Channel: Forefront TMG and ISA Server forum

HTTPS Inspection causes Error 12030 (Connection to the server ended unexpectedly)


Hi all,

Since nobody on the German TechNet platform has any ideas about this, I'll try it here :)

We have implemented a TMG 2010 (SP2 + Rollup 5) with HTTPS Inspection; the certificate used to inspect sites is issued by a 2008 CA. We followed this blog post to generate it: http://blogs.technet.com/b/isablog/archive/2014/08/29/how-to-create-a-cng-httpsi-cert-using-a-2008r2-ca.aspx

So far, so good. CNG/SHA2 sites are no issue (Twitter, Google etc.) and work fine, but some HTTPS sites throw error code 12030.

Examples of this behaviour are the sites httpsnow.org and https://www.nudelheissundhos.de

I don't know why this is a problem. The proxy service listens only on port 8080 (HTTP + HTTPS); can this be an issue?

Another thing I just noticed: the httpsnow.org public key is 4096 bits, while the CNG certificate is issued with 2048-bit strength. Can this cause the issue? Can it be resolved if I issue a 4096-bit certificate for inspection? Or should I use 8k to be sure there will be no further problems with other sites?

On the other hand, https://www.nudelheissundhos.de has "only" 2048 bits, and https://www.moparisthebest.com/ (some random site with SHA1 + 4096 bits) works fine.

Hope someone knows about this problem 12030 and can help me out :)

Of course, the problematic sites can be reached when inspection is disabled for them... but I don't like this as a "solution", because it is no solution, and I don't understand why those sites are a problem.

Ah, and this is our TLS/SSL config on the server:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"AllowInsecureRenegoClients"=dword:00000000
"DisableRenegoOnServer"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enable"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"

Thanks in advance
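Before chasing the 12030 error any further, the posted SCHANNEL export is worth a configuration review in its own right. The Python script below is an added example for that purpose (it is not from the post, from Microsoft, or from TMG): it parses a .reg export, tolerates the run-together value lines seen in the post, reports each protocol's client/server state, and flags what a hardening review would question: SSL 3.0 enabled on both sides, the value name "Enable" under SSL 2.0\Server (SCHANNEL reads "Enabled", so that entry has no effect and the server side of SSL 2.0 stays at the OS default), and 3DES/DSS suites in the cipher-suite order. SAMPLE_REG is a constructed, abridged copy of the posted export; the protocol and cipher-key paths are the standard SCHANNEL locations. The post does not establish whether any of this relates to the 12030 failures, so treat the output as a configuration check, not a diagnosis.

```python
import re

# Constructed sample: an abridged copy of the SCHANNEL export posted above,
# including one run-together value line as it appeared in the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"AllowInsecureRenegoClients"=dword:00000000
"DisableRenegoOnServer"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enable"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
"""

PROTO_BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
CIPHER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
PROTOCOLS = ("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2")
DEPRECATED = {"SSL 2.0", "SSL 3.0"}
KNOWN_PROTO_VALUES = {"Enabled", "DisabledByDefault"}   # the only names SCHANNEL reads under a protocol side
WEAK_CIPHER_MARKERS = ("3DES", "_DSS_", "RC4", "NULL", "_MD5")

KEY_RE = re.compile(r"^\[(.+)\]$")
# findall rather than match, so several "name"=value pairs fused onto one line are all read
VAL_RE = re.compile(r'"([^"]+)"=(dword:[0-9a-fA-F]{8}|"[^"]*")')


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: int | str}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        for name, val in VAL_RE.findall(line):
            keys[current][name] = int(val[6:], 16) if val.startswith("dword:") else val[1:-1]
    return keys


def protocol_state(keys, proto, side):
    """Effective state of one protocol side as recorded in the export."""
    vals = keys.get(f"{PROTO_BASE}\\{proto}\\{side}", {})
    if "Enabled" in vals:
        return "enabled" if vals["Enabled"] != 0 else "disabled"
    if vals.get("DisabledByDefault") == 1:
        return "disabled-by-default"
    return "os-default"


def audit(keys):
    """Return human-readable findings a hardening review would raise on this export."""
    findings = []
    for proto in PROTOCOLS:
        for side in ("Client", "Server"):
            vals = keys.get(f"{PROTO_BASE}\\{proto}\\{side}", {})
            for name in vals:
                if name not in KNOWN_PROTO_VALUES:
                    findings.append(f"{proto}/{side}: value name '{name}' is not one SCHANNEL reads "
                                    f"(expected Enabled or DisabledByDefault); the entry has no effect")
            state = protocol_state(keys, proto, side)
            if proto in DEPRECATED and state in ("enabled", "os-default"):
                findings.append(f"{proto}/{side}: {state}; deprecated protocol should be explicitly disabled")
    suites = keys.get(CIPHER_KEY, {}).get("Functions", "")
    for suite in filter(None, suites.split(",")):
        hits = [m for m in WEAK_CIPHER_MARKERS if m in suite]
        if hits:
            findings.append(f"cipher suite {suite}: weak primitive(s) {', '.join(hits)} in policy order")
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for proto in PROTOCOLS:
        print(f"{proto:8} client={protocol_state(parsed, proto, 'Client'):20} "
              f"server={protocol_state(parsed, proto, 'Server')}")
    for finding in audit(parsed):
        print("FINDING:", finding)
```

To run it against a real export, replace SAMPLE_REG with the contents of a `reg export` of the SCHANNEL key (plus the cipher policy key) and leave the rest unchanged; the parser only reads key paths and dword/string values, so it has no effect on the machine it runs on.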


TMG on MSDN

What is the last year that TMG was distributed on MSDN as a development license?

Will

Install FTP services on TMG 2010


We need to securely publish an FTP server to the internet.  We already have a TMG 2010 server in place to securely publish Exchange 2010 ActiveSync and OWA.  I know it can publish FTP sites.  Is there any issue with the TMG 2010 server being the FTP server itself; installing the FTP role on the TMG 2010 server and then publishing it securely?  Any security issues with this?

J

iPhone and android VPN problem


Hi guys,

I have a very strange problem. I have implemented a VPN server in TMG and am dealing with a problem. When I connect via a PC, everything is OK and I can see the remote LAN, but when I connect via an iPhone or Android device, the VPN gets connected (TMG shows the VPN IP address) but I cannot ping or access any remote LAN host. I'm trying to connect to my VoIP server but getting this problem.

As this problem is so critical for me, any help would be so appreciated.

Thanks and regards,

Bahman


Browsing HTTPS Web Pages


Hi.

I have an environment where one TMG 2010 server exists. It's a Windows Server 2008 R2 Enterprise with just one NIC, so I don't have any publishing rule or web listener.
The issue comes when trying to access a site where the protocol is secure (HTTPS) and a block rule is in place for that site/domain. If the protocol is not secure (HTTP), I can see the HTML page I've set within "Redirect web client to the following URL:" in the advanced options of the rule.
However, when the blocked protocol is HTTPS, I don't see the HTML page I've set but "This page can't be displayed. Make sure the web address https://www.youtube.com is correct." if using Internet Explorer, although the TMG blocking rule is accurate. So I can see the rule is properly blocking, but not displaying the URL/HTML I want.

Is there a way for handling HTTPS blocked connections with a custom error page (html)?

Thanks in advance!


Infrastructure Management Sr. Analyst | MCSA Windows Server 2012

isa 2006 wspsrv.exe high cpu load


I have an ISA 2006 server which ran for 5 years without any problem. As the hardware is getting old now, I decided to move to a new server, but due to the hardware I was unable to install Server 2003, which is the only OS ISA runs on as it is 32-bit. I then decided to install Server 2008 R2 and install ISA 2006 on a VM. I installed all updates and patches on Server 2008 and on the 2003 running in the VM, and SP1 for ISA.

Everything went fine; I transferred the rules and Exchange and everything works fine. However, every day, two days, three days, very randomly and with no systematic timeframe, ISA 2006 wspsrv.exe gets a 99% CPU load and then the service makes the internet stop. No internet access anymore, no ping by name or IP. Rebooting the server fixes that problem until it happens again. It also happens at different times, when people are working or even during the weekend when no one is working on the system.

I have no idea anymore what I could do next. ISA is the only thing installed on the server.

Any help would be appreciated

TMG 2010- 10060 Connection Timeout


Good night!

I need your help.

I have a rule to allow access to a webpage, but it never loads (intranet).

I can get in if I try without TMG (extranet).

  • Error Code 10060: Connection timeout
  • Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties.
  • Date: 3/16/2015 11:17:27 PM [GMT]
  • Server: xxxx.xxxx.xxx.xx
  • Source: Firewall

Any idea?

Regards!!

ADFS 3.0 compatibility


Hello,

I've tried to set up the new ADFS version with TMG 2010, since it was working perfectly with ADFS 2.0, and I ran into a lot of trouble with it. Here is basically what my problem was:

http://blogs.blackmarble.co.uk/blogs/adawson/post/2014/07/08/Publishing-ADFS-using-Web-Application-Proxy-behind-TMG.aspx

Does anyone have any official information about compatibility issues with TMG? I would rather not use a WAP but if Microsoft officially states that it is not possible to publish it through TMG then I guess I'd have no choice.

Thanks!


test

[ADFS 3.0] Compatibility with TMG 2010


Hello,

Did anyone successfully configure the new ADFS in a TMG environment? I was unable to make it work, and after days of searching on the Internet and not finding anything related to it, I'm starting to think there is some incompatibility issue.

Does anyone have any info on this?

Thanks!

ADFS 3.0 WAP Publishing Rule in TMG for Certificate Authentication


I'm having a real issue with TMG publishing ADFS 2012 R2 certificate authentication. I have successfully published NLB WAP servers and everything works fine to the ADFS NLB servers internally. But when I try to publish 49443 (certificate authentication), it hits the WAP servers with no issues, then gets blocked from the WAP servers to the ADFS servers as unidentified TCP traffic. I have created a separate access rule for this, as I can see it creates a new connection. Just unsure as to how it sees 49443 as defined traffic in one rule and blocked in the next!

TMG is behind a firewall, so internet traffic is NAT'd to TMG external; a non-web rule allows access to the WAP server NLB address. WAP servers are single NIC and send traffic from the TMG DMZ to TMG Internal to hit the internal ADFS servers.

Any help appreciated. I know this is a non-standard install, but I am lacking choices from the client. I have seen this article, but is it applicable to ADFS 3.0 as well, which lacks IIS?

http://social.technet.microsoft.com/wiki/contents/articles/11185.adfs-publishing-rule-in-tmg.aspx

WPAD Issue Migrating ISA 2006 to TMG 2010. Internet traffic still flowing through Old ISA 2006 Server.


I'm having a perplexing issue with our migration from ISA 2006 to TMG 2010. In a nutshell, we use DNS for WPAD.dat distribution. To test the WPAD.dat from TMG before I make a global change in DNS, I changed the HOSTS record on a group of Windows 7 users in our pilot group and rebooted them. After the reboot, when I look at their IE, all proxy settings are correct with the new TMG 2010 server, as is the automatically detected Forefront server in their Forefront TMG client (we run that on all workstations here). So all looks perfect.

However, their Internet traffic is still going through our old ISA 2006 server. On the Windows 7 client machines, in the registry, I found that within the subkeys of the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad there are multiple pointers to the old ISA 2006 server. As a test, I deleted the entire key and rebooted, and then all Internet traffic was correctly routed through the new TMG 2010.

Any idea what the problem might be? Why aren't these subkeys populating with the new WPAD address? I don't particularly want to delete this key on all our workstations unless there's a good reason to. It appears the key does repopulate; however, it doesn't contain any pointers to the new TMG 2010 like the old key did.

Below is a screenshot showing a client workstation with the correct settings in IE, but the wrong settings in the Registry.  Seatmg.wkg.com is the new TMG 2010 server and Seaisa.wkg.com is the old ISA 2006 server.

Thank you!


George Moore

TMG

Hi everyone, I have a problem with TMG 2010. I have one internal web server for documents. If I enable the proxy setting in Internet Explorer, I cannot connect to the web server, but if this link is in the proxy bypass list, I can connect. Users have full port access. In this firm I created a VPN in TMG; VPN users also cannot connect, but they have full access to ports. In the web filter I disabled web filtering, but I again cannot connect. Thanks, best regards, Farid.

Authentication Required During Web Sites Access


Hi All,

It has been observed randomly, mostly on proxy users behind the Forefront TMG firewall, that when they access a web site they are asked for authentication, and when they re-login the issue resolves.

For troubleshooting purposes I checked other resources like SMB shares, which work fine.



64 The specified network name is no longer available


Hi Experts,

We have been using TMG 2010 for the last 5 years as a reverse web proxy for OWA, Outlook Anywhere, ActiveSync etc. Of late, users from one particular site have been complaining of regular disconnections on Outlook and OWA.

We don't have complaints from any other site except this one, whereas users in this site can browse other secure web sites without any challenge.

I have diagnosed the packets coming from their public IP, and I could see that a lot of connections happen successfully, whereas for a few it shows either a denied connection or a failed connection attempt.

If I concentrate on the failed connection attempt, I get the below information. Can someone provide any hint on the possible resolution for this issue?

Any help would be much appreciated

Failed Connection Attempt 3/19/2015 1:29:14 PM
Log type: Web Proxy (Reverse)
Status: 64 The specified network name is no longer available.
Rule: Outlook anywhere success rule
Source: External (91.230.41.193:53933)
Destination: Local Host

Filter information: Req ID: 19374dc2; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=yes, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous



Md.Abubakar Noorani IT Systems Engineer Serco Ltd.


Isa server standalone, applying SSL to install OWA and ActiveSync


Hello,

I have an ISA Server standalone, and behind it is my domain, sort of: internet--->my router--->ISA server--->my domain

I am running a CA in my domain.

I imported a certificate called "mail.mydomain.com" into the Computer certificates console on this ISA Server. To achieve this, I first exported the certificate from the actual Exchange mail server inside the LAN, then imported it on the ISA machine.

The issue is that when I am creating a Web Listener in a publishing rule (publishing OWA and ActiveSync), it cannot access the certificates of this ISA Server. It looks like it is not recognized.


Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)

TMG Roll ups


Hi,

I am using TMG 2010. My question is regarding rollup installation. I have installed Rollup 5 on a TMG 2010 SP2 server.

My question is: is it mandatory to install all the rollups (1 to 5) on TMG 2010 SP2, or is Rollup 5 alone enough?

Please also suggest the order of installation of the rollups.

Thanks 


OWA publishing rule not working in UAG with multiple domains when a SAN entry does not exist


Hi,

We have published OWA 2013 through UAG, but one domain entry does not exist in the SAN certificate, and for that domain OWA is not working. We have a public certificate.

Is there any workaround in UAG so that, even if a SAN entry does not exist for one domain, UAG will still authenticate the request for the domain missing from the certificate?

Thanks


jitender
