TMG Compression broke my site

Reading Time: 3 minutes

Microsoft Threat Management Gateway (TMG) should make publishing websites easy. Generally it is. We had a configuration as shown below:

Drawing2

This should work like a charm. Unfortunately it did not in Internet Explorer 9. Upon testing the published site we noticed that some of the SharePoint functionality was not working as intended; Menu functions were not correctly created in the published page. If you visited through an InPrivate session the problem disappeared. Other browsers, such as Chrome and Firefox did not seem to suffer. Also the situation was a little more complicated:

Drawing3

When we connected from to the published site from the webserver, there was no problem. When we modified the hosts file to bypass the TMG there was no problem. So it seems that the TMG was altering something. And it did.

Since the bulk of the users was connected through a satellite connection which had narrow bandwidth we used some compression methods on the webserver.

Upon testing extensively we determined that the default.css remained empty. This clearly was a caching problem resulting from the TMG configuration.

Eventually we narrowed it down to the Web access policy and the Web Compression Filter on the TMG. turning those off made the problem disappear on the clients.

Since we wanted the Compression Filter to work for some of the websites we had to come up with another solution than simply disabling the filter. After some searching we came across a MSDN article describing the SendAcceptEncodingHeader. The VBscript below can be run on the TMG. It sets the SendAcceptEncodingHeader property to true for a specific publishing rule on the TMG. This will allow compressed content from the webserver to reach the clients correctly.


' Define the constants needed const Error_FileNotFound = &H80070002 Const fpcPolicyWebPublishing = 2 Main(WScript.Arguments) Sub Main(args) If(args.Count = 1) Then AllowCompressedContent args(0) Else Usage() End If End Sub Sub AllowCompressedContent(ruleName) ' Create the root object. Dim root ' The FPCLib.FPC root object Set root = CreateObject("FPC.Root") ' Declare the other objects needed. Dim isaArray ' An FPCArray object Dim rule ' An FPCPolicyRule object ' Get a reference to the array object. Set isaArray = root.GetContainingArray() ' Get a reference to the policy rule specified. On Error Resume Next Set rule = isaArray.ArrayPolicy.PolicyRules.Item(ruleName) If Err.Number = Error_FileNotFound Then WScript.Echo "The policy rule specified could not be found." Else Err.Clear On Error GoTo 0 If rule.Type = fpcPolicyWebPublishing Then If rule.WebPublishingProperties.SendAcceptEncodingHeader = False _ Then rule.WebPublishingProperties.SendAcceptEncodingHeader = True rule.Save WScript.Echo "Done!" Else WScript.Echo "The policy rule specified already " & _ "allows forwarding of compressed content." End If Else WScript.Echo "The policy rule specified is not a Web publishing rule." End If End If End Sub Sub Usage() WScript.Echo "Usage:" & VbCrLf _ & " " & WScript.ScriptName & " RuleName" & VbCrLf _ & "" & VbCrLf _ & " RuleName - Name of the Web publishing rule" WScript.Quit End Sub

By default a web publishing rule instructs the TMG to delete all Accept-Encoding headers sent to the webserver. However the webserver answers with compressed responses. The TMG in turn will not forward the compressed responses. That’s when, for instance, the piece of java that makes up your SharePoint menu items brakes.

Conclusion

Let me point out that this will not be an issue when you are not using compression on the webserver. If you do however, and do not want to turn off all of the compression on TMG then you might find the script helpful.

I’d like to see this property of a web publishing rule to be an option in the GUI. In my opinion, especially considering the fact that a lot of clients, including mobile devices, benefit from compression, this would be a nice option which should be more accessible. Maybe a checkbox in the publishing rule wizard or properties.