Hi
I have publishing rules for external users, and these are working just fine. The problem is that internal users can't access the internal websites.
Engr. Ripon Kanti Dutta
I am looking for a system/program/solution that allows replacing a proxy. The solution should allow editing the source IP address before the traffic reaches its destination, meaning that it can replace a proxy. I have also explored the firewall option, but I am not familiar with firewalls: does any firewall allow mapping traffic to an IP address and port before it reaches the destination, and a second request to a second IP address and port?
If you know about any solution, please kindly advise. Thanks in advance.
Hi all,
We have a TMG 2010.
The problem is that our internal web application is not working when TMG is down. The scenario is: our domain is abc.ad.
We access our internal web application via http://pa.abc.in; for abc.in we have created a DNS zone in Active Directory. But when we try to access http://pa.abc.in, all the requests are forwarded to TMG. Internally the host is resolved via nslookup without issue.
Please clarify where we need to check for the issue: AD, DNS or TMG.
Regards,
Mariappan S
Thanks, Mariappan Shanmugavel
Hello everybody,
I have Forefront Threat Management Gateway Server version 7.0.7734.100 installed on Windows Server 2008 R2 Standard Edition.
I am facing an issue with reporting: I have created both daily scheduled reports and other reporting jobs that
can be run one time, and none of them worked.
Note that when I tried to run the one-time report manually ("generate and view report") I get the following error:
"error 0xc0040432
The report test could not be generated. Report Server error information: Unable to connect to the remote server.
The error occurred on object 'Reports' of class 'Reports Configuration' in the scope of array 'TMG-SRV'."
Can anyone help?
In our environment the following applications are running:
Active Directory
DHCP
TMG
All my users receive IP addresses via DHCP.
I have a specific group of users who are restricted from accessing the internet, but as I mentioned above we have DHCP running, so IPs will change dynamically. For that I need to create a rule for specific users so that they can't access the internet or specific websites.
Could someone please help me with what I need to do?
electrifying
Dear All,
TMG 2010 had been working properly for 1 year. Yesterday all clients received the following error:
Technical Information (for support personnel)
and on TMG the log is as below:
All clients are receiving the same issue.
Please guide me if anyone has the perfect solution; I have already checked all the solutions on TechNet.
Hey guys,
I am ready to install the following release updates for TMG 2010 SP2: TMG Rollup 4 and TMG Rollup 5. However, I checked the installation directions first (from here: http://technet.microsoft.com/en-us/library/ff717843.aspx) and noticed this caveat:
Before you install the updates on Forefront TMG Enterprise Edition, you must log on to the EMS by using the same credentials that were used to install the EMS during the initial Forefront TMG setup. If you install the update by using a different administrator account, the installation may fail. In this case, you will receive a "Setup cannot initialize Forefront TMG settings" error message.
We do have an Array/Array Manager setup with 2 nodes, but we do not use NLB (that I am aware of) and we don't use an EMS-type array.
If I go to FF TMG >> System >> Servers, under "Config. Management" I see
Server 1 - Array Managed
Server 2 - Array Manager
I think that's the standalone array configuration and not the EMS array configuration. However, the documentation above does state:
These instructions are relevant if you have a standalone array or Enterprise Management Server (EMS). When upgrading Forefront TMG to SP1 or SP2, you must upgrade each of the following, if they exist in your deployment:
Basically my question is: do I really need to log onto the FF TMG servers as the account that originally installed TMG?
Thanks,
Robert
Robert
Wondering if anyone in this forum has considered the KEMP Edge Security Pack (ESP) as a TMG replacement. We have only very good things to say about the KEMP LoadMaster devices as load balancers, having used them since early 2010 with Exchange and SharePoint without any downtime, but we have no experience with the ESP, which is an add-on.
The KEMP Edge Security Pack
http://kemptechnologies.com/emea/microsoft-load-balancing/microsoft-forefront-tmg-replacement/
MCTS: Messaging | MCSE: S+M
Hi all,
We want to enable HTTPS Inspection on our TMG cluster, but the catch is that Mac OS X clients won't be able to connect to SSL sites after we activate it.
I am aware of this blog post: http://blogs.technet.com/b/isablog/archive/2012/04/20/mac-os-clients-fail-to-access-ssl-websites-after-you-enable-https-inspection-in-forefront-tmg-2010.aspx
We had a certificate generated by our own internal CA, generated as described in this blog post: http://blogs.technet.com/b/isablog/archive/2014/08/29/how-to-create-a-cng-httpsi-cert-using-a-2008r2-ca.aspx
After we ran into the problems with OS X we didn't do more research and renewed the certificate with the options from the second blog post, but as a Windows Server 2008 CA certificate.
But still, Mac OS X (Safari) can't reach HTTPS sites; Firefox on Mac OS X works fine.
I've downloaded the certificates to check whether the subject is ASCII or Unicode. Here are the results:
Issuer: CN=TMG HTTPS CNG Inspection
[0,0]: CERT_RDN_PRINTABLE_STRING, Length = 40 (40/64 characters)
2.5.4.3 Common Name (CN)="TMG HTTPS CNG Inspection"
[...]
Subject: CN=*.facebook.com O=Facebook, Inc. L=Menlo Park S=CA C=US
[0,0]: CERT_RDN_PRINTABLE_STRING, Length = 2 (2/2 characters)
2.5.4.6 Country/Region (C)="US"
55 53 US
55 00 53 00 U.S.
[1,0]: CERT_RDN_PRINTABLE_STRING, Length = 2 (2/128 characters)
2.5.4.8 State or Province (S)="CA"
43 41 CA
43 00 41 00 C.A.
[2,0]: CERT_RDN_PRINTABLE_STRING, Length = 10 (10/128 characters)
2.5.4.7 Locality (L)="Menlo Park"
4d 65 6e 6c 6f 20 50 61 72 6b Menlo Park
4d 00 65 00 6e 00 6c 00 6f 00 20 00 50 00 61 00 M.e.n.l.o. .P.a.
72 00 6b 00 r.k.
[3,0]: CERT_RDN_PRINTABLE_STRING, Length = 14 (14/64 characters)
2.5.4.10 Organization (O)="Facebook, Inc."
46 61 63 65 62 6f 6f 6b 2c 20 49 6e 63 2e Facebook, Inc.
46 00 61 00 63 00 65 00 62 00 6f 00 6f 00 6b 00 F.a.c.e.b.o.o.k.
2c 00 20 00 49 00 6e 00 63 00 2e 00 ,. .I.n.c...
[4,0]: CERT_RDN_UTF8_STRING, Length = 14 (14/64 characters)
2.5.4.3 Common Name (CN)="*.facebook.com"
So I think the problem is the last one, since this is still issued as UTF8... but why? Shouldn't this also be a printable/ASCII one? How can I fix it?
The template which generated the TMG Certificate has the following settings:
General
Validity: 10 Years
Renewal period: 2 Years
Issuance Requirements
-
Suspended Templates
-
Extensions
Application Policies: Code Signing, Private Key Archival, Server Authentication
Basic Constraints: everything is checked
Certificate Template Information: -
Key Usage: Digital signature, Signature is proof of origin (nonrepudiation), Certificate signing, CRL signing, Make this extension critical
Do you have any ideas why I still get UTF8 subjects?
Thanks for your help in advance
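The subject dump in the post above can be checked mechanically rather than by eye. The script below is an added example (not from the post, from TMG, or from the linked blog): a minimal DER encoder/decoder for X.509 Name structures that reports the ASN.1 string type of every attribute and whether a PrintableString would even have been a legal encoding for that value. The sample subject is constructed here from the dump above. One thing the check makes visible: the PrintableString alphabet is letters, digits, space and the characters ' ( ) + , - . / : = ?; it does not contain '*', so a wildcard CN such as *.facebook.com cannot be a PrintableString and a UTF8String there is the conforming encoding whatever the template says. Whether that is related to the Safari failure is not something this check can tell you.

```python
"""Report the ASN.1 string type of each attribute in a DER-encoded X.509 Name.
Added example; pure standard library, no dependency on TMG or a CA."""
import re

STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString",
               0x14: "TeletexString", 0x16: "IA5String", 0x1E: "BMPString"}
OID_SHORT = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
             "2.5.4.8": "S", "2.5.4.10": "O", "2.5.4.11": "OU"}
# PrintableString alphabet (X.680). Note: '*' and '@' are NOT in it.
PRINTABLE_RE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]*$")


def _encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _encode_length(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf, pos):
    """Return (tag, contents, position after this element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_name(attrs):
    """attrs: list of (dotted OID, value, string tag). Returns a DER-encoded Name."""
    rdns = b""
    for oid, value, tag in attrs:
        enc = value.encode("utf-16-be") if tag == 0x1E else value.encode("utf-8")
        atv = _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(tag, enc))
        rdns += _tlv(0x31, atv)          # one RDN = SET of one AttributeTypeAndValue
    return _tlv(0x30, rdns)


def parse_name(der):
    """Return [(short attribute name, string type, value)] in encoded order."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(body):
        set_tag, rdn, pos = _read_tlv(body, pos)
        if set_tag != 0x31:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)
            _, oid_raw, q = _read_tlv(atv, 0)
            str_tag, str_raw, _ = _read_tlv(atv, q)
            value = (str_raw.decode("utf-16-be") if str_tag == 0x1E
                     else str_raw.decode("utf-8", errors="replace"))
            oid = _decode_oid(oid_raw)
            result.append((OID_SHORT.get(oid, oid),
                           STRING_TAGS.get(str_tag, hex(str_tag)), value))
    return result


def utf8_attributes(der):
    """UTF8String attributes, each with whether PrintableString would have been legal."""
    return [(name, value, bool(PRINTABLE_RE.match(value)))
            for name, kind, value in parse_name(der) if kind == "UTF8String"]


# Constructed sample mirroring the inspected facebook.com subject in the dump above.
SAMPLE_SUBJECT = build_name([
    ("2.5.4.6", "US", 0x13),
    ("2.5.4.8", "CA", 0x13),
    ("2.5.4.7", "Menlo Park", 0x13),
    ("2.5.4.10", "Facebook, Inc.", 0x13),
    ("2.5.4.3", "*.facebook.com", 0x0C),
])

if __name__ == "__main__":
    for name, kind, value in parse_name(SAMPLE_SUBJECT):
        print(f"{name}={value!r}: {kind}")
    for name, value, printable_ok in utf8_attributes(SAMPLE_SUBJECT):
        why = ("could have been PrintableString" if printable_ok
               else "cannot be PrintableString (character outside its alphabet)")
        print(f"  -> {name}={value!r}: {why}")
```

To run it against a real certificate, extract the DER subject (for example the bytes of the Subject field from a certificate exported in DER form) and pass them to parse_name; the same parser handles the issuer Name.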
Hi experts,
On one of the computers on which the TMG client is installed, when I click "Test Server" it gives me the error message "Operation failed as a result of network error".
I have checked online solutions for this problem, like giving the local admin full access to the temp folder, but it still didn't resolve the problem.
Any suggestions?
Hi,
I have published an extended SharePoint web application through TMG 2010, and at first with ordinary Windows authentication it worked just fine. But what I wanted to test was using Azure AD and ACS as the authentication provider. I set it up as instructed on TechNet, and internally (LAN) it works perfectly now. But when I'm trying to access the site from the internet side it just throws "Internal Server error 500. The request was rejected by the HTTP filter. (12217)".
Normally this is solved by unchecking "Verify Normalization" and "Block high bit characters", but not this time.
I have tried different listeners in TMG, rebuilt the publishing rule and everything else I can think of. But it just does not work.
I don't even have the filters active on the HTTPS protocol, and if I activate Web proxy I do not get the option to Configure HTTP. Is this correct, or is there something wrong with my TMG?
/Joakim
Hi,
My company has an MSDN license and the media for TMG 2010 SP2. My customer has an MSDN license for TMG 2010 SP2, but they are unable to download the ISO.
Under MS licensing, am I allowed to give my customer the TMG 2010 ISO
en_forefront_threat_management_gateway_2010_enterprise_x64_dvd_SP2.iso?
Thanks
Our company is using Forefront TMG as a proxy server. Via the LAN settings on the client computers they are able to access the internet. I am trying to install Outlook 2007 as the email client on each PC. I have searched many forums, but I'm still not able to establish the connection to the outside mail server. It doesn't even allow me to telnet to the server. Please help me solve the problem and configure Outlook.
Thank you
I have an Exchange 2010 Edge box with TMG installed, and every time I change the IP ranges in the Receive Connector, they get overwritten by TMG. As a workaround, I can stop the EdgeSync service in TMG and change the individual IP addresses, but I cannot add a range (I want to add a whole subnet).
What if I remove the receive connector completely and replace it with a new one with a different name? Would that still get overwritten by TMG?
Running Forefront TMG 2010 Service Pack 2, Exchange 2010 Service Pack 3 RU4
Here is the situation:
Internet ------ TMG (DMZ not joined to Domain) ---- Exchange 2007
I can ping the exchange server from TMG and vice versa.
I have set up the following rules on TMG:
Outlook Anywhere Rules
Listener
General: HTTPS Exchange Listener
Networks: External Selected IP address xxx.xxx.xxx.xxx
Connections: Enable SSL (HTTPS) connections on port 443 checked; Advanced: Unlimited checked
Certificates: My UCC Certificate is selected and the Certificate has all the names for Subject. Have triple checked this
Authentication: no auth
Forms: all greyed out
SSO: all greyed out
Exchange Rule:
General: Exchange Outlook Anywhere (Name)
Action: Allow
From: Anywhere
To: exchange2007.abc.local
"Forward the original host header instead of the actual one" is checked
"Requests appear to come from the Forefront TMG computer" is checked
Traffic: HTTPS
Listener: the one with the settings above is chosen
Public Name: autodiscover.abc.com
Paths: Default for Exchange 2007 /unifiedmessaging/* /rpc/* /OAB/* /ews/* /AutoDiscover/*
Authentication Delegation: No delegation, but client may authenticate directly
Users: All Users
The rest of the tabs are all default after the rule is created.
Exchange 2007 side:
Outlook Anywhere: Basic Authentication
Here is the problem:
I can run the Autodiscover test from "Test E-mail AutoConfiguration" in Outlook and it comes back successful.
I can run testexchangeconnectivity: logs are below (I changed the domain to abc.com as I do not want my info out on the web).
Now when I try to set up a new email account in Outlook 2010 I do the following:
1. Create Profile
2. New email account; type Name: EM, Email: em@abc.com, Password: xxxx (twice) and hit Next.
3. I get prompted for the AD username and password: abc\em, Password: xxx
4. I can see it authenticates to the Exchange server in the security logs, but after that it gives me errors in the TMG logs and then back on the client it reports
I have enclosed the output of the Outlook Anywhere PowerShell test and the authentication settings.
Other steps I have done:
Put https://autodiscover.abc.com/autodiscover/autodiscover.xml in a web browser; I get prompted for username and password and then an "invalid 600" response from TMG, Exchange and the external client, all the same, which is normal.
TMG Log:
This is what happens after I get a successful connection and after it prompts me for username and password.
Exchange output for the Outlook Anywhere PowerShell test and authentication settings:
testexchangeconnectivity log:
ExRCA is attempting to test Autodiscover for em@abc.com.
Autodiscover was tested successfully
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service was tested successfully.
Test Steps
Attempting to test potential Autodiscover URL
https://abc.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name abc.com in DNS.
The host name couldn't be resolved.
Additional Details
Host abc.com couldn't be resolved in DNS InfoNoRecords.
Attempting to test potential Autodiscover URL https://autodiscover.abc.com/AutoDiscover/AutoDiscover.xml
Testing of the Autodiscover URL was successful.
Test Steps
Attempting to resolve the host name autodiscover.abc.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: xx.xx.xx.xx
Testing TCP port 443 on host autodiscover.abc.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.abc.com on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=webmail.abc.com, OU=IT, O=ABC, L=SOMEWHERE, S=NJ, C=US, Issuer: CN=ABC-ADDEV1-CA, DC=abc, DC=local.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.abc.com was found in the Certificate Subject Alternative Name entry.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 6/13/2012 2:50:46 PM, NotAfter = 6/13/2014 2:50:46 PM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
ExRCA successfully retrieved Autodiscover settings by sending an Autodiscover POST.
Test Steps:
ExRCA is attempting to retrieve an XML Autodiscover response from URL https://abc.zgaforge.com/AutoDiscover/AutoDiscover.xml for user em@abc.com.
The Autodiscover XML response was successfully retrieved.
Additional Details
Autodiscover Account Settings
XML response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName></DisplayName>
<LegacyDN>/o=4sdev/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=em</LegacyDN>
<DeploymentId>0afee656-467c-4108-b4b3-e17f03dfd98f</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>EXCHANGEDEV1.abc.local</Server>
<ServerDN>/o=4sdev/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHANGEDEV1</ServerDN>
<ServerVersion>72038053</ServerVersion>
<MdbDN>/o=4sdev/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHANGEDEV1/cn=Microsoft Private MDB</MdbDN>
<ASUrl>https://autodiscover.abc.com/ews/Exchange.asmx</ASUrl>
<OOFUrl>https://autodiscover.abc.com/ews/Exchange.asmx</OOFUrl>
<UMUrl>https://autodiscover.abc.com/unifiedmessaging/Service.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<AD>addev3.4sdev.local</AD>
<EwsUrl>https://autodiscover.abc.com/ews/Exchange.asmx</EwsUrl>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>webmail.abc.com</Server>
<ASUrl>https://legacy.abc.com/EWS/Exchange.asmx</ASUrl>
<OOFUrl>https://legacy.abc.com/EWS/Exchange.asmx</OOFUrl>
<UMUrl>https://webmail.abc.com/UnifiedMessaging/Service.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>On</SSL>
<AuthPackage>Basic</AuthPackage>
<EwsUrl>https://legacy.abc.com/EWS/Exchange.asmx</EwsUrl>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<External>
<OWAUrl AuthenticationMethod="Fba">https://webmail.abc.com/owa</OWAUrl>
<Protocol>
<Type>EXPR</Type>
<ASUrl>https://legacy.abc.com/EWS/Exchange.asmx</ASUrl>
</Protocol>
</External>
<Internal>
<OWAUrl AuthenticationMethod="Basic">https://webmail.abc.com/OWA</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://autodiscover.abc.com/ews/Exchange.asmx</ASUrl>
</Protocol>
</Internal>
</Protocol>
</Account>
</Response>
</Autodiscover>
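A check worth running on a publishing rule like the one above: Outlook only contacts the hosts and paths the Autodiscover response hands it, and the rule only answers for the public names and paths it lists. The script below is an added example (not from the post, from TMG or from Exchange) that parses a trimmed copy of the response above, collects every host and path an internet client would be sent to for the EXPR (Outlook Anywhere) and WEB (OWA) profiles, and compares them against the rule's public name and path list exactly as the post states them. The Outlook Anywhere profile's <Server> is contacted at /rpc/rpcproxy.dll, so that path is attached to it. The EXCH profile and anything under <Internal> is skipped because internet clients do not use it. The script only reports what the rule would not match; it does not claim that this is the cause of the failure in the post.

```python
"""Compare the hosts/paths an Autodiscover response hands to Outlook with the
public names and paths a reverse-proxy publishing rule answers for.
Added example; not from the thread, TMG or Exchange."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Trimmed copy of the Autodiscover response in the post (sanitised names kept).
AUTODISCOVER_XML = """\
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
  <Account>
   <AccountType>email</AccountType>
   <Action>settings</Action>
   <Protocol>
    <Type>EXCH</Type>
    <Server>EXCHANGEDEV1.abc.local</Server>
    <EwsUrl>https://autodiscover.abc.com/ews/Exchange.asmx</EwsUrl>
   </Protocol>
   <Protocol>
    <Type>EXPR</Type>
    <Server>webmail.abc.com</Server>
    <ASUrl>https://legacy.abc.com/EWS/Exchange.asmx</ASUrl>
    <OOFUrl>https://legacy.abc.com/EWS/Exchange.asmx</OOFUrl>
    <UMUrl>https://webmail.abc.com/UnifiedMessaging/Service.asmx</UMUrl>
    <SSL>On</SSL>
    <AuthPackage>Basic</AuthPackage>
    <EwsUrl>https://legacy.abc.com/EWS/Exchange.asmx</EwsUrl>
   </Protocol>
   <Protocol>
    <Type>WEB</Type>
    <External>
     <OWAUrl AuthenticationMethod="Fba">https://webmail.abc.com/owa</OWAUrl>
     <Protocol>
      <Type>EXPR</Type>
      <ASUrl>https://legacy.abc.com/EWS/Exchange.asmx</ASUrl>
     </Protocol>
    </External>
    <Internal>
     <OWAUrl AuthenticationMethod="Basic">https://webmail.abc.com/OWA</OWAUrl>
    </Internal>
   </Protocol>
  </Account>
 </Response>
</Autodiscover>
"""

# Public name and path list exactly as the publishing rule in the post states them.
PUBLISHED_NAMES = {"autodiscover.abc.com"}
PUBLISHED_PATHS = ("/unifiedmessaging/", "/rpc/", "/oab/", "/ews/", "/autodiscover/")

# Outlook Anywhere (EXPR) connects to https://<Server>/rpc/rpcproxy.dll
RPC_PROXY_PATH = "/rpc/rpcproxy.dll"


def _local(tag):
    return tag.rsplit("}", 1)[-1]        # strip the XML namespace


def external_endpoints(xml_text):
    """Set of (profile, element, host, path) an internet client would contact."""
    root = ET.fromstring(xml_text)
    parent = {c: p for p in root.iter() for c in p}
    found = set()
    for el in root.iter():
        name, text = _local(el.tag), (el.text or "").strip()
        # Walk up: nearest Protocol gives the profile; any Internal ancestor excludes it.
        anc, ptype, internal = parent.get(el), None, False
        while anc is not None:
            lname = _local(anc.tag)
            if lname == "Internal":
                internal = True
            if lname == "Protocol" and ptype is None:
                ptype = next((c.text for c in anc if _local(c.tag) == "Type"), None)
            anc = parent.get(anc)
        if internal or ptype not in ("EXPR", "WEB"):
            continue                     # EXCH is the internal RPC/TCP profile
        if name == "Server" and text:
            found.add((ptype, name, text.lower(), RPC_PROXY_PATH))
        elif text.startswith("https://"):
            u = urlparse(text)
            found.add((ptype, name, u.hostname.lower(), u.path))
    return found


def unpublished(endpoints, names, paths):
    """Endpoints the rule would not match, tagged with the first failing check."""
    gaps = []
    for ptype, el, host, path in sorted(endpoints):
        if host not in names:
            gaps.append((ptype, el, host, path, "host"))
        elif not any(path.lower().startswith(p) for p in paths):
            gaps.append((ptype, el, host, path, "path"))
    return gaps


if __name__ == "__main__":
    eps = external_endpoints(AUTODISCOVER_XML)
    for ptype, el, host, path, why in unpublished(eps, PUBLISHED_NAMES, PUBLISHED_PATHS):
        print(f"not covered by rule ({why}): {ptype} {el} https://{host}{path}")
```

With the post's own data every EXPR and WEB endpoint fails the host check: the rule publishes autodiscover.abc.com only, while Outlook is being sent to webmail.abc.com and legacy.abc.com. Adding those names to the rule (or a second rule on the same listener) would shift the remaining gap to the /owa path, which is outside the Exchange 2007 Outlook Anywhere path set and would need its own OWA rule.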
Hi All,
I'm new to ISA and have currently just set up a TMG 2010 server as an edge firewall (two-network-card mode).
Due to the special situation here, I need to set the server up as a transparent agent so nobody needs to set up a web proxy for internet access.
Issue 1: I ran the TMG server status report, and it looks fine. When I copy and paste the report folder (HTML) to my computer or any other computer, the report content is messed up, as the picture shows:
Issue 2: If I want the AD user name and site domain name shown in the report instead of the current IP, but there is no web proxy set up for users, what should I do?
Thank you.
Jack,
Hi team,
How can I find out which rules are actively in use and which rules are not being used in ISA Server 2004 and 2006? Based on this we are going to disable the rules initially and delete the rules that are not being used at a later stage. Since we have a lot of rules in ISA, we need to segregate them.
Could you please help?
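The usual way to answer this is to count rule hits in the logs: every ISA web proxy and firewall log record carries the name of the rule that matched. The script below is an added example (not from the thread or from ISA Server) that reads W3C-format text logs, finds the "rule" column from the "#Fields:" directive and reports which configured rules never appear. The log lines and the rule names are constructed for the example. If your logging goes to SQL/MSDE rather than text files, export to W3C text first. Two caveats before acting on the result: aggregate over a long window (weeks, across daily log files, both log types), because a rule that fires rarely is not a dead rule, and disable before deleting, exactly as the post plans.

```python
"""Count per-rule hits in ISA/TMG W3C text logs to spot rules that never fire.
Added example, not from the thread or from ISA Server."""
from collections import Counter

# Constructed sample in ISA W3C text-log layout: '#Fields:' header, tab-separated
# records, field list trimmed to what this script needs.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft(R) Internet Security and Acceleration Server 2006",
    "#Version: 2.0",
    "#Fields: c-ip cs-username date time s-svcname cs-uri sc-status rule action",
    "\t".join(["10.0.0.12", "CORP\\alice", "2014-03-10", "08:01:02", "w3proxy",
               "http://intranet/", "200", "Allow Intranet", "Allow"]),
    "\t".join(["10.0.0.13", "anonymous", "2014-03-10", "08:01:05", "w3proxy",
               "http://www.example.com/", "407", "Default rule", "Denied"]),
    "\t".join(["10.0.0.12", "CORP\\alice", "2014-03-10", "08:02:10", "w3proxy",
               "www.example.com:443", "0", "Allow Web Access", "Allow"]),
    "\t".join(["10.0.0.20", "CORP\\bob", "2014-03-10", "08:03:00", "w3proxy",
               "http://intranet/", "200", "Allow Intranet", "Allow"]),
    "\t".join(["10.0.0.20", "CORP\\bob", "2014-03-10", "08:03:01", "fwsrv",
               "-", "0", "Allow DNS", "Allow"]),
])

# Hypothetical rule list as you would copy it from the ISA console (names made up).
CONFIGURED_RULES = ["Allow Intranet", "Allow Web Access", "Allow DNS",
                    "Allow FTP", "Publish OWA", "Default rule"]


def parse_w3c(text):
    """Yield one dict per record; the '#Fields:' directive names the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()   # field names contain no spaces
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split("\t")))


def rule_hits(text):
    """Counter of how often each rule name appears in the log."""
    return Counter(rec.get("rule", "") for rec in parse_w3c(text))


def unused_rules(text, configured):
    """Configured rules with zero hits in this log: candidates to disable first."""
    hits = rule_hits(text)
    return sorted(r for r in configured if hits[r] == 0)


if __name__ == "__main__":
    for rule, n in rule_hits(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {rule}")
    print("never matched:", unused_rules(SAMPLE_LOG, CONFIGURED_RULES))
```

To run it over real data, concatenate the daily ISALOG_*_WEB_*.w3c and ISALOG_*_FWS_*.w3c files (each has its own "#Fields:" header, which the parser re-reads when it appears) and pass the combined text to unused_rules together with the rule names from the console.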
Consider the following scenario: we have a company (contoso.com) with 2 geographically distinct sites, New York and London. There are a number of sites published under web.contoso.com; most are hosted on web servers located in New York but some are hosted in London. The only difference between these sites is the path used (e.g. https://web.contoso.com/products, https://web.contoso.com/research etc.). There are 2 standalone TMG servers that can do reverse proxying, one in New York and one in London. web.contoso.com is added as an entry in the public DNS pointing to the public IP of the TMG in New York. The company's internal link between New York and London is an expensive one and already congested. For the company's clients, it's important that for the pages they're browsing they always get to see https://web.contoso.com/... in their browsers (as opposed to a slightly different name such as https://london.web.contoso.com/...).
We now want to publish the Research site, which is hosted on an IIS server in London, using the name https://web.contoso.com/research while also keeping in mind the restrictions above. In order to avoid using the internal WAN link, the TMG server in London could be used for publishing. However, since web.contoso.com points to the TMG server located in New York, this would mean that the client will first reach the New York TMG, then get redirected to the London TMG, at which point he'll get to the Research site. I've somehow implemented this functionality using a simple publishing rule for All Users on the New York TMG server so that requests for https://web.contoso.com/research get sent to the public IP address of the London TMG server. On the London TMG server there's another rule for https://london.web.contoso.com/research using Forms Authentication. Since the Forms Authentication actually generates a 302 redirect, it's the client itself that talks to the second TMG server, in effect achieving the requirement of not using the WAN link, and even better, not using the New York TMG's own Internet link. The problem is that the URL gets rewritten (the client sees https://london.web.contoso.com/research from the point he's offered the forms-based authentication). Is there a way to achieve this as well?
It would be OK for the TMG server in New York to use its own Internet connection to send requests over to the TMG in London, as long as the whole setup works. Please let me know what you think. Would it be possible, or would it need some additional mechanism (e.g. geoDNS) to make it work using TMG?
Hi All,
I just installed Forefront TMG 2010 Standard on Windows Server 2008 R2. The machine is joined to the domain. "All Authenticated Users" are allowed to access the internet.
Previously we used ISA 2004 on the Windows 2000 platform.
We have both Windows XP Professional and Windows 7 Professional machines in the office.
When using ISA 2004, both Windows XP and Windows 7 users had no problem accessing the internet
(users did not need to input a username/password; once they launched IE, they could access the internet directly).
Once we swapped to TMG 2010:
1. Windows XP users have no problem accessing the internet (users do not need to input a username/password; once they launch IE, they can access the internet directly).
2. For Windows 7 users, once they launch IE, a popup window is displayed asking for username/password. Even though users input their domain username/password, the popup screen keeps re-appearing.
3. I have checked the TMG log, and it seems that "User: anonymous" is always passed to the TMG server from Windows 7 machines, so the authentication fails.
4. If I change "All Authenticated Users" to "All Users" in the TMG "Web Access Policy" rules, then Windows 7 users can also access the internet without problems.
The problem seems to be that Windows 7 does not send the correct user information to the TMG server to perform authentication.
Can you please help?
Thanks in advance