Channel: Forefront TMG and ISA Server forum

HTTPS Get Request Only to ActiveSync


I'm trying to create a Web Farm in TMG specifically to monitor the ActiveSync virtual directory. When using the Exchange publishing wizard, and creating a Web Farm, it defaults to send an HTTPS Get Request to https://*/OWA/

I know that you can also specify https://*/rpc/ when only publishing Outlook Anywhere, so would the path for ActiveSync be https://*/Microsoft-Server-ActiveSync/ ?

Thanks,


MCITP Exchange 2010 | MCTS Exchange 2007 | MCITP Lync Server 2010 | MCTS Windows 2008 | MCSE 2003


TMG server periodically stops responding

Reporting


I use TMG as a proxy to get to the internet. I have some Macs in the environment. I want to keep TMG, but the reporting is not the best. Is there third-party software out there that can report and block by user account if authentication is not turned on while using a proxy? I have looked around and many say it is not possible. Thanks for any help on this.

Connection to SQL server fails for external VPN clients

Hello,

A long time ago I set up my ISA 2006 as a VPN server, and since then my clients have been able to connect to the internal network from home.
After rebooting one of my MS SQL Servers, my VPN clients can no longer access this server via Microsoft SQL Server Management Studio; local clients still work though.

The strange part is that there are some other SQL Servers that work just fine. I've noticed that the SQL Servers that are facing the access problem run multiple SQL instances that listen on ports different from the default 1433 port.

However, this shouldn't be a problem since there is a VPN client inbound access rule that permits all traffic.

Logging shows that a connection is initiated to the SQL server on port 1434 (=this is the port that SQL Server listens to by default and tells the client on which port the instance is listening) by using the Microsoft SQL (UDP) protocol and the VPN client access rule. Next it closes the connection with result code 0x80074e20 FWX_E_GRACEFULL_SHUTDOWN.

How can I troubleshoot this problem?

Thanks for your help.

Regards,


Joeri Michiels

JM

Can't reset OWA password when set to change at first logon


TMG2010 SP2 with rollups

Exchange 2010 latest SP

Win 2008 R2

Multiple forests, exchange in resource forest with users in another forest (2 way trust)

If users in either the resource forest or other trusted forests have a password which has not expired or does not need changed at next logon the users can logon fine, they can then use the OWA control panel to change their password if they wish.

When attempting to logon to OWA via TMG (which then forwards to the CAS servers (x2)) for a user in the resource forest who has the password set to change at next logon it allows us to change the password no problem. However...

When attempting to logon to OWA for a user in a separate forest whose password has expired or has the option set to require a change of password at next logon, it does not allow the change and instead tells us

"You could not be logged on to Forefront TMG. Make sure that your domain name, user name, and password are correct, and then try again."

I have been researching for hours and found various alleged fixes so here is what we have tried...

On the CAS servers: Enabling ChangeExpiredPasswordEnabled and resetting IIS

On the TMGs: http://support.microsoft.com/kb/957859 and http://support.microsoft.com/kb/2618727 and also  http://www.jaapwesselius.com/2011/11/05/owa-password-reset-tool-and-tmg/ and also ensuring that the appropriate certificates from the domain controllers are installed...

So I'm not sure where to go next... given that it works for resource forest test users, is it something to do with the multiple forest scenario?

Thanks

Gary

Kerberos (TCP) requests being randomly blocked by TMG Server


Hi,

We have a scenario where we had to configure three private tree domains (DC1, DC2, DC3) talking to each other through a TMG server which resides in the corpnet. TMG was configured with a 3-leg perimeter network and all the routes and firewall policies are added. DC1 is configured as the Internal network to TMG, DC2 and DC3 are configured as Perimeter, and a firewall policy is created to allow Kerberos (TCP) and Kerberos (UDP) from Perimeter to Internal. So TMG is expected to allow any Kerberos request from nodes under DC2 to DC1 according to the configuration, but contrary to that TMG is randomly blocking the Kerberos requests and allowing them sometimes. Network congestion is also not present, as it is a private network. Can anyone help me understand why TMG is doing this? Is there any configuration that I'm missing? Help much needed in this. Thanks in advance.

ISA 2004 IPSec VPN Routing Issue


Hi
I have an ISA 2004 server (not able to be replaced yet) at a remote site in the Philippines connecting back to head office in Melbourne, where there is a Juniper SRX210. The VPN is up and Melbourne has full access to the Philippines network. The Philippines network has access back to Melbourne, but the Philippines server does not. The server is a DC as well as running ISA 2004. It has two NICs, the internal with no gateway and the external with ISA controlling access. This is resulting in the server being unable to replicate Active Directory between sites. Debugging logs show the issue to be with ISA, not a rule in Melbourne on the Juniper. The error is:

Denied Connection  10/20/2012 6:25:37 PM
Log type: Firewall service
Status: A packet generated on the local host was rejected because its source IP address is assigned to one network adapter and its destination IP address is reachable through another network adapter.
Rule: 
Source: Local Host ( 192.168.79.1:137)
Destination: Melbourne ( 192.168.75.6:137)
Protocol: NetBios Name Service
User: 
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.79.1
Client agent:
 
The Networks, Network Sets, Network Rules and routes all appear fine. How else is one supposed to set up ISA to send traffic from itself to the VPN tunnel? A static route to either its own internal IP or the external gateway kills the VPN. ISA should be intercepting the traffic and directing it over the tunnel. It does for the Philippines LAN, just not for the server itself. It is the firewall service itself; there is no rule to tweak.

This is causing me no end of grief; any assistance appreciated. I have been through http://technet.microsoft.com/library/bb794765.aspx and it has not helped. Everything from Melbourne to the Philippines is fine; it is just the Philippines server (the ISA one) that cannot see the Melbourne network. It also seems to be still trying to initiate an IPsec VPN after the Juniper-initiated SA is up and running and the VPN is up.

Thanks, Ben

No Prompt for username and password using Linux behind TMG


Hi

I need some help identifying why, from a Linux server, users are not being prompted for a username and password when trying to access the internet through a TMG. The browser just fails to connect.

I can see in the logs the connection and that Proxy Authentication is required, which is what you would expect. I assumed they could put in, for example, a service account's credentials and that would suffice.

TMG is set to Integrated Windows Authentication.

I don't really want to specify a rule for anonymous access from specific IPs. There are a lot of Linux servers!

Thanks for any advice


TMG 2010 - Some external locations/IPs cannot reach sites published by TMG but others can - A connection was abortively closed after one of the peers sent an RST packet


Hi there,

This issue has been driving me crazy for the last month, and I thought I had it solved but definitely don't.

I have TMG configured for the sole purpose of being a reverse proxy for SharePoint, SAP BusinessObjects, and some other services to follow.

Everything works great... usually....

I put this in place for a client, I had it all configured, and I could reach both sites without any issue from home as well as my office. However, the client I put it in place for was unable to reach it from home, from his office, or from his cell, or anywhere really. The site would time out for him. On the TMG server I would receive an error stating: A connection was abortively closed after one of the peers sent an RST packet.

I searched all over the internet for this, and found a million posts about this error, and none of them helped me. I decided to reconfigure everything on TMG. I reconfigured everything from scratch, and it worked for me from home, on my cell, and worked for my client from his cell and from home, so we thought we were good. However, I am now trying to access it from my office, and it times out, and I receive: A connection was abortively closed after one of the peers sent an RST packet on the TMG server.

I tried from both of our external connections here at the office and I can't get to it, and the TMG server gives this error. I can still reach it from my phone and from home.

This is all done on the same laptops, so clients are not the issue. I've done packet sniffing, and the traffic makes it to the TMG and then nothing. Just a TCP Reset. The only difference at all is where the traffic is coming from...

I need to make sure that no matter where you connect from, if you have internet access, you can reach these sites... I have no idea why TMG is dropping the packet or why the reset happens from certain IPs.

Does anyone have any possible information that might help me?


Thanks

Site returns the dreaded error 64


Hi, I was wondering if someone else running TMG 2010 could try a website for me.

I don't seem to have problems with any other websites.  Many people are going through TMG and not having any issues - it seems to be limited to this one website.

Things I have tried:

Added site as an SSL exemption

Disabled HTTP 1.1 requests over proxy (found an old ISA article)

Disabled compression requests

Steps to produce:

1. Go to https://www.ssbwellington.com/

2. Choose Internet Banking

At that point, my browser gets forwarded to a signon page briefly and then I get a Forefront error page that says something exploded. Error Code 64: Host not available.  If I refresh the page it works fine. It's 100% repeatable for me in my environment.

Page that gives error:

https://www.ssbwellington.com/tob/live/usp-core/app/login/consumer

TMG Logging:

Log type: Web Proxy (Forward)
Status: 64 The specified network name is no longer available

How to publish ActiveSync with two-factor auth (client certificate + user/pass) with TMG 2010 without Kerberos constraint


Hello,

I have a question about publishing ActiveSync with TMG and two-factor auth.

How to get this managed? I have a client cert from my internal CA and installed it on my phone. The certificate chain is OK. The public cert is connected to my AD object (Name Mappings).

So how to configure the TMG listener? (HTTP auth, standard AD, with require SSL client certificate and require auth?)

How to configure the TMG rule? (All authenticated users? No delegation, but client may authenticate directly?)

I checked out many possibilities but get this error every time: "12313 site requires Client Certificate"

EAS Bug ?

Any help would be great. 

thanks, best Martin

ISA 2006 - HTTP does not work over IPSec tunnel. All other protocols are fine.


I have a Site-to-Site VPN connecting over IPSec.   Everything works fine across this VPN except HTTP.  

I have read that this is due to the Web Proxy Filter:

http://support.microsoft.com/default.aspx?scid=kb;en-us;885351

There are multiple sources suggesting this, and the advice seems to be to create a new HTTP protocol and remove the Web Proxy Filter from it.  I have done this and assigned it to the policy rule connecting the two sites, but it makes no difference.

Any ideas would be greatly appreciated.

thanks,


Publishing RD Web Access on Forefront TMG 2010 with TMG FBA


Hi,

I'm trying to publish RD Web Access on a TMG server and to have the users authenticate with TMG's forms-based authentication. The web access rule in TMG is configured for NTLM authentication delegation. But I end up hitting the RD Web Access authentication forms after I complete authentication with TMG's forms. Is there any way I can avoid the RD Web Access forms and authenticate the users only with TMG's forms?

Both RD-WA and the TMG server run on Win Server 2008 R2.

Any info on this will be much appreciated!

Pras

PPTP Site to Site VPN problem


Hi, I hit a small problem when setting up a Site-to-site VPN within TMG 2010.

I've created a Site-to-site PPTP VPN connection as advised here, http://www.isaserver.org/tutorials/Configuring-PPTP-Site-to-Site-VPN-Microsoft-Forefront-TMG.html However, the Site to Site doesn't connect. If you go into Routing and Remote Access you see the new Demand-dial Network Interface, with the connection state as Disconnected.

If you try to connect you receive the below error.

'An error occurred during connection of the interface. The network connection between your computer and the VPN server was interrupted. This Can be caused by a problem in the VPN transmission and is commonly the result of internet latency or simply that your VPN server has reached capacity. Please try to reconnect to the VPN server. If the problem persists, Contact the VPN administrator and analyze quality of network connectivity.' Then within Routing and remote access the connection state changes to Unreachable.

This is the first and only VPN connection created on the TMG server (VPN-HO) and network connectivity is fine. I've deleted the Site-to-site VPN and re-created it but still get the same error. The TMG server (TMG-RO) at the other end of the Site to site can connect to this TMG (TMG-HO) fine but any outgoing connections from TMG-HO to other TMG servers receive the above message. 

Hope this makes sense and any ideas or help is most welcome.

Kind Regards

For5six
Heavy customization of Forefront TMG login page


I need to customize the TMG login page by adding a dropdown field to the usr_pwd.htm page below the password textbox and also appending a value to username based on the current dropdown selection and also defaulting to a specific domain so the user does not have to type it (this is to be done in addition to modifying the text)...can it be done by modifying the TMG login page?

So far I have only seen guides on how to modify simple stuff such as strings, colors, graphics, etc...any guides or guidance out there to do some more serious modifications?

Thanks,
Igor


Forefront TMG denies access to FTP users if the "Require all users to authenticate" option is selected for the Internal network for web proxy client connections


Dear Sir,

We have installed MS Forefront TMG 2010 SP2 on Windows Server 2008 R2. We have selected the "Require all users to authenticate" option for the Internal network for web proxy client connections. This rule allows only authenticated (domain) users to access the internet through Forefront TMG, and this is what we want.

But this rule denies access to FTP users, which we do not want. When we deselect the "Require all users to authenticate" option for the Internal network, FTP users get access.

We would appreciate it if anyone could help us resolve this.

Thank you

Other product to split HTTPS traffic to different servers


Hi

Now that TMG is a discontinued product and it does not support Server 2012, I would like to be able to remove my TMG from my setup.

I just have one feature that I don't know how else I should achieve, and that's the feature to split up HTTPS traffic so that e.g. https://domain.tld/Exchange goes to one server and https://domain.tld/ADFS goes to another server, but still only have one IP!

I can't get another IP from my supplier

Does anyone know of another way to achieve this?

Regards Lars Motensen

P.S. Is TMG completely gone from the map, or is a successor coming?

You must restart this computer before installing Forefront TMG (final trial release)

Hi,

I am very happy that Microsoft has released the final version of TMG Server 2010. At this moment and as far as I know you can only download the trial. I have downloaded the trial version. But I cannot install it because I get a warning message during the Installation Wizard and setup cannot continue.

1. Deployed a new and clean virtual machine with Windows Server 2008 R2 (x64); successfully
2. Ran Windows Update; successfully
3. Ran the Preparation Tool; successfully
4. Ran the Installation Wizard; warning message

Then, the Installation Wizard says "A computer restart is required. You must restart this computer before installing Forefront TMG". But... when you restart the server, it keeps coming with this error message. You can restart as often as you want, same result.

At isaserver.org I saw the same issue. http://forums.isaserver.org/m_2002095201/mpage_1/key_/tm.htm#2002095201

I know there is a status in the registry somewhere and you can clean it. But I don't know where anymore, or whether this will result in unwanted behaviour. Any suggestions?

Boudewijn


RD Web Access redirection issue


I'm trying to redirect http://rdsfarm.company.com to https://rdsfarm.company.com/rdweb

The listener is directing http to https just fine.  However, redirecting to /rdweb is a problem.

My RD Gateway role is also on the same server as the RD Web Access role.  This allows us to use a single external IP and 1 name certificate.  My rule's path has both <same as internal> for external, then one for /rdweb/* and another for /rpc/*

I Googled around, and found 2 solutions that do not work for me:

1) Make external path /* and internal path /rdweb/*.

 - TMG does not allow this if /rpc/* path exists.  Removing /rpc/* works in redirecting, but makes RD Gateway inaccessible.

 - If I make ext path /, it redirects me to https://rdsfarm.mycompany.com/Pages/default.aspx/ and I get an error 403.  The path should be: https://rdsfarm.mycompany.com/rdweb/Pages/en-US/login.aspx?ReturnUrl=default.aspx  (note the missing "rdweb", "en-US", and "login.aspx?").

2) Action - Deny and redirect to http://rdsfarm.mycompany.com/rdweb

 - Seems to cause a problem with too many redirects error on the browser.  In IE, I get nothing.

Any suggestions?

TMG Form username only


Hello,

I have a Forefront TMG login page and it is currently asking for domain\username. I don't need the user to specify the domain since it is the same, can someone please point me to the setting in TMG to change the authentication to username only?

Thanks,
Igor
