Channel: Forefront TMG and ISA Server forum

Routing/Chaining Failure TMG Detected a Loop


Hi folks,

I'm having an issue with TMG 2010 in that I'm seeing reports of "Routing/Chaining failure / TMG Detected a Loop":

Event ID 14141

Forefront TMG detected a proxy server loop. There may be a problem in the configuration of the Forefront TMG Web chaining policy. Alternatively, in Enterprise Edition, when CARP is enabled and there are intermittent interruptions of intra-array connectivity, array member A may forward a request to array member B according to the CARP algorithm, and array member B may forward the request to array member A in an endless loop.

A look at the log files indicates that this error occurs when the localhost (the TMG 2010 VM itself) is connecting to Microsoft to check for Windows Updates. This is the only time the error occurs and it occurs often.

Here's a snippet to illustrate:

Microsoft-CryptoAPI/6.1  Proxy - 65.54.87.108 TCP GET Req ID: 0a655fc7; Compression: client=No, server=No, compress rate=0% decompress rate=0% - 0x110 0x0 58066 SecureNAT     1 3923 201 - 5/14/2013 1:23:26 AM - - 0 - 0 - - - - - - 0 0         From cache  65.54.87.108 5/13/2013 6:23:26 PM Local Host xx.external.IP.xx External 65.54.87.108 80 http Failed Connection Attempt  -  - - 

[System] Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads)  

12206 Forefront TMG detected a proxy chain loop. There is a problem with the configuration of the Forefront TMG routing policy. Please contact your server administrator.  anonymous http://65.54.87.108/pki/mscorp/crl/mswww(6).crl EDGE Technical Information Web Proxy Filter   -   0 - 

Is there anyone left in the groups with knowledge of TMG 2010? I've already looked on the web for information relating to this but none seems relevant. I think the key is in the fact that it only happens when the local host goes off to Microsoft to check for Windows Updates.
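One way to confirm that scope from an exported log, as an added example that is not part of the original post: the script below reads a tab-separated export of the TMG log viewer and groups every result code 12206 (proxy chain loop) by source, destination and URL, flagging the ones whose client is "Local Host" (the firewall's own traffic). The column names and the sample rows are constructed to resemble the snippet above and are assumptions; adjust the header to whatever columns your export carries.

```powershell
# Added example, not from the thread. Groups TMG proxy-loop results (12206) from
# a tab-separated log viewer export. Column names are assumptions; the rows are
# constructed sample data modelled on the post's snippet.
$sampleLog = @'
Client IP	Client Username	Destination IP	Destination Port	Result Code	URL	Rule
Local Host	anonymous	65.54.87.108	80	12206	http://65.54.87.108/pki/mscorp/crl/mswww(6).crl	[System] Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads)
Local Host	anonymous	65.54.87.108	80	12206	http://65.54.87.108/pki/mscorp/crl/mswww(6).crl	[System] Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads)
10.1.1.25	DOMAIN\alice	93.184.216.34	80	200	http://example.com/	Allow web access
10.1.1.30	DOMAIN\bob	65.54.87.108	80	200	http://65.54.87.108/pki/mscorp/crl/mswww(6).crl	Allow web access
'@

function Find-TmgProxyLoops {
    param([string[]]$Lines)
    # First line of the export is the header; ConvertFrom-Csv turns each row into an object
    $rows = $Lines | ConvertFrom-Csv -Delimiter "`t"
    $rows | Where-Object { $_.'Result Code' -eq '12206' } |
        Group-Object -Property 'Client IP', 'Destination IP', 'URL' |
        ForEach-Object {
            $first = $_.Group[0]
            New-Object PSObject -Property @{
                Source        = $first.'Client IP'
                Destination   = "$($first.'Destination IP'):$($first.'Destination Port')"
                Url           = $first.URL
                Rule          = $first.Rule
                Count         = $_.Count
                # "Local Host" is TMG itself. Loops only from here mean the firewall's
                # own outbound requests (CRL checks, Windows Update) are being routed
                # back through the proxy, which is what event 14141 attributes to the
                # web chaining policy.
                FromTmgItself = ($first.'Client IP' -eq 'Local Host')
            }
        }
}

Find-TmgProxyLoops -Lines ($sampleLog -split "`r?`n") |
    Format-Table Source, Destination, Count, FromTmgItself, Rule -AutoSize -Wrap
```

If every 12206 row comes back with FromTmgItself set and the same CRL/Windows Update destinations, the loop is confined to the firewall's own requests, which narrows the review to the web chaining rules that apply to the Local Host network rather than to the user-facing access rules.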




Access rule for Google Cloud Printer


I want my users to access Google Docs, their Gmail account, Google Drive and Google Cloud Print only, but they should not get access to the Google website.

I made a rule for it and blocked the Google search engine.

After testing:

Google Docs is accessible, the Gmail account is accessible and Google Drive is also accessible, but I am not able to access Google Cloud Print, because Google Cloud Print is not a namespace.

So kindly help me out: what should I do, and what kind of rule do I have to make so my users can also access Google Cloud Print? I don't want my clients to access the Google search engine.


electrifying

TMG Web Proxy - Whitelisting MapQuest


My org insists that we do whitelist filtering for a certain group of employees. This group should be able to use MapQuest.com. However, I can't seem to create a good ruleset that denies everything but allows MapQuest to function normally. Any ideas?

Obviously adding *.mapquest.com does not work. How can I make sure that only the site and all the specific URLs its HTML/JavaScript code references are allowed? So far, when I try to get to mapquest.com, it shows a blank page (oddly enough, when I click View Source, I can see the source).
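A blank page whose source is visible is consistent with the HTML itself being allowed while the stylesheets and scripts it references are not. The following added example (not from the thread) extracts the hosts an HTML document pulls resources from, so a whitelist can be built from what the page actually loads instead of guessed. The HTML below is constructed for illustration; in practice fetch the real page through the proxy with Invoke-WebRequest and pass its Content to the function, then repeat for each JavaScript file it names, since scripts load further hosts at run time.

```powershell
# Added example, not from the thread. Collects the hosts referenced by an HTML
# page (src/href attributes plus URLs embedded in inline script) for a
# whitelist-only access rule. $sampleHtml is constructed sample input.
$sampleHtml = @'
<html><head>
<link rel="stylesheet" href="https://static.example-maps.com/css/site.css">
<script src="//cdn.example-cdn.net/js/app.min.js"></script>
<script src="/js/local.js"></script>
</head><body>
<img src="https://tiles1.example-maps.com/tile/1/2/3.png">
<iframe src="https://ads.example-ads.com/frame"></iframe>
<script>var api = "https://api.example-maps.com/v1/search";</script>
</body></html>
'@

function Get-ReferencedHosts {
    param([string]$Html, [string]$BaseHost)
    $hosts = @{}
    # src/href attributes: absolute (https://...), scheme-relative (//...) or site-relative (/...)
    foreach ($m in [regex]::Matches($Html, '(?i)\b(?:src|href)\s*=\s*["'']([^"'']+)["'']')) {
        $url = $m.Groups[1].Value
        if ($url -match '^(?:https?:)?//([^/:?#]+)') { $hosts[$matches[1].ToLower()] = $true }
        elseif ($url -match '^/') { $hosts[$BaseHost.ToLower()] = $true }
    }
    # URLs written into inline script or JSON (XHR/API endpoints)
    foreach ($m in [regex]::Matches($Html, '(?i)https?://([^/"''\s:?#]+)')) {
        $hosts[$m.Groups[1].Value.ToLower()] = $true
    }
    $hosts.Keys | Sort-Object
}

# BaseHost is the site the page was fetched from, so site-relative paths map to it
Get-ReferencedHosts -Html $sampleHtml -BaseHost 'www.mapquest.com'
```

For the sample above this yields ads.example-ads.com, api.example-maps.com, cdn.example-cdn.net, static.example-maps.com, tiles1.example-maps.com and www.mapquest.com. Each host then needs to be checked against the TMG log: a whitelist rule built from this list still has to cover whatever the allowed scripts fetch afterwards, which only the log viewer's denied requests will show.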

Google Chrome can still access banned sites BUT IE8/9 cannot - TMG 2010 SP2


Hi All,

I have a TMG 2010 SP2 server configured with Web Proxy, banned URL and domain sets defined, and the autoconfig script set in IE.

The issue we are having is this: IE8 and IE9 access to any of the banned sites/domains is blocked and the Forefront message appears. However, when you try to access, for example, www.facebook.com or www.twitter.com through Chrome, Chrome, even though it uses the same proxy settings as IE, will still gain access by redirecting the HTTP request to HTTPS and getting to the destination.

How can I fix this? Chrome will simply not respect being blocked.

Decommission ISA 2004 servers


Hello forum, I have to decommission a few ISA servers because our project team implemented TMG in our environment. The ISA version is 2004 and the traffic logging is done on a different box with SQL 2005, which means that all server, service/application or user generated traffic first hits the ISA boxes and the data is logged in SQL Server. Now, I ran a query on the SQL boxes to see if there are servers or applications still accessing the old ISA servers and found that many are still using that route. The query I ran is:

SELECT ClientUserName, MAX(logTime) AS TimeStamp
FROM WebProxyLog
WHERE logTime > '2014-03-04'
GROUP BY ClientUserName

Outcome is a list of servers and users accessing old ISA servers, please see below

ClientUserName     TimeStamp
Domain\USER1       12/03/2014 9:42
Domain\USER2       10/03/2014 8:29
Domain\SERVER1$    12/03/2014 6:33
Domain\SERVER2$    7/03/2014 23:05
Domain\SERVER3$    7/03/2014 23:09
Domain\SERVER4$    7/03/2014 22:18
Domain\SERVER10$   12/03/2014 0:15
Domain\SERVER12$   6/03/2014 13:00
Domain\SERVER21$   9/03/2014 15:05
Domain\USER46$     6/03/2014 7:17
Domain\SERVER22$   5/03/2014 17:25
Domain\SERVER73$   12/03/2014 9:11
Domain\SERVER14$   5/03/2014 17:31

So I logged on to a few servers to check the proxy settings. The server list comprises Windows 2003 and 2008 R2 boxes. On a handful of servers I found a proxy under the IE settings, but on others I didn't find any proxy settings (under IE). Then I tried proxycfg.exe (pre-2008) and netsh winhttp show proxy (2008 and later) but got the following results:

C:\>proxycfg
Microsoft (R) WinHTTP Default Proxy Configuration Tool
Copyright (c) Microsoft Corporation. All rights reserved.

Current WinHTTP proxy settings under:
  HKEY_LOCAL_MACHINE\
    SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
      WinHttpSettings :

     Direct access (no proxy server).


C:\>netsh winhttp show proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

I have also looked at the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings but found nothing of relevance. I checked the IE settings and found no proxy configuration. I know that these boxes are still using the old proxy servers because they show up when I query the ISA logs.

I tried a few network sniffing tools, but the trouble is that those servers and applications/users are not accessing the server all the time. How can I verify what data is being passed through ISA? I have the date and time but not the reason. How can I check which application or service is using the proxy, and on which port? Thanks again.
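The usernames ending in $ in the query output are computer accounts, which ISA logs when a service or scheduled task running as LocalSystem or NetworkService authenticates with the machine account; those never use the interactive user's IE settings. The script below is an added example, not from the thread, and assumes placeholder ISA addresses and port (replace $IsaServers and $ProxyPorts with your own). It lists the places a Windows server can pick up a proxy from (WinHTTP, the WinINET settings of every loaded user hive, and proxy environment variables), then samples netstat for live connections to the old ISA listeners and maps each one to its owning process, so intermittent clients are caught without a packet capture.

```powershell
# Added example, not from the thread. Run elevated on a server that still shows
# up in the WebProxyLog query. $IsaServers and $ProxyPorts are assumptions.
# Uses only cmdlets available in Windows PowerShell 2.0 (Server 2008 R2);
# netstat -ano is used because Get-NetTCPConnection does not exist there.
param(
    [string[]]$IsaServers = @('10.0.0.10', '10.0.0.11'),   # assumed old ISA IPs
    [int[]]$ProxyPorts    = @(8080),                        # assumed web proxy listener port
    [int]$Samples         = 30,                             # netstat snapshots to take
    [int]$IntervalSec     = 10                              # seconds between snapshots
)

function Get-ProxySources {
    # 1. WinHTTP: machine-wide, used by services, Windows Update/BITS, WMI and friends
    $winhttp = (netsh winhttp show proxy 2>&1 | Out-String).Trim()
    New-Object PSObject -Property @{ Scope = 'WinHTTP'; Setting = $winhttp }

    # 2. WinINET (IE) settings of every loaded user hive. HKCU only shows the account
    #    you are logged on with; service accounts keep their own copy.
    if (-not (Test-Path HKU:)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem HKU:) {
        $key = "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty $key
        if ($p.ProxyEnable -eq 1 -or $p.AutoConfigURL) {
            New-Object PSObject -Property @{
                Scope   = "WinINET $($hive.PSChildName)"
                Setting = "ProxyServer=$($p.ProxyServer) AutoConfigURL=$($p.AutoConfigURL)"
            }
        }
    }

    # 3. Environment variables honoured by non-Microsoft stacks (Java, curl, Python, ...)
    foreach ($name in 'HTTP_PROXY', 'HTTPS_PROXY', 'http_proxy', 'https_proxy') {
        foreach ($scope in 'Machine', 'User') {
            $v = [Environment]::GetEnvironmentVariable($name, $scope)
            if ($v) { New-Object PSObject -Property @{ Scope = "Env ($scope)"; Setting = "$name=$v" } }
        }
    }
}

function Find-ProxyClientProcesses {
    param([string[]]$Servers, [int[]]$Ports, [int]$Samples, [int]$IntervalSec)
    $seen = @{}
    for ($i = 0; $i -lt $Samples; $i++) {
        foreach ($line in (netstat -ano -p tcp)) {
            # Columns: Proto, Local Address, Foreign Address, State, PID
            $f = $line.Trim() -split '\s+'
            if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { continue }
            $remoteHost, $remotePort = $f[2] -split ':'
            if (($Servers -contains $remoteHost) -and ($Ports -contains [int]$remotePort)) {
                $procId = [int]$f[4]
                $key = "$procId|$remoteHost|$remotePort"
                if ($seen.ContainsKey($key)) { continue }
                $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
                $seen[$key] = New-Object PSObject -Property @{
                    PID       = $procId
                    Process   = $proc.ProcessName
                    Path      = $proc.Path
                    Remote    = "$remoteHost`:$remotePort"
                    State     = $f[3]
                    FirstSeen = Get-Date
                }
            }
        }
        Start-Sleep -Seconds $IntervalSec
    }
    $seen.Values
}

Get-ProxySources | Format-Table Scope, Setting -AutoSize -Wrap
Find-ProxyClientProcesses -Servers $IsaServers -Ports $ProxyPorts -Samples $Samples -IntervalSec $IntervalSec |
    Format-Table PID, Process, Path, Remote, State, FirstSeen -AutoSize
```

Leave the sampling loop running for as long as the gap between hits in the ISA log suggests (hours, if need be, by raising $Samples). A process that shows up as svchost.exe needs a second look with tasklist /svc to see which service group it hosts; products with their own proxy configuration (Java applications, update agents) will not appear in any of the three registry or environment locations and are only revealed by the connection sample.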





L2TP VPN on TMG

Downloaded file size limitation in TMG?


Hi, guys

As the title describes, how do I limit the downloaded file size to just what I want?

Nice Day

Let android traffic go through the TMG


Hi, guys

Many users have their own Android devices; what should I do to make their traffic successfully allowed by TMG?

Nice Day


block virtual directory

FTP can't upload files?


Hi,guys

I have an FTP server in the internal network, and TMG has published it, but I can't upload files through TMG. What's wrong?

Nice Day

Publish issue


Hi,guys

I have deployed TMG as our reverse proxy. We published a web server located in the internal network. Internet users can successfully access the web server; however, internal users can only access it by IP address, not by domain name.

Nice Day

TMG URL set


Hi, guys

I configured some URL sets, but they seem not to work. Where should I start to check? Or where can I get some detailed information about that?

Nice Day

TMG Firewall service terminates with service-specific error %%213001


Following a recent reboot, the TMG Firewall service has started to crash shortly after startup, reporting Service Control Manager event 7024 in the System event log and, at the same time, Microsoft Forefront TMG Firewall event 14001 in the Application event log.

The service crashes every time.

The event log messages say:

  • Log: System
  • Source: Service Control Manager
  • Event ID: 7024
  • Message: The Microsoft Forefront TMG Firewall service terminated with service-specific error %%213001

  • Log: Application
  • Source: Microsoft Forefront TMG Firewall
  • Event ID: 14001
  • Message: Firewall Service failed to initialize. Previous log entries might help determine the proper action

The only other event logged is a Service Control Manager 7036 (service entered the stopped state) for the TMG Firewall service, logged at the same time as the 7024. There's nothing else being logged at all.

Does anyone have any ideas as to why it's crashing? Or how I can get some more detail about what it's up to during service initialisation? I can't find any reference to the %%213001 error code. Is there a lookup for those, or do I need to open a case?


Any Substitute for FF TMG 2010 ?


Hi,

Since Microsoft Windows 2012 and FF TMG 2010 are not compatible, and there won't be any upgrade for TMG nor any newer version or service pack, shall we switch to Cisco, or will there be a substitute?

Systems behind TMG 2010 firewall are unable to get any updates from the internet


Hi Team,

I have Windows 8 and Windows 2012 systems which are behind the TMG 2010 firewall, and NONE of these systems are getting any type of updates from the internet.

Any Help?


Muhammad Nadeem Ahmed Sr System Support Engineer Premier Systems (Pvt) Ltd T. +9221-2429051 Ext-226 F. +9221-2428777 M. +92300-8262627 Web. www.premier.com.pk


Ports required between TMG and EMS Server.


Hi,

We have a situation where we are using a TMG server as a reverse proxy server which will reside in the DMZ network, but my existing EMS server resides in the corporate network. Which ports need to be allowed between TMG (DMZ) and the EMS servers? There are a few articles which say 1000-65535, some say 10000-65535 and some say 49152-65535. Which ports are required between TMG and EMS? All servers have Windows Server 2008 R2.

Thanks and Regards,

Praakassh Ghaitadke

TMG Stops responding every 4 days / many connection drops with idle vpn connections


Hi everyone!

I am running a TMG firewall with about 200 users connected, on Server 2008 R2, patch level 7.0.9193.601.
It is virtualized on Hyper-V 2008 R2. Additionally we have 4 IPsec site-to-site VPNs configured in Windows Firewall with Advanced Security, as TMG doesn't provide such a comfortable way to configure them directly in TMG.

About 3 months ago that TMG started to lose connectivity from time to time. At first we were not monitoring that problem precisely, as we thought it was an ISP issue, but some days before Christmas that TMG server just dropped every outgoing connection and stopped listening!

I was able to control the server over Hyper-V directly, but no connection inbound or outbound could be established (no incoming VPN or outgoing surfing).

I checked the event logs and there was NO other error than the errors from the TMG connection verifiers.
As far as I was able to tell, TMG still worked as far as the logs and the engine were concerned, but no routing was done at all!

The last resort was to reboot the TMG; then everything worked as before.
This behaviour then appeared every 4 days. Simple workaround: a scheduled reboot every 3 days!

But that is no satisfying solution. Additionally, some VPN users reported that their connections have quite annoying drops from time to time; unfortunately I was not able to trace the error.

Possible sources that I can exclude:
- Backup (online snapshot with ArcServe; the server was NOT saved)
- AV (Symantec Endpoint Protection 12.1; it was uninstalled, nothing changed)

Any ideas??
Best regards

Configure TMG to work with AD FS 3.0 (Server 2012 R2)


Our current environment contains two Server 2012 Domain Controllers running AD FS 2.0. We are using TMG, installed in our perimeter network, to load balance the servers in a server farm and make the connection with Office 365. This has been working great for almost a year now. The decision was made recently to upgrade the domain controllers to Server 2012 R2 (with AD FS 3.0). We have replaced one of the servers and have AD FS 3.0 installed and configured on it. It is working okay to connect our internal users to Office 365. The problem is in getting TMG reconfigured to work with AD FS 3.0. The problem appears to be that with the current version we configured IIS to allow us to use Windows Authentication when connecting externally to Office 365. AD FS 3.0 does not use IIS, and its Authentication Policy for the extranet does not permit Windows Authentication.

Is there anyone who has run into this same scenario and found a way to configure TMG to work correctly? We know that we could set up a Web Application Proxy to handle this, but we would prefer not to have to set up an additional server in our perimeter network, if possible.

TMG Web Filter - Problem with Event Notifications


Hi

We are trying to implement step-up authentication (out-of-band SMS or email) in addition to the regular HTML form-based authentication for users accessing sites published using TMG. To achieve this we tried to create a web filter which registers for the SF_NOTIFY_AUTH_COMPLETE event. Our plan was to redirect the user to a web application which handles the step-up authentication when this event was triggered (which we assumed would happen after the HTML form-based authentication).

But we observe that the SF_NOTIFY_AUTH_COMPLETE event is called every time the published site is accessed. How can we filter out event triggers other than the one which occurs immediately after HTML form-based authentication? Is there any other event type I can register for? Or can we check any data that is passed in the notification structures?

Thanks in advance!!

Santosh.

Twitter and YouTube rules on TMG


Dear all,

I have a TMG 2010 server. All users can open Twitter and YouTube

despite my creating rules!!

1- I created a URL set and a domain name set (*.Twitter.com & *.youtube.com & *.Facebook.com) and (https://www.facebook.com/ & https://twitter.com/ & https://www.youtube.com/)

2- Created rules: Deny >> HTTPS & DNS from Internal to the URL and domain sets (YouTube and Twitter) >>> not working

3- Created rules: Deny >> All Protocols from Internal to the URL and domain sets (YouTube and Twitter) >>> not working

- I need to block these sites. Please help!!

Thanks
