You cannot access some SSL websites on an ISA Server 2006-based upstream server if the server requires authentication from a downstream server that has Forefront TMG 2010 SP1 installed

Symptoms

Consider the following scenario:

You have a downstream server that has Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 1 (SP1) installed.
You have an upstream server that has Microsoft Internet Security and Acceleration (ISA) Server 2006 installed.
You configure the upstream server to require authentication.
You install hotfix 927265 on the upstream server to avoid Kerberos ticket issues.
You configure a web proxy client of the downstream server to use the anonymous user account to access some SSL websites on the upstream server.

In this scenario, you cannot access these SSL websites.

Note If the downstream server is running ISA Server 2006, this issue does not occur.

This issue occurs because of an error in the downstream server after the upstream server sends an NTLM challenge.

To resolve this issue, install the software update that is described in the following Microsoft Knowledge Base (KB) article:

2288910 Software Update 1 for Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 1

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Keywords: kbqfe, kbfix, kbsurveynew, kbexpertiseinter, kb

Article Info