TMG 2010 rewriting original host headers when … – Extropy

I found a strange behavior with TMG 2010 when publishing a website. It appears to rewrite URLs sent outbound to clients when the "send original host header is sent" under certain conditions. Here are those conditions:

Here is precisely what I encountered:

So by process of elimination I found that this appears to be TMG not affecting any host header inbound, nor affecting the alternate URLs outbound.This appears to affect only the main URL outbound, as TMG appears to be rewriting the protocol part of the header when the submitted form returns a redirect from http to https (changing https back to http).

Fixes: Uncheck the "send original host header..." flag and all functionality works correctly. I don't think this is as "clean", because it means that TMG touches every request and changes the host header to the internal host header, however on the IIS bright-side this means the web server will see the same host header no matter what clients request (normalization). The only caveat is that if you wanted to use an internal URL (instead of IP address) for the site that was the same as the external URL it would either not work, or would require a DNS trick on TMG to force it. Or, you could just change the internal URL to something else (not used).

TMG proxy background:

This isn't so much of a bug in TMG as a "feature". TMG is designed to allow external access to internal resources. I've found that it makes a powerful and flexible reverse proxy server, you just have to contend with a few "features". TMG's basic design-premise is based on rewriting URLs that are normally only internally visible, to URLs that are externally visible. This means that TMG errs towards the side of rewriting in exception cases, which this appears to be. This methodology appears to assume that the web servers are dumb, and don't know about external URLs. This premise is fine, except when it is necessary for the web server to perform some type of functionality that requires a complex redirect based on a user action (such as switching to https when a user logs in). TMG assumes that the redirect is internal in nature and blocks the redirect in favor of maintaining the original URL and same-protocol bridging (or more accurately not bridging). This appears to only be an issue when TMG is confused by using the external URL as the internal URL (same as listener and client requests). This shouldn't be an issue when you specify that TMG uses an IP address for the internal site, however it appears that MS has designed TMG to be "smarter" and "more helpful" by performing host header translation outbound, even when you request it no to do so...

TMG 2010 rewriting original host headers when ... - Extropy

DotNetNuke Skins - Home - February 20th, 2017 [February 20th, 2017]
Greydon Square Extropy Lyrics | Genius Lyrics - March 11th, 2017 [March 11th, 2017]
Extropy - Evernote User Forum - March 11th, 2017 [March 11th, 2017]
Extropy SHIFT> - March 11th, 2017 [March 11th, 2017]
Sabretooth Clan | Father Sebastiaan - February 15th, 2018 [February 15th, 2018]
College of Arts and Humanities The central page for the ... - May 11th, 2018 [May 11th, 2018]
Knights of Unicron (SG) - Transformers Wiki - TFWiki.net - May 22nd, 2018 [May 22nd, 2018]
Unicron/Shattered Glass - Transformers Wiki - July 6th, 2018 [July 6th, 2018]
Knights of Unicron (SG) - Transformers Wiki - July 6th, 2018 [July 6th, 2018]
Removing Dead Exchange 2010 Servers | www.extropy.com - July 6th, 2018 [July 6th, 2018]
Negentropy - Wikipedia - September 6th, 2018 [September 6th, 2018]
Exchange 2010 - www.extropy.com - November 11th, 2018 [November 11th, 2018]
Active Directory, NTP and VMware | www.extropy.com - April 9th, 2019 [April 9th, 2019]
Markus Guentner: Extropy Album Review | Pitchfork - December 27th, 2021 [December 27th, 2021]
Whatever Happened to the Transhumanists? - Gizmodo - August 5th, 2022 [August 5th, 2022]