Channel: Forefront TMG and ISA Server forum

SSTP connection is dropping on some clients


Hi,

I have set up a TMG array, which is mainly used for SSTP connections. There are two servers in the array and load balancing is used on the external side. SSTP is using user certificate authentication.

Most of the client connections are working fine, but I do have some issues with a few clients. The users having the issue say that the SSTP connection drops without any visible reason. Sometimes their connection will work for only a few minutes, sometimes it will be up for 2-3 hours.

I have run live logging on TMG, but I cannot find any reason there. I have also run netmon on the client side when the dropping is happening, but I cannot find any clue for this dropping in the netmon logs either.

Any tips what to check next?

BR, TommIK


setting up external NLB with more than one ISP

We have 2 TMG 2010 servers in an Enterprise Array; each has 3 external NICs, 1 DMZ NIC and 1 internal NIC.
    - NLB is set up on the internal NICs
    - ISP Redundancy on external NICs B & C
    - NLB is set up on external NIC B - 12.??.??.??/25 IPs for published web and FTP sites.

We would like to add external NIC A (209.??.??.??/27) to the external NLB.

How can I do this? Could I set up a netmask on the primary VIP to be a /27 (225.255.255.224) if we use less than 30 VIPs in both the 12... and the 209... subnets?

It seems like this should be doable, maybe not as I describe it.

Thanks,  Mike

Recently unable to access sites that run through ISA 2006 server


We have several sites set up on our ISA server, including a reverse proxy for an older MOC 2007 R2 install (upgrading to Lync pending); however, several of the sites that use a wildcard SSL cert are no longer functioning.

Chrome throws this error:
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

Firefox throws this one:
SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

Another site that is run through the ISA server, which doesn't use the wildcard cert but uses a premium EV SSL cert, is working just fine.

I've tried reinstalling the same cert as well as running a restore operation from our backups; the restored server (from Wednesday of last week) exhibits the same problems.

I've also deleted the rule and re-created it, and it's the same problem.

I'm at a loss.

Recommended method for adding and managing static routes with Forefront TMG Medium Business Edition (MBE)


Good day,

We make use of Forefront TMG Medium Business Edition (MBE) as part of Essential Business Server 2008 (EBS) and I would like to determine the correct method for adding and managing static or persistent routes. I am aware that this may be done using the command prompt; however, with reference to this blog post by Ori Yosefi (MSFT), this may not be the recommended approach.

The problem is that with the version of TMG (6.0.6417.100 MBE) shipped with EBS, I can't locate a Routing tab under Networking to administer IP routing using the TMG console. I'm not sure whether this is by design for MBE or an EBS-specific customisation.

The reason for adding the routes is to allow us to decommission the existing site-to-site VPN links and instead opt for better-performing routed internal subnets via hardware routers:

Network Routing

Any assistance will be greatly appreciated.

Regards,

Byron

TMG Stops responding every 4 days / many connection drops with idle vpn connections


Hi everyone!

I am running a TMG firewall with about 200 users connected, on Server 2008 R2, patch level 7.0.9193.601.
It is virtualized on Hyper-V 2008 R2. Additionally we have 4 IPsec site-to-site VPNs configured in Windows Advanced Firewall, as TMG doesn't provide such a comfortable way to configure them directly in TMG.

About 3 months ago the TMG started to lose connectivity from time to time. At first we were not monitoring that problem precisely, as we thought it was an ISP issue, but some days before Christmas the TMG server just dropped every outgoing connection and stopped listening!

I was able to control the server over Hyper-V directly, but no connection inbound or outbound could be established (no incoming VPN or outgoing browsing).

I checked the event logs and there was NO other error than the errors from the TMG connection verifiers...
As far as I was able to tell, TMG still worked as far as the logs and engine were concerned, but no routing was done at all!

The last resort was to reboot the TMG; then everything worked as before...
This behavior then appeared every 4 days... Simple workaround: a scheduled reboot every 3 days!

But that is no satisfying solution.... Additionally some VPN users reported that their connections have quite annoying drops from time to time; unfortunately I was not able to trace the error.

Possible sources that I can exclude:
- Backup (online snapshot with ArcServe - the server was NOT saved)
- AV (Symantec Endpoint Protection 12.1 - was uninstalled, nothing changed)

Any ideas??
Best regards

SharePoint Workspace does not work through TMG


Hi,

We have SharePoint 2010 with one web application and only one zone, the default one. We have published it on TMG so that it is accessible from outside through HTTPS. We have also enabled HTTPS on the inside. This works fine. But some users wanted to use Workspace outside our network and it turned out that this does not work:

I have already played around with persistent cookies like it is suggested here, but with no luck. Is it really necessary to extend the web application to the extranet zone? I don't see the point if we use the same settings.

Best regards,

Sandra

Sandra Ratis


error 10061 refused the connection


The error 10061 (connection refused) appears when I try to connect 2 applications on the same machine. I switched off the firewall for testing but there was no difference. The OS is W008 64-bit. What could be the problem? Thank you in advance.

SMTP failed connection attempt


Hi

This is my scenario

Exchange 2010 --> TMG 2010--> UBM Xroads --> ISP

My TMG runs on Hyper-V and Windows 2008 R2, hosted on Windows Server 2012 R2,

with two NICs.

When I publish the Exchange server on TMG, receiving works without problems but sending email is not working:

Failed Connection Attempt PMSNTMGSVRV 25/02/2014 10:01:38 a.m.
Log type: Firewall service
Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Rule: mailOUT
Source: Internal (192.168.1.20:7419)
Destination: External (85.158.140.211:587)
Protocol: mail
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 21015ms Original Client IP: 192.168.1.20

I have already checked the NIC config and all seems to be OK, but I'm stuck with this.

Any idea?


Timing in TMG


Hi Guys,

I want to have a solution in TMG to let the users have access to the internet for 2 hours every day. These 2 hours should be floating between 8 AM and 5 PM.

Thanks and regards,

Bahman

Which is best possible solution to distribute the web proxy settings


Dear All,

As we have a plan to go with VDI platforms, which would be the best practice for the proxy settings when a user tries to authenticate?

TMG client/ Auto Web proxy/ Group Policy Settings?

Could someone give any idea of the best practice on this?

Appreciate your help!!

Thank You,

Bibin.

TMG 2010 publish ADFS 2.2 (server 2012 R2)


I was running a DC with Server 2012 and ADFS 2.1 (Server 2012) and had an ADFS 2.1 Proxy.

I published ADFS externally via TMG with a web publishing rule; this worked great (no preauth by TMG).

Now I have a 2nd DC with Server 2012 R2 and installed ADFS 2.2 (Server 2012 R2) on it.
Now in the TMG ADFS publishing rule I changed the TO field to the IP of the 2nd DC.

Now when I run the TEST RULE I get "64 - the specified network name is no longer available".


TMG 2010 network adapter losing connectivity after application of MS updates for October 2013


Shortly after we applied the Microsoft October 2013 updates to our TMG 2010 SP2 server we started experiencing loss of connectivity on our Internet-facing adapter (we could no longer ping the gateway, etc.). A reboot would resolve the issue. The problem kept recurring, so we removed a couple of the networking-related updates for October (http://support.microsoft.com/kb/2888049 and http://support.microsoft.com/kb/2882822) as a test. After these were removed the problem stopped.

We inadvertently reapplied these two updates during the November 2013 update cycle and the problem happened again. We removed the updates and everything is back to normal.

Just wondering if anyone else has applied these two updates to their TMG 2010 SP2 server and experienced any unusual issues?

Thanks

Issue in configuring TMG as Forward/Reverse Proxy


I am trying to set up a reverse and forward proxy using TMG 2010. I have the following networks:

Internal Networks:
10.2.1.0/24
10.3.1.0/24

DMZ (Perimeter) Network:

10.7.1.0/24 - NAT relationship with the external network, e.g. public IPs

I've set up one TMG node and selected "Back Firewall" as the topology.

NIC 1 Config: (Internal)
------------
IP:    10.2.1.20
Subnet: 255.255.255.0
DW:     Not defined
DNS:    10.2.1.5


NIC 2 Config: (Perimeter)
-------------
IP:    10.7.1.20
Subnet: 255.255.255.0
DW:     10.7.1.5
DNS:    Not Defined

During setup, when the wizard asked me to define internal IP ranges, I defined 10.2.1.1 - 10.2.1.255 instead of selecting the adapter.
Setup completed successfully.

I created an Allow rule from Internal to Local Host.

From the client end:
From client machines I cannot access the TMG internal interface IP (because no gateway is defined on the TMG internal interface, I guess),

while I can access the DMZ interface IP, i.e. 10.7.1.20, and can telnet to port 8080.
When I define the DMZ interface IP, i.e. 10.7.1.20:8080, as the proxy address in the client-side browser, it throws the error "10061 no connection could be made because the target machine actively refused it":

Failed Connection Attempt
Log Type: Web Proxy (Forward)
Status:10061 No connection could be made because the target machine actively refused it.
Rule: Allow
Source: Internal (10.2.1.39)
Destination:LocalHost (10.7.1.20:8080)
Request:Get http://www.google.com
Protocol:http


On the TMG server:
When I define the DMZ interface IP, i.e. 10.7.1.20:8080, as the proxy address in the browser, it still throws the error "10061 no connection could be made because the target machine actively refused it".
But when I define the internal interface IP as the proxy in the browser, i.e. 10.2.1.20:8080, it works:


Allowed Connection
Log Type: Web Proxy (Forward)
Status:303 Not Modified
Rule: [System] Allow all HTTP traffic from forefront TMG to all networks (for CRL downloads)
Source: LocalHost (10.7.1.20:10082)
Destination: External (94.245.34.74:80)
Request:Get http://someurl
Protocol:http

What am I missing? Please advise, and what could be the workaround to get this working from the internal network?

Regards,

Microsoft Outlook cause an error


Good day,

I am using TMG 2010 with the latest updates and rollups. I created a rule for POP3, POP3S, SMTP, and SMTP3S from Internal to External for all users. The policy was working fine, but after a few months I received the following errors:

Denied Connection SQ-TMG-2K8 11/16/2013 8:37:51 AM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Source: Internal (192.168.160.49:137)
Destination: Local Host (192.168.160.255:137)
Protocol: NetBios Name Service
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.160.49

Denied Connection SQ-TMG-2K8 11/16/2013 8:37:53 AM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Source: Internal (192.168.160.49:137)
Destination: Local Host (192.168.160.255:137)
Protocol: NetBios Name Service
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.160.49

Regards,

Is ARR supported on IIS 8.0?



I have a question.

I will create a reverse proxy with ARR (Application Request Routing).

I want to create the reverse proxy in Windows Server 2012.

Windows Server 2012 bundles IIS 8.

But the latest ※WFF (a component of ARR) does not exist for IIS 8.

So I doubt whether "using ARR on IIS 8" is supported.

Does anyone know the answer?


※WFF = Web Farm Framework


TMG 2010 Can't Access Email under Outlook 2010 under POP3 with port 995


I have TMG 2010 under Windows 2008 R2 with Symantec Endpoint Protection. Everything is working fine and I can send email, but I can't receive email in Outlook 2010 under POP3 using port 995 with the option "This server requires an encrypted connection (SSL)" checked. I am trying to create a rule to add POP3S but it is not working. There is no problem with Windows 2008 R2 itself, because when I use a static (public) IP I can receive email... Can someone help solve this problem?

Ahmed

Ahmed Abdealla

How to block specific Device ID in TMG 2010


Hi,

I need to block a device ID on the TMG server, and not in Exchange 2010.
Is it possible?

The problem is that an old device is trying to connect with an old password and we cannot find this device.
The wrong password is blocking the specific user from accessing the mail on his new device.
The device ID is not listed in the Exchange mobile devices, because someone deleted it a long time ago.

We have a password lockout policy in TMG.

Is there a solution ?

Thanks,
Lior


Trouble with SignalR implementation in TMG environment


I'm trying to run a Silverlight application, which makes calls to a nested web application in which I have implemented Microsoft's SignalR Hub. The Silverlight application has a SignalR client, which tries to connect to the Hub over HTTPS at startup.

In the web application that hosts the Silverlight XAP file, a request is made to the SignalR hub to negotiate the transport protocol. This request fails: a 302 status code is the response and Forefront Manager shows FBA-Cookie exists="no".
The request being made is to the route URL .../HubWeb/signalr/negotiate?.....

A request to any other file in this same "HubWeb" web application responds with 200 and the FBA cookie does exist.
Also the call to /Hub/signalr/hubs shows the JavaScript file the SignalR hub renders, as expected.

What could be the reason for this particular request to fail and lose its FBA cookie?

If any more info could help, I'd be glad to supply it.


Thanks in advance for your advice.

ISA Server 2006, Web Usage


Hello forum, I need some help around ISA 2006. I am investigating an incident in which I have to report web usage, with date, time and URL visited, for a specific person. I have access to the console, but how do I run a custom report which only produces data for a specific person? I looked in ProgramFiles\Microsoft ISA Server\ISA Logs but couldn't figure it out. I ran a report with a start and end date, but a lot was produced by running that report. I understand that I can use WebSpy or Proxy Inspector to read the logs, but how do I begin with custom reporting? Is it even possible? It is ISA 2006 installed on Windows Server 2003. I simply need 15 days' worth of history. Please help.

Edit 1: I found http://elmajdal.net/isaserver/Creating_Detailed_Report_With_ISA_2006.aspx and am now attempting to run a custom query; I will post back the results. In the meantime please comment/suggest helpful tips. Maybe there is a better way of doing this?

Edit 2: OK, so I am able to run the query, but I've got questions:

A) I can't seem to select a date range; I have options like last 7 days, 30 days etc., but no option for a date range.

B) The ISA console will only display the first 10,000 results, which isn't much help. Can I dump the result into a SQL DB or pipe it to an Excel sheet?

C) Someone told me that if I have access to the ISA 2006 DBs I can create a full browsing report for a specific user; however, she wasn't able to tell me how to do it. Help!!!
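For questions A and B, the following is an added example (not from the post, and not ISA's own tooling) that reads the W3C-format text log ISA writes to its log folder, keeps one user's entries within an explicit date range, and writes all of them out as CSV with no 10,000-row cap. The field names in the constructed sample are an assumption; the parser uses whatever names the #Fields header declares.

```python
"""Filter ISA 2006 W3C-format web proxy log lines for one user and a date range.
Added example, not from the forum post: the field names below are a constructed
subset, and the parser uses whatever names the '#Fields:' header declares."""
import csv
import io
from datetime import date

# Constructed sample log in W3C extended format (header lines begin with '#').
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2006
#Fields: c-ip cs-username date time r-host cs-method cs-uri sc-status cs-rule
10.0.0.21 DOMAIN\\jdoe 2013-11-14 08:15:02 www.example.com GET http://www.example.com/ 200 Allow-Web
10.0.0.22 DOMAIN\\asmith 2013-11-14 08:15:07 mail.example.org GET http://mail.example.org/inbox 200 Allow-Web
10.0.0.21 DOMAIN\\jdoe 2013-11-20 17:42:11 news.example.net GET http://news.example.net/story 200 Allow-Web
10.0.0.21 DOMAIN\\jdoe 2013-11-29 09:01:45 www.example.com GET http://www.example.com/login 302 Allow-Web
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header repeats when the log rotates
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("log entry seen before any #Fields header")
            # Split on the first n-1 spaces so a last field containing spaces survives.
            yield dict(zip(fields, line.split(" ", len(fields) - 1)))

def user_history(text, username, start, end):
    """Return (date, time, URL, status) for `username` between ISO dates start..end inclusive."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    rows = []
    for entry in parse_w3c(text):
        if entry.get("cs-username", "").lower() != username.lower():
            continue
        if lo <= date.fromisoformat(entry["date"]) <= hi:
            rows.append((entry["date"], entry["time"], entry["cs-uri"], entry["sc-status"]))
    return rows

def to_csv(rows):
    """Serialise the rows as CSV text (no 10,000-row cap) for Excel or a SQL bulk import."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["date", "time", "url", "status"])
    writer.writerows(rows)
    return buf.getvalue()
```

Point it at the real daily log files by reading them into `text` and concatenating; the #Fields header in each file tells the parser the column layout, so it is not tied to the constructed sample's columns.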

How to create a rule for a single IP for a single site.


Hi All,

We need to create a rule with the following requirement in ISA 2006.

Allow one or two sites for a single IP, and everything else should be blocked. I tried the following method with little success.

Create a Deny rule with the following conditions.
Type: Deny, Protocol: all outbound, Source: user's computer IP, Destination: External. But I added the URL set and domain set to be allowed on the Exceptions tab; Users: All users (we do not have AD).

With the above rule everything gets blocked and the allowed site opens with fewer options: e.g. the login window does not come up but the site opens, and it does not display some images, etc.

Any help is much appreciated.

Thanks


Mukesh Bisht
