05 May 2011

HTTPS to HTTP redirect causes endless loop through TMG

When a mixed HTTP / HTTPS web application is published through TMG you might get stuck in an endless redirect loop that ends with TMG dropping your connections because of flood mitigation.

This only occurs when the following criteria are all met.

The TMG listener needs to be configured to accept connections on 80 and 443.  TMG should also be configured NOT to do any HTTP to HTTPS redirection.

The publishing rule's bridging setting also needs to forward requests to both 80 and 443.
This setup then relies on the application itself to do the switching between HTTP and HTTPS for the relevant pages.

From Microsoft

"In this scenario, when the Web server receives an HTTP request, it redirects the request to the TMG server as an SSL request (HTTPS). For example, http://www.contoso.com is redirected to https://www.contoso.com.

Then TMG translates SSL requests to HTTP requests and redirects it to the Web server. This causes an endless loop."

In our scenario what happened was that our session would successfully go from HTTP to HTTPS, but when we were redirected by the application back down to HTTP we would get stuck in the loop.

A trace would show the following loop

This would end with TMG dropping all requests from this client, and you would end up with an "Internet Explorer cannot display the webpage" error that persists for as long as TMG keeps dropping connections from that client IP.
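The kind of loop the trace shows can be made visible with a redirect follower that takes one hop at a time instead of letting the browser chase the chain. The script below is an added example, not from the original post; its fetcher is a constructed offline stand-in that returns the Location header each URL would produce, using the contoso.com names from the Microsoft excerpt.

```python
"""Diagnose an HTTP <-> HTTPS redirect loop behind a reverse proxy such as TMG.

The fetcher below is a constructed, offline stand-in for a real HTTP client that
does not follow redirects: it returns the Location header a server would send
for each URL, mirroring the loop described in the post.
"""
from urllib.parse import urlsplit

# Constructed redirect table: the application sends HTTP requests to HTTPS and,
# on the HTTPS page, sends the client back down to HTTP, so the chain never ends.
CONSTRUCTED_REDIRECTS = {
    "http://www.contoso.com/checkout": "https://www.contoso.com/checkout",
    "https://www.contoso.com/checkout": "http://www.contoso.com/checkout",
    "http://www.contoso.com/catalog": None,  # 200 OK, no redirect
}


def fake_fetch(url):
    """Stand-in for a non-following HTTP GET: returns Location or None."""
    return CONSTRUCTED_REDIRECTS.get(url)


def follow_redirects(url, fetch=fake_fetch, max_hops=10):
    """Follow redirects one hop at a time so every hop lands in the chain.

    Returns (chain, status) where status is 'ok', 'loop' or 'too-many-hops'.
    The hop limit plays the role TMG's flood mitigation plays in production:
    it stops the client before it hammers the listener indefinitely.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain, "ok"
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too-many-hops"


def is_scheme_flip_loop(chain):
    """True when the chain only alternates scheme (http <-> https) while host
    and path stay the same: the signature of the TMG bridging problem."""
    parts = [urlsplit(u) for u in chain]
    target = (parts[0].netloc, parts[0].path)
    same_target = all((p.netloc, p.path) == target for p in parts)
    schemes = [p.scheme for p in parts]
    flips = all(a != b for a, b in zip(schemes, schemes[1:]))
    return same_target and flips and len(chain) >= 3
```

Swap `fake_fetch` for a real client that disables redirect following to run the same check against a published site; a `loop` status with `is_scheme_flip_loop` true is the pattern this post describes.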

To resolve the issue you need to explicitly define link translations for HTTP to HTTP and HTTPS to HTTPS. This seems like a redundant configuration, but it is required.

Thanks to Chris Lotter for figuring this out based on info from http://support.microsoft.com/kb/924373 and http://social.technet.microsoft.com/Forums/en/Forefrontedgegeneral/thread/6b58c704-7d42-4168-82e6-8fa302d5e12f


Anonymous said...

This seems to be working for me for a test of publishing HTTPS on the external network but use HTTP to the internal host as a temporary test workaround.

Etienne Liebetrau said...

Yes, publishing to the internal on HTTP only will resolve this issue. This only occurs if the bridging is set to allow both HTTP and HTTPS.

I am assuming that you would need to enable HTTPS on the internal as well; try the fix described above and please give feedback.

Toad said...

Great article this. Fixed exactly what I was experiencing.

Sacha said...

Great article. This is exactly what I was experiencing. Thank you very much.

Anonymous said...

WOW. This exact thing was happening to me. This will happen when you want to publish a site that will switch from HTTP to HTTPS when viewing a shopping cart and checking out. This is a GREAT tip! Thanks!
