I have moved firewall and web proxy logging to Centralized SQL server. after that recurring reports are showing empty data.
I followed the following Article to move the logging to different SQL server
Configure Remote SQL Server Logging for Forefront Threat Management Gateway (TMG) 2010
the TMG is up to date and SQL server is SQL 2012 SP1 on Windows 2K12
Please advise
Mashhour Faraj
Hi,
Client PC: Windows 7 enterprise 64 bits
TMG 2010 server: Windows 2008 R2
Sage Server: Windows 2008 R2
When user are login into tmg using rsa they get "Authentication Success" but it wont redirect to.
When you re-enter the website name again it just show blank page.
It was working last week, we haven't change anything on our firewall or the tmg server.
I have checked
1. Firewall( all the tariff is going through)
2. Checked our dns
3. Check tmg 2010 settings all ok.
The thing is that other sites are working fine but not this one. they is no different between these sites.
Greetings, community!
We have two EDGE TMG servers and two INTERNAL TMG servers.
We have two providers with two dedicated external IP addresses each.
I configure ISP Redundancy for each EDGE TMG servers with parameters:
Each EDGE TMG server has two External NIC and one Internal NIC.
EDGE 1: Provider1_IP1 and Provider2_IP1
EDGE 2: Provider1_IP2 and Provider2_IP2
ISP Connections:
Provider1 and Provider2
So, the trouble:
We have some published Web-Services, like OWA, ActiveSync, TerminalGatewayServers and others.
Also we made 4 external DNS records for each Web-Service.
For example:
mail.domain.com Provider1_IP1
mail.domain.com Provider1_IP2
mail.domain.com Provider2_IP1
mail.domain.com Provider2_IP2
If we try to connect from external to any published Web-Services, we have big delay (~ 30 sec), and then it connected.
After some tests we find that ONLY ONE EDGE TMG server is used for reverce proxy. IP Addresses from EDGE 1 is unavailable from external access. But it still works as Web-Proxy from Internal connections. Reverse-Proxy works only for EDGE 2 IP Addresses.
If we shutdown EDGE 2 TMG server, then Reverse-Proxy for EDGE 1 IP addresses are works correctly.
Why all 4 my external IP addresses are not works for reverse-proxy? Only 2 from one of my EDGE servers.
Hello,
I used to have a TMG with three networks: Internal, Perimeter, External.
Now, due to a change in the design, I would like to remove the internal network, but I cannot.
I thought it was harmless if I just removed the NIC (vmware) and removed the ip range of that internal network, but I am having some issues and I think it is best practise to remove such network (the physical network is removed, well, it is a vmware network card)
I can't figure this out.
Thanks in advance!
Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)
Could my Lumia 920 showing up in the TMG logs like this
instead of like this
cause an issue with Exchange ActiveSync?
I only ask here because our EAS policy is correct and working fine, I just get prompted occasionally that my domain password is incorrect. Entering the password allows it to sync but backing out of the prompt and manually pressing the sync button allows it to sync as well.
Server is 2008 R2 SP1, Exchange 2010 with update rollup 7. TMG version 7.09193.540.
Hi everyone,
This is a strange one.
We are using a TMG for a VPN (amongst other things such as web publishing etc)
We are using some software called 2X to connect to something on a part of our network, internally this works ok, but users on our VPN cant connect to it, but they can connect to everything else. 2X is a program that connects on port 80. From the VPN we can ping the host that the 2x software connects to, we can even RDP to the servers the 2X software is pointing to (once we set up a standard 3389 rule for this) but it wont work as it should via port 80. Its something to do with this port 80 connection.
In TMG logs we get - 59 An unexpected network error occurred.
I have tried a block and allow rule, in various orders but cant get it to work.
Any ideas ?
Thanks
Hi there,
This issue has been driving me crazy for the last month, and I thought I had it solved but definitely don't.
I have TMG configured for the sole purpose of being a reverse proxy for SharePoint, SAP BusinessObjects, and some other services to follow.
Everything works great... usually....
I put this in place for a client, I had it all configured, and I could reach both sites without any issue from home as well as my office. However, the client I put it in place for was unable to reach it from home, from his office, or from his cell, or anywhere really. The site would time out for him. On the TMG server I would receive an error stating: A connection was abortively closed after one of the peers sent an RST packet.
I searched all over the internet for this, and found a million posts about this error, and none of them helped me. I decided to reconfigure everything on TMG. I reconfigured everything from scratch, and it worked for me from home, on my cell, and worked for my client from his cell and from home, so we thought we were good. However, I am now trying to access it from my office, and it times out, and I receive: A connection was abortively closed after one of the peers sent an RST packet on the TMG server.
I tried from both of our external connections here at the office and I can't get to it, and the TMG server gives this error. I can still reach it from my phone and from home.
This is all done on the same laptops, so clients are not the issue. I've done packet sniffing, and the traffic makes it to the TMG and then nothing. Just a TCP Reset. The only difference at all is where the traffic is coming from...
I need to make sure that no matter where you connect from, if you have internet access, you can reach these sites... I have no idea why TMG is dropping the packet or why the reset happens from certain IPs.
Does anyone have any possible information that might help me?
Thanks
Hi
I have setup ISA 2006 to publish Exchange 2010 Outlook Anywhere with Kerberos Constrained Delegation and IPSEC.
The clients have an IPSEC policy pushed to them via GPO. The clients are windows 7 laptops and the ISA server is server 2003, so the IPSEC connection is IKE not AuthIP.
However, it seems that the connection will work for a while, then all of a sudden stop working with zero trace of why. I cant get the Oakley log to work and I cant see any traffic on the ISA.
I am wondering if I need to publish the CRL's externally? Currently we don't, and the Outlook Anywhere uses private certificates (as the whole point of IPSEC is to validate the internal certificate, there is no point in using public certificates).
I have tried using the StrongCRLCheck=0 registry key in the IPsec Policy Agent on the windows 7 machine but it doesn't seem to make a difference.
Any advice would be appreciated.
Steven
Hi guys, I've setup a new proxy array and most things seem to work fine. I have enabled integrated authentication and set a web access rule to allow HTTP, HTTPS and FTP out to the internet for all "Domain Users". Users can access the internet and I can see the user names under "monitoring" / sessions.
The problem I'm facing is, when users try to access a citrix page, they can log in to the front portal but when they try to launch an application they are prompted for credentials "Proxy authentication required". The message shows the IP address of the array and mentions "NTLM".
To get things working I've added the "All users" to the web access policy which has fixed the problem, of course this is not ideal as security is a little loose now and all sessions under monitoring shows "anonymous" against every connection.
What could be causing the prompt for credentials?
Any advice or suggestions would be much appreciated.
Hi,
I have TMG farm which publishes SharePoint web sites, in my configuration,
- 2 TMG servers with 2 NICs: internal (virtual IP 192.168.xx.xx) and external (e.g. 10.12.xx.xx)
- 2 SharePoint web servers are in the 10.12.xx network.
- The HTTPS request is from external network to access SharePoint sites via TMG.
- TMG publish SharePoint sites, web farm consists of 2 servers Web1 and Web2. Server host name e.g. Web1 instead of FQDN name is used in TMG web farm configuration.
- In the farm configuration, Internal site name, public name and host header are all the same. Public name in DNS points to TMG virtual IP 192.168.xx.xx
- Run Test Rule returns Success status.
Problem: When connection verifier is configured as HTTP/HTTPS (https://*/) with host header, system returns error "70 the remote server has been paused or is in the process of being started", however it works once changed to TCP connection.
Any idea what's wrong with the configuration and how to troubleshoot.
Thanks in advance.
Hi
I have internal share point server running portal xyz.com but external wan to access abc.com so please let me how I can configured on tmg so external user if type abc.com it will resolve to my internal server xyz.com
Don't forget to mark helpful or answer
connect me :-
http://in.linkedin.com/in/satya11
http://facebook.com/satya.1000
dears
I need to open port 1521 for oracle listener on my TMG 2010 , and have no idea about this .
can anyone help me please?..
thanks in advance
We have two TMG 2010 servers in our office. The primary one has a 50/50 fiber that is being used for internet and VPN access into our network and the secondary one has a 10/5 fiber dedicated to a site to site VPN with one of our clients. Both have been working fine for the past two years.
We are trying to establish another site to site VPN on the primary server but each time I setup the connection (through the wizard) we lose our internet access. If I disable the site to site VPN under the Networks tab and disable the network rule then reboot TMG internet works fine. As soon as I reenable those two internet again drops.
Routing looks correct, VPN settings correct, I don't see what would cause it. We have 5 external IP addresses, internet access is on one IP, incoming VPN on another, OWA on a third, the fourth is open, and the site to site VPN was setup on five. Our internal IP range is 10.0.0.0/16, the VPN being setup is 10.20.30.0/24.
What would cause this and how do I even go about troubleshooting? I've tried watching the logs and it just fills up with connection timed outs when it happens and nothing that points to anything.
-Allan
How on earth do I disable NAT when the traffic is all internal? I have checked so many settings and I cant seem to figure this one out. If anyone knows, can you please share.
Thanks,
EDIT: Let me add a little more detail.
My internal network is all set. Network Rules show that it is a "Route" relationship not NAT. When I try to ping, or simply connect to another server that is on a different LAN segment (Multihomed 4 NIC's), I get the IP address of the ISA server instead of the actual host sending the request!
We have had a standalone TMG array running for ~2 years now and recently had an issue come up we haven't seen before. Some users started complaining that all of our sites were unreachable. It would not even load the Forms Based Auth pages from the TMG server. It would just spin, then time out. After investigation, it appeared 1 of the array members was not responding to requests, but was still in the NLB pool and trying to process requests.
The only symptoms I saw on the problematic array member were:
1- The servers was using 100% of the ram. They have 8GB allocated, and have never gone over 6GB.
2- There were 'Intrusion Detection' warnings about an all port scan attack from the TMG server to itself. So array member 1 was warning about a scan attack from a it's own public IP.
The issue was fixed with a reboot, but now I need to figure out the cause of this issue, and figure out a way to detect when it happens again.
We recently deployed servers at a new datacenter for development. Our exchange 2013 server is located at the previous datacenter. Both datacenters have standalone TMG arrays setup for external connections, and for web proxies. There is an IPsec VPN setup between the 2 arrays with a static route.
The problem is servers at the new datacenter are unable to connect with Outlook 2013. The initial setup works with no issues, and repairing the account works as well. But when the users try and start outlook they get an error that it's unable to connect to the server. I can see the requests being allowed in the logging on both TMG arrays both ways, and nothing is being blocked. The IPsec VPN is setup as a route, so NAT is not the issue here. Exchange can be pinged, and OWA works with no issues. Only outlook is unable to connect.
Hi,
I have a question on below syntax.
if(dnsDomainIs(host, ".intranet.com") || shExpMatch(host,"(*.intranet.com|intranet.com)")) return"DIRECT";
Is there a difference between the dnsdomainis and shexpmatch or they serve the same purpose?
Thank you.