Hello.

I use TMG 2010 on my Gateway with some rules. I have a rule with the name NAT and everyone that add to this rule can use Internet without any limitation. I added my IP address to this rule but when I want to go to my Cpanle of web site it show me an error and web page can't open. I attached a photo.

What is your idea?

Hi,

How do you configure this rule? Please provide more details.

Please also check TMG logging.

Joyce

Hi,

How do you configure this rule? Please provide more details.

Please also check TMG logging.

The reason you don't find the keys is that it applies to Windows NT 4.0 which is a far different thing than Windows Server 2008R2 which TMG runs on.

The starting point for troubleshooting this kind of errors is http://blogs.technet.com/b/isablog/archive/2009/08/27/side-effects-of-incorrect-dns-configuration-on-isa-server-10060-connection-timeout-scenario.aspx

I change my DNS server forwarder to 8.8.8.8 but not matter :(

If I understand you correctly:

1. Users with their usernames added to this rule can browse the Internet through TMG. Correct?

2. How does the rule look like? What did you add? Can you please show us how the rule looks like?

3. When using live logging in the TMG console, what happens when you try to browse the site?

a) Denied by the correct rule?

b) Denied by default rule?

c) other? Please then share what TMG logs.

If the answer to #1 is yes, then DNS is not your issue. If the answer to 3a is yes, then your rule configuration is wrong. If the answer to 3b is yes, then your request does not match the rule (or any other).

In any case, you need to share with us how the rule is configured. If not, all we can do at best is guess. The above does not give enough information.

If I understand you correctly:

1. Users with their usernames added to this rule can browse the Internet through TMG. Correct?

2. How does the rule look like? What did you add? Can you please show us how the rule looks like?

3. When using live logging in the TMG console, what happens when you try to browse the site?

a) Denied by the correct rule?

b) Denied by default rule?

c) other? Please then share what TMG logs.

If the answer to #1 is yes, then DNS is not your issue. If the answer to 3a is yes, then your rule configuration is wrong. If the answer to 3b is yes, then your request does not match the rule (or any other).

In any case, you need to share with us how the rule is configured. If not, all we can do at best is guess. The above does not give enough inform

To use live logging, open the TMG Management Console and go to Logs & Reports and make sure that you are on the loggin tab. When ready to test, click Start Query on the right hand side in the tasks pane, test from the failing workstation, click Stop Query (same Place as start). Review the log output.

If it is denied by "default rule" then no other rule matches the request.

I see that rule #2 implies that you must do this from the two computers added to the from tab of the rule. Furthermore I assume that this TMG is implemented as a firewall (e.g. an internal nic and an external nic) since you are using external as the destination.

Are you doing your test from one of the defined computers in this rule?

Are the computer objects correctly defined, e.g. the correct IP address is used?

Live logging as described above should tell you if the rule is used at all.

To further analyze your rules you can use the Traffic simulator found under the Troubleshooting node in the TMG console like follows. Change your source IP address to match your clients IP and the destination to match whatever you are testing :

As you see, I attached a picture and I collected log. I used a computer that I specified in "test rule" and worked with the web site but in some case I see error page.  I copy and paste log into below address :

http://paste.ubuntu.com/11979640/

What is your idea?

If you look at the data you have provided, you see that the connection is allowed but fails with 500 server error.

I would say that the issue is not on the TMG server but rather on the remote server, the status comes from the remote host in this example.

In your example the POST always fails when posting something to http://185.8.173.190/ajax/saveImage.

If the log entry would have said "rejected by http filter" then I would be blaming TMG.

If you look at the data you have provided, you see that the connection is allowed but fails with 500 server error.

I would say that the issue is not on the TMG server but rather on the remote server, the status comes from the remote host in this example.

In your example the POST always fails when posting something to http://185.8.173.190/ajax/saveImage.

If the log entry would have said "rejected by http filter" then I would be blaming

Based on the information at hand, yes, TMG is doing its thing perfectly fine.

A capture of network traffic on the external interface of TMG would confirm that (wireshark/network monitor/ms message analyzer) as it is plain http it is easy to see.