Consider the following scenario:

  • You have a computer that is running Forefront TMG 2010.
  • You have a Web server that automatically redirects HTTP requests to Secure Socket Layer (SSL) requests.
  • You configure the Web listener to listen for HTTP requests and also to use bridging.
  • You configure the Web listener and the bridging for both HTTP and SSL (HTTPS) requests.

In this scenario, when the Web server receives an HTTP request, it answers TMG with a redirect whose Location header carries the new https location, as shown below:

- GET Request sent from TMG to the internal Server:

Http: Request, GET /default.aspx
    Command: GET
  + URI: /default.aspx
    ProtocolVersion: HTTP/1.1
    Via:  1.1 TMG
    Host:  contoso.com
    Accept:  */*
    Accept-Language:  en-us
    Connection:  Keep-Alive
    Accept-Encoding:  peerdist
    HeaderEnd: CRLF

- Web Server reply with the new location:

Http: Response, HTTP/1.1, Status: Moved temporarily, URL: /default.aspx
    ProtocolVersion: HTTP/1.1
    StatusCode: 302, Moved temporarily
    Reason: Found
    Cache-Control:  private
    Location:  https://contoso.com/default.aspx
    Server:  Microsoft-IIS/7.5
    XAspNetVersion:  2.0.50727
    XPoweredBy:  ASP.NET
    ContentLength:  149
    HeaderEnd: CRLF

Problem: TMG receives the response with the new location, but instead of forwarding this new location to the client workstation, it sends http://contoso.com/default.aspx (removing the “s”). The client receives this 302 and sends the same HTTP request again, causing an endless redirect loop.

Resolution: to fix this problem, use the resolution (method 2) from KB http://support.microsoft.com/kb/924373. Although the KB doesn’t list Forefront TMG 2010, the same approach applies to TMG 2010 (yes, we will update the KB).
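To make the failure mode concrete, here is an added example (not part of the original post, nor TMG code) that checks a forwarded Location header for the https-to-http downgrade and simulates a client following the redirect, once against a constructed model of the broken proxy and once against a model of the proxy after the fix. The two URLs are the ones from the capture above; the proxy models are assumptions that only reproduce the described behaviour.

```python
from urllib.parse import urlsplit

# Constructed sample values taken from the capture above: what the backend
# IIS server returned, and what the proxy forwarded to the client.
BACKEND_LOCATION = "https://contoso.com/default.aspx"
FORWARDED_LOCATION = "http://contoso.com/default.aspx"


def scheme_downgraded(backend_location, forwarded_location):
    """True when the proxy rewrote an https Location to http for the same
    host and path, which is the condition that produces the loop."""
    b, f = urlsplit(backend_location), urlsplit(forwarded_location)
    return (b.scheme == "https" and f.scheme == "http"
            and b.netloc.lower() == f.netloc.lower()
            and b.path == f.path)


def follow_redirects(start_url, respond, max_hops=10):
    """Simulate a client following 302s.  `respond` maps a request URL to
    (status, location_or_None).  Returns (final_url, hops, looped)."""
    seen, url = set(), start_url
    for hop in range(max_hops):
        if url in seen:           # same URL requested twice: a loop
            return url, hop, True
        seen.add(url)
        status, location = respond(url)
        if status != 302 or not location:
            return url, hop, False
        url = location
    return url, max_hops, True     # never settled within max_hops


def broken_proxy(url):
    """Hypothetical model of the failing behaviour: every plain-HTTP request
    is answered with a 302 whose Location has been downgraded to http."""
    if urlsplit(url).scheme == "http":
        return 302, FORWARDED_LOCATION   # should have been BACKEND_LOCATION
    return 200, None


def fixed_proxy(url):
    """Hypothetical model after the fix: the https Location passes through,
    so the client's next request is HTTPS and gets the page."""
    if urlsplit(url).scheme == "http":
        return 302, BACKEND_LOCATION
    return 200, None
```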