Channel: Forefront TMG and ISA Server forum

Newly added network adapters not showing up when creating new network


Hello,

I have two TMG servers running in a load balanced array. They each have an internal and external interface and everything is working as intended. I would like to create a new network with TMG for guest wireless so that the traffic will be segmented from the rest of the internal network. I've added a third network adapter to each server. The problem is, when I try to create the network in TMG, it does not discover the newly added adapters. I can see them just fine on the server individually. Can someone point me in the right direction?



HELLO

Hello everyone, how are you all?

Resolve the issue


I have a problem with my client's Outlook account: after installation of TMG Server and Active Directory on the Windows 2008 R2 operating system I am unable to send and receive mail, although all other functions are working properly. I am attaching my Outlook settings and the rules of the TMG server; please go through them and resolve my issue. I would be very grateful.

I will just tell you my settings:

OUTLOOK 2007 SETTINGS

email id: jawad@pharmafive.com.pk

type: imap

outgoing and incoming: mail.pharmafive.com.pk (Now here I want to confirm whether I should just configure the TMG server IP address or my mail.pharmafive.com.pk)

In More Settings, for the outgoing server, "Log on using" is checked and I have entered my username and password.

But after clicking on the account check, the testing result is:

(1) Log onto incoming mail server (IMAP): The host 'mail.pharmafive.com.pk' cannot be found. Verify that the server name is typed correctly.

(2) Send test e-mail message: Cannot find the e-mail server. Verify the server information in your account properties.

TMG Server Setting

TMG Server ip add: 10.10.10.3

I have configured an edge firewall.

I have created a rule in the firewall policy that all outbound traffic is allowed from internal to external for all users.

Allow all mail server protocols such as SMTP, IMAP and POP3 from internal to external.

Result: no connectivity for receiving and sending mail, while the other services are working quite smoothly.

Please tell me the solution.

How to filter isc.org ANY attacks (DNS Amplification Attack)


Hi,

I'm receiving on average about 600 DNS requests per minute, all with the same (forged) source address and content (isc.org ANY).

How can I configure TMG to block this traffic? I would like to create rules that would look something like this:

"Filter dns where query contains isc.org" or "limit udp traffic for port 53 to 100 packets / minute / ip"

Thanks
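The two rules the post wishes for (match ANY queries for isc.org; cap UDP/53 packets per source per minute) are straightforward to express in code even where the TMG rule editor cannot. The following is an added example, not code from the post or from TMG: it parses the question section of a DNS message, matches the reflected-probe pattern, and applies a sliding-window per-source limiter; the sample packets and the SourceRateLimiter class are constructed for illustration.

```python
import struct
from collections import defaultdict, deque
# Added example, not from the post: the sample packets below are constructed.
QTYPE_ANY = 255

def parse_question(packet: bytes):
    """Return (qname, qtype) of the first question in a DNS message (RFC 1035).
    Raises ValueError on anything malformed so callers can drop the packet."""
    if len(packet) < 12:
        raise ValueError("short header")
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a question
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    return ".".join(labels).lower(), struct.unpack("!H", packet[pos:pos + 2])[0]

def is_amplification_probe(packet: bytes, zone: str = "isc.org") -> bool:
    """First wished-for rule: an ANY query for the zone (or a name under it)."""
    try:
        qname, qtype = parse_question(packet)
    except ValueError:
        return False
    return qtype == QTYPE_ANY and (qname == zone or qname.endswith("." + zone))

class SourceRateLimiter:
    """Second wished-for rule: at most `limit` packets per `window` seconds
    per source IP, using a sliding window of timestamps (hypothetical class)."""
    def __init__(self, limit: int = 100, window: float = 60.0):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)
    def allow(self, src_ip: str, now: float) -> bool:
        stamps = self.seen[src_ip]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.limit:
            return False
        stamps.append(now)
        return True

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal standard query; used only to construct the samples."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

SAMPLE_ANY_ISC = build_query("isc.org", QTYPE_ANY)      # the reflected probe
SAMPLE_A_EXAMPLE = build_query("www.example.com", 1)   # an ordinary A query
```

Because the source address in such floods is forged, the per-source limit protects the victim behind that address rather than identifying the real sender; dropping the matching queries is the useful part.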


Forefront TMG and Windows 2008 SQl mirror - Does TMG recognise a failover?


Hi all

I am configuring Remote logging to SQL 2008 or 2012 for my TMG array, and I wanted to use SQL mirroring so that I could avoid using my SAN shared storage as needed for SQL Clustering.

However, the TMG firewall logging configuration appears very basic: it requests a server and a database. This implies that in the event that the TMG database host server changes, the TMG application would not recognise this and I would need to manually change the remote logging server and database name on TMG...

Is that correct or is TMG smart enough to recognise the change (I cannot see how it could based on the Configuraton options available)?

If so, I will have to go down the SQL Clustering route.



Tom

java 7 changes in connection handling?


Hi

After upgrading a client pc from java 6.26 to java 7 I am seeing some strange behaviour.

Before allowing Java to run, a TMG login screen appears. I can enter credentials and the Java applet will load.

If I hit cancel, the Java applet will run anyway.

 

The screen is a Java popup and text reads:

 

Enter login details to access <default> on tmg1.site.com:

At the bottom it reads:

authentication scheme unknown.

 

I've never seen this behaviour before, and if I remove Java 7 and reinstall 6.26 then all goes back to normal.

Can this be a TMG related change that needs to be made, or something in Java?


Kindest regards, Martin

TMG2010 seems to block random internal IP addresses. A tracert solves this.


All,

We have a very strange issue here. Our environment: we use TMG 2010 (latest SP and update rollups) on Server 2008 R2 (non-domain joined) as a simple firewall without any web proxy settings to protect our internal network against a datacenter network which hosts our SAP server. I disabled all flood mitigation settings and NIS. The network relationship is Route. Sporadically, single IP addresses suddenly stop connecting to the SAP hosts. You cannot ping any of the hosts in the datacenter from this single IP address. Doing a tracert to one of the SAP hosts seems to release a kind of blocking state for this single IP address, and after that everything works fine. We cannot reproduce this behaviour. The described blocking state doesn't get released by itself, even after days.

I also configured the registry parameter as shown in http://support.microsoft.com/kb/2596065, with no success. You cannot see any denied access entries in the logging.

Any kind of input is greatly appreciated.

Thanks

Volker


Open ports on TMG NIC


Can someone explain to me why my TMG server would have all these open ports? Our security person was using NMAP to test this and found that these ports are open, many of them. Since TMG has its own firewall, why wouldn't these be closed?

This is only a partial list, there are many more:

Starting Nmap 5.51 (http://nmap.org ) at 2012-11-06 13:57 Eastern Standard Time
Nmap scan report for 10.250.20.177
Host is up (0.00011s latency).



Dream On Alice, This Ain't Wonderland
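Before treating a result like the one above as real exposure, it is worth checking whether the host reports an implausible share of its ports as open, which is the signature of an inline device answering every SYN rather than of hundreds of real listeners. The following added example (not from the post, and with a constructed scan rather than the poster's) parses nmap's default text output, including the "Not shown: N closed ports" summary line, and flags such hosts.

```python
import re
# Added example, not from the post. The sample scan text below is constructed.
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (?:closed|filtered)")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap(text: str) -> dict:
    """Map host -> {"ports": {"22/tcp": "open", ...}, "not_shown": N}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"ports": {}, "not_shown": 0}
            continue
        if current is None:
            continue
        m = NOT_SHOWN.match(line)
        if m:  # ports nmap summarised instead of listing one per line
            hosts[current]["not_shown"] += int(m.group(1))
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, _service = m.groups()
            hosts[current]["ports"][f"{port}/{proto}"] = state
    return hosts

def open_ratio(entry: dict) -> float:
    """Fraction of all scanned ports (listed plus 'Not shown') reported open."""
    total = len(entry["ports"]) + entry["not_shown"]
    if total == 0:
        return 0.0
    return sum(s == "open" for s in entry["ports"].values()) / total

def suspicious_hosts(hosts: dict, threshold: float = 0.9, min_ports: int = 20) -> dict:
    """Hosts where at least `threshold` of >= `min_ports` scanned ports are open.
    Heuristic only: a device answering every SYN looks like this, so verify a
    few ports by hand before reporting them as real listeners."""
    return {
        host: round(open_ratio(entry), 3)
        for host, entry in hosts.items()
        if len(entry["ports"]) + entry["not_shown"] >= min_ports
        and open_ratio(entry) >= threshold
    }

# Constructed sample: one host answering every probed port, one normal host.
SAMPLE_SCAN = (
    "Nmap scan report for 192.0.2.10\n"
    "Host is up (0.00011s latency).\n"
    "PORT      STATE SERVICE\n"
    + "".join(f"{p}/tcp     open  unknown\n" for p in range(1, 31))
    + "Nmap scan report for 192.0.2.20\n"
    "Host is up (0.00020s latency).\n"
    "Not shown: 998 closed ports\n"
    "PORT      STATE SERVICE\n"
    "22/tcp    open  ssh\n"
    "443/tcp   open  https\n"
)
```

Scanning the same interface from the far side of the firewall, or checking whether a connection to one of the "open" ports ever returns any service data, separates a real listener from a SYN/ACK produced by the firewall itself.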


ISA 2006 Traffic only flowing in one direction


Hi Guys

Here is a quick layout.

FTP server <=> ISA2006 <=> FTP Gateway server

FTP server Windows 2008 SP2

ISA Server Windows 2003 SP2

FTP Gateway Server Windows 2008 SP2

Traffic flows from FTP through ISA to FTP gateway.

Traffic allowed Ping and port 1180.

I can ping the FTP gateway from the FTP server and vice versa.

The problem is that when I telnet to port 1180 from the FTP server to the gateway server I get a blank box and any key press disconnects the session. I believe this indicates traffic flowing in one direction only.

Rule is

Allow – Ping, TCP 1180 – DMZ02, FTP Server – All users.

There is a route on the FTP Gateway server redirecting all traffic to the LAN through the ISA DMZ02 LAN IP, and a rule for all DMZ02 traffic from the FTP server to the ISA LAN IP address.

ISA 2006 has the following interfaces:

LAN

DMZWL (Wireless Modem access to internet only.)

DMZ02 Zone

Internet

Monitor shows connection is made.

Action – Initiated Connection

Action – Closed Connection

Source Zone internal

Destination Zone External.

Does anyone know why this traffic would not be flowing in both directions?

Thanks in Advance.


Craig

can't use Cisco vpn client to connect through TMG 2010


Hello

We've encountered a problem with TMG where we can no longer connect to a client of ours using a Cisco VPN client through the new TMG. The connection errors out with a reason 412: the remote peer is no longer responding.

Strangely enough, when trying to establish this connection I don't see any traffic going through the TMG server. I've set access rules to allow all traffic from this computer to the outside world and still no luck... I am wondering if this is a known issue with IPsec tunnels?

Thanks

Bryan

The certificate chain was issued by an authority that is not trusted.


I was trying to publish OWA 2010 through ISA 2006. But when I click "Test Rule", an error is shown:

"The certificate chain was issued by an authority that is not trusted"

Please give me a solution to publish OWA properly.






Prompt on password due to expire on TMG login form with RADIUS challenge


Hi, we have TMG 2010 SP1 and have a login form with three fields: one for the AD username, one for the AD password, and the "collect additional delegation credentials" field is the RADIUS response for a one-time token.

When the listener is configured to "Collect additional delegation credentials in the form" the capability to allow users to change their passwords, and the ability to remind users that their password will expire both become greyed out and unavailable.

I have managed to create a second listener, just for these external-only users to change their passwords, but:

When users' passwords have expired and they need to change them at next logon, accessing the main logon form listener, they authenticate with all three credentials, and instead of a TMG error screen/message that their password has expired, they get a white screen error of "500 Internal server error. Logon Failure: unknown user name or bad password. (1326)".

How can I redirect users with expired passwords from this page to the other listener so they can change their passwords?

Or, is there an alternative solution which will allow the TMG login process to complete without this ugly error?

Thanks for any useful help.

 


OUTLOOK DOESN'T WORK AFTER DEPLOYING TMG

I deployed a TMG server and created a rule which allows the SMTP and POP protocols, but Outlook is still not working. I don't have an Exchange server and use a hosted mail server. Please, anybody help me.
ilqar

Windows 8 Modern UI apps behind TMG web proxy with authentication


Morning all,

I am in the process of setting up a new Forefront TMG server to act as a web proxy with NTLM authentication required. We are a small secondary college and need to restrict the content that students can access on the internet. I'm setting up vanilla Forefront TMG 2010 on Server 2008 R2. 

At the same time I'm testing out Windows 8 with an aim to deploying it at the end of 2013. I've noticed that very few Modern UI apps work when the "Require all users to authenticate" checkbox is checked in TMG's Web Access Policy. Further investigation reveals that Modern UI apps are all attempting to anonymously authenticate against TMG, which results in TMG denying their internet requests. 

I'm not a TMG expert, but I can fumble my way around it. Could anyone assist me in correctly setting up some rules to work around the limitations of Modern UI apps, while still retaining the ability to restrict the content that students can access?

Cheers
Michael.

Old Proxy Settings Keeps Coming Back


Guys,

Please, your input would be very much appreciated. I have a workstation in a workgroup, with a user account for a user in AD, that's connecting to a TMG proxy in Active Directory. All was working fine until one day the system started acting up and using an old proxy setting. In IE options, it keeps filling in the old proxy settings. If you manually change to the correct proxy, it works for a few hours and then plugs the old proxy settings back in. Editing the registry with the new settings then works for a few hours, then the same problem. Auto config is not selected in IE options. Other users with workstations in the workgroup are not having this issue, just this one. Please assist.

D


Allow Teamviewer through TMG 2010 Server


Good day,

I want to allow TeamViewer through the TMG 2010 server, but I don't want to allow ALL HTTP/HTTPS requests to the External network. Is it possible?

Regards

Elias Dayeh

Migrating Domains and Exchange 2003 to Exchange 2010


Hi Guys,

I have a client that has a domain name with an underscore in its name, Name_Dom.

This stops us from installing Exchange 2007 - 2010. I reviewed the option to rename the domain but believe there was too much potential risk with this solution.

So what I would like to do is a staged migration to a new domain. Maybe a 4-step process.

1) Setup new trusted domain

2) Setup Exchange 2010 in new domain with client access from old domain

3) Migrate servers one at a time to new domain client access from old domain

4) Move clients to new domain.

What I am trying to find is documentation on how to do a multiple-stage migration to lower the risk of outage and downtime. I am quite happy to have this migration take a few months to complete if it reduces risk and downtime, giving us roll-back options.

This site has one forest with one domain in two locations: Sydney and Melbourne.

4 DC (2 sydney 2 Melbourne)

2 Exchange server (1 sydney 1 melbourne)

2 File server (1 sydney 1 melbourne)

Terminal server

SQL servers

About 200 workstations (150 Sydney, 50 Melbourne).

Thanks for the information in advance.

Craig Garland



OUTLOOK 2007 won't connect, what rule shall I create on TMG to allow Outlook email?


Hello,

I've installed Outlook on our domain PCs, which go through TMG, but I haven't created any rule for Outlook.
What rule shall I create? Can anyone explain to me how the rule should be?


MR

Installing Service Pack 3 for Exchange 2007, with ISA (2006) publishing of Exchange


We're upgrading an Exchange Environment from Exchange 2007 Service Pack 1 to Service Pack 3.

We have an ISA 2006 server in the environment. The ISA server is publishing Exchange 2007 to the internet.

I have familiarised myself with upgrading Exchange itself, but need to know beforehand if I need to run the patch, or any special hotfixes, on the ISA box.

I'm new to publishing Exchange behind ISA, and have inherited the system. I was looking at Outlook Web Access, which shows the following at the bottom of the login screen:

Connected to Microsoft Exchange
Secured by Microsoft Internet Security and Acceleration Server

© 2006 Microsoft Corporation. All rights reserved.

Any and all help greatly appreciated, so I can plan for a smooth upgrade :)



Ian


FTMG FTPS Publishing

Hi all,

We have an IIS 7.5 FTPS server installed that works well so far, which we wanted to publish externally through a FTMG 2010 running on a W2K8R2. We have defined a port range on the FTP and on the FTMG, but there is no reliable connection. There are no blocked ports; further, we noticed with FileZilla that an FTP connection, but no FTPS connection, can be established, and that the FTPS connection can be established via a VPN. Consequently, we assume that the FTMG is causing the problem; maybe you have another idea where it could be hanging.

Sincerely yours

i.A.YoWoo
