Channel: Forefront TMG and ISA Server forum

Disable SSLv3 on Threat Management Gateway (TMG)


Good morning,

I have a question, or rather I need confirmation of the correct way to disable SSLv3 support in TMG. We've finally reached a point where we can actually get this done and be done with POODLE and BEAST. All of our browsers and other clients have been upgraded so that they can support TLS 1.0 or higher (I'm pushing to be free of 1.0), so now we can start to tell the servers to ignore SSL altogether. On to TMG... from everything that I've seen in various places the method is the standard registry edit to change DWORD values, is that correct? So there is nothing to actually configure within TMG? If so, where can I find that?

I'm not the admin for this system, but I am the security guy and if I want this done I have to give them the instructions how to do it... that whole "plausible dependability" or CYA thing.

Thanks everyone!


HTTPS Inspection + Allow ALL untrusted certificates


Hello,

Is it possible to have HTTPSi active but not block sites with untrusted certificates? Yes, I know I can set an exclusion, but when I do so the traffic is not inspected either, and that's not what we want.

We don't care whether any 3rd party trusts the certificate or not; we just want to inspect the traffic and only that... no certificate checks.

Can we achieve this with TMG?

Thanks in advance


My Access Point can't ping TMG server.


Hello Folks.

I set up a VLAN on my Cisco access point and I want to share internet with my users. The problem is that my access point can't see TMG and users can't connect to the Internet.

The access point can ping other servers but can't ping TMG. How can I troubleshoot this problem?

Thanks.

TMG always returns blank wpad.dat file on Web Listener


Hello, I have a local web server published on port 80 with redirection to HTTPS for local and external clients. TMG refuses to serve the real "/wpad.dat" to clients; instead it serves blank HTML.

Now I created a web publishing rule with the same Web Listener on port 80 on the Internal network that redirects any request with path "/wpad.da*", but while this rule works for "/wpad.dad" and "/wpad.dat?" it doesn't work for "/wpad.dat"! Why?

I also created a simple rule to block access to the local "/wpad.dat" URL, but it doesn't work either while the web listener on the next rule is active; TMG still returns blank HTML.

And when the new rules are disabled, a request to the published server for "/wpad.dat" over HTTP returns blank HTML, while it should redirect to HTTPS and forward the request to the real server according to the rule configuration. However, a request over HTTPS is forwarded to the published server.

My configuration requires the local web server publication and distribution of the wpad.dat file on port 80; the only workaround I see is to make a new server that will redirect requests for the wpad.dat file to an alternate URL.

Thank you for any advice on my problem.

Forefront TMG 2010-Recover transaction logs from backup


Hi all,

Currently we have a single TMG 2010 with the latest updates in place, using SQL 2008 Express. The current Firewall and Web Proxy logs have been configured to delete logs after 30 days. We need to query TMG 2010 access logs for the last 2 months. The server is only protected with a full backup; there was no SQL 2008 Express backup in place.

How do we recover or merge them so that we are able to query logs for the last 2 months?

Regards.

TMG 3rd Party Reporting


Hey guys,

I was wondering if anybody knows of a free 3rd party reporting program that can take in TMG logs and do advanced reporting on them as well as alerts / automated import of logs and reporting (e.g. using scheduled tasks). I know Web Spy is a good one, but that's not free. Perhaps this is too good to be true, but I just thought I'd ask.

Thanks

3-Legged Perimeter.

I am not able to configure the 3-legged perimeter; is there any other way to make a DMZ? Please help!!

3rd party reporting recommendations


Looking for recommendations on 3rd party reporting solutions.

Thanks.


The computer with TMG installed can't access the network


Hello Everyone

My computer has Windows Server 2008 R2 installed. It has 2 network cards.

LAN network card: 192.168.1.254/24

Internet network card: gets IP automatically

My computer can access the network.

But when I installed TMG, my Internet card can't get an IP automatically and I can't access the network.

I created an access rule: Protocol: Allow outbound traffic, From: Internal, To: External

but it is not successful.

Help me

Can't join domain on TMG Server


My computer has Windows Server 2008 R2 installed.

First, I installed Forefront TMG 2010; thereafter I upgraded the domain controller.

I try to join the other computer to the domain but it's not successful. It has a notice: DNS has a problem.

How do I do that?

Help me

Accessing XenDesktop from External Source


I have a Netscaler, Storefront, and XenDesktop 7.6 infrastructure on my Internal Network. Everything Internal to my domain is working fine. I can connect to the Netscaler and launch a XenDesktop, and I can connect to the Storefront Web and launch a XenDesktop with no issues.

My problem is when external users try to launch a XenDesktop session. The Netscaler login is displayed, login with an authenticated user is completed and the published desktop is available. When clicking on the desktop, the Receiver Desktop viewer opens as if the desktop is connecting, however it just displays the spinning animation and Connecting.... It never connects. I have let it sit like this for 10-15 minutes.

I have a TMG 2010 as my primary firewall. I have not switched or migrated to a nestler yet because the TMG is working flawlessly. I have a publishing rule for the Netscaler, with SSL certificate. I am not seeing anything specific in the TMG logs that appear to be denying the XenDesktop session, yet it will not launch. It just hangs.


Can anyone shed any light on the situation? What should I check? All traffic should be over 443, correct? All the Citrix communication is happening between the Netscaler and the DDC etc. Any help/suggestions would be appreciated.

SK

How To Increase WEB CACHING HITS


Hello All,

I have configured WEB CACHING on my TMG Server 2010 and fulfilled all the requirements that WEB CACHING needs, but the cache results are still not very good.

I tried different types of rules but the cache utilization is still around 3 to 4% and internet traffic is 97%.

Is there any technique to get more utilization out of WEB Caching?

Alternative to TMG to block access to OWA in outside working hours.

Hello everyone,

I have a client who had a rule in ISA 2006 to block external access to OWA outside of working hours for some user groups because of labor laws.
My client replaced the ISA with a Cisco ASA 2 months ago; in doing so he lost this restriction and asked for help to return to restricting OWA outside of working hours.
I wonder if Microsoft's solution of ADFS and WAP on Windows Server 2012 R2 would solve my client's problem?

Any help will be appreciated

Dynamic port assignments


Hi all. If my question can be answered by reading the TMG documentation, feel free to direct me there (I tried searching for the admin documentation but couldn't find it).

Can someone tell me what the purpose of dynamic port assignment is from endpoint -> TMG? Once the traffic leaves TMG -> Internet, the actual service port is being used, but that doesn't help me for internal queries.

many thanks,

-P

Outlook 2010 can't get emails through TMG server


Dear All,

I have recently installed a TMG server in my network; after configuring basic rules, Outlook was unable to connect. We use SSL port 993 and SMTP port 465. Everything is working fine except email; there is no email server in my network.

Please advise or give some steps to allow the SSL ports to get email.

Thanks

kashif


Unable to browse microsoft website through ISA 2000 proxy


Dear Team,

I have installed Server 2003 in my virtual machine and have created a DNS on the same.

I also installed ISA 2000 with the SP2 patch. I am able to browse all websites except any Microsoft website.

Can anyone help me with this issue? My local PC is also able to connect to Microsoft websites without the proxy.

The error I am getting is 11004 host not found when I am using the proxy in IE, Mozilla or Chrome.

Thanks & Regards,

Habibur Rehman Ansari

TMG


Dears,

The customer needs TMG 2010 but it's not available now.

We need a quotation for an alternative solution (urgent).

Regards,

Setting up and Configuring WPAD


I have a site called POS that has TMG 2010 enterprise and is used ONLY as a proxy/caching server for clients to reach out to the internet.

I have another site called PF (via WAN link) that has no internet connection, so clients from PF go over the WAN to reach the POSTMG server to get access to the web.

I recently configured PFTMG at the PF site, but it uses the internet from POSTMG. Pilot clients at PF are manually configured to use PFTMG.

Now I want to do something cool. I recently got ISP internet service at the PF site, so I intend to have PFTMG use the ISP at PF.

I also want to use WPAD, so clients can auto-detect the proxy in case my ISP internet service at one site fails. I have one domain with different subnets, which are fine.

I am concerned about Wi-Fi clients, as the Wireless LAN Controller has its own DHCP for my Wi-Fi clients. Also VPN clients get their DHCP from my Checkpoint firewall.

Should I use WPAD via DHCP or WPAD via DNS, or what do you recommend?


Vijay

Lync Server 2013 error with TMG 2010


Good afternoon,

I have a problem when I connect to Lync using a cell phone; I'd love it if you could give me a hand. Checking the Forefront TMG I get these errors. Images attached.

HTTPS Inspection causes Error 12030 (Connection to the server ended unexpectedly)


Hi together,

Since nobody on the German TechNet platform has any ideas about this, I'll try it here :)

We have implemented a TMG 2010 (SP2 + Rollup 5) with HTTPS Inspection; the certificate used to inspect sites is issued by a 2008 CA. We followed this blog post to generate it: http://blogs.technet.com/b/isablog/archive/2014/08/29/how-to-create-a-cng-httpsi-cert-using-a-2008r2-ca.aspx

So far, so good. CNG/SHA2 sites are no issue (Twitter, Google etc.) and work fine, but some HTTPS sites throw the error code 12030.

Examples of this behaviour are the sites httpsnow.org and https://www.nudelheissundhos.de

I don't know why this is a problem; the Proxy Service listens only on port 8080 (http + https), can this be an issue?

Another thing I just noticed: the httpsnow.org public key is 4096 bit, while the CNG certificate is issued at 2048 bit. Can this cause the issue? Can it be resolved if I issue a 4096 bit certificate for inspection? Or should I use 8k to be sure there will be no further problems with other sites?

On the other side, https://www.nudelheissundhos.de has "only" 2048 bit and https://www.moparisthebest.com/ (some random site with SHA1 + 4096 bit) works fine.

Hope someone knows about this problem 12030 and can help me out :)

Of course, the problematic sites can be reached when inspection is disabled for them... but I don't like this as a "solution" because it is no solution, and I don't understand why those sites are a problem.

Ah, and this is our TLS/SSL config on the server:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"AllowInsecureRenegoClients"=dword:00000000
"DisableRenegoOnServer"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
; value name corrected from the posted "Enable" to "Enabled", the name SCHANNEL actually reads
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"

Thanks in advance
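The first post asks whether the SCHANNEL registry DWORDs are the way to switch SSLv3 off, and the post above pastes such an export with SSL 3.0 still enabled and an "Enable" value that SCHANNEL never reads. The following audit script is an added example, not code from either poster or from Microsoft: it parses a .reg export of the SCHANNEL\Protocols tree, reports legacy protocols that lack an explicit Enabled=0 and any value names SCHANNEL would ignore, and emits the fragment that disables a protocol. The embedded sample export is constructed to mirror the posted values; the rule that a missing Enabled value counts as enabled is an assumption chosen so the audit errs toward flagging.

```python
import re
# Constructed sample in the .reg export format of the post above; it mirrors that
# post's SCHANNEL block: SSL 3.0 enabled, and the SSL 2.0 server value spelled
# "Enable" (SCHANNEL only reads "Enabled"), so SSL 2.0 is not actually turned off.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enable"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"""
PROTOCOLS = "\\SCHANNEL\\Protocols\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_schannel(reg_text):
    # Map ('SSL 3.0', 'Server') -> {'Enabled': 1, ...} from a .reg export.
    keys, current = {}, None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if m := KEY_RE.match(line):
            current = None  # new [key]; only Protocols\<proto>\<Client|Server> matter
            if PROTOCOLS in m.group(1):
                proto, _, side = m.group(1).split(PROTOCOLS, 1)[1].partition("\\")
                if side in ("Client", "Server"):
                    current = keys.setdefault((proto, side), {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            current[m.group(1)] = int(m.group(2), 16)  # hex DWORD text to int
    return keys

def audit(reg_text):
    """Flag SSL 2.0/3.0 keys lacking an explicit Enabled=0, and value names that
    SCHANNEL ignores. Assumption: a missing Enabled value counts as enabled."""
    findings = []
    for (proto, side), values in parse_schannel(reg_text).items():
        for name in values:
            if name not in ("Enabled", "DisabledByDefault"):
                findings.append(f"{proto}\\{side}: ignored value name '{name}'")
        if proto.startswith("SSL") and values.get("Enabled", 1) != 0:
            findings.append(f"{proto}\\{side}: not disabled (needs Enabled=0)")
    return findings

def disable_fragment(proto):
    """Emit the .reg lines that switch `proto` off for both Client and Server."""
    base = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders" + PROTOCOLS
    out = ["Windows Registry Editor Version 5.00", ""]
    for side in ("Client", "Server"):
        out += [f"[{base}{proto}\\{side}]", '"Enabled"=dword:00000000', '"DisabledByDefault"=dword:00000001', ""]
    return "\n".join(out)
```

Running `audit(SAMPLE_REG)` reports both SSL keys; feeding `disable_fragment("SSL 3.0")` back through `audit` yields no findings, which is the check to run against a real `reg export` of the SCHANNEL key after the change.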
