SHA-2 Support for TMG 2010
about Client dial-in VPN MAC address binding
Hi Expert,
We have configured VPN on the TMG server. How can we control client dial-in via MAC address binding?
Thanks in advance!
Microsoft Forefront Threat Management Gateway services keep stopping
Please assist urgently
Microsoft Forefront Threat Management Gateway 2010 services keep stopping. We are on Service Pack 2 Rollup 5.
The Event Viewer does not display the reason why the services stopped.
Your assistance will be highly appreciated
Regards
Daniel Nkuna
HTTPS site not opening
I recently configured my TMG 2010 Server for one of our sites. Most sites work perfectly well without any problem. The only sites I have a problem opening are the HTTPS sites. I am talking about everything from Google.com to personal banking sites.
I have tried to create Domain Name Sets of these sites and assign access rules to them but all to no avail.
The frustrating thing is that there is no error; all I get is "page cannot be displayed". :-(
I am kindly appealing to the community to help me on this.
Kassoka
Remote VPN clients associated network adapter
I have a TMG 2010 Server that acts as a 3-Leg Firewall (External, DMZ, Internal). I have 2 sets of remote VPN clients, both using separate subnets (one with statically assigned IPs via AD, one handled through the TMG/RRAS static pool). In both cases, my VPN subnet does not belong to ANY of my 3-Leg networks.
My question arises because, twice over the past few weeks, the VPN clients have become unreachable, for traffic both from VPN clients to the DMZ and from the DMZ to VPN clients. I receive the "associated address does not belong to any of the interfaces on TMG" error. In both cases I have been able to resolve it with a reboot.
So, in the case of having VPN clients on their own subnets, how and where should I add their subnets to the TMG interfaces?
pass through credentials for sharepoint list on ipad
I have a SharePoint Calendar that users are viewing on their iPads, and I have the link to the Calendar saved as an icon on their home screen.
But every time they open it they have to log in with their username and password on the MS Forefront TMG login screen to get to the SharePoint Calendar. This is annoying for the users.
Is there a way to pass through their login credentials to this SharePoint Calendar, so they can bypass logging in every time?
Their accounts are domain accounts in Active Directory.
Please help.
thank you!
Question about changing the certificate used by the SSTP VPN on a TMG 2010 server
Hi,
I need to change the certificate used by the SSTP VPN because the one I originally used didn't have a publicly visible CRL, which I've subsequently taken care of. I've read the instructions on how to update the certificate used by SSTP VPN, since changing it seems to be a non-trivial process. I've read the following links:
http://support.microsoft.com/kb/947027
http://kingofbytes.wordpress.com/2014/01/05/nightmare-on-vpn-street-with-tmg-and-sstp-part-1-of-4/
The process seems pretty straightforward. My only concern is that when I run the "netsh http show ssl" command on my TMG 2010/SSTP VPN server I get back this:
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : aa8903a20156be71f9a7e3047433013574b08c70
Application ID : {1d40ebc7-1983-4ac5-82aa-1e17a7ae9a0e}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
IP:port : [::]:443
Certificate Hash : aa8903a20156be71f9a7e3047433013574b08c70
Application ID : {1d40ebc7-1983-4ac5-82aa-1e17a7ae9a0e}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
What I'm concerned about is that the Application ID reported here is {1d40ebc7-1983-4ac5-82aa-1e17a7ae9a0e}, while the two links say it should be {ba195980-cd49-458b-9e23-c84ee0adcd75}, which is the App ID for the SSTP server. The only thing I can think of is that my SSTP server and certificate are bound to a different IP address than the default HTTP listener. If I look up the aa8903a20156be71f9a7e3047433013574b08c70 hash in the list of certs, it is an old expired machine certificate for the TMG server.
It seems that since this certificate is expired, removing it is OK, but I'm not sure about the other commands that update the SSL certs, like "netsh http add sslcert" for example. Do I have to tell the netsh http commands to use a different IP address?
Thanks
Nick
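An added example (not from Nick's post, the linked articles, or Microsoft) of a read-only audit for the situation above: it parses the output of "netsh http show ssl", flags any binding whose Application ID is not the SSTP listener's {ba195980-cd49-458b-9e23-c84ee0adcd75}, and looks each bound thumbprint up in the LocalMachine\My store to report whether the certificate is missing or expired. Run in an elevated PowerShell (3.0 or later) on the TMG server; it changes nothing, so it is safe to run before any "netsh http delete/add sslcert" step.

```powershell
# Added example, not from the thread or from Microsoft: read-only audit of HTTP.sys SSL bindings.
# Requires PowerShell 3.0+ (for [pscustomobject]). The SSTP app ID is the one cited in the thread.
$SstpAppId = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'

# Capture the netsh output and cut it into one text block per "IP:port" binding.
$raw    = (netsh http show ssl) -join "`n"
$blocks = ($raw -split '(?m)^\s*IP:port\s*:') | Where-Object { $_ -match 'Certificate Hash' }

$report = foreach ($b in $blocks) {
    $ipport = (($b -split "`n")[0]).Trim()
    $hash   = if ($b -match 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})')   { $Matches[1].ToUpper() } else { $null }
    $appId  = if ($b -match 'Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})') { $Matches[1].ToLower() } else { $null }

    # Look the thumbprint up in the machine's Personal store, where the SSTP certificate lives.
    $cert = Get-ChildItem Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $hash } | Select-Object -First 1

    # Collect everything that would make this binding unsuitable as the SSTP listener.
    $issues = @()
    if ($appId -ne $SstpAppId) { $issues += "AppID is not the SSTP listener ($appId)" }
    if (-not $cert) {
        $issues += 'certificate not found in LocalMachine\My'
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        $issues += "certificate expired $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    }

    [pscustomobject]@{
        Binding = $ipport
        Hash    = $hash
        AppId   = $appId
        Subject = if ($cert) { $cert.Subject } else { '-' }
        Expires = if ($cert) { $cert.NotAfter } else { $null }
        Status  = if ($issues) { $issues -join '; ' } else { 'OK for SSTP' }
    }
}

$report | Format-Table -AutoSize
```

On the output quoted in the post, both the 0.0.0.0:443 and [::]:443 rows would be flagged twice: wrong AppID, and an expired certificate.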
ForeFront TMG 2010 not scanning for malware
Hi,
Following the TechNet article below, we set up a TMG 2010 a couple of years ago for the purpose of malware inspection.
Last week we had some pentesters run some tests on our network, and to our surprise a Zeus virus could be downloaded and uploaded to a random self-made server via HTTP, and TMG allowed the connection.
My settings are the following:
Malware inspection is enabled
No source and destination exceptions are defined
NIS and Malware inspections are up to date.
The link to the technet article is:
https://technet.microsoft.com/en-us/library/dd182018.aspx
Could you please help me find out why TMG 2010 is not scanning for any malware? We tried with Cryptolocker and Zeus. The VirusTotal detection ratio is at least 52/57.
FF TMG 2010 on Server 2012
Has anyone tried successfully installing Forefront TMG 2010 on Windows Server 2012?
I tried but failed, it complained about unable to add roles and features.
Valuable skills are not learned, learned skills aren't valuable.
Install TMG 2010 on Windows Server 2012
Hi
How do I install TMG 2010 on Windows Server 2012? Please help me, it's essential for me.
Problems with TMG MRS Service
Is anyone experiencing any issues with the TMG MRS Service today? We're getting a lot of timeouts/errors, causing a lot of sites to show up as unknown. These are the errors we've been seeing since about 9am this morning (UTC):
The failure is due to error: The remote endpoint was not reachable.
The failure is due to error: The remote endpoint is unable to process the request due to being overloaded.
TMG not logging correct authentication
Hello,
I have a rather strange issue where I can't seem to find any logs on any of my servers, including TMG. I can log in using AD credentials to various sites we have, which rely on the same TMG servers and AD servers, perfectly fine with all accounts. However, when I have an account whose password is going to expire within a month (4 weeks), the users are unable to log in to the OWA site and get a message stating:
"You could not be logged onto the Forefront TMG. Make sure that your domain name, user name, and password are correct, and then try again."
However, if I use the same credentials on one of the other sites, the account works fine, as the account is still active and has not yet expired. The users are in different physical locations and different OUs, but on the same AD servers and TMG. The issue is not present with accounts which have had a recent password reset or are out of scope for a password expiration within a month. In other words, if they have an expiry date longer than a month away, they can log in to OWA perfectly fine.
The TMG will log traffic which is authenticated on OWA, and I can see this on the IIS servers and DCs as well. However, with the expiring account I see nothing on the TMG, IIS or DCs. The same thing happens if I fail authentication purposefully on a live account (one not expiring in the next 4 weeks). I am not sure where to go, as I have no logs to look through, so I can't see the issue to resolve it. The other sites, which are also published on the TMG, work fine regardless of an approaching expiration date.
Does anyone else have this issue or any ideas on where to go?
I hope this all makes sense.
Thanks in advance
James
VPN cannot access internal resources
Hello everyone,
We have a standalone TMG with 2 NICs, one on the internal network and the other to the ISP router; there are no firewalls between them, just this TMG.
Right now we can connect to the VPN, and the server gives us an internal IP via DHCP, but it has no access to any resource, not even ping.
We have rules created on the TMG that should give access; we even tried this access rule: allow all outbound traffic from Local Host and VPN Clients to External, Internal and Local Host, condition All Users.
thanks
Route - Internal IP to External IP
Hi,
Is it possible to route traffic between an internal IP and an external IP that's not bound to the external interface?
We have a video conferencing system that we just cannot get to work through TMG. It allows 'screen presentation' from a PC, so the PC screen is embedded in the video stream.
If we put the video conferencing system directly on the public internet (with one of our public IPs) it works absolutely flawlessly. However, because the internal PC is then on a different network from the video conferencing system, screen presentation no longer works, because the 2 can't talk to each other.
http://i.imgur.com/7nAizG0.png
Thanks
How can I open Jitsi or Pidgin for use through TMG?
Hello Folks.
How can I use Jitsi and Pidgin in a network that uses TMG as its firewall?
Cheers.
Allow users to change their password and change password at next login with TMG
Kerberos authentication on an NLB array Managed with an EMS
Hello,
I am trying to change the Web Proxy Client Authentication on a domain-joined TMG 2010 EMS-managed array from NTLM to Kerberos authentication. I initiated the change as described in the article below from one of the two node members; the Firewall and other services started successfully, with the exception of the NLB service.
I also noticed that there was an error updating the EMS configuration store when checking the Monitoring view after making the change.
https://technet.microsoft.com/en-us/library/hh454304.aspx
Must I initiate the change on the EMS, or could this be a case of insufficient privilege for the account used in making the change?
Akinzo
Source: Schannel
TMG 2010 Standard Edition
TMG Version 7.0.9193.515
Windows 2008 R2
Windows system logs are generating 3 different Schannel errors:
1 -
2 -
<Data Name="AlertDesc">40</Data>
<Data Name="ErrorState">1205</Data>
3 -
Has anyone resolved this in the past?
Muhammad Mehdi
ISP Redundancy vs. Web Publishing Rules!
Dear all, we have TMG installed and we want to improve availability, so we have configured ISP redundancy. However, after this configuration, all our Web Publishing Rules are not working correctly. Some internal websites published behind the TMG definitely do not work; others are not available externally from both ISP links (only from the first/main ISP link). Initially I thought that after configuring ISP redundancy both ISP links would be handled as the "External" network and all incoming rules would work transparently, independently of the ISP link. This does not seem to be the case.
Please, is there an approach we can use to configure ISP redundancy while keeping my incoming rules working? What problems must I expect in my incoming rules after enabling ISP redundancy?
Error details: 64 - The specified network name is no longer available.
Dear All,
I have a TMG 2010 SP2 server used to publish our Lync server services; suddenly it stopped working.
If I run Test Rule I receive the following error:
Time reported by the Microsoft Forefront TMG Firewall Service: 0.010 seconds
Testing https://lync.xxxxxxxx:4443/
Category: Connectivity error Error details: 64 - The specified network name is no longer available.
Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965
Also, from logging:
Failed Connection Attempt
Log type: Web Proxy (Reverse)
Status: 64 The specified network name is no longer available.
Source: Local Host (Connectivity Test) (x.x.x.x:10322)
Destination: x.x.x.x:4443
Request: GET https://lync.x.x.x.:4443/
Filter information:
Protocol: http
I tried installing a fresh Windows, but got the same error.
I'm not sure if this issue is from the TMG or the front end server. I checked the Event Viewer and the log, but there are no errors.