3

I thought in my own insanity that if I published an IIS 8 web server with websockets through HTTPS there shouldn't be a problem even with the TMG.

However, regardless of publishing, filtering and request settings, I don't see any websocket connection upgrade requests reaching the web server when going through the TMG.

Using SignalR I get fallback to whatever lesser transport the browser in question supports. It works great whenever I bypass the TMG of course.

Do I need to find another firewall / filter to get this to work or is there a way?

I'm having trouble even finding information on what products support web sockets, all I see is that weird quote about less than 1% of current proxy servers are incompatible, and using HTTPS should alleviate any problems. And whenever I throw "websocket" into a Google search with a Microsoft product - the result is simply gibberish and/or malware sites.

tl;dr: I realize Windows Server 2012 is still not RTM, but is there a way to establish IIS 8 websocket connections through a TMG 2010 SP2?

Oskar Duveborn
  • I've had the same problem (I noticed because serverfault doesn't automatically update when connected via TMG). Haven't tried via SSL but I also found information suggesting that SSL may work. – Chris McKeown Aug 22 '12 at 20:45
  • Additional: it's not the malware filtering that's causing it because excluding the site from malware inspection doesn't help. – Chris McKeown Aug 22 '12 at 20:53
  • Oh, I haven't even thought about the reverse condition, establishing websocket connections to outside sites. Well, in this case for a published site I've disabled every type of content filtering that exists on the TMG without success. For some reason the SSL doesn't help either, something with the bridging that disturbs it perhaps. – Oskar Duveborn Aug 22 '12 at 21:30
  • Sorry, I didn't notice that you were talking about publishing a site, but I guess we've deduced that it won't work in either direction! As you've already stated, it seems that TMG doesn't like the `Connection: Upgrade` header or something like that. – Chris McKeown Aug 22 '12 at 22:17

1 Answer

2

So this is how I finally got this working:

  • Don't use Web Site publishing rules, use a Non-Web Server rule instead
  • Use the default HTTPS Server protocol definition
    • Do not enable any filters in the protocol
  • In the To section of the rule, have requests appear to come from the original client
  • Also, unrelated but alas, make sure the Web Server is a SecureNAT client (i.e. its default gateway is the TMG in question)

This has some limitations but works for my need: publish IIS 8 ASP.NET 4.5 sites that utilize web sockets.

Oskar Duveborn
  • Just in case anyone is trying this solution, keep in mind that I wasn't able to get this to work for TeamCity WebSockets until I introduced an Access Rule that allowed (External - to Server in question) https access. So my working scenario is non-website publishing + access rule. – Maxim V. Pavlov Dec 20 '14 at 15:59