Channel: Forefront TMG and ISA Server forum

TMG 2010 - Unable to join array managed by EMS server


After installing TMG server, I want to join it to my already existing EMS server.

However, at the end of it, it attempts to join the server, and halfway through pops a message "Operation Failed", and details as follow:

"0x800706d9

There are no more endpoints available from the endpoint mapper"

 

Does anyone have any idea why this is happening? I didn't have such errors in my previous experiences with TMG 2010.


Block all websites in ISA 2006

I would like to block all websites in ISA 2006 by using * in a block rule, e.g. adding http://*. Is it possible?

If yes, it will block all web sites, so I will set this rule to the lowest priority and later create new rules for allowed sites with higher priority.

Any suggestion?


Abhijeet D

Strange Issue...


Hi Folks;

I could use a hand with a strange issue I've encountered.

Recently we built a new TMG 2010 VM from scratch (Edge w/2 WAN NICS & 1 LAN). This all works well.

The problem I'm having is with adding another network. In the past, we used TMG 2010 with a separate NIC that went to an open wireless access point. So we created a new network for that and restricted its access to the WAN only (Internet). This served to separate all traffic from that access point from the internal network. So we had this working well before and it was secure (at least, with respect to the internal network).

Now, this is not working with the new TMG install :(

We created the virtual NIC on the TMG virtual machine, we then created a new network in TMG, as well as a NAT rule to the External network (the WAN). Problem is, it doesn't work.

But the real issue that's preventing me from troubleshooting and repairing this issue is that the TMG 2010 real-time logs show NO results for this new network. If I go on that network and start creating traffic I see NOTHING in the logs on TMG. I've even opened up the logs to show everything and still see nothing from that network. 

Nothing has changed on the configuration of the access point, and the TMG 2010 NIC that it's pointing to has the same addressing as with the previous TMG 2010 install. It should work, at least to the extent that I see results in the TMG logs.

What have I forgotten? If I can get to the point where I see traffic in the logs I can create rules as required etc., but without log information...

How to use 2 TMG Servers for Internet Access


Hi there,

This is what we have setup at the moment.

We have two TMG 2010 SP2 Servers, let's call them TMG1 & TMG2. They sit in two different sites (physically not logically) which I will refer to as Site1 and Site2. TMG1 sits in Site1 and TMG2 in Site2.

All internal users access the Internet via TMG1. They all have TMG Clients installed and they receive TMG1 as their proxy server (WPAD) via our DHCP servers. 

I feel bad to see that TMG2 cannot take a little bit of traffic off TMG1 for those who want to access the Internet. How can I go about doing this? I can achieve this by adding TMG2 manually on the TMG Clients, but I prefer to do this automatically. Is there a way to publish TMG2 in WPAD while TMG1 is already there? Don't forget we only have the luxury of using two TMG Standard servers. :(

Thank you.

TMG 2010 clients cannot access www.medicare.gov web site


TMG 2010 clients cannot access www.medicare.gov web site. A second site with TMG 2010 can access the site. 

The clients that cannot access the site do not get an error in their browser - just nothing happens? 

All other sites we have tried work without a problem.

Thanks,

John

TMG MBE randomly drops all network connections. General stability problems.


I have reinstalled TMG MBE (Security Server, part of Essential Business Server). The original server had 0x80090005 Bad data errors which rendered the user interface inoperative. The re-installation followed 'Replacement mode' procedure and was installed to different hardware.

Since the reinstallation, TMG randomly drops all network connectivity so that it cannot connect to the Internet or internal computers. The failure is intermittent and lasts from 30 to 120 seconds; on some days it occurs frequently and on other days it does not occur at all. Restarting the server reduces the problem but does not always resolve it. Updates have been installed; KB967723 fails as it has already been installed.

Further to this problem:

there have also been a couple of 0x80090005 Bad data errors and have restored the server from a Windows backup;

the firewall and other TMG services do not start with the computer, I have to logon and start manually.

We have three users in a remote office, each with a PPTP VPN connection, that connect through a single router. The problems seem to have started when multiple VPN connections were created. I am in the process of setting up an IPsec site-to-site VPN and have created it with routing and firewall rules on TMG, but have not set up the remote router (we are awaiting a new connection at the remote site). I now find that PPTP connections fail when the server is restarted, and I find that randomly moving VPN firewall rules and restarting the firewall service will resolve this eventually.

The hardware is a Dell R300 with a dual-core 3.1 GHz CPU, 4 GB RAM and Broadcom NICs. This is within the system requirements. However, I cannot find any hardware problems and have updated the firmware.

Many connections are dropped with a status 10055


On our NLB TMG cluster (TMG 2010 Enterprise SP2) we have a problem that on one server we have many dropped connections with status code 10055 (An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full). This started with one alert: Event 14198: The Web Proxy filter failed to create a network socket because there are no available ports on this computer. Forefront TMG already reset the maximal port number to 65535. Make sure this is the value at HKLM\System\CurrentControlSet\Services\TcpIp\Parameters\MaxUserPort and restart the computer to apply this change.

According to some old fixes for ISA 2006 we should shorten the TIME_WAIT period. But using netstat -ano and counting TCP sessions and TIME_WAIT sessions, we see about 8000 - 10000 TCP connections of which about 2000-3000 are TIME_WAIT. I don't think that that is too much.

We don't see a sudden increase of load.

What could cause these 10055 errors?
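The TIME_WAIT count the post derives by hand from netstat -ano can be tallied by script. The following PowerShell is an added example, not code from the thread or from Microsoft: it parses netstat -ano output (a constructed sample is embedded; the live command is shown in a comment), counts connections per state, and reports how many distinct local ports each local address is using, which is the figure to compare with the dynamic port range shown by netsh int ipv4 show dynamicport tcp when chasing 10055 (WSAENOBUFS) drops. The function name and the sample addresses are assumptions.

```powershell
# Added example (not from the forum post). Summarises TCP connection states
# from `netstat -ano` text so TIME_WAIT build-up and ephemeral-port usage can
# be checked on a proxy node that is logging 10055 drops.
function Get-TcpStateSummary {
    param(
        # Raw lines of `netstat -ano`; for live data use: -NetstatLines (netstat -ano)
        [Parameter(Mandatory=$true)] [string[]] $NetstatLines
    )

    $conns = foreach ($line in $NetstatLines) {
        # Example line: "  TCP    10.0.0.5:49321   203.0.113.9:443   TIME_WAIT   0"
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                LocalAddr  = $Matches[1]
                LocalPort  = [int]$Matches[2]
                RemoteAddr = $Matches[3]
                RemotePort = [int]$Matches[4]
                State      = $Matches[5]
                ProcessId  = [int]$Matches[6]
            }
        }
    }

    # Count connections per state (ESTABLISHED, TIME_WAIT, LISTENING, ...).
    $byState = @{}
    foreach ($c in $conns) { $byState[$c.State] = 1 + [int]$byState[$c.State] }

    # Distinct local ports in use per local address, excluding listeners:
    # these are what compete for the dynamic (ephemeral) range on an
    # outbound proxy, and TIME_WAIT entries still hold their port.
    $portsPerAddr = $conns |
        Where-Object { $_.State -ne 'LISTENING' } |
        Group-Object LocalAddr |
        ForEach-Object {
            [pscustomobject]@{
                LocalAddr     = $_.Name
                PortsInUse    = @($_.Group | Select-Object -ExpandProperty LocalPort | Sort-Object -Unique).Count
                TimeWaitCount = @($_.Group | Where-Object { $_.State -eq 'TIME_WAIT' }).Count
            }
        }

    [pscustomobject]@{
        Total        = @($conns).Count
        ByState      = $byState
        PortsPerAddr = $portsPerAddr
    }
}

# Constructed sample standing in for live output (addresses are documentation ranges).
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2120
  TCP    10.0.0.5:8080          10.0.0.77:52311        ESTABLISHED     2120
  TCP    198.51.100.2:49321     203.0.113.9:443        TIME_WAIT       0
  TCP    198.51.100.2:49322     203.0.113.9:443        TIME_WAIT       0
  TCP    198.51.100.2:49323     203.0.113.10:80        ESTABLISHED     2120
  UDP    0.0.0.0:53             *:*                                    1040
'@ -split "`r?`n"

$summary = Get-TcpStateSummary -NetstatLines $sample
"Parsed TCP rows: $($summary.Total)"
$summary.ByState.GetEnumerator() | Sort-Object Key | Format-Table Key, Value -AutoSize
$summary.PortsPerAddr | Format-Table -AutoSize

# Compare PortsInUse for the external address with the range reported by:
#   netsh int ipv4 show dynamicport tcp
```

On the constructed sample this reports 5 TCP rows, two of them TIME_WAIT, and 3 ports in use on 198.51.100.2. The point of splitting the count per local address is that a proxy only exhausts the ephemeral range on the interface it sources outbound connections from, so a cluster-wide or whole-box total can hide the problem.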

Publishing server 2012 rdweb through tmg 2010


We currently are trying to publish Server 2012 R2 RD Web through TMG. We get to the point of launching an app, and get the message stating that your computer cannot connect to the remote computer because the Remote Desktop Gateway is temporarily unavailable. The solution works fine internally, so we suspect it has something to do with TMG. We get 3 denials when logging traffic:

1)
Log type: Web Proxy (Reverse)
Status: 12302 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.
Source: 111.111.111.111:63206
Destination: 222.222.222.222:443
Request: RDG_OUT_DATA http://url.domain.com/remoteDesktopGateway/
Filter information: Req ID: 0dcaf420; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous

2)
Log type: Web Proxy (Reverse)
Status: 12302 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.
Source: 111.111.111.111:63206
Destination: 222.222.222.222:443
Request: RPC_IN_DATA http://url.domain.com/rpc/rpcproxy.dll?localhost:3388
Filter information: Req ID: 0dcaf423; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous

3)
Log type: Web Proxy (Reverse)
Status: 12302 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.
Source: 111.111.111.111:63206
Destination: 222.222.222.222:443
Request: RPC_OUT_DATA http://url.domain.com/rpc/rpcproxy.dll?localhost:3388
Filter information: Req ID: 0dcaf427; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous

We also have a 2008 R2 server published (using different URLs, listeners, rules, etc.) which works perfectly fine.
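The three denied entries above share one structure. The following PowerShell is an added example, not code from the thread or from Microsoft: it parses pasted TMG web proxy log entries of this "Key: value" form into objects and groups them by status code and HTTP method, so the verbs being denied can be listed and compared against what the publishing rule allows. The sample text is constructed from the post's entries (same placeholder addresses); the function name and the allowed-methods list are assumptions for the demonstration.

```powershell
# Added example (not from the forum post). Turns pasted TMG log entries into
# objects and summarises which status codes and HTTP methods were denied.
function ConvertFrom-TmgLogEntries {
    param([Parameter(Mandatory=$true)] [string[]] $Lines)

    # Each entry starts at a "Log type:" line; fields are "Key: value" lines.
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Log type:') {
            if ($null -ne $current) { $entries += $current }
            $current = @{}
        }
        # Lazy key match so "Filter information: Req ID: ..." keeps its whole value.
        if ($null -ne $current -and $line -match '^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$') {
            $current[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($null -ne $current) { $entries += $current }

    foreach ($e in $entries) {
        # "Status: 12302 The server denied ..." -> numeric code 12302
        $code = $null
        if ($e['Status'] -match '^(\d+)') { $code = [int]$Matches[1] }
        # "Request: RDG_OUT_DATA http://..." -> method and URL
        $method = $null; $url = $null
        if ($e['Request'] -match '^(\S+)\s+(\S+)') { $method = $Matches[1]; $url = $Matches[2] }
        [pscustomobject]@{
            LogType     = $e['Log type']
            StatusCode  = $code
            StatusText  = $e['Status']
            Method      = $method
            Url         = $url
            Source      = $e['Source']
            Destination = $e['Destination']
            User        = $e['User']
        }
    }
}

# Constructed sample built from the post's three entries.
$sample = @'
Log type: Web Proxy (Reverse)
Status: 12302 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.
Source: 111.111.111.111:63206
Destination: 222.222.222.222:443
Request: RDG_OUT_DATA http://url.domain.com/remoteDesktopGateway/
Protocol: https
User: anonymous

Log type: Web Proxy (Reverse)
Status: 12302 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.
Source: 111.111.111.111:63206
Destination: 222.222.222.222:443
Request: RPC_IN_DATA http://url.domain.com/rpc/rpcproxy.dll?localhost:3388
Protocol: https
User: anonymous

Log type: Web Proxy (Reverse)
Status: 12302 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.
Source: 111.111.111.111:63206
Destination: 222.222.222.222:443
Request: RPC_OUT_DATA http://url.domain.com/rpc/rpcproxy.dll?localhost:3388
Protocol: https
User: anonymous
'@ -split "`r?`n"

$parsed = ConvertFrom-TmgLogEntries -Lines $sample
$parsed | Format-Table LogType, StatusCode, Method, Url -AutoSize
$parsed | Group-Object StatusCode, Method | Select-Object Count, Name | Format-Table -AutoSize

# Constructed list standing in for the methods the rule is configured to allow;
# anything denied with a method outside it is worth checking against the rule.
$allowedMethods = @('GET', 'POST', 'HEAD')
$parsed | Where-Object { $_.Method -and ($allowedMethods -notcontains $_.Method) } |
    Select-Object -ExpandProperty Method -Unique
```

On the sample this yields three entries, all status 12302, with methods RDG_OUT_DATA, RPC_IN_DATA and RPC_OUT_DATA, and the final pipeline lists exactly those three verbs as outside the constructed allowed list. The same function works on the forward-proxy log blocks pasted elsewhere in this feed, since they use the same "Key: value" layout.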


FF TMG 2010 on Server 2012


Has anyone tried successfully installing Forefront TMG 2010 on Windows Server 2012?

I tried but failed, it complained about unable to add roles and features.


Valuable skills are not learned, learned skills aren't valuable.


Can't open ports on TMG 2010


The main issue is that the external Lync clients can't connect to the Lync server. The reason this happens is blocked ports on TMG.

There are non-web server publishing rules set up allowing inbound connections from the public IP to the Lync Edge server's external IP using TCP ports: 443, 444, 445, 5061, 50000-59999 (inbound).

All the rules used to work fine and the external Lync clients were connecting fine, but now when I test the ports on the public IP using web tools (like checkmyports.net) I am getting "Port is Closed" for all of them.

What is not allowing the ports to be open?

Nothing has been changed on the TMG server. The other rules (ActiveSync and OWA access) on the TMG work with no problem.

Any help would be greatly appreciated!



FTMG decompression of GZIP files locally


I am experiencing a problem with our FTMG where content that exists on the web in GZIP format is arriving on my desktop decompressed instead of compressed. Note that the content still has the filename with the extension .gz, so from a Windows perspective it still thinks the content is compressed.

I've verified that this is happening on multiple computers that utilize the FTMG and that this behavior is NOT happening when I use a computer that is not attached to the FTMG.

I cannot find any settings or configuration information that would allow me to turn this "feature" off.

This only happens for HTTP traffic and does not happen for FTP traffic since I can routinely download other gzip compressed files using the FTP protocol and those files arrive on my local desktop still compressed.

This is a problem since the software that I'm using - provided by an external agent - is expecting the files that it is working with to arrive fully compressed. This software crashes (as it should) when trying to decompress a file that is already decompressed.

I have verified that this is happening irrespective of the use of caching, i.e. it happens with the cache turned on and with the cache turned off.

Note that this problem started about two days ago since the software I have been using for years started crashing two days ago.

Please provide some advice on how to stop this behavior.

Sincerely yours,

Jerry W. Manweiler, Ph.D.

Error on Publish SAP Web Ecc6


Hi Guys,

I need to publish SAP GUI Web from TMG for Internet access. On SAP version R/3 it works fine, but the company updated SAP to ECC 6. This publication presents an error on SAP logon.

I created the rule and redirected the logon screen with success, but when a user logs on to SAP, it presents this error:

PS: Until this page the SAP logon screen has been redirected with success. The failure is only when users try to log on.

Anyone with this case or some idea? I updated TMG 2010 to SP2 and applied RP4.


If I helped, rate it! Rodrigo Fontes Tavares - Network Administrator

How will Microsoft continue supporting ISA 2006

I would like to buy ISA Server 2006 Enterprise Edition, but the reseller is instead offering to supply TMG. I however haven't upgraded to Windows 2008 yet. I am in a fix over whether to go ahead and buy ISA or get TMG and upgrade to 2008. I need to know how long ISA 2006 will be supported before I make a decision. Help please.

I have a Windows 2003 domain spanning 3 sites and running Exchange 2007.

Lonje.

Can't access FTP from the Internet because of TMG

One of our clients is running TMG. After we converted the FTP server from VMware to Hyper-V, we can't access the FTP server from the Internet. We can access it internally. I think it is a TMG issue but can't figure out how to fix it. Help.

Bob Lin, MCSE & CNE Networking, Internet, Routing, VPN Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net How to Install and Configure Windows, VMware, Virtualization and Cisco on http://www.HowToNetworking.com

ISA Server 2006: all users are getting a password prompt

Dear Team,

 

We have ISA Server 2006 configured for proxy; randomly all users are getting a password prompt while accessing any website, and the password is not accepted.

 

  1. We have configured Websense on the same server.
  2. During the proxy issue, as a domain admin I am able to access websites from the ISA server and from any system on the network.
  3. No event is generated in the event logs.

 

OS : Windows server 2003.

 

As of now we are restarting server and resolving problem.

 

If anyone has faced this issue, please guide me on how to fix this proxy issue.


Regards, Sushant


Forefront logs flooded with Denied Connections with result code 0xc0040050 FWX_E_TCPIP_DROP_IP_NOT_LOCALLY_DESTINED


As the subject says, our Forefront TMG logs are being flooded with Denied Connections with result code 0xc0040050  FWX_E_TCPIP_DROP_IP_NOT_LOCALLY_DESTINED.

Unlike the other posts discussing this error, there is no NLB involved and it is not running as a single interface proxy, we are using TMG as a gateway so it has two interfaces. The switch also has broadcast traffic disabled on the port connected to TMG.

The logs are very mysterious and provide very little to go on as the Network interface and all IP addresses for these errors in the logs are blank, and the destination port is shown as zero. Note that other packets are being logged correctly and these fields are turned on in the firewall logs.

Any help to get something meaningful to show in the logs or resolve this error would be much appreciated.

Routing (chaining) failure


Hi Folks!

I'm seeing a Routing (chaining) failure every time the localhost tries to download CRL updates from the Internet.

I checked the System Policy and it has an enabled rule from localhost to All Networks for CRL updates.

This is the first entry in the connection;

Failed Connection Attempt  EDGE  3/7/2014 6:04:12 PM
Log type: Web Proxy (Forward)
Status: 12206 Forefront TMG detected a proxy chain loop. There is a problem with the configuration of the Forefront TMG routing policy. Please contact your server administrator.
Source: Local Host (WAN IP:10475)
Destination: External (a23-59-190-136.deploy.static.akamaitechnologies.com 23.59.190.136:80)
Request: HEAD http://23.59.190.136/v10/1/microsoftupdate/redir/muredir.cab?1403080204
Filter information: Req ID: 0b21a351; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
Additional information
  • Client agent: Windows-Update-Agent
  • Object source: (No source information is available.)
  • Cache info: 0x10 (Request includes the VIA header.)
  • Processing time: MIME type: -

This is the second error and it shows a 500 Internal Server Error (which may be significant);

Allowed Connection  EDGE  3/7/2014 6:04:12 PM
Log type: Web Proxy (Forward)
Status: 500 Internal Server Error
Rule: [System] Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads)
Source: Local Host (WAN IP:10432)
Destination: External (a23-59-190-136.deploy.static.akamaitechnologies.com 23.59.190.136:80)
Request: HEAD http://23.59.190.136/v10/1/microsoftupdate/redir/muredir.cab?1403080204
Filter information: Req ID: 0b21a34b; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
Additional information
  • Client agent: Windows-Update-Agent
  • Object source: Internet (Source is the Internet. Object was added to the cache.)
  • Cache info: 0x48040010 (Request includes the VIA header. Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header. Response includes the VIA header. Response should not be cached.)
  • Processing time: MIME type: text/html

These errors only occur when the Localhost tries to download CRL Updates from the Internet. The system policy rule that allows this behavior is enabled.

Can anyone help with addressing this issue, other than posting a link to some article that has nothing to do with this issue? :)


Q: Marking a question as answered when it's not - is this something new? A: Not at all, it's standard Nick Gu!


Issue in configuring TMG as Forward/Reverse Proxy


I am trying to setup reverse and forward proxy using TMG 2010. I have following networks:

Internal Networks:
10.2.1.0/24
10.3.1.0/24

DMZ (Perimeter) Network:

10.7.1.0/24   NAT relationship with external network e.g. Public IPs

I've setup one TMG node and selected "Back Firewall" as topology.

NIC 1 Config: (Internal)
------------
IP:    10.2.1.20
Subnet: 255.255.255.0
DW:     Not defined
DNS:    10.2.1.5


NIC 2 Config: (Perimeter)
-------------
IP:    10.7.1.20
Subnet: 255.255.255.0
DW:     10.7.1.5
DNS:    Not Defined

During setup, when the wizard asked me to define internal IP ranges, I defined 10.2.1.1 - 10.2.1.255 instead of selecting the adapter.
Setup Completed successfully.

I created Allow rule from internal to local host.

From the client end:
From client machines I cannot access the TMG internal interface IP (because the gateway is not defined on the TMG internal interface, I guess),

while I can access the DMZ interface IP, i.e. 10.7.1.20, and can telnet to port 8080.
When I define the DMZ interface IP, i.e. 10.7.1.20:8080, as the proxy address in the client-side browser, it throws an error "10061 no connection could be made because the target machine actively refused it":

Failed Connection Attempt
Log Type: Web Proxy (Forward)
Status:10061 No connection could be made because the target machine actively refused it.
Rule: Allow
Source: Internal (10.2.1.39)
Destination:LocalHost (10.7.1.20:8080)
Request:Get http://www.google.com
Protocol:http


On the TMG server:
When I define the DMZ interface IP, i.e. 10.7.1.20:8080, as the proxy address in the browser, it still throws the error "10061 no connection could be made because the target machine actively refused it".
But when I define the internal interface IP as the proxy in the browser, i.e. 10.2.1.20:8080, it works:


Allowed Connection
Log Type: Web Proxy (Forward)
Status:303 Not Modified
Rule: [System] Allow all HTTP traffic from forefront TMG to all networks (for CRL downloads)
Source: LocalHost (10.7.1.20:10082)
Destination: External (94.245.34.74:80)
Request:Get http://someurl
Protocol:http

What am I missing? Please advise, and what could be the workaround to get this working from the internal network?

Regards,

TMG Access Denied message overlay


Good Day

We are blocking facebook.com in our company using forefront tmg 2010.

The problem now is: if a site has a Facebook plugin (for example the Like button) which is blocked, the TMG message is overlaid over other text.

How can we change this behaviour?

Thanks 

Outlook + IPSEC


Hello

We are attempting to secure Outlook anywhere access via TMG (2010) and IPSec for external users of Exchange 2010. I have setup the TMG rule via instructions from MS.

IPsec has been set up to require authentication using our internal CA between "Any IP Address" and the external IP that TMG listens on. This has also been tested and I can verify that a Main Mode SA is created between the 2 systems (Authentication: cert, Encryption: 3DES, Integrity: SHA1, Diffie: Medium 2).

Problem is that they don't seem to work together with Quick Mode.

TMG Logs:

Event ID 4651

An IPsec main mode security association was established. Extended mode was not enabled. A certificate was used for authentication.

Local Endpoint:
Principal Name: cas-a1.company.local
Network Address: 12.17.154.41
Keying Module Port: 500

Local Certificate:
SHA Thumbprint: af4253038110f736921065e4ac3f709adc5b7c6
Issuing CA: firma Certificate Authority
Root CA: C=PL, O=firma, OU=www.firma.com, CN=firma Root Certificate Authority

Remote Endpoint:
Principal Name: pc.firma.local
Network Address: 95.40.78.98
Keying Module Port: 500

Remote Certificate:
SHA thumbprint: 8fa55581e23d2afba500ed69904af3372d4c30854
Issuing CA: firma Certificate Authority
Root CA: C=PL, O=firma, OU=www.firma.com, CN=firma Root Certificate Authority

Cryptographic Information:
Cipher Algorithm: 3DES
Integrity Algorithm: SHA1
Diffie-Hellman Group: DH group 2

Security Association Information:
Lifetime (minutes): 480
Quick Mode Limit: 0
Main Mode SA ID: 128

Additional Information:
Keying Module Name: IKEv1
Authentication Method: Certificate
Role: Responder
Impersonation State: Not enabled
Main Mode Filter ID: 362858

Next, Event ID 4655

An IPsec main mode security association ended.

Local Network Address: 12.17.154.41
Remote Network Address: 95.40.78.98
Keying Module Name: IKEv1
Main Mode SA ID: 128

Event ID 4653

An IPsec main mode negotiation failed.

Local Endpoint:
Local Principal Name: -
Network Address: 12.17.154.41
Keying Module Port: 500

Remote Endpoint:
Principal Name: -
Network Address: 95.40.78.98
Keying Module Port: 500

Additional Information:
Keying Module Name: AuthIP
Authentication Method: Unknown authentication
Role: Responder
Impersonation State: Not enabled
Main Mode Filter ID: 0

Failure Information:
Failure Point: Local computer
Failure Reason: No policy configured
State: No state
Initiator Cookie: c61882ea0dd6310c
Responder Cookie: f6bdd2d3235cf6e1

On TMG I have VPN with IPsec, and that is working fine (only users from the domain group with a certificate can authenticate). OWA is on a separate listener and rule (only users from the domain with a certificate can authenticate).

Any ideas why Quick Mode/IPsec for Outlook gets dropped (No policy configured - where?)?

Thanks a lot for help.

