I am asking this question to the Forefront TMG community because I believe the problem lies in the Forefront configuration and not on my SCCM server.
We are having trouble configuring a non-web server publishing rule (as noted in appendix E here: http://technet.microsoft.com/en-us/library/cc707697.aspx#AppendixE) for our native mode SCCM site because a listener is already configured for our Exchange 2010 environment on the Forefront TMG primary NIC/IP using port 443.
The documentation here (http://technet.microsoft.com/en-us/library/cc707697.aspx) states "Do not create Web listeners that use the same IP address and port combination as existing server publishing rules or Web listeners. Doing so will cause both to fail".
Please note that I am primarily a SCCM administrator so most of my experience lies there. I did read technet documentation on Forefront but I am new to the concepts and I think that's where I could use your help. I was not involved in setting up the Forefront TMG server; our team's sysadmin did that last year, and he has been involved in helping me troubleshoot this issue. At this point in our troubleshooting, we need advice from a Forefront TMG or ISA specialist who can point us in what direction to go in next.
Here's what our environment looks like:
Environment Overview:
We are a department within a larger academic institution. We have our own domain, our own subnet, and administer all our resources ourselves, but our environment lies within the larger institution's internal network. The parent institution manages the DMZ but not our domain. We have a Forefront TMG server in the DMZ that manages Internet access/traffic for our domain. The DC, Forefront server, SCCM server, and mail server are all separate servers. All are running Server 2008R2 SP1. All servers except for the Forefront server are on the intranet and domain-joined to our dept.org.edu domain.
SCCM Site:
- We are conducting a mixed mode to native mode site migration for a production site
- The site is a single site on single site server on our intranet with ~200 clients
- The clients primarily connect from the intranet but we also need Internet connectivity as well because users frequently take their laptops out of the office for long periods of time, resulting in them becoming noncompliant with software updates, inventory collection, et cetera.
- We do not have the available resources to have additional SCCM role servers in the perimeter network/DMZ
- Desired configuration for native mode is this: http://technet.microsoft.com/en-us/library/bb632529.aspx
- We have the site server signing certificate, web certificate, and client autoenrollment certificates configured correctly
- I am using the default website and ports 80/443 for the SCCM site, and the custom website ports 8530/8531 for
- We have a 2008 CA (the primary 2008R2 DC on our 2008-level domain)
- The AD Schema is extended
- As far as I can tell, everything is configured correctly in preparation for native mode from the internal SCCM server side
- The site server is serverA.dept.org.edu
- The FQDN for the intRAnet website is serverA.dept.org.edu; I can connect to the internal website from the intRAnet using both http and https
- The FQDN for the intERnet website is cfgmgr.dept.org.edu; I can connect to this using cfgmgr.dept.org.edu from the intranet using both http and https
- On the intranet DNS, a host (A) record exists for serverA and an alias (CNAME) record exists for cfgmgr pointing to serverA.dept.org.edu
- I have not thrown the native mode switch yet because I do not want clients to become unmanaged, so I do not plan to actually switch to native mode until we resolve the below-described problem
Forefront TMG Server:
- OS is Server 2008R2 with Forefront TMG 2010
- TMG server is not domain-joined (it's in a workgroup) and the domain administrator does not want it joined to any domain. I am aware that because of this, we must use tunneling instead of bridging for publishing as stated in bullet point 2 of the requirements here: http://technet.microsoft.com/en-us/library/cc707697.aspx
- TMG Server already has successful publishing set up for our domain's Exchange 2010 OWA, ActiveSync, and Outlook Anywhere. These are using a listener on SSL 443 with Forms authentication. These work correctly.
- TMG Server has three NICs configured (of the 6 installed): First one is public and disabled, second is private DMZ 192.x.x.50, and third is private DMZ 192.x.x.51
- DNS A records exist on the Forefront TMG server for serverA.dept.org.edu (points to the static intRAnet IP address), for cfgmgr.dept.org.edu (points to 192.x.x.51), the intRAnet's primary domain controller (points to the PDC's intRAnet IP address), and for the TMG forefront server itself (points to 192.x.x.50).
- The parent organization NAT-ed and configured IP addresses for the third NIC, which we then configured because we read: "Do not create Web listeners that use the same IP address and port combination as existing server publishing rules or Web listeners. Doing so will cause both to fail" in http://technet.microsoft.com/en-us/library/cc707697.aspx. Our thought was that we could use a second NIC/IP/port combination to create a second listener/publishing rule for SCCM separate from the Exchange listener.
- We created a custom network within the network on the TMG server console (Networking / Networks tab) named cfgmgr in order to utilize connections from the 192.x.x.51 IP/SSL port:
- The address range for this network is 192.x.x.51, the domains tab lists dept.org.edu, the web browser tab has Bypass proxy for web servers in this network and Directly access computers specified in the domains tab checked, auto discovery is not configured, Forefront TMG Client is not enabled, and web proxy client connections is enabled with http using port 8080 and SSL using 443, with the SCCM Web server certificate added here by us importing it to the Personal store of the computer account certificates store of the TMG server. Integrated and Basic authentication are both enabled.
- The 192.x.x.51 address was removed from the Internal network in order to create the custom network (it wouldn't allow the IP address to be in both).
- We created a Firewall Policy non-web server publication named configmgr:
The policy is enabled, action is set to "allow" and it's set to log requests, traffic is set to HTTPS Server, from is set to Anywhere, To is set to the intRAnet IP address of the SCCM server, requests are set to look like they're coming from the Forefront TMG computer (we've tried both options with no change in results), Networks is set to cfgmgr, and schedule is always.
Test laptop:
- Test laptop is a machine joined to our intranet domain; it has client certificates configured correctly as far as I can tell, and when on the local intranet it can connect to the IIS website as described above using both http and https.
- We are testing from a public wireless network that is not part of our domain and is external to the parent organization's network.
- Laptop client firewall is currently turned off for all networks
- Laptop is a Win 7 SP1 Enterprise machine
We are testing by attempting to connect to the IIS website for the SCCM server using the https://cfgmgr.dept.org.edu address or https://cfgmgrpublicIP while on the public wireless. Attempts to connect to https://serverA.dept.org.edu or any http combination of these fail as predicted and desired.
When connecting to either of these, we get a strange "Network Access Message" error with error code: "502 Proxy Error. The URL does not use a recognized protocol. Either the protocol is not supported or the request was not typed correctly. Confirm that a valid protocol is in use (for example, HTTP for a Web request). (12006)
IP Address: 192.x.x.51
Server: TMGforefront.dept.org.edu
Source: proxy"
In the error log on the forefront server, I see two errors.
Denied Connection
Log type: Firewall service
Status: A packet was dropped because its destination IP address is unreachable.
Rule: None - see Result Code
Source: Local Host (192.x.x.51:137)
Destination: Internal (192.168.255.255:137)
Protocol: NetBios Name Service
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.x.x.51
Denied Connection
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Local Host (192.x.x.51:137)
Destination: Local Host (192.168.255.255:137)
Protocol: NetBios Name Service
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.x.x.51
A strange finding: https://TMGforefront.dept.org.edu redirects to our OWA webmail with a certificate warning.
What are we doing wrong? Is there a better way to configure it than to use a second NIC? Can I/should I publish the site using Web publishing instead of non-web server publishing? I was reviewing the documentation for publishing multiple websites over https (http://technet.microsoft.com/en-us/library/cc441449.aspx) and wondering if that was a possibility for us. I will be glad to provide more details if that would be helpful, and especially appreciate anyone's advice.
Thank you.
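As an added example (not part of the original post, and not Microsoft's or the poster's code), the following Python script parses Forefront TMG "Denied Connection" records in the exact layout quoted in the post and separates background noise from entries that concern the published HTTPS traffic. The two records quoted above are both NetBIOS Name Service (port 137) packets from the TMG host to a broadcast address, so the script classifies them as noise; to show the contrast it also includes a third, constructed record for a denied client connection to port 443 (the client address 203.0.113.10 and that whole third record are assumptions, not from the post).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the two records quoted in the post, plus one constructed
# record (the third) showing what a denied HTTPS publishing attempt would look like.
SAMPLE_LOG = """\
Denied Connection
Log type: Firewall service
Status: A packet was dropped because its destination IP address is unreachable.
Rule: None - see Result Code
Source: Local Host (192.x.x.51:137)
Destination: Internal (192.168.255.255:137)
Protocol: NetBios Name Service
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.x.x.51
Denied Connection
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Local Host (192.x.x.51:137)
Destination: Local Host (192.168.255.255:137)
Protocol: NetBios Name Service
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.x.x.51
Denied Connection
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: External (203.0.113.10:51234)
Destination: Local Host (192.x.x.51:443)
Protocol: HTTPS Server
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 203.0.113.10
"""

# "Local Host (192.x.x.51:137)" -> network name, IP, port
ENDPOINT_RE = re.compile(r"^(?P<net>.+?) \((?P<ip>[\w.]+):(?P<port>\d+)\)$")


@dataclass
class DeniedRecord:
    status: str
    rule: str
    protocol: str
    src_net: str
    src_ip: str
    src_port: int
    dst_net: str
    dst_ip: str
    dst_port: int


def _split_endpoint(value: str) -> Tuple[str, str, int]:
    m = ENDPOINT_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised endpoint: {value!r}")
    return m.group("net"), m.group("ip"), int(m.group("port"))


def parse_records(text: str) -> List[DeniedRecord]:
    """Split the log into records on the 'Denied Connection' header and read key: value lines."""
    blocks: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Denied Connection":
            blocks.append({})
            continue
        if not blocks or ":" not in line:
            continue  # text before the first header, or a label line like "Additional information"
        key, _, value = line.partition(":")
        blocks[-1][key.strip()] = value.strip()

    records = []
    for b in blocks:
        sn, si, sp = _split_endpoint(b["Source"])
        dn, di, dp = _split_endpoint(b["Destination"])
        records.append(DeniedRecord(b.get("Status", ""), b.get("Rule", ""), b.get("Protocol", ""),
                                    sn, si, sp, dn, di, dp))
    return records


def classify(rec: DeniedRecord) -> str:
    """Label a denied record so HTTPS publishing failures are not confused with unrelated drops."""
    # NetBIOS Name Service (port 137) sent to a .255 broadcast address is the TMG
    # host's own name-resolution traffic, not a client request for the published site.
    if rec.dst_port == 137 and rec.dst_ip.endswith(".255"):
        return "netbios-broadcast-noise"
    if rec.dst_port == 443 or rec.protocol.upper().startswith("HTTPS"):
        return "https-publishing-denied"
    return "other"


def summarize(text: str) -> Dict[str, int]:
    """Count records per classification for a quick triage view."""
    return dict(Counter(classify(r) for r in parse_records(text)))


def https_denials(text: str) -> List[DeniedRecord]:
    """Only the records worth correlating with the 502 error seen by the test laptop."""
    return [r for r in parse_records(text) if classify(r) == "https-publishing-denied"]


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for r in https_denials(SAMPLE_LOG):
        print(f"{r.src_ip}:{r.src_port} -> {r.dst_ip}:{r.dst_port} ({r.protocol}) rule={r.rule!r}")
```

Run against the two records actually quoted in the post, the summary contains only the noise bucket, which is the point of the triage: neither entry is the denied HTTPS connection, so the 502 from the web proxy has to be explained by something other than those two drops.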