For direct access to work, or in other words if you want to bypass the ISA/TMG server for certain websites using configuration on the ISA/TMG server, we need to understand this process in a little more detail.
Let us first see what options we have in the browser for proxy settings.
In the proxy settings window on the right side we have an area marked with a red circle and an area marked with a blue circle.
a. The area in red is for automatic configuration.
b. The area in blue is for manual proxy settings.
Now that we know how the browser can be configured for proxy settings, we can discuss the possible ways to bypass the ISA/TMG server.
There are two possible ways.
1. Manually configure the browser to bypass the ISA/TMG server.
2. Configuration on the ISA/TMG server to allow web proxy clients to bypass the ISA/TMG server.
Manual configuration
This is the simplest way. Here we manually enter the proxy server (ISA/TMG server) name or IP address in the browser, as shown below.
We want to bypass the ISA/TMG server for www.abc.com. To do that with the manual approach, we click the Advanced button in the above window.
As shown below, we get a second window which has an Exceptions section; there we add *.abc.com; as marked.
Then we save the settings in the browser, and we should be able to bypass the ISA/TMG server while accessing www.abc.com.
Bypass using Configuration on the ISA server
This option requires us to put a couple of things in place before we can start using it, as explained later in this section. In order to use this option we have to use the automatically detect settings option (automatic configuration) of the browser proxy settings, marked red in fig 1, which I am showing below again,
i.e. we will check auto detect settings in the proxy settings. And on the ISA server we would have *.abc.com/* in the direct access configuration under the web browser tab of the internal network properties.
But for the auto detect setting to work, we need to configure web proxy auto detect (WPAD) on the DHCP or DNS server and publish automatic discovery information on the ISA/TMG server, as described in detail in the following TechNet article:
http://technet.microsoft.com/en-us/library/cc713344.aspx
Important parts from above article
To configure DHCP for WPAD
or configure DNS
Publish Automatic Discovery Information on the ISA/TMG server
Although the article above refers to ISA Server 2004, the concept is the same for ISA Server 2006 and TMG 2010. Once we have set up DHCP/DNS with WPAD and published automatic discovery information, we should be able to access the internet using the auto detect settings in the browser (web proxy client with auto detect) and should be able to bypass the ISA/TMG server while accessing www.abc.com.
In Bypass ISA/TMG part 3 we will discuss the logic behind what we have discussed above.
Recently I have seen many queries about the ports required between the TMG EMS server and its nodes. This information is most often needed when there is a firewall between the EMS server and the TMG nodes, so that the required ports can be opened on the intermediate firewall.
The ports required are the same as they were for the ISA Server CSS (Configuration Storage Server) and its nodes. The following figure provides the ports required for operation of the ISA/TMG server in various scenarios.
Issue: Web proxy clients trying to bypass the ISA server in order to access some websites directly are not able to bypass the ISA/TMG server and are sending requests through it.
Scenario:
The ISA server is configured with a web browser direct access list in the internal network properties. Here the names of the domains are configured, e.g.
*.abc.com
*.xyz.com
and this list has IP address ranges as well, e.g.
1.2.3.0-1.2.3.50
and the names of the websites do not have their corresponding IP addresses in the list. So we have a direct access list which has both website names and IP addresses, but the website names in the list do not have the corresponding IP addresses. The IP addresses mentioned are not for the domain names (the websites mentioned in the list).
When users try to access www.abc.com, they are not able to bypass the ISA/TMG server and requests go through the ISA/TMG server.
Solution: In such a scenario we should configure the website domain name entry in the direct access list as *.abc.com/* and we should be able to bypass the ISA/TMG server.
In Part 2, I will discuss why you may still not be able to bypass the ISA/TMG server even if you followed the above instructions on the ISA server.
Reference: http://support.microsoft.com/kb/920715. Although this article is for ISA 2004, the concept is the same for ISA 2006 and TMG 2010.
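As an added illustration (not part of the original post, and not the script that ISA/TMG generates), the following JavaScript shows how PAC-style shell-expression matching treats the two entry forms from the scenario, *.abc.com and *.abc.com/*, when compared with the host name versus the full URL, alongside the IP range check. The proxy name isa.example.local:8080, the shExpMatch stand-in and the matchAgainst switch are assumptions made for the example.

```javascript
// Added illustration; NOT the wpad.dat that ISA/TMG generates.
// shExpMatch is a built-in in real PAC files; this stand-in lets the example run in Node.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters except * and ?
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$", "i").test(str);
}

// Dotted-quad string -> integer, or null when the host is a name rather than an IP literal.
function ipToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const p = ip.split(".").map(Number);
  if (p.some((n) => n > 255)) return null;
  return ((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3];
}

// Entries taken from the scenario in the post.
const DIRECT_NAMES = ["*.abc.com", "*.xyz.com"];
const DIRECT_RANGES = [["1.2.3.0", "1.2.3.50"]];
const PROXY = "PROXY isa.example.local:8080"; // hypothetical proxy name and port

// matchAgainst ("host" or "url") is an assumption of this example: it selects which
// string the name patterns are compared with, so both behaviours can be seen side by side.
function decide(url, host, names, matchAgainst) {
  const subject = matchAgainst === "url" ? url : host;
  if (names.some((p) => shExpMatch(subject, p))) return "DIRECT";
  const ip = ipToInt(host);
  const inRange = ([lo, hi]) => ip >= ipToInt(lo) && ip <= ipToInt(hi);
  if (ip !== null && DIRECT_RANGES.some(inRange)) return "DIRECT";
  return PROXY;
}

// Constructed sample request.
const sampleUrl = "http://www.abc.com/index.html";
const sampleHost = "www.abc.com";
console.log(decide(sampleUrl, sampleHost, DIRECT_NAMES, "host"));   // host-only pattern vs host
console.log(decide(sampleUrl, sampleHost, DIRECT_NAMES, "url"));    // host-only pattern vs full URL
console.log(decide(sampleUrl, sampleHost, ["*.abc.com/*"], "url")); // URL-style pattern vs full URL
console.log(decide("http://1.2.3.25/", "1.2.3.25", DIRECT_NAMES, "host")); // inside range
console.log(decide("http://1.2.3.51/", "1.2.3.51", DIRECT_NAMES, "host")); // outside range
```

When auditing a direct access list, note that under this matching a pattern such as *.abc.com does not cover the bare host abc.com, so that host would still go through the proxy.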
Wanted to share this amazing post from one of my senior colleagues and friend Yuri:
http://blogs.technet.com/b/yuridiogenes/archive/2010/05/26/forefront-tmg-2010-learning-plan.aspx
A good collection of links and a plan to jump-start your learning.
Friends, TMG SP1 is released and you can download it from
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f0fd5770-7360-4916-a5be-a88a0fd76c7c
Please find the release notes of TMG SP1 at
http://technet.microsoft.com/en-us/library/ff686708.aspx
Make sure you read the release notes before installing, as installation requires certain procedures to be understood and followed properly.
TMG SP1 features are explained on the ISA/TMG blog site:
http://blogs.technet.com/b/isablog/archive/2010/06/24/forefront-tmg-service-pack-1-now-available.aspx
While researching an issue, I found this amazing post about email protection using TMG:
http://blogs.technet.com/b/isablog/archive/2009/11/10/email-protection-in-forefront-tmg-2010-release-candidate.aspx
A good article on edge subscription:
http://technet.microsoft.com/en-us/library/aa997438.aspx
Thought to share it with all.
Found a nice link for memory dumps, thought of sharing it with all:
http://wiki.lunarsoft.net/wiki/Creating_memory_dumps