TMG and Azure

November 21, 2012, 7:43 am

≫ Next: publishing rdweb access url, after login its redirecting to internal url thus failing.

≪ Previous: The Configuration Storage Server Certificate is expired

We have installed a TMG in our office. We want developers machines can open remote desktops in Azure (3389) and also have access to SQL Server (1433).

From an external internet I have found that I can connect to these services, therefore I understand that they are rules I configure network but not exactly where.

thanks

↧

publishing rdweb access url, after login its redirecting to internal url thus failing.

December 26, 2012, 6:53 am

≫ Next: Unable to access Microsoft Home Page through proxy

≪ Previous: TMG and Azure

Hi guys,

I am setting up a VDI for cloud, thus publishing RDWEB access URL to internet via TMG. I can get the form-based login page of RDWEB access server, but as soon as I submit creds....it is failing with error - can't find the server "internal RDWEB access URL".

I noticed that after submitting the creds..its getting redirected to internal URL, which is https://rdweb.internal.domain.com/rdweband thus failing obviously.

But why its behaving like this? Any ideas?

thanks in advance.

himanshu

MCTS|MCSE|MCSA:Messaging|CCNA

↧

Unable to access Microsoft Home Page through proxy

December 26, 2012, 8:11 am

≫ Next: Error Code 64: Host not available

≪ Previous: publishing rdweb access url, after login its redirecting to internal url thus failing.

We are unable to access Microsoft Home page through our proxy. We are able access other links linkewww.update.microsoft.com and so on.

FYI, we are having ISA 2004 proxy.

↧

Error Code 64: Host not available

October 16, 2012, 5:26 am

≫ Next: Outbound Traffic Issue with TMG and Multiple WAN / ISP Connections

≪ Previous: Unable to access Microsoft Home Page through proxy

TMG 2010 SP2 RU2 as an edge firewall running on Hyper-V.

The following URL Works fine:

http://update.contoso.com/Packages/f5092a1d-2344-408a-a03a-f032d63dcdc2/PackageManifest.xml

The following similar URL to the same external host throws an error code 64,

http://update.contoso.com/Packages/6114f1cc-ab5e-4196-841f-d8aa8d42e994/PackageManifest.xml

Here is a snip from the diagnostic log:

114353

16.10.2012 14:04:04

0d722b7a
0d722bff

Web Proxy

Forefront TMG will connect to the Web server update.contoso.com on the IP
address x.x.x.x and port 80.

114354

16.10.2012 14:04:04

0d722b7a
0d722bff

Web Proxy

Forefront TMG is forwarding the request to the target host server for the
path
/Packages/6114f1cc-ab5e-4196-841f-d8aa8d42e994/PackageManifest.xml.

114355

16.10.2012 14:04:05

0d722b7a
0d722bff

Web Proxy

Forefront TMG rejected the request with the HTTP status code 0 and will
return the following error message to the Web client. "The specified network
name is no longer available. (64)"

Any ideas ?

Regards

Henning

Record	Time	Context	Log Source	Message

↧

Outbound Traffic Issue with TMG and Multiple WAN / ISP Connections

December 27, 2012, 11:58 pm

≫ Next: Problem with WNLB on TMG with VMware and Cisco

≪ Previous: Error Code 64: Host not available

Hi there,

We have a scenario where 3 (three) multiple external Internet connections are connected directly to our TMG with publicly subnetted address ranges on separate NICs and connected to separate routers.

The configuration is 1 x ADSL2 connection (which is the only connection configured on TMG with a default gateway), and 1 x 4Mbit SHDSL and 1 x 2Mbit SHDSL. We also have one internal NIC and a perimeter NIC.

I am attempting to implement server publishing rules on the 4Mbit and 2Mbit services but all of the outgoing traffic appears to return or be limited by the bandwidth of the default gateway's connection. I've tried creating NAT Network Rules to services to encourage the return traffic back through the NIC it originated on but it seems that everything which exits the network to the Internet through TMG, regardless of any server publishing rules, ends up going out the default gateway. For example, ingress traffic with any publishing rule on the 4Mbit service comes in through the 4Mbit service, but appears to send all of its egress traffic through the ADSL2 connection, rather than returning in a stately fashion to the incoming IP address on the 4Mbit NIC. (This doesn't make a lot of sense to me routing-wise but it's what I'm seeing through NIC traffic and packet captures).

Is this configuration something which is supported on TMG? - Multiple WAN links with specific publishing rules on each NIC, expecting traffic to exit on the same NIC that it enters? Does it require further configuration? Or does TMG just not work like this?

I have tested extensively and happy to provide further detailed information.

Thanks, Tim.

↧

Problem with WNLB on TMG with VMware and Cisco

December 28, 2012, 10:27 pm

≫ Next: Cannot use WMI remotely

≪ Previous: Outbound Traffic Issue with TMG and Multiple WAN / ISP Connections

We just deployed TMG 2010 in an array managed by one EMS server, there are two members of the array. All of the TMG nodes are running on a VMware hyper-visor. The two TMG array members have two nics a piece, one for internal and one for DMZ. Both nics have static IP addresses assigned to them. We have WNLB configured on both the internal and DMZ side. The problem right now is that we can only get a response from the primary cluster VIP on both internal and DMZ side. I have configured static ARP entries on our cisco router which DID fix the primary VIP and DID allow us to use that. But all of the secondary VIPs associated to internal and DMZ servers are not working. From the local subnet the secondary VIPs don't even respond. I need some help!!! We have been working on this for 2 days now nearly non-stop and I'm all out of ideas!

↧

Cannot use WMI remotely

December 28, 2012, 3:01 pm

≫ Next: Connection to configuration server is broken (ISASTGCTRL certificate expired)

≪ Previous: Problem with WNLB on TMG with VMware and Cisco

I am trying to use my new network monitoring software to monitor our TMG 2010 server via WMI.

The application gives me a WMI error and when I try to run a WMI command against it remotely I get the RPC Server unavailable error. I have made sure that the RPC service is on.

When I look at the TMG logs I see this

RPC (all interfaces)Initiated Connection [System] Allow remote management from selected computers using MMC0x0 SUCCESS

followed by this:

RPC (all interfaces)Closed Connection[System] Allow remote management from selected computers using MMC0x80074e24 FWX_E_CONNECTION_KILLED

I even tried making a rule from the monitoring server to the firewall and disabled the RPC filter. No luck.

Does anybody know how I can fix this?

↧

Connection to configuration server is broken (ISASTGCTRL certificate expired)

December 28, 2012, 11:30 pm

≫ Next: publishing https thruogh TMG doesnt work properly

≪ Previous: Cannot use WMI remotely

hi......this is farooq

we have the same scenario

we have ISA configuration server(ISACS01) and two ISA array members( ISA01 & ISA02)

few days back one of the certificate in the ISA configuration server got expired and i renews it perfectly and placed on the certicate personal store on the ISACS01 but the daily reports on the ISA is getting failed( geting " generating" continously

and also when iam trying to communicate with ISACS01( ISA configuration server using the troubleshooting tab( Traffic simulator) in the ISA console in ISA array member) i am getting the following error.

"Traffic simulator cannot be completed.
The configuration of the selected server is not syncronized with the configuration storage server.check synchonization tab of moniroting node in ISA
Server management."

Kindly let me know whether iam missing something

yOUR REPLY IS HIGLHLY APPRECIATED...........

↧

publishing https thruogh TMG doesnt work properly

December 10, 2012, 4:55 am

≫ Next: Forefront TMG Exchange 2010 Active Sync rule and Airwatch

≪ Previous: Connection to configuration server is broken (ISASTGCTRL certificate expired)

hello ,

im trying to publish a plan https website which is https//sof.****.***/"with whatever after here"

the publishing to come to the first oage which is the login page is wokring fine , but there is nothing happening after i put my credentials and login

on the tmg i tried to monitore whats going on there was no errors and everthing looks very smooth

i have published another website from the same forest as well but nothing loading as well after the login page , is there any way solve this issue ? i beleive that the website would change its post descreptions and characters after the login happening like any other website

Best Regards

↧

Forefront TMG Exchange 2010 Active Sync rule and Airwatch

May 22, 2012, 5:49 pm

≫ Next: Bypass Microsoft Threat Management Gateway 2010 Proxy

≪ Previous: publishing https thruogh TMG doesnt work properly

We are in the process of securing our iPhone fleet using Airwatch. In order to enroll devices with Airwatch you go to a website from the device, enter a group name and your credentials. This then talks to the Exchange server and configures the device with email. Unfortunately the Forefront TMG server seems to be blocking this traffic from going through and I can't figure out why. All ActiveSync traffic works fine, so devices which are already connected, remain connected and working, but enrollment from the Airwatch website does not work. When we have all ActiveSync traffic routed to Exchange through our Juniper devices there are no issues with enrollment so I know the problem is not with Exchange. The error in the TMG logs is "12309 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator." I suspect the Airwatch website is trying to make an anonymous connection to our Exchange server which is being blocked by TMG. When I try to change the ActiveSync rule to allow All Users I get an error message that "The Web listener selected for this rule requires authentication. However, when the All Users user set is selected for a rule, authentication is not performed. To apply authentication to this rule using this configuration, select the Require all users to authenticate check box in the Web listener Advanced Authentications dialog box."

Has anyone else come across this issue and can they suggest what settings might be required on the ActiveSync rule or the Exchange Web Listener, in order to make this work.

Regards Kate

↧

Bypass Microsoft Threat Management Gateway 2010 Proxy

December 6, 2012, 8:08 pm

≫ Next: ISA 2006 Error "The query stopped because an error occurred while it was running."

≪ Previous: Forefront TMG Exchange 2010 Active Sync rule and Airwatch

I am currently bypassing some external websites, servers, ip using internet explorer using bypass settings. I want to bypass this traffic from TMG program directly instead of explorer because i want to reroute all my HTTP traffic from core switch instead of client redirection. Any help will be really appreciated.

Eric Kim

↧

ISA 2006 Error "The query stopped because an error occurred while it was running."

November 25, 2012, 2:58 pm

≫ Next: how to block yahoo mail and gmail in TMG 2010

≪ Previous: Bypass Microsoft Threat Management Gateway 2010 Proxy

After uninstalling and reinstalling ISA 2006 Enterprise and SP1 on a Server 2003 SP2 server, I noticed that I can only use the session monitoring during one boot of the server. Whenever the server is rebooted and I open Monitoring, this error pops up again and nothing works.

I did a search and someone said it was related to the user profile, so I deleted the profile and logged in with a new profile and it was temporarily fixed until the next reboot of the server.

I even created a brand new user account and logged in and had the same issue of only being able to use the Monitoring until the server is rebooted and then having to delete the profile.

Other searches about this referred to a database being too large. ISA has only been installed for 2 days and there are only a few rules and clients, so there is no huge database.

The error message is very generic and I don't see anything related to this in Windows event logs.

What else can be done to fix this other than deleting the user profile at every restart?

↧

how to block yahoo mail and gmail in TMG 2010

December 30, 2012, 12:18 am

≫ Next: ERROR 21280 in isa server 2006

≪ Previous: ISA 2006 Error "The query stopped because an error occurred while it was running."

Hi everyone

Recently I have configured a TMG 2010 in my network and now my boss wants to block all web email access specially yahoo mail and gmail ?

I tried URL filtering and IP filtering but it is not working , my clients still can use yahoo mail and gmail from the main page of yahoo and google .

If any one has any experience or solution for my problem please kindly let me know .

↧

ERROR 21280 in isa server 2006

December 29, 2012, 8:42 pm

≫ Next: name could not be matched to a name in the address list with Exchange server 2007

≪ Previous: how to block yahoo mail and gmail in TMG 2010

hi,i`m a new problem pls help me : step by step

((The size of the free non-paged pool fell below the system-defined minimum. ISA Server will reject new connections unless they are initiated by the ISA Server computer. In addition, the timeout for idle TCP connections was reduced. This alert may indicate an attack on the ISA Server computer. Use the log viewer to examine ISA Server traffic. This event may also be raised when the ISA Server computer does not have the resources needed to handle legitimate traffic. If this is the case, you may need to add more memory to the system.))

↧

name could not be matched to a name in the address list with Exchange server 2007

December 30, 2012, 2:37 am

≫ Next: Is there a separate installer for TMG 2010 enterprise (as opposed to standard)

≪ Previous: ERROR 21280 in isa server 2006

Dears,

Iam facing an issue with some emails accounts which are configured with outlook anywhere ( Exchange server 2007)

everytime the outlook shows as " try to connect" and it connect sometimes and again disconnecting.

when i did a test for some user on "https://www.testexchangeconnectivity.com/"

i go the error as " name could not be matched to a name in the address list"

However the user is able to login with webmail( OWA) perfectly.

Kindly help me in the above regard as we are facing the above issue.

↧

Is there a separate installer for TMG 2010 enterprise (as opposed to standard)

December 30, 2012, 9:43 am

≫ Next: ISA 2006 stops serving internet request

≪ Previous: name could not be matched to a name in the address list with Exchange server 2007

Hi,

Can someone confirm if the installer files for TMG2010 Standard and Enterprise are the same, with the actual version being implemented is decided by the serial key?

Thanks

↧

ISA 2006 stops serving internet request

December 15, 2012, 2:06 am

≫ Next: Forefront TMG 2010 – internet is not accessible

≪ Previous: Is there a separate installer for TMG 2010 enterprise (as opposed to standard)

Hello,

With the above thread i found some topics but still want some solution for my problem.

I have ISA server 2006 Standard installed on windows server 2003 standard edt. Some time its stops responding requests. I have troubleshoot and fix the DNS issue on the server. Still i am facing the issue and till i restart firewall service or server the issue stays as it is. And after restarting the service or server the issue gets resolved. This is happening now frequently. Please suggest any solution on the same.

Thanks in advance

A. V. Deshpande

↧

Forefront TMG 2010 – internet is not accessible

December 30, 2012, 8:49 pm

≫ Next: How to publish website, exchange through UAG 2010, as i have upgraded from ISA 2004.

≪ Previous: ISA 2006 stops serving internet request

I have install forefront TMG 2010 on my lab server (windows server 2008 R2), after installation I can’t access the internet on local server and internal server, please help me for the issue. Is it required any pre-configuration?

↧

How to publish website, exchange through UAG 2010, as i have upgraded from ISA 2004.

December 30, 2012, 9:29 pm

≫ Next: FIREWALL TMG CLIENT unable to access TFS server

≪ Previous: Forefront TMG 2010 – internet is not accessible

I have upgarded my ISA 2004 to UAG 2010, Restored the backup on new UAG 2010 but my website for external world , owa are not getting connect from outside. i have restored full backup. is there any additional steps to do ?

shailesh chauhan

↧

FIREWALL TMG CLIENT unable to access TFS server

December 30, 2012, 10:46 pm

≫ Next: ISA problem with microsoft site

≪ Previous: How to publish website, exchange through UAG 2010, as i have upgraded from ISA 2004.

Hello All,

As in our network TMG CLIENT is installed on all computers, the issue we are getting the users connect the TFS server, but when TMG client is enable they are unable to connect the tfs untill n unless they disable it

Please give me the resolution of this issue.

thanks

REGARDS DANISH DANIE

↧

Latest Images