CRM IFD/ADFS via TMG 2010 on SSL Port 443 & 444

  • Question

  • Hi all,

    Not having much joy with our current setup.

    Set up as follows:

    ADFS.mydomain.local  443

    CRM.mydomain.local 444

    Therefore the internal endpoints are:

    10.1.1.5 sts1.mydomain.local

    10.1.1.5 Org.mydomain.local

    10.1.1.5 dev.mydomain.local

    10.1.1.5 auth.mydomain.local

    All tested okay within the LAN, using DNS/browser. The logon page is displayed and authenticates successfully to the CRM server (claims-based) using

    https://org.mydomain.local:444

    I have published the external IPs of these two endpoints. Do I need ALL endpoints to be published externally?

    128.xxx.xxx.xxx -> sts1.mydomain.com

    128.xxx.xxx.xxx -> org.mydomain.com

    When it comes to TMG rules:

    Defined Port 444 any: 10.1.1.5

    One listener: 

    Listening on 443

    Bridging on 444

    IP to 128.xxx.xxx.xxx

    Wild card bind to *.mydomain.com

    No auth.

    Firewall rules:

    Org CRM rule

    From any to Org.mydomain.com, to IP 10.1.1.5. Forward the original host header.

    Listener on 443. Bridge to SSL port 444. 

    Path /*, no delegate and client cannot authenticate directly.

    STS1 rule

    From any to sts1.mydomain.com, to IP 10.1.1.5. Forward the original host header.

    Listener on 443. Bridge to SSL port 443. 

    Path /*, no delegate and client cannot authenticate directly.

    Auth rule

    From any to auth.mydomain.com, to IP 10.1.1.5. Forward the original host header.

    Listener on 443. Bridge to SSL port 444. 

    Path /*, no delegate and client cannot authenticate directly.

    Discovery rule

    From any to dev.mydomain.com, to IP 10.1.1.5. Forward the original host header.

    Listener on 443. Bridge to SSL port 444. 

    Path /*, no delegate and client cannot authenticate directly.



    I get a timed-out error when logging in from an external client.

    Log type: Web Proxy (Reverse)

    Failed Connection Attempt

    Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

    Rule: Org CRM rule

    Destination: local host (org.mydomain.com 10.1.1.5:444)

    Request: GET http://org.mydomain.com/favicon.ico

    Filter info: Req ID: oaaec994

    Protocol: https

    User anonymous

    From cmd I can telnet to Org.mydomain.com on 443, no issues there. 

    Since I am not using the standard SSL port (443) for CRM, should listening on 443 and bridging to 444 solve the problem? Or do I really need to extend the SSL tunnel port range to include 444, as mentioned below?

    http://www.isaserver.org/articles-tutorials/articles/2004tunnelportrange.html

    Also do I need another listener just for port 444? Many thanks in advance. 


    Regards,

    Shing


    • Edited by Shingy Monday, November 11, 2013 6:49 AM
    Monday, November 11, 2013 6:39 AM

Answers

  • Problems resolved.

    Solution:

    i) Published DNS records for all endpoints externally.

    128.xxx.xxx.101 -> sts1.mydomain.com

    128.xxx.xxx.101 -> org.mydomain.com

    128.xxx.xxx.101 -> auth.mydomain.com

    128.xxx.xxx.101 -> dev.mydomain.com

    ii) Extended the SSL port to include 444 by port tunnelling ---> http://www.isaserver.org/articles-tutorials/articles/2004tunnelportrange.html

    iii) Two listeners: one on 443 for ADFS and one on 444 for CRM. (Both the ADFS and CRM boxes are behind a firewall and NAT rules, which restricted us to a non-standard port for SSL.)

    iv) Changed all web access rules to "Requests appear to come from the TMG computer" rather than the original client. (TMG only has one NIC.)

    The above got me past the status 10060 error, but I still got a 404 error when trying to display the ADFS logon page. Logging in TMG from the source address revealed "Denied Connection" for the ADFS rule; under filter information, the security filter reported "URL normalization was not complete after one pass".

    Therefore the final step in resolving the errors:

    v) Untick the "Verify Normalization" check box under Configure HTTP for the ADFS web access rule.

    Shing



    • Marked as answer by Shingy Thursday, November 14, 2013 1:09 AM
    Thursday, November 14, 2013 1:09 AM
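Step ii) of the solution above (registering 444 as an SSL tunnel port so TMG will bridge HTTPS to it) is done through the Forefront TMG COM model rather than the console. The script below is an added example, not code from the original post or from the linked isaserver.org article; it assumes the FPC.Root object, the FPCTunnelPortRanges collection with AddRange(name, lowPort, highPort) and Save(), and the Name/TunnelLowPort/TunnelHighPort properties on each range, and the range name "SSL 444" is an arbitrary label.

```powershell
# Added example (not from the original post or the linked article).
# Adds TCP 444 to the TMG array's SSL tunnel port ranges via the FPC COM API.
# Run in an elevated PowerShell session on the TMG server as an array administrator.
# Assumed API: FPC.Root -> GetContainingArray() -> ArrayPolicy.WebProxy.TunnelPortRanges
#              with AddRange(name, lowPort, highPort) and Save().

$rangeName = "SSL 444"   # arbitrary display name for the new range
$port      = 444         # the non-standard SSL port CRM listens on behind TMG

$fpc    = New-Object -ComObject "FPC.Root"
$tmgArr = $fpc.GetContainingArray()
$ranges = $tmgArr.ArrayPolicy.WebProxy.TunnelPortRanges

# Idempotency check: do not add a second range if one already covers the port.
$covered = $false
foreach ($r in $ranges) {
    if ($port -ge $r.TunnelLowPort -and $port -le $r.TunnelHighPort) {
        Write-Host ("Port {0} is already covered by range '{1}' ({2}-{3})" -f `
            $port, $r.Name, $r.TunnelLowPort, $r.TunnelHighPort)
        $covered = $true
    }
}

if (-not $covered) {
    # Single-port range: low and high port are both 444.
    $null = $ranges.AddRange($rangeName, $port, $port)
    $ranges.Save()
    Write-Host "Added tunnel port range '$rangeName' for TCP $port."
}

# Report the resulting configuration so the change can be reviewed before applying it.
foreach ($r in $ranges) {
    Write-Host ("{0}: {1}-{2}" -f $r.Name, $r.TunnelLowPort, $r.TunnelHighPort)
}
```

After the script runs, the change still has to be applied from the TMG Management console. Note that step v) turns off a URL-normalization check that TMG's HTTP filter uses to catch double-encoded request paths, so it is worth scoping that change to the single ADFS rule rather than the listener or the other rules.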