Channel: Forefront TMG and ISA Server forum

Windows 8, Store and MS TMG Proxy - Can't install apps

Hi All,

Hoping for some information/assistance. Currently testing Windows 8 Ent x64 in our Domain Environment. All works well for the built in apps and certainly looks promising. Hoping to get quite a few Surface or other W8 Tablets in the organisation if I can fix this final issue.

I currently cannot install any Apps via the App Store through our Microsoft TMG 2010 SP2 product. I can change rules on the TMG to help make this work if necessary.

This is the message I am currently experiencing when I attempt to install an App:

"Your purchase couldn't be completed. Something happened and your purchase can't be completed"

I hit Try Again and immediately I get the same message. I have traced it to WindowsUpdate.log in the Windows dir which shows:

2012-11-01	12:12:30:243	 852	47cc	Agent	*************
2012-11-01	12:12:30:243	 852	47cc	Agent	** START **  Agent: Finding updates [CallerId = WSAcquisition]
2012-11-01	12:12:30:243	 852	47cc	Agent	*********
2012-11-01	12:12:30:243	 852	47cc	Agent	  * Include potentially superseded updates
2012-11-01	12:12:30:243	 852	47cc	Agent	  * Online = Yes; Ignore download priority = No
2012-11-01	12:12:30:243	 852	47cc	Agent	  * Criteria = "AppCategoryIDs contains '5e19cc61-8994-4797-bdc7-c21263f6282b'"
2012-11-01	12:12:30:243	 852	47cc	Agent	  * ServiceID = {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782} Third party service
2012-11-01	12:12:30:243	 852	47cc	Agent	  * Search Scope = {Current User}
2012-11-01	12:12:30:243	 852	47cc	Agent	  * Caller SID for Applicability: S-1-5-21-1390067357-746137067-1202660629-26658
2012-11-01	12:12:30:243	 852	47cc	EP	Got 9482F4B4-E343-43B6-B170-9A65BC822C77 redir SecondaryServiceAuth URL: "http://fe1.ws.microsoft.com/w8/2/redir/storeauth.cab"
2012-11-01	12:12:30:244	 852	47cc	EP	Got 117CAB2D-82B1-4B5A-A08C-4D62DBEE7782 redir Client/Server URL: "https://fe1.ws.microsoft.com/v6/ClientWebService/client.asmx"
2012-11-01	12:12:30:247	 852	47cc	PT	Skipping StartCategoryScan, no categories require server checks.
2012-11-01	12:12:30:248	 852	47cc	PT	+++++++++++  PT: Synchronizing server updates  +++++++++++
2012-11-01	12:12:30:249	 852	47cc	PT	  + ServiceId = {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782}, Server URL = https://fe1.ws.microsoft.com/v6/ClientWebService/client.asmx
2012-11-01	12:12:30:256	 852	47cc	WS	WARNING: Nws Failure: errorCode=0x803d0006
2012-11-01	12:12:30:256	 852	47cc	WS	WARNING: There was an error communicating with the endpoint at 'https://fe1.ws.microsoft.com/v6/ClientWebService/client.asmx'.
2012-11-01	12:12:30:256	 852	47cc	WS	WARNING: The operation timed out after 60000 (0xEA60) milliseconds.
2012-11-01	12:12:30:256	 852	47cc	WS	WARNING: The operation could not be completed because the channel has been aborted.
2012-11-01	12:12:30:256	 852	47cc	WS	WARNING: Web service call failed with hr = 8024401c.
2012-11-01	12:12:30:256	 852	47cc	WS	WARNING: Current service auth scheme='None'.
2012-11-01	12:12:30:256	 852	47cc	WS	WARNING: Proxy List used: 'PROXYIPHERE:8080', Bypass List used: '(null)', Last Proxy used: 'PROXYIPHERE:8080', Last auth Schemes used: 'None'.
2012-11-01	12:12:30:256	 852	47cc	WS	FATAL: OnCallFailure(hrCall, m_error) failed with hr=0x8024401c
2012-11-01	12:12:30:256	 852	47cc	PT	WARNING: PTError: 0x8024401c
2012-11-01	12:12:30:256	 852	47cc	PT	WARNING: SyncUpdates_WithRecovery failed.: 0x8024401c
2012-11-01	12:12:30:256	 852	47cc	PT	WARNING: Sync of Updates: 0x8024401c
2012-11-01	12:12:30:256	 852	47cc	PT	WARNING: SyncServerUpdatesInternal failed: 0x8024401c
2012-11-01	12:12:30:256	 852	47cc	Agent	  * WARNING: Failed to synchronize, error = 0x8024401C
2012-11-01	12:12:30:256	 852	47cc	Agent	  * WARNING: Exit code = 0x8024401C
2012-11-01	12:12:30:256	 852	47cc	Agent	*********
2012-11-01	12:12:30:257	 852	47cc	Agent	**  END  **  Agent: Finding updates [CallerId = WSAcquisition]
2012-11-01	12:12:30:257	 852	47cc	Agent	*************

The key line here being: Last auth Schemes used: 'None'

Which gives the error: hr=0x8024401c - Authentication error?

This leads me to the TMG live proxy log, which shows everything as Allowed Connection but the HTTP status code is 407 Proxy Authentication Required:

Status: 407 Proxy Authentication Required
Rule: Allow Unfiltered Internet
Source: Internal (172.16.2.23:64163)
Destination: External (172.23.0.10:443)
Request: fe1.ws.microsoft.com:443
Filter information: Req ID: 0f74228b; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel

User: anonymous

Is there a rule that needs to be added to the TMG/Web Access Policy to allow unauthenticated traffic to certain domains, or is there something on Windows 8 (without having to install anything, as this is not an easy solution to roll out to RT tablets for example)?

Many Thanks for any assistance. I may crosspost this to the Windows 8 forum too.

Regards,

Dan.
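The two log excerpts above, read together, as an added example (not code from the post or from Microsoft): a short Python script that parses the WindowsUpdate.log WS/PT lines and the TMG live-log record, maps the agent's HRESULT to the HTTP status it is derived from, and names the cause. Both samples are constructed from the post's own lines; PROXYIPHERE is the post's placeholder.

```python
import re

# WU_E_PT_HTTP_STATUS_* HRESULTs: the update agent derives these from HTTP statuses.
WU_HTTP_STATUS = {
    0x8024401B: 407,  # WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ
    0x8024401C: 408,  # WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT
}

# Constructed sample, modelled on the WindowsUpdate.log excerpt in the post
# (PROXYIPHERE is the post's own placeholder for the TMG address).
SAMPLE_WU_LOG = (
    "2012-11-01\t12:12:30:249\t 852\t47cc\tPT\t  + ServiceId = {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782},"
    " Server URL = https://fe1.ws.microsoft.com/v6/ClientWebService/client.asmx\n"
    "2012-11-01\t12:12:30:256\t 852\t47cc\tWS\tWARNING: Nws Failure: errorCode=0x803d0006\n"
    "2012-11-01\t12:12:30:256\t 852\t47cc\tWS\tWARNING: Web service call failed with hr = 8024401c.\n"
    "2012-11-01\t12:12:30:256\t 852\t47cc\tWS\tWARNING: Current service auth scheme='None'.\n"
    "2012-11-01\t12:12:30:256\t 852\t47cc\tWS\tWARNING: Proxy List used: 'PROXYIPHERE:8080',"
    " Bypass List used: '(null)', Last Proxy used: 'PROXYIPHERE:8080', Last auth Schemes used: 'None'.\n"
)

# Constructed sample of the TMG live-log record from the post.
SAMPLE_TMG_RECORD = """\
Status: 407 Proxy Authentication Required
Rule: Allow Unfiltered Internet
Source: Internal (172.16.2.23:64163)
Destination: External (172.23.0.10:443)
Request: fe1.ws.microsoft.com:443
Protocol: SSL-tunnel
User: anonymous
"""

def parse_wu_log(text):
    """Pull server URL, HRESULT, last proxy and last auth scheme out of WS/PT lines."""
    info = {"server_url": "", "hresult": None, "proxy": "", "auth_scheme": ""}
    for line in text.splitlines():
        parts = line.split("\t")          # date, time, pid, tid, component, message
        if len(parts) < 6:
            continue
        component, msg = parts[4], parts[5]
        if component == "PT":
            m = re.search(r"Server URL = (\S+)", msg)
            if m:
                info["server_url"] = m.group(1)
        elif component == "WS":
            m = re.search(r"\bhr\s*=\s*(?:0x)?([0-9A-Fa-f]{8})\b", msg)
            if m:
                info["hresult"] = int(m.group(1), 16)
            m = re.search(r"Last Proxy used: '([^']*)'", msg)
            if m:
                info["proxy"] = m.group(1)
            m = re.search(r"Last auth Schemes used: '([^']*)'", msg)
            if m:
                info["auth_scheme"] = m.group(1)
    return info

def parse_tmg_record(text):
    """'Key: value' TMG log record -> dict with lower-case keys."""
    rec = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            rec[key.strip().lower()] = value.strip()
    return rec

def diagnose(wu, tmg):
    """Explain the Store failure from both sides of the proxy."""
    tmg_status = int(tmg.get("status", "0").split()[0])
    wu_status = WU_HTTP_STATUS.get(wu["hresult"])
    result = {"tmg_status": tmg_status, "wu_http_status": wu_status, "cause": "unknown"}
    if tmg_status == 407 and tmg.get("user", "").lower() == "anonymous":
        result["cause"] = "proxy-auth-required"
        result["detail"] = (
            f"TMG answered the {tmg.get('protocol')} request for {tmg.get('request')} with 407 "
            f"and logged the user as anonymous; the agent's auth scheme was '{wu['auth_scheme']}', "
            "so no proxy credentials were ever sent. The rule matching this destination has to "
            "apply to All Users (no authentication) for the CONNECT to succeed."
        )
    if wu_status == 408:
        result["note"] = (
            f"0x{wu['hresult']:08X} is the agent's HTTP 408 (timeout) code, not 407: the client "
            "timed out on the aborted tunnel, so the authentication failure shows only in the TMG log."
        )
    return result
```

Run `diagnose(parse_wu_log(SAMPLE_WU_LOG), parse_tmg_record(SAMPLE_TMG_RECORD))` to see the two sides matched up: the 407 lives only on the TMG side, while the agent reports the resulting timeout.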



TMG 2010 Ent. / ESXi 5.1 / NetApp Setup

Hi All,

I have some questions regarding the setup and implementation of TMG and a pure ESXi vmware environment. I have been tinkering in a lab / non-production environment to get things situated before proceeding with a full deployment. Here's a basic rundown of the environment:

Server Hardware:

(1) HP DL380G7, 1 x 6-core Intel CPU, 96GB RAM, 1TB Internal SAS storage (RAID 6), 10 Broadcom/Intel GBit NIC

(1) HP DL580G5, 4 x Quad Core Intel CPU, 96 GB RAM, 500GB SAS storage (RAID 1+0), 10 Broadcom/Intel Gbit NIC

Core Switch:

(2) Cisco 3750G 48-port. No Stack configuration, only one is being utilized

Storage:

NetApp FAS2040, 8 x internal 300GB SATA drives, 1 x DS14 MK2 Shelf with 14 x 250GB FC drives

That's a rundown of the hardware involved. ESXi 5.1.0 is installed on both servers. I have installed a vCenter 5 Appliance on one host, 10.20.10.13 GW 10.20.10.1. The networking is broken out by VLANs on the core switch. I didn't want to do VLAN tagging from within the ESXi hosts / vCenter server because I've always used VLANs on the core. I have a number of VLANs created on the core, i.e. vlan 5 (Perimeter DMZ) 192.168.0.2, vlan 10 (INT-LAN) 10.20.10.2, vlan 30 (iSCSI) 10.20.30.1, vlan 40 (ESX MGT) 10.20.40.1, vlan 50 (VMOTION) 10.20.50.1.

The ESX hosts were assigned a management VLAN IP, 10.20.40.5/6, Gateway 10.20.40.1. My internal Domain Controller has an IP of 10.20.10.9, GW 10.20.10.1. I then installed TMG as a 3-network template: Internal, Perimeter, External. It is a member of the domain.

The networking of the ESXi hosts uses Virtual Distributed Switches that I created in vCenter. I was meticulous about breaking out NICs for each VLAN and tried to keep the traffic separate. For instance, vmnic0 is vDS CSI-MGT_VLAN40, connected to the 3750 on vlan 40, and has vmk0 10.20.40.5/6 on the respective ESX host. I have vmnic1/vmnic2 for internal traffic on a separate vDS CSI-INT-LAN_VLAN10, connected to the 3750 on vlan 10. I have the vDS for VMotion/iSCSI/DMZ done this way as well: a physical NIC is connected to the uplink and assigned the appropriate VLAN on the switch. I have the External network set up as a single vDS with vmnic6 attached directly to the Internet, and only the TMG VM has this NIC vDS assigned to it.

I have only ever used a physical server for my ISA before; this is my first time testing/configuring with a pure virtual environment. The TMG Internal NIC has IP settings: 10.20.10.1 255.255.255.0 No Gateway DNS: 10.20.10.9. The DMZ NIC has IP settings: 192.168.0.1 255.255.255.0 No Gateway DNS: 192.168.0.9. The External NIC has the internet provider's IP settings. The thought being that the TMG is basically the router/firewall for the systems. I have the Internal network defined as IP ranges 10.20.10.0-10.20.10.255 and 10.20.40.0-10.20.40.255. I have a route 10.20.40.1 > GW:10.20.10.1 allowing the TMG to act as the route path for traffic from the vCenter server management (vlan10) to the ESXi hosts (vlan40). All Internal LAN systems use the INT GW of the TMG Internal NIC. Management services, i.e. iSCSI / VMOTION, do not pass through the TMG and that traffic is routed on the core switch.

To the only issue I seem to be having trouble with: vSphere Client / vCenter server communications. I have the vCenter appliance on the internal network, 10.20.10.13. I have a vSphere Client installed on an internal PC, 10.20.10.17. I have created an access rule allowing the many specified protocols for the vCenter Appliance to communicate with the ESXi hosts (8080, 443, 902, 512, etc. etc. etc.). The problem comes when I'm on the PC with the vSphere Client installed and try to connect to the vCenter appliance to manage the vmware environment. It can connect to the vCenter. I was able to add the hosts but seem to be running into issues now, unable to communicate with the ESXi hosts. When I change the GW IP of the client PC to 10.20.10.2 (core switch vlan10 IP) the issues almost go away completely. I'm not quite sure what the TMG might be blocking or denying from the client PC to the vCenter or the ESXi hosts. I see connections initiated from the vCenter Appliance to the ESXi hosts being blocked as well. The most repetitive error is a port 902 TCP_SYNC_DROPPED_PACKET from the PC vSphere client to the ESXi hosts (10.20.40.5/6). I created a rule allowing port 902 from the vCenter Appliance and the Client PC (both INT LAN) to the ESXi hosts. I'm still having some issues.

So from all the information above, can anyone see any configuration issues? Possibly I should change some things around, e.g. VLAN tagging in vCenter instead of on the core switch, or possibly put the vCenter IP on the same subnet as the ESXi hosts (vlan40) rather than having the ESXi hosts in the 40.x subnet and the appliance in the 10.x subnet? Any suggestion anyone could offer would be appreciated.

-Slevin



Outlook 2010 can't get emails through TMG server

Dear All,

I have recently installed a TMG server in my network. After configuring basic rules, Outlook was unable to connect. We are using SSL port 993 and SMTP port 465. Everything is working fine except email; there is no email server in my network.

Please advise or give some steps to allow the SSL ports to get email.

Thanks

kashif

Microsoft is killing the TMG?

I don't want to cause any confusion, but last week some rumors emerged that Microsoft would be killing Forefront TMG. The Gartner Magic Quadrant published on the 25th, entitled "Magic Quadrant for Secure Web Gateway", even included TMG as it does every year. Gartner says in the report that Microsoft has confirmed that it is discontinuing the product, but that support will remain active. The question is not about just anyone saying it; it is Gartner! What is the long-term perspective for customers using TMG today? Will Microsoft release another product? Finally, the report was released on 25 May, and it is reasonable to imagine that it took some months to get ready, so Gartner has had this information for a while already, right? And Microsoft will not say anything to the community that uses/supports/disseminates the product? Is Microsoft no longer blindfolded, while we offer TMG to our clients at the risk of selling a product that could be discontinued tomorrow?
Microsoft, more respect with the partners and technical community!
Sources:

FF TMG 2010 on Server 2012

Has anyone tried successfully installing Forefront TMG 2010 on Windows Server 2012?

I tried but failed; it complained about being unable to add roles and features.


Valuable skills are not learned, learned skills aren't valuable.


Multiple Listeners with a Single IP Address

We currently have TMG 2010 that publishes Access Rules for an Exchange 2010 server farm. We are looking at bringing Canadian email into our system. My question is whether I can have two listeners using the same IP address for different domains (mail.mysite.com and mail.mysite.ca) with two wildcard certificates, connecting to the same server farm?

Can TMG solve this problem?

I have an issue which I hope TMG can solve, but I could do with some expert advice before engaging with Microsoft.

I have an Oracle 10g application which I need to upgrade to 11g. In order to use the 11g application, the client must be running JRE 1.6.26 or later. However, the customer flatly refuses to install JRE and won't budge from Jinitiator (which is needed for the 10g application).

I have considered TS RemoteApp, but the customer won't allow RDP on the client either.

If I have JRE 1.6.26 installed on the TMG server and publish the Oracle 11g application as a web application on the TMG server would that negate the need for JRE on the client?

Any help or alternative suggestions would be appreciated.

12210 An Internet Server API (ISAPI) filter has finished handling the request, InfoPath Forms Services

Background: 
  Forefront TMG 2010 on Server 2008 R2
  SharePoint 2010 on Server 2008 R2 (different box)

Client had a working setup on an ISA 2006 box but they called me one morning after they found it lying dead in the rack. Tried to find the backups, but they appear to have left with the last guy who worked for them.

I built up a new box with TMG 2010 and got it dialed in to their SharePoint.  All (navigation, button clicks, etc.) work as expected.  However, they have several forms that they use: one customized list form and one straight-up browser based form (no code).  From inside the network the forms operate exactly as expected.  Once someone opens the form from an external network the TMG logs:
"12210 An Internet Server API (ISAPI) filter has finished handling the request, InfoPath Forms Services"

Wireshark shows: HTTP/1.1 401 Unauthorized, NTLMSSP_CHALLENGE

I get the same "HTTP/1.1 302 Moved Temporarily" in TMG logging as noted in this post.

Anyone have any ideas?  The post I linked to did not suggest a specific fix.

Thanks,

Chris


TMG server having network connectivity issues.

A VMware VM hosting a Windows 2008 R2 server running TMG is having frequent network dropouts, and I am unable to RDP to it. Tracert is clean. How do I tackle this issue?

Urgent

Create one Static VPN IP over a DHCP scenario

Hello

In my new job, which I started some weeks ago, they have a Forefront configured to assign VPN IPs using DHCP, but right now they need one IP from a remote server to connect to an internal server with a static IP. I tried to configure an access rule from that server to that internal IP.

For some reason, it doesn't seem to be working at all. I could use some advice here since I'm a bit new to using Forefront.

I got this in the event viewer:

Event ID: 20253

CoId={NA}: The user domain\user connected to port VPN3-98 has been disconnected because no network protocols were successfully negotiated.


TMG Identifying Bad Login Attempts

Hi,

Sometimes I receive bad login attempts on the TMG server in the event log. I can't find the real IP/hostname with the log, because the logon process is initiated by the TMG service. In the TMG console section this login name is absent. Please help me with recognizing who initiates this session!

I have replaced values in the log: %username% - name of the user who attempted to log on, %domainname% - real name of the domain, %servername% - TMG server name.

An account failed to log on.

Subject:
 Security ID:  NETWORK SERVICE
 Account Name:  %SERVERNAME%$
 Account Domain:  %DOMAINNAME%
 Logon ID:  0x3e4

Logon Type:   3

Account For Which Logon Failed:
 Security ID:  NULL SID
 Account Name:  %username%
 Account Domain:  %domainname%

Failure Information:
 Failure Reason:  Unknown user name or bad password.
 Status:   0xc000006d
 Sub Status:  0xc0000064

Process Information:
 Caller Process ID: 0x255c
 Caller Process Name: C:\Program Files\Microsoft Forefront Threat Management Gateway\wspsrv.exe

Network Information:
 Workstation Name: %servername%
 Source Network Address: -
 Source Port:  -

Detailed Authentication Information:
 Logon Process:  Advapi 
 Authentication Package: Negotiate
 Transited Services: -
 Package Name (NTLM only): -
 Key Length:  0


PS Sorry for my English
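Added example, not from the post: a parser for the 4625 event above that decodes the Status/Sub Status NTSTATUS values and identifies the component that performed the logon. The sample event is constructed from the post's layout, with CONTOSO, TMG01 and jdoe standing in for the %domainname%, %servername% and %username% placeholders.

```python
import re

# Well-known NTSTATUS values Windows writes into the Status / Sub Status fields of 4625.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE (bad user name or password)",
    0xC0000064: "STATUS_NO_SUCH_USER (user name does not exist)",
    0xC000006A: "STATUS_WRONG_PASSWORD (user exists, wrong password)",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
}

# Constructed sample in the shape of the post's event; CONTOSO, TMG01 and jdoe
# stand in for the %domainname%, %servername% and %username% placeholders.
SAMPLE_EVENT = """\
Subject:
 Security ID:  NETWORK SERVICE
 Account Name:  TMG01$
 Logon ID:  0x3e4

Logon Type:   3

Account For Which Logon Failed:
 Security ID:  NULL SID
 Account Name:  jdoe
 Account Domain:  CONTOSO

Failure Information:
 Failure Reason:  Unknown user name or bad password.
 Status:   0xc000006d
 Sub Status:  0xc0000064

Process Information:
 Caller Process Name: C:\\Program Files\\Microsoft Forefront Threat Management Gateway\\wspsrv.exe

Network Information:
 Workstation Name: TMG01
 Source Network Address: -

Detailed Authentication Information:
 Logon Process:  Advapi
 Authentication Package: Negotiate
"""

def parse_event(text):
    """Flatten the 'Section:' / ' Field:  value' layout into {'Section.Field': value}."""
    fields, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = ""                      # a blank line ends the current section
            continue
        if ":" not in line:
            continue                          # free-text line such as the event title
        key, value = (part.strip() for part in line.split(":", 1))
        if value == "":
            section = key                     # header such as 'Failure Information:'
        else:
            fields[f"{section}.{key}" if section else key] = value
    return fields

def decode_status(fields):
    """Map the hex Status / Sub Status codes to their NTSTATUS names."""
    decoded = {}
    for name in ("Status", "Sub Status"):
        raw = fields.get(f"Failure Information.{name}", "")
        code = int(raw, 16) if re.fullmatch(r"0x[0-9a-fA-F]{8}", raw) else None
        decoded[name] = NTSTATUS.get(code, f"unrecognised ({raw or 'missing'})")
    return decoded

def who_initiated(fields):
    """Work out which component performed the failed logon and where to look next."""
    process = fields.get("Process Information.Caller Process Name", "").lower()
    source = fields.get("Network Information.Source Network Address", "-")
    if source not in ("-", ""):
        return ("remote-host", f"logon request came over the network from {source}")
    if process.endswith("wspsrv.exe"):
        return ("tmg-firewall-service",
                "the Microsoft Firewall service validated a client's credentials locally "
                "(Logon Type 3 via Advapi, no source address), so the client's IP is not in "
                "this event; match the user name and time against the TMG web proxy or "
                "firewall log to find it")
    return ("local-process", f"logon performed locally by {process or 'an unknown process'}")
```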

User Activity Report Blank

Hi all

I have TMG 2010 with SP2 and Rollup 1 installed, but when I generate the User Activity report it shows blank, no data is displayed. Can anybody help me out please?

Cannot install service after SCW

Hello,

I have a TMG 2010 on Windows 2008 R2. I ran the Security Configuration Wizard (SCW) after installing TMG. I am now trying to add a remote client (ScreenConnect) using group policies and it keeps failing. I have tried manually installing the client and it installs successfully (shows in appwiz.cpl) but the service cannot start:

ScreenConnect Service failed to start. Verify you have the permission to start the service
It then rolls back and uninstalls the software. Can I get this working?


Regards Tony "Great things can be expressed In fifteen words or less And bring that to your heart" - Kaiser Chiefs

Rollback Security Configuration Wizard (SCW)

I built my TMG server at the beginning of this year and ran SCW. Over time I have migrated the rules from ISA to TMG and am at the point where I can now decommission the ISA. However, over the last few weeks I have been getting problems with WMI and upgrading/installing software, to the point where I have looked again at SCW. I have 2 issues that I am hoping the forum can resolve:

  1. No matter what I do, it always wants to disable Routing and Remote Access, which is a problem as we have a site-to-site link running as well as 20 field-based operatives that use VPN. I have turned on both the Remote Access/VPN Server roles.
  2. Can I roll back to before I ran SCW for the first time (January 2012)? I have not applied SCW since then.

Thanks
Tony

  

Regards Tony "Great things can be expressed In fifteen words or less And bring that to your heart" - Kaiser Chiefs

Forefront TMG 2010 Spoofing issue preventing connections

Been struggling with IP spoofing issues on our TMG 2010 server.

We have web services published to public IP’s all bound to a NIC called WAN-PUBLIC which then NAT’s to the internal IP’s on the web servers.

In certain scenarios we're unable to gain access to the servers and the ISA logs are full of spoofing errors such as this:

Log type: Firewall service

Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed. 

Rule: None - see Result Code

Source: Local Host (213.122.169.54:18816)

Destination: Internal (192.168.9.130:443)

Protocol: HTTPS

The source host in this scenario is an IIS server / NLB using ARR so it’s almost acting like a reverse proxy.

Below are the relevant public IPs bound to the WAN NIC; as you can see it has a default gateway set to an upstream ISP router.

Ethernet adapter WAN-PUBLIC:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 213.122.169.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.51
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.52
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.53
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.54
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.55
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.56
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.57
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.58
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.59
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 213.122.169.49

Below is the internal NIC of the ISA server (no gateway set):

Ethernet adapter LAN-PRIVATE:

   IPv4 Address. . . . . . . . . . . : 192.168.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

So the rule above that's failing is on a 192.168.9.x network; this network has a manual route defined via an internal core switch.

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   213.122.169.49   213.122.169.50    266
       10.10.10.0    255.255.255.0      192.168.0.2      192.168.0.1     11
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link       192.168.0.1    266
      192.168.0.1  255.255.255.255         On-link       192.168.0.1    266
    192.168.0.103  255.255.255.255    192.168.0.103    192.168.0.107     31
    192.168.0.107  255.255.255.255         On-link     192.168.0.107    286
    192.168.0.255  255.255.255.255         On-link       192.168.0.1    266
      192.168.9.0    255.255.255.0      192.168.0.2      192.168.0.1     11
    213.122.169.0    255.255.255.0         On-link    213.122.169.50    266
   213.122.169.50  255.255.255.255         On-link    213.122.169.50    266
   213.122.169.51  255.255.255.255         On-link    213.122.169.50    266
   213.122.169.52  255.255.255.255         On-link    213.122.169.50    266
   213.122.169.53  255.255.255.255         On-link    213.122.169.50    266
   213.122.169.54  255.255.255.255         On-link    213.122.169.50    266
   213.122.169.55  255.255.255.255         On-link    213.122.169.50    266
   213.122.169.56  255.255.255.255         On-link    213.122.169.50    266
   213.122.169.57  255.255.255.255         On-link    213.122.169.50    266
   213.122.169.58  255.255.255.255         On-link    213.122.169.50    266
   213.122.169.59  255.255.255.255         On-link    213.122.169.50    266
  213.122.169.255  255.255.255.255         On-link    213.122.169.50    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.0.1    266
        224.0.0.0        240.0.0.0         On-link    213.122.169.50    266
        224.0.0.0        240.0.0.0         On-link     192.168.0.107    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.0.1    266
  255.255.255.255  255.255.255.255         On-link    213.122.169.50    266
  255.255.255.255  255.255.255.255         On-link     192.168.0.107    286
===========================================================================

Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      192.168.9.0    255.255.255.0      192.168.0.2       1
       10.10.10.0    255.255.255.0      192.168.0.2       1
          0.0.0.0          0.0.0.0   213.122.169.49  Default

The 192.168.9.x network range has been defined within the ISA Network tab on the "Internal NIC".

I've run the ISA BPA and that hasn't detected a configuration issue.

Any thoughts on how to proceed?
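A model of the source-address check behind the spoof drop above, added here as an example and not TMG's own code: it encodes the route table and adapters the post lists and applies a simplified form of the rule, namely that a packet's source must belong to the adapter (for locally generated traffic) or the TMG network (for received traffic) on the path it takes. The exact internal algorithm is an assumption, as is leaving 10.10.10.0/24 out of the Internal network definition because the post does not say where it belongs.

```python
import ipaddress

# Active routes copied from the post: (destination, mask, gateway, interface, metric).
ROUTES = [
    ("0.0.0.0",       "0.0.0.0",       "213.122.169.49", "213.122.169.50", 266),
    ("10.10.10.0",    "255.255.255.0", "192.168.0.2",    "192.168.0.1",    11),
    ("192.168.0.0",   "255.255.255.0", "On-link",        "192.168.0.1",    266),
    ("192.168.9.0",   "255.255.255.0", "192.168.0.2",    "192.168.0.1",    11),
    ("213.122.169.0", "255.255.255.0", "On-link",        "213.122.169.50", 266),
]

# Adapter name -> addresses bound to it, from the ipconfig output in the post.
ADAPTERS = {
    "WAN-PUBLIC": [ipaddress.ip_address(f"213.122.169.{n}") for n in range(50, 60)],
    "LAN-PRIVATE": [ipaddress.ip_address("192.168.0.1")],
}

# TMG network definitions. The post states that 192.168.9.x is in the Internal
# network and that 192.168.0.x is the internal adapter's subnet. 10.10.10.0/24 is
# routed but its network membership is not stated, so it is deliberately left out.
NETWORKS = {
    "Internal": [ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("192.168.9.0/24")],
}
ADAPTER_NETWORK = {"LAN-PRIVATE": "Internal", "WAN-PUBLIC": "External"}

def adapter_of(ip):
    """Adapter an address is bound to, or None when it is not one of this host's addresses."""
    addr = ipaddress.ip_address(ip)
    for name, addrs in ADAPTERS.items():
        if addr in addrs:
            return name
    return None

def network_of(ip):
    """TMG network an address falls into: Local Host, a defined network, else External."""
    addr = ipaddress.ip_address(ip)
    if adapter_of(ip) is not None:
        return "Local Host"
    for name, nets in NETWORKS.items():
        if any(addr in net for net in nets):
            return name
    return "External"

def select_route(dst):
    """Longest-prefix match with lowest-metric tie-break -> (gateway, interface_ip)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, mask, gateway, iface, metric in ROUTES:
        prefix = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if addr in prefix:
            key = (prefix.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gateway, iface)
    return (best[1], best[2]) if best else None

def check_outbound(src, dst):
    """Packet generated by the TMG host itself (the case in the log above): the source
    must be an address of the adapter the route table selects for the destination."""
    _gateway, iface = select_route(dst)
    out_adapter, src_adapter = adapter_of(iface), adapter_of(src)
    if src_adapter is None:
        return ("spoofed", f"{src} is not a local address on a locally generated packet")
    if src_adapter != out_adapter:
        return ("spoofed", f"{src} is bound to {src_adapter} but the packet to {dst} "
                           f"({network_of(dst)}) leaves via {out_adapter} ({iface})")
    return ("ok", f"{src} leaves via {out_adapter}")

def check_inbound(src, adapter):
    """Packet received on an adapter: the source must belong to the TMG network that
    adapter serves, and must never be one of the host's own addresses."""
    expected, actual = ADAPTER_NETWORK[adapter], network_of(src)
    if actual == "Local Host":
        return ("spoofed", f"{src} is one of this host's own addresses")
    if actual != expected:
        return ("spoofed", f"{src} is classified as {actual}, but {adapter} serves {expected}")
    return ("ok", f"{src} is in {expected} as expected on {adapter}")
```

For the packet in the log (source 213.122.169.54, destination 192.168.9.130) the route table picks LAN-PRIVATE while the source is a WAN-PUBLIC address, which is exactly the condition the check flags; the 10.10.10.0/24 case shows how a routed subnet missing from the Internal network definition is classified External and dropped the same way.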


Search Engine Optimization

We currently use the TMG as a reverse proxy for our SharePoint sites. Some are public and need to be indexed by Google and Bing, but these sites also need to be authenticated, so we have the redirect from http to https set up. Some Search Engine Optimization guy is telling us that we need to make the TMG return a 301 instead of the 302. My question is, has anyone else run into this issue, and if so, what did you do to resolve it?

Thanks.


Error while installing McAfee

I have a strange situation: when trying to install McAfee on the TMG server it will not connect to my enterprise server to communicate and install the antivirus (telnet fails on ports 9080 to 9085).

I created a rule for inbound and outbound for ports 9080 to 9085 so that TMG can communicate with the centralised server.

When I run the log event test it always goes to the last rule, which is the default, irrespective of the rule above the default being the McAfee (inbound and outbound) rule.





Capture TMG Logon ID

I have a DLL I run behind TMG.  The DLL fires when the user logs on and passes a user id to an outside proxy server that returns a set of values based on the user id.  Right now the user id is hard-coded in my C++/ASP.NET code.  I need to pull the person who authenticates with TMG.  

So far I can only pull NETWORK SERVICE.  Any idea how I can pull the logged on user?

Cannot Upload FTP through TMG

So I have read thousands of posts and spent too much time trying to allow FTP uploads through the TMG firewall. I have tried everything that I can think of but I still get this error message: "The Folder xxxxxxxxx:xxxxxxx@ftp.usa.hp.com is read only because the proxy server is not setup for full access." I have right-clicked on the rule and unchecked read-only. I have allowed active FTP, etc. I am missing something and I need help!

Our setup is very simple: the internal network is made up of several servers ("ops boxes") that have proxy connectivity to the internet for support sites. I need to allow the "ops boxes" the ability to upload logs to HP. I have also installed the TMG client on one of the boxes for testing.

TMG Server is a VM with two NICs; one for internal and the other for external. 

ISA behind a BigIP listening on port 90 redirecting from http://sub.example.com to http://sub.example.com:90/CookieAuth.dll...

The title pretty much says it all....

So I have a URL  'http://sub.example.com' that resolves to a BigIP VIP that routes traffic through to the ISA server on port 90.  I have the listener configured for port 90 for a custom template. If I go to the

If I request:  

    http://sub.example.com

ISA is returning a 302 to the login URL at

   http://sub.example.com:90/CookieAuth.dll?GetLogon?curl=Z2F&reason=0&formdir=33

If I take out the :90, the site works just fine.

The settings on the listener and the firewall rule are:

Review-Dev Listener:
  Networks: All Networks (and local host)
  Connections: HTTP on 90, Adv: Unlimited connections
  Certificates: N/A
  Authentication: HTML Form Auth, Active Dir Auth, Advanced: Require all users to authenticate, allow http, 3000 sec
  Forms: Use Custom Template: Review-Listener, Advanced: Cookie name: Review; Never use persistent; Ignore IP for cookie validation; Treat as max idle time, Apply session timeouts enabled
  SSO: Enabled for .example.com

Review Dev Web Pub
 Action: Allow, Log
 From: Anywhere
 To: review-iis-dev.example.com  (this is another VIP that routes traffic to the IIS site)
 Traffic: HTTP
 Listener: ReviewDev-Listener
 Public Name: review-dev.example.com
 Paths: <same as I>:/*
 Authentication Delegation: NTLM
 App Settings: Use custom - ReviewDev-Listener, logoff - "?cmd=logoff", logon select by user
 Bridging: Redir 80
 Users: All Auth Users
 Schedule: Always
 Link Trans: Enabled

When I first created the rule, I did not enable link translation (this seems to be the most probable culprit); I have since enabled link translation and restarted the Firewall Service.

Anyone have some thoughts?

Thanks in advance
