Channel: Forefront TMG and ISA Server forum

ISA 2006 Denied connection 0xc0040012 FWX_E_NETWORK_RULES_DENIED


Hello.

I have an ISA with 3 NICs.

NIC 1 with 172.17.0.0 network X

NIC 2 with an external IP

NIC 3 with an internal IP

Under Networks I have the following networks:

External

Network X

Internal

Intra

Local host and VPN clients.

My NIC 1 is directly connected to the Cisco router where a site-to-site VPN to another location resides, and all inbound traffic is NATed on the Cisco to the 172.17.0.0 network.

So I created the following network rule:

Traffic from network X will be routed to Internal

Then I created a policy rule permitting all outbound traffic from network X to Internal.

After this I tried to ping, trace and access an inside web server, but all the traffic is denied with 0xc0040012 FWX_E_NETWORK_RULES_DENIED

From the router I can ping NIC 1 on the ISA but can't ping servers on the internal network.

I already changed my network rule to NAT but with no success.

Does anybody have a suggestion?

I'm really stuck here.

Any questions or doubts, just ask.

Thank you.


Remote Desktop Services Questions


I have a customer that is using Citrix with NFuse in the DMZ to proxy/broker connections to the back end Citrix farm.  They are moving away from Citrix since 2008R2 provides the needed functionality.  Currently they have built a RDS server internally but would like to expose it publicly and have the same functionality as internal.  They plan on using Gateway Services, RemoteApps and possibly Webapps along with regular RDP.

Like most, I am confused by UAG/TMG and unsure what product I should recommend to them.

I also recently read that MS is collapsing TMG so only UAG will be continued?

I also assume that neither support 2012 yet fully, anyone know if this is coming?

So my question is will this provide them with the needed abilities? 

So a user can simply open a remote app from home and connect to said application?

Can a user simply open RDP and connect to the back end RDS?

Can a user simply open RDP and configure GWS and get to any RDP/RDS internally?

Can a user simply open the Remote Web Page and open a web app?

Essentially the forefront server will only be used for RDS.

I know I need valid SSL on both, not an issue.

I know I need 2 nics for UAG.

I just want to make sure this is solid and simple for the end user, being no different than port forwarding 3389/443 to the RDS directly.


Thanks, Grady Vogt

Forefront Threat Management Gateway


Hi,

We are using Forefront Threat Management Gateway 7.0.9193.500 as a proxy, installed on Windows Server 2008 R2 Standard Edition.

The problem is, sometimes it asks for proxy credentials for some users only.

I have used the NetWrix tool (Account Lockout Examiner) to find out whether those user accounts are locked out anywhere, but the user accounts are not locked out anywhere.

I even suspected that a virus causes this, but those systems are virus free.

Please help me with how to resolve this issue.

I found the below error in Event Viewer (EVENTVWR):

- System
- Provider
[ Name] Microsoft Forefront TMG Firewall
- EventID 21137
[ Qualifiers] 49152
Level 2
Task 0
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2012-10-10T23:08:31.000000000Z
EventRecordID 45081
Channel Application
Computer PROXYSERVER.semanticindia.com
Security
- EventData
ABC
ABC.domian01.com
The request has timed out



Webserver behind TMG. getting "Request appear to come from the original client" to work


The architecture is as follows:

router (port 80 forwarded) -> TMG -> web server.

When I set "Requests appear to come from the TMG server" in TMG, my sites on the server are visible OK.

If I change it to "Requests appear to come from the original client", the sites are not visible any more. What should be changed in order to use this option?


TMG 2010 - HTTPS Inspection - certreq


I'm setting up TMG with a Forward Array and a Reverse Array.

For the forward proxy, we want to inspect HTTPS traffic.  I need to issue a certificate for this purpose.  My ADCS looks like this:  Offline standalone RootCA, 2 subordinate issuing CAs.  The subs can't issue subordinate certificates because of key constraints - the cert will need to be issued from the RootCA.  Does anyone have any experience crafting the request I'll need to use to make this certificate?  I assume I'll be using certreq.exe to make this happen.

MG

Error message: "59 An unexpected network error occurred" occurs when I try to make an FTP connection with an FTP client through an ISA 2006 proxy.


====================================

Failed Connection Attempt

[servername] 10/10/2012 2:00:03 PM
Log type: Web Proxy (Forward)
Status: 59 An unexpected network error occurred.
Rule:
Source: Internal (UserIpAddress)
Destination: (ProxyIpAddress:80)
Request:
Filter information: Req ID: 148ac64e
Protocol:
User: anonymous

Additional information
  • Client agent:
  • Object source: (No source information is available.)
  • Cache info: 0x0
  • Processing time: 0 ms
  • MIME type:

====================================


Siri on ipad with Forefront problem


I use Windows 2008 R2 + Forefront 2010 SP2 Rollup 2. I use an iPad with Siri. When I speak, it never converts to text. It just blinks and waits.
I checked the log; it runs perfectly, and it says my iPad passes and is allowed connections on both 80/443 to apple.com and guzzoni.apple.com:443. However, it didn't work.

I tested by bypassing the proxy; yes, it works properly, Siri converts my voice to text without problem. So the proxy is suspect.

Can anyone give a suggestion on what I should do? Thank you in advance.

Same subnets of NLB and LAN for TMG 2010 - Exchange 2010 publishing


Hi, I have TMG01 and TMG02 and both are configured as single-NIC. Each of them has two NICs.

TMG01

LAN 89.5.1.39 \ NLB 89.5.1.41

TMG 02

LAN 905.1.40 \ NLB 89.5.1.41

Is this supported? I'm going to use the NLB VIP to publish Exchange services such as Autodiscover etc. Is it OK for both to be on the same subnet?


Proxy server shows 502 bad gateway


Hi,

We have 2 proxy servers installed; one is ISA Server 2004 and the second is Forefront TMG 2010. Some of the systems in our internal network go out via a proxy server and some systems go directly, without a proxy server.
Suddenly, we started facing the issue below.

When we try to reach the following web page over a machine that goes out via proxy server,
http://www.dishtv.in

we get the following error in browser:

ERROR

The requested URL could not be retrieved

While trying to retrieve the URL: http://www.dishtv.in/

The following error was encountered:

  • Read Error
    The system returned:

    (104) Connection reset by peer

An error condition occurred while reading data from the network. Please retry your request.

Your cache administrator is webmaster.

When we try to reach the same page on a machine that goes out to the internet without a proxy server, we can reach the page.

We are facing the same error on both proxy servers. But after bypassing the proxy server, the above URL opens properly.

In the proxy server logging, it allows the above URL but shows the message below.

502 bad gateway

Kindly help me to resolve this issue.

Thanks in advance.

Best Regards,


Unable to update TMG through WSUS


Hi guys,

I have recently built a new TMG 2010 server to take over from our ISA 2004 server. The server is functioning properly as a web proxy server, so normal operation seems to be working OK. The issue I am having is that when I try to update the TMG through WSUS I get the following error:

 "An error occurred during an attempt to update the definitions for the Network Inspection System update service on the server xxxxx"

and the following error on the Alerts Tab under Monitoring:

"Description: An error occurred during an attempt to check for, download, or install definition updates on the server xxxxx. The failure is due to error: 0x80240022 "

I cannot find any information about what that error code means or how to fix this issue.  I have created an access rule to allow the TMG server to communicate with the WSUS server on port 8530 but to no avail.  I have also followed the following article 

"http://technet.microsoft.com/en-us/library/cc995320.aspx" but it is still not working.

I can however update the server manually through Windows update.

Any help is appreciated

Regards,


Mapped network drive in TMG


I am trying to map a network drive on my TMG 2010 server in order to backup the TMG server.

The network drive is a NAS shared folder.

\\nas\tmgserver

but I can't seem to be able to map the drive.

Do I need to configure any permissions to allow the mapping?

Forefront TMG Gateway 2010 with a ping of 270 ms. Is that normal?


Hello,

I have a Forefront TMG Gateway 2010 running in working mode.

The computers on the network have a ping of 270 ms between them. Is that normal?

The computers that do not go through the TMG have a ping of 60 ms.

Thanks

Regards



Cannot log in to the DVR


I installed ISA Server 2006 as a proxy server. All users authenticate to browse, and my branch office has a static IP for the DVR. I cannot log in to the DVR through the ISA server. It says login failed.

Certificates cannot longer be used in TMG - Incorrect Key Type


After TMG 2010 mysteriously failed to start the firewall service, I identified that some firewall rules/web listeners were possibly corrupted. I fixed that and proceeded to troubleshoot, and I suspected problems with certificates. So I decided to create certificates from scratch and import them into TMG 2010 (as has worked for a number of years since ISA 2004).

I followed the pretty much known procedure of requesting a certificate from the IIS server, installing it in IIS, exporting it with the private key and importing it into TMG; however, I cannot link the certificate to the listener, as TMG says it has an Incorrect Key Type.

One thing that indeed changed is that we had reinstalled our PKI (Microsoft Windows 2008 R2). So basically keys that were issued and imported into TMG (long ago) seem to be working fine. I, however, cannot import the new one.

I have searched the Internet a lot but to no avail. The only particular thing I found is that TMG doesn't work well with CNG (version 3) certificates. I have looked into the certificates quite thoroughly and found the only significant difference between working ones and non-working ones in the order of properties.

I don't think my CA is issuing version 3 certificates, but I am not 100% sure.

Any ideas how I can verify this or any idea what else could be wrong with the certificate so TMG cannot recognize it?

Many thanks.


NLB event 105 and 106 in TMG Array


Hello,

We have a setup running consisting of 2 TMG 2010 machines in an Array. We use NLB Multicast.

We are hosting about 25 site-to-site VPNs in this setup. Users behind these (site-to-site) VPNs are experiencing lag in their RDS sessions from time to time through these VPNs. Also, sometimes the sessions are disconnected/reconnected.

I have seen that tcp checksum offloading was enabled on all interfaces, so I disabled this.

What I also notice are NLB event 105 and 106 numerous times in the time window when users are active.

105: NLB cluster []: Timer starvation has been detected. This might be due to a denial of service attack or a very high server load. During this period, some connections might fail. If this problem recurs frequently, analyze the threat and take appropriate measures and/or add more servers to the cluster. An informational event log entry will be logged when the attack has subsided.

106: NLB cluster []: Timer starvation has subsided.

I have found the following post regarding these events: http://sharepointblog.michaelrperry.com/2011/03/nlb-event-id-105-sharepoint-2007-and.html

There the problems were resolved after disabling TCP checksum offloading on the virtual NICs, just as I have done. However, I still get the same errors.

Has somebody experienced the same issues and errors? I'm getting a bit stuck here and users are still complaining about latency and disconnected sessions.



MMC Error only TMG EMS server


On a Windows 2008 SP2 TMG EMS server, MMC shows the error "MMC has detected an error in a snap-in. It is recommended that you shut down and restart MMC" when the dashboard is accessed. The observation is that if a new array is created before applying any SP1, this error is not generated. I have updated TMG with SP1, SP1 Update 1, SP2 and hotfixes. Even after applying SP2, the TMG Standard is not changed to Enterprise according to KB2555840, which has fixed this issue. This issue is not seen on the other 2 Windows 2008 SP2 TMG firewall servers with identical updates, both Windows 2008 and TMG service packs.

I have followed this link http://technet.microsoft.com/en-us/library/ff717843.aspx to install and uninstall service packs. I tried Windows Update to install the service packs as well as manually installing SP2 and related hotfixes. None of the methods resolves the issue. So far none of the TMG servers are joined to the newly created array in EMS. This MMC issue, I think, is not related to IE9; otherwise the other TMG servers would have generated a similar error.

TMG installation on all servers was done through a Domain Admin account.

Can any further diagnostics be done to troubleshoot and resolve this issue?

Thanks

TMG Reporting Failure


Hi,

I have an array TMG setup with my first TMG server as the reporting server. When I run a report from the EMS server for a specific user and date I get the following error.

Forefront TMG Error
The Operation Failed
The Microsoft Forefront TMG Control service could not be accessed.

The error occurred on object 'Reports' of class 'Reports Configuration' in the scope of array 'TMG Array'.

Any ideas why I would be getting this? If I run a normal One time report it all works fine.


TMG 2010 (SP2) as edge firewall on Hyper-V guest cannot access any other computers on same subnet


I'm hoping someone may be able to help me with this, as I've been completely unable to figure out why this setup does not work on a Hyper-V guest running Server 2008 R2. I'm in the process of testing some scenarios and have successfully managed to configure TMG 2010 on a physical system, but when creating the same setup on a Hyper-V guest, TMG seems to run into serious network issues...

Some details:

Physical system (Server 2008 R2) running Hyper-V and AD DS - single domain controller.
 - 3 physical NICs
   - 1 NIC set up for use by the physical server - no problems with local or Internet connectivity
   - 2 NICs allocated to Hyper-V Virtual Network Manager (External connection type, unticked "Allow management OS to share this adapter"), i.e. dedicated to Hyper-V
   - All three NICs are connected directly into the switch ports on my router.

Hyper-V guest (Server 2008 R2 with all updates completed) running TMG 2010 configured as edge firewall with the following updates installed: SP1, SP1 Update 2, SP2.

So on the Guest I have NICs as follows:
 - VNIC1 - Renamed External for easy reference in TMG.
    - Static IP address and Default Gateway. DNS servers left blank
 - VNIC2 - Renamed Internal
    - Static IP address, Default Gateway left blank. DNS server has IP for Hyper-V host as it is running the Domain Controller.

Prior to installing TMG 2010 I was able to fully update Windows and join the domain without any problems at all (I have uninstalled TMG several times as well, and when it's not installed, everything works perfectly).
While TMG is installed and running, I have no connectivity to any computer running on the physical network, which I am pretty certain is because the TMG is unable to make connections with the domain controller/DNS server.
If I enter an alternate DNS server in the IPv4 settings on the VNIC Internal, then I am able to get a connection to websites etc. on the WAN.
nslookup correctly identifies the IP address for the domain controller, but any DNS queries time out - for some reason the connection is being blocked.
Using the TMG control panel logs and reporting, I can see that DNS queries (UDP 53) are being allowed from the TMG Internal NIC to the IP of the domain controller/DNS server, so it doesn't seem to be the firewall component that is blocking the traffic.

Rebuild ISA 2006 EE server as TMG 2010 using same machine/network name


Hi,

I'm getting ready to rebuild my ISA 2006 EE as a TMG 2010 server, and I've read all the information I could find about exporting the configuration and the certificates and the like, and I think I'm hopefully going to be OK there.

My question concerns the name of my ISA/TMG machine. I'm going to be using the box my ISA server is on for the new TMG server, just replacing the current drive that has ISA with a new drive to be used with the rebuild of the TMG server - Win 2K8 R2 and TMG. I would like to keep the same machine/network name for my new TMG server as I had for the ISA server. This will save me a lot of heartache, I think. Is this possible? I can think of a couple of possible places where I could run into trouble. First would be when I add the newly rebuilt TMG server to my domain. There will already be a machine in my AD with that name, obviously. Will this cause me any problems? The second problem I can think of is related to certificates. I know as part of the export process from the old ISA server I need to export my certificates. Should I bother to export the machine certificate on my old ISA server, or will I need to issue a new certificate to my new TMG server that has the same name?

Hopefully the answers to these questions are easy and straightforward.

Thanks in advance,

Nick

FTMG decompression of GZIP files locally


I am experiencing a problem with our FTMG where content that exists on the web in GZIP format is arriving on my desktop decompressed instead of compressed. Note that the content still has the filename with the extension .gz, so from the Windows perspective it still thinks the content is compressed.

I've verified that this is happening on multiple computers that utilize the FTMG and that this behavior is NOT happening when I use a computer that is not attached to the FTMG.

I cannot find any settings or configuration information that would allow me to turn this "feature" off.

This only happens for HTTP traffic and does not happen for FTP traffic since I can routinely download other gzip compressed files using the FTP protocol and those files arrive on my local desktop still compressed.

This is a problem since the software that I'm using - provided by an external agent - is expecting the files that it is working with to arrive fully compressed. This software crashes (as it should) when trying to decompress a file that is already decompressed.

I have verified that this is happening irrespective of the use of caching, i.e. it happens with the cache turned on and with the cache turned off.

Note that this problem started about two days ago since the software I have been using for years started crashing two days ago.

Please provide some advice on how to stop this behavior.

Sincerely yours,

Jerry W. Manweiler, Ph.D.

