Quantcast
Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles
Browse latest View live

Error Code: 500 Internal Server Error. The certificate is revoked. TMG 2010 Publishing with CA Client Auth

June 12, 2014, 1:06 pm
$
0
0

Hello,

I have published a couple of sites trough TMG 2010 to the outside world.

They are publish trough https and listener activated for only Certificate Client Authentication. When I test the sites on my windows 7 pro, my Ipad (IOS7) or whatever it works fine. When I try it on my Windows Phone 8.1 (WP8.1) TMG gives a error...

Error code 500 internal server error. The certificate is revoked. (-2146885616)

My WP8.1 is version 8.10.12393.890 and should support the user certificate.

The same certificate is used for ActiveSync on the same phone and works like a charm. This was also with WP8, but the browser did not support the user certificate. Now it does, I believe:http://msdn.microsoft.com/en-us/library/dn643705.aspx

Perry

Search

Skype vs TMG

November 25, 2011, 6:32 am
$
0
0
Hi all,
 
I titled the debate Skype vs TMG because I know this is a struggle of nearly a decade.

Well, now that MS bought Skype and I hope they can modify the protocol so it can be more manageable at the enterprise level, I'm sure they knowthat Skype is a tool used massively in Latin American companies to reduce telephony costs, and certainly inthe world.

Now I think I'm behind this issue since ISA Server 2004, has always been a nightmare to allow or deny Skype, first instance because it is a P2P software.I took a log of a Skype connection attempt and the results are frightening, Skype tries to connect using TCP and UDP random ports and destination IPs are also random, there are no URLs, just IPs. So, the only way to allow Skype (with HTTPS-enabled Inspection) is to follow these steps:

1. First of all, I want my TMG to check HTTPS => HTTPS Inspection = On
2. That protocol Create outbound traffic open
   => TCP (outbound) = 1-65535
   => UDP (send receive) = 1-65535
3. Create firewall rule For This protocol from Internal network to Internet
4. Install Forefront TMG Client (it's part of installation files) on local computer, and allow ITS support on TMG server.
5. To restrict skype from using other rules (holes in other rules),add signature Which Will Prevent STIs Such Behavior.
6. Try to connect to skype network.

Okay, Skype works, it connects, excellent! And I can use the signatureon the other rules to not allow Skype, great!

Now, we have a rule that essentially allows traffic of any software using any TCP or UDP port to internet, giant security hole, because the signature is used in the other rules for Skype not pass through them,but not in the Skype rule to only allow Skype traffic.

The navigation is still controlled by the other rules and application layer inspection of traffic, however, when using any software (other than a browser with the proxy configured), using any TCP or UDP port, it hasabsolute freedom.

TMG can use signatures to block traffic, but not to allow traffic. I cannot find a way to include in this rule something like:

Allow TCP and UDP (any port) toonlytrafficwith this signature.

I do not see this possibility.
Nor I see the possibility of creating a rule like:

Allow traffic from the "client application path"C:\Program Files\Skype\Phone\Skype.exe  only

or

Allow traffic from the "Client Agent" Skype.exe: 3:6.1 only


Can anyone help me close this security hole?

There are several conditions that must be met:

- Skype must work
- I must be able to select which users have access to Skype, and wich users do not.
- I must optimize security and allow Skype, only Skype.
- HTTPS Inspection must be enabled

 My infrastructure?

- TMG 2010 Standard
- W2K8 Standard R2
- TMG is not our gateway, only our proxy, and only we use it for navigation control and "outbound" connections (we might use some other features in the future)
- All users have the TMG client installed

 If someone wants the log I took I will gladly send it to your mail.

I hope someone can help, not just for me, believe me, there are thousands of IT Pros (though clearly I’m not a TMG Gurú) ​​ looking for information on this topic.

 Thanks a lot.
goDog

Load Balancing TMG 2010

June 23, 2013, 7:02 am
$
0
0

hi,

i use 2 tmg's with sp2.

no active directory, hance no tmg array.

i want to enable microsoft load balancing on the internal and external but i always get "RPC is not ..." although i have opened the correct ports.

i have managed to establish a load balance cluster on the 1st host on both internal and external nic's but no luck in joining the other host.

any suggestions ?

Regards,

Udi

TMG Standalone Array simple question

June 14, 2014, 7:00 am
$
0
0
hi everyone i have what i think is a simple question but i don't know if i'm missing something in all the tutorials about standalone arrays i've read.

i'm working with 2 tmg enterprise editions in 2008R2 in a test environment. both are on sp2 fully updated and a single 20 Mbit connection. i would like for this two tmg's to work for high availability using that connection only and i was able to join both in a standalone array. here's how they're configured:

tmg01
internal nic ip range: 192.168.1.1/24
second internal nic: not connected at the moment, considering for intra-array network if needed later on (if anyone suggest is absolutely necessary)
external nic ip: dhcp supplied by isp.

tmg02
internal nic ip range: 192.168.1.2/24
second internal nic: not connected at the moment.
external nic: not connected. (where do i connect this one if i only have one modem for that 20 Mbit connection??)

i have read that the intra-array network is not absolutely necessary so i’m leaving those unplugged.

now, here’s my question, since they’re both already on an array, if tmg01 fails to deliver (let’s assume it has a hardware malfunction), how is tmg02 going to take over and connect to the external network if by definition my modem only accepts one cable? will i have to be near the server and change the cable to the other nic in tmg02 for it to work or do i have to add something in between the modem and the two tmg’s?

is there something i’m missing? will i be needing 2 connections? maybe it’s too obvious or stupid and it just went passed me. i’m open to criticism and opinions.

thanks

TMG - Block Youtube - HTML5

June 16, 2014, 2:11 am
$
0
0

Dear all.

I want to block youtube with TMG 2010

I try with url name

youtube.com/* or  *.youtube.com  or youtube.com:443  or  youtube.com:443/* or  *.youtube.* 

...

I aslo add content fliter

video/mp4

video/x-flv

video/x-ms-asf

and stop Flash player

application/x-shockwave-flash

1. User cannot access www.youtube.com directly but they can access youtube.com/watch?v=xxxxx and view video without problem.

2. User can access youtube.com and view video without any problem.

Please help me slove this problem.

Thanks and best regards.


TMG 2010 to connect Branch Office

June 16, 2014, 10:54 pm
$
0
0

We have TMG 2010 installed for proxy solution. Recently we opened new branch office but they are unable to internet through proxy. I have added the route add command in TMG Server.

route add 10.24.84.0 mask 255.255.255.224 10.24.30.20 -p           - Branch 1

route add 10.24.86.0 mask 255.255.255.224 10.24.30.20 -p                           - Branch 2

10.24.30.20 is our core router IP...

Is there any configuration required in core router and branch office router...Branch office users can access all server service except proxy solution.Please advice

TMG drops spoofed packets from external networks

May 28, 2014, 2:57 am
$
0
0

Greetings, community)

We have a strange situation with our "TMG Servers".

Architecture:

2 Internal (Back-End) TMG servers with 2 NIC each - Internal and Perimeter

2 DMZ (Front-End) TMG servers with 3 NICs each - Perimeter, Provider1, Provider2

2 EMS servers that have 2 Arrays - "DMZ" with two DMZ standalone servers and "Proxy" with two domain internal TMG servers.

Internal TMG servers have enabled NLB on each NIC. So, they are available from Perimeter through their Perimeter-VIP and form Internal through Internal-VIP.

DMZ servers have NLB on their perimeter NICs, and enabled ISP Redundancy. Each external NIC has his own Default gateway.

DMZ servers has persistent route for traffic to internal network through Perimeter-VIP of Internal servers.

So, the problem is strange:

We have some delays for traffic from external networks.

DMZ servers logs have errors with IP address spoofing:

Denied ConnectionDMZ-TMG-02 28.05.2014 13:24:18
Log type:Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule:None - see Result Code
Source: External (62.168.252.106:21972)
Destination:Internal (172.16.0.100:443) <- This is Back-End Servers Perimeter-VIP.

Same situation in Internal ARRAY logs:

Denied ConnectionBLK-TMG-02 28.05.2014 13:29:16
Log type:Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule:None - see Result Code
Source:Local Host (172.16.0.102:54152)
Destination:External (93.158.134.11:80)
Protocol: HTTP
and
Denied ConnectionBLK-TMG-02 28.05.2014 13:45:45
Log type:Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule:None - see Result Code
Source:Local Host (172.16.0.100:443)
Destination:External (213.87.131.98:46125)
Protocol: Skype <- User defined protocol for Skype ACCESS

Is it normal or somewhere I did a mistake with configuration?

Internet acces from Internal works good but with annoing delays sometimes:

Closed ConnectionDMZ-TMG-02 28.05.2014 13:52:33
Log type:Firewall service
Status: A connection was rejected because the connection limit specifying the maximum number of connections that can be created for a rule during one second was exceeded.
Source:Internal (172.16.0.101:49934)
Destination:External (66.196.66.157:80)
Protocol: HTTP

Flood Mitigation is disabled, but why TMG talking about connection limits?


Behavioural Intrustion Detection

June 16, 2014, 9:09 am
$
0
0

Hi,

I have an internal Wireless Network and LAN on the same subnet, my users switch between networks when moving between floors/meeting rooms from Wireless to LAN and LAN to wireless (they don't close applications) sometimes the IP gets blocked by the TMG as it thinks its under a SYN attack. I have tried changing the thresholds and adding exceptions for all network addresses and it still happens, it also happens even if this is disabled. Some of my Senior users are getting really frustrated by this and I need to fix this issue Asap, All TMG patching is up to date and we run Windows 7 enterprise, HELP!

Thank you,

Matt

Search

Onedrive (Skydrive) Sync issues through TMG

June 16, 2014, 2:24 pm
$
0
0

We are having a ton of issues when using Onedrive (skydrive) to sync document libraries with our SharePoint 2013 server behind Forefront TMG. Users will randomly stop syncing (with no errors on skydrive), or files will just sit there trying to upload. I checked the logs on forefront, and see the following error occurring quite often for the document libraries the users are trying to sync.

 12210 An Internet Server API (ISAPI) filter has finished
handling the request. Contact your system administrator.

We have an array of TMG servers that use FBA for authentication on the front end, then delegate using NTLM to the sharepoint server. The array is also setup as a reverse proxy, and is the only way the sharepoint server can reach the internet. We are using the external host name (portal.domain.com) from TMG's internal adapter to the sharepoint server, so it's not a mapping issue. It's also happening on images and files that are less than 100KB, so it's not a size issue either.

I have tried disabling the malware filter completely, but the error still occurred. This is happening to multiple users running both windows 7/8.


Unidentified IP Traffic

June 18, 2014, 8:28 am
$
0
0

Hi all,

Trying to get some understanding in the Unidentified IP Traffic message i get.

Lets say i try to make a connection with a URL bla.localdomain.local:8089. This localdomain.local is located externally, and we have a domain trust with this external side. Conditional Forwarding is in place to reach their DNS servers.

Source 10.0.0.10 (mydomain)
Destination (website) 10.233.10.10 (localdomain.local)

On TMG i saw a block on port 8089, so i made an access rule with source Internal and destination 10.233.10.10, port 8089 outbound. This works as i now get succesfull messages. But after those messages i get two messages complaining about Unidentitfied IP Traffic. Port 41470 for example.
Only this time, the source is still 10.0.0.10, but the destination is my proxy LB IP address.

Normally i say to the proxy to open port xxxx to destination xxxx. But now my destination is the proxy it self. How should i handle this?

Thanks!

Cannot RDP To TMG Server

May 27, 2010, 1:12 am
$
0
0

we have tmg running on server 2008. all was working fine but now i cannot rdp into the server from inside or outside the network.

i cannot telent either to port 3389

i checked the loging query and it open the port then close's it the error denied rst packet

 

 

TMG SSL Client Certificate

June 18, 2014, 5:36 am
$
0
0

I have a website where i want to authenticate user with client certificates from enterprise pki.

I have setup web server in my domain with client certificate mapping and i can authenticate with my user certificate from internal.

Now i want to publish this site over tmg. TMG is non-domain

I tried to follow this guide http://media.wix.com/ugd/641a74_b4dc7881c7bffb35d061c900fdda0475.pdf

 

On Step 3 i have problem that i cannot choose SSL Client Certificate Authentication for my Web-listener, i guess because of the non-domain of TMG. What would be a good configuration for my purpose.

Now I have

WebPublsihing Rule

Authentication Delegation

?

Weblistener:

Authentication

- Http Auth > Basic (Advanced > Require SSL; Client Certificate Trust > My EnterpriseRoot CA)

Connection

- Only 443

Certificates

My Server Certificate which i use for website

VPN client cannot access internal network after a VPN connection established

June 18, 2014, 11:12 pm
$
0
0

Dear Experts,

We using MS TMG server as our VPN server, it already working for 3 years.

But from 7 days ago, we found a very strange problem that VPN clients cannot access internal network although VPN connected.

As checking the route table of TMG server, we found all routing entries for VPN clients lost when the problem happened.

For example, we set VPN client IP range in TMG is 10.212.226.1 ~ 10.212.226.250, with 5 clients have VPN connected with TMG server, normal situation the routing entries should be like this:

10.212.226.1  255.255.255.255         On-link      10.212.226.1    277
10.212.226.6  255.255.255.255     10.212.226.6     10.212.226.1     22
10.212.226.7  255.255.255.255     10.212.226.7     10.212.226.1     22
10.212.226.11  255.255.255.255    10.212.226.11     10.212.226.1     22
10.212.226.14  255.255.255.255    10.212.226.14     10.212.226.1     22
10.212.226.18  255.255.255.255    10.212.226.18     10.212.226.1     22

With above routing table, all 5 VPN clients working fine, they can access internal network. But once the problem happened, then only below one VPN routing entry can find in routing table, others are all missing.

10.212.226.1  255.255.255.255         On-link      10.212.226.1    306

At this moment, all VPN clients cannot access internal network although they still connected. This problem can be solved after a server reboot. But it would happen after several days. 

Looking for your support and feedback. Thank you very much.

Best regards,

Jiali Feng

Getting denied errors when using TMG Array for publishing Exchange and Lync

May 30, 2014, 8:24 am
$
0
0

I'm setting up a TMG array of 2 TMG servers for Lync. The TMG array is already in use for Exchange. The Exchange publishing rules and web listener use a VIP of x.x.x.220.

I added a secondary VIP of x.x.x.209 for Lync and set up a web listener and Lync pubishing rule using the secondary VIP. I am now getting the below error. And yes, there are publishing rule and listener for the Lync URL's already.

I've google'd and google'd but didn't find any answers.

One thing I do notice on the setting for the Lync Web Listener is that the secondary VIP IP shows as "Virtual IP" as opposed to "<server name>" as with the primary VIP IP for Exchange rules/listener (x.x.x.220).

All the listner / rule settings are fine, and I've rechecked many times. It just appears that when I send requests for the Lync URL's, TMG doesn't even relate the request to the Lync Rule.

Any help would be appreciated!

me


ISA Server Internet Explorer content limit

June 18, 2014, 5:53 am
$
0
0
Have access to a site that has more than 20,000 characters through a Microsoft TMG2010 Server with SP2.
We did not get to see the last 50 characters.
But if we turn off the Microsoft Forefront TMG firewall service we could access.
We Would like to know if there is some limitation to cause this problem.
Search

Error the service FWSRV of TMG 2010 on Windows server 2008 R2 Enterprise

June 19, 2014, 12:59 am
$
0
0

Please help me about a issue of TMG 2010:

My company installed TMG 2010 on Windows server 2008 R2 Enterprise but it happen error " Due to an unexpected error, the service fwsrv stopped responding to all requests. Stop the service or the corresponding process if it does not respond, and then start it again. Check for related error messages."

and " The Firewall service stopped because an application filter module C:\Windows\SYSTEM32\ntdll.dll generated an exception code C0000005 in address 0000000077A72F86 when function CompleteAsyncIO was called. To resolve this error, remove recently installed application filters and restart the service."

I have reinstall but there error also appear again. My company use about 2000 clients access through TMG 2010.

i have try update windows and TMG latest but can not solved this issue.

i hope everyone help me as soon as. thank you so much.


Conficker A or B Conficker botnet in Local

June 19, 2014, 6:16 am
$
0
0

My static IP is Mail Server. http://cbl.abuseat.org do notice like this:

This IP is infected (or NATting to an infected computer) with Conficker A or B Conficker botnet.

Please help me how to fix this problem thoroughly to avoid relisting, I've removed a few times but still again, no longer dare to remove it for fear of blacklisting. My system uses TMG firewall. My client in Local is infected Conficker A or B Conficker botnet.

Sincere thanks.

Scrambled TMG Reports

April 22, 2013, 11:00 am
$
0
0

Running reports in Forefront TMG 2010 yields virtually unreadable reports no matter what browser or version of browser I use (see below).

I am running version 7.0.9193.515 on a Windows Server 2008 R2 Standard box. All of the latest updates, service packs and patches have been applied.

Don't know when this started.

Bob Esquenazi

TMG block internet access for IP local

June 19, 2014, 6:07 am
$
0
0
TMG block internet access for IP local

The number of denied connections from the source IP address 192.168.0.13 exceeded the configured limit. This may indicate that the host is infected or is attempting an attack on the Forefront TMG computer.

Please, help me fix problem.

TMG Logging Status - Disconnected

December 29, 2011, 3:55 am
$
0
0

Hi folks,

Our TMG 2010 (SP2) installation is configured using default settings for Firewall & Web Proxy Logging. However, we are seeing the Log Status as being 'disconnected'. We are logging to the default folder which just appears to contain .llq files. Could someone please point me in the right direction to begin troubleshooting this issue as we are hoping to move this installation on to our live network as soon as possible?

 

Many thanks,

 

JP

Viewing all 3822 articles
Browse latest View live
Search