TMG 2010 SP2
Publishing an IIS 7.5 web server to the Internet. It is on a TMG perimeter network, and is a web proxy client. While TMG is a domain member, the web server is not. The site is set up to accept HTTPS (for WebDAV publishing) and HTTP for normal browsing.
I can browse by HTTP or HTTPS from the web server itself. But from the Internet, I can only browse with HTTPS. If I use HTTP, I get this error page:
403 Forbidden. The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator. (12311)
Web searches tell me this is related to requiring authentication where I shouldn't, but I can't find any place where I'm requiring auth in TMG.
FWIW, Test Rule is happy.
Here are all the Publishing Rule settings that seem remotely relevant to requiring auth or SSL:
Web listener
- Do not redirect traffic from HTTP to HTTPS
- No Authentication
- [ ] Require all users to authenticate
- [ ] Allow client authentication over HTTP
Authentication Delegation
- No delegation, but client may authenticate directly
Bridging
- [x] Web Server
- [x] Redirect requests to HTTP port [80]
- [x] Redirect requests to SSL port [443]
- [ ] Use a certificate to authenticate to the SSL Web server
Users
- All Users
Here is the TMG log entry:
Failed Connection Attempt
Log type: Web Proxy (Reverse)
Status: 12311 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator.
Rule: Publish Tenant Web Server
Source: External (10.200.10.1:54943)
Destination: Local Host (10.200.10.2:80)
Request: GET http://tenantwebfarm001.byoctechnologies.com/
Filter information: Req ID: 026ad3b4; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
- Additional information
Client agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1
MIME type: