Channel: Forefront TMG and ISA Server forum

ISP redundancy and reverse proxy


Greetings, community!

We have two EDGE TMG servers and two INTERNAL TMG servers.

We have two providers with two dedicated external IP addresses each.

I configured ISP Redundancy for each EDGE TMG server with these parameters:

Each EDGE TMG server has two External NIC and one Internal NIC. 

EDGE 1: Provider1_IP1 and Provider2_IP1

EDGE 2: Provider1_IP2 and Provider2_IP2

ISP Connections:

Provider1 and Provider2

So, the trouble:

We have some published Web-Services, like OWA, ActiveSync, TerminalGatewayServers and others.

Also we made 4 external DNS records for each Web-Service.

For example:

mail.domain.com Provider1_IP1

mail.domain.com Provider1_IP2

mail.domain.com Provider2_IP1

mail.domain.com Provider2_IP2

If we try to connect from external to any published Web-Service, we have a big delay (~30 sec), and then it connects.

After some tests we found that ONLY ONE EDGE TMG server is used for reverse proxy. IP addresses from EDGE 1 are unavailable from external access. But it still works as Web-Proxy for Internal connections. Reverse-Proxy works only for EDGE 2 IP addresses.

If we shut down the EDGE 2 TMG server, then Reverse-Proxy for EDGE 1 IP addresses works correctly.

Why do not all 4 of my external IP addresses work for reverse-proxy? Only the 2 from one of my EDGE servers do.
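A way to see which of the four addresses actually answers, and how long an external client waits on the ones that do not, is to time a TCP connect to every A record the published name resolves to. The script below is an added example, not part of the post: it assumes the name mail.domain.com and port 443 (both placeholders from the post) and must be run from an external host, since the behaviour only shows from the Internet side. An address whose packets are silently dropped holds the client for the full connect timeout before it moves on to the next record, which is the kind of delay the post describes; an address that actively refuses fails fast instead.

```powershell
# Added diagnostic, not code from the original post. Host name and port are the post's
# placeholders; run from an EXTERNAL host to see what Internet clients see.
param(
    [string]$HostName = 'mail.domain.com',
    [int]$Port        = 443,
    [int]$TimeoutMs   = 5000
)

function Test-PublishedAddress {
    # Time one TCP connect; distinguish "open", "refused" and "timeout" (silently dropped).
    param([string]$Address, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)       # throws if the peer refused
            $state = 'open'
        } else {
            $state = 'timeout'               # no SYN/ACK and no RST: the client waits the full timeout
        }
    } catch {
        $state = 'refused/error: ' + $_.Exception.Message
    } finally {
        $sw.Stop()
        $client.Close()
    }
    New-Object PSObject -Property @{
        Address = $Address; Port = $Port; State = $state; ElapsedMs = $sw.ElapsedMilliseconds
    }
}

# All IPv4 A records the resolver hands out for the published name, in the order received.
$addresses = [System.Net.Dns]::GetHostAddresses($HostName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }

$results = @(foreach ($a in $addresses) { Test-PublishedAddress -Address $a -Port $Port -TimeoutMs $TimeoutMs })
$results | Format-Table Address, Port, State, ElapsedMs -AutoSize

# Worst case a client pays before reaching a working address: every dead address it
# tries first costs its full timeout. Resolvers rotate the record order, so it varies.
$dead = @($results | Where-Object { $_.State -ne 'open' })
'{0} of {1} addresses not accepting connections; worst-case extra delay {2} ms' -f $dead.Count, $results.Count, [int](($dead | Measure-Object ElapsedMs -Sum).Sum)
```

The table gives the per-address state and elapsed time. If EDGE 1's addresses show "timeout" while the server is up and serving internal web-proxy clients, the listener is not reachable on those addresses from the outside: check that the web listener is bound to them and look in EDGE 1's firewall log for denied connections to them, rather than assuming the DNS records are the problem.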


TMG with RSA for OWA on the same URL as EAS


Hi

We have a requirement to use RSA authentication for external OWA users on Exchange 2010. Exchange ActiveSync users will not be affected and will authenticate normally. We currently have OWA, EAS and Autodiscover on the same URL, mail.company.com.

I have installed TMG on a server with 1 NIC in our DMZ. I have set up 3 listeners: one for OWA with RSA, one for EAS and one for Autodiscover. The problem is the OWA/RSA listener can't share the same IP as the others (I get an 'overlap' error message), so I have had to add a 2nd IP address to the server NIC to solve that. All looks OK on TMG, except now I have the problem that all the traffic is coming into our firewall on one URL and has to be NATted to only one of the 2 IP addresses.

Do I need to have separate external URLs for OWA and EAS/Autodiscover so that they can be NATted to different IP addresses and hence different listeners? Is there an easier way to split the traffic?

Thanks

Share a OPENVPN Connection


Hi,

I need to access a network VPN through OpenVPN software.
If I configure the client on any workstation it runs smoothly; however, I have 50 workstations on my network and I cannot install it on all of them. I have FF TMG 2010 and I wonder if, when I install the OpenVPN client on the FF TMG server, I can share this connection with my entire network.
Thank you.


TMG NLB breaks RADIUS auth (drops UDP fragments?)


Hi,

I have a TMG cluster with 3 legs: External, Internal1, Internal2.

On Internal1 I have all clients and servers.

On Internal2 I put my Fortigate 80C, used for the wireless network. I use RADIUS for auth. The RADIUS server is on a Windows server in the Internal1 network.

Everything works fine, but as soon as I start NLB on the 2nd TMG cluster node the RADIUS auth fails. Everything else works. If you are already authenticated for wireless, internet and everything works for you.

For Internal1 I have to use unicast; for External I use multicast NLB and it works great. For Internal2 I tried unicast/multicast, no difference. I even configured the multicast MAC and IP on the Cisco switch between TMG and Fortigate.

What I find strange is that everything works with 1 TMG node (one or the other), but as soon as I start the NLB service on the second one, RADIUS auth times out.

Looking at the network packets, it seems that TMG drops the UDP fragments for RADIUS.

I have Block IP fragments disabled.

Any idea?

Does TMG have trouble with NLB and UDP traffic?

Thanks a lot!
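A direct way to test whether fragmented UDP datagrams survive the path from the Fortigate through the NLB'd TMG to Internal1 is to send datagrams of increasing size through that same path to a test port and see which arrive. The script below is an added harness, not from the post. The UDP port (9999), the listener address and the sizes are placeholders chosen for the test, not values from the post; do not point it at the RADIUS server's own port, which would only discard unparseable packets. RADIUS Access-Requests carrying EAP (PEAP, certificates) routinely exceed 1500 bytes and travel as IP fragments, so the sizes straddle the 1472-byte payload limit of a 1500-byte MTU (1500 minus 20 IP minus 8 UDP).

```powershell
# Added test harness, not code from the original post. Port, sizes and the listener
# address are placeholders for the test; do NOT point it at the RADIUS port itself.
param(
    [ValidateSet('Listen','Send')] [string]$Mode = 'Listen',
    [string]$Target  = '192.0.2.10',
    [int]$Port       = 9999,
    [int[]]$Sizes    = @(512, 1400, 1472, 1473, 2048, 4096),
    [int]$TimeoutMs  = 2000
)

function Start-SizeListener {
    # Internal1 side: echo back the byte count of each datagram that actually arrives.
    param([int]$Port)
    $udp  = New-Object System.Net.Sockets.UdpClient($Port)
    $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    Write-Host "Listening on UDP $Port (Ctrl+C to stop)"
    while ($true) {
        $data  = $udp.Receive([ref]$from)
        $reply = [System.Text.Encoding]::ASCII.GetBytes([string]$data.Length)
        [void]$udp.Send($reply, $reply.Length, $from)
        Write-Host ("{0}: received {1} bytes" -f $from, $data.Length)
    }
}

function Test-UdpSizes {
    # Internal2 side: one datagram per size. Anything over 1472 bytes leaves as IP fragments
    # on a 1500-byte MTU, so those rows show whether fragments cross TMG/NLB intact.
    param([string]$Target, [int]$Port, [int[]]$Sizes, [int]$TimeoutMs)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $udp.Connect($Target, $Port)
    $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    foreach ($size in $Sizes) {
        $payload = New-Object byte[] $size              # content is irrelevant, only the size matters
        [void]$udp.Send($payload, $payload.Length)
        try {
            $echoed = [int][System.Text.Encoding]::ASCII.GetString($udp.Receive([ref]$from))
            $status = if ($echoed -eq $size) { 'delivered' } else { "delivered but listener saw $echoed bytes" }
        } catch {
            $status = 'no reply: dropped, or fragments never reassembled'
        }
        '{0,5} bytes: {1}' -f $size, $status
    }
    $udp.Close()
}

if ($Mode -eq 'Listen') { Start-SizeListener -Port $Port }
else                    { Test-UdpSizes -Target $Target -Port $Port -Sizes $Sizes -TimeoutMs $TimeoutMs }
```

Start the listener on a host in Internal1 with -Mode Listen, then run -Mode Send -Target <listener address> from a host behind the Fortigate; TMG needs an access rule allowing the test port from Internal2 to Internal1 for the duration (a test rule, not part of the post's configuration). Run it once with a single NLB node and once with both. Sizes up to 1472 delivered and everything above lost is the fragment-drop symptom the post describes; if all sizes pass with both nodes active, the RADIUS failure has another cause and a capture on the RADIUS server is the next step.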

TMG 2010 Array Brings down the entire internal network


OK, so this is as weird as it sounds.

We've been working with ISA and TMG since 2004; this is the first time I've seen this kind of behavior. Let me explain the details.

We implemented 3 TMG 2010 Servers in an Array and 2 EMS Servers on Windows Server 2008 R2. Each TMG Server has 4 NICs (Internal, External, DMZ, Intra-array). At first we wanted to enable them with an F5 hardware load balancer, but after weeks of trying to make them work together we couldn't (SNAT and routing issues), so we tried using Windows NLB but had problems with the multicast configuration under VMware, and after some other battles we decided to first try using just one TMG Server as the main one to make it work. The customer we are implementing this for is currently using ISA 2006 and wanted to upgrade to TMG 2010 using basically the same stuff their ISA had, so we backed up that configuration and imported it into TMG without problems. We added the TMG Servers to the EMS configuration and everything replicated just fine.

Since they already had IPS, Cisco ASAs and IronPorts as proxy, they decided to disable NIS, malware inspection, flood mitigation and all those things TMG has for better securing Internet traffic.

The firewall policy has about 100 rules, and they have 3 publishing rules to HTTPS services.

So after making the necessary configuration changes to the TMG infrastructure, we decided to unplug the ISA Servers, change the TMG servers' IP addresses to the ISA Server ones and test to see if everything worked just as ISA Server did. However it didn't.

At first we had issues related to slow internet traffic; after troubleshooting for some time we found out that the source IP used by TMG was different from the one ISA was using, even though the same IP was configured on the NIC and the other IPs were configured as alternates. We found out after some searching that Windows Server 2008 R2 follows some RFC and handles the IP addresses on a NIC in a way that 2003 didn't. We found out that we needed to add the other IPs via netsh int ipv4 add address <Interface Name> <ip address> skipassource=true

After that configuration we got things working fine... for a while. Several hours later, servers started losing connectivity, switches stopped responding and the entire network collapsed! After unplugging the TMG Servers, everything returned to normal. We thought this was an issue related to drivers or something to do with the VMware platform, so it was decided to reinstall everything on physical servers.

After some days of reconfiguring the TMG Servers again, we made the switch again: unplugged the ISA Servers, configured the TMGs with the ISA IP addresses, did the netsh thing, and then tested everything, and everything worked.

But again, hours later, the same behavior appeared once more! Servers and switches stopped responding and the entire network went down once more! Again we unplugged the TMG Servers and everything returned to normal!

So here we are, back to square one with no clue as to what is causing this behavior on the network. The current physical servers are running HP 3666i 4 multiport 10Gb NICs; we don't know if that has something to do with this, or the fact that the core switch to which the TMG servers are directly connected is a Nexus 7000 and there are some configuration issues between it and the TMG or something. The TMGs are patched with Service Pack 2 Update Rollup 5.

We are probably going to open a support case with Microsoft about this issue, but we first wanted to see if anyone else may have had, seen or heard something related to this and has an explanation or ideas on why this is happening.

I appreciate any replies.

Thank you all.



Eduardo Rojas

User-defined HTTP object not playing ball


We use VMware SRM to replicate VMs to a second site, with a TMG server at either end of the VPN. SRM management traffic uses HTTP port 80.

I have unstable communication between SRM servers because of the TMG web proxy filter. Disabling the proxy filter for the HTTP object in TMG works with no problems.

But rather than disable the web proxy for HTTP across the board, I created a user-defined object copying HTTP (port 80 outbound etc.) but bypassing the web proxy filter, and used this in the particular rule for the SRM traffic.

Now SRM comms simply do not work at all with the user-defined HTTP object (HTTP 500 error). But, as I say, they work fine with the pre-defined HTTP object and the web proxy disabled.

I can, however, get the user-defined object working by using the 'associate standard protocol' dropdown and selecting HTTP in there, but then this requires the pre-defined object to have the web proxy disabled as well, defeating the purpose!

I do have another application for which I am using a user-defined HTTP object bypassing the proxy successfully, but SRM is refusing to work with it.

Has anyone else encountered issues with a user-defined HTTP object? What is different between the pre-defined one and just creating a user-defined object and giving it port 80 outbound etc.?

I am going to gather info using Wireshark this afternoon to see exactly what is in the HTTP header but will be interested to hear others experience here.

Regards,

Steve


TMG - OWA authentication with RSA - 2 login pages


Hi

I have set up a listener on our TMG server to authenticate external OWA users with RSA. Currently, non-RSA OWA users enter their username in the form domain\username, which I can see is set on the OWA website on the CAS server. However, when I connect to the new RSA-enabled OWA listener externally I am presented with a screen where I enter my RSA ID and passcode and my AD password. This authenticates OK, but I am then presented with the OWA screen, which wants my username (domain\username) and password again, presumably as this is what Exchange expects.

I'd like to get rid of this second login screen so users only have to enter their credentials once. From reading around, I can either change the setting on the CAS server to 'basic authentication' (the same as is set on the TMG server) or I can set it to forms-based but with just the username and no domain required.

I only have limited time to test the changes as this is on our live system. Has anyone seen the same thing and can advise on which method is best? Are there any security implications in using basic authentication between the TMG server and the CAS server?

Forefront TMG 2010 logging permission issue


Hi

I recently moved the logging folders (firewall / web proxy / queue) from the C drive to the D drive on my 2008 R2 server,

according to the TMG BPA recommendation.

I gave the folder the same permissions as the original has; logs appear to be written normally, but I keep getting

The Discretionary Access Control List (DACL) in the security descriptor of the logging folder D:\TMG_Logs\FireWall_Logs does not grant full access to both the Network Service and System accounts.

for all the log folders (as written above).

Googled it for a while but can't seem to understand how to move forward.

Any help would be appreciated.

Thanks
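The alert text states the condition TMG checks: both SYSTEM and NETWORK SERVICE must hold Full Control on the logging folder. A folder created fresh on another drive and then "given the same permissions" by hand often ends up with ACEs that apply to the folder only, or with Modify instead of Full Control, and both fail that test. The script below is an added example, not from the post: it checks for an Allow ACE with Full Control that also inherits to subfolders and files, and optionally adds what is missing. The folder path is the one the post names; the well-known SIDs S-1-5-18 (SYSTEM) and S-1-5-20 (NETWORK SERVICE) are used instead of account names so the check is independent of the server's display language.

```powershell
# Added example, not code from the original post. Folder path is the one the post names.
param(
    [string[]]$LogFolder = @('D:\TMG_Logs\FireWall_Logs'),
    [switch]$Fix
)

# Well-known SIDs, so the check does not depend on the display language of the server.
$Required = @{
    'S-1-5-18' = 'NT AUTHORITY\SYSTEM'
    'S-1-5-20' = 'NT AUTHORITY\NETWORK SERVICE'
}
$FullControl = 0x1F01FF    # FileSystemRights.FullControl (2032127)

function Get-MissingFullControl {
    # Returns the SIDs that do not have an Allow ACE with Full Control that also
    # inherits to subfolders and files ("this folder, subfolders and files").
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $missing = @()
    foreach ($sid in $Required.Keys) {
        $granted = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid -and
            (([int]$_.FileSystemRights) -band $FullControl) -eq $FullControl -and
            $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit'
        })
        if ($granted.Count -eq 0) { $missing += $sid }
    }
    ,$missing
}

function Add-FullControl {
    param([string]$Path, [string]$Sid)
    $acl  = Get-Acl -Path $Path
    $id   = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($folder in $LogFolder) {
    $missing = Get-MissingFullControl -Path $folder
    if ($missing.Count -eq 0) { "$folder : OK"; continue }
    $names = ($missing | ForEach-Object { $Required[$_] }) -join ', '
    "$folder : no Full Control (folder, subfolders and files) for $names"
    if ($Fix) {
        foreach ($sid in $missing) { Add-FullControl -Path $folder -Sid $sid }
        "$folder : fixed"
    }
}
```

Run it elevated on the TMG server, passing all three moved folders; -Fix adds the ACEs with Set-Acl, after which restart the Microsoft Forefront TMG Firewall service if the alert does not clear on its own. One caveat worth keeping in mind while copying permissions: the logs record URLs, client addresses and user names, so the new folders should grant read access to Administrators and these two service accounts only, not to whatever broad group the root of the drive happens to allow.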


Internet Access through TMG for all HO & Branch offices


Dear Experts,

I am new to Forefront TMG 2010. I have a requirement to implement internet access.

Head office: 192.168.11.x/24 (192.168.11.1 is the TMG server)

Branch Office 1: 192.168.12.x/24

Branch Office 2: 192.168.14.x/24

Branch Office 2: 192.168.16.x/24

Forefront TMG 2010 Standard Edition.

It has 3 NICs: two have different ISP network addresses and one has 192.168.11.1.

Branch offices are connected using an MPLS network; the requirement is that all branch site internet must be accessed through the TMG 2010 server, which is homed in the Head Office. How to achieve this?

What needs to be done in the external firewall and in TMG to enable internet access?

Thanks!


Regards, Ganesh, MCTS, MCP, ITILV2 This posting is provided with no warranties and confers no rights. Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread.
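Before any access rule matters, TMG has to regard the branch subnets as part of the network behind its internal NIC: it discards packets arriving on an adapter from a source address outside that adapter's network definition as spoofed, and a default installation's Internal network usually contains only the head-office range. The script below is an added, read-only check, not from the post. It reads the network's address ranges through the FPC COM object model (FPC.Root; IPRangeSet entries expose IP_From and IP_To, per the TMG SDK) and tests whether each branch subnet from the post is covered. The network name "Internal" is an assumption.

```powershell
# Added read-only check, not code from the original post. Subnets are the post's; the
# network name is assumed. Uses the FPC COM object model (FPC.Root) per the TMG SDK.
param(
    [string]$NetworkName     = 'Internal',
    [string[]]$BranchSubnets = @('192.168.12.0/24', '192.168.14.0/24', '192.168.16.0/24')
)

function ConvertTo-IPNumber {
    # Dotted IPv4 -> 0..4294967295 as [long], so ranges can be compared arithmetically.
    param([string]$Dotted)
    $b = [System.Net.IPAddress]::Parse($Dotted).GetAddressBytes()
    ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Get-SubnetBounds {
    # First and last address of a CIDR block, computed without shift operators
    # (PowerShell 2.0 on 2008 R2 has no -shl/-shr).
    param([string]$Cidr)
    $ip, $prefix = $Cidr -split '/'
    $size  = [long][Math]::Pow(2, 32 - [int]$prefix)
    $first = [long][Math]::Floor((ConvertTo-IPNumber $ip) / $size) * $size
    New-Object PSObject -Property @{ Cidr = $Cidr; First = $first; Last = ($first + $size - 1) }
}

function Get-TmgNetworkRanges {
    # Address ranges of one TMG network, read from the stored configuration.
    param([string]$Name)
    $fpc = New-Object -ComObject 'FPC.Root'
    $net = $fpc.GetContainingArray().NetworkConfiguration.Networks.Item($Name)
    foreach ($range in $net.IPRangeSet) {
        New-Object PSObject -Property @{
            From    = $range.IP_From
            To      = $range.IP_To
            FromNum = (ConvertTo-IPNumber $range.IP_From)
            ToNum   = (ConvertTo-IPNumber $range.IP_To)
        }
    }
}

$ranges = @(Get-TmgNetworkRanges -Name $NetworkName)
"$NetworkName has $($ranges.Count) address range(s)"
foreach ($cidr in $BranchSubnets) {
    $s = Get-SubnetBounds -Cidr $cidr
    $covered = @($ranges | Where-Object { $_.FromNum -le $s.First -and $_.ToNum -ge $s.Last })
    if ($covered.Count -gt 0) {
        '{0}: inside {1} ({2} - {3})' -f $cidr, $NetworkName, $covered[0].From, $covered[0].To
    } else {
        Write-Warning "$cidr is NOT inside $NetworkName; TMG treats its packets on the internal NIC as spoofed"
    }
}
```

Run it on the TMG server. Any subnet reported as not inside has to be added to the Internal network's address ranges, and the TMG host also needs a route to each branch subnet via the MPLS router on the head-office LAN; otherwise replies leave through the default gateway on an ISP NIC. With that in place, branch clients reach the proxy at 192.168.11.1 like head-office clients do, and the external firewall only has to allow the TMG's external addresses out.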


Forefront TMG 2010-Some external IP addresses disappear after reboot


Hello,

I have a client with a Forefront TMG 2010 server on a 2008 AD domain. It is configured with 2 NICs, an internal and an external. The internal has the internal address of the server bound to it and nothing else. The external has quite a few of their external IPs bound to it. They have a full 255-address block and the majority are used.

A strange thing happened the other day. We had to reboot the server, and when it came back up several things weren't working, including VPN and email. Some troubleshooting revealed that there were only 3-4 external IPs bound and listening on the external NIC, and none of them were the main IP configured on the NIC. I checked the NIC config and saw all the addresses were in there as they should be, but the addresses weren't in the registry entry for the NIC config, HKLM\System\CurrentControlSet\Services\{ID of NIC}\Parameters\TCPIP\IP Address.

I have no idea what could have caused this. I fixed it easily enough by adding the missing addresses back into the registry entry and disabling and re-enabling the NIC, but I would like to prevent this from happening again if they reboot the server.

Thanks.
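A check that catches this before users notice is to compare, after each boot, the static addresses stored for the external adapter with the ones the stack actually bound. The script below is an added example, not from the post. It reads the IPAddress multi-string under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{interface GUID}, which is where Windows keeps the persistent static IPv4 configuration (the post names the key slightly differently), and compares it with the adapter's WMI view of what is bound. The adapter connection name "External" is an assumption.

```powershell
# Added check, not code from the original post. Adapter name is an assumption; the registry
# location is the one Windows uses for static IPv4 settings (the post names it differently).
param([string]$AdapterName = 'External')

function Get-AddressMismatch {
    param([string]$Name)
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$Name'"
    if (-not $nic) { throw "No adapter with connection name '$Name'" }
    # Same adapter as seen by the TCP/IP stack; SettingID is the interface GUID used in the registry.
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($nic.DeviceID)"
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$($cfg.SettingID)"
    # REG_MULTI_SZ IPAddress: what will be applied at boot (0.0.0.0 marks a DHCP adapter)
    $stored = @((Get-ItemProperty -Path $key -Name IPAddress).IPAddress | Where-Object { $_ -ne '0.0.0.0' })
    # What is bound right now (IPv4 only)
    $bound = @($cfg.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
    New-Object PSObject -Property @{
        Adapter        = $Name
        InterfaceGuid  = $cfg.SettingID
        StoredCount    = $stored.Count
        BoundCount     = $bound.Count
        StoredNotBound = @($stored | Where-Object { $bound -notcontains $_ })
        BoundNotStored = @($bound  | Where-Object { $stored -notcontains $_ })
    }
}

$r = Get-AddressMismatch -Name $AdapterName
$r | Format-List Adapter, InterfaceGuid, StoredCount, BoundCount, StoredNotBound, BoundNotStored
if ($r.StoredNotBound.Count -gt 0) {
    Write-Warning ('{0} configured address(es) are not bound on {1}: {2}' -f $r.StoredNotBound.Count, $AdapterName, ($r.StoredNotBound -join ', '))
}
if ($r.BoundNotStored.Count -gt 0) {
    Write-Warning ('{0} bound address(es) are not in the registry (e.g. added with store=active) and will not survive a reboot: {1}' -f $r.BoundNotStored.Count, ($r.BoundNotStored -join ', '))
}
```

Scheduled at startup (Task Scheduler, running as SYSTEM, with the warning routed to the event log or e-mail) it reports a truncated list before VPN and mail fail. When addresses do have to be put back, netsh interface ipv4 add address <adapter> <address> <mask> is the supported route and writes the same registry value, so it avoids hand-editing; on 2008 R2 the extra addresses are also candidates for outbound source selection unless added with skipassource=true, which is worth setting on the secondaries so outbound traffic keeps using the primary.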


Web Access Rules for authenticated and UNauthenticated users


Hi all,

We're running TMG 2010 Version: 7.0.8108.200.

I'm trying to create a rule set that will:

a) Allow AUTHENTICATED users web access through a whitelist
b) Allow UNAUTHENTICATED users unrestricted web access

They're all on the same subnet.

The rule that allows UNauthenticated users is above the one for the authenticated users; otherwise UNauthenticated users are precluded from further processing.
But then I need a way to exclude authenticated  users from matching that rule.

Any ideas? I'm lost here....

Thanks!
- Kris


Lock down Web Server Access to External IPs


Hi All,

We need to give access to our web server to our third-party agents. But I need to lock it down by their IP.

Currently the web publishing rule is From: Anywhere, To: Server IP.

So how do I allow only our internal sites and, externally, these third-party companies?

 Ex:

 Head office- 10.1.x.x

 Site 1-20.1.x.x

 site 2 -30.x.x.x

These are all connected via IP VPN.

 Third Party01  Ext IP :203.1.x.x

 Third Party02  Ext IP :205.1.x.x

As

Forefront TMG 2010 Error from management console


Hi,

I am having a problem connecting to a TMG 2010 array from an installation of the TMG management console; we are receiving the error 'Refresh Failed' 'Error 0x80070057' 'The parameter is incorrect'.

The only article I can find on this error is http://support.microsoft.com/kb/2591719, which doesn't seem to apply to our setup or this problem, but I have applied Service Pack 2 anyway and still get the same error. The only other thing I can find is a few people saying the management console needs to be at the same version as the TMG servers you are trying to connect to, but I cannot see how this can be done, as when I try to run the service pack on the machine with only the management console I get an error because the full installation is not there.

TMG - 0x80090325 -Certificate Chain was issued by an authority that is not trusted


Hello,

I am having some problems with testing an OWA (SSL) rule. I get that message.

The TMG belongs to the domain and therefore, as far as I know, it gets the root certificate of my CA (I have deployed an Enterprise CA for my domain).

That is why I don't understand the message: "...that is not trusted."

-------

The exact message:

Testing https://mail.mydomain.eu443/owa

Category: Destination server certificate error

Error details: 0x80090325 - The certificate chain was issued by an authority that is not trusted

Thanks in advance!


Luis Olías, Systems Technician/Administrator, Sevilla (Spain)
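0x80090325 is SEC_E_UNTRUSTED_ROOT: the Schannel client inside the Firewall service could not chain the certificate presented by the CAS to a root it trusts. The service runs under a service account, so only the computer's certificate stores count. An Enterprise CA's root normally does reach those stores on domain members through Active Directory, so the more likely gap is the certificate the CAS actually presents on 443: Exchange's default self-signed certificate, or one issued by a subordinate CA whose intermediate is neither installed on TMG nor sent by the CAS. The script below is an added diagnostic, not from the post. It fetches the certificate from the published host (the post's placeholder name) and builds the chain in the machine context, reporting the same chain status TMG sees.

```powershell
# Added diagnostic, not code from the original post. Host is the post's placeholder;
# run this ON the TMG server, because it is TMG's computer certificate stores that decide.
param([string]$Server = 'mail.mydomain.eu', [int]$Port = 443)

function Get-RemoteCertificate {
    # Complete a TLS handshake and hand back the leaf certificate the server presented.
    param([string]$Server, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # Accept anything during the handshake; trust is evaluated explicitly below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Server)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $tcp.Close()
    }
}

function Test-ChainAsMachine {
    # Build the chain in the MACHINE context (what a service running as SYSTEM /
    # Network Service sees), ignoring revocation so that trust is the only question.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Cert)
    $status = @($chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() })
    New-Object PSObject -Property @{
        Subject  = $Cert.Subject
        Issuer   = $Cert.Issuer
        NotAfter = $Cert.NotAfter
        Trusted  = $trusted
        Chain    = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        Status   = $status
    }
}

$result = Test-ChainAsMachine -Cert (Get-RemoteCertificate -Server $Server -Port $Port)
$result | Format-List Subject, Issuer, NotAfter, Trusted, Chain, Status
if (-not $result.Trusted) {
    'Fix on the TMG server, in the computer stores:'
    '  certutil -addstore -f Root <issuing-root.cer>        # status UntrustedRoot'
    '  certutil -addstore -f CA   <intermediate.cer>        # status PartialChain'
}
```

The Issuer line tells you which CA actually signed what the CAS presents; if it is not your enterprise CA, that is the whole answer. A status of UntrustedRoot means that issuer's root is absent from the computer's Trusted Root store; PartialChain means an intermediate is missing and belongs in the computer's Intermediate Certification Authorities store (or in the CAS's chain configuration so it is sent during the handshake). Fix it on that side rather than by loosening the publishing rule, since TMG validating the CAS certificate is what stops a bridged HTTPS connection being redirected to an impostor on the inside.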

TMG Configuration help


Hi, I have TMG (2 NICs). In front of the TMG is a hardware firewall. Inside the network/DMZ we have a lot of sites and servers. Now I need to configure access so that everything works, but I am struggling; I never configured TMG before.

Sites to include: Lync, Exchange OWA, Exchange ActiveSync, Remote Desktop server, web server, VPN (SSTP/L2TP), SharePoint (TFS), ...

The main problem is that I have a UCC certificate that is supposed to replace the different certificates, and I am able to create only one web listener.

That one WL works, for example, for Exchange but not for SSTP. How would you configure this network? Please advise, stuck for a while here :(



TMG - Block Youtube - HTML5


Dear all.

I want to block YouTube with TMG 2010.

I tried with URL names:

youtube.com/* or *.youtube.com or youtube.com:443 or youtube.com:443/* or *.youtube.*

...

I also added content filters:

video/mp4

video/x-flv

video/x-ms-asf

and stopped Flash player:

application/x-shockwave-flash

1. Users cannot access www.youtube.com directly, but they can access youtube.com/watch?v=xxxxx and view the video without problem.

2. Users can access youtube.com and view videos without any problem.

Please help me solve this problem.

Thanks and best regards.


Migrating TMG to NetScaler Step by Step


Hello,

Currently we are running TMG 2010 in our environment and management has decided to move from TMG to NetScaler. I am looking for good documentation or a whitepaper on migrating TMG to NetScaler.

I'd appreciate it if anyone could help with this.


Dinesh S.

Published website needs to use hostname only


Hi,

I have a web application that only works when you use the hostname to access it, i.e. http://server01/client, not http://server01.domain.local/client. It crashes the web browser if we enter the FQDN.

I'm trying to publish this website externally through TMG 2010. Unfortunately, when entering the externally published web address we get the same crashing issue.

Is there any way to force TMG to use only the hostname or IP address?

Problem with blocking upload file TMG 2010


I'm using TMG 2010. I have 3 rules:

1/ Allow Internet Access:

protocols: DNS, HTTP, HTTPS; from: localhost, internal; to: External

2/ Allow Protocols:

protocols: all traffic; from: localhost, internal; to: localhost, internal

3/ Default Rule: Block all.

The problem is: I want to block file uploads from internal to external, so I've made an HTTP filter in Allow Internet Access like this: Configure HTTP --> Signature: Search in: Request Header

 HTTP header: Content-Type:

 Signature: mutipart/form-data

Methods: Block method POST

Unfortunately, it doesn't work and I don't know why. If I create a rule to block the web, it works. Please help me. Thanks!


TMG 2010 FBA with LDAP /enable change password/ CAS 2010/ MaxPasswordAge of defaultdomainpolicy set to 0


Hello,

I have this configuration:

TMG 2010:

    member of forest domain A

    FBA with ldap/Enable change password

CAS 2010:

     ChangeExpiredPasswordEnabled is 0

     member of domain forest B

AD 2003 (forest domain B):

   Trust relationship between forests A and B is set (bidirectional)

   ADDefaultDomainPasswordPolicy have the values

            MaxPasswordAge              : 00:00:00
            MinPasswordAge              : 00:00:00

The issue:

My account is not expired, because I can log on to all resources, BUT:

when I try to log on to OWA through TMG, it considers that my password has expired and needs to be changed, and asks me to change it. BUT when I try to log on to OWA directly (internally), OWA doesn't ask me to change my password.

When I check the AD attributes associated with my account, the ms-DS-User-Account-Control-Computed attribute is Password_expired and userAccountControl is set to 512 (normal account).

When I check "Password never expires" in the Account options, TMG doesn't ask me to change my password; the attribute ms-DS-User-Account-Control-Computed is then set to 0 and userAccountControl is set to 10200 (normal account / don't expire the password).

I wonder if TMG checks the ms-DS-User-Account-Control-Computed attribute? Does it require setting "Password never expires" in the account options for all user accounts in order not to have this behaviour on TMG?

Do you have any idea?

Regards
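TMG authenticates this user against the LDAP server set that points at forest B, so the first thing to settle is whether Active Directory in forest B itself reports the password as expired. The script below is an added diagnostic, not from the post. It reads userAccountControl, the constructed msDS-User-Account-Control-Computed attribute and pwdLastSet for one account, together with the domain's raw maxPwdAge, and decodes the bits with the documented values (UF_NORMAL_ACCOUNT 0x200, UF_LOCKOUT 0x10, UF_DONT_EXPIRE_PASSWD 0x10000, UF_PASSWORD_EXPIRED 0x800000). The account name and the domain DN for forest B are placeholders. Read the post's values as hex: 0x10200 is NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWD, and a raw maxPwdAge equal to the "never" sentinel (0x8000000000000000) is what Get-ADDefaultDomainPasswordPolicy renders as 00:00:00.

```powershell
# Added diagnostic, not code from the original post. Account and domain DN are placeholders
# for forest B (the forest TMG's LDAP server set queries). UF_* values are the documented
# userAccountControl / msDS-User-Account-Control-Computed bits.
param(
    [string]$SamAccountName = 'jdoe',
    [string]$DomainDn       = 'DC=forestB,DC=local'
)

$UF = @{
    NORMAL_ACCOUNT     = 0x200
    LOCKOUT            = 0x10
    DONT_EXPIRE_PASSWD = 0x10000
    PASSWORD_EXPIRED   = 0x800000
}
$NeverExpires = [long]::MinValue   # maxPwdAge sentinel (0x8000000000000000): passwords never expire

function ConvertTo-FlagNames {
    param([int]$Value)
    $names = @($UF.Keys | Where-Object { ($Value -band $UF[$_]) -ne 0 } | Sort-Object)
    if ($names.Count -eq 0) { 'none' } else { $names -join '|' }
}

function Get-PasswordState {
    param([string]$Sam, [string]$Dn)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dn")

    # Domain policy: maxPwdAge is a negative 100-ns interval (DirectorySearcher returns Int64).
    $domainSearch = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=*)', @('maxPwdAge'), 'Base')
    $maxAge = [long]$domainSearch.FindOne().Properties['maxpwdage'][0]

    $attrs = @('userAccountControl', 'msDS-User-Account-Control-Computed', 'pwdLastSet')
    $userSearch = New-Object System.DirectoryServices.DirectorySearcher($root, "(sAMAccountName=$Sam)", $attrs, 'Subtree')
    $hit = $userSearch.FindOne()
    if (-not $hit) { throw "Account '$Sam' not found under $Dn" }
    $uac      = [int]$hit.Properties['useraccountcontrol'][0]
    $computed = [int]$hit.Properties['msds-user-account-control-computed'][0]
    $pls      = [long]$hit.Properties['pwdlastset'][0]

    $exempt = (($uac -band $UF.DONT_EXPIRE_PASSWD) -ne 0) -or ($maxAge -eq $NeverExpires)
    if ($pls -eq 0) { $lastSet = 'must change at next logon' } else { $lastSet = [DateTime]::FromFileTimeUtc($pls) }
    if ($maxAge -eq $NeverExpires) { $policyAge = 'never' } else { $policyAge = [TimeSpan]::FromTicks(-$maxAge) }
    if ($exempt -or $pls -eq 0) { $expires = $null } else { $expires = [DateTime]::FromFileTimeUtc($pls - $maxAge) }

    New-Object PSObject -Property @{
        Account            = $Sam
        UserAccountControl = ('0x{0:X} = {1}' -f $uac, (ConvertTo-FlagNames $uac))
        Computed           = ('0x{0:X} = {1}' -f $computed, (ConvertTo-FlagNames $computed))
        PwdLastSetUtc      = $lastSet
        DomainMaxPwdAge    = $policyAge
        PasswordExpiresUtc = $expires
        ExpiredPerAD       = (($computed -band $UF.PASSWORD_EXPIRED) -ne 0)   # what AD itself reports
        LockedOutPerAD     = (($computed -band $UF.LOCKOUT) -ne 0)
    }
}

Get-PasswordState -Sam $SamAccountName -Dn $DomainDn |
    Format-List Account, UserAccountControl, Computed, PwdLastSetUtc, DomainMaxPwdAge, PasswordExpiresUtc, ExpiredPerAD, LockedOutPerAD
```

Point it at a domain controller in forest B (the forest the LDAP server set queries, not the one TMG is joined to) with an account that can read those attributes. If ExpiredPerAD is false and PasswordExpiresUtc is empty while TMG still demands a password change, the account is fine and the discrepancy lies in how TMG evaluates the LDAP result for a domain whose maximum password age is "never"; setting "Password never expires" on every account, as the post observed, only masks that by hard-coding the exemption on each user.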

