    -    Req ID: 0aaf2f55; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes    -        0x0    0x0    49512    Web Proxy                    0    2407    213    -    2011/09/22 11:55:40    -    -    0    -    0    -    -    -    -    -    -    0    0                                            -    2011/09/22 13:55:40    41.27.219.15    196.28.27.107    443    https    Denied Connection    -        -    -    -        12309 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.     anonymous    -    -    http://sp.brainboosters.co.za/    SVR-TMG    Unknown    Web Proxy Filter            -            0    -   

September 22nd, 2011 3:51pm

Workspace may require the use of persistent cookies which allows applications outside of the browser to authenticate corr

Free Windows Admin Tool Kit Click here and download it now
September 22nd, 2011 4:37pm

In IE9 there is a 3rd party , 1st party and session cookie option. All of these are allowed and yet the error persists. I cant find a persistent cookie option.

 

Tks.

September 22nd, 2011 4:52pm

Have a look here for the exact location: http://technet.microsoft.com/en-us/library/cc995078.aspx

Be aware that persistent cookies provides an element of security risk and, if possible, you should use the private option and educate users to use the private computer option on the FBA screen if they specifically need workspace functionality.

I have not deployed SPS workspace with ISA/TMG, so this is just a hunch...

Cheers

JJ

Free Windows Admin Tool Kit Click here and download it now
September 22nd, 2011 5:01pm
Yes, persistent cookies is the way to go as per Jason's advice. Once you launch something else (read app) from the browser authentication is lost, hence the need for persistent cookies.
September 23rd, 2011 11:58am

Thanks for the feedback. I have activated persistent cookies for private computers on my listener. I then logged into the SharePoint site using TMG authentication form with private computer option ticked. Still, when trying to add a new workspace either from my browser or from SP Workspace itself it gave me the same error as included in my first post.

Any other ideas?

Free Windows Admin Tool Kit Click here and download it now
September 23rd, 2011 1:22pm
What do you get in the TMG logs now?
September 26th, 2011 12:33pm

These are the only deny incidents I could find:

 

    Result Code    HTTP Status Code    Client Username    Source Network    Destination Network    URL    Server Name    URL Category    Log Record Type    Malware Inspection Action    Malware Inspection Result    Threat Name    Threat Level    Content Delivery Method    Malware Inspection Duration (msec)    NAT Address    Client Application Path
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)        Reverse Proxy    -    sp.brainboosters.co.za    TCP    -    Req ID: 0abe1b5e; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes    -        0x0    0x0    49638    Web Proxy                    0    241    296    -    2011/09/27 06:40:28    -    -    0    -    0    -    -    -    -    -    -    0    0                                            -    2011/09/27 08:40:28    41.31.69.45    196.28.27.107    443    https    Denied Connection    -        -    -    -        12302 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.     anonymous    -    -    http://sp.brainboosters.co.za/    SVR-TMG    Unknown    Web Proxy Filter            -            0    -   
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)        Reverse Proxy    -    sp.brainboosters.co.za    TCP    -    Req ID: 0abe1b0c; Compression: client=Yes, server=No, compress rate=67% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes    -        0x0    0x0    49625    Web Proxy                    0    2940    331    -    2011/09/27 06:39:58    -    -    0    -    0    -    -    -    -    -    -    0    0                                            -    2011/09/27 08:39:58    41.31.69.45    196.28.27.107    443    https    Allowed Connection    -        -    -    -        0 The operation completed successfully.     anonymous    -    -    http://sp.brainboosters.co.za/CookieAuth.dll?GetLogon?curl=Z2Ffavicon.ico&reason=0&formdir=3    SVR-TMG    Unknown    Web Proxy Filter            -            0    -   
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)        Reverse Proxy    -    sp.brainboosters.co.za    TCP    -    Req ID: 0abe1b03; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes    -        0x0    0x80    49623                        0    252    280    -    2011/09/27 06:39:58    -    -    0    -    0    -    -    -    -    -    -    0    0                                            -    2011/09/27 08:39:58    41.31.69.45    196.28.27.107    443    https    Denied Connection    -        -    -    -        12302 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.     anonymous    -    -    http://sp.brainboosters.co.za/favicon.ico    SVR-TMG    Unknown    Web Proxy Filter            -            0    -   

Free Windows Admin Tool Kit Click here and download it now
September 27th, 2011 9:49am

Another suggestion, assuming that persistent cookies are configured in TMG - have you tried to turn off "Block High-Bit Characters" and/or "Verify Normalization" on the HTTP filter for the publishing rule?

The above doesn't really give conclusive information, what would be good is to use a tool like http://www.microsoft.com/downloads/details.aspx?FamilyID=F5EC767F-27F2-4FB3-90A5-4BF0D5F4810A&displaylang=e&displaylang=en in order to see what the client sends. Attach Strace to the application (IE?) used to open the workspace. This may need some tinkering and playing around to get to work... but if you get a trace you will be able to see exactly what the client sends that is denied.

September 28th, 2011 10:21am

Hello,

I have a similar problem (same Setting).

I get the error message that the sharepoint "saving/storing location" could not be interpreted (translation from the German error message), after I was prompted for the user credentials. I do not get an error message on server side.

The TMG Settings:

Rule applies to published site: wi-sharepoint

Request appear to come from the Forefront TMG computer

Listener : https; 8443

Public name (changed): something.tech.at

Authentication: NTLM auth.

Bridging: Redirect top HTTP: port 81

Apply link translation to this rule

This setting works if I connect via a browser (from inside and outside)

But trying to connect via Workspace 2010 I get an error from outside (from inside it works)

The log from the TMG:

SourceExternal: 80.081.215.166:4881 (changed)

Destination: Lcoal Host (192.168.50:81)

Request: POST http://wi-sharepoint:81/...

On the Sharepoint I configured AAM:

http://wi-sharepoint DEFAULT => http://wi-sharepoint

http://wi-sharepoint:81 Internet => http://wi-sharepoint:81

I also tried to add:

http://something.tech.at => http://something.tech.at

and

http://something.tech.at => http://something.tech.at

but it was not working correctly.

Hope you can help.

Thanks,

Florian

Free Windows Admin Tool Kit Click here and download it now
January 18th, 2012 11:51pm

Hello,

does anyone have any hint how to solve this problem?

regards,

Florian

February 12th, 2012 7:02pm

Hi,

Did you ever found a solution for this? We have our SharePoint published externally. Everything seemed to work fine but now some users wanted to use Workspace from outside and they got the same error. We've turned on the persistent cookies but the error did not go away.

Best regards,

    Sandra

Free Windows Admin Tool Kit Click here and download it now
January 7th, 2014 4:07pm

Hello,

Yes the Problem was the URL mapping of SharePoint and the Forefront Settings. I played arround quite Long too find a solution. I used the logging and trace functionality of TGM to identify the URL used to access the SharePoint behind the TGM and addapted the URL to fit to the requests.

If you need specific Input I can create some screenshots till next week.

KR

FE

January 8th, 2014 5:58pm

Thank you for your answer, I will look into the logs. Screenshots would be very appreciated.

Best regards,

    Sandra

Free Windows Admin Tool Kit Click here and download it now
January 9th, 2014 11:11am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics