ISA cannot authenticate the client because the client's request doesn't contain authorization headers.
The error returned is "The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator." with error code WINERROR=2FB1 (12209).
GET https://www.nwtraders.com/ HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8; Tablet PC 2.0; CIBA; MS-RTC EA 2)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cookie: s_vi=[CS]v1|25C8953C851D2842-600001276000354C[CE]
Host: https://www.nwtraders.com
HTTP/1.1 401 Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. )
WWW-Authenticate: Negotiate
WWW-Authenticate: Kerberos
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="www.nwtraders.com"
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 2073
Proxy-Support: Session-Based-Authentication
The response lists the WWW-Authenticate headers as Negotiate first and then Kerberos. By default, IE 7 and above use Kerberos as the initial authentication method. Because the client is on the External network, it cannot get a Kerberos ticket, and that is the reason for the failure.
To fix this issue, run the script from KB http://support.microsoft.com/kb/927265 on TMG.
This script makes NTLM the default behavior. Here is what it says:
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script sets authentication schemes that ISA will return for Integrated authentication.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

const USE_ONLY_NTLM_FOR_WINDOWS_AUTH_default = 0 ' Use Negotiate and Kerberos, too.
const USE_ONLY_NTLM_FOR_WINDOWS_AUTH_Always = 1

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "UseOnlyNTLMForWindowsAuth"
Const SE_VPS_VALUE = 1
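To check a captured 401 for the condition described above, and to confirm the change after the script has run, the following added example (not part of the KB script or of TMG) parses the WWW-Authenticate headers and flags Kerberos-capable schemes offered to a client that cannot reach a KDC. The function names and the AFTER_FIX response are assumptions constructed for illustration; BEFORE_FIX is taken from the trace above.

```python
import re

# Schemes that can lead the client to request a Kerberos ticket.
KERBEROS_CAPABLE = {"negotiate", "kerberos"}

# Status line and authentication headers from the 401 response in the trace above.
BEFORE_FIX = """HTTP/1.1 401 Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. )
WWW-Authenticate: Negotiate
WWW-Authenticate: Kerberos
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="www.nwtraders.com"
Proxy-Support: Session-Based-Authentication
"""

# Constructed sample (assumption): the listener's reply once UseOnlyNTLMForWindowsAuth is 1.
AFTER_FIX = """HTTP/1.1 401 Unauthorized
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="www.nwtraders.com"
"""

def offered_schemes(raw_response):
    """Return (status_code, [scheme, ...]) in the order the server sent them."""
    lines = raw_response.strip().splitlines()
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response")
    schemes = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0])  # first token is the scheme, the rest are parameters
    return int(m.group(1)), schemes

def diagnose(raw_response, client_can_reach_kdc):
    """Explain whether the challenge can trap a client that has no KDC access."""
    status, schemes = offered_schemes(raw_response)
    if status != 401:
        return "not an authentication challenge"
    if not schemes:
        return "401 without a WWW-Authenticate header"
    risky = [s for s in schemes if s.lower() in KERBEROS_CAPABLE]
    if risky and not client_can_reach_kdc:
        return "Kerberos-capable schemes offered to a client with no KDC access: " + ", ".join(risky)
    return "ok: offered " + ", ".join(schemes)

if __name__ == "__main__":
    print(diagnose(BEFORE_FIX, client_can_reach_kdc=False))
    print(diagnose(AFTER_FIX, client_can_reach_kdc=False))
```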