Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

Outlook 2013 unable to connect to Exchange 2013 over IPsec VPN between TMG arrays


We recently deployed servers at a new datacenter for development. Our Exchange 2013 server is located at the previous datacenter. Both datacenters have standalone TMG arrays set up for external connections and for web proxies. There is an IPsec VPN set up between the 2 arrays with a static route.

The problem is that servers at the new datacenter are unable to connect with Outlook 2013. The initial setup works with no issues, and repairing the account works as well. But when the users try to start Outlook they get an error that it's unable to connect to the server. I can see the requests being allowed in the logging on both TMG arrays, both ways, and nothing is being blocked. The IPsec VPN is set up as a route, so NAT is not the issue here. Exchange can be pinged, and OWA works with no issues. Only Outlook is unable to connect.


Header including user credentials


Hello,

Here is the situation. We have two AD domains, Domain A and Domain B. Domain A has an AD called domainA.local in the DMZ, where all external users are. This domain also hosts SharePoint 2013 and TMG. We have another domain, internal this time, called Domain B. This domain has an AD called domain.local, where all our internal users are located. The internal domain also hosts a third-party claims provider that we intend to use to authenticate both internal and external users. The issue we are having is that when external users authenticate to TMG (this is a requirement for us) they are then passed to SharePoint, where the claims provider kicks in, but we can't figure out how to pass the credentials of the user authenticated in TMG to SharePoint in a header so we can achieve some sort of SSO. Right now the users also get prompted at the SharePoint level after they get through TMG. I know we can do this through a header variable on TMG, but I am not sure where to start. Any help would be appreciated.

Thanks

Error 10060 while browsing Internet through TMG2010


Hi,


I am using TMG 2010 with two NICs, one for Internal and a second for External (Internet). The configuration for both NICs is as below; the binding order of the NICs is Internal and then External:

Configuration Internal Network: IP: 192.168.0.0 DNS: 192.168.0.1

External Network: IP: 73.67.87.x GW: 73.67.87.x

External Network

  • Default Gateway: defined
  • DNS Servers: defined
  • Register this connection’s address in DNS – Disabled
  • File and Print Sharing for Microsoft Networks – Disabled
  • Client for Microsoft Networks – Disabled
  • NetBIOS over TCP/IP – Disabled
  • Show icon in notification area when connected – Enabled

Internal Network

  • Default Gateway: not defined
  • DNS Servers: defined
  • Register this connection’s address in DNS – Enabled
  • File and Print Sharing for Microsoft Networks – Disabled
  • Client for Microsoft Networks – Enabled
  • NetBIOS over TCP/IP – Enabled
  • Show icon in notification area when connected – Enabled

I am using an internal DNS server (192.168.0.1) and I use a DNS forwarder; I have the ISP DNS server IP in the DNS forwarder tab.

My DNS server is working fine for internal and external name resolution, but after some time Internet browsing stops suddenly; sometimes it stops after 2 to 3 hours, sometimes after 7 to 8 hours. When Internet browsing stops I can still ping external sites like google, cnn and yahoo etc. I can also tracert to external sites and my request completes, so that is working OK, but when I do an nslookup it shows request timeout for external sites, while DNS is working OK for internal sites. I have DNS installed on Active Directory; I do not have a DNS server on TMG 2010. My TMG 2010 is up to date with SP2 and Rollup 5 from Microsoft.

I got the following error:

Technical Information (for support personnel)

  • Error Code 10060: Connection timeout
  • Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties.
  • Date: 9/24/2014 3:30:18 PM [GMT]
  • Server: abc.com
  • Source: Firewall

Then I have to do the following task to get the Internet working:

TMG Management Console --> Networking --> Network Rules --> NAT address section, and I have to change my external IP address; then browsing starts and works fine for some time.

With these settings I have run TMG 2010 for 2 to 3 years and it was OK; now it has created this problem, although I did not make any change in rules or configuration. I have some publishing rules for Exchange and websites which are always working, even when DNS is not working properly.

Can anyone help me sort out this issue?


Thanks in advance.


Cannot create Site to Site (B2B) VPN using IPSec


Our company is trying to establish a site-to-site VPN with another company using TMG 2010 on our end and a Cisco router on their end. We currently have another tunnel up with a different vendor that has been working for over a year, so I am familiar with the setup. However, this one seems to fail on Phase 2 (IKE Quick Mode). Here is the log (some information hidden). The first entry is an Audit Success for IPsec Main Mode (4650):

An IPsec main mode security association was established. Extended mode was not enabled.  Certificate authentication was not used.

Local Endpoint:
    Principal Name:    -    Network Address:    208.*.*.*    Keying Module Port:    500

Remote Endpoint:
    Principal Name:    -    Network Address:    75.*.*.*    Keying Module Port:    500

Security Association Information:
    Lifetime (minutes):    120    Quick Mode Limit:    0    Main Mode SA ID:    3

Cryptographic Information:
    Cipher Algorithm:    (hidden)    Integrity Algorithm:    (hidden)    Diffie-Hellman Group:    (hidden)

Additional Information:
    Keying Module Name:    IKEv1    Authentication Method:    Preshared key    Role:    Initiator    Impersonation State:    Not enabled

Then afterward I get an Audit Failure for IPsec Quick Mode (4654):

An IPsec quick mode negotiation failed.

Local Endpoint:
    Network Address:    10.1.10.0    Network Address mask:    255.255.255.0    Port:            0    Tunnel Endpoint:        208.*.*.*

Remote Endpoint:
    Network Address:    10.10.30.0    Address Mask:        255.255.255.0    Port:            0    Tunnel Endpoint:        75.*.*.*    Private Address:        0.0.0.0

Additional Information:
    Protocol:        0    Keying Module Name:    IKEv1    Virtual Interface Tunnel ID:    0    Traffic Selector ID:    0    Mode:            Tunnel    Role:            Initiator    Quick Mode Filter ID:    87602    Main Mode SA ID:    3

Failure Information:
    State:            Sent first (SA) payload    Message ID:        1    Failure Point:        Remote computer    Failure Reason:        IKE security attributes are unacceptable

If they initiate the tunnel I get the exact same message that the IKE security attributes are unacceptable. We have gone over all the rules multiple times to verify they are correct. We even changed some Phase 2 settings on both ends (again making sure they match) to see if that was it, and still the same message. Anyone have any ideas why this would happen?

-Allan
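A small parser for the flattened Windows IPsec event text shown in the post above, added here as an example (it is not from the original post, from Microsoft, or from TMG). It takes the 4654 text exactly as posted (with the poster's own masking of the public addresses) and pulls out the fields a reviewer would put side by side with the peer's configuration: the two protected subnets, the negotiation role, and the failure point and reason. The section/field layout it assumes is the one visible in the post: unindented lines ending in a colon start a section, and fields on indented lines are separated by runs of whitespace.

```python
import re

# Event 4654 text as posted above (Windows "Audit Failure" for IPsec Quick Mode);
# the 208.*.*.* / 75.*.*.* masking is the poster's, not ours.
EVENT_4654 = """\
An IPsec quick mode negotiation failed.

Local Endpoint:
    Network Address:    10.1.10.0    Network Address mask:    255.255.255.0    Port:            0    Tunnel Endpoint:        208.*.*.*

Remote Endpoint:
    Network Address:    10.10.30.0    Address Mask:        255.255.255.0    Port:            0    Tunnel Endpoint:        75.*.*.*    Private Address:        0.0.0.0

Additional Information:
    Protocol:        0    Keying Module Name:    IKEv1    Virtual Interface Tunnel ID:    0    Traffic Selector ID:    0    Mode:            Tunnel    Role:            Initiator    Quick Mode Filter ID:    87602    Main Mode SA ID:    3

Failure Information:
    State:            Sent first (SA) payload    Message ID:        1    Failure Point:        Remote computer    Failure Reason:        IKE security attributes are unacceptable
"""

# Fields on one line are separated by two or more spaces (or tabs) in the flattened text.
FIELD_SPLIT = re.compile(r"\s{2,}|\t+")


def parse_ipsec_event(text):
    """Turn the flattened event text into {"message": ..., "sections": {section: {field: value}}}.

    Unindented lines ending in ':' open a section; other unindented lines are the
    event message. On indented lines, a token ending in ':' is a field name and the
    token that follows it is that field's value.
    """
    event = {"message": "", "sections": {}}
    section = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw[0].isspace()
        line = raw.strip()
        if not indented:
            if line.endswith(":"):
                section = line[:-1]
                event["sections"][section] = {}
            else:
                event["message"] = (event["message"] + " " + line).strip()
            continue
        if section is None:
            continue  # indented text before any section header: nothing to attach it to
        key = None
        for token in FIELD_SPLIT.split(line):
            if not token:
                continue
            if token.endswith(":"):
                key = token[:-1]
                event["sections"][section].setdefault(key, "")
            elif key is not None:
                event["sections"][section][key] = token
                key = None
    return event


def summarize_quick_mode(event):
    """Reduce a parsed 4654 event to the facts worth comparing with the peer's config."""
    s = event["sections"]
    local = s.get("Local Endpoint", {})
    remote = s.get("Remote Endpoint", {})
    extra = s.get("Additional Information", {})
    fail = s.get("Failure Information", {})
    # The two endpoint sections spell the mask field differently; accept either.
    local_mask = local.get("Network Address mask", local.get("Address Mask", ""))
    remote_mask = remote.get("Address Mask", remote.get("Network Address mask", ""))
    return {
        "failed": event["message"].lower().endswith("failed."),
        "keying": extra.get("Keying Module Name", ""),
        "role": extra.get("Role", ""),
        "local_selector": f'{local.get("Network Address", "")}/{local_mask}',
        "remote_selector": f'{remote.get("Network Address", "")}/{remote_mask}',
        "rejected_by_peer": fail.get("Failure Point", "") == "Remote computer",
        "state": fail.get("State", ""),
        "reason": fail.get("Failure Reason", ""),
    }


if __name__ == "__main__":
    for k, v in summarize_quick_mode(parse_ipsec_event(EVENT_4654)).items():
        print(f"{k:18} {v}")
```

Run on the posted event, the summary shows the local side acting as IKEv1 initiator for the pair 10.1.10.0/255.255.255.0 to 10.10.30.0/255.255.255.0, with the rejection coming from the remote computer after the first SA payload. The 4654 event carries no cipher, integrity, PFS or lifetime values for the quick mode proposal, so the parser can only tell you which side said no and for which selectors; the proposal contents themselves have to be read from both peers' Phase 2 configuration.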



TMG 2010 report problem: Operation has timed out


Hello.

I'm stuck and I really need assistance.

We had a TMG 2010 RTM version and I decided to update it to the latest rollup and SP (dumb head).

So now we have TMG 2010 SP2 Rollup 4.

Before I updated TMG, reports worked fine, but now reports are not working at all.

When I try to execute a report (or schedule a daily or weekly report) I have the same issue:

Error 31289:

The report "Daily" could not be generated. Report Server error information: The report Daily could not be generated. Report Server error information: The operation has timed out.

The error occurred on object 'Reports' of class 'Reports Configuration' in the scope of array 'TMG'.

I read all the guidelines (including this: http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-How-to-use-SQL-Server-2008-Express-Reporting-Services.html) and did not find anything useful.

The settings are correct, and I have not changed any settings.

And now my ideas have run out, so I ask for your help.


Having problem uninstalling TMG


Hello community!

I'm having an issue uninstalling TMG from my server. We moved to gateway security and TMG was no longer needed.

Today I attempted to uninstall it but it failed. The application disappeared from the "Programs and Features" list and it's blocking incoming traffic. Outbound traffic flows just fine, I can get outside, but incoming is blocked. I have office shares on this server and it's very important for me to restore connectivity.

I tried some third-party uninstallers like "Perfect Uninstaller" but no luck. The TMG services are all still there, stopped, and can't be started.

Any advice will be highly appreciated.

Thank you



How to filter isc.org ANY attacks (DNS Amplification Attack)


Hi,

I'm receiving on average about 600 DNS requests per minute, all with the same (forged) source address and content (isc.org ANY).

How can I configure TMG to block this traffic? I would like to create rules that would look something like this:

"Filter dns where query contains isc.org" or "limit udp traffic for port 53 to 100 packets / minute / ip"

Thanks
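The two rule ideas in the post, a name match on the query and a per-source packets-per-minute limit, are easy to evaluate offline over a query log before deciding what to enforce at the gateway. The script below is an added example, not part of the original post and not TMG's own logging format: it assumes a constructed one-query-per-line layout of "date time client qname qtype", normalises the name, counts queries per source per minute, and reports which sources exceed the limit and which ones are sending ANY queries for the watched name.

```python
import re
from collections import defaultdict

# Constructed sample log (NOT TMG's own log format): "date time client qname qtype".
# 198.51.100.7 stands in for the single forged source address the post describes.
SAMPLE_LOG = """\
2014-10-02 11:08:01 198.51.100.7 isc.org ANY
2014-10-02 11:08:01 198.51.100.7 isc.org ANY
2014-10-02 11:08:02 198.51.100.7 isc.org ANY
2014-10-02 11:08:02 198.51.100.7 ISC.ORG. ANY
2014-10-02 11:08:03 198.51.100.7 isc.org ANY
2014-10-02 11:08:03 198.51.100.7 isc.org ANY
2014-10-02 11:08:05 192.168.0.55 www.example.com A
2014-10-02 11:08:09 192.168.0.56 mail.example.com MX
2014-10-02 11:09:00 198.51.100.7 isc.org ANY
this line is malformed and is counted as skipped
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}):\d{2} (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return {"minute", "client", "qname", "qtype"} for one log line, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, hhmm, client, qname, qtype = m.groups()
    return {
        "minute": f"{date} {hhmm}",
        "client": client,
        # DNS names are case-insensitive and may carry a trailing dot; normalise before matching.
        "qname": qname.lower().rstrip("."),
        "qtype": qtype.upper(),
    }


def analyze(log_text, per_minute_limit=100, watch_names=("isc.org",)):
    """Apply both rule ideas from the post to a log: a per-source rate limit and an ANY-for-watched-name match."""
    per_minute = defaultdict(int)     # (client, minute) -> number of queries
    watched_any = defaultdict(int)    # client -> ANY queries for a watched name
    skipped = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            if raw.strip():
                skipped += 1
            continue
        per_minute[(rec["client"], rec["minute"])] += 1
        if rec["qtype"] == "ANY" and rec["qname"] in watch_names:
            watched_any[rec["client"]] += 1

    peak = defaultdict(int)           # client -> busiest minute
    for (client, _minute), n in per_minute.items():
        peak[client] = max(peak[client], n)

    return {
        "rate_offenders": sorted(c for c, n in peak.items() if n > per_minute_limit),
        "any_offenders": sorted(watched_any),
        "peak_per_minute": dict(peak),
        "watched_any_counts": dict(watched_any),
        "skipped": skipped,
    }


if __name__ == "__main__":
    # A low limit on the tiny sample shows both detections firing for the same source.
    for k, v in analyze(SAMPLE_LOG, per_minute_limit=5).items():
        print(f"{k:20} {v}")
```

Because the post says the source address is forged, a per-source rate limit at the gateway throttles whoever is being impersonated, not the sender; the counts are still useful for identifying that address and for sizing a limit that normal clients never reach. The name/ANY match is the signal that does not depend on the spoofed source, and the count of how many of the queries are exactly "isc.org ANY" tells you how much of the traffic a query-content rule would actually cover.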


ISA Server logs to SQL Server


Hello Everyone,

We are working to move ISA Server 2004 logs to SQL Server 2012. Everything is configured fine. After applying the changes to ISA Server and restarting its services, the firewall gets stopped. Please refer to the event log below and suggest a workaround.

Event Type:Error
Event Source:Microsoft ISA Server Control
Event Category:None
Event ID:14048
Date:10/2/2014
Time:11:08:47 AM
User:N/A
Computer:**************
Description:
Failed to stop the fwsrv during Execution of alert actions. Use the source location ************ to report the failure. The computer should be restarted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 06 00 07 80               ...?   

Thanks


-Ahmed Khan


Outlook.com / mail.live.com display issues


We have an issue with our TMG array where one of the servers doesn't display outlook.com/hotmail/other Microsoft bits and bobs correctly. For example, I log into my Hotmail and I get a page that looks like this:

Proxy1 error

however, the same page accessed through the second server in the array displays fine. Both servers in the array (obviously) share the same config and both are up to date and synced.

Things we've tried so far:

Each proxy has an individual NAT to an external IP address; we've changed these and swapped them over, but the errors always happen via PROXY1, so it wouldn't appear to be any IP blocking on MS's part.

It does appear to work the first time you log in, but after that you get the incorrectly drawn page.

If you change the URL from dub110 to dub109/dub122 then it appears to redirect OK to dub110 and display correctly. Subsequent refreshes give you the junk page.

Other MS 'live' sites do seem to have weird issues through PROXY1; for example, the picture is missing from the login.live.com page via PROXY1.

So, given that both TMG servers in the array are sharing the same config, what can be happening? No Dashboard alerts, no AD issues, all connection verifiers show OK, etc.

Thanks in advance

TMG Server Firewall Rule

Hi experts,

I am trying to deploy Forefront TMG in a Virtualized Environment.

The software I am using is Oracle VM VirtualBox.

I have made 2 server machines. One is a domain controller, and on the other machine I have installed FTMG 2010. The TMG server is part of the domain. It has two NICs, one for WAN and the other one for LAN. On the TMG server I have made a firewall rule that allows all outbound traffic to an AD user.

On another Win7 virtual machine that is joined to the domain, I logged in as a user and in the Internet Options of IE I configured the proxy settings that point to my TMG server. But nothing is showing up, not even the Websense page.

It just shows 'Internet Explorer cannot show the webpage'.

Can anybody help me find where I am going wrong?


TMG Android keeps rebooting after I turn on the Wifi


Hi,

I recently purchased a TMG W-78D. It was working fine (for a month); however, I noticed the Wifi would screw up in the way that I had to turn it off and then on again to find a Wifi network. Then my tablet would reboot every so often, but it was OK. Now every time I turn on the Wifi it will continually reboot. Sometimes it will do it straight away, over and over again, until I turn off the Wifi. Sometimes it will be fine for a while and then start to reboot. I have done a factory reset? What can I do? Can I manually update the system? There is no way on the tablet.

Thank you

PowerPoint Web App 415 Unsupported Media Type


Hi,

I had successfully deployed and configured external access via TMG to SharePoint 2013 with Office Web Apps 2013. Everything works fine except PowerPoint Web App when the farm is accessed externally. The user gets the following error message:

Either you´ve lost network connectivity or our server is too busy to handle your request. Please check your network connection and try again later. 

PowerPoint Web App is working fine when accessing SharePoint from the local network or through VPN.

I've searched the TMG logs and found this 415 error:

Allowed Connection
Log type: Web Proxy (Reverse)
Status: 415 Unsupported Media Type
Rule: (SERVER FQDN)
Source: Internal ()
Destination: Local Host ()
Request: POST http://(SERVER FQDN)/p/ppt/view.https.svc/jsonNtlm/GetPresentation
Filter information: Req ID: 0be8d6bf; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=no, logged off=no, client type=public, user activity=yes
Protocol: https
User: domain\name

Additional information
Client agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x40020000 (Response includes the CACHE-CONTROL: PRIVATE header. Response should not be cached.)
Processing time: 16 MIME type:

Thank you for answers! 

Regards


Lubomir

Remove additional logon screens from TMG


We are using TMG as a reverse proxy to publish SharePoint. The following query string gets us to an unwanted logon form:

/CookieAuth.dll?GetLogon?curl=Z2F&reason=0&formdir=2

How do I remove the logon form associated with this query string?

thanks

jon

OWA 2013 published through TMG 2010: logoff URL problem


Hi all,

The problem is with OWA publishing over the Internet via TMG. TMG is not able to catch the OWA LogOff URL page, so instead it receives the "Close all your browser settings..." message and there is no logout from OWA.

Has anyone got that "real logout" fixed via TMG?


Unable to view report clearly, it is totally messed up


Dear all,

I am using Threat Management Gateway 2010 and I am also using reporting, but the report is not displayed clearly because I am viewing it in IE.

Please find the image with this discussion; I hope to get a positive answer from you.


Azad Ali M.Hussian Windows Administrator


Does TMG 2010 Work with Server Name Indication (SNI) Feature of IIS8?


Hi,

I am trying to publish Microsoft Azure Pack Tenant Websites using SSL 443 for multiple sites with the recent Server Name Indication (SNI) feature. For the life of me I cannot get this working (no denied traffic on TMG).

Does TMG 2010 SP2 UR5 support (sorry, work with) SNI?


Microsoft Partner


