Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

TMG and AD Users


Hi, I need to authenticate AD users in Organizational Units. TMG can do this by user groups. But I have many, many (20000-30000) users in my AD environment separated by OUs. How can I authenticate them for web access in TMG? I should not create user groups. Too many users.

Also, I need a download quota per user/day. Is it possible in TMG?

Or which Microsoft software can do this (can I use Windows 2012 R2 Web App Proxy to act as a web access proxy)?


Publishing Exchange EDGE via TMG

Greetings, community!

We have that infrastructure: 



Each EDGE have: 

As a gateway Front-End DMZ NLB VIP (172.16.0.20). 

Manual static route to the Internal through the Internal Back-End DMZ NLB VIP (172.16.0.100). 

Each DMZ TMG servers have forwarding SMTP traffic rules: 

If the SMTP came to Provider1_IP1 or Provider2_IP1, then redirect all on EDGE-01, saving the source IP 

If the SMTP came to Provider1_IP2 or Provider2_IP2, then redirect all on EDGE-02, saving the source IP 

Also each DMZ TMG have 2 network rules: 

If the request is from the EDGE-01 goes to the External, then NAT traffic through Provider1_IP1 or Provider2_IP1 

If the request is from the EDGE-02 goes to the External, then NAT traffic through Provider1_IP2 or Provider2_IP2 

ISP is enabled on the DMZ TMG for these two providers. 

Actually, the problem: 

Connections from outside on port 25 only reach one of the EDGE servers. In this case, the logs on the DMZ TMG show that the incoming request "fell off" and timed out after 21 seconds:

Failed Connection Attempt DMZ-02 03.09.2014 14:11:46 
Log type: Firewall service 
Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Rule: Publish SMTP to EDGE-02 
Source: External (184.72.226.23:53214) 
Destination: Internal (172.16.0.22:25) 
Protocol: SMTP Server 
Additional information 
Number of bytes sent: 0 Number of bytes received: 0 
Processing time: 21094ms Original Client IP: 184.72.226.23 

But connections to the second server, to either of its two external IPs, are connected correctly.

If, in the SMTP publishing rules, instead of saving the source IP address I choose to replace it with the IP address of the DMZ TMG servers, then all SMTP requests properly reach all 4 of my EDGE IPs.

However, it's a bad solution for me because of Anti-Spam, which needs the source IP to test it (SPF, MX, PTR, Greylisting, etc.)

Question: What could be the problem? 


I thought that it was a problem with routing... For example, EDGE does not know through which server the request came to it and sends the response to the VIP of the DMZ servers, and then NLB is triggered, which throws these packets onto the other DMZ server. Fixed with a network rule that makes DMZ TMG NAT requests from EDGEs correctly.

And Wireshark shows that the incoming packet arrived correctly, without errors, but the answer packet has an error:

Header checksum: 0x0000 [incorrect, should be 0x4f09 (may be caused by "IP checksum offload"?)] 

[GOOD: False] 

[BAD: True] 

Expert Info (Error / Checksum): Bad checksum 

Message: Bad checksum 

Severity level: Error 

Group: Checksum 

Source: 172.16.0.22 (172.16.0.22) 

Destination: 184.72.226.23 (184.72.226.23)

Unable to View report Clearly it is totally Mess up


Dear ,

I am using Threat Management Gateway 2010. I am using reporting also, but it is clear report because I am viewing by IE.

Please find the image with this discussion. I will get from you positive answer.


Azad Ali M.Hussian Windows Administrator

SHA-2 Support for TMG 2010

Will an update be released to support SHA-2 on TMG 2010, or will the end of life of the product be much sooner than the previous 2020 date that was announced?

TMG Web proxy client


Hello All,

I am trying to bypass the TMG web proxy traffic for a website that is running on a custom HTTPS port. It works fine with all clients except if they are configured as firewall clients. I have added the required entry in the domain tab and web browser tab in the internal network properties, but for some reason it's not working fine with clients where I have installed firewall clients.

Does anybody have any ideas what can be causing this kind of issue?

-Ashish

Outlook 2013 unable to connect to exchange 2013 over IPSec VPN between TMG arrays


We recently deployed servers at a new datacenter for development. Our Exchange 2013 server is located at the previous datacenter. Both datacenters have standalone TMG arrays set up for external connections, and for web proxies. There is an IPsec VPN set up between the 2 arrays with a static route.

The problem is servers at the new datacenter are unable to connect with Outlook 2013. The initial setup works with no issues, and repairing the account works as well. But when the users try to start Outlook they get an error that it's unable to connect to the server. I can see the requests being allowed in the logging on both TMG arrays both ways, and nothing is being blocked. The IPsec VPN is set up as a route, so NAT is not the issue here. Exchange can be pinged, and OWA works with no issues. Only Outlook is unable to connect.

Can't access bank site


Hello,

I have TMG and ISA 2006, both isolated in different locations. My problem is we have one user in the Financial Department who is able to access all websites except one bank link. Here is the log from the TMG server.

The link which I am trying to open:

https://ebank.shbonline.com/corp/BANKAWAY?Action.CorpUser.Init.001=Y&CorporateSignonBankId=SHB&AppType=corporate

Failed Connection Attempt TMG-FW 9/23/2014 11:52:46 AM
Log type: Web Proxy (Forward)
Status: 10061 No connection could be made because the target machine actively refused it.
Rule: Full
Source: Internal (192.168.101.20:60047)
Destination: External (74.117.222.24:443)
Request: ebank.shbonline.com:443
Filter information: Req ID: 0d8c3bfd; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel
User: anonymous
Additional information


feroz syed ;)


Error installing TMG 2010: failed to install SQL Express 2008 (reporting instance)


Hi,

I'm trying to install Forefront TMG on a Windows 2008 R2 server but setup always fails when trying to install the SQL Express 2008 Reporting Instance. The install log is shown below. Any help would be appreciated as I can't find any answers on the internet other than to wipe the server.

The target server is a member server and fully patched.

 

13:18:58 INFO: Installer activated, command-line=''
13:18:58 INFO: Expanded full extraction path of SQL Express 2008 SP1 Package is 'C:\Windows\temp\{86A574B1-0376-449C-B202-B2E06EFAC5E6}'.
13:18:58 INFO: Install scenario
13:18:58 INFO: CMsiAttendantInstaller::Prepare: Upgrade code is not set
13:18:58 INFO: CMsiAttendantInstaller::Prepare: There is no any product code for upgrade code
13:18:58 INFO: CMsiAttendantInstaller::Prepare: Upgrade code is not set
13:18:58 INFO: CMsiAttendantInstaller::Prepare: There is no any product code for upgrade code
13:18:58 ERROR: CSSEInstaller::GetInstanceId failed to read from reg 'MSFW'
13:18:58 INFO: CSSEInstaller::Prepare: Failed to get the instace id of MSFW
13:18:58 ERROR: CSSEInstaller::GetInstanceId failed to read from reg 'ISARS'
13:18:58 INFO: CSSEInstaller::Prepare: Failed to get the instace id of ISARS
13:18:58 INFO: CMsiAttendantInstaller::Prepare: Upgrade code is not set
13:18:58 INFO: CMsiAttendantInstaller::Prepare: There is no any product code for upgrade code
13:18:58 INFO: Installing ISA (Core components)...
13:18:58 INFO: CFirewallInstaller: Activating installation, command line args = '-I "E:\ISO\SW_DVD5_Forefront_TMG_Standard_2010_64Bit_English_MLF_X16-23051\FPC\MS_FPC_Server.msi "WRAPPER=1 ARPSYSTEMCOMPONENT=1 MEDIAPACKAGEPATH=\FPC\ REBOOT=ReallySuppress'
13:23:55 INFO: Process completed successfully
13:23:55 INFO: Calling CreateAddRemoveEntry
13:23:55 INFO: Creating an entry in ARP
13:23:56 INFO: Add/Remove entry was created
13:23:56 INFO: Installing Additional components...
13:23:56 INFO: Activating Extration of SQL Express 2008 SP1 Package, command line args = '-s -f "C:\Windows\temp\{86A574B1-0376-449C-B202-B2E06EFAC5E6}" -e'
13:23:56 INFO: SQL Express 2008 SP1 Package path is .\Program Files\Microsoft ISA Server\SQLE\SQLExpress2008SP1.exe
13:24:53 INFO: Process completed successfully
13:24:53 INFO: SQL Express 2008 SP1 Package was sucessfully extracted to 'C:\Windows\temp\{86A574B1-0376-449C-B202-B2E06EFAC5E6}'
13:24:53 INFO: Activating SQL Express installation, command line args = '/QUIET /ACTION=Install /FEATURES=SQLEngine /INSTANCENAME=MSFW /SQLSYSADMINACCOUNTS="BUILTIN\Administrators" /BROWSERSVCSTARTUPTYPE=4 /SAPWD=************** /SQLSVCACCOUNT="NT AUTHORITY\SYSTEM" /NPENABLED=0 /TCPENABLED=0 /SKIPRULES=RebootRequiredCheck /HIDECONSOLE /PCUSource="C:\Windows\temp\{86A574B1-0376-449C-B202-B2E06EFAC5E6}\PCU"'
13:24:53 INFO: SQL Express 2008 installation path is C:\Windows\temp\{86A574B1-0376-449C-B202-B2E06EFAC5E6}\setup.exe
13:28:51 INFO: Process completed successfully
13:28:51 INFO: SQL Express 2008 successfully installed
13:28:51 INFO: Starting SQL Express service
13:29:02 INFO: Changing network service permissions to allow access to SQL Express
13:29:03 INFO: Changing SQL Express tempdb size
13:29:03 INFO: Failed to change Tempdb MAXSIZE, error = ,, 0x80040e09. Ignoring...
13:29:03 INFO: Moving SQL Express tempdb to stingray logging directory
13:29:08 INFO: AdjustSSEConfiguration completed successfully.
13:29:08 INFO: Activating SQL Express installation, command line args = '/QUIET /ACTION=Install /FEATURES=SQLEngine,RS /INSTANCENAME=ISARS /SQLSYSADMINACCOUNTS="BUILTIN\Administrators" /BROWSERSVCSTARTUPTYPE=4 /SAPWD=************** /SECURITYMODE=SQL /SQLSVCACCOUNT="NT AUTHORITY\SYSTEM" /RSINSTALLMODE=DefaultNativeMode /RSSVCACCOUNT="NT AUTHORITY\SYSTEM" /RSSVCStartupType=Automatic /NPENABLED=0 /TCPENABLED=1 /SKIPRULES=RebootRequiredCheck /HIDECONSOLE /PCUSource="C:\Windows\temp\{86A574B1-0376-449C-B202-B2E06EFAC5E6}\PCU"'
13:29:08 INFO: SQL Express 2008 installation path is C:\Windows\temp\{86A574B1-0376-449C-B202-B2E06EFAC5E6}\setup.exe
13:30:00 ERROR: Setup failed. Error returned: 0x84be03f4
13:30:00 ERROR: Installation of SQL Express 2008 failed. hr = 0x84be03f4
13:30:00 ERROR: Installation failed. hr = 0x84be03f4
13:30:00 ERROR: Installation failed, hr=0x84be03f4
13:30:40 ERROR: InstallProducts:Install Additional components failed, hr=0x84be03f4
13:30:40 INFO: Rollback: Performing rollback after installation failure.
13:30:40 INFO: CMsiAttendantInstaller::Prepare: Upgrade code is not set
13:30:40 INFO: CMsiAttendantInstaller::Prepare: There is no any product code for upgrade code
13:30:40 INFO: CMsiAttendantInstaller::Prepare: Upgrade code is not set
13:30:40 INFO: CMsiAttendantInstaller::Prepare: There is no any product code for upgrade code
13:30:40 INFO: The instance Id of instace MSFW is MSSQL10.MSFW
13:30:40 INFO: GetUninstallCode: Prepare: product code is {9FFAE13C-6160-4DD0-A67A-DAC5994F81BD}
13:30:40 ERROR: CSSEInstaller::GetInstanceId failed to read from reg 'ISARS'
13:30:40 INFO: CSSEInstaller::Prepare: Failed to get the instace id of ISARS
13:30:40 INFO: CMsiAttendantInstaller::Prepare: Upgrade code is not set
13:30:40 INFO: CMsiAttendantInstaller::Prepare: There is no any product code for upgrade code
13:30:40 INFO: The instance Id of instace MSFW is MSSQL10.MSFW
13:30:40 INFO: Activating SQL Express uninstallation, command line args = '/QUIET /ACTION=Uninstall /FEATURES=SQLEngine /INSTANCENAME=MSFW /SKIPRULES=RebootRequiredCheck /HIDECONSOLE'
13:30:40 INFO: Uninstall command line is C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Release\Setup.exe
13:32:27 INFO: Process completed successfully
13:32:27 INFO: Uninstall of SQL Express 2005 instance MSFW finished successfully
13:32:27 INFO: Deleting previous SQL Express installation directory <C:\Program Files\microsoft sql server\MSSQL10.MSFW>
13:32:27 INFO: Activating Reconfigure with cmdline='REBOOT=ReallySuppress WRAPPER=1'
13:32:27 INFO: Activating setup cmdline='C:\Windows\system32\msiexec.exe /qn /X {AEBCA466-489C-4e03-B667-C89DCD5EFF24} REBOOT=ReallySuppress WRAPPER=1 /Lvoicewarmup+ C:\Windows\TEMP\ISAFWSV_254.log LOGSESSIONNUM=254 FWUILOGFILE=C:\Windows\TEMP\ISAFWUI_254.log '
13:33:34 INFO: Process completed successfully
13:33:34 INFO: CFirewallInstaller::DeleteAddRemoveEntry
13:33:34 INFO: CFirewallInstaller::DeleteComUIRegistry
13:35:55 ERROR: Wrapper: Install failed, hr = 0x84be03f4
13:35:55 ERROR: Wrapper: DoSetup failed, hr = 0x84be03f4
13:35:55 ERROR: Wrapper: DoSetup failed, hr = 84be03f4
13:35:55 ERROR: Setup of SSE Reporting failed. Return value: SETUP_ERROR_SSE_SSRS

TMG blocks LAN-based WSUS-Access


Hi,

I have a ConfigMgr/WSUS Server in my internal LAN and a TMG Server as Firewall/Gateway/Proxy. When I try to use Windows Update on my Test-Client (TMG Client installed), it fails with Code 80244021 (which more or less means it can't connect to its update server). When I look at the TMG Log, it shows that it blocked access to mentioned WSUS Server. What I don't understand is why, because since the connection from the client to the WSUS server is purely LAN-based, why does it even touch the proxy? Both the domain suffix and the IP range are configured for the TMG Network "Internal", so it should be possible to connect directly.

Do I have to create a firewall policy or publish policy to allow local access to my wsus?

Regards,
Pharao2k

Sudden VPN issue on old ISA 2006 system


Let me first say I am getting ready to retire this server, but still have to keep it going for the next few weeks.

A little under a month ago, all of a sudden my ISA Server 2006 Standard stopped allowing more than 2 VPN connections at a time. It is configured to allow 15, but for some reason as soon as 2 users connect in it stops allowing any more connections and those users who attempt get an 806 error.

This is PPTP VPN connection by the way, so simple, no shared key or certificate to contribute to the issue.

Nothing has changed on this server as far as updates, patches or configuration is concerned, and we did not have any issues prior to this. That is on top of the fact that it does still allow connections, but only 2 at a time.

All of that said, around the time this started happening, though I can't say whether it was before or after, I ran Forest and Domain prep for 2012 so that I could add a 2012r2 server to my network to run as volume license manager for Office.

Could the forest/domain prep have caused this issue, or could it simply be that the old hardware, one of the NICs maybe is failing and is causing issues?


Manning


Error 10060 while browsing Internet through TMG2010


Hi,

 

I am using TMG2010 with two NICs, one for Internal and the 2nd for External (Internet). The configuration for both NICs is as below; the order of NICs is Internal and then External.

Configuration Internal Network: IP: 192.168.0.0 DNS: 192.168.0.1

External Network: IP: 73.67.87.x GW: 73.67.87.x

 

External Network

  • Default Gateway defined
  • DNS Servers defined
  • Register this connection’s address in DNS – Disabled
  • File and Print Sharing for Microsoft Networks – Disabled
  • Client for Microsoft Networks – Disabled
  • NetBIOS over TCP/IP – Disabled
  • Show icon in notification area when connected - Enabled

Internal Network

  • Default Gateway not defined
  • DNS Servers defined
  • Register this connection’s address in DNS – Enabled
  • File and Print Sharing for Microsoft Networks – Disabled
  • Client for Microsoft Networks – Enabled
  • NetBIOS over TCP/IP – Enabled
  • Show icon in notification area when connected – Enabled

I am using an internal DNS server like 192.168.0.1 and I use a DNS forwarder. I am using the ISP DNS server IP in the DNS forwarder tab.

My DNS server is working fine for internal and external name resolution. After some time internet browsing stops suddenly; sometimes it stops after 2 to 3 hours, sometimes after 7 to 8 hours. When internet browsing stops I can ping external sites like google, cnn and yahoo etc. I can also tracert to external sites and my request completes, it's working OK, but when I do nslookup it shows request timeout for external sites, while DNS is working OK for internal sites. I have DNS installed on Active Directory. I do not have a DNS server on TMG2010. My TMG2010 is up to date with SP2 and rollup5 from Microsoft.

I got following error

Technical Information (for support personnel)

  • Error Code 10060: Connection timeout
  • Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties.
  • Date: 9/24/2014 3:30:18 PM [GMT]
  • Server: abc.com
  • Source: Firewall

 

Then I have to do the following task to get internet working.

TMG Management Console --> Networking --> Network rules --> NAT address section, and I have to change my External IP address; then browsing starts and works fine for some time.

With these settings I have run TMG2010 for 2 to 3 years and it was OK; now it has created a problem, however I did not make any change in rules or configuration. I have some publishing rules for Exchange and websites which always work, even when DNS is not working properly.

Can anyone help me to sort out this issue?

 

Thanks in advance.



Unable to block mediafire


Hi, i'm using TMG 2010 and i have two problems. 

1/ I want to block https://www.mediafire.com so i created a rule like this :

Action : Deny

Protocol : DNS, HTTP, HTTPS 

From : Internal, Localhost

To : Domain name set  ( *.mediafire.com , *.mediafire.com.*)
       URL sets (www.mediafire.com:443/*)
But my users still access this website and I don't know why.

2/ If I want to use Skype while HTTPS inspection is enabled, I must uncheck the Web Proxy Filter of protocols: HTTP, HTTPS, but then I can't block users from uploading files anymore. I think my HTTP Filter was disabled. This is my rule:

Action : Allow

Protocols : DNS, HTTP, HTTPS

From : internal , localhost

To : URL Categories ( Chat )

Please help me :). Thank you very much.

Best Regard!



IPSec VPN for second subnet on TMG Internal


We have an IPsec site to site VPN set up between PFsense at our local office, and TMG in our datacenter. This works for the default subnets at both offices. Below are the subnets for the current IPsec.

Office: 192.169.0.0/22 (192.168.0.0 - 192.168.3.255 which covers all 3 private adapters on pfsense)

Datacenter: 10.1.1.0/26 (10.1.1.0 - 10.1.1.127  This is the default subnet for the Internal Adapter on TMG)

The issue is we have a second subnet at the datacenter (10.88.1.0/26) that we need to include in the site to site route. I have added the subnet to the internal adapter, along with the network route. This works on TMG and I can ping the servers on that subnet.

On the PFSense side, I created a second PhaseII connection with the same local subnet (192.1688.0.0/22) and the additional subnet (10.88.1.0/26). Pfsense was able to connect both PhaseII connections with no issue. When I attempt to send traffic across the tunnel, it tries to use the correct access rule for the VPN, but fails with the following 2 errors:

"A socket operation was attempted to an unreachable network: 0x80072743 WSAENETUNREACH"


ISA Replacement - New Firewall acts as DHCP Server?


I am going to be evaluating a new firewall to replace my existing ISA Server 2006 Standard and I have a concern about its required configuration.

I have an AD network at current functional level of 2003 with one Windows Server 2003r2 DC, and one Windows Server 2008r2 DC both acting as DNS servers. The 2008r2 DC is also a DHCP server and the 2003r2 is a WINS server. ISA Server is a caching only DNS server. ISA is configured to allow client to site VPN, obviously relaying requests for addresses to the 2008r2 DHCP server.

The new firewall I am considering is a Barracuda X300. It can function as a DHCP server, and since it does not currently support DHCP relay would pretty much have to serve as my DHCP server if I wanted to allow VPN access with dynamic address assignment.

Question is, do I want that? And would I then remove the DHCP service from my 2008r2 server? I will gladly consider other firewall options.

A side question, this firewall can also act as an authoritative DNS server, or simply cache DNS requests. I'm pretty sure I don't want it to act as an authoritative DNS server, am I right to think this?

Thanks


Manning

HTTP/1.1 502 Proxy Error ( Connection refused )\nVia: 1.1 TMG01 -SP\nConnection


Hi,

I have an application that executes calls to a jetty server locally. When I try to run the application I get the error below.

HTTP/1.1 502 Proxy Error ( Connection refused )\nVia: 1.1 TMG01-SP\nConnection: Keep-Alive\nProxy-Connection: Keep-Alive\nPragma: no-cache\nCache-Control: no-cache\nContent-Type: text/html\nContent-Length: 3904  \n

 
But this error only occurs on a particular machine; when I run the same application on other machines I have no problems.

Does someone know what it could be? I disabled the firewall, proxy, includes rules on the firewall but nothing gets this application working.


Two ISA servers and what if one goes down..Redundancy? Please help


Hello,

I'm running two ISA 2006 servers in my network for internet access and running as SecureNAT client. How can I automatically route traffic of one ISA server to another ISA server if one ISA goes down? I mean without going to client side and changing their default gateway IP to second ISA which is UP.

Here is how it is configured:

Two ISA Servers:
ISA1 IP: 192.168.1.4 (ISP 1)
ISA2 IP: 192.168.1.5 (ISP 2)

User Workstation:
IP: 192.168.1.10
Default Gateway: 192.168.1.4 (IP of ISA1)

What if ISP 1 (ISA1) goes down then how can I let users to route their internet traffic to ISP 2 (ISA2)?

There are around 50 clients in my network and their LAN adapter is configured with static IPs (no DHCP).

Best solution? Please help. Thanks

TMG 2010 SP1 periodically stop responding to ping, RDP and MS Outlook


Hi ...

I am using TMG 2010 SP1 as Edge FW on Win Server 2008 R2 having 02 NICs. The problem is that my TMG server is providing internet services properly without any problem or delay, but when I ping and RDP to my TMG it responds only for 40-50 seconds, and after this time the connection times out for ping requests and the connection is lost for RDP. Also MS Outlook doesn't send or receive email after 40-50 secs. When I restart my server it again starts responding for 40-50 seconds, only once.

1. I have configured System policy editor to allow ping and RDP and created firewall rules to allow both protocols and same for MS outlook.

2. I have verified that both of NICs of TMG (Broadcom) are working properly and NICs Driver Ver. is 5.2.05

3. My TMG can ping all the clients and DNS, DC server. 

4. The updates KB2888049, KB2882822 and KB2913431 are not installed on my Win Server 2008 R2, as I have read blogs saying these updates create issues like that.

If anybody has an idea about this mystery issue please help.

Shahzad 


Microsoft TMG proxy settings for WebSockets to work


Need the settings to be applied in TMG proxy to allow WebSockets to work with the following ports 

  • HTTP: 80
  • HTTPS: 443
  • XMPP: 5222
  • XMPP: 5223
  • Flash Player (TCP): 843

Appreciate any help in sorting this ASAP.

