Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

RDP and Ping issue

Hello,

I have Windows Server 2008 R2. Forefront TMG is installed on it. I can do RDP within the internal network, but when I access the TMG server from outside systems then I cannot access it. The TMG server has been assigned a static IP. I cannot even ping the IP of the server from outside; it gives request time out. I have disabled the Windows firewall as well as the TMG firewall. I am still unable to ping the static IP assigned to the TMG server. I can browse the internet on my TMG server. I guess when the ping issue is resolved I will be able to access the system remotely. What else should I do? Thanks in advance.


SharePoint 2013 publishing through a single NIC TMG 2010 solution.

Please can someone advise if it is supported by Microsoft to publish SharePoint 2013 through a single NIC TMG 2010 server.

To be clear, the TMG 2010 server only has one network card and is currently used to reverse proxy Outlook Web Access, but there is now a requirement to publish SharePoint 2013 through it.

Thanks in advance.

Dan

Allow access to specific YouTube videos through TMG 2010

Hello,

We have TMG 2010 SP2 installed to control our Internet traffic. Access to YouTube is blocked. In addition, not all users have Internet access.

There is a need to allow all of our users to access a specific YouTube video only. I tried to create a URL set that contains this video link and connect it to an access policy with Order 1, but it does not work.

Any help how to allow access to a specific Youtube video?

How to allow Zimbra Desktop using Forefront TMG 2010

Hi,

I installed Zimbra Email Server in my DMZ (192.168.5.0/24); my server IP is 192.168.5.5, and I have the internal network 192.168.1.0/24. I cannot connect to my Zimbra mail server using Zimbra Desktop. I got this message:

service.FAILURE: system failure: error while proxying request to target server: HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )

Can anyone help me with how to do the authentication for my users?

My TMG server is joined to my domain.com int (192.168.1.0/24), and I used my domain users to connect through my proxy, but it seems something is wrong in my TMG.

I need my clients in the internal network 192.168.1.x to access the Zimbra Server in the DMZ 192.168.5.x. I can ping the server 192.168.5.5 and I can access the mail web app, but I cannot access it using Zimbra Desktop (mail client app), where I allowed all protocols in my rule!?

Best Regards


Adding 2012 DC to existing domain with TMG 2010 deployed

We have an existing 2008R2 domain with 2 sites; main location and remote office. TMG 2010 is deployed in both locations, connecting the sites via VPN. TMG 2010 is also acting as a proxy and firewall for both sites independently. The existing DCs at the main location are 2008R2 server and the remote office also has a 2008 R2 DC server. TMG 2010 is installed on separate 2008 R2 servers in both locations. We are planning to add two new 2012 R2 DCs to the main office and then demote and remove all DC AD services from the 2008 R2 servers. The 2008 R2 servers will remain as AD Member servers. One of the 2008R2 servers also contains the AD Certificate server role. There are no plans to upgrade\replace the remote DC yet. We know we have to replace TMG2010 because it is approaching the end of its lifecycle, but would like to continue to use it into most of next year. What if any impact will occur to TMG 2010 when the new 2012 DCs are added? Is this configuration supported? Do you have any recommendations?


Mac Outlook 2011 through TMG

Hi,

I have a physical TMG server running SP1 on 2008R2. I am also running Exchange 2007 SP3. Exchange has been published through TMG to allow external domain users connected with 3G to access their mail in Outlook.

This has been successful, with cell phone, iPad, and Outlook users running Windows able to access their mail perfectly.
We have recently added some MacBooks to the mix and for some unknown reason those external users cannot access their mail in Outlook. They are running Mac OS X 10.6 with Outlook 2011. They can only access mail in Safari with OWA.

Are there any ideas as to the MAC discrimination?

 

Tks,

Guy

IIS redirect 301 behind TMG (http to https, domain.com to www.domain.com)

Hello,

I have IIS server running behind TMG and I need to publish website with these requirements:

website has to be accessible via addresses

http://domain.com

https://domain.com

http://www.domain.com

all addresses have to redirect to

https://www.domain.com with redirect 301 (permanent - for google page ranking and SEO).

I would like to occupy no more than 1 external IP address if it's possible.

So far my intentions were to:

1. for application in IIS create a binding with https://www.domain.com

2. create another application with bindings for http://domain.com, https://domain.com and http://www.domain.com and enable redirect to https://www.domain.com.

3. Create publishing rule in TMG with public names domain.com and www.domain.com, enable http and https on weblistener.

Expected result: in case of https://www.domain.com request, application is served. In case of other addresses, another application is accessed in IIS which issues 301 redirect to https://www.domain.com and therefore application is served.

Actual result: no redirection happens, instead application always gets served with any address (https/http/domain/www) I enter in my browser.

Can I tweak some settings to make it work, or this simply won't work by design?



Array - Firewall Server wont start

Hi together,

I don't know what really happened, but at the moment we have the big problem that our TMG is down (Forefront Firewall Service stopped working). The only "special" thing is that we had the Socks 5 Sample dll registered on both nodes, which was unregistered a few months ago, and we had done a custom fba....6 months ago. Everything worked fine until today's reboot.

We use TMG SP2 Rollup 5. The error messages we get (sorry, it's German):

Forefront TMG konnte den Anwendungsfilter Webproxyfilter
({4CB7513E-220E-4C20-815A-B67BAA295FF4}) nicht laden. FilterInit ist mit Code
0x80004005 fehlgeschlagen. Beenden Sie den Firewalldienst, und starten Sie ihn
anschließend erneut, um den Anwendungsfilter zu aktivieren.
Microsoft
Forefront TMG Firewall
14060

Der Webproxyfilter konnte nicht
initialisiert werden (Fehlercode 505.93.7.0.9193.644).
Microsoft Forefront
TMG Web Proxy
14127

Der Webproxyfilter konnte nicht initialisiert
werden (Fehlercode 501.3200.7.0.9193.644).
Microsoft Forefront TMG Web
Proxy
14127

Webfilter können entweder nicht initialisiert werden, oder
aktuelle Konfigurationsänderungen können nicht angewendet werden. Überprüfen Sie
die Webfilterkonfiguration auf die aktuellsten Änderungen, um diesen Fehler zu
beheben.
21159
Microsoft Forefront TMG Web Proxy

Forefront TMG
konnte die Webfilter-DLL C:\Program Files\Microsoft Forefront Threat Management
Gateway\\CookieAuthFilter.dll nicht laden.
14146
Microsoft Forefront TMG
Web Proxy

Der Webfilter Formularbasierter Authentifizierungsfilter konnte
die Konfiguration nicht neu laden. Wenn Sie vor kurzem Konfigurationsänderungen
angewendet haben, stellen Sie sicher, dass diese Änderungen richtig konfiguriert
sind.
Microsoft Forefront TMG Web Proxy
21177

And last but not least the Service error

Der Dienst "Microsoft Forefront TMG-Firewall" wurde mit folgendem dienstspezifischem Fehler beendet: %%-2147467259.

Service Control Manager

-----------------------

When I trace the start with Process Monitor, looking at the startup process for Access denied stuff, I get several Access denied for the process in the registry for

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing (regcreatekey)

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters (regopenkey)

HKLM\Software\Microsoft\SystemCertificates\CA (regcreatekey)

But I am unsure if I should give it access to this.

Furthermore there are the following entries

C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT

Desired Access: Read Attributes
Disposition: Open
Options: Open Reparse Point
Attributes: n/a
ShareMode: Read, Write, Delete
AllocationSize: n/a

I searched for dependencies on the CookieAuthFilter.dll as described in http://systemcentercore.com/?GetElement=Microsoft.Forefront.TMG.ISA_Server_failed_to_load_a_Web_Filter_DLL.Rule&Type=Rule&ManagementPack=Microsoft.Forefront.TMG&Version=7.0.7695.100

I found some mf.dll, mfplan.dll and placed them from a Windows 7 system in the System32 dir on the TMG...nothing changed.

We restored our last backup 3 months ago, nothing changed.

I have no real idea how to go on. Do you have any suggestions? Hope so...

Kind regards

Matthias


TMG 2010 SP1 PPTP Passthrough for Clients

Hi there,

 

For two weeks we have been using TMG 2010 SP1 as a back-end firewall. We have some clients (XP and Win7) that have to use VPN connections to some customers (most of them PPTP).

Unfortunately they can't connect to our customers and have to use our standby internet line (ADSL with SOHO router). I have read some articles about PPTP filtering, but I didn't find the configuration for that. Under System->Filter I can't change anything on the PPTP filter.

The access rule for our network allows http, https, ftp, ike-client, ipsec-client, l2tp-client and pptp. I've tested almost everything (allow all network traffic to external), extra access rule only for VPN on top.

I've read a tip to allow incoming VPN connections on the internal interface, which doesn't work for us.

 

Thanks for your help.

 

Kind Regards,

 

Andre Braun

TMG NLB Issues

Hi 

Just picking up an NLB issue for TMG. Trying to add a VIP but I see the following errors:

In NLB Manager - 'The RPC Server is not available on the specified computer' - This is the other TMG server that it cannot contact

In TMG under Monitoring > Configuration the following sync message is displayed: Server Configuration Does not Match the Stored Configuration

When I attempt to converge NLB I see a denied TCP packet for 10002. I have created a protocol for this but it shows as unidentified IP traffic?

any thoughts?

Thanks

Unable to browse microsoft website through ISA 2000 proxy

Dear Team,

I have installed a server 2003 in my virtual machine & have created a DNS in the same.

Also I installed ISA 2000 with SP2 patch. I am able to browse all the websites except any of the Microsoft website.

Can anyone help me in this issue. My local PC is also able to connect to Microsoft websites without proxy.

Error I am getting is 11004 host not found when I am using the proxy in IE or Mozilla or chrome.

Thanks & Regards,

Habibur Rehman Ansari

Link translation without content type

Which product replace TMG functionality?

Hi,

I have several customers that wanted to deploy TMG Server as a web proxy/firewall back-end, but we all know that TMG is dying? Which product offers exactly the same functionalities?


Cristian L Ruiz

Certificates can no longer be used in TMG - Incorrect Key Type

After TMG 2010 mysteriously failed to start firewall service I have identified that there are some firewall rules/web listeners possibly corrupted. I have fixed that and proceeded to troubleshoot and I have suspected problems with certificates. So I decided to create certificates from scratch and import them in TMG 2010 (as it has worked for number of years since ISA 2004).

I have followed the pretty much known procedure of requesting a certificate from the IIS server, installing it at IIS, exporting it with the private key and importing it to TMG; however, I cannot link the certificate to the listener as TMG says it has Incorrect Key Type.

One thing indeed changed which is that we had reinstalled our PKI (Microsoft Windows 2008 R2). So basically keys that have been issued and imported to TMG (long ago) seem to be working fine. I however, cannot import the new one.

I have searched the Internet a lot but to no avail. The only particular thing I found is that TMG doesn't work well with CNG (version 3) certificates. I have looked into the certificates quite well and found the only significant difference between working ones and not working ones in the order of properties.

I don't think my CA is issuing version 3 certificates but I am not 100% sure.

Any ideas how I can verify this or any idea what else could be wrong with the certificate so TMG cannot recognize it?

 

Many thanks.

 

Oggi

HTTP/1.1 502 Proxy Error ( Connection refused )\nVia: 1.1 TMG01 -SP\nConnection

Hi,

I have an application that executes calls to a jetty server locally. When I try to run the application I get the error below.

HTTP/1.1 502 Proxy Error ( Connection refused )\nVia: 1.1 TMG01-SP\nConnection: Keep-Alive\nProxy-Connection: Keep-Alive\nPragma: no-cache\nCache-Control: no-cache\nContent-Type: text/html\nContent-Length: 3904  \n

 
But this error only occurs on a particular machine; when I run the same application on other machines I have no problems.

Does someone know what it could be? I disabled the firewall, proxy, included rules on the firewall, but nothing gets this application working.



TMG 2010 network adapter losing connectivity after application of MS updates for October 2013

Shortly after we applied the Microsoft October 2013 updates to our TMG 2010 SP2 server we started experiencing loss of connectivity on our Internet-facing adapter (could no longer ping the gateway etc). A reboot would resolve the issue. The problem kept recurring so we removed a couple of the networking-related updates for October (http://support.microsoft.com/kb/2888049 ) and (http://support.microsoft.com/kb/2882822 ) as a test. After these were removed the problem stopped.

We inadvertently reapplied these two updates during the November 2013 update cycle and the problem happened again. We removed the updates and everything is back to normal.

Just wondering if anyone else has applied these two updates to their TMG 2010 SP2 server and experienced any unusual issues?

Thanks

forefront TMG with 3 Vlans

Hello,

I have a TMG server to handle internet access on a school network and a Cisco L3 switch as core SW for routing between VLANs. All PCs and servers on the same VLAN 10 network as TMG are able to access the internet.

But the problem that I have is that VLAN 20 and VLAN 30, on different subnets, can't access the internet. I can ping between clients on different VLANs and from TMG to VLAN 10.

I have tried

1. adding vNIC from each vlan 

2. add the ip range of each vlans to the internal NIC 

3. access rule from vlan 20/30 to internal 

4. from vlan 20/30 to external 

 

add static routing on TMG 

tmg ip INTERNAL NIC: 192.168.1.5 

Core SW IP: 192.168.1.1 

VLAN 20 IP : 192.168.2.1  gateway 192.168.2.1

vlan 30 ip 192.168.3.1 gateway 192.168.3.1

ip route 0.0.0.0  0.0.0.0 192.168.1.5 

MultiCash Auth against TMG 2010

Hi,

We are using TMG 2010 and authentication is required to access the internet via the TMG proxy. Most of the applications are working but MultiCash from Omikron is not able to authenticate. The vendor is saying that they are using NTLM based on "[MS-NLMP]: NT LAN Manager (NTLM) Authentication Protocol Specification", but all we see in the TMG log is that the application is only using anonymous and the auth negotiation is failing.

Does any one have this app running with proxy auth or is there maybe a chance to get a debug log from the auth process to see in detail what is failing?

Marco


TMG ISA is End of Life

Dear Members

I was using ISA for many years for publishing my website. What may be the alternative application to ISA? Is there any similar software like ISA?

Regards

Rabbani


RaSa

Allow Only Skype in TMG 2010

Hi Experts,

I have a group of users who are only allowed to access 3 websites on the internet.

For the rule for those websites I have allowed the http and https protocols.

Now they want to use Skype. Can anyone help me in making a rule that allows the group of users to only access the required websites and use Skype only? But they should not be able to access any website other than the 3 required websites. Thank you.
