
TMG load balance and publishing issues

Dear Experts,

I have some questions about publishing multiple services with TMG's ISP redundancy with load balancing:
We are using a single TMG 2010 server to protect our network and provide Internet connection to it. We manage our own domain, providing the name service with the DNS server component installed on the TMG box, and publish it outside. We are using Exchange for mail service, and we publish web sites and terminal services via RDP too. There wasn't any problem till today, when we got another, separate Internet connection via a new, different ISP. When I set ISP Redundancy to Load Balance I faced a problem. The Internet connection works fine, but the partner SMTP servers drop our letters, because they cannot complete the reverse DNS check.
How can I set the TMG and/or the DNS to provide a correct mail publishing service? How should I set our DNS to provide access to our web sites and other services when one of the Internet connections breaks down?
Thank you in advance!

Thomas
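The reverse DNS check the partner mail servers perform is forward-confirmed reverse DNS: the PTR record of the connecting address must name a host whose A record points back at that same address. The Python example below is added here and is not part of the post; it runs that check over constructed DNS data for the egress addresses a load-balanced TMG may use (198.51.100.10 on the original ISP, 203.0.113.20 and 192.0.2.30 as assumed new-ISP addresses), so every address outbound SMTP can leave from is audited, not just the first one.

```python
"""Forward-confirmed reverse DNS (FCrDNS) audit over a constructed DNS snapshot.

All addresses and names are constructed sample data standing in for live
PTR and A lookups; replace the lookup callables with real resolver calls.
"""
from dataclasses import dataclass, field

# Constructed reverse zone: the original ISP address has a PTR, the new ISP
# address has none, and a third address has a PTR whose name does not point back.
PTR_RECORDS = {
    "198.51.100.10": ["mail.example.net"],
    "203.0.113.20": [],                     # new ISP: no PTR published yet
    "192.0.2.30": ["mail.example.net"],     # PTR exists, but see A_RECORDS
}
# Constructed forward zone: only the original address is listed for the mail host.
A_RECORDS = {
    "mail.example.net": ["198.51.100.10"],
}


@dataclass
class FcrdnsResult:
    ip: str
    confirmed: bool
    reason: str
    ptr_names: list = field(default_factory=list)


def check_fcrdns(ip, ptr_lookup, a_lookup):
    """Pass only if some PTR name of `ip` has an A record that contains `ip` again."""
    names = ptr_lookup(ip)
    if not names:
        return FcrdnsResult(ip, False, "no PTR record", [])
    for name in names:
        if ip in a_lookup(name):
            return FcrdnsResult(ip, True, f"{name} -> {ip}", names)
    return FcrdnsResult(ip, False, "PTR name does not resolve back to the address", names)


def audit_egress(addresses,
                 ptr_lookup=lambda ip: PTR_RECORDS.get(ip, []),
                 a_lookup=lambda name: A_RECORDS.get(name, [])):
    """With ISP load balancing, any egress address may carry SMTP, so all must pass."""
    return {ip: check_fcrdns(ip, ptr_lookup, a_lookup) for ip in addresses}


if __name__ == "__main__":
    for ip, result in audit_egress(list(PTR_RECORDS)).items():
        print(f"{ip}: {'OK' if result.confirmed else 'FAIL'} ({result.reason})")
```

The third case (PTR present, no matching A record) is the one most easily overlooked when the new ISP delegates reverse DNS but the forward zone on the TMG-hosted DNS is not updated.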


Issue with Microsoft Reputation Service (10.ds.mrs.microsoft.com host offline)

Dear TMG Community,

Since yesterday (22/1/14) a client of ours has been experiencing an issue with TMG and the Microsoft Reputation Service.

The following event is intermittently logged to the Application Log:

Event ID: 31524

"An error occurred while trying to communicate with the Microsoft Reputation Service server. If this Forefront TMG server is chained to an upstream server, verify that the WinHTTP proxy is set to localhost. If this issue persists, check that Internet connectivity is available."

Further troubleshooting has revealed an issue with one of the hosts behind the 10.ds.mrs.microsoft.com DNS record.

10.ds.mrs.microsoft.com --> 207.46.60.244 (HTTPS not working)

10.ds.mrs.microsoft.com --> 207.46.60.245 (HTTPS working)

10.ds.mrs.microsoft.com --> 65.55.74.113 (HTTPS working)

We experience an event each time TMG attempts to connect to 207.46.60.244. This is consistent across several ISPs/upstream DNS providers. For now, we've entered a static hosts file entry on the TMG servers to avoid the many SCOM alerts.

Could someone at Microsoft please look into this and advise once the issue is resolved?

Kind regards,

David Barrett

SharePoint Workspace not working through TMG

Hi,

I have exposed a SharePoint site collection called BrainBoosters through TMG. This is meant to be a secure connection for consultants who access the site externally. Access to the site is 100%. The only issue I am currently experiencing is that Workspace is not working externally, only internally. We are using SharePoint Foundation 2010. Below is the error message on the client when the Workspace option is clicked from within the browser. I have also included the Deny action taking place on TMG.

Your help would be very much appreciated.

Guy



Microsoft Office Sharepoint Workspace 2010        Reverse Proxy    -    sp.brainboosters.co.za    TCP    -    Req ID: 0aaf2f55; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes    -        0x0    0x0    49512    Web Proxy                    0    2407    213    -    2011/09/22 11:55:40    -    -    0    -    0    -    -    -    -    -    -    0    0                                           -    2011/09/22 13:55:40    41.27.219.15    196.28.27.107    443    https    Denied Connection    -        -    -    -        12309 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.     anonymous    -    -    http://sp.brainboosters.co.za/    SVR-TMG    Unknown    Web Proxy Filter            -            0    -   

Site-to-site routing(?) fails

Dear community!

I would like to ask you if you could help me configuring the TMG I have here.

The network topology:

                          External
                               |
                               |
Site1 <-  IPsec  ->  TMG    <- IPsec -> Site2
                               /\
                              /  \
                             /    \
                      Internal     DMZ

Internal: 192.168.201.0/24
DMZ: 192.168.151.0/24
Site1: 192.168.21.0/24
Site2: 192.168.202.0/24

All networks have their network objects created.

The problem is: I can see and ping everything from the Internal network,
but Site1 and Site2 can only see the Internal network, not the DMZ, nor each other.

Network rules:
#1: All protected networks ROUTE All protected networks
#2: All protected networks NAT External.

Question: Is this good enough, or should I define all the route rules each-by-each?

I am not 100% sure if the TMG is the weakest link in the chain, but I have absolutely no monitoring abilities over the branch office routers (FritzBoxes). So:
Question: Is there any way to monitor, or sniff into, the traffic the TMG sends or receives on one of the site-to-site connections?
Can I tap into and, for example, capture all the pings that were sent out or sent through the tunnel between TMG and Site1? This might be a really dumb question, but sorry, I have been struggling with this for over a month now.

Firewall rules:
#1: Tons of publishing rules.
#2: Allow all protocols from All protected networks to All protected networks. (Only until I find out what is wrong.)
#3: Standard Deny all from Everywhere

Question: Should there be a demand-dial connection in RRAS when you create a site-to-site connection?
Should the site-to-site VPN appear in the routing table?

Display time in GMT for network error access msgs

In Forefront TMG 2010 the following error message is displayed:

  • Error Code: 403 Forbidden. Forefront TMG denied the specified Uniform Resource Locator (URL). (12232)
  • IP Address: 192.168.10.200
  • Date: 1/23/2014 11:41:03 AM [GMT]

Can we change the GMT time zone to our local time zone so that troubleshooting will be easy for us?

Is it possible to change? If yes, then how?

error code 64

Hi all,

I have read 20-30 threads about this error, but still I can't solve mine.

For a few days this error has been popping up when accessing SharePoint over HTTPS through TMG 2010.

Who can help me? I can't find a solution for this weird problem.

I can reach my SharePoint server from TMG; the certificate is also OK, and so are the names in the certificate.

I have not installed any updates in the past days and also haven't changed anything yet.


Clients from specific site losing internet access randomly

Hi, this has been happening for a while on one of our sites. First, here's an overview of our setup.


The problem is happening on clients of 12.x subnet. So randomly some clients can't browse internet sites. It happens for 30min-1h and then comes back by itself.

  • Doesn't seem to be a routing issue, as when the problem is happening I can still ping internet IPs
  • Doesn't seem to be DNS related, as I can resolve LAN and WAN DNS names from the problematic machine
  • I also looked at my 3 DNS servers and the A records are correct, with the correct IP for the client PC
  • Browsing web sites on LAN is working fine
  • The problem NEVER happened on the other site (subnet 8.x)
  • When it's happening it's only to 1,2 or 3 clients and all others of the same subnet are working perfectly

On TMG log, we can see traffic between the client and TMG but with "SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer." errors. As soon as the client PC becomes alive again, the log doesn't show these "non-SYN" errors again.


web page is allowed but video is not playing

Hello,

I've got a TMG configured on Windows Server 2008 Enterprise.

So when I'm trying to access the web page, I'm entering the page, and when I'm pressing to watch the video...

it says "video not found <url>".

Without the proxy I can access this video and watch it.

On TMG I'm getting these logs:

Denied Connection TMG02 1/24/2014 3:00:21 PM
Log type: Web Proxy (Forward)
Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
Rule: Allow-Media
Source: Internal (192.168.1.14:50654)
Destination: External (10.11.12.13:8080)
Request: GET http://abc.def.com/secure/224/2235402.mp4?key=oK-KHXwM9owfTnfQhVF3aw&ttl=1390575620&start=0
Filter information: Req ID: 0db33909; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
Additional information
  • Client agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36
  • Object source: (No source information is available.)
  • Cache info: 0x0
  • Processing time: 1
  • MIME type:

AND

Failed Connection Attempt TMG02 1/24/2014 3:00:21 PM
Log type: Web Proxy (Forward)
Status: 5 Access is denied.
Rule: Allow-Media
Source: Internal (192.168.1.14:50654)
Destination: External (10.11.12.13:8080)
Request: GET http://abc.def.com/secure/224/2235402.mp4?key=oK-KHXwM9owfTnfQhVF3aw&ttl=1390575620&start=0
Filter information: Req ID: 0db3390a; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
Additional information
  • Client agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36
  • Object source: (No source information is available.)
  • Cache info: 0x0
  • Processing time: 1
  • MIME type:

Any ideas?


Costa Curta



The Object Invoked has Disconnected from its clients

Hi all,

I am experiencing an error with TMG 2010 which was never seen before. When opening the Network tab from the TMG 2010 console I am getting the error below.


This firewall is connected to a domain and managing 6 networks (6 arms connected to TMG 2010).

Other than the network tab, every other link is working fine.

Has anybody gone through an error like this?

Thanks.


Block Https://youtube.com

Hi Team,

I want to block YouTube in my environment irrespective of the protocol it uses. I created an Access rule to block a few websites; details are provided below.

Action: Deny, redirect to another site

Protocols: Http, HTTPS, HTTPS server, Http Proxy and all streaming media protocols

From: Internal

To : Blocked Websites (Domain name set) 

Rule applies to: All users

YouTube gets blocked when accessed through the HTTP protocol; whenever it's accessed using the HTTPS protocol it just connects. After a few days of research I found that the issue is only with Google Chrome. Whenever I access HTTPS://youtube.com in Internet Explorer the page is not displayed, but somehow Google Chrome overrides my proxy settings for this site alone.

Note: This same rule works fine for other secured websites, i.e. I am able to block HTTPS://Facebook.com using this same rule.

Workaround:

I have also found a workaround to make this work. Go to Internet Explorer, Proxy server settings page, and uncheck 'Automatically detect settings'. Now HTTPS://youtube will be blocked in all the browsers, including Chrome if it's importing proxy settings from Internet Explorer.

Question:

  1. When I select the 'Automatically detect settings' option in the local proxy settings, why is TMG not able to block HTTPS://youtube.com when used in Chrome?
  2. Whenever an HTTPS site is blocked, redirection doesn't work. As per the rule that I have set, whenever a site is blocked the page should be redirected to another web page. This works absolutely fine when a site using the HTTP protocol is blocked. Whenever an HTTPS site is blocked it just says 'Cannot display the webpage'.

Thanks in advance.

Forefront Identity Manager Resources on the TechNet Wiki

ISP redundancy with two Servers (two LAN cards on each server)

Hi,

I have two TMG servers in total, with two LAN cards in each: one for the internal LAN and the other for the external ISP. I have made an array of both of them; one is the manager and the other is managed.

My question is whether I can enable ISP redundancy, because when I go there I can see only the LAN cards of the same server, not those of the other server, to add as the second ISP.

Please help.

Can't ping from DC1 behind TMG1 to DC2 behind TMG2 on a site-to-site VPN connection

Hi,

I have a weird problem. I have two TMG servers on each site in a Hyper-V lab environment. I have been able to establish the site-to-site VPN successfully; however, when I ping from DC1 behind TMG1 (on site 1) to TMG2 or DC2, I am able to ping. However, the opposite doesn't work. After some trial and error, I figured out that the one initiating the demand-dial request is able to ping the other site, not vice versa... very strange. I would like to know whether ICMP requests could be achieved bi-directionally.

Secondly, I am able to ping from TMG1 to all the clients sitting behind TMG2 (including the TMG host); however, the clients sitting behind TMG1 can't ping TMG2 nor any of the clients behind it. I tried every possible combination under the firewall policies, but all in vain. Hell, I am starting to develop a very bad feeling about this product because of making such simple tasks overly complex. I mean, if it were a Cisco or SonicWall, we could have done this so easily.

My final motive is to send LDAP requests from DC1 to DC2 and vice versa over a site-to-site VPN so that I could set up 2 different sites in AD on different subnets and then proceed with configuring DAG. But if this simple thing turns out to be such a major roadblock, dunno how I am gonna pass DAG traffic over it.

Can someone PLEASE help me!! I am completely exhausted researching on this issue.

Regards,

Dman

I have a Wi-Fi manageable switch. I have 10 users to whom I want to provide a Wi-Fi connection. What kind of rule do I have to make in my TMG so that all these users automatically receive an IP from the Wi-Fi switch? Do I need to create a DHCP rule in the TMG firewall?

I have a Wi-Fi manageable switch. I have 10 users to whom I want to provide a Wi-Fi connection. What kind of rule do I have to make in my TMG so that all these users automatically receive an IP from the Wi-Fi switch?

Do I need to create a DHCP rule in the TMG firewall?


electrifying

Error Code 12206 : Proxy Chain Loop

I have received an error code 12206: proxy chain loop when I am trying to connect my Wi-Fi router through the WAN port. How do I resolve it?

electrifying


Allow selected Sites in Deny Rule

Dear All,

Please guide me how to create a rule to block all web sites and allow only selected sites.

Thanks in advance.

ISA Server 2006 + Average response time for Non Cached requests = performance issues?!?!?!

All,

I am in a predicament with internet browsing speeds... We have a 3rd party look after our line and internet-facing firewall, so I can't troubleshoot them, so at the moment I'm looking at ISA as the potential bottleneck. We have a fairly standard environment:

Internal > Local Host > Perimeter network > Firewall > Internet

I have been running custom reports on the ISA server to see what data can be collected. I have noticed that "Average response time for non cached requests" (traffic by time of day) can be as high as 76 seconds!!!!!! Cached hits are between .5 and 2 seconds.

I have also configured a connectivity verifier, which is also flagging slow connectivity, massively over the >5000ms, and also reporting "can't resolve server name" on occasions. This is configured for www.Microsoft.com --- DNS ???!?! However, I have looked through DNS (no obvious errors / config issues) which I can see.

I have run the BPA on the ISA server to ensure its health; connectivity verifier errors flagged timeouts to microsoft.com as expected...

Can anyone advise any obvious areas to investigate, as I'm struggling! As always, the 3rd party have told us the internet pipe is fine :O

BITTORRENT SYNC

I have problems using BitTorrent Sync for backups; it seems like it wants to go out through multicast and port 3838. Any idea?

authentication problems from iphone via ISA-Server (ldap)

Hello,

In our environment (Windows Small Business Server 2003 domain with Microsoft Exchange enabled) we have several users who log on exclusively from a smartphone (iPhone) to the domain, getting their messages via push mail. Authentication goes through ISA Server 2006 via LDAP; the server is not a member of that domain.

Everything works fine for a couple of days, but then an error message comes up that the username and/or password might be incorrect. The logon failure is reported in the security log at the domain controller (event ID 529) with the ISA server as the source address.

At that time a "compromised" user can log on to a domain member (a client or a terminal server session) without any problems, and after that the authentication from their smartphone is successful.

Users who also work on a Windows client don't have those problems.

Any help would be appreciated

Thanks in advance

Torsten


Activesync and OWA URL cannot be accessed from Nokia E5 or E63 phones after disabling SSL2.0 in TMG server

We have Exchange 2013; OWA/ActiveSync URLs are published via TMG. As per IT security we had disabled SSL 2.0 on the TMG servers. After that, Nokia E5 or E63 phones cannot browse the OWA URL or sync e-mails. We are getting an error in TMG that the connection is forcibly CLOSED.

What type of SSL is used by the Nokia E5, and how can it be forced to use SSL 3.0 from the client side?

Please Suggest.
