
TMG questions

Hi there,

Has anyone managed to successfully integrate a WS1100 with a TMG in front of it?

We have a requirement where the TMG needs to be the first port of call for client devices, and the documentation mentions that a TMG can be in front of a WS, but so far I have been unable to get it working.

I have been in contact with Sophos support (via email), but they would prefer I don't use the TMG at all.

Any help or advice would be appreciated.

  • Hi FJ,

    Sorry to hear you're having a few problems with this setup.

    Looking back at your previous post, are you still trying to use the Bridged deployment mode?

    The bridged deployment mode should be fairly simple to set up, as there should be no configuration changes required on the TMG.  The TMG will still use the same firewall/router as its default gateway, and the appliance will just sit in between and transparently filter the traffic.

    Alternatively, if you are using a 'Web Chaining' rule in TMG, then there will be a little bit of setup required on the TMG.  Unfortunately Sophos support wouldn't be able to go too deep into the TMG configuration, as it isn't our product.  However, the basics are:

    • The appliance would normally be in 'Explicit' mode
    • If you want the appliance to integrate with Active Directory, the TMG plugin should be installed on the TMG.  This can be downloaded from the appliance in 'Configuration > Network > Hostname'
    • If you want the appliance to integrate with Active Directory, you must enter the TMG IP in 'Configuration > Network > Hostname' under 'Accept authentication from downstream ISA/TMG servers'
    • The TMG will need a web chaining rule configured to forward web traffic to the appliance as an upstream proxy on port 8080
    • Preferably the appliance should not use the TMG as its default gateway, to prevent proxy loops.  The appliance should go straight out through the edge firewall/router
    • If the appliance has to use the TMG server as its default gateway, it should not be part of the web chaining rule, to prevent a proxy loop
    • Consider whether you want to use caching on the TMG.  If you are caching pages you may get undesired results: users might get access to unwanted pages if they are already cached on the TMG.

    Obviously the exact instructions can vary depending on how the TMG is deployed.  Is it running in an edge configuration, or is it within the LAN?

    I'd be happy to offer some more advice if you could let me know what mode you are considering, and what problems you've come across?

    Thanks,

    -Tom.

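As an added illustration (not code from this thread, nor from Sophos or Microsoft), the following Python model walks one request through the chains described in the post above: TMG with a web chaining rule to the appliance on 8080, and the appliance either going straight out through the edge router or using the TMG as its default gateway, with and without being excluded from the chaining rule. Each proxy hop appends its pseudonym to the HTTP `Via` header (RFC 7230 section 5.7.1) and refuses a request that already lists it, which is the standard way a proxy detects a forwarding loop. The device names and addresses are constructed, and the assumption that traffic routed through the TMG as a gateway is still subject to its web chaining rule is a modelling choice taken from the bullets above; the model makes no claim about how TMG itself reports a loop.

```python
"""Model of the TMG -> WSA proxy chains discussed above (added example).

Names, addresses and the gateway behaviour are assumptions made for the model.
"""
from __future__ import annotations

from dataclasses import dataclass

INTERNET = "INTERNET"   # pseudo-hop: egress through the edge firewall/router
MAX_HOPS = 8            # hard stop so a mis-modelled chain cannot spin forever


class ProxyLoop(Exception):
    """A request re-entered a proxy it had already passed through."""


@dataclass(frozen=True)
class Proxy:
    name: str                               # pseudonym written into Via
    address: str                            # source address of requests it originates
    upstream: str = INTERNET                # explicit upstream proxy, or INTERNET
    gateway: str | None = None              # proxy whose router its direct egress passes through
    chain_exempt: frozenset = frozenset()   # sources its web chaining rule does NOT apply to

    def next_hop(self, src: str) -> str:
        """Web chaining rule: exempted sources go straight out, the rest go upstream."""
        return INTERNET if src in self.chain_exempt else self.upstream


def forward(proxies: dict[str, Proxy], first_hop: str, client: str) -> dict[str, str]:
    """Walk one request from the client through the chain; return its final headers."""
    headers: dict[str, str] = {}
    src, hop = client, first_hop
    for _ in range(MAX_HOPS):
        proxy = proxies[hop]
        seen = headers["Via"].split(", ") if "Via" in headers else []
        # Loop check on arrival: a proxy that already appears in Via must not see
        # the same request again.
        if f"1.1 {proxy.name}" in seen:
            raise ProxyLoop(f"{proxy.name} received a request it already forwarded (Via: {headers['Via']})")
        headers["Via"] = ", ".join(seen + [f"1.1 {proxy.name}"])
        nxt = proxy.next_hop(src)       # the rule is evaluated on the *incoming* source
        src = proxy.address             # from here on the proxy itself is the source
        if nxt != INTERNET:
            hop = nxt
            continue
        # Direct egress.  If it is routed through a gateway that is itself a web
        # proxy (assumption: the TMG treats it as SecureNAT web traffic and applies
        # its chaining rule), exempt sources are routed out and everything else is
        # pulled back into the proxy chain.
        if proxy.gateway is None or proxies[proxy.gateway].next_hop(src) == INTERNET:
            return headers
        hop = proxy.gateway
    raise ProxyLoop(f"more than {MAX_HOPS} hops (Via: {headers['Via']})")


# --- The topologies from the thread; addresses are constructed for this example ---
CLIENT, TMG_ADDR, WSA_ADDR = "10.0.0.100", "10.0.0.1", "10.0.0.20"


def topology(wsa_behind_tmg: bool, tmg_exempts_wsa: bool) -> dict[str, Proxy]:
    """TMG with a web chaining rule to the WSA; WSA egresses directly or via the TMG."""
    tmg = Proxy("tmg", TMG_ADDR, upstream="wsa",
                chain_exempt=frozenset({WSA_ADDR}) if tmg_exempts_wsa else frozenset())
    wsa = Proxy("wsa", WSA_ADDR, gateway="tmg" if wsa_behind_tmg else None)
    return {p.name: p for p in (tmg, wsa)}


def trace(wsa_behind_tmg: bool, tmg_exempts_wsa: bool) -> str:
    """Return the final Via header, or 'LOOP: ...' if the chain loops."""
    try:
        return forward(topology(wsa_behind_tmg, tmg_exempts_wsa), "tmg", CLIENT)["Via"]
    except ProxyLoop as e:
        return f"LOOP: {e}"


if __name__ == "__main__":
    # WSA goes straight out through the edge router: works.
    print(trace(wsa_behind_tmg=False, tmg_exempts_wsa=False))   # 1.1 tmg, 1.1 wsa
    # WSA's default gateway is the TMG and the chaining rule also catches it: loop.
    print(trace(wsa_behind_tmg=True, tmg_exempts_wsa=False))    # LOOP: tmg received ...
    # Same gateway, but the WSA is excluded from the chaining rule: works.
    print(trace(wsa_behind_tmg=True, tmg_exempts_wsa=True))     # 1.1 tmg, 1.1 wsa
```

The three calls at the bottom correspond to the three deployment choices in the post: appliance egressing via the edge router, appliance egressing via the TMG while still matched by the chaining rule (the loop case), and appliance egressing via the TMG but excluded from the rule. When checking a real deployment, the equivalent test is to send a request through the TMG and look at the `Via` header the origin server receives, or at the TMG web proxy log for the same request arriving a second time from the appliance's address.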
  • Hi there,

    Thanks for your reply.

    In answer to your questions...

    1) We are running in explicit mode now

    2) The plugin is installed

    3) The route would be User to TMG to WSA (installed on the local LAN) to WWW

    4) The TMG is on the edge with a web chaining rule pointing back to the WSA, which can get out of the firewall

    Directing my browser to the TMG I can get outwards

    Directing my browser to the WSA I can get outwards

    Directing my browser to the TMG, then attempting to use the web chaining rule to the WSA: fails

    So I am partly there... I just can't get the web chaining rule to work

    FJ

  • Hi FJ,

    Your setup sounds fine to me.  Is there a particular error you are seeing in the browser when trying to use the web chaining rule?

    It sounds like the WSA is going out through the TMG firewall?  Depending on your web chaining rules, TMG may attempt to redirect this traffic back to the appliance, causing a proxy loop.  If you switch back to explicitly using the WSA as proxy (with the web chaining rule on), do you still get internet access?

    Thanks,

    Tom.

  • Hi there,

    This is the error that I am seeing:

    • Error Code: 502 Proxy Error. Forefront TMG denied the specified Uniform Resource Locator (URL). (12202)
    • IP Address: Internal NIC of the TMG server
    • Date: 28/06/2011 14:25:52 [GMT]
    • Server: server.domain
    • Source: proxy

    If I switch back to the WSA as my proxy I can get internet access.

    My web chaining rule is:

    Action: Upstream Proxy Server configured with the correct name and ports, along with an AD account that has the required access, and Integrated Windows authentication

    To: External

    Bridging tab: as default

    FJ

  • Hi FJ,

    It sounds very much like the TMG is blocking this before it gets to the appliance for some reason.  It's odd that it only occurs when the web chaining rule is enabled.

    You should be able to get some more info by looking at the logs on the TMG.  Alternatively you might want to contact Microsoft about this.

    Thanks,

    Tom.

  • Hi

    I'm new to the community.  We've just purchased our WS1100, which we want to integrate with a new TMG 2010 front end, with the plugin installed so we can identify traffic in the TMG logs by AD username.  Testing went OK with our (soon to be retired) ISA 2006 server up front and TMG behind with web chaining.  Now we want to remove ISA and just have the WS1100 with TMG out front.  The online documentation for the plugin only describes a bridged deployment with a single front-end firewall.  We don't have bridged as an option, but want explicit with the plugin and a single front-end TMG server.

    Is there any documentation describing how to set this up, or has someone achieved this successfully?

    Thanks in advance.

    James.

  • Hi James,

    Welcome to the SophosTalk community.

    I may have misunderstood the question here, so please correct me if I'm wrong!  Are you trying to set up the TMG upstream of the WS1100?

    Client > WS1100 > TMG > Internet

    This setup will work fine, but proxy settings for the WS1100 will be required in the browser.  However, the AD username will not be reported to the TMG because the WS1100 doesn't provide authentication to upstream proxies.

    You could also consider:

    Client > TMG > WS1100 > TMG > Internet

    The TMG would need the plugin and a web chaining rule to pass traffic to the WS1100 as an upstream proxy.  It's important that the WS1100 is allowed to download pages directly without being affected by the web chaining rule (to prevent a proxy loop).

    Hope this helps,

    Tom.

  • Hi Tom

    Thanks for your response.  Your first scenario is the one we'd like to use (i.e. Client > WS1100 > TMG > Internet), but we do also want the AD username reported to TMG.  We only have one firewall (TMG), although we could perhaps retain our old ISA 2006 firewall to set up scenario 2 (Client > ISA2006 > WS1000 > TMG > Internet).  Is that the best way forward?  Does the plugin work on ISA 2006, or should we have the TMG downstream from the WS1000?

    James.

  • Hi James,

    Unfortunately, at the moment the appliance won't pass the AD username to the upstream ISA in this scenario.  Is this required simply for logging purposes?  Remember that all traffic is logged on the Web Appliance, and you can also use features like syslog or log backups to make sure you always have access to the most detailed logging.

    The plugin does work on ISA 2006, so this scenario is possible:

    Client > ISA2006 > WS1000 > TMG > Internet

    However, remember that only the ISA 2006 and the WS1000 will get the username.  The web appliance still won't pass the username to the upstream TMG device, I'm afraid.

    Thanks,

    Tom.
