Forefront TMG ISP Redundancy - loss of internet connectivity
Track down SYN attack
"ISP Redundancy: Connections have different offload capabilities" - is it harmful or not?
For best system performance, we recommend that you use network adapters with the same capabilities for both ISP connections.
electrifying
Unable to send emails through Outlook: ISA blocking port 587
I am sending this message after searching every possibility through Google but haven't figured out the problem.
I have ISA Server 2006 installed with Service Pack 1 and it is already updated. I am using the Edge template to configure network settings. In our area the ISP has blocked SMTP port 25 due to spam going through it. So we are only left with two ports, i.e. 587 or 465 with SSL. I want to let my Windows 2003 Server domain users use port 587 for sending their emails through Outlook. Please note that our Exchange server is situated in the USA (we are in Pakistan) and from a client computer and through ISA I am able to ping it. Also I have configured DNS as the first policy, then SMTP and SMTPS as the second, HTTP & HTTP as the third, and then the default deny policy. Please also note that SMTP through port 465 (SSL) works fine but I don't know about the CA.
I noticed in the logging activity that port 587 is denied by ISA with the message "unidentified traffic". I have also configured TMG on my network and the same issue occurs.
Could anybody please help?
Regards,
Abdul Ghaffar
SQL Server blocked by default rule
SQL Server is working fine on port 1433 in the internal network.
If I change the port to 6060 I can connect from external, but if I change it to 1433, in the log I can see the following error:
0xc004000d FWX_E_POLICY
The default rule blocks SQL Server.
Busy TMG array, ways of tweaking it?
Hey,
I have 5 TMG servers in an array. One of them is the master. All servers are the same pizza boxes: quad-core CPU, 8 GB RAM, mirrored disks, two on-board and dual-port NICs. I have Exchange 2013 published there. There are 9000 users and during peak hours each TMG has 3.2-3.5k connections (in the TMG dashboard). I'm also collecting performance monitors with SCOM and I see ~12-15k active firewall connections:
Occasionally during peak hours I receive authentication errors - HTTP 10013, 10048. It comes and goes; it lasts for 5-10 minutes and afterwards it works just fine.
I noticed that the errors are produced by specific servers, not all of them, just 2 out of 5. It changes over time, but it is always just one or two servers out of 5, never all of them producing errors.
I looked at the Firewall - Available Worker Threads counter:
During this specific period server 1 and server 2 were producing issues. It seems that server 1 had 270 workers available and server 2 ~40. There are no drops in worker availability. This is weird.
I'm not sure how to explain this: why server 1 is failing even though it had so many workers available, and likewise why server 2 is also failing.
Is there any way of tweaking this array to make it better? Disable CRL checking? Anything else?
Regards, Mindaugas Laucius
Block downloads containing zipped exe files
Hi Community.
I need to block the download of zipped exe files but so far I could not find any solution for that.
Thank you very much in advance and
best regards
Martin
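A filter that blocks ".exe" inside a ZIP has to look at the archive contents rather than the file name: a renamed executable still starts with the DOS/PE "MZ" header, and an executable can sit inside a nested archive. The following Python is an added example of that inspection, not code from this thread or from TMG (the thread does not say what TMG's own filters can do with archives); the sample archive it builds is constructed in-line from header stubs, not real programs, and the depth limit and extension list are assumptions.

```python
"""Inspect a ZIP archive for executables, including renamed and nested ones."""
import io
import os
import zipfile

PE_MAGIC = b"MZ"            # header every Windows .exe/.dll/.scr starts with
ZIP_MAGIC = b"PK"           # local file header / end-of-central-directory
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".msi"}


def inspect_zip(zip_bytes: bytes, max_depth: int = 2, prefix: str = "") -> dict:
    """Walk an archive held in memory and classify its entries.

    Returns {"executables": [names], "uninspectable": [names]}.
    Encrypted entries, archives nested deeper than max_depth and unparsable
    archives cannot be inspected; they are reported separately so a filter
    can fail closed instead of silently passing them.
    """
    found = {"executables": [], "uninspectable": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        found["uninspectable"].append(prefix + "<archive>")
        return found
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            if info.flag_bits & 0x1:          # general-purpose bit 0: encrypted
                found["uninspectable"].append(name)
                continue
            ext = os.path.splitext(info.filename.lower())[1]
            with archive.open(info) as entry:
                head = entry.read(4)
                if head.startswith(PE_MAGIC) or ext in EXEC_EXTENSIONS:
                    found["executables"].append(name)
                elif head.startswith(ZIP_MAGIC) or ext == ".zip":
                    if max_depth == 0:
                        found["uninspectable"].append(name)
                    else:
                        inner = inspect_zip(head + entry.read(), max_depth - 1, name + "/")
                        found["executables"] += inner["executables"]
                        found["uninspectable"] += inner["uninspectable"]
    return found


def should_block(result: dict) -> bool:
    """Fail closed: block when an executable was found or something could not be checked."""
    return bool(result["executables"] or result["uninspectable"])


def build_sample() -> bytes:
    """Constructed test archive; the 'executables' are 64-byte MZ header stubs only."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for entry_name, data in entries:
                zf.writestr(entry_name, data)
        return buf.getvalue()

    fake_pe = PE_MAGIC + b"\x90" * 62
    inner = make_zip([("tool.exe", fake_pe)])
    return make_zip([
        ("readme.txt", b"plain text, allowed"),
        ("setup.exe", fake_pe),      # caught by extension and by magic
        ("notes.dat", fake_pe),      # renamed executable, caught by magic only
        ("inner.zip", inner),        # nested archive, recursed into
    ])


if __name__ == "__main__":
    verdict = inspect_zip(build_sample())
    print(verdict, "-> block" if should_block(verdict) else "-> allow")
```

The magic-byte check is deliberately loose (any "PK" prefix is treated as a possible archive) so that a text file starting with those bytes is reported as uninspectable rather than passed; tightening it is a policy choice, not a correctness one.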
Publish SharePoint site with TMG for external access
Dear all,
Could you show me how to configure publishing a SharePoint site with TMG 2010 for external access?
Thank you
Hung Viet
0xc0040396 Error When Joining EMS Array
I am trying to migrate ISA 2006 Enterprise to TMG 2010 Enterprise. I built the Windows 2008 R2 EMS server and successfully imported the configuration which I had exported from ISA (single server "array"). I then installed TMG 2010 on my intended first array member, which is a Windows 2008 R2 server with the same name and IP address as the original ISA server. The new server thus has a certificate with the same subject name as the one used by the old ISA server. I also imported a certificate which is used for an OWA publishing rule into the new server.
When I try to join this server to the array, it can connect to the EMS but it eventually fails with this error:
"0xc0040396 SSL is enabled for the internal network. You must specify a certificate to use for SSL authentication."
I'm not entirely sure what the error means. I've checked the Web Proxy tab for the Internal Network on the new server and SSL was not enabled. I've tried enabling it and specifying the certificate with the subject name of the server, but that made no difference. I also tried using the OWA certificate, which of course also failed (no surprise there). (I don't think the old ISA server has SSL enabled on the Internal Network anyway, but I'll need to confirm this.)
Does anyone have an idea as to how I resolve this? I'm guessing that maybe I'm missing the meaning of the error and I'm hoping someone else can help with this. I'm not finding much on the Web about this error.
Thanks in advance for any help.
NLB IP problem and loop problem
Hi,
I have 2 TMG SP2 servers for service and another single Configuration Storage server (all acting as web proxy only).
Each TMG service server has 2 interfaces on the same subnet:
Server 1: Client Facing: 192.168.1.1/24, GW: 192.168.1.254
Server 1: Intra-Array: 192.168.1.2/24, no GW or DNS
Server 2: Client Facing: 192.168.1.3/24, GW: 192.168.1.254
Server 2: Intra-Array: 192.168.1.4/24, no GW or DNS
I have enabled WNLB with 192.168.1.10, but I noticed that the NLB IP is placed on the Client Facing interface on Server 1 and on the Intra-Array interface on Server 2. Why did this happen? Shouldn't the IP be on the Client Facing interface only?
Another thing: I am also getting the following errors.
Forefront TMG detected a proxy server loop. There may be a problem in the configuration of the Forefront TMG Web chaining policy. Alternatively, in Enterprise Edition, when CARP is enabled and there are intermittent interruptions of intra-array connectivity, array member A may forward a request to array member B according to the CARP algorithm, and array member B may forward the request to array member A in an endless loop.
But I did not enable it.
And another error: Routing configurations for some intra-array servers are not defined properly. Routing to intra-array servers should be configured to use the local intra-array network adapter. Intra-array servers that do not comply with this configuration: 192.168.1.2
Why this error if all the interfaces are on the same subnet? All the interfaces are pingable from all interfaces. Should I put the Intra-Array interfaces in a separate subnet, or is there no problem if they stay on the same subnet?
Link Translation warning
When I have the listener setting below to redirect everything to HTTPS I get link translation errors, and I don't really understand what I am supposed to add to the global settings.
Description: The Web listener used in a Web Publishing rule specifies HTTP connections to the clients, but the rule specifies an HTTPS connection to the published server or web farm. HTTPS links will be translated to HTTP links.
Description: Forefront TMG detected that the Web Publishing rule TEST specifies HTTPS connections to the published server or server farm, while the Web listener used in the rule specifies HTTP connections from clients. In this configuration, HTTPS links will be translated to HTTP links, which may compromise security. You can prevent this behavior by adding global mappings to the link translation settings. To do this, in the console tree of Forefront TMG Management click Configuration and click General. Then, in the details pane, click Configure Link Translation, and on the Global Mappings tab, use the Add button to create additional global mappings.
Can you help me?
Web publishing paths
I have published a website that uses http://site.domain.com/xyz/abc and users have to manually enter the full link. I was hoping to make this simpler by adding /xyz/abc to the internal path and /* to the external path, and that worked, so users now only have to enter http://site.domain.com. However, now it won't let users log in. Then I discovered that when users could log in the URL changed to http://site.domain.com/zxy/MYabc.
I need help figuring out how to add that in paths; when I try just /xyz/* that doesn't work. Any ideas? Hope this makes sense.
I've tried every combination I could think of. So to summarize, I'd like users to be able to use http://site.domain.com externally and support http://site.domain.com/zxy/MYabc and http://site.domain.com/zxy/abc internally. http://site.domain.com/zxy/abc would have to be first.
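The ordering problem in this post is the usual one for any first-match path list: once a catch-all external path `/*` is mapped onto an internal prefix, every request, including the login redirect to `/zxy/MYabc`, gets that prefix glued in front of it, so a more specific pass-through pair has to sit above the catch-all. The Python below is an added example, not code from the thread or from TMG; it models path pairs as ordered (external, internal) tuples with the `/*` suffix meaning prefix match, which is an assumption about the semantics, and adds a shadowing check that a rule list should pass before it is applied.

```python
"""Model of an ordered external->internal path map for a reverse proxy."""


def map_path(external_path: str, rules):
    """Return the internal path for an external request path, or None.

    Each rule is (external_pattern, internal_pattern). A pattern ending in
    '/*' is a prefix match and the remainder of the request path is appended
    to the internal prefix; any other pattern must match exactly. Rules are
    tried top-down and the first match wins.
    """
    for external, internal in rules:
        if external.endswith("/*"):
            prefix = external[:-1]                  # '/zxy/*' -> '/zxy/'
            if external_path.startswith(prefix):
                return internal[:-1] + external_path[len(prefix):]
        elif external_path == external:
            return internal
    return None


def shadowed_rules(rules):
    """Return external patterns that can never match because an earlier,
    broader prefix rule already captures everything they would match."""
    shadowed = []
    for position, (external, _) in enumerate(rules):
        for earlier, _ in rules[:position]:
            if earlier.endswith("/*") and external.startswith(earlier[:-1]):
                shadowed.append(external)
                break
    return shadowed


# Assumed rule sets illustrating the post: the site lives under /xyz/abc,
# but after login the application redirects to /zxy/MYabc.
BROKEN = [("/*", "/xyz/abc/*")]                       # catch-all only
FIXED = [("/zxy/*", "/zxy/*"),                        # specific pass-through first
         ("/*", "/xyz/abc/*")]                        # then the catch-all

if __name__ == "__main__":
    for path in ("/", "/zxy/MYabc/login"):
        print(path, "->", map_path(path, BROKEN), "|", map_path(path, FIXED))
    print("shadowed in wrong order:", shadowed_rules(list(reversed(FIXED))))
```

Running the shadowing check on a rule list before applying it catches the case where the catch-all has been placed above the specific pair, which the proxy would accept silently.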
TMG rule for redirecting all requests for IEEE access to one ISP
Hi All
I have two ISPs. We have registered one ISP with IEEE for IEEE Journal access. Now we got one more ISP and in the TMG firewall we configured ISP load balancing. Whenever the request is going through the second ISP, we are not able to access IEEE Journals. I need help to make a firewall rule for redirecting all IEEE access requests through the first ISP only. Please help.
Urgent help needed.
Thanks in advance
Shaji
TMG stops responding every 4 days / many connection drops with idle VPN connections
Hi everyone!
I am running a TMG firewall with about 200 users connected, on Server 2008 R2, patch level 7.0.9193.601.
It is virtualized on Hyper-V 2008 R2. Additionally we have 4 IPsec site-to-site VPNs configured in Windows Advanced Firewall, as TMG doesn't provide such a comfortable way to configure them directly in TMG.
About 3 months ago that TMG started to lose connectivity from time to time. At first we were not monitoring the problem precisely, as we thought it was an ISP issue, but some days before Christmas the TMG server just dropped every outgoing connection and stopped listening!
I was able to control the server over Hyper-V directly, but no connection inbound or outbound could be established (no incoming VPN or outgoing surfing).
I checked the event logs and there was NO other error than the errors from the TMG connection verifiers.
As far as I could tell TMG still worked as far as logs and engine were concerned, but no routing was done at all!
The last resort was to reboot the TMG, then everything worked as before.
This behavior then appeared every 4 days. Simple workaround: scheduled reboot every 3 days!
But that is no satisfying solution. Additionally, some VPN users reported that their connections have quite annoying drops from time to time; unfortunately I was not able to trace the error.
Possible sources that I can exclude:
- Backup (online snapshot with ArcServe - the server was NOT saved)
- AV (Symantec Endpoint Protection 12.1 - was uninstalled, nothing changed)
Any ideas??
Best regards
Problem connecting VPN client to ISA Server (error 628) and result code 0x80074e24 FWX_E_CONNECTION_KILLED
Hello everybody!
I have one ISA Server that is configured as a VPN server.
Clients could connect to the VPN server one week ago! I had to power off the ISA Server because the host had to be upgraded. After powering on the server, the VPN server in ISA does not work.
The message shows "Verifying username and password" and finally "Error 628..." when the client connects to the VPN server.
I ran a query in the Logging tab in ISA Server and this result code shows:
0x80074e24 FWX_E_CONNECTION_KILLED
I do not know why!
Please help me !
How to block specific Device ID in TMG 2010
Hi,
I need to block a device ID on the TMG server, not in Exchange 2010.
Is it possible?
The problem is that an old device is trying to connect with an old password and we cannot find this device.
The wrong password is locking the specific user out of accessing mail on his new device.
The device ID is not listed in the Exchange mobile devices, because someone deleted it a long time ago.
We have a password lockout policy in TMG.
Is there a solution?
Thanks,
Lior
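One fact that helps with the situation in this post: an Exchange ActiveSync request carries its identity in the URL query string (`/Microsoft-Server-ActiveSync?Cmd=...&User=...&DeviceId=...&DeviceType=...`), so the DeviceId is visible in the proxy log even when authentication fails and the logged user is anonymous. The Python below is an added example, not code from the thread or from TMG, and does not use any TMG API: it finds the device behind the 401s over a constructed log sample (the log line layout is invented, only the EAS path and parameter names are the real ones) and shows the matching block rule. Two caveats: the `User` and `DeviceId` values are client-supplied, so they identify the client only as well as the client chooses to be honest, and EAS 12.1+ clients may send the query in a base64-encoded form that this parser does not decode.

```python
"""Find and block an Exchange ActiveSync DeviceId at the proxy/log layer."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

EAS_PATH = "/microsoft-server-activesync"


def parse_eas_request(url: str):
    """Extract User/DeviceId/DeviceType/Cmd from a plain-text EAS query string.

    Returns None for non-ActiveSync URLs and for requests whose query is not
    in the plain key=value form (e.g. the base64-encoded EAS 12.1+ variant).
    """
    parts = urlsplit(url)
    if parts.path.lower() != EAS_PATH:
        return None
    query = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    if "deviceid" not in query:
        return None
    return {"user": query.get("user"), "device_id": query["deviceid"],
            "device_type": query.get("devicetype"), "cmd": query.get("cmd")}


def is_blocked(url: str, blocked_device_ids) -> bool:
    """Block rule: drop any ActiveSync request carrying a blocklisted DeviceId."""
    request = parse_eas_request(url)
    if request is None:
        return False
    return request["device_id"].upper() in {d.upper() for d in blocked_device_ids}


# Constructed sample proxy log (assumed layout, not TMG's real log format):
# date time client-ip http-status url
SAMPLE_LOG = """\
2014-01-10 08:00:01 203.0.113.5 401 https://mail.example.com/Microsoft-Server-ActiveSync?Cmd=Ping&User=alice&DeviceId=OLDPHONE42&DeviceType=SmartPhone
2014-01-10 08:00:09 203.0.113.5 401 https://mail.example.com/Microsoft-Server-ActiveSync?Cmd=Ping&User=alice&DeviceId=OLDPHONE42&DeviceType=SmartPhone
2014-01-10 08:00:15 198.51.100.7 200 https://mail.example.com/Microsoft-Server-ActiveSync?Cmd=Sync&User=alice&DeviceId=NEWPHONE01&DeviceType=iPhone
2014-01-10 08:00:31 203.0.113.5 401 https://mail.example.com/Microsoft-Server-ActiveSync?Cmd=Ping&User=alice&DeviceId=OLDPHONE42&DeviceType=SmartPhone
2014-01-10 08:01:02 192.0.2.9 200 https://mail.example.com/owa/
""".splitlines()

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\d{3}) (\S+)$")


def failing_devices(lines):
    """Count 401 responses per (user, device_id); the stale device stands out."""
    hits = Counter()
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        status, url = int(match.group(3)), match.group(4)
        request = parse_eas_request(url)
        if request and status == 401:
            hits[(request["user"], request["device_id"])] += 1
    return hits


if __name__ == "__main__":
    for (user, device_id), count in failing_devices(SAMPLE_LOG).most_common():
        print(f"{count} failed logons for user={user} device_id={device_id}")
    blocklist = {"OLDPHONE42"}
    for line in SAMPLE_LOG:
        url = line.split()[-1]
        print("BLOCK" if is_blocked(url, blocklist) else "allow", url)
```

The same DeviceId match is what a URL-based block at the publishing layer would key on; because the value comes from the client, blocking it stops the stale device from consuming logon attempts but is not a substitute for changing the credential the device keeps presenting.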
Forefront TMG 2010 + Forefront TMG Client + SFTP Connection = "The action cannot be performed because the session is not authenticated"
Hello all,
I want to restrict Winsock access for defined Active Directory groups, so I thought I'd use the TMG Client instead of SOCKS, because the TMG SOCKS filter doesn't support authentication:
But now I face a problem:
- I create a firewall rule for SSH/SCP/SFTP; looks good so far
- I use WinSCP as the client
- The TMG Client is installed on the client
- I set up my TMG in the TMG Client
- I start the SFTP connection and see the connection get dropped at the TMG because
"The action cannot be performed because the session is not authenticated"
But in the same log entry: "User: <my username>(?)"
So why is there a (?) and why does it say it is unauthenticated? I thought all TMG Client connections are authenticated, and as far as I can see it is authenticated?!
Can anyone help with this?
Thanks in advance
Edit:
It works with FileZilla?! With FileZilla the given username is
"user: Domain\username"
Why is this different from what I see with WinSCP?
TMG 2010 network adapter losing connectivity after application of MS updates for October 2013
Shortly after we applied the Microsoft October 2013 updates to our TMG 2010 SP2 server we started experiencing loss of connectivity on our Internet-facing adapter (we could no longer ping the gateway etc.). A reboot would resolve the issue. The problem kept recurring, so we removed a couple of the networking-related updates for October (http://support.microsoft.com/kb/2888049) and (http://support.microsoft.com/kb/2882822) as a test. After these were removed the problem stopped.
We inadvertently reapplied these two updates during the November 2013 update cycle and the problem happened again. We removed the updates and everything is back to normal.
Just wondering if anyone else has applied these two updates to their TMG 2010 SP2 server and experienced any unusual issues?
Thanks