
Problems with TMG and SWA as upstream proxy

Currently in our network we have TMG 2010 and we would like to use Sophos Web Appliance as upstream proxy for TMG. I have configured SWA, but I'm having problems when I configure Web chaining in TMG.

USER->TMG->SWA->Internet

When I enable web chaining to SWA on TMG, strange errors occur: some sites enter an endless redirect loop, and on some sites only the default site works. I.e. http://stackoverflow.com enters an endless loop, while http://lazic.info loads the default site instead of the virtualhost site. It's like SWA is requesting sites per IP, and not per FQDN. I have tried changing DNS to our internal DNS, ISP, and OpenDNS, always the same error.

SWA is deployed as Explicit proxy, has some static routes defined, and all checks in Connectivity test are OK.

Strange thing is that if user enters proxy address manually in browser everything works OK.

  • Hi Svakak,

    Thanks for posting your solution.

    Yes, we have had some reports that certain versions of ISA/TMG change the HTTP request line to include the IP address.  This happens when using SecureNAT to do transparent proxying (The ISA/TMG is the default gateway of the client computer).

    For example the client will connect to the website IP (Say 1.2.3.4) and make this request:

    GET /index.html HTTP/1.1
    Host: www.example.domain

    The ISA/TMG is actually intercepting this request, but it doesn't just send the same request to the proxy.  Instead it sends:

    GET http://1.2.3.4/index.html HTTP/1.1
    Host: www.example.domain

    This is because when a request is made to a proxy the Request-URI must be absolute.

    You can't send GET /index.html to a proxy 

    It must be GET http://host/index.html

    Because ISA/TMG is using the IP rather than the hostname this can cause some unexpected filtering behaviour for the web appliance - we are evaluating the IP rather than the hostname. 

    Setting proxy settings using WPAD would be a good workaround.

    Thanks,

    Tom.
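
The mismatch described in the reply above (an IP literal in the absolute Request-URI while the Host header still carries the hostname) can be checked mechanically. The following is an added example, not part of the original thread and not Sophos or Microsoft code; the function names and the sample requests are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def parse_head(raw: str):
    """Split a raw HTTP/1.1 request head into (method, target, headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def inspect(raw: str) -> dict:
    """Classify the request-target and flag an IP-literal URI with a named Host."""
    _method, target, headers = parse_head(raw)
    host_header = headers.get("host", "")
    host_name = urlsplit("//" + host_header).hostname or ""
    if target.startswith("/"):
        # origin-form: what a client sends when it does not know about a proxy
        return {"form": "origin", "mismatch": False, "policy_urls": []}
    if "://" not in target:
        # authority-form (CONNECT) and "*" are out of scope for this example
        return {"form": "other", "mismatch": False, "policy_urls": []}
    parts = urlsplit(target)
    uri_host = parts.hostname or ""
    mismatch = (is_ip_literal(uri_host) and bool(host_name)
                and not is_ip_literal(host_name))
    urls = [target]
    if mismatch:
        # Host is client-supplied, so evaluate it in addition to the IP, not instead.
        urls.append(parts._replace(netloc=host_header).geturl())
    return {"form": "absolute", "mismatch": mismatch, "policy_urls": urls}

# Constructed samples mirroring the requests quoted in the reply.
REWRITTEN = "GET http://1.2.3.4/index.html HTTP/1.1\r\nHost: www.example.domain\r\n\r\n"
EXPLICIT = "GET http://www.example.domain/index.html HTTP/1.1\r\nHost: www.example.domain\r\n\r\n"
CLIENT = "GET /index.html HTTP/1.1\r\nHost: www.example.domain\r\n\r\n"

if __name__ == "__main__":
    for sample in (REWRITTEN, EXPLICIT, CLIENT):
        print(inspect(sample))
```

A filter that looks only at the first entry of `policy_urls` categorises by IP, which is the behaviour reported in this thread; one that looks only at the rebuilt URL trusts a header the client controls.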
