topic Loadbalancing TMG 2010 with ACE 4710 in Application Networking

Loadbalancing TMG 2010 with ACE 4710

BrandonNC — Sat, 10 Sep 2011 01:37:19 GMT

Hello all,

We have a pair of ACE 4710 devices in front of a TMG 2010 array (3 members) and are having some issues. We have a nat pool on the ACE and need to be able to use integrated authentication in TMG since we are filtering URLs based on user ID. For example some users might have access to certain websites that other users do not have access to. TMG does all this fine when we send traffic directly to one of the TMG servers and it can successfully authenticate the user using the active directory username that was passed through. The problem occurs when we send traffic through the ACE first, upon which time the user credentials are no longer appearing to TMG and the user is getting prompted for a username/password whenever they try to access a website. Even when they do enter their username and password (which they shouldn't have to do) the request is still denied by TMG since it is coming from "anonymous" instead of their actual username.

Another problem we seem to be having which isn't as important right now is the fact that since we are using a nat pool on the ACE, every web request to the TMG servers comes from one of the NAT addresses, rather than the original client IP. Is there any way to get around this and have the actual client IP show up instead?

Thanks,

Brandon

Loadbalancing TMG 2010 with ACE 4710

Marko Leopold — Mon, 12 Sep 2011 10:47:11 GMT

For the other problem i recommend you this article:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3041.shtml

Loadbalancing TMG 2010 with ACE 4710

Marko Leopold — Mon, 12 Sep 2011 10:49:07 GMT

For the first problem, I have a question. Do you loadbalance on L7? If yes, what is the header-size? Do you come over the default max-parse-length?

Loadbalancing TMG 2010 with ACE 4710

BrandonNC — Mon, 12 Sep 2011 18:58:27 GMT

Marko,

I am not sure how to determine the header siz however we have increased the max-parse-length to 4096 (from the default 2048) just to be sure.

The ACE is still not passing the NTLM/Integrated authentication credentials through to the proxy server.

Loadbalancing TMG 2010 with ACE 4710

Marko Leopold — Tue, 13 Sep 2011 05:38:21 GMT

Hello Brandon!

Please look at show stats http. Are the counters for Max parselen errors increasing? If yes, your header will be stil lmuch bigger. To determine the size you can use a sniffer-tool like wireshark or tcpdump and just count the bytes in the header.

Another way is to use the command length-exceed continue in a http parameter-map.

Loadbalancing TMG 2010 with ACE 4710

BrandonNC — Tue, 13 Sep 2011 17:54:51 GMT

Marko,

It looks like the size of the headers was indeed greater than the allowed size. After increasing the max header size in the parameter-map we are no longer seeing the Max parselen errors counter increase, however credentials are still not passing through the ACE.

Any other ideas?

Thanks for your time,

Brandon

Loadbalancing TMG 2010 with ACE 4710

Marko Leopold — Wed, 14 Sep 2011 06:50:33 GMT

I guess it is time to provide some config now. Everything else would be just playing an oracle 🙂

Loadbalancing TMG 2010 with ACE 4710

Rafael Mendes — Thu, 26 Apr 2012 20:25:00 GMT

Brandon,

Can post your configuration for this?

I trying configure too...

Tks!