Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

TMG 2010 network adapter losing connectivity after application of MS updates for October 2013


Shortly after we applied the Microsoft October 2013 updates to our TMG 2010 SP2 server we started experiencing loss of connectivity on our Internet facing adapter (could no longer ping the gateway etc.). A reboot would resolve the issue. The problem kept recurring so we removed a couple of the networking related updates for October (http://support.microsoft.com/kb/2888049) and (http://support.microsoft.com/kb/2882822) as a test. After these were removed the problem stopped.

We inadvertently reapplied these two updates during the November 2013 update cycle and the problem happened again. We removed the updates and everything is back to normal.

Just wondering if anyone else has applied these two updates to their TMG 2010 SP2 server and experienced any unusual issues?

Thanks


ISA 2004


Hi,

I am using ISA 2004 as a firewall. I have blocked all traffic; only SMTP, POP and IMAP are allowed on some PCs.

Can anyone tell me how I can allow Security Essentials virus definition updates on the PCs using ISA 2004?

Because I have installed this antivirus on all the PCs and I want to update its virus definitions automatically using the internet.

Torrent Hang after update

Torrent hangs after update, please do something.

The hamachi program does not work with tmg

I have tmg 2010 and a device that connects to the internet through it, and this device has the log me in hamachi program.

But the program cannot connect to the internet because of the tmg, whereas the program works if the device is connected directly to the internet without the tmg.

So how can I run the program if the device connects to the internet through the tmg?

hamachi doesn't work with tmg

I have TMG 2010 and I have one PC with hamachi,

but hamachi doesn't work through TMG.

What can I do to solve this problem?

Clients can access blocked websites


Hello,

First I blocked websites like (facebook, youtube, 4shared) but I discovered that clients can access the websites normally.

The rule was:

block rule - From -> Internal, To -> URL category (online communities & P2P/File sharing), Users -> All Users

Then I added a custom URL set and added

www.facebook.com, www.youtube.com ...etc.

and it works, but then I discovered that users can still access the websites using https instead of http, even if I mention that in the custom URL.

The client types are SecureNAT & TMG Client.

Why is the block rule not working with the URL category? What can I do to block the website with its sub names?

Thanks

 

Cannot access via RDP and Ping TMG server remotely


Hello,

I have Windows Server 2008 R2. Forefront TMG is installed on it. I can do RDP within the internal network, but when I access the TMG server from outside systems I cannot access it. The TMG server has been assigned a static IP. I cannot even ping the IP of the server from outside; it gives request timed out. I have disabled the Windows firewall as well as the TMG firewall. I am still unable to ping the static IP assigned to the TMG server. I can browse the internet on my TMG server. I guess when the ping issue is resolved I would be able to access the system remotely. What else should I do? Thanks in advance.


my TMG server cannot connect with Outlook .

I have a TMG server connected with a proxy server. I have added the record for email and added the IP address for my mail server (outgoing, incoming). Now I can ping the mail server, but when I configure Outlook it still cannot connect to your server.

What should I do?


TMG Proxy abnormally blocked google Access

I am facing an unusual issue: the TMG proxy behaves abnormally (in random cases I find Google domains are not accessible for a certain random duration).

I am using TMG [TMG 2010 SP2 7.0.9193.601 up to Rollup 4] on Windows Server 2008 R2 Standard Edition.

Initially I had doubts about the DNS list under my Network Details; after chasing the ISP I made a parallel Linux Squid proxy [with exactly the same network configuration; note I am not talking about proxy rules].

Now whenever I find this issue, I switch the proxy in Internet Properties to this Squid proxy IP and I find it working.

Even after re-installing Windows and TMG [with all Rollups] I still face this issue.

Please help me with the proper troubleshooting steps I should follow to drill down into this issue.

Thanks in advance

SecureNAT Devices - Slow Internet speeds


SecureNAT devices are experiencing a very slow internet connection. Devices with the Firewall Client or via Web Proxy are OK.

We use SecureNAT on non-Windows devices, particularly mobile devices. The speed is usually tested on bandwidth monitoring websites and speeds fluctuate between 50% and 10% of the speed achieved using Web Proxy devices.

TMG is fully patched (7.0.9193.644) running on fully updated Windows Server 2008 R2.


Setup: 

Internal Network Card:
IP : X.X.X.X
Subnet: 255.255.248.0
Gateway: no gateway defined
Dns 1 (pointing to internal DNS server 1 )
Dns 2 (pointing to internal DNS server 2 )

External Network Card 1:
IP : X.X.X.X
Subnet: 255.255.255.248
Gateway: X.X.X.X
Dns 1: no DNS defined
Dns 2: no DNS defined

External Network Card 2:
IP : X.X.X.X
Subnet: 255.255.255.248
Gateway: X.X.X.X
Dns 1: no DNS defined
Dns 2: no DNS defined

Binding Order

Internal
External 1
External 2

ISP Redundancy: Load Balancing

We were able to replicate this same problem on a bare TMG configuration with just 2 Network cards (internal and external) and 1 simple firewall rule.

Kind regards,
Evan

TMG 2010 SP2 Service Crash

Hello,

We have a TMG 2010 whose main service crashes randomly. This is SP2 Rollup 4 on Windows 2008 R2, fully patched. The error reported is:

"The Firewall service stopped because an application filter module C:\Program Files\Microsoft Forefront Threat Management Gateway\GwpaFltr.dll generated an exception code C0000005 in address 000007FEF40422B4 when function CompleteAsyncIO was called. To resolve this error, remove recently installed application filters and restart the service"

SU 1 for Service Pack 2 was applied, and the following Rollups up to number 4. Rollup 5 points to an issue related to the DiffServ filter, but in our case this filter is not enabled.

There is no specific condition when the service fails; this happens after some time (even weeks) running without problems, even with less load than usual.

Thanks in advance.


Forefront TMG 2010 Lockdown - No traffic from/to LAN or WAN

Another 'unique' issue with TMG. After a somewhat successful migration from ISA 2004 SP3, TMG seems to lock itself down without notice. I can replicate the issue if, from my client, I download any .torrent file. I'm not sure if it's P2P clients altogether, or just .torrent, but the server must then be rebooted to restore functionality. To ensure it wasn't something affected by the migration, I've gone through and created each rule on a clean 2008 R2 box with TMG 2010 SP1, Update 1 Rollup 3. On 3 separate occasions, I've noticed Event ID 15009 - SYN Attack on or around the time of the failure. How can I get TMG to stop locking itself down?
jev

Rule to Allow Traffic for non authenticated users/workgroup users

Hi All,

We have multiple rules allowing traffic for authenticated users to access the internet, and these authenticated users are our domain users.

Now we have some guest users whose machines are not on the domain and we need to provide them internet. I have a separate rule for them like:

Rule name : Allow computer

Protocol : HTTP, HTTPS

Action : Allow

From : IPs of guest machines (Computers)

To : Internal (it has one NIC)

Users : All Users

When a user opens their browser, each time a pop-up window asks for authentication, which is annoying for them.

Is there any way that it does not ask for authentication and allows internet in their browsers?

Please help

TMG 2010 publishing Exchange 2010 OWA cannot change password if user must change password at first logon is set

Hi,

I have an odd issue whereby if I set "user must change password" on an AD account, the end user cannot log on; they're simply taken back to the OWA login page as if their password is incorrect.

My setup is as follows:

Outer TMG - uses a listener for email.contoso.com and is configured for no authentication. This uses a publishing rule to publish the inner TMG server. This server is not a domain member.

Inner TMG - uses a listener for email.contoso.com and is configured for NTLM\Kerberos negotiation with forms authentication (Windows Active Directory). This server is a domain member and uses a publishing rule to publish the internal CAS. "Allow users to change password" is selected in the publishing rules.

Exchange 2010 SP1 - uses integrated Windows and basic authentication. Has the appropriate registry key configured to allow users to change their AD password on first logon.

I've registered an SPN for "http/email.contoso.com mailserver-dc1", all SSL certificates being used are valid, and my configuration used to allow users to log in and change their password with "user must change password on first login" set in AD.

If I launch a web browser on an internal server and point it to email.contoso.com I'm immediately presented with a generic Windows authentication request (similar to what's seen in ADFS) rather than the standard OWA page. No matter what I do, I cannot log in and change my password using the correct URL. However, if I point my browser at http://192.168.4.10/owa I'm prompted to log in and I can change my password using the same credentials.

The only recent changes made are:
- Disabling SSL 3.0 and enabling TLS (http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html)
- Replacing the TMG listener certificates so that they now use SHA2 rather than SHA2 (certificates are trusted on each TMG server)

Looking at the outer TMG and the DC logs I can see schannel errors which I believe are related to the problem. TMG monitoring also shows "Failed connection attempt: 1907 The user's password must be changed before logging on for the first time".

I've checked that my inner TMG and DC are using the same certificate for server authentication and gone through this guide: http://blogs.technet.com/b/keithab/archive/2012/02/29/setting-up-and-troubleshooting-ldaps-authentication-in-forefront-tmg-2010.aspx

If I try to use ldp.exe on the inner TMG, I get the error in the pic below.

Thanks


IT Support/Everything


Download Interrupted

Hello,

We are using TMG 2010 SP2 Update 5. We are using web chaining. Our upstream proxy server is Messagelabs. Since a few weeks we are having problems downloading large (>1GB) files. It all started when Messagelabs changed something. Since a few weeks / months they pre-download and scan the files. It seems that while Messagelabs is downloading the file there is a timeout. On the client we see the message "the download was interrupted".

I'm not sure how to fix this.

Any ideas?


SecureNat not working for HTTPS

I have created a SecureNAT rule for allowing some IP-based computers (like WORKGROUP and MOBILE USERS). Now the issue is that HTTP-based sites are working perfectly fine but HTTPS sites are not opening. I created the rule like this:

Rule name : Secure NAT

Protocol : All outbound traffic

Action : Allow

From : IPs of guest machines (Computers)

To : Internal (SINGLE NETWORK ADAPTER ON TMG SERVER)

Users : All Users

When I check the logging I found:

A connection was closed because no SYN/ACK reply was received from the server.

Any help please

Publishing rules

Hi,

We have an ISA 2006 server, which we use to publish internal websites.

Generally we publish with this method:

1. Create a listener IP with a DMZ subnet IP.

2. While creating the web publishing rule, add this listener IP address to the rule.

3. In AD, create a DNS host record mapping the local host name to the listener IP address.

But we have a little bit of confusion about this.

Which method is most preferable:

1. DNS host record of the host name to the listener IP, or

2. DNS host record of the host name to the local IP address?

Regards,

Velu M

TMG Internet Stop Working On Dual Gateway

I have availed of an MPLS Layer 3 VPN service from my ISP for data only; internet is not included in that link. I have 100 plus remote locations, and each location has a different subnet on its router.

I want to use TMG for providing internet to all the locations; in my remote locations I have totally different subnets. Now I have 2 gateways, 1 for internet and the other for data.

When I set the gateway on the data interface, internet is not working.

Please help me


Blocking Web-Email Issue...

Hey, hi all of you!!!

I'm using TMG 2010 and I want to block web-based email like gmail, hotmail and yahoo-mail. I've added the web-email URL category, a Domain set and a URL set as well. I checked and it worked for yahoo and hotmail, and I'd say even for gmail, but only in Internet Explorer; when I checked in other browsers like Chrome and Firefox, gmail couldn't be blocked in these browsers. One more thing: when I set the TMG proxy in the browsers then it worked, but not with SecureNAT. Why can't Firefox and Chrome block gmail? Your help would be appreciated...!


HTTPS traffic is not excluded from webproxy and traffic is being NAT-ed instead of Routed


We have the following problem with HTTPS traffic from a client (10.40.40.47) on our Internal network to an outside client (172.24.3.2) on the External network.
This traffic must be routed but is being NAT-ed.

To accomplish this I have used the advice from this blog entry from technet:
http://blogs.technet.com/b/keithab/archive/2012/01/17/creating-a-rule-to-bypass-the-web-proxy-filter-in-isa-server-or-forefront-tmg.aspx

This means I have created the following 2 rules (exactly in this order):

1. Allow HTTPS and custom HTTPS(unbound from webproxy filter) from 10.40.40.47 --> 172.24.3.2
2. Deny HTTPS from 10.40.40.47 --> 172.24.3.2

On the Network rule tab:

Route relationship between 10.40.40.47 and 172.24.3.2

Despite the exact network route relationship this traffic is still being NAT-ed:

Failed Connection Attempt SZ0961 9-12-2014 9:48:30
Log type: Web Proxy (Forward)
Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Rule: Test EPIC Interconnect to Test LSP omgeving
Source: Internal (10.40.40.47:54909)
Destination: External (172.24.3.2:443)
Request: zim.xto1.lsp.aorta-zorg.nl:443
Filter information:
Req ID: 108ffd81;
Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel
User: anonymous
Additional information

Is there something I am missing here as to why it is still using the general NAT rule instead of the specific Route rule?

Maybe someone can guide me on what else to look for, because I do not understand why it is following the general NAT rule.
Any help/ideas on where else to look are highly appreciated!
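As an added example (not code from the post, from Microsoft or from TMG itself), here is a small Python parser for the key/value layout of the failed-connection entry quoted above, with a check that classifies whether the entry was produced by the Web Proxy filter or by the firewall engine. When an HTTPS connection shows up with log type "Web Proxy (Forward)" and protocol "SSL-tunnel", the web proxy filter handled it, which is the symptom the post describes. The sample entry is constructed from the fields in the post; the function and constant names are my own.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample, mirroring the field layout of the entry quoted in the post.
SAMPLE_ENTRY = """\
Failed Connection Attempt SZ0961 9-12-2014 9:48:30
Log type: Web Proxy (Forward)
Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Rule: Test EPIC Interconnect to Test LSP omgeving
Source: Internal (10.40.40.47:54909)
Destination: External (172.24.3.2:443)
Request: zim.xto1.lsp.aorta-zorg.nl:443
Filter information:
Req ID: 108ffd81;
Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel
User: anonymous
"""

# "Internal (10.40.40.47:54909)" -> network name, IP, port
_ENDPOINT = re.compile(r"^(?P<network>\w+)\s+\((?P<ip>[\d.]+):(?P<port>\d+)\)$")


def parse_entry(text: str) -> Dict[str, str]:
    """Parse 'Key: value' lines into a dict; the first line is kept under 'header'.

    Only the first ':' splits a line, so values that themselves contain ':'
    (for example 'Request: host:443') survive intact.
    """
    entry: Dict[str, str] = {}
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if lines:
        entry["header"] = lines[0]
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a key/value line; ignore it
        entry[key.strip()] = value.strip().rstrip(";")
    return entry


def parse_endpoint(value: str) -> Optional[Tuple[str, str, int]]:
    """Split a Source/Destination value into (network, ip, port), or None."""
    m = _ENDPOINT.match(value)
    if not m:
        return None
    return m.group("network"), m.group("ip"), int(m.group("port"))


def status_code(entry: Dict[str, str]) -> Optional[int]:
    """Return the numeric Winsock status that leads the Status field."""
    m = re.match(r"(\d+)", entry.get("Status", ""))
    return int(m.group(1)) if m else None


def handled_by_web_proxy(entry: Dict[str, str]) -> bool:
    """True when the Web Proxy filter, not the firewall engine, logged the entry."""
    return entry.get("Log type", "").startswith("Web Proxy")


def diagnose(entry: Dict[str, str]) -> str:
    """Summarise what the entry tells a defender about which component saw the flow."""
    dst = parse_endpoint(entry.get("Destination", ""))
    port = dst[2] if dst else None
    if handled_by_web_proxy(entry) and entry.get("Protocol") == "SSL-tunnel":
        return (f"TCP/{port} was intercepted by the Web Proxy filter as an SSL tunnel; "
                "a rule meant to bypass the web proxy filter did not match this flow")
    if handled_by_web_proxy(entry):
        return "request was processed by the Web Proxy filter"
    return "entry was logged by the firewall engine (web proxy filter not involved)"


if __name__ == "__main__":
    parsed = parse_entry(SAMPLE_ENTRY)
    print(parsed["Log type"], status_code(parsed), parse_endpoint(parsed["Source"]))
    print(diagnose(parsed))
```

Running it against the constructed entry reports the flow as intercepted by the Web Proxy filter, which is the first thing to confirm before looking at rule order or the network relationship: a route relationship only applies once the firewall engine, rather than the web proxy filter, is handling the connection.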
