Channel: Forefront TMG and ISA Server forum

Forefront Threat Management Gateway 2010 use it as firewall function only


Hello,

We have an Active Directory site with 700 client machines and 2 gateways. On one of the gateways we use Forefront Threat Management Gateway 2010 as a web cache and firewall server. We are planning to implement WCCP with Cisco L3 switches and use Forefront TMG 2010 in a firewall role only. (I am not sure whether I can disable the "cache" role.)

Can I disable the "Cache" role on Forefront TMG 2010 and use it as a firewall?

Any recommendations or thoughts would be really appreciated.

Kind regards,

Akira Sekine


TMG /31 mask support - ISP query

Does Forefront TMG support a /31 mask when connected to an ISP?

Publishing RSA Authentication Manager 7.1 SelfService via TMG 2010


I am having an issue publishing the self-service piece of RSA AM 7.1 via TMG 2010. I called RSA and was told that they currently only support ISA 2006, and even then the support they are willing to provide is very limited.

I went ahead anyway following this document:

http://www.rsa.com/products/securid/specs/proxy_sever.pdf

and I am running into this when I test my rule:

Time reported by the Microsoft Forefront TMG Firewall Service: 0.037 seconds
Testing https://RSAAMServer.mydomain.com:7004/console-selfservice/
Category: Destination server certificate error
Error details: 0x80090331 - The client and server cannot communicate, because they do not possess a common algorithm.
Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965

Any ideas?


Forefront TMG 2010 Error Page Configuration


Hi,

How do I set the default error page for a published web page?

I have published a website using a web publishing rule in TMG, and I am looking for TMG to serve a static error page when the internal web server goes down.

Regards, Vinoth Kumar K

web filtering

Can I configure web filtering on a TMG 2010 server?

SharePoint publishing - username TMG authentication


Hi There,

I have recently been tasked with providing an SSO solution for various systems within our organisation.

I have set up TMG in a single-NIC configuration and I have configured it to:

sign into one SP site and traverse a site collection without a login prompt;

open documents without a login prompt using persistent cookies.

One of the major requirements for this project is to allow users to sign in without adding the domain prefix. The drawback is that the other requirement is to preserve the client integration capabilities of SharePoint.

Without TMG, one would activate basic authentication on the IIS web front ends for SharePoint to fulfil the first requirement; however, this also breaks client integration and therefore prevents the implementation of the second requirement.

Is there a way to configure TMG so that I can meet both requirements?

Any ideas would be gratefully received.

Cheers


MW Victim Support coming soon

Slow RPC through TMG 2010 VPN


For many years I have been running ISA 2000 on a Windows 2000 server. This ISA server is configured for VPN access (PPTP). There have been no issues accessing network services - in particular the MAPI connection from Outlook to the internal Exchange server.

So recently I set up a new server running Windows 2008 R2 and TMG 2010 SP2, configured for VPN access just like my ISA 2000 server.

Everything I have tested to date runs the same EXCEPT the Outlook MAPI connections. Through the TMG 2010, Outlook can connect to the email server and perform all functions, but it is very slow.

I ran some tests using rpcping: the ISA 2000 VPN is about 200ms, whereas the TMG 2010 VPN is about 5,400ms.

Both ISA servers are domain members and are configured the same. The only difference is that one is ISA 2000 on Windows 2000 and the other is TMG 2010 on Windows 2008 R2.

I have researched this for a very long time and have tried many experiments to try to determine why the TMG 2010 has such slow RPC response. I see a lot of posts about RPC over HTTP, but hardly any relating to RPC through a VPN tunnel.

I would appreciate the input of anyone who has also encountered this issue.

How to publish a web site which requires SSL client certificate authentication with TMG?


Hi,

We have a web site (.NET) which requires an SSL client certificate for authentication; it has its own database for the users, not AD. It works from the internal network.

Now I want to publish it with TMG for external users; the only thing I want is a pass-through authentication configuration in TMG.

I have read some articles and posts in the forums, and it looks like it can't be done.

Here is a similar scenario to mine: http://social.technet.microsoft.com/Forums/en/ForefrontedgePub/thread/debf9d7d-633a-44d4-82d1-2783110e872e

Is there any solution?


Large attachments do not download to iphone when compression filter is turned on

Since moving from ISA 2006 to TMG 2010 we have a problem where iPhone users are unable to download large attachments in their iPhone mail unless the compression filter is turned off. When the compression filter is turned on, the TMG logs show status "10054 An existing connection was forcibly closed by the remote host". Connecting to the mail server and sending/receiving emails works OK, so we have the compression filter disabled.

This has thrown up another problem: some websites are not accessible. www.qantas.com.au, for example, gives the error "Error Code: 502 Proxy Error. The request is not supported. (50)". If we enable the compression filter the website is accessible.

Does anyone have any suggestions on how we get both things to work? Please let me know if you need any further information. Thanks

Android behind Forefront TMG


Hi,

I'm having trouble with a test environment using Microsoft Forefront TMG and Android/iOS smartphones. I read the answers before and in another topic, but it doesn't want to work in my test environment.
If my Android phone is connected via WLAN and I set the proxy setting to the Forefront TMG, the phone is able to open google.de or other sites via the browser. But if I try to open the Play Store I get a connection error and there is no possibility to search for or download apps.

I also tried to allow traffic for everyone, so there's no authentication required, right?

Do you have any ideas? Thank you for any hint...

Sorry for my English... I am from Germany :)

ISA 2000 - URL set for internet connection prompting for username and password


Hi

We have ISA 2000 in a child domain, and whenever we use the URL set as the destination for internet access it prompts for user name and password repeatedly and does not work. If we change to All Destinations then it works. Please suggest on this issue.

Site to Site VPN and Cisco Small business Routers


I am trying to set up an IPSEC site-to-site VPN between MS Forefront TMG 2010 and a Cisco SRP527W router.

I am running the latest firmware on the router.

I cannot get the two to connect; I have matched the settings on the SRP527W as closely as possible to those in Forefront.

I can't see any logs to indicate why this is not working.

Does anyone have any ideas?


Below are the settings from Forefront TMG:

Local Tunnel Endpoint: External IP Router
Remote Tunnel Endpoint: External IP TMG

IKE Phase I Parameters:
    Mode: Main mode
    Encryption: 3DES
    Integrity: SHA1
    Diffie-Hellman group: Group 2 (1024 bit)
    Authentication Method: Pre-shared secret (ThisIsAPreSharedKey2012)
    Security Association Lifetime: 86400 seconds

IKE Phase II Parameters:
    Mode: ESP tunnel mode
    Encryption: 3DES
    Integrity: SHA1
    Perfect Forward Secrecy: OFF
    Diffie-Hellman group: Group 2 (1024 bit)
    Time Rekeying: ON
    Security Association Lifetime: 28800 seconds
    Kbyte Rekeying: ON
    Rekey After Sending: 4608000 Kbytes

Site-to-Site Network IP Subnets:
    Subnet: 10.10.10.0/255.255.255.0

TMG client prevents Outlook "Out of Office Assistant" working


I have what should be a very simple configuration: a single Exchange 2010 SP2 server and a single TMG 2010 SP2 server, with all workstations running the Forefront TMG client 7.0.

When users try to configure their "Out of Office" settings they get the error message "Your Out of Office settings cannot be displayed because the server is currently unavailable".

If I disable the TMG client and remove the proxy setting from Internet Explorer, then the "Out of Office Assistant" works.

What is the best way to resolve this, or what are the recommended settings for Exchange 2010, IIS 7 and Forefront?

I would have thought that as all the products are Microsoft and it's a common and simple scenario, it would all just work :(

Regards,

Nigel - Gold Coast, Australia

Status 64 Error

Users' access to the proxy server with TMG 2010 failed.

Any clues?!

http://h71016.www7.hp.com/dstore/sp_main.asp?HPURL=Y&hp_url=searchresults%2Easp%3Fmfg_partno%3D507614-B21%2C507616-B21%2C581284-B21%2C581286-B21%2C590698-B21%2C652564-B21%2C652572-B21%2C652583-B21%2C652589-B21%2C652597-B21%2C652605-B21%2C652611-B21%2C652615-B21%2C652620-B21%2C652745-B21%2C652749-B21%2C652753-B21%2C652757-B21%2C652766-B21%2C507610-B21%2C516814-B21%2C516816-B21%2C516828-B21%2C537805-B21%2C%2520537809-B21%2C516824-B21%2C516826-B21%2C516830-B21%2C512545-B21%2C512547-B21%2C627117-B21%2C507127-B21%2C619291-B21%2C%2520585980-B21%2C574758-B21%2C574879-B21%2C%2520574761-B21%2C605835-B21%2C537805-B21%2C625031-B21%26rank_on%3Dprice%26rank_dir%3Ddesc%26pagemode%3Dca%26jumpid%3Din_r3924%26resetSearch%3D1%26price_matrix%3DSMB-BOOK1

Failed Connection Attempt ASIA-PXY-S01P 9/7/2012 11:42:43 AM 
Log type: Web Proxy (Forward) 
Status: 64 The specified network name is no longer available.  
Rule: Allow Web Destinations 
Source: Internal (172.X.X.X:3185) 
Destination: External (15.217.232.120:80) 
Request: GET http://h71016.www7.hp.com/dstore/sp_main.asp?HPURL=Y&hp_url=searchresults%2Easp%3Fmfg_partno%3D507614-B21%2C507616-B21%2C581284-B21%2C581286-B21%2C590698-B21%2C652564-B21%2C652572-B21%2C652583-B21%2C652589-B21%2C652597-B21%2C652605-B21%2C652611-B21%2C652615-B21%2C652620-B21%2C652745-B21%2C652749-B21%2C652753-B21%2C652757-B21%2C652766-B21%2C507610-B21%2C516814-B21%2C516816-B21%2C516828-B21%2C537805-B21%2C%2520537809-B21%2C516824-B21%2C516826-B21%2C516830-B21%2C512545-B21%2C512547-B21%2C627117-B21%2C507127-B21%2C619291-B21%2C%2520585980-B21%2C574758-B21%2C574879-B21%2C%2520574761-B21%2C605835-B21%2C537805-B21%2C625031-B21%26rank_on%3Dprice%26rank_dir%3Ddesc%26pagemode%3Dca%26jumpid%3Din_r3924%26resetSearch%3D1%26price_matrix%3DSMB-BOOK1 
Filter information: Req ID: 0a9acf64; Compression: client=No, server=No, compress rate=0% decompress rate=0% 


Secure NAT client not working with TMG


Hi,

I have a Windows 7 client on a virtual machine (Hyper-V). When I am using it as a web proxy client or TMGC everything works fine, but when I am using it as a SecureNAT client by putting my TMG IP in the default gateway, the internet isn't working. Are there any other settings that I need to configure on the client or on the TMG server?


Error Code 64: Host not available on Http POST Method


Hi all,

We have a SharePoint 2010 internet site with anonymous access behind a Forefront TMG server. The site is accessed from both the internet and the intranet.

When a user accesses the site from the internet and sends an HTTP POST request to the page (e.g. a button click), the page becomes unresponsive for a minute and then a timeout occurs. HTTP GETs are OK without any problem. One thing to note: there is no problem when a user connects to the site from the intranet.

When we look at TMG's logs we see:

Log type: Web Proxy (Reverse)
Status: 64 The specified network name is no longer available. 
Rule: www.xxx.com.xx  
Source: External (xxx.0.xxx.xxx:51981)
Destination: Local Host (xx.0.xxx.x:80)
Request: POST http://www.xxx.com.xxr/pages/default.aspx  
Filter information: Req ID: 0fd419d7; Compression: client=Yes, server=No, compress rate=0% decompress rate=0%
Protocol: http 
User: anonymous

One thing to note: this site also has a separate HTTPS access with user login, and that is also working without any problem, both from the intranet and the internet.

Any help is appreciated, thanks

Allow TMG Server Monitoring

Hi all,

We have a server that runs the monitoring software. This server is in the LAN.

Net <--- Ext Int...TMG....INT Interface---  |  ----LAN
TMG is in the DMZ as an edge firewall, just to route Exchange. So how do I allow this monitoring server to access the internal interface on all ports?

AS

vPointHD (video conferencing)

Hiya,

We've just had a guy in from a reseller to demo vPointHD for us. He emailed the necessary ports to be allowed through before his arrival so I got these pre-configured.

For completeness' sake, we used his iPad running a Polycom client for testing purposes.

Basically, it would not work unless we allowed both the vPointHD and Polycom protocols, both inbound and outbound.

So on this premise, every time we wanted to engage in a video conference call with someone, we would have to ask what system they use and then configure TMG to suit.

He is under the impression that only TCP port 1720 is required to initiate the call, along with 5004-6004 TCP/UDP for control and voice/video. The handshaking then works out what ports each system uses and allows them through automatically. He also said it's the first time he's come across this problem, and, funnily enough, the first time he has even heard of ISA/TMG.

So what is TMG doing to stop this from mutually working without having each manufacturer's port ranges manually configured, and how do I fix it?

Enabling the H.323 application filter made no difference. In the firewall log I can see this pattern on inbound calls:

1720 TCP Initiated connected
1720 TCP Closed connection (straight away)
1720 TCP Denied connection

All from the same source/destination IP:

iPad 3G IP: x.x.x.x:32xx (with 32xx being Polycom's port range)
Internal IP: x.x.x.x:1720 (which is allowed)

I have one rule for outbound and a separate non-WP rule for inbound.

Enabling NLB on Internal Interface Disconnects TMG Node


Hello,

We have two TMG 2010 EE servers with three NICs each: external, internal, and intra-array.

The EMS is on another server; all servers are Win 2008 R2.

When I configure NLB on the external interface, we get the famous inconsistency error message, but things work fine (except for the by-affinity traffic).

Now, when I enable NLB on the internal interface, connectivity to one of the two nodes is totally lost!!

I have no clue what on earth is going on.

Any suggestion would be appreciated.

Failover in Web Publishing


Hi,

I would like to have a web publishing rule with a failover mechanism, i.e. when Website 1 is down, route the request to Website 2; I don't want to do load balancing.

Is it possible to have a rule that routes the request based on the status code from Website 1?


Regards, Vinoth Kumar K
