You can experience the problem described in this post if you’re running:

  • Forefront Threat Management Gateway Medium Business Edition with Windows Essential Business Server 2008.
  • Forefront Threat Management Gateway Medium Business Edition as a standalone installation.

Note: This problem doesn’t occur when you are running Forefront Threat Management Gateway 2010.

Symptoms

If you haven’t defined your Web access policy rules using the Web Access Policy Wizard (available from the Tasks pane -> Configure Web Access policy), you can set or modify the authentication methods for the Web Proxy, as follows:

1. Click the “Configure Web Proxy” task in the Tasks pane:

2. Click the “Authentication…” button under the “Web Proxy” tab to display the available authentication methods:

3. Enable the “Integrated” & “Basic” authentication methods (for purposes of this example) and click OK to apply the changes.

After the changes have been applied (the synchronization status appears as green under Monitoring -> Configuration), if you then open the “Authentication” settings dialog box again, you’ll see that the changes you made do not appear in the UI:

However, this is purely a UI issue, and your changes have actually been applied (that is, the outgoing web traffic will be authenticated accordingly).

You can double check that the authentication methods are properly set by running the Visual Basic script below. This script will display the authentication methods that are enabled for the internal network:

Dim root, tmgArray, internalNet, webListener
Dim authenticationSchemes, authenticationScheme

' Connect to the Forefront TMG administration COM root object.
Set root = CreateObject("FPC.Root")

' Get the array that contains this TMG computer.
Set tmgArray = root.GetContainingArray()

' The Web Proxy listener settings belong to the "Internal" network object.
Set internalNet = tmgArray.NetworkConfiguration.Networks("Internal")
Set webListener = internalNet.WebListenerProperties

' Report each authentication method that is enabled on the listener.
If webListener.BasicAuthentication = True Then
    WScript.Echo "Basic authentication is enabled"
End If

If webListener.IntegratedWindowsAuthentication = True Then
    WScript.Echo "Integrated Windows authentication is enabled"
End If

If webListener.DigestAuthentication = True Then
    WScript.Echo "Digest authentication is enabled"
End If

If webListener.SSLCertificateAuthentication = True Then
    WScript.Echo "SSL Certificate authentication is enabled"
End If

' List each entry in the listener's AuthenticationSchemes collection.
Set authenticationSchemes = webListener.AuthenticationSchemes

For Each authenticationScheme In authenticationSchemes
    WScript.Echo authenticationScheme.Name & " authentication is enabled"
Next

Solution

To resolve this issue, do the following:

1. Define your Web access policy rules using the Web Access Policy Wizard, available from the Tasks pane:

The resulting Web Access Settings will look similar to this:

2. Configure the authentication methods according to your requirements, by clicking the highlighted link below:

As a result, any changes you made to the authentication settings will appear in the UI.

Author:
Eric Detoc, TMG Escalation Engineer, Forefront TMG

Reviewers:
Doron Juster, Senior Development Engineer, Forefront TMG
Gabriel Koren, Forefront TMG Test Team