Accessing RDS virtual desktop pool
TMG2010 - Exchange 2010, Publishing.
Hey Guys,
I have a pretty noob question for you and am almost embarrassed to ask. I am trying to clear up a confusion that I may have. It has to do with TMG2010 and the SSL Bridging tab.
This particular TMG server is used for publishing Exchange 2010, OWA, ActiveSync, Outlook Anywhere etc. The client does not have IIS on the Exchange servers set to "Require SSL", which is a bad idea.
Here is my question:
If, on the bridging tab, "Web Server" is selected as the type and "Redirect requests to SSL port: 443" is selected, does that mean that all traffic that hits TMG will be "redirected to port 443" for any request that comes from the internet to this TMG server?
Also, on the listener itself it is set to "Enable SSL"; however, the listener is not set to "Redirect traffic from HTTP to HTTPS". That's what's confusing me.
In short, I want to be sure that TMG is "Forcing" encryption, or denying the connection.
Thanks,
Robert
Block Https://youtube.com
Hi Team,
I want to block YouTube in my environment irrespective of the protocol it uses. I created an Access rule to block a few websites; details are provided below:
Action: Deny, redirect to another site
Protocols: HTTP, HTTPS, HTTPS Server, HTTP Proxy and all streaming media protocols
From: Internal
To : Blocked Websites (Domain name set)
Rule applies to: All users
YouTube gets blocked when accessed through the HTTP protocol; whenever it's accessed using the HTTPS protocol it just connects. After a few days of research I found that the issue is only with Google Chrome. Whenever I access HTTPS://youtube.com in Internet Explorer the page is not displayed, but somehow Google Chrome overrides my proxy settings for this site alone.
Note: This same rule works fine for other secured websites, i.e. I am able to block HTTPS://Facebook.com using this same rule.
Workaround:
I have also found a workaround to make this work. Go to Internet Explorer, Proxy server settings page, and uncheck 'Automatically detect settings'. Now HTTPS://youtube will be blocked in all the browsers, including Chrome if it's importing proxy settings from Internet Explorer.
Question:
- When I select the 'Automatically detect settings' option in the local proxy settings, why is TMG not able to block HTTPS://youtube.com when used in Chrome?
- Whenever an HTTPS site is blocked, redirection doesn't work. As per the rule that I have set, whenever a site is blocked the page should be redirected to another web page. This works absolutely fine when a site using the HTTP protocol is blocked. Whenever an HTTPS site is blocked it just says 'Cannot display the webpage'.
Thanks in advance.
How to make Forefront TMG build VPN site-to-site tunnel with reduced subnet
I am trying to implement a site-to-site VPN tunnel with a supplier. We are using Forefront TMG 2010 SP2 (Site A) and they are using Cisco ASA (Site B).
I have complete access to Site A, but no access to Site B (the supplier's end).
We have set up the VPN tunnel, but it will only come up if it is initiated from the Site B end. We know this is because there is a mismatch in the expected network size. Site B fits within Site A, but not the other way round.
The tunnel is set up at Site A with an allowed route of 10.0.2.60/30 and matched with a configuration at the other end. This is the configuration shown if I look at the "Site-to-site" summary on TMG.
However, my counterpart at Site B tells me that when the TMG actually tries to build the tunnel, it is not specifying 10.0.2.60/30 but 10.0.2.0/24.
I should also mention that the TMG internal IP is 10.0.2.6, that only 10.0.2.61 and 10.0.2.62 should be allowed through the tunnel, and that due to existing VPNs on the supplier site, they cannot increase the size of the network on their side to match the 10.0.2.0/24 range.
I am at a bit of a loss why this is happening. Does anyone have any guidance? I don't really even know what terminology to use to effectively search for an answer.
ISA2006 - How to allow anonymous access for only specific URLs
http://helpx.adobe.com/creative-cloud/kb/proxy-authentication-support-creative-cloud.html
What I'd like to do is allow anonymous authentication from this application so long as the destination is in the list of protocols/domains provided by Adobe. I've tried to create an access rule both using a URL set and a domain name set, but it keeps passing over the rule and being blocked by our general purpose access rule.
This is what was provided by Adobe support:
Himanshu: Ok. For that I will provide you a few URLs and port numbers. Please get those whitelisted on your network with the help of your IT team.
Himanshu: ccmdl.adobe.com:80
Himanshu: swupmf.adobe.com:80
Himanshu: swupdl.adobe.com:80
Himanshu: https://na1mbls.licenses.adobe.com
Himanshu: https://ims-na1.adobelogin.com
Himanshu: https://adobeid-na1.services.adobe.com
Himanshu: https://na1r.services.adobe.com
Himanshu: http://activate.adobe.com
Himanshu: https://activate.adobe.com
Himanshu: http://adobe.activate.com
Himanshu: https://adobe.activate.com
Himanshu: ccmdls.adobe.com:443
Himanshu: ims-na1.adobelogin.com:443
Himanshu: na1r.services.adobe.com:443
Himanshu: prod-rel-ffc-ccm.oobesaas.adobe.com:443
Himanshu: lm.licenses.adobe.com:443
Himanshu: www-du1.adobe.com
Himanshu:
Himanshu: These are the links.
If someone could tell me which process would work best that would be appreciated. Thank you.
client ip ends with 255 inaccessible
Good day all,
I have several TMGs and ISAs installed with the ordinary config: 1 ext, 1 int.
All TMGs have externally published web and other resources, which work well.
Here is a problem I met:
We have one external client who is unable to get any TMG published resources; this client has an external IP like x.x.193.255.
When the client is trying to get TMG resources, the log shows:
Denied Connection Log type: Firewall service Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed. Rule: None - see Result Code Source: External (x.x.193.255:50567) Destination: Local Host (x.x.100.202:443
When I'm trying to tracert this client IP on TMG or from behind it, I see that all hops fail and the log says:
Denied Connection Log type: Firewall service Status: A broadcast packet was dropped by the Forefront TMG policy. Rule: None - see Result Code Source: Internal (192.168.27.18:2048) Destination: External (x.x.193.255)
If I try to tracert this IP from another source without TMG, tracert goes well.
So I have tried other IPs which end with .255 but are real (not broadcast) and they are not working.
Is it a bug? How can I fix it?
DHCP Relay through another firewall
Hello,
I have set up two ISA Servers in my lab (learning environment).
One faces the internet, the other one is in between the LAN and the perimeter network.
Sort of:
LAN <--- ISA2---> DMZ <---ISA1---> INTERNET.
The thing is that the other office connects to ISA1 through a site-to-site VPN, and it all goes fine except that ISA1 cannot take any IP from the DHCP server standing on the LAN.
I have read this: http://technet.microsoft.com/en-us/library/cc302680.aspx
But in my lab there are two ISA servers, so I don't know how to send DHCP requests from ISA1 to ISA2 except for the broadcast 255.255.255.255, but ISA1 does not know how to forward that to the DHCP server in the LAN.
I am mixed up because I am not an expert and am only now learning about this DHCP relay thing.
Thanks in advance!!
Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)
TMG synchronization time issue with EMS
For one of our customers, we have a TMG (7.0.9193.575) array with about 200 web publishing rules and a couple of server publishing rules. The TMGs and EMS are running on different virtual machines.
The problem is, if I apply a change it takes a very long time until one of the TMGs is in sync with the EMS. Sometimes it will take 3 hours (during working hours). The other TMG is synced within 15 min. In front of the TMGs there are hardware load balancers and the load is equal.
The EMS is also used for other TMG arrays, without any problems.
I tried to copy a large file from EMS to both TMGs; the result was no problem, so in my opinion there is no network problem.
To pinpoint it, I created some connection verifiers to some web publishing sites. In the alerts, I see a lot of errors and warnings about the connection verifiers, mostly from the TMG with the slow sync. So, somehow there must be some relation. Also the connection verifiers for the web farms show slow connections from the TMG with sync problems.
To simplify the web farm connection verifiers, I changed them from TCP check to ping.
To lower the CPU load (between 15-30% during working hours), we changed the logging from SQL to text. No result.
We have a lot of TMG arrays, some with an even larger rulebase, however this one has the most web publishing rules. So there must be a relation between the syncing time and the number of web publishing rules.
Can someone give me a hint to resolve this problem?
TMG 2010 SP2 Service Crash
Hello.
We have a TMG 2010 whose main service crashes randomly. This is SP2 Rollup 4 on Windows 2008 R2, fully patched. The error reported is:
"The Firewall service stopped because an application filter module C:\Program Files\Microsoft Forefront Threat Management Gateway\GwpaFltr.dllgenerated an exception code C0000005 in address 000007FEF40422B4 when function CompleteAsyncIO was called. To resolve this error, remove recently installed application filters and restart the service"
SU 1 for Service Pack 2 was applied and the following rollups up to number 4. Rollup 5 points out an issue related to the DiffServ filter, but in our case this filter is not enabled.
There is no specific condition when the service fails; this happens after some time (even weeks) running without problem, even with less load than usual.
Thanks in advance.
POP3 and SMTP Only
Dear Sir,
Hope you are well.
I just want to allow only the POP3 and SMTP services for Outlook via TMG. Please help me.
I allowed all mail protocols but am unable to send or receive email.
Also, the TMG client is installed on the client PC.
(0x8004102A) outlook connector via forefront
I have a TMG server and I cannot receive email via the Outlook Connector in Outlook 2010. Please help me.
Best regards
Sameer Ahmed
HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
17:06:13 Synchronizing Mailbox 'sameer.ahmad@live.com'
17:06:13 Synchronizing Hierarchy
17:06:13 4 folder(s) added to online store
17:06:13 1 folder(s) updated in online store
17:06:13 Synchronizing local changes in folder 'Inbox'
17:06:13 Error synchronizing folder
17:06:13 [80041004-0-0-430]
17:06:13 Error with Send/Receive.
17:06:13 There was an error synchronizing your folder hierarchy. Error : 80041004.
17:06:13 Synchronizing server changes in folder 'Calendar'
17:06:13 Synchronizing server changes in folder 'Contacts'
17:06:13
*******************
17:06:13
*Request*
17:06:13 17:06:13:0590
17:06:13 POST
17:06:13 http://
17:06:13 contacts.msn.com
17:06:13 /ABService/ABService.asmx
17:06:13
17:06:13 <ABFindAll xmlns="http://www.msn.com/webservices/AddressBook"> <abId>00000000-0000-0000-0000-000000000000</abId><abView>Full</abView><deltasOnly>false</deltasOnly></ABFindAll>
17:06:13
*Response*
17:06:13 17:06:13:0870
17:06:13 HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
Via: 1.1 TMG
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Connection: close
Proxy-Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 707
17:06:13
17:06:13
17:06:13
*******************
17:06:13 Error with Send/Receive.
17:06:13 There was an error synchronizing a contacts folder. Error : 80004005.
17:06:13 Synchronizing server changes in folder 'Drafts'
17:06:13 Synchronizing local changes in folder 'Inbox'
17:06:13 Error synchronizing folder
17:06:13 [80041004-0-0-430]
17:06:13 Synchronizing server changes in folder 'Sent Items'
17:06:13 Synchronizing server changes in folder 'Deleted Items'
17:06:13 Synchronizing server changes in folder 'Junk E-mail'
17:06:13 Done
17:06:13
*******************
17:06:13
*Request*
17:06:13 17:06:13:0870
17:06:13 POST
17:06:13 http://
17:06:13 mail.services.live.com
17:06:13 /DeltaSync_v2.0.0/Settings.aspx
17:06:13
17:06:13 <?xml version="1.0" encoding="utf-8"?><Settings xmlns="HMSETTINGS:"><ServiceSettings><SafetySchemaVersion>1</SafetySchemaVersion><SafetyLevelRules><GetVersion/></SafetyLevelRules><SafetyActions><GetVersion/></SafetyActions><Properties><Get/></Properties></ServiceSettings><AccountSettings><Get><Options/><Properties/></Get></AccountSettings></Settings>
17:06:13
*Response*
17:06:13 17:06:13:0870
17:06:13 HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
Via: 1.1 TMG
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Connection: close
Proxy-Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 707
17:06:13
17:06:13
*******************
Unable to access the Store with Forefront TMG Client webbrowser enabled - error 0x80072efd
Hi,
I have a problem when users are trying to access the Store when the option 'Enable Web Browser automatic configuration' is enabled on the Web Browser tab in Forefront TMG Client version 7 on Windows 8.1 x64.
If this option is un-ticked and the proxy details are set in IE, users can access the Store OK.
The error message users receive is:
We weren't able to connect to the Store. This might have happened because of a server problem or the network connection timed out. Please wait a few minutes and try again.
0x80072efd
When the option is selected in Forefront TMG everything else works OK; the user can access the internet etc. It's just the Store which doesn't work.
TMG work without adding proxy setting in web browser
TMG 2010 anonymous access
Hi all,
I upgraded from ISA Server 2006 to TMG 2010. On the ISA server we were using forward proxy for authenticated and non-authenticated users. But after I upgraded to TMG 2010, when non-authenticated users try to use the proxy, the proxy returns access denied... In the proxy the setting is "all users"... How do I set it for non-authenticated users?
Thanks
Falcon
Setup TMG 2010 on a remote domain member server
Hi,
So my question is this. Is it possible to set up TMG 2010 on a remote server machine that is a member of my domain?
Basically what I'm trying to do is set up a site-to-site VPN with one of our branch offices. Ideally I'd just configure the server at my office and bring it to the location, but given the distance involved that is not possible. So my plan was to have the tech at the remote site build out a Windows 2008 R2 server and configure the networking as necessary. At this point I can create a VPN connection from the remote machine to our TMG VPN server and then join this remote machine to the domain.
The problem is that if I then disconnect the remote machine from the VPN, I'm not able to configure TMG on the machine because the ADAM setup fails, because it can't connect to the domain.
Is there a process that I can follow to resolve this? Seems like I'm stuck in a catch-22.
Thanks in advance,
Nick
Testing an ISA Server Rule, the recursive query to other DNS Servers test fails
Hello,
I am trying to configure the following infrastructure with ISA Server 2006 and two W2003 servers (called "Server1" and "Server2"). "Server1" is a domain controller, and on "Server2" ISA Server is installed, which also has two Ethernet network cards attached, one called "Internal Ethernet Card" and the other one called "External Ethernet Card".
The infrastructure would be: "Internal Ethernet Card" ---- ISA Server ---- "External Ethernet Card" --- "Router" ---- "Internet"
"Internal Ethernet Card" manages the internal packet traffic of the infrastructure; the network segment it belongs to is isolated from what we could call the outbound traffic, which is linked to a router. "Internal Ethernet Card" is a virtual network.
The "Internal Ethernet Card" configuration is the following:
- IP address: 192.168.3.3
- Subnet Mask: 255.255.255.0
- DHCP Enabled: No
- DNS Server: 192.168.3.1 (Must point to the DC "Server1" which has the DNS Service installed)
- Default Gateway: None (because it doesn't point to the outside)
- Primary WINS Server: 192.168.3.1
The "External Ethernet Card" provides the outbound connection, and this card is connected to the physical router.
Its configuration is the following:
- IP address: 192.168.1.50
- Subnet Mask: 255.255.255.0
- DHCP Enabled: No
- Default Gateway: 192.168.1.1
- DNS Servers: 192.168.3.1 (Must point to the DC "Server1" which has the DNS Service installed)
After configuring the network cards, I create the following rule in the ISA Server to allow traffic towards the outside from the server and the clients which have joined the domain:
Action: Allow. Protocol: DNS. From:"Server2". To : External. Condition: All Users
After applying the changes to update the configuration, I go into the DNS Server on "Server1" and, in the "Monitoring" tab, I run a "recursive query to other DNS servers", but it fails. Only the "simple query against this DNS server" works.
I don't know why it fails, but I'm stuck on this issue, because in the "Server1" DNS Server, in the "domain forward IP address list", I have added two DNS addresses which work OK.
I would appreciate some help to solve this issue.
Thanks
Regards
sharepoint publishing rule
We use a SharePoint publishing rule with constrained delegation, a public SSL certificate and AAM in TMG 2010. Everything is working fine except that when we want to open a new document from a document library (Word .dotx), the system asks again for the password. Is this normal behaviour?
Unable to Import TMG rule
Hello,
I installed TMG 2010, created different rules and exported a backup. Then I installed TMG on another machine and tried to import the rules, and an error occurred: "your tmg version is not supported." and some other kind of error.
Can anyone help me out on how to overcome this problem?
electrifying