Channel: Forefront TMG and ISA Server forum

HTTPS access for Cloud Based helpdesk System for all Users on our Hospital

Dear forum,

I was testing with the new TMG 2010 and it is working fine. I would like to give access to a cloud based helpdesk solution for all users.

We have 4 groups in TMG: 1) Full access 2) Normal access 3) Special 4) Local.

The website login details are as below:

https://cureintl.zendesk.com/access/unauthenticated?return_to=%2Fhc&theme=hc

The Full access and Normal access groups are allowed to go out without any restriction.

The Special access group can access only certain sites, and Local access can only have access to our hospital's external website.

This new helpdesk system works fine on both the Normal and Full access groups.

I have created/tested with a domain name set for this website, but while accessing it the webpage looks like a cached one. No logo or anything is showing up. I tried the same using URL sets and got the same result. HTTP sites are working fine with this.

Domain Name Set used for this (screenshot)

Firewall Rules (screenshots: http://social.technet.microsoft.com/Forums/getfile/418179 and http://social.technet.microsoft.com/Forums/getfile/418184)

Appreciate your help on this case.

Thank You,

Bibin

Traffic logged as coming from another interface than the actual one + error 0xc0040012 FWX_E_NETWORK_RULES_DENIED


Hi,

I've a three-legged TMG, where one NIC is "Internal" while the other is "EDC".

- The network behind "Internal" is configured and working with remote site through PPTP VPN

- I want to add the network behind other NIC "EDC" to use same VPN.

Thus in TMG: Networking -> Networks -> Internal, I added the EDC adapter in addition to the Internal one, and used the already configured network rule between Internal and the other site's interface.

The strange thing is that when I initiate traffic from the EDC network, the TMG logging shows it with the correct source IP but labeled as External, where External is the built-in network object representing the Internet. Also, the traffic is denied with the error: 0xc0040012 FWX_E_NETWORK_RULES_DENIED.

I believe the External label issue is the root cause of the network rule error, but I don't know why it's occurring.

Please help

RRAS VPN routing issue


Hi all,

Wondering if anyone can assist me with the following issue:

I have a PPTP VPN on my TMG server; when I connect to the VPN I can access all LAN resources just fine. The problem is I have a VLAN on a switch called "test network" that I cannot always access from the VPN. I say "always" as sometimes I connect and can ping servers that are in that subnet, then I'll disconnect the VPN, reconnect, and then I can't ping them.

The config is as follows:

LAN: 10.0.0.0/16 (default VLAN on HP switch), gateway 10.0.0.254 (Juniper SRX)

Test network: 172.16.28.0/24 (test VLAN on the same HP switch), gateway 172.16.28.254 (which is on the HP switch, 10.0.0.9)

My TMG server has a DMZ adapter (external) for published load-balanced web servers, and an internal adapter. The internal adapter has no gateway set; the DMZ (external) adapter has a gateway of 192.168.168.254 (Juniper SRX).

On the TMG server there is a static route for 172.16.28.0 with a gateway of the HP switch, 10.0.0.9. The 172.16.28.0/24 address range is also in the internal interface in the TMG console.

I can ping any server on 172.16.28.0 from the TMG server. Sometimes when I connect to the RRAS VPN I can ping the 172 network; as soon as I disconnect and reconnect the VPN I can't get to it again (it does resolve the name), it just times out on ping. I can see within logging that the ping is allowed and has reached the TMG server, yet I get no reply.

Additional info: the RRAS has a DHCP relay so my VPN clients get the DNS suffix etc. I added a static route in the RRAS console for 172; the VPN could then reach the 172 network, but when I reconnected, nothing again.

I do also have a firewall rule that allows all outbound from Internal and VPN to Internal, VPN, External.

I know it's not an ideal setup and I am looking to move the test network gateway to the Juniper SRX; I just really wanted to figure out why this isn't working, or more to the point why it sometimes is and sometimes isn't.

When I do a tracert to a 172 address on the TMG server it goes to the switch 10.0.0.9 and then the server, as expected. When doing the same from a VPN client (when not working) it first goes to the RRAS adapter address and then it will time out.

If anyone could give me any tips that would be great.

Thanks

Ross

How to forbid users from bypassing the TMG server?

Users in my network are using proxy clients such as Ultrasurf and VPN clients such as Hotspot Shield to bypass the firewall policies on my TMG server.

Is there any possible way to forbid them?

Best regards

Unable to Login to WordPress Login Page through Forefront TMG 2010

Hi

I have a WordPress website, and when I try to log in to the WordPress admin login panel through the Forefront TMG proxy I get the error message below:

Service Temporarily Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later

But when I try to log in directly without using TMG I am able to log in to the WordPress page.

Please help me on this

Muja


Block https://youtube.com

Hi Team,

I want to block YouTube in my environment irrespective of the protocol it uses. I created an access rule to block a few websites, details provided below:

Action: Deny, redirect to another site

Protocols: HTTP, HTTPS, HTTPS Server, HTTP Proxy and all streaming media protocols

From: Internal

To: Blocked Websites (domain name set)

Rule applies to: All users

YouTube gets blocked when accessed through the HTTP protocol; whenever it's accessed using the HTTPS protocol it just connects. After a few days of research I found that the issue is only with Google Chrome. Whenever I access https://youtube.com in Internet Explorer the page is not displayed, but somehow Google Chrome overrides my proxy settings for this site alone.

Note: this same rule works fine for other secured websites, i.e. I am able to block https://facebook.com using this same rule.

Workaround:

I have also found a workaround to make this work. Go to Internet Explorer, Proxy server settings page, and uncheck 'Automatically detect settings'. Now https://youtube.com will be blocked in all the browsers, including Chrome, if it's importing proxy settings from Internet Explorer.

Question:

1. When I select the 'Automatically detect settings' option in the local proxy settings, why is TMG not able to block https://youtube.com when used in Chrome?
2. Whenever an HTTPS site is blocked, redirection doesn't work. As per the rule that I have set, whenever a site is blocked the page should be redirected to another webpage. This works absolutely fine when a site using the HTTP protocol is blocked. Whenever an HTTPS site is blocked it just says 'Cannot display the webpage'.

Thanks in advance.

With TMG EOL, what can I replace it with?

My TMG 2010 is used mainly as a reverse proxy for internal .NET applications, OWA, etc. What MS products or third-party products are available to replace this functionality?

Allowed Public Key Parameters for TMG reverse proxy HTTPS


Hi!

Is there any document where I can find which public key parameters are allowed in the certificates that are used for reverse proxy HTTPS publishing in TMG?

Is it always mandatory to have SHA1 / RSA, or can I use SHA1 / ECDH_P256? Or even something other than SHA1?

I tried, but I get a message that the keys are not allowed...

I'm asking just to be sure that it's a software restriction, and not my lacking know-how. :)

Antti

Antti Laatikainen, IT Security Manager, Santen Europe

ISP redundancy with two Servers (two LAN cards on each server)

Hi,

I have two TMG servers in total, with two LAN cards in each: one for the internal LAN and the other for the external ISP. I have made an array of both of them; one is the array manager and the other is managed.

My question is whether I can enable ISP redundancy, because when I go there I can see only the LAN cards of the same server, not those of the other server, to add as the second ISP.

Please help.

HTTP 401 Unauthorized response was received from the server-activesync

We have one Exchange 2007 server publishing ActiveSync and a TMG device. When we run the connectivity test we get:

An HTTP 401 Unauthorized response was received from the server. This may be the result of invalid credentials or a configuration problem on the Exchange Server.
Headers:
Connection: Keep-Alive
Content-Length: 1293
Content-Type: text/html
Date: Wed, 05 Feb 2014 03:59:39 GMT
Set-Cookie: cadata6C8B350652B244CDB9D3CED3A5B4B3E7="0d48e8766-0f58-4d69-9ed2-47fb26d52f0dVtBdeeexcyZbMqvKmYUFZbdifAG8M6pM97kvBjuJbfetthOpcXR/Js+r7leco3BusBFF3PW9a7MiorVBXbYaBbVIuZewuMLNxKPKNtfYp1C75132bxSnwmf0z4npA3URSGoRhfc4fmAyh+jbAA6Lcjx5lceio1DJaxokOu5Nkpql+54cs3ji1SIPHxcHX5WSuZHbWBnyiuF0+JrPSAZ0ZzTZwnwHGqhBlyBSpWwxtSU="; HttpOnly; secure; path=/
Server: Microsoft-IIS/7.0
WWW-Authenticate: Basic

X-Powered-By: ASP.NET

Can someone please help?

VPN Client configuration

Hi All,

I am new to TMG. I would like to get connected to my office network even when I am at home. I am able to find the settings to be done on the TMG server, but I am unable to find what needs to be done on the client side (my laptop). Should I install the TMG Client package? How do I instruct my laptop to connect to my office network when I am using an open Internet connection at home? My requirement is that when I am at home I need to log in to my office domain and carry out my regular work as if I were physically connected to my office network. Is this possible using TMG, or should I initiate a remote session and connect to one of the PCs in my office and do my work from there? Thanks in advance.

Regards 

Khan

Multiple routes and ISA2004 spoofing block

We are in the process of moving from SBS2003 with ISA 2004 to TMG and are currently running both firewalls with separate Internet connections.

Inbound SMTP traffic through the TMG firewall works fine as long as the email appears to come from the internal TMG NIC address. If we enable "send originating IP address" for logging purposes we get "spoofing detected".

Is there a way to get this working with ISA 2004?

TIA,

Fred

TMG 2010, HTTPS and "non-SYN packet"

Hello everybody,

I have a problem on my network. Sometimes, when a user opens an Internet website he notices a reduction in speed. It's principally the case when the website does additional transfers from Google, for example from Google Analytics. But this problem is not systematic, so it's difficult to give you more information. Sometimes it can be very difficult to access a website, and ten minutes later we can go to the same website without noticing any reduction in speed.

I did several analyses from the Forefront TMG 2010, and every time we have that loss of speed the TMG records this event:

Denied Connection SRV-TMG2008 11/02/2014 10:29:37
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer.  
Rule: None - see Result Code
Source: Internal (10.4.120.16:51786)
Destination: External (213.152.1.81.static.not.updated.as8218.eu 213.152.1.81:443)
Protocol: HTTPS
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 10.4.120.16

This message only concerns port 443. There is no problem with all the other ports. I understand the "3-way handshake", but I wonder why I have this problem when a request is concerned by the HTTPS protocol... I did several searches on the subject, but I didn't find the answer to my problem... On top of that, I am pretty much a newbie in networks. I will give you some additional information.

The TMG is installed as the "door" of the network. It checks all the input and output traffic and plays the role of a proxy. Every byte of data coming from the network passes through the TMG. Every byte of data coming from the outside passes through the TMG.

HTTPS inspection is not enabled and the network administrator doesn't want to enable it, because it can cause problems with some of the software used by the employees.

All the computers on the network have the IP address of the TMG as their default gateway. But the TMG itself has no default gateway except the link toward the Internet provider. So the TMG has no gateway for the LAN and PPP interfaces.

All the users' sessions are "remote desktop" sessions from a thin client to a Windows 2008 R2 server... yes, the employees work in a 2008 R2 session, without any administrator rights of course. The problem appears on the thin clients, but also on "classic" computers with a local session. The reduction in speed appears in Internet Explorer and in Mozilla Firefox. I don't know if it's the same problem with other browsers. But we have another problem in Firefox: if we browse pictures and then refresh the page (Ctrl + F5), the resulting page will freeze, only show some images, up to ten, and the scroll bar will disappear. When we analyse this phenomenon on the TMG, the error quoted above appears many tens of times.

I have no idea how to solve this problem... if you have any suggestions, I will read them carefully!

I also apologize for all the mistakes I made in this message. I'm French and I'm not really good at practicing foreign languages.

Thank you in advance for your answers, and have a nice day !
Lysle

Authentication problems from iPhone via ISA Server (LDAP)

Hello,

In our environment (Windows Small Business Server 2003 domain with Microsoft Exchange enabled) we have several users who log on exclusively from a smartphone (iPhone) to the domain, getting their messages via push mail. Authentication goes through ISA Server 2006 via LDAP; the server is not a member of that domain.

Everything works fine for a couple of days, but then an error message comes up that the username and/or password might be incorrect. The logon failure is reported in the security log at the domain controller (event ID: 529) with the ISA server as the source address.

At that time a "compromised" user can log on to a domain member (a client or a terminal server session) without any problems, and after that the authentication from their smartphone is successful.

Users who work on a Windows client too don't have those problems.

Any help would be appreciated

Thanks in advance

Torsten



Soap/XML web services through TMG in DMZ


Hello,

I hope someone can help me out here by answering a question.

I have a requirement to install SOAP/XML based web services on two web servers. The web servers are going to be public facing, with certain bodies/authorities sending and receiving electronic notices using SOAP/XML based services. Both (sending and receiving) parties will act as client and server depending on the request type. I am wondering what I will need to allow this application-level filtering via TMG.

The web servers are currently sitting in the production DMZ behind Internet-facing Checkpoint firewalls.

TMG is currently sitting in its own DirectAccess DMZ, which is behind the production DMZ.

Thank you,

Rockaposhi



TMG errors


Dear all,

I am using TMG 2010 with the Websense filter (7.5.0) and I have recently had problems with accessing a particular website.

I have also run some logging on the TMG server and I got the following:

Allowed Connection SERVERNAME 2/13/2014 10:54:52 AM
Log type: Web Proxy (Forward)
Status: 301 Moved Permanently
Rule: RULE NAME
Source: Internal (x.x.x.x:57554)
Destination: External (50.63.202.25:80)
Request: GET http://www.thefdforum.co.uk/
Filter information: Req ID: 179991df; Compression: client=No, server=Yes, compress rate=0% decompress rate=0%
Protocol: http
User: domain\username

The proceeding logs show the following status:

407 Proxy Authentication Required

12210 An Internet Server API (ISAPI) filter has finished handling the request. Contact your system administrator.

The web page displays HTTP 443 Forbidden.

SQL query


Dear all,

I have used the following SQL query to get a list of all the tables that contain a particular term in the column name:

SELECT COLUMN_NAME, TABLE_NAME 
FROM INFORMATION_SCHEMA.COLUMNS 
WHERE COLUMN_NAME LIKE '%test%'

However, I would like to write a query that looks through all the rows of each table for a particular value. Is this possible?


VPN Connection pass through to another server PPTP

Hi Guys,

Here's a question that will get you thinking! I have the following situation: I have two academies that need to be connected using a VPN. Academy 1 has a TMG server which NATs from the SWGfL IP range to our internal range, which is much bigger than the SWGfL-provided range. Academy 2 has an RRAS server and a small number of computers with a DNS and DHCP server.

I need these two academies to connect to each other. We have decided to use RRAS to join Academy 2 to Academy 1 using PPTP. I have configured the TMG server at Academy 1 to allow PPTP through to the RRAS server (172.16.0.26) and configured an on-demand interface. When I try to connect from Academy 2 I get the following error (see screen capture).

(screen capture: VPN Connection Issue-networkconnectionerror.jpg)

Does anyone have any idea as to what is going wrong, or how I can set up the RRAS server on the legacy (SWGfL) network and connect to our internal network?

Academy 1 setup
TMG Server 10.3.128.69 (SWGfL network)
10.3.128.2 NAT to 172.16.0.26 (PPTP)
Internal Network
IP Range Start: 172.16.0.1
IP Range End: 172.16.65.254

Academy 2
RRAS Server: 172.16.100.1 (Default Gateway)
DHCP Server: 172.16.100.8
Network Range: 172.16.100.1 - 172.16.101.254

Hope this makes sense to you; I can provide more details if required to assist with this issue.
Kind Regards

TPark IT Technician

[TMG 2010] Open port

Hello,

Sorry for my English, a little rusty ^ ^

I need to open TCP and UDP ports 46015 for a Java application that connects us to a room with video outside.

http://evo.caltech.edu/evoGate/Documentation/faq/firewall/firewall.html

I created the protocols and made the rule, but it does not work!

The rule:

WebConference -> Incoming TCP (46015), Outgoing TCP (46015), UDP Send Receive (46015) -> From: Internal to External

When I enable it, it works; after 2-3 minutes it does not work any more...

When I check in the log:

[Engine][analyseNetwork]  Default UDP port (46015): false, RTT = 0
[Engine][analyseNetwork] ... tested with xxx.xxx.xxx.xxx
[Engine][analyseNetwork]  Default TCP port (46015): false
[Engine][analyseNetwork]  Port 80 TCP: true
[Engine][analyseNetwork]  Port 443 TCP: true
[Engine][analyseNetwork]  Port 8080 TCP: false
[Engine][analyseNetwork]  Port 8443 TCP: false


Thank you for your help