Channel: Forefront TMG and ISA Server forum

Errors in publish ActiveSync - TMG 2010


Hi everybody

I have ActiveSync publishing services for mobile devices. Everything's cool and works nicely; it authenticates users' account and password from the domain and all nicely biking through..

But ...

From time to time I receive in the logs something like this:

Failed Connection Attempt

Log type: Web Proxy (Reverse)
Status: 10054 An existing connection was forcibly closed by the remote host. 
Rule: Exchange 2010 ActiveSync
Source: External (31.61.130.244:25376)
Destination: Local Host (10.X.X.X:443)
Request: POST http://nazwadomeny/Microsoft-Server-ActiveSync?Cmd=Sync&User=pl%5Cpbysina&DeviceId=SEC1E10A6740BE94&DeviceType=SAMSUNGGTI9300
Filter information: Req ID: 0c89329a; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https
User: domain \username

Maybe someone would be able to suggest how to get rid of this FAIL, or what the reason for this FAIL is?

Thanks for posting

Przemo



Site to Site IPSec Tunnel and Remote access clients


We have a site-to-site IPsec tunnel between 2 locations, i.e. Location A and Location B.

Our requirement is that if Remote Access users connect to the TMG at Location A, they would be able to access resources behind Location B.

The problem is that I can't specify the local network as the Pool Range for remote access users and the destination networks as Location B in the crypto access-list in Phase 2.

The TMG sends a random subnet in the mode configuration packet for local and remote ident whenever the client connects. Is it possible to have a subnet for the address range of remote access clients sent at once? So that whenever the remote access client connects, they should be able to access Location B.

Also, is it possible to have Route Based VPN on TMG?

Any help would be appreciated !!

Regards,

Mitesh

FTP 425 error


Greetings, community!

Does anyone know how to correctly allow FTP access from Internal to External for FTP clients through TMG 2010?

I created a rule that allows the FTP and FTP over HTTP protocols from Internal to External for a specific AD group, but it works very strangely...

The FTP Read-only flag is turned off for all rules where it's possible.

Some distant FTP servers work perfectly without any errors. But some have errors when FTP clients (TotalCommander, FAR, FileZilla) try to get folder lists.

Errors like:

MLSD
425 Unable to build data connection: Software caused connection abort

If I try to reconnect several times, or refresh the page (TotalCommander), then sometimes it shows folder lists.

If I try to connect to these servers through my old ISA 2004 server, all is perfect.

Additionally, I found some strange messages from my DMZ TMG servers:

Closed Connection
Log type: Firewall service
Status: You were not connected because a duplicate name exists on the network. If joining a domain, go to System in Control Panel to change the computer name and try again. If joining a workgroup, choose another workgroup name.
Rule: Allow all from Internal to External
Source: Internal (172.16.0.101:46508)
Destination: External (62.113.86.19:31021)
Protocol: FTP

Maybe anyone knows how to solve this error? Is the error on my side or on the external FTP server's side? Why do some servers work fine and some with errors?

How To Find the User Who Used My IP Address


Dears,

We are using FTMG software for our firewall and I have an IP address that has full internet access. I took annual leave and when I came back to the office, someone had used my IP address to download stuff. Kindly, I need a way to know who used my IP address, via TMG or any other software.

Thanks..

TMG 2010 publish ADFS 2.2 (server 2012 R2)


I was running a DC with Server 2012 and ADFS 2.1 (Server 2012) and had an ADFS 2.1 proxy.

I published ADFS externally via TMG with a web publishing rule; this worked great (no pre-auth by TMG).

Now I have a 2nd DC with Server 2012 R2 and installed ADFS 2.2 (Server 2012 R2) on it.
Now in the TMG ADFS publishing rule I changed the TO field to the IP of the 2nd DC.

Now when I run TEST RULE I get "64 - the specified network name is no longer available".


Internet Consumption - ISA


I have noticed that one service, "wspsrv.exe", is consuming a huge amount of data. Can I please know the reason and whether it can be stopped? If yes, please provide me the instructions.

Thanks in advance!

VNC not working in All Authenticated mode of User


Hello,

I have TMG installed in my environment, through which users access filtered internet. A rule in which I have enabled URL filtering is in Authenticated mode of user, and the proxy address is also added in all users' Internet Explorer. Whenever a user tries to VNC to a computer it says "connection timed out", and when I add "all users" instead of Authenticated mode in the TMG rule, it is able to connect.

Deleted computer object still in TMG


So I used to have a SharePoint server on IP 10.10.2.6. It required some specific rules to function through TMG, hence I created a Network Object / Computer entry for it.

This server was removed months ago from AD and TMG. I recently set up a new Exchange server, recycling the IP address 10.10.2.6. Now that my Exchange publishing rules point to 10.10.2.6, in the logs I am seeing the Destination as: Local host (SharePointServer.domain.local 10.10.2.6)

instead of ExchangeServer.domain.local.

I have a Network Object / Computer entry for the Exchange server, but still in the logs 10.10.2.6 seems somehow associated with the Sharepoint server. I'm having issues with traffic to the Exchange server and so far this is the best lead I have.

So how do I completely get rid of the SharePointServer in TMG?


TMG drops spoofed packets from external networks


Greetings, community)

We have a strange situation with our "TMG Servers".

Architecture:

2 Internal (Back-End) TMG servers with 2 NIC each - Internal and Perimeter

2 DMZ (Front-End) TMG servers with 3 NICs each - Perimeter, Provider1, Provider2

2 EMS servers that have 2 Arrays - "DMZ" with two DMZ standalone servers and "Proxy" with two domain internal TMG servers.

Internal TMG servers have NLB enabled on each NIC. So, they are available from Perimeter through their Perimeter-VIP and from Internal through the Internal-VIP.

DMZ servers have NLB on their perimeter NICs, and ISP Redundancy enabled. Each external NIC has its own default gateway.

DMZ servers have a persistent route for traffic to the internal network through the Perimeter-VIP of the Internal servers.

So, the problem is strange:

We have some delays for traffic from external networks.

The DMZ servers' logs have errors about IP address spoofing:

Denied Connection DMZ-TMG-02 28.05.2014 13:24:18
Log type: Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule: None - see Result Code
Source: External (62.168.252.106:21972)
Destination: Internal (172.16.0.100:443) <- This is the Back-End servers' Perimeter-VIP.

Same situation in Internal ARRAY logs:

Denied Connection BLK-TMG-02 28.05.2014 13:29:16
Log type: Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule: None - see Result Code
Source: Local Host (172.16.0.102:54152)
Destination: External (93.158.134.11:80)
Protocol: HTTP

and

Denied Connection BLK-TMG-02 28.05.2014 13:45:45
Log type: Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule: None - see Result Code
Source: Local Host (172.16.0.100:443)
Destination: External (213.87.131.98:46125)
Protocol: Skype <- User-defined protocol for Skype access

Is this normal, or did I make a mistake somewhere in the configuration?

Internet access from Internal works well, but sometimes with annoying delays:

Closed Connection DMZ-TMG-02 28.05.2014 13:52:33
Log type: Firewall service
Status: A connection was rejected because the connection limit specifying the maximum number of connections that can be created for a rule during one second was exceeded.
Source: Internal (172.16.0.101:49934)
Destination: External (66.196.66.157:80)
Protocol: HTTP

Flood Mitigation is disabled, so why is TMG talking about connection limits?
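An added triage helper (my own example, not code from the posters or from TMG) for pasted log entries like the ones in this post and in the ActiveSync post above: it splits the "Key: Value" blocks, strips the poster's "<- ..." annotations, classifies the Status text, and counts spoof drops per source network and destination, which is the first thing to review because TMG flags a packet as spoofed when its source address lies outside the address range of the network element bound to the adapter it arrived on. The sample excerpt is constructed from the entries quoted here; the field names are TMG's own.

```python
import re
from collections import Counter

# "Key: Value" lines (the TMG log pane sometimes drops the space after the
# colon); a trailing "<- ..." is the poster's annotation, not log data.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.*?)(?:\s*<-.*)?$")
# Endpoints read "Network (ip:port)", e.g. "External (62.168.252.106:21972)".
ENDPOINT_RE = re.compile(r"^(?P<network>[^(]+?)\s*\((?P<ip>[^\s:)]+):(?P<port>\d+)\)$")
# Status keywords mapped to the failure modes quoted in these posts.
CATEGORIES = (("spoofed", "spoof-drop"), ("connection limit", "rate-limit"),
              ("forcibly closed", "reset-by-peer"))

# Constructed excerpt, copied from the entries quoted in the post above.
SAMPLE_LOG = """\
Denied Connection DMZ-TMG-02 28.05.2014 13:24:18
Log type:Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule:None - see Result Code
Source: External (62.168.252.106:21972)
Destination:Internal (172.16.0.100:443) <- This is Back-End Servers Perimeter-VIP.

Closed Connection DMZ-TMG-02 28.05.2014 13:52:33
Status: A connection was rejected because the connection limit specifying the maximum number of connections that can be created for a rule during one second was exceeded.
Source:Internal (172.16.0.101:49934)
Destination:External (66.196.66.157:80)
Protocol: HTTP
"""

def parse_entries(text):
    """One dict per blank-line-separated entry; an unkeyed first line is Header."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines()]
        entry = {} if FIELD_RE.match(lines[0]) else {"Header": lines[0]}
        for m in filter(None, map(FIELD_RE.match, lines)):
            entry[m["key"].strip()] = m["value"].strip()
        entries.append(entry)
    return entries

def parse_endpoint(value):
    m = ENDPOINT_RE.match(value)
    return m and {"network": m["network"].strip(), "ip": m["ip"], "port": int(m["port"])}

def classify(entry):
    status = entry.get("Status", "").lower()
    return next((cat for needle, cat in CATEGORIES if needle in status), "other")

def triage(text):
    return [{"category": classify(e), "rule": e.get("Rule"), "protocol": e.get("Protocol"),
             "source": parse_endpoint(e.get("Source", "")),
             "destination": parse_endpoint(e.get("Destination", ""))}
            for e in parse_entries(text)]

def spoof_drop_summary(rows):
    """Spoof drops per (source network, destination ip:port): each key names the
    network definition (NLB VIPs included) whose address range to check first."""
    counts = Counter()
    for r in rows:
        if r["category"] == "spoof-drop" and r["source"] and r["destination"]:
            counts[(r["source"]["network"],
                    f'{r["destination"]["ip"]}:{r["destination"]["port"]}')] += 1
    return counts
```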


TMG reports over a million records for DNS traffic in one day??????


Hi All

We have several TMG servers in our data centers over the globe. All is working well and we have gotten this product to a stage where outages are limited :). We have enabled reporting on daily traffic and have picked up on over a million DNS requests under Top Protocols.

We have 2 DNS AD servers for HQ and approximately 60 DNS servers scattered around the globe.

Replication between these servers occurs once a night.

There is no NLB in our environment and it's a pretty simple setup: 2x LAN, 1 internal, 1 external (no DNS listed on External).

The behavior for everything is as follows:
When I open Outlook, TMG queries DNS.
When I open Lync, TMG queries DNS.

When I browse the intranet... TMG queries DNS.

I would just like to narrow down what it could be, or is this normal behaviour?

thanks for the help Gents

Getting denied errors when using TMG Array for publishing Exchange and Lync


I'm setting up a TMG array of 2 TMG servers for Lync. The TMG array is already in use for Exchange. The Exchange publishing rules and web listener use a VIP of x.x.x.220.

I added a secondary VIP of x.x.x.209 for Lync and set up a web listener and Lync publishing rule using the secondary VIP. I am now getting the below error. And yes, there are a publishing rule and listener for the Lync URLs already.

I've google'd and google'd but didn't find any answers.

One thing I do notice on the setting for the Lync Web Listener is that the secondary VIP IP shows as "Virtual IP" as opposed to "<server name>" as with the primary VIP IP for Exchange rules/listener (x.x.x.220).

All the listener / rule settings are fine, and I've rechecked many times. It just appears that when I send requests for the Lync URLs, TMG doesn't even relate the request to the Lync rule.

Any help would be appreciated!


me


SSO using Microsoft Forefront Threat Management Gateway (TMG) involving heterogeneous systems/platforms


Hi All,

We are facing a situation where we need to implement SSO in our organization leveraging the capabilities of TMG. This is a migration from CAS to TMG. We have an array of Microsoft products along with a number of Java-based web applications and a few PHP applications. From the documentation it is not clear that we can manage this with TMG. Has anyone managed a similar situation? Please provide some pointers to solve this issue.

Thanks in advance,

San


Windows 7 ISA firewall client problem


Hi,

I have a problem with the ISA 2006 firewall client on Windows 7 joined to the domain. I can browse websites with the web proxy, but I cannot connect to any POP3 and SMTP mail servers when using the POP3 DNS name in Outlook: if I add the full name of mail.something.com, it does not work ("name cannot be resolved"); it works when adding the IP address. Also, if I try to access FTP servers on the internet it does not work.

This only happens with Windows 7 computers; Windows XP works correctly with the firewall client.

If the SecureNAT client is used on Windows 7 they work (but I need to authenticate users by name).

I have searched many forums but cannot find a solution.

I have a rule in ISA Server that allows HTTP, HTTPS, FTP, ping, SMTP, POP; even the rule that applies to me, which has all outbound ports open, had the same problem.

Thanks in advance.


Can't connect to the TMG Management console error with ISASTGCTRL Service


I have a TMG server with SP3 and it was working like a charm, but when I try to connect to the management console it gives me a "server is not operational" message with error code 0x8007203a. So I went to the services and tried to start the ISASTGCTRL service, but it didn't start and gives me an error of 0xc0000001. So I went to the event viewer and tried to view the error messages corresponding to the ADAM service, and I found these errors:

ISASTGCTRL (3664) ISASTGCTRL: Unable to read page 5124 of database C:\Program Files\Microsoft Forefront Threat Management Gateway\ADAMData\adamntds.dit. Error -1018.

and 

ISASTGCTRL (3664) ISASTGCTRL: Database recovery/restore failed with unexpected error -1018.


Active Directory Lightweight Directory Services could not be initialized. 

The directory service cannot recover from this error. 

User Action 
Restore the local directory service from backup media. 

Additional Data 
Error value:
-1018 JET_errReadVerifyFailure, Checksum error on a database page

and


Internal error: An Active Directory Lightweight Directory Services error has occurred. 

Additional Data 
Error value (decimal):
-1018 
Error value (hex):
fffffc06 
Internal ID:
4078b

I even tried to change the service account of the ISASTGCTRL service to the local system account and restart the service, but it didn't start and gave me these errors. I even tried to modify the permissions on the ADAM and ADAMDATA folders to read and write for the anonymous login account and tried to start ISASTGCTRL, but it didn't start either.

Sooooooooooo, any help here??????


TMG SSO issue with Windows 7 clients


I have a very strange problem with the Forefront TMG 2010 Single Sign On feature.

SSO settings:

  • I'm publishing two websites (https://site1.domain.com and https://site2.domain.com) by using the same web listener with SSO enabled for *.domain.com
  • SSO is working like a charm for Windows 8.1 clients

The issue when accessing sites from Windows 7 clients:

  • On the first access to any of the sites (i.e. site1), I'm getting the TMG forms login form - as expected.
  • I log in, then visit a few pages of the same site (i.e. site1), and everything works as expected. I'm logged in, and I can surf.
  • The problem arises when I try to open the other site (i.e. site2). I'm getting the TMG forms login form again! And even worse - as soon as the new TMG login form opens, I'm logged off from the first site also. So not only must I log in separately for both sites, I can't be logged in to both sites at the same time, because as soon as I log in to one site, the session with the other site is terminated!
  • The interesting thing is that the behavior is the same in any browser. I've tried IE, Chrome and Mozilla - the problem is the same.

When an external client tries to open the second site, TMG logs one interesting message:

  • Req ID: 0ae9f57b; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ;FBA cookie: exists=yes, valid=no, updated=no, logged off=no, client type=private, user activity=yes

It looks like TMG finds that the cookie is not valid and deletes it, terminating this way the existing session with all sites.

My setup:

  • Array of two TMG 2010 SP2 RU4 servers, on Windows Server 2008 R2, all updates installed.
  • Published websites (site1.domain.com and site2.domain.com) reside on two different servers (srv1 and srv2).
  • Websites are published over HTTPS using an SSL certificate obtained from the local PKI. All clients and servers have the PKI CA in their "Trusted Root Certificates" store. No client or server reports any certificate issue. Websites are "green" in the address bar.

I'm really confused by this behavior, especially due to the fact that the same third-party browser (Chrome) can be used with SSO without any problem when installed on Windows 8.1, but not when installed on Windows 7!?!?

Any help would be appreciated...

Thanks!


Fat Dragon


Publish a monitoring camera through TMG 2010


Hi, I have a monitoring IP camera inside my LAN that I want to publish through TMG 2010 to access from outside. The camera has a built-in web server running (currently) on port 80. Inside the LAN (no restrictions) everybody who has a login to the cam can watch, so the cam is working pretty well. Now I created a web publishing rule in TMG 2010 for the cam, but it seems not to be enough. I can easily connect to the log-on screen of the cam and I can log in, but then I get an empty (black) picture (the cam health light on the screen is yellow instead of green, meaning the video is not working)! No stream is visible. The cam should not use any other (additional) ports; I checked that by using Wireshark. What can be the problem that makes TMG block the stream?

TMG2010 - Exchange 2010 - Restrict User Groups


Hey Guys, 

We have TMG2010 currently reverse publishing OWA; however, no pre-auth is being used, the Exchange 2010 auth form is being used.

The TMG box is not domain joined; however, if we joined it to the domain, would we be able to use AD security groups to restrict access to certain services such as OWA, without enabling the "Pre-Auth" functions of TMG?

Thanks, 


Robert 


Forefront TMG 2010 web publishing rule returns blank page


Hello all,

I have a firewall rule configured that should be redirecting all requests from https://tmgserver.com to http://internalserver.domain, applying Kerberos constrained delegation, but upon a user authenticating, all that is returned to the browser is a blank page. I can see that headers were returned from the target server but there is no page content in the response.

For this rule I have the listener configured to listen on all networks, SSL is enabled with a certificate, and authentication is set to HTML form with the Windows Active Directory authentication validation method. SSO is enabled for the required domain.

Bridging is set to redirect to the internal server's non-default port 8080.

Authentication delegation is set to Kerberos constrained, with the SPN set as the server machine.

If I visit the server directly (not through TMG) the response contains the HTML of the page as I would expect.

Is there a configuration setting in TMG that could be stripping the content that is returned from the proxied server?

TMG Proxy Authentication Issue


Hi

I am facing an issue with TMG proxy.

Sometimes it prompts for user credentials. Even after giving the correct credentials, it prompts for the credentials again and again. After restarting the TMG proxy server it works fine. This happens once a day or once every two days. Today the issue resolved itself without restarting the server.

Why is this issue occurring? Please suggest how to resolve this issue.


Route between two branch offices via IPsec VPN to head office


I have TMG 2010 running on Server 2008 R2 in our head office, with 2 branch offices connecting in using DrayTek 2930 routers with IPsec site-to-site VPNs. The remote sites can route to the head office network and vice versa with no issues. I would like to enable the branch offices to route between each other.

Head Office is on 192.168.100.0/24 DG 192.168.100.254 (internal TMG NIC)

Branch office A is on 192.168.7.0/24 DG 192.168.7.1

Branch office B is on 192.168.0.0/24 DG 192.168.0.1

On the routers at the branch offices I have added the other subnets to the routing table to route via the VPN.

On TMG, network and firewall rules allow traffic between all networks listed above, and the traffic simulator reports allowed packets.

When pinging from one branch network to the other, TMG reports an allowed packet from the source network to the destination network correctly; however, pings fail. RDP is the same.
