
I'm testing a client machine that makes requests to a biztalk server using a forefront machine as a web proxy. Upon first test I put in an invalid name/password into the receive port and received the correct error message (407). Then, I set the correct name/password and everything worked correctly.

From there, I kept the correct information in the receive port but put an invalid name/password into the send adapter but the process completed successfully (should have failed with 407).

I've ensured that both the receive and send ports are not bypassing the proxy for local addresses.

So the only thing that seems to make sense is if TMG is caching the authentication request coming from the machine I'm working on.

Is this thinking correct, and if so, does anyone know how to disable it in TMG?

Steven Evers
    I am unaware of any authentication caching by TMG. It does have the ability to cache webpages, etc., but that's turned off by default. We're using it to proxy Exchange 2010 externally, BTW. – Tatas May 24 '11 at 17:34
  • @Tatas: Thanks for the info. I was aware of web caching, but didn't know whether auth caching was a possibility - hence the question. I'm connecting to BizTalk 2010 on the local machine, but using an external machine with Forefront on it for proxying (which is why I was certain to disable local bypass in biztalk). – Steven Evers May 24 '11 at 17:38
  • I'm not sure how BizTalk works, but at least with Exchange the authentication you present for the inbound connection is all that is needed. Outbound traffic to the client is inherently passed back. – Tatas May 24 '11 at 18:04
  • @Tatas: Makes sense. With BizTalk, both the receive and send ports are outgoing from BizTalk through the proxy (Receive pulls information from a source into BizTalk and Send spits that information back out to a recipient). – Steven Evers May 24 '11 at 18:11
  • Are there presets for Biztalk in TMG? With Exchange I just had to choose the preset for the exchange client service I wanted to proxy then set the desired auth method. I also had to match the desired auth method on the backend service behind TMG. – Tatas May 24 '11 at 18:14
  • @Tatas: No, unfortunately there doesn't seem to be. Although, I'm working with custom BizTalk adapters, so that might have something to do with it. – Steven Evers May 24 '11 at 18:39

3 Answers


That shouldn't be your problem, but the steps to configure reverse caching rules can be found here: Configure Forefront TMG as a Proxy Cache

See also Configure TMG as Cache Proxy

Jim B

Validate credentials every (seconds) — This option enables the caching of client credentials for a configurable period of time.

This setting is available under Authentication - Advanced on the Listener.

padda

No, it does not cache authentication, but the NAT session will be marked as "authenticated".

It is very similar to what will happen if you:

- have a rule defined
- access the site
- NAT session gets created
- delete the rule

Until that NAT session expires, or you manually expire it from Monitoring/Sessions, you will continue to access the resource even though the firewall rule no longer exists for it.

arthur
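The two answers above describe the same effect from two angles: padda's "Validate credentials every (seconds)" listener setting and arthur's "session marked as authenticated" NAT behaviour both mean that a second request from an already-validated client can succeed without its Proxy-Authorization header being checked again, which is exactly why the poster's send-port test passed with bad credentials. The following is an added example (not code from the thread, TMG or BizTalk): a small local stand-in for a forward proxy that, like TMG, remembers a client address as authenticated for a configurable window, plus a probe that repeats the poster's sequence (invalid, valid, invalid) and returns the status code each attempt received. The user name, password, target URL and the `validate_every` parameter are constructed for the demonstration.

```python
"""Demo: why a bad-credentials test passes behind a credential-validation window."""
import base64
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

VALID_USER = "svc_biztalk"        # constructed credentials for the demo proxy
VALID_PASSWORD = "correct horse"  # constructed credentials for the demo proxy


class CachingProxyHandler(BaseHTTPRequestHandler):
    """Forward-proxy stand-in: checks Basic Proxy-Authorization, then answers 200."""

    validate_every = 0.0   # seconds; 0 = re-check credentials on every request
    _authenticated = {}    # client address -> time credentials were last validated
    _lock = threading.Lock()

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass

    def _credentials_ok(self):
        header = self.headers.get("Proxy-Authorization", "")
        if not header.startswith("Basic "):
            return False
        try:
            decoded = base64.b64decode(header[6:]).decode()
        except (ValueError, UnicodeDecodeError):
            return False
        return decoded == f"{VALID_USER}:{VALID_PASSWORD}"

    def _session_still_valid(self):
        """True if this client address was validated within the window."""
        last = self._authenticated.get(self.client_address[0])
        return last is not None and time.monotonic() - last < self.validate_every

    def do_GET(self):
        with self._lock:
            if self._session_still_valid():
                allowed = True  # cached session: the header is not examined at all
            elif self._credentials_ok():
                allowed = True
                self._authenticated[self.client_address[0]] = time.monotonic()
            else:
                allowed = False
        if allowed:
            self.send_response(200)
            self.send_header("Content-Length", "2")
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(407)
            self.send_header("Proxy-Authenticate", 'Basic realm="demo-proxy"')
            self.send_header("Content-Length", "0")
            self.end_headers()


def start_proxy(validate_every=0.0):
    """Start the demo proxy on a free loopback port; returns (server, port)."""
    CachingProxyHandler.validate_every = validate_every
    CachingProxyHandler._authenticated = {}
    server = ThreadingHTTPServer(("127.0.0.1", 0), CachingProxyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(proxy_port, user, password, url="http://biztalk.example.invalid/receive"):
    """One request through the proxy with Basic proxy credentials.

    Returns the status code: 200 when the proxy lets it through, 407 when it
    rejects the credentials. The demo proxy answers itself, so the (constructed)
    target URL is never contacted and this runs offline.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": f"http://127.0.0.1:{proxy_port}"}))
    req = urllib.request.Request(url, headers={"Proxy-Authorization": f"Basic {token}"})
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_scenario(validate_every):
    """Repeat the poster's test: invalid, valid, then invalid again.

    Returns the three status codes. With validate_every=0 the last probe gets
    407; with a validation window the proxy trusts the client address and the
    bad credentials are waved through (200).
    """
    server, port = start_proxy(validate_every)
    try:
        return (probe(port, VALID_USER, "wrong"),
                probe(port, VALID_USER, VALID_PASSWORD),
                probe(port, VALID_USER, "wrong"))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("validate on every request:", run_scenario(0.0))   # (407, 200, 407)
    print("60 s validation window:   ", run_scenario(60.0))  # (407, 200, 200)
```

The practical consequence for the test in the question: a negative credential test on the send port only proves something if the client's authenticated session at the proxy has first been expired (from Monitoring/Sessions, as arthur notes) or the validation interval has elapsed; otherwise the proxy never looks at the second set of credentials.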