Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

TMG - OWA publishing - Restrict access

Dear TMG community,

I have the following situation:

- 1xTMG Single NIC, Domain Member, Located in Main office
- OWA, Outlook Anywhere, Autodiscover published, SSL cert
- many small branch offices across the country accessing OWA via a specific Blue Coat proxy

Current OWA rule:

Allow, From Anywhere, HTTPSListener - HTML Form Auth, Windows (AD), No Delegation, but client may authenticate directly, All Users

This allows anyone with AD account to access and use OWA from anywhere. Now there is a request to limit this as follows:

1. Branch users may access OWA only from branch networks (on TMG it comes as from one IP - the Blue Coat proxy - easy to detect)
2. Main office users may access OWA from anywhere - even branch office networks

I created "Branch users" group in AD and TMG and "Branch networks" object in TMG. I plan to create a rule and place it before existing OWA allow rule as follows:

Deny, From Anywhere Except "Branch Networks", HTTPSListener - HTML Form Auth, Windows (AD), No Delegation, but client may authenticate directly, "Branch Users".

Will this prevent "Branch Users" from accessing OWA from other networks and let them use it from "Branch Networks" ?
Will all the other users hit the old Allow rule and be able to access OWA from any network?
Will it be necessary to turn on the "Require all users to authenticate" option in the HTTPS listener?

Any idea how to make this most efficiently?

Thanks
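To make the ordering question concrete, here is a small first-match policy evaluator, added as an illustration and not TMG code or the poster's configuration. The Blue Coat egress address, the user names and the rule names are invented. The model assumes what the post describes: the listener authenticates the user (HTML form auth) before rules are evaluated, rules are walked top to bottom, the first rule whose source and user set both match decides the request, and a request that matches nothing is denied by the default rule. It also shows the anonymous case: in this model a request with no authenticated user cannot match the user-specific deny rule and falls through to the "All Users" allow, which is exactly the situation the "Require all users to authenticate" option exists to close.

```python
"""Simplified first-match evaluator for the two OWA rules discussed above.

Added example, not TMG code.  Addresses, user names and rule names are
assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed: the single Blue Coat proxy address all branch offices egress from.
BRANCH_NETWORKS = [ip_network("203.0.113.10/32")]
# Assumed membership of the "Branch Users" set.
BRANCH_USERS = frozenset({"branch.alice", "branch.bob"})


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    users: Optional[frozenset]      # None means "All Users"
    from_nets: Optional[list]       # None means "Anywhere"
    except_nets: tuple = ()         # "Anywhere Except ..." exclusions


def source_matches(rule: Rule, src: str) -> bool:
    """True when the client address is inside 'from' and outside 'except'."""
    ip = ip_address(src)
    if rule.from_nets is not None and not any(ip in n for n in rule.from_nets):
        return False
    return not any(ip in n for n in rule.except_nets)


def user_matches(rule: Rule, user: Optional[str]) -> bool:
    """'All Users' matches anyone; a named user set needs an authenticated user."""
    if rule.users is None:
        return True
    return user is not None and user in rule.users


def evaluate(rules, user: Optional[str], src: str):
    """Return (action, rule_name) of the first matching rule, else the default deny."""
    for rule in rules:
        if source_matches(rule, src) and user_matches(rule, user):
            return rule.action, rule.name
    return "deny", "Default rule"


# The proposed policy: deny Branch Users off-branch, then the existing allow rule.
POLICY = [
    Rule("Deny Branch Users off-branch", "deny", BRANCH_USERS,
         None, tuple(BRANCH_NETWORKS)),
    Rule("Allow OWA", "allow", None, None),
]


def main():
    cases = [
        ("branch.alice", "203.0.113.10"),   # branch user via the branch proxy
        ("branch.alice", "198.51.100.7"),   # branch user from a hotel network
        ("hq.carol", "198.51.100.7"),       # main-office user from anywhere
        ("hq.carol", "203.0.113.10"),       # main-office user inside a branch
        (None, "198.51.100.7"),             # no authenticated user at all
    ]
    for user, src in cases:
        print(f"{str(user):14} {src:15} -> {evaluate(POLICY, user, src)}")


if __name__ == "__main__":
    main()
```

The last case is the one to watch: whether the deny rule ever sees a branch user depends on the listener forcing authentication before the rule is evaluated, so the evaluator is only as strict as the listener feeding it.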

HTTP traffic through port 80 and custom port


Hi,

My scenario as below:

I have an iPad connected to a VPN configured on the external NIC of TMG and running some application. On the internal NIC, inside our LAN, I have a web server.

I created a new outbound TCP protocol on port 1111 (My1111) and configured an allow rule on TMG to allow traffic from VPN to Internal. The iPad application connected to the web server on port 1111 with protocol My1111, the user authenticated on the server IIS and everything is OK.

But when I try to switch both the iPad and the server binding to port 80, the application can connect only once. The next tries fail.

I tried to find a solution with the TMG logs. There are no dropped packets. The only problem is that the protocol changed from My80, which I created, to HTTP. This is the only difference from the traffic through port 1111.

It looks like a problem with caching on TMG. I already disabled all caching, but it didn't help.

Is there any way to prevent TMG from recognizing the traffic through port 80 as HTTP?

Any help is appreciated.


Banners not displayed in IE


Hello,

We have a strange problem with displaying banners in Internet Explorer. For example, banners that are included on websites from http://pubads.g.doubleclick.net/gampad are not displayed when using TMG as the proxy filter.

I can see an error in the logs, but I don't know why it happens, because a few log entries later the same URL gets allowed on the same rule, because the user IS authenticated:

Denied Connection ee 2/13/2013 12:30:39 PM
Log type: Web Proxy (Forward)
Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. 
Rule: Allow Web Access for All Users
Source: Internal (172.18.253.168:50490)
Destination: External (172.6.11.211:8080)
Request: GET http://pubads.g.doubleclick.net/gampad/ads?correlator=4055877724410839&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-7724620848043588&slotname=Avtonet.Wallpaper&page_slots=Avtonet.Wallpaper&cookie_enabled=1&url=http%3A%2F%2Fwww.avto.net%2F&ref=http%3A%2F%2Fwww.avto.net%2F&lmt=1360755039&dt=1360755039815&cc=100&oe=windows-1250&biw=1076&bih=745&adk=2925535707&adx=8&ady=23&ifi=1&oid=3&u_tz=60&u_his=2&u_java=true&u_h=839&u_w=1076&u_ah=799&u_aw=1076&u_cd=16&flash=11.6.602.168&gads=v2&ga_vid=27065755.1360754622&ga_sid=1360755040&ga_hid=1290708231&ga_fc=true
Filter information: Req ID: 144efdc5; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous

We don't have this problem in Firefox.

Thank you!

Best wishes,

Marko
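The entry quoted above is the pattern to look for when triaging this kind of log: a 12209 "Denied Connection" with User anonymous is the Web Proxy log's record of TMG answering an unauthenticated request with an HTTP 407 challenge, not a policy block, and the real decision is in the later entry for the same URL once the client has authenticated. The following script, added here as an illustration and not a TMG tool or part of the post, parses records in the same key: value layout as the quoted entry and pairs each anonymous 12209 with a later authenticated entry for the same URL. The three records are constructed; the client address, the second and third records, the user name and the shortened query strings are invented.

```python
"""Pair anonymous 12209 web-proxy entries with the authenticated retry.

Added example; the log records below are constructed in the layout the post
quotes and are not real traffic.
"""

SAMPLE_LOG = """\
Denied Connection ee 2/13/2013 12:30:39 PM
Log type: Web Proxy (Forward)
Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
Rule: Allow Web Access for All Users
Source: Internal (172.18.253.168:50490)
Destination: External (172.6.11.211:8080)
Request: GET http://pubads.g.doubleclick.net/gampad/ads?slotname=Example
Protocol: http
User: anonymous

Allowed Connection ee 2/13/2013 12:30:39 PM
Log type: Web Proxy (Forward)
Rule: Allow Web Access for All Users
Source: Internal (172.18.253.168:50491)
Destination: External (172.6.11.211:8080)
Request: GET http://pubads.g.doubleclick.net/gampad/ads?slotname=Example
Protocol: http
User: CONTOSO\\marko

Denied Connection ee 2/13/2013 12:30:40 PM
Log type: Web Proxy (Forward)
Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
Rule: Allow Web Access for All Users
Source: Internal (172.18.253.168:50492)
Destination: External (172.6.11.211:8080)
Request: GET http://cdn.example.net/banner.js
Protocol: http
User: anonymous
"""


def parse_records(text):
    """Split blank-line separated records; the first line is the result header."""
    records = []
    for chunk in text.strip().split("\n\n"):
        lines = chunk.splitlines()
        rec = {"Result": lines[0]}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def status_code(rec):
    """Leading numeric code of the Status field, or '' when the entry has none."""
    return rec.get("Status", "").split(" ", 1)[0]


def request_url(rec):
    """URL part of 'Request: GET http://...'."""
    return rec.get("Request", "").split(" ", 1)[-1]


def classify_12209(records):
    """Map each anonymous-12209 URL to 'challenge' (an authenticated entry for
    the same URL follows) or 'unresolved' (nothing authenticated came after)."""
    pending = {}
    result = {}
    for rec in records:
        url = request_url(rec)
        if status_code(rec) == "12209" and rec.get("User") == "anonymous":
            pending.setdefault(url, True)
        elif rec.get("User", "anonymous") != "anonymous" and url in pending:
            result[url] = "challenge"
    for url in pending:
        result.setdefault(url, "unresolved")
    return result


def main():
    for url, verdict in classify_12209(parse_records(SAMPLE_LOG)).items():
        print(f"{verdict:10} {url}")


if __name__ == "__main__":
    main()
```

A URL that stays "unresolved" is the one worth investigating: the client was challenged and never came back with credentials for it, which is what a browser that silently gives up on the 407 for a third-party ad request looks like in the log.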

Override rule for HTTPS sites


Hello,

I would like to ask whether it is possible to create an override rule also for HTTPS sites. I would like to create a list of HTTPS sites (URLs) that would be blocked, but with a user override option.

Thank you!

Best wishes,
Marko

How to Use Both Autoconfiguration Auto Discovery and Round Robin ISA in DNS For Firewall Clients and Web Proxy Clients?


I need the web proxy clients to autodiscover the VIP of the 2 ISA servers, and I need the web proxy clients to automatically use round robin.

If you have 2 ISA servers called ISA1 and ISA2, do you just add a second DNS entry for ISA1 pointed to the IP address of ISA2, or do you create a new fake host name with both ISA1's and ISA2's IP addresses?

When you are using automatic configuration (autodiscovery) of firewall clients and are also using round robin, what do you put as the "ISA Server Name or IP Address" in Firewall Client Properties?



WFP FILTER CONFLICT


After installing Symantec Endpoint Protection on a Forefront TMG 2010 server, with only the antivirus features enabled, TMG began issuing the alert message:

Forefront TMG detected Windows Filtering Platform filters that may cause policy conflicts on the server HPML350. The following providers may define filters that conflict with the Forefront TMG firewall policy: SYMANTEC CORPORATION.

The antivirus is configured just for that, i.e. a set of basic protection; moreover, I did the necessary checks on the main folder exclusions.

I wonder if anyone knows what might be happening.

Thank you


MCP - MCTS

Getting a 12210 An Internet Server API filter error when downloading file from HP


I am trying to download a file from HP. The download starts at 7-10k per second and ends up stopping by itself. Reviewing the TMG logs, I get the following message.

Failed Connection Attempt XXXXXXXXXXXXX  2/19/2013 12:38:45 PM 
Log type: Web Proxy (Forward) 
Status: 12210 An Internet Server API (ISAPI) filter has finished handling the request. Contact your system administrator.  
Rule: ALLOW: IO OPS to FTP 
Source: Internal (XXXXXXXXXXXXX:4993) 
Destination: External (192.232.17.169:80) 
Request: GET http://h30537.www3.hp.com/prdownloads/DVD_CV_v10.2_SS_v4.2_Windows_SSSU_Docs_T5494-11004.iso?downloadid=NTIyMzMxMTEzLDEsU1dfREVQT1Qsc29mdHdhcmUsOGM3MWVjYTIwNGVjMDQ5NGY3NjU0OTYwZjdmNmI2YzUsYmlsbC5zY2h3YWJAYWNjZW50dXJlLmNvbSxIUC1FU0QtQVVUSCwxMzYxMjkzNTU3NzY0LFA2MDAwX0NWMTAuMg==&merchantId=SW_DEPOT&dlm=ON&rnid=1.0&bpid=SWD&egid=F 
Filter information: Req ID: 0b209f64; Compression: client=No, server=Yes, compress rate=0% decompress rate=0% 
Protocol: http 
User: anonymous 
 Additional information 
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x40800000 (Response includes the LAST-MODIFIED header. Response should not be cached.)
Processing time: 49389 MIME type: application/octet-stream

  

Group AD with TMG

I have a group on the domain controller; this group has some users, and the group is universal security.

After that, a user set was created in TMG, to which this group created on the domain controller was added.

And finally I created a rule blocking all users (All Users) from certain sites, except those users who are in the AD group which was added to the user set.

I do not know what happened, but now the following happens: I go into AD and remove a member of this group, so he should no longer be able to access certain sites according to the rule cited; however, the guy continues accessing. Or vice versa: I include a user who did not have access and the guy does not get access anyway.

However, if I restart the client station or do a logoff, it works right, i.e. the user who was not in the group and now is gets access to the sites normally. And vice versa.

However, just before, adding or removing the user from the group worked without having to restart or log off at the station.

ISA 2006 open access to certain pages

How to block https sites, streaming video sites and application extensions in TMG 2010


Hi,

We have deployed TMG 2010 (single NIC topology) in a virtual machine for our client. We have applied SP2 and Rollup 3. We tried to block video streaming sites through streaming protocols and URL categories. Then we blocked video files through content type blocking (HTTP filter). We have added a URL set and a domain set also. None of the rules is working.

One more issue we are facing is that HTTP web sites are blocked successfully but HTTPS sites are not. For example http://www.facebook.com is blocked but https://www.facebook.com is not.

Please advise how to fix this issue.


Edward Antony.D | Quadrasystems.net India Pvt Ltd
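The http-blocked-but-https-not symptom above usually comes down to what a forward proxy that does not terminate TLS can see. For a plain HTTP request it sees the full URL (scheme, host, path and query); for HTTPS it sees only the CONNECT tunnel request, i.e. the host name and port, never the scheme-qualified path. The script below, added here as an illustration and not part of the post or TMG code, models that visibility and runs a URL-set style pattern and a domain-name set against the same requests. The URL-set entry "http://www.facebook.com/*" is an assumption about how the poster's rule was written; the post does not say. The matching semantics are a simplification, not TMG's engine.

```python
"""What a non-intercepting proxy can match on for HTTP versus HTTPS.

Added example; the URL-set patterns and the idea that the poster's rule
carried an http:// prefix are assumptions made for illustration.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def visible_url(url: str) -> str:
    """The URL as a proxy without TLS inspection observes it.

    HTTPS arrives as 'CONNECT host:port', so the proxy can reconstruct at most
    'https://host/'; the real path and query stay inside the tunnel.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return f"https://{parts.hostname}/"
    return url


def url_set_matches(patterns, url: str) -> bool:
    """Wildcard URL-set style match against what the proxy can see."""
    seen = visible_url(url)
    return any(fnmatchcase(seen, p) for p in patterns)


def domain_set_matches(domains, url: str) -> bool:
    """Domain-name set match: the host is visible for both GET and CONNECT."""
    host = urlsplit(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in domains)


def main():
    requests = [
        "http://www.facebook.com/",
        "http://www.facebook.com/messages",
        "https://www.facebook.com/",
        "https://www.facebook.com/messages",
        "http://notfacebook.com/",
    ]
    http_only = ["http://www.facebook.com/*"]          # assumed original rule
    both_schemes = ["http://www.facebook.com/*", "https://www.facebook.com/*"]
    domains = ["facebook.com"]
    print(f"{'request':38} {'proxy sees':30} http-set both-set domain-set")
    for url in requests:
        print(f"{url:38} {visible_url(url):30} "
              f"{str(url_set_matches(http_only, url)):8} "
              f"{str(url_set_matches(both_schemes, url)):8} "
              f"{domain_set_matches(domains, url)}")


if __name__ == "__main__":
    main()
```

The practical consequences follow directly from visible_url: an http:// pattern never matches an HTTPS request because the scheme differs; an https:// pattern can only ever match the bare host, so a path-specific HTTPS entry such as "https://www.facebook.com/messages*" silently matches nothing; and a domain-name set matches both schemes because the host is the one thing the tunnel request always carries. Blocking or inspecting the HTTPS path itself requires the proxy to terminate TLS.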


Discontinuing any further releases of Forefront TMG 2010 - Adding recently implemented server to EA program

Hi,

I am in the middle of the implementation (almost at its production stage) of a new TMG 2010 server for publishing my Exchange 2010 infrastructure; however, I came to know that MS is discontinuing TMG from June 2013. I wish to keep TMG alive for some more time, and hence want to add it to the EA agreement until we find a replacement. Is it possible to add it in the middle of an EA declaration period?

Simply, can I add the TMG perpetual server license into the licensing program now to avail of the support life cycle?

Ref - http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx

-Praveen


Praveen Balan |MCITP - Exchange Server 2010 | Exchange Dictionary(www.exchangedictionary.com)

Every 20 mins ISP Redundancy down

Hi

We have a TMG 2010 server; ISP redundancy goes down every 20 mins. The two internet connections are load balanced 70%-30%.

After 20 mins it goes down; restarting the services brings it back up, and every 20 mins I need to restart again.

This error:

error


TMG 2010 New Install - No Internet Access For Users.

I have a new install of TMG 2010 on a Windows 2008 R2 server. Domain joined, one NIC on the internal network, the other NIC on the DMZ. I have confirmed that I can get out to the internet from the TMG server itself before the TMG install, and also after the TMG install and base configuration.

I went through the initial wizard configuration and also the wizard to proxy client traffic out to the internet. The problem is, the client machines can't get out to the internet going through TMG. I can see the traffic hit the TMG server, and they appear to connect, but on the client machine the screen is blank.

Am I missing something on the configuration of TMG to allow the client machines to proxy through TMG?

Publish Microsoft Exchange Active Sync (EAS) with ISA Server 2006

Hello guys,

I want to enable Exchange ActiveSync on my ISA server.

Does it require a front-end server that maintains the IIS site (link)?

Or can the link that I'm publishing on ISA be on my internal Exchange server?

Where do I have to maintain the link that I'm publishing? On the ISA server, the Exchange server or a front-end server?

Grateful for help with my confusion.

VPN's clients can't access any resource from my network

Hi folks,

I enabled the VPN features on Forefront TMG and selected my DHCP server as the IP address assignment method.

The clients can connect but can't access any resource of my network (ping, etc.).

The DHCP range is 172.16.16.100~172.16.17.254.

Maybe some configuration is missing, but I don't know what.

Thanks, 




Forefront VPN - non-domain clients


I'm running Forefront 2010 SP2 as our VPN gateway, and whilst it's mostly working fine I do have one problem - we have a contractor who occasionally needs to VPN in with his own, non-domain-joined PC, but cannot do so - it returns error 787 (The L2TP connection attempt failed because there is no valid machine certificate on your computer for security authentication).

I've looked for an answer as to how to allow/block non-domain PCs from connecting to Forefront but have drawn a blank. Does anyone have any idea how I might allow this (and, even better, restrict the non-domain PC to only coming from a specific IP address)?

Many thanks in advance for any advice.

Publish internal website to internal clients with passthrough authentication


I need to publish a website through TMG 2010 for internal use. The web server is on the same subnet as the internal interface of TMG and listens on port 8080. I want to be able to connect to an alias for this website on port 80 and have it redirected to port 8080 on the web server.

I can authenticate directly to the website which uses NTLMv2 to sign the user in automatically.

When I set this up through TMG I can't get the automatic sign in to work if I use HTTP authentication on the listener. If I use forms based authentication then I can get this to work by setting the delegation to "NTLM" and this works fine. It does not appear that I can set the delegation to "NTLM" when using HTTP authentication.

Using the option "No delegation, but the client may authenticate directly" gives the same outcome where I am prompted for a username and password. I have ticked the box for "Allow client authentication over HTTP" to no effect.

Thanks

Danny

Isa2006 and sharepoint to expose certain urls

Hi,

We are using SharePoint 2010 installed on Windows 2008 R2 and ISA 2006. We want to expose certain pages under a certain folder over the Internet, but these pages have references to other URLs in other folders, such as images, CSS and files hosted on the root folder /.

External URLs (please note the public folder does not exist on the internal URL and we want to hide _layouts from the Internet):

Http://externalname/public/folder1/page1.aspx
Http://externalname/public/folder1/page2.aspx

Internal URLs for the above:

Http://internalservername/_layouts/folder1/page1.aspx
Http://internalservername/_layouts/folder1/page2.aspx

Some of the internal files referenced in the above pages:

Http://internalservername/CSS/*
Http://internalservername/JavaScript/*
Http://internalservername/webresources.aspx
Http://internalservername/scriptresources.aspx
Http://internalservername/_layouts/folder1/~/_vti_bin/Get1.svc
Http://internalservername/_layouts/folder1/~/_vti_bin/Get2.svc

So how do we achieve this via ISA to map the external URLs? Please note we don't want to expose any arbitrary pages outside folder1, but there are files residing outside folder1 and we need access to them in order to render the page correctly.

Thanks

Downloads never finishes, stuck after 50 or more percent

I have TMG with SP2 and updates installed. Downloads do not work until I bypass malware protection by adding the site to the exception list. Is there any way to fix this, as I can't add every site that has problems? I have changed the default settings for downloads and also increased the file size using the registry method from TechNet etc. My current Malware Inspection options are:

- Attempt to clean infected files

- Block suspicious files

- Block files if scanning time exceeds: set to 99999

- Block files if archive depth level exceeds: set to 60

NOT enabled: block files larger than... NOT enabled: block archives... Also, I have increased the download file size to 4GB using the TechNet method.

No luck; unless I add sites to bypass malware protection, it fails after 10% or 50% of the download etc. I can't even install Flash from Adobe or download PDF Reader. Any help to fix this is really appreciated!

Server 2008 R2 running TMG 2010 unbootable after installing Microsoft Updates, classpnp.sys is last driver seen in Safe Mode


Not sure if the list of 20+ updates included any for TMG 2010 or not, so I'm posting in both forums.

Windows reboots (no blue screen) shortly after classpnp.sys is loaded, as seen during Safe Mode boot.  When choosing Enable Boot Logging option at F8 startup, [e:\windows\Ntbtlog.txt] doesn't appear to be created (e: is the letter assigned to the existing system partition when in Recovery Console).  As suggested by http://support.microsoft.com/kb/275735: "If the computer stops responding (hangs) before Session Manager (Smss.exe) is initialized, the log file [%windows%\Ntbtlog.txt] is not created because data cannot be committed from the registry to the file."

1) I located the registry files of the failed system - can this pre-file-format boot logging be retrieved from the registry?

As suggested by http://social.technet.microsoft.com/wiki/contents/articles/windows-server-2008-repair-steps-for-no-boot-issues.aspx, booting from the Server 2008 R2 DVD, choosing "Command prompt" and running X:\sources\recovery\startrep.exe results in no %WINDIR%\System32\LogFiles\Srt folder, much less the anticipated SrtTrail.txt log file in it. But the GUI reports:

Problem Signature 01:6.1.7600.16385
Problem Signature 02:6.1.7600.16385
Problem Signature 03: unknown
Problem Signature 04: -1
Problem Signature 05: ExternalMedia
Problem Signature 06: 1
Problem Signature 07: NoOsInstalled
OS Version: >6.1.7600.2.0.0.2561
Locale ID:1033

2)  Is this the same information expected to be logged to SrtTrail.txt?

3)  If not, why might this file not be created?

4)  Either way, does the info above suggest what is wrong? "NoOsInstalled" doesn't sound very accurate.

5)  Is there a way to uninstall or roll back the most recent round of updates?

As suggested by http://support.microsoft.com/default.aspx?scid=kb;EN-US;975484, the .vbs script resulted in the removal of 2 POQ nodes, but now it seems to reboot even faster than before, still upon the appearance of classpnp.sys in Safe Mode.

Running sfc resulted in "there is a system repair pending which requires a boot to complete...", renaming e:\Windows\WinSxS\pending.xml allowed sfc to run successfully, with no problems detected.

6)  The prescribed methods for running DISM haven't made any sense to me... where does C:\test\offline come from?  It's not on my system.  Even if it was, how would I specify which "packages" (I prefer to call them "updates") to remove?

