Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

How to create a policy to give access to the Internet for 1 hour only - ISA 2006


Hi,

I have two questions which are as follows.

1. How can I create a policy wherein I can give access to the INTERNET to all users for ONE HOUR only through ISA 2006?

2. How can I create a policy wherein I can give access to a particular site only to a user, blocking all other sites, through ISA 2006?

Thank you


Nayeem Mohammed Network Administrator


open port and https ISA 2006


Hi,

Need help. I am trying to access a server using HTTPS and port 4130 from behind the ISA 2006. The server is in front of the ISA 2006.

How should I do this?

For example, the server is accessed at https://ip of the server:4130

Thanks.

Forefront TMG opens too many UDP ports from 10xxx to 65xxx / lack of ports


Hi,

Forefront TMG opens too many UDP ports from 10xxx to 65xxx. Sometimes the server rejects the connection in case of a lack of ports. Please help me! The command "netstat -anb" shows something like this (part of the output):

"  UDP    192.168.1.1:10110    *:*
 [wspsrv.exe]
  UDP    192.168.1.1:10164    *:*
 [wspsrv.exe]
  UDP    192.168.1.1:10165    *:*
 [wspsrv.exe]
  UDP    192.168.1.1:10318    *:*
 [wspsrv.exe]
  UDP    192.168.1.1:10352    *:*
 [wspsrv.exe]
 ...
  UDP    192.168.1.1:63689    *:*
 [wspsrv.exe]
  UDP    192.168.1.1:63722    *:*
 [wspsrv.exe]
  UDP    192.168.1.1:63977    *:*
 [wspsrv.exe]
  UDP    192.168.1.1:64048    *:*
 [wspsrv.exe]
  UDP    192.168.1.1:64093    *:*
 [wspsrv.exe]
  UDP    192.168.1.1:64207    *:*
 ...
"

192.168.1.1 is the IP address of the TMG server.

PS Sorry for my English
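A quick way to quantify what this post describes, as an added example (not code from the thread or from Microsoft): a small Python parser for "netstat -anb" text that counts UDP ports per owning process and reports how much of a port pool is in use. The sample output embedded below is constructed, and the pool bounds (10000-65535, taken from the poster's observation rather than from any documented TMG setting) and the warning threshold are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample in the shape of Windows "netstat -anb" output; the
# addresses and process names are made up for this example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.1:8080       0.0.0.0:0              LISTENING
 [wspsrv.exe]
  TCP    192.168.1.1:3389       10.0.0.5:51234         ESTABLISHED
 [svchost.exe]
  UDP    192.168.1.1:53         *:*
 [dns.exe]
  UDP    192.168.1.1:10110      *:*
 [wspsrv.exe]
  UDP    192.168.1.1:10164      *:*
 [wspsrv.exe]
  UDP    192.168.1.1:63689      *:*
 [wspsrv.exe]
  UDP    192.168.1.1:64207      *:*
 [wspsrv.exe]
"""

# A socket line: proto, local ip:port, foreign address, optional TCP state.
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
# The bracketed owner line that "netstat -b" prints after the socket line.
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat(text):
    """Parse netstat -anb text into a list of socket records.

    Each record has proto, local_ip, local_port (int), foreign, state and
    owner. Sockets without a bracketed owner line get owner None.
    """
    records, last = [], None
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, ip, port, foreign, state = m.groups()
            last = {"proto": proto, "local_ip": ip, "local_port": int(port),
                    "foreign": foreign, "state": state, "owner": None}
            records.append(last)
            continue
        m = OWNER_RE.match(line)
        if m and last is not None:
            last["owner"] = m.group(1)
            last = None  # one owner line per socket
    return records


def udp_ports_in_range(records, low, high):
    """Count UDP local ports within [low, high] per owning process."""
    counts = Counter()
    for r in records:
        if r["proto"] == "UDP" and low <= r["local_port"] <= high:
            counts[r["owner"] or "<unknown>"] += 1
    return counts


def port_pressure(records, low, high, warn_fraction=0.8):
    """Return (used, pool_size, fraction, warning) for the UDP pool [low, high].

    warn_fraction is an assumed threshold for this example, not a TMG value.
    """
    used = sum(udp_ports_in_range(records, low, high).values())
    pool = high - low + 1
    frac = used / pool
    return used, pool, frac, frac >= warn_fraction


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    # Pool bounds assumed from the poster's observation (ports 10xxx-65xxx).
    for proc, n in udp_ports_in_range(recs, 10000, 65535).most_common():
        print(f"{proc}: {n} UDP ports in 10000-65535")
    used, pool, frac, warn = port_pressure(recs, 10000, 65535)
    print(f"{used}/{pool} ({frac:.1%}) of the pool in use; warning: {warn}")
```

Run it against a saved "netstat -anb" capture instead of the sample to see which process holds the ports and how close the pool is to exhaustion; the per-process split is what distinguishes a TMG-side leak from some other service consuming the range.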

Configure TMG to use 2 WAN connections with separate rules for the connections


Can you configure TMG to use 2 dissimilar WAN connections with separate rules for the connections?

We have an ADSL connection and a Wireless connection at the office.

We have traffic on both connections but I'm only running the one connection through TMG server at the moment.

Can you run both connections through the TMG server with separate rules for the 2 connections, and how do you set that up on the TMG server?

ISA 2006 NLB - 12202 The ISA Server denied the specified Uniform Resource Locator (URL).


Hi

We were using ISA 2006 NLB; we have disabled the NLB and are using the proxy servers separately, but on one of them we are getting an error while accessing the internet using that particular ISA 2006 server.

Error: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)

ISA Server configuration agent was unable to upload the configuration to the ISA Server services


I think I'm in serious trouble. ISA 2006 EE array (no service pack), firewall and proxy, no firewall client installed on clients, two nodes, each Windows Server 2003 R2 SP1. The CSS is another server running Windows Server 2003 R2 SP2. All members of the same AD domain. The standard config (except I should have made another CSS to be safe). Things have been working fine for...almost 2 years?

Today I started getting these alerts in the ISA log (didn't notice until I tried to make a change that didn't seem to really take effect):

The ISA Server configuration agent was unable to upload the configuration to the ISA Server services.
This could be due to a corrupt configuration. The ISA Server configuration agent is reverting the configuration back to the last known configuration.
The service that failed to load the configuration is: fwsrv.
 The failure is due to error: 0x8007000d

Event Viewer has this repeatedly:

Event Type: Error
Event Source: Microsoft ISA Server Control
Event Category: None
Event ID: 21209
Date:  7/9/2009
Time:  1:31:38 PM
User:  N/A
Computer: ISA1
Description:
The ISA Server configuration agent was unable to upload the configuration to the ISA Server services. This could be due to a corrupt configuration. The ISA Server configuration agent is reverting the configuration back to the last known configuration. The service that failed to load the configuration is: fwsrv.

Other specific errors about policies are listed there, too, but I think they are red herrings because ISA can't read the config. But I could be wrong.

It ends up with what you think might be a GOOD event (sort of):

Event Type: Information
Event Source: Microsoft ISA Server Control
Event Category: None
Event ID: 21211
Date:  7/9/2009
Time:  3:43:44 PM
User:  N/A
Computer: ISA1
Description:
A new configuration cannot be loaded, and configuration settings have been successfully reverted to last known good values. Check previous error events for possible reasons for the failure. The error description is: Some configuration changes were not applied. See the Windows event viewer for more details.

But it's not really good. I cannot export array or firewall policies. Event viewer whines about routing and other policies that should be (have been) fine. One event I find interesting is this, though:

Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 14019
Date:  7/9/2009
Time:  3:41:54 PM
User:  N/A
Computer: ISA1
Description:
ISA Server failed to load the firewall policy configuration. The failure occurred while loading the policy rule "FTP Access Rule".

It's interesting because when I try to export array or firewall policies it doesn't quite finish - I get this error:

The Computer referenced by Policy Rule FTP Access Rule does not exist.

The error occurred on object 'FTP Access Rule' of class 'Policy Rule' in the scope of array 'BHSArray'. 

Hmmm...I thought - could this really be the root, or just a red herring? Maybe I should track down the computer that doesn't exist and remove it from the rule.

But if I go to the aforementioned FTP Access Rule and click on the From tab, I get the error:

ISA Server cannot load the property page.
The system cannot find the file specified.

I seem to be able to open up other rules, etc...but changes don't seem to do anything but visually update.


Oh, this feels so, so bad...from my searching every other person who has had this problem doesn't seem to have a resolution other than "I reinstalled", it was specific to Exchange/OWA (which I don't run) or they opened a PSS, which I may have to do, also.

I did see this blog (thanks Tom for the link):
https://blogs.technet.com/isablog/archive/2009/01/26/Rebuilding-ISA-Configuration-Cache.aspx

And I wondered if I should do that. I do have daily tape (or SAN, whatever) backups of my CSS server, so if there's a file or files I could restore, I can. I do NOT have backups of each ISA node...Netbackup didn't seem to play nicely and we never sorted that out.

Any help would be greatly appreciated. In fact - half off your next heart transplant if you stop by our hospital. (We'll just charge more for the gown or something).

Thanks,
Bruce Lautenschlager

P.S.
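Added example, not the poster's or Microsoft's code: a Python helper that parses Event Viewer text of the kind pasted above into records, counts events by ID and source, and pulls the rule name out of Event ID 14019 descriptions so the failing rule can be located without reading every entry. The sample events are constructed in the shape of the poster's entries, and the description pattern is an assumption based on the wording shown in the post.

```python
import re
from collections import Counter

# Constructed sample in the shape of the poster's Event Viewer entries.
SAMPLE_EVENTS = """\
Event Type: Error
Event Source: Microsoft ISA Server Control
Event Category: None
Event ID: 21209
Date:  7/9/2009
Time:  1:31:38 PM
User:  N/A
Computer: ISA1
Description:
The ISA Server configuration agent was unable to upload the configuration to the ISA Server services. The service that failed to load the configuration is: fwsrv.

Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 14019
Date:  7/9/2009
Time:  3:41:54 PM
User:  N/A
Computer: ISA1
Description:
ISA Server failed to load the firewall policy configuration. The failure occurred while loading the policy rule "FTP Access Rule".

Event Type: Information
Event Source: Microsoft ISA Server Control
Event Category: None
Event ID: 21211
Date:  7/9/2009
Time:  3:43:44 PM
User:  N/A
Computer: ISA1
Description:
A new configuration cannot be loaded, and configuration settings have been successfully reverted to last known good values.
"""

FIELD_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
# Assumed pattern for the rule name in a 14019 description, based on the post.
RULE_RE = re.compile(r'loading the policy rule "([^"]+)"')


def parse_events(text):
    """Split Event Viewer text into one dict per event.

    Header fields become keys; everything after "Description:" is joined
    into a single "Description" string. Blocks without an Event ID are skipped.
    """
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev, desc, in_desc = {}, [], False
        for line in block.splitlines():
            if in_desc:
                desc.append(line.strip())
                continue
            if line.strip() == "Description:":
                in_desc = True
                continue
            m = FIELD_RE.match(line)
            if m:
                ev[m.group(1)] = m.group(2).strip()
        if "Event ID" in ev:
            ev["Description"] = " ".join(desc)
            events.append(ev)
    return events


def count_by_id_and_source(events):
    """Count events keyed by (Event ID, Event Source) to see what repeats."""
    return Counter((e["Event ID"], e.get("Event Source", "")) for e in events)


def failing_rules(events):
    """Rule names named in Event ID 14019 (policy failed to load) descriptions."""
    names = []
    for e in events:
        if e["Event ID"] == "14019":
            names.extend(RULE_RE.findall(e["Description"]))
    return names


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for (eid, src), n in count_by_id_and_source(evs).most_common():
        print(f"{eid} ({src}): {n}")
    print("rules that failed to load:", failing_rules(evs))
```

Paste the exported event text into the string (or read it from a file) and the rule list tells you which policy object to inspect first; the per-ID counts show whether the 21209 configuration-upload failures are the recurring symptom or one among many.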

New network does not connect to Internet


Hi Guys,

I have been trying to create a network that contains only one particular subnet range, to allow that subnet access to External through AD/TMG groups. Here is what I have done so far:

  1. Created new network containing the required subnet range i.e. 192.168.x.x - 192.168.x.x
  2. Created network rule to allow the new network (Source) to access External (Destination) with the Default IP address settings for NAT
  3. Created a Web Proxy rule to allow HTTP/HTTPS traffic from the new network to External for a user group created within TMG from AD
  4. Tried to access the Internet with the account assigned to the TMG group but no success

I can replace the new network with the built-in Internal network (which has the same addresses as the new network I created) and successfully access the Internet, but not when the new network is in the From field.

Our system:  Win2K8 R2 + TMG 2010 SP2 w/ all windows and Microsoft updates installed.

Any ideas?  Please let me know if you require more information

ForeFront TMG reports are blank.


I am running FF TMG 2010 on Server 2008 R2. The reports are blank. The alerts seem to be functioning as I can see results. I have attempted to apply SP1, but I am uncertain if it took. Version 7.0.7734 is shown in Control Panel - Remove Programs.

I have a user activity report set to run every 24 hours and one set to run every week. Both have all users (DOMAIN\user1;DOMAIN\user2;...) specified in the report interface.

I also have an ongoing daily report for web site usage.

I have been working on this for some time. Any ideas would be appreciated. Thanks,

 


TMG denying SQL connections


Hello,

I have the following setup and problem:

2 offices with site-to-site IPSec VPN. Branch office has TMG 2010 SP2 installed used as edge firewall and main office has Cisco router. I created the VPN based on the following article: http://www.carbonwind.net/ISA/CiscoVPN/CiscoRouterISAVPN.htm. Only difference is that I use certificate, not a shared password.

Everything works as a charm - DNS, AD, RDP, pings, etc.

Issues I have are the following:

From branch office, domain joined computers cannot connect to SQL server over 1433 and to sharepoint site running on port 81. What I see when I turn on logging on TMG is:

0x80074e21 FWX_E_ABORTIVE_SHUTDOWN with Status: A connection was abortively closed after one of the peers sent an RST packet. RST packet is sent from client - this message is not red.

then I get the red message: 

0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED with Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer. 

When connection to the SQL/SharePoint is established from a standalone computer behind the TMG, everything works as a charm.

Any ideas? I am thinking it might be related to some Application/Web filters in TMG, but I am not that sure about that.

Regards

Change Password Failing


In TMG 2010 SP2, I have set up a web listener allowing users to change their password.  It is using windows authentication.  The domain controller has a server certificate that is trusted by TMG.

But it fails when a user selects to change their password.  (Change password works if the user "must change their password on next logon".)

I cannot see any warnings/errors recorded on the TMG server.  On the domain controller, I see an audit failure entry for "An attempt was made to change an account's password" (id 4723) but no explanation why it failed.  Using netmon, LDAPS seems to be okay.

I would appreciate any suggestions on what I might be doing wrong, or what additional diagnostics I can collect.

Regards, Steve.

Centrally Manage TMG Policy Deployment


Hi All, new to TMG; I need help deploying TMG in TWO AD sites.

I have the below environment.

Purpose: I want to manage all my servers centrally; let's say if I create a firewall policy it should propagate to the TMG servers in both of my locations.

Environment:

  AD SITE A                                           AD SITE B

  Internet ISP1                                   Internet ISP2

  Physical Server 1                             Physical Server 2

Query:

  Can I deploy TMG Standard Edition in both locations and manage it centrally?

If NO:

   Which version of TMG do I have to install on both AD sites?

   Are only two physical servers enough?

Open port NUUO in Forefront TMG 2010


I have a problem: I need to open ports 5150 and 5160 from the external to the internal network. I use Forefront TMG 2010 for my proxy. My question is, what configuration allows ports 5150 and 5160 in Forefront TMG? What must I do?

Today's condition:

My firewall (pfSense) is forwarding ports 5150 and 5160 to my proxy (Forefront TMG) but the status is DOWN. I don't know what I must do now; please help me, thanks.

 

Which product replaces TMG functionality?


Hi,

I have several customers that wanted to deploy TMG Server as a web proxy/firewall back-end, but we all know that TMG is dying. Which product offers exactly the same functionality?


Cristian L Ruiz

How to Customize the Deny Website Page on TMG 2010 with custom images


I have Windows Server 2008 R2 with TMG 2010 and I want to change the deny page to a completely different HTML file. I have installed IIS7, but the local network can't access the files on the IIS7.

Please advise.

TMG log for bad authentication


Hi All,

We have Exchange published with TMG. If a user misses his password, how can I see which user did that?

When I go over the TMG logs the user field is empty; the only way I can see that a user missed his password is to go over the security log.

Is there another way?

Or are the sec logs the only way?

Thanks

Zarko


TMG configuration


Hi

I need some advice on setting up TMG.

I work for an academy and have a license for TMG we would like to use. We currently have two internal IP ranges 10.165.x.x and 172.16.x.x. We have multiple VLANs and all client computers on the network use the core switch as their gateway, the core switch then connects to our router. The router NATs the 10.165 range for us but we have just introduced the 172.16 range and would like to position the TMG server between the core switch and router to NAT the 172.16 range, and also for filtering purposes.

As we are an academy we use a proxy server that is based at the county for internet access; we have different ports for staff and students which we will need to carry on using. Is this possible?

Could someone advise on what configuration we would need for the above setup, or if it is even possible?

Thank you in advance

Shane

eBay ISAPI.dll phishing categorisation.


http://my.ebay.co.uk/ws/eBayISAPI.dll?MyEbay&gbh=1

This has happened before. MRS has it categorised as Shopping AND Phishing. Not sure how to convey the message that the Phishing category is wrong.

How do we get it fixed and how long should it take?

Thanks

Nick


Strange wireless AP problem


Dear all,

I have fftmg 2012 on a Win2k8 R2 box, edge firewall. Recently I set up a wireless access point (D-Link DWL-2100AP, IP: 192.168.1.10) and linked it to the local network. The purpose is to let staff using laptops connect to the local network via wifi (connection successful, got an IP from DHCP (let's say 192.168.1.107), able to log in to the domain and can browse the internet). When doing the test, I found out that as long as one staff member is connected to the network via wifi, the rest of the staff are not able to connect anymore. When nobody connects via wifi, I can ping the wireless access point (192.168.1.10). When one staff member is connected via wifi (got an IP from DHCP, let's say 192.168.1.107), there is no ping reply from the wireless access point (192.168.1.10). Pinging 192.168.1.107, I get a reply. Besides, I can't view the configuration page of that wireless access point (192.168.1.10) in the browser. It seems like after one staff member successfully connects to the local network via wifi, the access point merges with it. The wireless access point becomes transparent.



Appreciate for any help. Thanks guys!

TMG Array dont use NLB Address for Outside Communication


Hello together,

How can I change the following behaviour?

I have:
2x TMG Enterprise servers as an array
NLB on the inside and perimeter networks
Between the perimeter network and the internet/outside network is a Cisco ASA firewall
-> the primary NLB address of the perimeter network has a NAT entry for a public IP address

Now if I publish a website or connect through VPN on the outside IP address, all works fine.

But if I use the TMG Enterprise array as a proxy server I end up with a timeout of the request.
-> I use the inside NLB address to access the proxy server
-> the traffic should go through the perimeter network to the Cisco ASA
OK, so far so good, but the TMG servers use their own "physical" IP addresses to communicate with the ASA instead of the perimeter NLB address. How can I change or route around this problem so that the Cisco ASA only has to communicate with the NLB address instead of the physical ones?

Thanks in advance

3cx Authentication TMG 2010

Hi all, hope someone can help. I need to get 3CX to either authenticate or bypass the proxy for updates.

I am getting an authentication error when trying to update the 3CX system software.

Remote server returned an error: 407 proxy authentication required.

We are using TMG
All telephones work with no problems
I can access the internet on the server
we use virtual servers running vmware vsphere 5.0 esxi

All correct ports are open.


Our Proxy server is 192.168.1.1
our telephone server is 192.168.2.1
connect via a Vlan on 192.168.2.254

Our Proxy server and all other servers are part of domain1
our telephone server is not part of domain1 (standalone workgroup; this was to get around other TMG/3CX issues before virtualisation)

I have run 3cx firewall checker results below

All applications on our 3CX server can get to the web with no problems, except for the 3CX system when I try to update.



3CX Firewall Checker, v1.0. Copyright (C) 3CX Ltd. All rights reserved.

<08:16:53>: Phase 1, checking servers connection, please wait...
<08:16:53>: Stun Checker service is reachable. Phase 1 check passed.
<08:16:53>: Phase 2a, Check Port Forwarding to UDP SIP port, please wait...
<08:16:54>: UDP SIP Port is set to 5060. Response received WITH TRANSLATION 39213::5060. Phase 2a check passed with WARNINGS. Some functionality will be LIMITED. For more information, please visit 



Wireshark shows a GET for updates from 3CX,

then a 407 error.

Hope someone can help.



Baz

