Channel: Forefront TMG and ISA Server forum

TMG 2010 & Ad Filtering

Hi Folks!

Just a quick question, we're using TMG 2010 and have it configured to filter out ads on websites. It's working pretty well but the only thing I'd like to change is that when we view a site with lots of ads they get replaced by the default TMG box (grey/brown) that carries a message from TMG saying the ad was blocked.

It would be nice if we could change that so nothing appears. For instance, we go to a site that has 20 ads that TMG blocked and it shows nothing where the ads used to be. Is that possible?

Thanks in advance for any tips on this :-)


Two NIC and Active Networks problem with TMG 2010

On a Windows 2008 R2 server joined to the domain and with an Edge template configuration we have the following issue:

The Active Networks (in Network and Sharing Center) keep changing to a single network. Normally they should be like:

domain network----- LAN

Public----WAN

They get joined and show like

domain.local----LAN/WAN

OR like:

Public network ---- LAN/WAN

We have exhausted troubleshooting, Internet and forum search. Has anyone experienced something like this?


The Dunadan Raptor

Rule Error 0xc0040050 fwx_e_tcpip_drop_ip_not_locally_destined

We have TMG 2010 installed on a Windows 2008 R2 OS.
There are two interfaces on the TMG server: External and Internal Network.
There are three IP subnets behind the TMG firewall in two different locations connected over WAN.

Location 1 is using 10.15.16.0 subnet.
I have no issue connecting to 10.15.18.0 and 192.168.15.0 subnet from 10.15.16.0 over the WAN

Location 2 over the WAN connected to 10.15.18.0 and 192.168.15.0 subnet
I do have two static routes on TMG connecting to the 10.15.18.0 and 192.168.15.0 subnets.
The route for 10.15.18.0 works and the one for 192.168.15.0 does not work.


Clients are connecting using IPsec tunnel and sure the DHCP IP to VPN client is into 10.15.16.0 subnets.

They can RDP to 10.15.16.0 and 10.15.18.0 (WAN) Network
They cannot RDP to 192.168.15.0 Network.

I can confirm this is a TMG issue.
I have created a firewall rule to allow External to the computers (192.168.15.0) subnet using RDP 3389.

The TMG logs show denied connections as below:

Log type: Firewall service
Status: An ingoing packet was dropped because its destination address does not exist on the system, and no appropriate forwarding interface exists. 
Rule: None - see Result Code
Source: VPN Clients (10.15.16.167:53901)
Destination: External (224.0.0.252:5355)
Protocol: Link-local multicast name resolution
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 10.15.16.167

Rule Error 0xc0040050 fwx_e_tcpip_drop_ip_not_locally_destined


I have applied this blog solution but it did not fix it:

http://blogs.technet.com/b/isablog/archive/2009/02/04/how-to-enable-multicast-routing-with-isa-server.aspx


Muhammad Mehdi

Cannot create Site to Site (B2B) VPN using IPSec

Our company is trying to establish a site to site VPN with another company using TMG 2010 on our end and a Cisco router on their end.  We currently have another tunnel up with a different vendor that has been working for over a year so I am familiar with the setup.  However with this one it seems to fail on Phase 2 (IKE Quick Mode).  Here is the log (some information hidden).  The first entry is an Audit Success for IPsec Main Mode (4650):

An IPsec main mode security association was established. Extended mode was not enabled.  Certificate authentication was not used.

Local Endpoint:
    Principal Name:    -    Network Address:    208.*.*.*    Keying Module Port:    500

Remote Endpoint:
    Principal Name:    -    Network Address:    75.*.*.*    Keying Module Port:    500

Security Association Information:
    Lifetime (minutes):    120    Quick Mode Limit:    0    Main Mode SA ID:    3

Cryptographic Information:
    Cipher Algorithm:    (hidden)    Integrity Algorithm:    (hidden)    Diffie-Hellman Group:    (hidden)

Additional Information:
    Keying Module Name:    IKEv1    Authentication Method:    Preshared key    Role:    Initiator    Impersonation State:    Not enabled

Then afterward I get an Audit Failure for IPsec Quick Mode (4654):

An IPsec quick mode negotiation failed.

Local Endpoint:
    Network Address:    10.1.10.0    Network Address mask:    255.255.255.0    Port:            0    Tunnel Endpoint:        208.*.*.*

Remote Endpoint:
    Network Address:    10.10.30.0    Address Mask:        255.255.255.0    Port:            0    Tunnel Endpoint:        75.*.*.*    Private Address:        0.0.0.0

Additional Information:
    Protocol:        0    Keying Module Name:    IKEv1    Virtual Interface Tunnel ID:    0    Traffic Selector ID:    0    Mode:            Tunnel    Role:            Initiator    Quick Mode Filter ID:    87602    Main Mode SA ID:    3

Failure Information:
    State:            Sent first (SA) payload    Message ID:        1    Failure Point:        Remote computer    Failure Reason:        IKE security attributes are unacceptable

If they initiate the tunnel I get the exact same message about the IKE security attributes being unacceptable.  We have gone over all the rules multiple times to verify they are correct.  We even changed some Phase 2 settings on both ends (again making sure they match) to see if that was it and still the same message.  Anyone have any ideas why this would happen?

-Allan



TMG 2010 report problem Operation has timed out

Hello.

I'm stuck and I really need assistance.

We had a TMG 2010 RTM version and I decided to update it to the latest rollup and SP (dumb head).

So now we have TMG 2010 SP2 rollup 4.

Before I updated TMG, reports worked fine, but now reports are not working at all.

When I try to execute a report (or schedule a daily or weekly report) I have the same issue:

Error 31289:

The report "Daily" could not be generated. Report Server error information: The report Daily could not be generated. Report Server error information: The operation has timed out.

The error occurred on object 'Reports' of class 'Reports Configuration' in the scope of array 'TMG`

I read all the guidelines (including this: http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-How-to-use-SQL-Server-2008-Express-Reporting-Services.html) and did not find anything useful.

The settings are correct, and I have not changed any settings.

Now I have run out of ideas and ask for your help.


ISA Server logs to SQL Server

Hello Everyone,

We are working to move ISA Server 2004 Logs to SQL Server 2012. Everything configured fine. After applying changes to ISA Server and restarting its services, firewall gets stopped. Please refer below event logs and suggest a workaround.

Event Type:Error
Event Source:Microsoft ISA Server Control
Event Category:None
Event ID:14048
Date:10/2/2014
Time:11:08:47 AM
User:N/A
Computer:**************
Description:
Failed to stop the fwsrv during Execution of alert actions. Use the source location ************ to report the failure. The computer should be restarted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 06 00 07 80               ...?   

Thanks


-Ahmed Khan

Problem with VPN site to site through TMG

Hello All, can anyone assist me with this issue:

I have two servers configured with Microsoft TMG VPN site to site. When I try to connect them through the Remote Access console it gives me the error as attached. Please help me, I can't connect the two sites!!!

Having problem uninstalling TMG

Hello community!

I'm having an issue uninstalling TMG from my server. We moved to gateway security and TMG was no longer needed.

Today I attempted to uninstall it but it failed. The application disappeared from the "Programs and Features" list and it's blocking incoming traffic. Outbound traffic flows just fine, I can get outside but incoming is blocked. I have office shares on this server and it's very important for me to restore connectivity.

I tried some third party uninstallers like "Perfect Uninstaller" but no luck. The TMG services are all there, stopped, and can't be started.

Any advice will be highly appreciated.

Thank you




Publish Exchange 2013 OWA + Active Sync + Outlook Anywhere using TMG 2010

We plan to publish our new Exchange 2013 SP1 servers (3 in DAG) outside the corporate network using TMG 2010. I am looking for a guide on how to do it the proper way. What I found is a little old and does not take Exchange 2013 SP1 into consideration:

http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx

Any advice how to publish Exchange 2013 OWA using form-based authentication and how to use Kerberos Constrained Delegation?

NO NIS UPDATES SINCE 2012 ???

Hi Folks;

I just checked my NIS signature set and they appear to be from late 2012. 

When Microsoft abandoned all the customers they sold TMG 2010 to I thought part of the deal, for abandoning their customers, was that NIS updates and the like would continue for years to come.

Has Microsoft reneged on that or do I have it wrong?  


Q: Marking a question as answered when it's not - is this something new? A: Not at all, it's standard Nick Gu!

What is the alternative to TMG/ISA For SSL-Bridging-Capable Reverse Proxy For System Center 2012 R2 IBCM?

When I look up alternatives to TMG many other answers say something like "Don't worry about it. TMG 2010 is under support until 2020."

Well, we don't have TMG and can't buy it since it is off the market.  Can it still be legitimately purchased through any resellers?

We need a reverse proxy that specifically supports SSL-Bridging so that device certificate authentication is not broken when the connection passes through the proxy.

Which reverse proxies that are currently on the market are known to work successfully with System Center Config Manager Internet-Based Client Management and also with other Microsoft products such as Lync 2010 and RD Gateway 2012 R2?

Do any Cisco ASA or ACE models support the required functionality for machine certificate authentication?

We have ISA 2006 licenses available, but I would hate to roll that out and then have to replace it in only 2 years rather than using something that can stay in place long term.  Maybe we could use ISA 2006 temporarily as a stopgap if the next version released of Windows Server Web Application Proxy would meet the requirements and can be deployed in production before ISA 2006 is completely EOL.

I hate that Microsoft keeps discontinuing all the related products to this before they have their replacements ready.


How does client certificate get passed through TMG/ISA to destination server (eg. SCCM)?

To avoid the 403.7 errors when the destination server requires certificate authentication, how does SSL bridging reverse proxy inspect the traffic for safety without breaking the certificate authentication?

I'm not asking for specific configuration steps on this.  I just want an easy to understand overview on the process of how the laptop or smartphone authentication device certificate would pass through while TMG/ISA is still protecting the destination from attacks. 

TMG 2010 NIS update failed to install, it is giving Fatal Error

Hi,

I am running Forefront TMG 2010 and the NIS update failed to install; it is showing Fatal Error under the Monitoring tab. I presume that due to the NIS update failure some of my client PCs in the LAN are not able to ping "Forefront TMG 2010 (Ver-7.0.9193.500)", which is acting as the gateway of my LAN.

I tried to download the NIS update manually from the update center and tried to install it, but it failed.

The log which I got from the ISA_Updatelog folder is below.

2/4/2013 11:12:44 AM INFO    Going to search Microsoft Update via proxy: localhost:8080
2/4/2013 11:12:44 AM INFO    Network Inspection System updates will be searched...
2/4/2013 11:12:44 AM INFO    Network Inspection System updates will be re-installed as requested.
2/4/2013 11:12:44 AM INFO    Proxy: localhost:8080
2/4/2013 11:12:44 AM INFO    Searching for updates, source = Microsoft Update Direct, criteria=(IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains 'ae4483f4-f3ce-4956-ae80-93c18d8886a6' and CategoryIDs contains 'e0789628-ce08-4437-be74-2495b842f43b'), attempt=1
2/4/2013 11:12:55 AM INFO    Search completed with 0 warnings
2/4/2013 11:12:55 AM INFO    Search completed successfuly
2/4/2013 11:12:55 AM INFO    Found update: Definition Update for Microsoft Forefront Threat Management Gateway (Network Inspection System 4.32)
2/4/2013 11:12:55 AM INFO    Found update: Definition Update for Microsoft Forefront Threat Management Gateway (Network Inspection System 17.36.0.0)
2/4/2013 11:12:55 AM INFO    Found 2 Network Inspection System updates
2/4/2013 11:12:55 AM INFO    Downloading Network Inspection System updates...
2/4/2013 11:15:25 AM INFO    Download succeeded with no error
2/4/2013 11:15:25 AM INFO    Installing Network Inspection System updates...
2/4/2013 11:15:25 AM INFO    Installation progress 0
2/4/2013 11:15:25 AM INFO    Installation progress 0
2/4/2013 11:15:27 AM INFO    Installation progress 50
2/4/2013 11:15:28 AM INFO    Installation progress 50
2/4/2013 11:15:28 AM INFO    Installation progress 50
2/4/2013 11:15:41 AM INFO    Installation progress 100
2/4/2013 11:15:41 AM INFO    Installation progress 100
2/4/2013 11:15:41 AM ERROR   Installation succeeded with error, hr = 0x  240003
2/4/2013 11:15:41 AM INFO    Process installed update, index=0
2/4/2013 11:15:41 AM ERROR   Failed to install Definition Update for Microsoft Forefront Threat Management Gateway (Network Inspection System 4.32) update, hr = 0x80070643
2/4/2013 11:15:41 AM INFO    Process installed update, index=1
2/4/2013 11:15:41 AM INFO    Successfuly installed Definition Update for Microsoft Forefront Threat Management Gateway (Network Inspection System 17.36.0.0) update

Two primary error codes are reflected here: "hr = 0x80070643" and "hr = 0x  240003".

Please help with this problem, as some of the client PCs in the LAN are not able to reach the gateway, Forefront TMG 2010.


Regards, Kumar Lokesh Singh, Assistant Manager Systems, Larsen & Toubro Ltd.-ECC Division.

Will Security Advisory 2949927 add SHA-2 to TMG?

I know that this topic has been under discussion many times, but I still want to keep up hope..

Does anyone happen to know if Security Advisory 2949927, which brings SHA-2 support to the underlying OS of TMG, would also bring it to TMG? Since TMG is relying on the OS schannel process..


Antti Laatikainen IT Security Manager Santen Europe

Forefront TMG dropping connections

I have a strange and intermittent problem. I use Forefront TMG 2010 to publish Exchange 2010 (using separate rules for webmail, Active Sync, and Outlook Anywhere + autodiscover). Normally this works correctly but we have instances where traffic is being dropped by TMG, but at the very same time, traffic from other networks into the same TMG is working correctly.

So I get a complaint from one user located somewhere that whenever he tries to reach the webmail URL he gets "Internet Explorer cannot display the page", whilst at the very same time, I am able to access OWA from my home, when using my phone and even from the office. Now when troubleshooting the issue and using TMG's log, I can see that from the IP address at which the complaining user is, packets are being dropped with messages similar to:

0x80074e21 FWX_E_ABORTIVE_SHUTDOWN

Whilst at the very same time, people from other locations have no problems whatsoever to reach the very same published website. The only fix is to restart the Microsoft Forefront firewall, after the recycle of this service connectivity is restored for the complaining user.


Slow Upload - Even with SP1 Update 2 installed.

Morning all, I’m trying to solve a rather annoying issue with two of our TMG servers (virtualised on ESXi).

It started with the VPN connections for uploads being very slow. After more testing, I found that it affected all traffic that was uploading!

We have a 50 up, 50 down internet connection.

Both TMGs are less than a month old, and were installed with all updates before they were used/configured.

Background testing & notes

  • Our old physical ISA box doesn’t have the fault - This takes internal switching and internet connection problems out of the equation.
  • The issue appears on both of our TMG servers.
  • Doing a file transfer to/from each TMG server to machines in the local LAN doesn't show there to be a problem with that, with speeds hitting 80-100MB/s - this takes a problem with the virtual host's NIC/MTU setup out of the equation.

Steps tried:

  • EnablePMTUDiscovery has been tried as on (but not off yet).
  • The knowledge base article listed here: http://support.microsoft.com/kb/2452980 has been applied to the SP2 w/Update 2 boxes.
  • One of the TMGs has had all patches and updates removed all the way back to SP1 Update 1, and then re-applied in order, with SP1 Update 2 having the reg keys and script run before testing, then further upgrades to the latest.

Notes:

The registry keys, at any point and patch level don’t exist, nor do the DWORD values.

So what I have done is to create under the registry key location:

HKLM\System\CurrentControlSet\Services\W3Proxy is the following:

A key called “Paramaters”

And created the 32bit DWORD Values with 16 in hexadecimal

.\W3Proxy\

.\W3Proxy\Parameters\

.\W3Proxy\Performance\

.\W3Proxy\Performance\Parameters\

The script to modify the TCP Buffer was set to use a value of 60,000.

The issue has been logged with Partner Support Services, but they only operate Monday to Friday, and I was hoping to make some progress on this over this weekend.

Any help would be much appreciated.

Thanks in advance all.


TMG 2010 network adapter losing connectivity after application of MS updates for October 2013

Shortly after we applied the Microsoft October 2013 updates to our TMG 2010 SP2 server we started experiencing loss of connectivity on our Internet facing adapter (could no longer ping the gateway etc).  A reboot would resolve the issue.  The problem kept recurring so we removed a couple of the networking related updates for October (http://support.microsoft.com/kb/2888049) and (http://support.microsoft.com/kb/2882822) as a test.  After these were removed the problem stopped.

We inadvertently reapplied these two updates during the November 2013 update cycle and the problem happened again. We removed the updates and everything is back to normal.

Just wondering if anyone else has applied these two updates to their TMG 2010 SP2 server and experienced any unusual issues?

Thanks

iPhones stop authenticating with TLS 1.1/1.2 enabled

We have a publishing rule on our TMGs for managing mobile devices. We have a mixture of iPhones and Android phones that are connecting to Airwatch.

We recently enabled TLS 1.1 and 1.2 on our TMG servers. After we enabled these new protocols, all of our iPhones could no longer connect to our Airwatch server. Our Android phones continued working. 

After some troubleshooting through the TMG, we see that with TLS 1.1/1.2 enabled, the iPhones no longer authenticate. The 'client username' shows anonymous. When we disable TLS 1.1/1.2, it authenticates with its AD credentials.

I have pasted the log entry showing an iPhone that could not connect. I sanitized the IPs, TMG name and rule name.

Has anyone else seen anything similar?

Our TMGs are 2010, Service Pack 2 Rollup 3.

The OS is Win2008 R2, SP1 Datacenter.

Client Agent,Authenticated Client,Service,Referring Server,Destination Host Name,Transport,HTTP Method,Filter Information,MIME Type,Object Source,Cache Information,Error Information,Source Port,Session Type,Bidirectional,Network Interface,Raw IP Header,Raw Payload,Processing Time,Bytes Sent,Bytes Received,Original Client IP,GMT Log Time,Authentication Server,UAG Array Id,UAG Version,UAG Module Id,UAG Id,UAG Severity,UAG Type,UAG Event Name,UAG Session Id,UAG Trunk Name,UAG Service Name,UAG Error Code,Internal Service Info Log Field,Client Application SHA1 Hash,Client Application Trust State,Client Application Internal Name,Client Application Product Name,Client Application Product Version,Client Application File Version,Client Application Original File Name,Client FQDN,URL Categorization Reason,Forefront TMG Client Version,URL Destination Host Name,Log Time,Client IP,Destination IP,Destination Port,Protocol,Action,Overridden Rule,Server Name,NIS Scan Result,NIS Signature,NIS Application Protocol,Rule,Result Code,HTTP Status Code,Client Username,Source Network,Destination Network,URL,URL Category,Log Record Type,Malware Inspection Action,Malware Inspection Result,Threat Name,Threat Level,Content Delivery Method,Malware Inspection Duration (msec),NAT Address,Client Application Path
Apple-iPhone6C1/1201.405,Yes,Reverse Proxy,,,TCP,POST,Req ID: 0c7096ea ,,,0x0,0x203,23391,Web Proxy,,-,-,-,0,0,375,-,10/15/2014 19:27,,,0,,0,,,,,,,0,0,-,,-,-,-,-,-,-,,-,,10/15/2014 15:27,11.22.33.44,55.66.77.88,443,,Failed Connection Attempt,,TMG-server1,Inspected,,,RuleforAirwatch,,0x80090326 ,anonymous,,,,-,Web Proxy Filter,,,,,,0,-,-
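
The following is an added example, not part of the original post: a small triage script for a TMG web proxy log export like the one above. It decodes hex error values into HRESULT facility and code. In the posted row the hex value falls under the HTTP Status Code column while Result Code is empty, so both columns are checked. The column subset and the second row are constructed for illustration.

```python
import csv
import io

# Constructed sample: a subset of the export's columns. Row 1 reuses values from
# the sanitized row in the post; row 2 is a made-up successful request.
SAMPLE = (
    "Log Time,Client IP,Destination Port,Action,Server Name,Rule,"
    "Result Code,HTTP Status Code,Client Username\n"
    "10/15/2014 15:27,11.22.33.44,443,Failed Connection Attempt,TMG-server1,"
    "RuleforAirwatch,,0x80090326 ,anonymous\n"
    "10/15/2014 15:28,11.22.33.45,443,Allowed Connection,TMG-server1,"
    "RuleforAirwatch,,200,EXAMPLE\\user1\n"
)

# HRESULT facility numbers from winerror.h (only the ones relevant here).
FACILITIES = {4: "ITF", 7: "WIN32", 9: "SSPI", 11: "CERT"}

# Names for specific values: SEC_E_ILLEGAL_MESSAGE is the winerror.h name;
# FWX_E_ABORTIVE_SHUTDOWN is the name given in another post on this page.
KNOWN = {
    0x80090326: "SEC_E_ILLEGAL_MESSAGE",
    0x80074E21: "FWX_E_ABORTIVE_SHUTDOWN",
}


def decode_hresult(text):
    """Split a hex HRESULT string into its parts; return None if it is not one."""
    text = (text or "").strip()  # the export pads some values with a space
    if not text.lower().startswith("0x"):
        return None  # plain HTTP status such as "200"
    try:
        value = int(text, 16)
    except ValueError:
        return None  # malformed, e.g. embedded spaces
    if value > 0xFFFFFFFF:
        return None
    facility = (value >> 16) & 0x7FF  # bits 16-26
    return {
        "value": value,
        "failure": bool(value >> 31),  # severity bit
        "facility": facility,
        "facility_name": FACILITIES.get(facility, "unknown"),
        "code": value & 0xFFFF,  # low 16 bits
        "name": KNOWN.get(value),
    }


def triage(csv_text):
    """Return one finding per log row that carries a failing HRESULT."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        decoded = None
        for column in ("Result Code", "HTTP Status Code"):
            decoded = decode_hresult(row.get(column))
            if decoded:
                break
        if decoded is None or not decoded["failure"]:
            continue
        findings.append({
            "time": row["Log Time"],
            "client_ip": row["Client IP"],
            "rule": row["Rule"],
            "action": row["Action"],
            "username": row["Client Username"],
            "hresult": decoded,
            # Facility 9 means the error came from an SSPI security package,
            # the layer Schannel (TLS) reports through.
            "security_package_error": decoded["facility"] == 9,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        h = f["hresult"]
        print(f["time"], f["client_ip"], f["rule"], f["username"],
              hex(h["value"]), h["facility_name"], h["name"])
```

Grouping the findings by client IP and facility shows whether failures on a rule cluster in the security-package layer for one device family.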



TMG 3rd Party Reporting

Hey guys,

I was wondering if anybody knows of a free 3rd party reporting program that can take in TMG logs and do advanced reporting on them as well as alerts / automated import of logs and reporting (e.g. using scheduled tasks). I know Web Spy is a good one, but that's not free. Perhaps this is too good to be true, but I just thought I'd ask.

Thanks

Two or more published Servers with a Different Schedule

Hello.-

We need to publish an internal server which demands access on two different schedules. These schedules are applied according to where the server is accessed FROM. The issue here is that when the publishing rules are applied the following alert is reported:

"The server publishing rule NAME, which maps x.x.x.x:TCP to
y.y.y.y for the protocol PROTOCOL Server, was unable to bind a socket for
the server. The server publishing rule cannot be applied.
The failure is due
to error: You were not connected because a duplicate name exists on the network.
If joining a domain, go to System in Control Panel to change the computer name
and try again. If joining a workgroup, choose another workgroup name"

A workaround to this is to change the published socket by adding an IP to the EXTERNAL network or listening on a different port in the publishing rule; however, we would like to know if there is a better way to define distinct publishing rules which apply on different schedules for the same protocol.

Thanks in advance.
