Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

TMG recurring reports are empty after moving firewall and web proxy logging to a centralized SQL server


cache file

Is there a software tool (name?) to see or check what is inside the cache file in TMG?

TMG 2010 blank page after logging in with RSA


Hi,

Client PC: Windows 7 enterprise 64 bits

TMG 2010 server: Windows 2008 R2

Sage Server: Windows 2008 R2

When users log in to TMG using RSA they get "Authentication Success", but it won't redirect.

When you re-enter the website name again it just shows a blank page.

It was working last week; we haven't changed anything on our firewall or the TMG server.

I have checked:

1. Firewall (all the traffic is going through)

2. Checked our DNS

3. Checked TMG 2010 settings, all OK.

The thing is that other sites are working fine but not this one. There is no difference between these sites.

ISP redundancy and reverse proxy


Greetings, community!

We have two EDGE TMG servers and two INTERNAL TMG servers.

We have two providers with two dedicated external IP addresses each.

I configured ISP Redundancy on each EDGE TMG server with these parameters:

Each EDGE TMG server has two External NIC and one Internal NIC. 

EDGE 1: Provider1_IP1 and Provider2_IP1

EDGE 2: Provider1_IP2 and Provider2_IP2

ISP Connections:

Provider1 and Provider2

So, the trouble:

We have some published Web-Services, like OWA, ActiveSync, TerminalGatewayServers and others.

Also we made 4 external DNS records for each Web-Service.

For example:

mail.domain.com Provider1_IP1

mail.domain.com Provider1_IP2

mail.domain.com Provider2_IP1

mail.domain.com Provider2_IP2

If we try to connect from outside to any published web service, we get a big delay (~30 sec), and then it connects.

After some tests we found that ONLY ONE EDGE TMG server is used for reverse proxy. The IP addresses of EDGE 1 are unavailable from external access, but it still works as a web proxy for internal connections. Reverse proxy works only for the EDGE 2 IP addresses.

If we shut down the EDGE 2 TMG server, then reverse proxy for the EDGE 1 IP addresses works correctly.

Why do all 4 of my external IP addresses not work for reverse proxy, only the 2 from one of my EDGE servers?

Remove internal network. TMG 2010 SP2


Hello,

I used to have a TMG with three networks: Internal, Perimeter, External.

Now, due to a change in the design, I would like to remove the internal network, but I cannot.

I thought it would be harmless if I just removed the NIC (VMware) and removed the IP range of that internal network, but I am having some issues and I think it is best practice to remove such a network properly (the physical network is removed; well, it is a VMware network card).

I can't figure this out.

Thanks in advance!


Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)


TMG doesn't need to make any change

Hi

I have a problem in my TMG: it doesn't save anything that I do.

In the Monitoring tab, Configuration, it shows: Updating 29/11/1999 5:00 PM

Please help

Publishing Exchange EDGE via TMG

Greetings, community!

We have this infrastructure:



Each EDGE have: 

As a gateway Front-End DMZ NLB VIP (172.16.0.20). 

Manual static route to the Internal through the Internal Back-End DMZ NLB VIP (172.16.0.100). 

Each DMZ TMG servers have forwarding SMTP traffic rules: 

If the SMTP came to Provider1_IP1 or Provider2_IP1, then redirect all to EDGE-01, preserving the source IP 

If the SMTP came to Provider1_IP2 or Provider2_IP2, then redirect all to EDGE-02, preserving the source IP 

Also each DMZ TMG have 2 network rules: 

If the request is from the EDGE-01 goes to the External, then NAT traffic through Provider1_IP1 or Provider2_IP1 

If the request is from the EDGE-02 goes to the External, then NAT traffic through Provider1_IP2 or Provider2_IP2 

ISP is enabled on the DMZ TMG for these two providers. 

Actually, the problem: 

Connectivity on port 25 from outside only goes to one of the EDGE servers. In this case, the logs on the DMZ TMG show that the incoming request "fell off", timing out after 21 seconds: 

Failed Connection Attempt DMZ-02 03.09.2014 14:11:46 
Log type: Firewall service 
Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Rule: Publish SMTP to EDGE-02 
Source: External (184.72.226.23:53214) 
Destination: Internal (172.16.0.22:25) 
Protocol: SMTP Server 
Additional information 
Number of bytes sent: 0 Number of bytes received: 0 
Processing time: 21094ms Original Client IP: 184.72.226.23 

But connections to the second server, to either of its two external IPs, connect correctly. 

If, in the SMTP publishing rules, I choose to replace the source IP address with the IP address of the DMZ TMG servers instead of preserving it, then all SMTP requests properly reach all 4 of my EDGE IPs. 

However, that is a bad solution for me because of anti-spam, which needs the source IP to test it (SPF, MX, PTR, greylisting, etc.) 

Question: What could be the problem? 


I thought that it was a problem with routing... For example, EDGE does not know through which server the request came and sends the response to the VIP of the DMZ servers, and then NLB is triggered, which throws these packets to the other DMZ server. Fixed with a network rule that makes the DMZ TMG NAT requests from the EDGEs correctly. 

And Wireshark shows that the incoming packet arrived correctly, without errors, but the answer packet has an error: 

Header checksum: 0x0000 [incorrect, should be 0x4f09 (may be caused by "IP checksum offload"?)] 

[GOOD: False] 

[BAD: True] 

Expert Info (Error / Checksum): Bad checksum 

Message: Bad checksum 

Severity level: Error 

Group: Checksum 

Source: 172.16.0.22 (172.16.0.22) 

Destination: 184.72.226.23 (184.72.226.23)
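An added example, not part of the post above or of any TMG component: the Wireshark line "Header checksum: 0x0000 [incorrect ... may be caused by IP checksum offload]" can be checked by hand. The IPv4 header checksum (RFC 791) is the ones'-complement of the ones'-complement sum of the header's 16-bit words, with the checksum field itself counted as zero. When a capture is taken on the sending host and the NIC does IP checksum offload, outbound packets reach the capture driver before the NIC fills the field in, so the capture shows 0x0000 while the packet on the wire is correct; a capture on the receiving side, or on a span port, is the way to confirm that. The header bytes below are constructed for this example (172.16.0.22 to 184.72.226.23, TTL 128, TCP, no options); the value 0x4f09 quoted in the post belongs to the poster's own packet and cannot be reproduced here.

```javascript
// Added example: compute and verify the IPv4 header checksum (RFC 791) and
// classify the Wireshark "bad checksum" warning. Not from the original post.

function hexToBytes(hex) {
  const clean = hex.replace(/\s+/g, '');
  const out = new Uint8Array(clean.length / 2);
  for (let i = 0; i < out.length; i++) {
    out[i] = parseInt(clean.slice(i * 2, i * 2 + 2), 16);
  }
  return out;
}

// Ones'-complement sum of big-endian 16-bit words, carries folded back in.
function onesComplementSum(bytes) {
  let sum = 0;
  for (let i = 0; i + 1 < bytes.length; i += 2) {
    sum += (bytes[i] << 8) | bytes[i + 1];
  }
  if (bytes.length % 2 === 1) sum += bytes[bytes.length - 1] << 8;
  while (sum > 0xffff) sum = (sum & 0xffff) + (sum >>> 16);
  return sum;
}

// IHL (low nibble of byte 0) is the header length in 32-bit words.
function ipv4HeaderLength(bytes) {
  return (bytes[0] & 0x0f) * 4;
}

// Recompute the checksum with the checksum field (bytes 10-11) treated as zero.
function computeIpv4Checksum(bytes) {
  const hdr = bytes.slice(0, ipv4HeaderLength(bytes)); // copy, original untouched
  hdr[10] = 0;
  hdr[11] = 0;
  return (~onesComplementSum(hdr)) & 0xffff;
}

// Receiver-side check: summing the header including the stored checksum
// must give 0xffff.
function verifyIpv4Checksum(bytes) {
  const hdr = bytes.slice(0, ipv4HeaderLength(bytes));
  return onesComplementSum(hdr) === 0xffff;
}

// 'offload': field is literally zero but recomputes to a non-zero value, the
// signature of a sender-side capture with checksum offload. 'corrupt': a
// non-zero value that does not match, i.e. a genuinely damaged header.
function diagnose(bytes) {
  const stored = (bytes[10] << 8) | bytes[11];
  const expected = computeIpv4Checksum(bytes);
  if (stored === expected) return 'ok';
  if (stored === 0) return 'offload';
  return 'corrupt';
}

// Constructed headers for this example (assumption: no IP options).
// As captured on the sending host with offload enabled: checksum field 0x0000.
const asCaptured = hexToBytes('4500 0028 0000 4000 8006 0000 ac10 0016 b848 e217');
// The same header as it would appear on the wire, checksum filled in by the NIC.
const onWire = hexToBytes('4500 0028 0000 4000 8006 b449 ac10 0016 b848 e217');

console.log('recomputed:', computeIpv4Checksum(asCaptured).toString(16)); // b449
console.log('captured  :', diagnose(asCaptured));                          // offload
console.log('on wire   :', diagnose(onWire));                              // ok
```

If the receiving host's capture also shows a wrong (non-zero) checksum, or the sender's capture shows a non-zero value that does not recompute, that is real corruption and worth chasing; a bare 0x0000 on the sender is not. Wireshark's "Validate the IPv4 checksum if possible" preference can be switched off to silence the warning on sender-side captures.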

WP8 device in TMG log


Could my Lumia 920 showing up in the TMG logs like this

instead of like this

cause an issue with Exchange ActiveSync?

I only ask here because our EAS policy is correct and working fine, I just get prompted occasionally that my domain password is incorrect. Entering the password allows it to sync but backing out of the prompt and manually pressing the sync button allows it to sync as well.

Server is 2008 R2 SP1, Exchange 2010 with update rollup 7. TMG version 7.09193.540.


59 An unexpected network error occurred


Hi everyone,

This is a strange one.

We are using a TMG for a VPN (amongst other things such as web publishing etc) 

We are using some software called 2X to connect to something on a part of our network. Internally this works OK, but users on our VPN can't connect to it, though they can connect to everything else. 2X is a program that connects on port 80. From the VPN we can ping the host that the 2X software connects to; we can even RDP to the servers the 2X software is pointing to (once we set up a standard 3389 rule for this), but it won't work as it should via port 80. It's something to do with this port 80 connection.

In the TMG logs we get: 59 An unexpected network error occurred.

I have tried block and allow rules, in various orders, but can't get it to work.

Any ideas ?

Thanks

TMG 2010 - Some external locations/IPs cannot reach sites published by TMG but others can - A connection was abortively closed after one of the peers sent an RST packet


Hi there,

This issue has been driving me crazy for the last month, and I thought I had it solved but definitely don't.

I have TMG configured for the sole purpose of being a reverse proxy for SharePoint, SAP BusinessObjects, and some other services to follow.

Everything works great... usually....

I put this in place for a client, I had it all configured, and I could reach both sites without any issue from home as well as my office. However, the client I put it in place for was unable to reach it from home, from his office, or from his cell, or anywhere really. The site would time out for him. On the TMG server I would receive an error stating: A connection was abortively closed after one of the peers sent an RST packet.

I searched all over the internet for this, and found a million posts about this error, and none of them helped me. I decided to reconfigure everything on TMG. I reconfigured everything from scratch, and it worked for me from home, on my cell, and worked for my client from his cell and from home, so we thought we were good. However, I am now trying to access it from my office, and it times out, and I receive: A connection was abortively closed after one of the peers sent an RST packet on the TMG server.

I tried from both of our external connections here at the office and I can't get to it, and the TMG server gives this error. I can still reach it from my phone and from home.

This is all done on the same laptops, so clients are not the issue. I've done packet sniffing, and the traffic makes it to the TMG and then nothing. Just a TCP Reset. The only difference at all is where the traffic is coming from...

I need to make sure that no matter where you connect from, if you have internet access, you can reach these sites... I have no idea why TMG is dropping the packet or why the reset happens from certain IPs.

Does anyone have any possible information that might help me?


Thanks

ISA 2006 publish Exchange 2010 Outlook Anywhere with KCD/NTLM and IPSEC - Problem


Hi

I have setup ISA 2006 to publish Exchange 2010 Outlook Anywhere with Kerberos Constrained Delegation and IPSEC.

The clients have an IPSEC policy pushed to them via GPO.  The clients are windows 7 laptops and the ISA server is server 2003, so the IPSEC connection is IKE not AuthIP.

However, it seems that the connection will work for a while, then all of a sudden stop working with zero trace of why. I can't get the Oakley log to work and I can't see any traffic on the ISA.

I am wondering if I need to publish the CRLs externally? Currently we don't, and Outlook Anywhere uses private certificates (as the whole point of IPsec is to validate the internal certificate, there is no point in using public certificates).

I have tried using the StrongCRLCheck=0 registry key in the IPsec Policy Agent on the windows 7 machine but it doesn't seem to make a difference.

Any advice would be appreciated.

Steven

TMG - Getting proxy authentication required when trying to access Citrix


Hi guys, I've set up a new proxy array and most things seem to work fine. I have enabled integrated authentication and set a web access rule to allow HTTP, HTTPS and FTP out to the internet for all "Domain Users". Users can access the internet and I can see the user names under "Monitoring" / Sessions.

The problem I'm facing is, when users try to access a Citrix page, they can log in to the front portal, but when they try to launch an application they are prompted for credentials: "Proxy authentication required". The message shows the IP address of the array and mentions "NTLM".

To get things working I've added "All users" to the web access policy, which has fixed the problem; of course this is not ideal, as security is a little loose now and all sessions under Monitoring show "anonymous" against every connection.

What could be causing the prompt for credentials?

Any advice or suggestions would be much appreciated.

Use HTTP as connection verifier returns Failed Connection Error 70


Hi,

I have a TMG farm which publishes SharePoint web sites. In my configuration:

- 2 TMG servers with 2 NICs: internal (virtual IP 192.168.xx.xx) and external (e.g. 10.12.xx.xx) 

- 2 SharePoint web servers are in the 10.12.xx network.

- The HTTPS request is from external network to access SharePoint sites via TMG.

- TMG publishes the SharePoint sites; the web farm consists of 2 servers, Web1 and Web2. The server host name, e.g. Web1 instead of the FQDN, is used in the TMG web farm configuration.

- In the farm configuration, Internal site name, public name and host header are all the same. Public name in DNS points to TMG virtual IP 192.168.xx.xx

- Run Test Rule returns Success status.

Problem: When the connection verifier is configured as HTTP/HTTPS (https://*/) with host header, the system returns error "70 The remote server has been paused or is in the process of being started"; however it works once changed to a TCP connection.  

Any idea what's wrong with the configuration and how to troubleshoot it?

Thanks in advance.


tmg 2010


Hi

I have an internal SharePoint server running the portal xyz.com, but external users want to access abc.com, so please let me know how I can configure TMG so that if an external user types abc.com it will resolve to my internal server xyz.com.


Don't forget to mark helpful or answer

connect me :-

http://in.linkedin.com/in/satya11

http://facebook.com/satya.1000

Open port on TMG 2010


Dears,

I need to open port 1521 for the Oracle listener on my TMG 2010, and have no idea how to do this.

Can anyone help me please?

Thanks in advance 


Creating new Site to Site VPN kills internet access


We have two TMG 2010 servers in our office.  The primary one has a 50/50 fiber that is being used for internet and VPN access into our network and the secondary one has a 10/5 fiber dedicated to a site to site VPN with one of our clients.  Both have been working fine for the past two years.

We are trying to establish another site to site VPN on the primary server, but each time I set up the connection (through the wizard) we lose our internet access.  If I disable the site to site VPN under the Networks tab and disable the network rule, then reboot TMG, internet works fine.  As soon as I re-enable those two, internet drops again. 

Routing looks correct, VPN settings correct, I don't see what would cause it.  We have 5 external IP addresses, internet access is on one IP, incoming VPN on another, OWA on a third, the fourth is open, and the site to site VPN was setup on five.  Our internal IP range is 10.0.0.0/16, the VPN being setup is 10.20.30.0/24. 

What would cause this and how do I even go about troubleshooting?  I've tried watching the logs and they just fill up with connection timed out entries when it happens, and nothing that points to anything.

-Allan

ISA 2006 - Disable NAT on internal IP's


How on earth do I disable NAT when the traffic is all internal? I have checked so many settings and I can't seem to figure this one out. If anyone knows, can you please share.

Thanks,

EDIT: Let me add a little more detail.

My internal network is all set. Network Rules show that it is a "Route" relationship, not NAT. When I try to ping, or simply connect to another server that is on a different LAN segment (multihomed, 4 NICs), I get the IP address of the ISA server instead of the actual host sending the request!

Array Member stopped responding, but was not dropped from NLB


We have had a standalone TMG array running for ~2 years now and recently had an issue come up we haven't seen before. Some users started complaining that all of our sites were unreachable. It would not even load the Forms Based Auth pages from the TMG server. It would just spin, then time out. After investigation, it appeared 1 of the array members was not responding to requests, but was still in the NLB pool and trying to process requests.

The only symptoms I saw on the problematic array member were:

1- The server was using 100% of the RAM. They have 8GB allocated, and have never gone over 6GB.

2- There were 'Intrusion Detection' warnings about an all-port scan attack from the TMG server to itself. So array member 1 was warning about a scan attack from its own public IP.

The issue was fixed with a reboot, but now I need to figure out the cause of this issue, and figure out a way to detect when it happens again.

Outlook 2013 unable to connect to exchange 2013 over IPSec VPN between TMG arrays


We recently deployed servers at a new datacenter for development. Our exchange 2013 server is located at the previous datacenter. Both datacenters have standalone TMG arrays setup for external connections, and for web proxies. There is an IPsec VPN setup between the 2 arrays with a static route.

The problem is that servers at the new datacenter are unable to connect with Outlook 2013. The initial setup works with no issues, and repairing the account works as well. But when the users try to start Outlook they get an error that it's unable to connect to the server. I can see the requests being allowed in the logging on both TMG arrays both ways, and nothing is being blocked. The IPsec VPN is set up as a route, so NAT is not the issue here. Exchange can be pinged, and OWA works with no issues. Only Outlook is unable to connect.

PAC file


Hi,

I have a question on below syntax.

    if (dnsDomainIs(host, ".intranet.com") ||
        shExpMatch(host, "(*.intranet.com|intranet.com)")) {
        return "DIRECT";
    }

Is there a difference between dnsDomainIs and shExpMatch, or do they serve the same purpose?

Thank you.
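An added example, not part of the post above: the two helpers are not equivalent. dnsDomainIs is a plain suffix test (the Mozilla reference PAC library implements it as "host ends with domain"), so with ".intranet.com" it deliberately misses the bare apex "intranet.com", which is why the poster's second clause exists; and with a domain argument that lacks the leading dot it would also match "evilintranet.com". shExpMatch is a shell-style wildcard match where only * and ? are special; Mozilla's implementation rewrites the pattern into a regular expression and passes "(", "|" and ")" through unchanged, which is the only reason the "(*.intranet.com|intranet.com)" alternation works there. A PAC engine that implements a literal glob treats those characters as ordinary text and the clause never matches. The hostnames below are constructed for the example; the proxy string is a placeholder.

```javascript
// Added example: reference semantics of the two PAC helpers, run over
// constructed hostnames. Not from the original post.

// Mozilla-style dnsDomainIs: true when host ends with domain. No special
// treatment of the dot, so the caller decides whether to include it.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Mozilla-style shExpMatch: glob rewritten into a regex; characters other
// than . * ? are left untouched, so ( | ) become regex alternation.
function shExpMatchMozilla(str, shexp) {
  const pattern = shexp.replace(/\./g, '\\.')
                       .replace(/\*/g, '.*')
                       .replace(/\?/g, '.');
  return new RegExp('^' + pattern + '$').test(str);
}

// Strict shell-glob shExpMatch: only * and ? are wildcards; everything else,
// including ( | ), must match literally.
function shExpMatchGlob(str, shexp) {
  const pattern = shexp.split('').map(ch => {
    if (ch === '*') return '.*';
    if (ch === '?') return '.';
    return ch.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  }).join('');
  return new RegExp('^' + pattern + '$').test(str);
}

// Constructed hostnames. The last two are the ones that matter for security:
// a DIRECT decision bypasses the proxy, so a lookalike must not trigger it.
const HOSTS = [
  'intranet.com',
  'portal.intranet.com',
  'evilintranet.com',
  'intranet.com.attacker.example',
];

const PATTERN = '(*.intranet.com|intranet.com)';

function evaluate(host) {
  return {
    host,
    dnsDomainIsDot:  dnsDomainIs(host, '.intranet.com'), // poster's form
    dnsDomainIsBare: dnsDomainIs(host, 'intranet.com'),  // dot omitted
    shExpMozilla:    shExpMatchMozilla(host, PATTERN),
    shExpGlob:       shExpMatchGlob(host, PATTERN),
  };
}

// The poster's rule as it behaves under the Mozilla-style engine.
function findProxy(host) {
  if (dnsDomainIs(host, '.intranet.com') || shExpMatchMozilla(host, PATTERN)) {
    return 'DIRECT';
  }
  return 'PROXY tmg.example:8080'; // placeholder proxy string (assumption)
}

for (const h of HOSTS) {
  console.log(JSON.stringify(evaluate(h)), '->', findProxy(h));
}
```

Whether the alternation syntax is honoured is engine-dependent, so it should be tested in every browser and client the PAC file is served to. The portable way to express the poster's intent is two plain conditions, for example `dnsDomainIs(host, ".intranet.com") || host == "intranet.com"`, keeping the leading dot on the suffix so that "evilintranet.com" is not sent DIRECT.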
