Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

VPN clients have limited upload download speed through Forefront TMG 2010

I've seen this issue has been logged a few times in the past, but none of the tips mentioned have resolved my issue, so I'm posting a new thread.

Basically we have a problem where any of our staff who are connected remotely as a VPN client to our network are limited to around 1.5-2 Mbps upload or download from our head office to their home, whereas our internet connection is capable of just over 5 Mbps up/down. So if a remote user connects to the VPN, then maps a network drive to one of the servers in our head office and copies a large file down to their laptop/PC, the maximum file copy speed is only about 1.5-2 Mbps.

This speed limit only seems to apply to VPN clients accessing via the Forefront TMG server. For example, if the same remote user disconnects from the VPN, then downloads a file from our head office via our FTP site (which uses the same network connection, just a different protocol and therefore a different firewall policy rule), they achieve the maximum expected bandwidth of around 5 Mbps up/down. The same goes for HTTP traffic from within the head office downloading via Forefront TMG. Speedtest.net shows the expected 5 Mbps for internet traffic through the firewall.

Any suggestions or ideas as to why this is the case? Here's some info about our configuration.

Forefront TMG 2010 server v7.0.9193.575 (SP2, Rollup 3) running on Windows Server 2008 R2 Enterprise SP1 (as a VM).

Forefront TMG server VM hosted on Windows Server 2012 R2 with internal/external NICs allocated to the TMG VM.

Network Load Balancing disabled.

Malware Inspection disabled


New Version of TMG

Hi There!

Currently I am using ISA 2006 on Windows Server 2003. Now I want to upgrade it, but TMG is also discontinued now. Tell me what I can install in place of ISA 2006 or TMG?

Regards

Mohammad Bilal 

TMG 2010 SP2 and Error Install RU5

Hi

I have TMG 2010 SP2 on Windows Server 2008 R2. I downloaded RU5 and tried to install it, but during installation the setup freezes at the status "Creating the services Configuration...". I let it run for 5 hours but the state does not change.

Before installing the RU I installed all critical updates for the operating system and disabled AV (Symantec).

Any idea how to solve this problem?

Thanks.

ISA Server 2006 Internet issue

Hello

We are using ISA Server 2006 for managing internet access for the users in our domain. Sometimes, even though we have internet, the internet is not working through the ISA 2006 server. We check the alerts for concurrent connections from a particular IP, for any attacks from a user, and whether the service is running properly, but we are still not able to browse the internet for some time, for unknown reasons. If we restart the firewall the internet works fine; let's say the internet works fine for 5 days and then suddenly stops working, and if we check the internet from the internet service provider side it is good. Why does this happen??? Any solution or suggestion is welcome.

Thanks

Regards

Raj (Subadee)

Setup failed while registering Forefront TMG manage performance monitoring

I'm trying to install TMG SP2 Rollup 1 and I keep getting this error, and then it rolls back.

I did the lodctr /R and it didn't work.

I also tried bringing it in from PerfStringBackup.ini.

I added the DWORD value "Disable Performance Counters" to both the isactrl and IsaManagedCtrl services, and no go.

I brought up perfmon and tried to rebuild the counters and it still rolls back.

Does anyone have any other suggestions except what you see on Google?


0- Greetings from mirth

TMG Control Service Crashes

Hi all,

I have TMG 2010 SP1 (without update 1 installed-there's a problem with this I'll describe in a new thread), installed in the domain with Exchange 2007 SP3 (with latest rollups) Edge role. Everything's been running fine for nearly a year, until it came to renewing the Edge subscription (certificate was about to expire). That went well enough, but at the same time the Exchange server ran out of disk space, so I had to migrate the user mailboxes elsewhere. Since then, I've had this recurring problem where the Control service on TMG crashes (not sure if the subscription/mailbox move is relevant, but I'm providing as much info as possible).

In summary, I've managed to narrow the failure down to being caused by any firewall rules that use our External web listener (that is, services such as OWA, ActiveSync, and SharePoint). Internal access using an Internal web listener works fine (the only difference between the two listeners is that Internal is configured to listen on the Internal network and External on the External network; both listeners use the same wildcard cert).

When a user accesses the services above, they can log in but once they try to do something the session stops because the Control service has crashed (I'm presented with a 'Send Report to Microsoft' box on the server), the Firewall service stops itself and nothing comes in or goes out. When I restart the Firewall service, the TMG Managed Control service crashes which I then have to restart too.

I've been running with these firewall rules disabled for a little while now, and haven't had the service crash (yet), but that's not a good solution as users can't check their emails from home. I have tried creating a new listener and new rules, but that still causes a crash. Here are some logs from the Event Viewer.

When the Control Service crashes:

Log Name:  Application
Source:  Application Error
Date:   25/02/2011 17:33:49
Event ID:  1000
Task Category: (100)
Level:   Error
Keywords:  Classic
User:   N/A
Computer:  server.domain.local
Description:
Faulting application mspadmin.exe, version 7.0.8108.200, time stamp 0x4c17aca0, faulting module ncrypt.dll,
version 6.0.6002.18005, time stamp 0x49e0419b, exception code 0xc0000005, fault offset 0x000000000000310e,
process id 0xb9c, application start time 0x01cbd50653ba6415.
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Application Error" /><EventID Qualifiers="0">1000</EventID><Level>2</Level><Task>100</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2011-02-25T17:33:49.000Z" /><EventRecordID>311227</EventRecordID><Channel>Application</Channel><Computer>server.domain.local</Computer><Security /></System><EventData><Data>mspadmin.exe</Data><Data>7.0.8108.200</Data><Data>4c17aca0</Data><Data>ncrypt.dll</Data><Data>6.0.6002.18005</Data><Data>49e0419b</Data><Data>c0000005</Data><Data>000000000000310e</Data><Data>b9c</Data><Data>01cbd50653ba6415</Data></EventData></Event>

This appears to be caused by 'ncrypt.dll'; searching for this revealed that a 'fix' may be to copy a good version of this file. I have done this and it has made no difference.

Then, the TMG Firewall stops:

Log Name:  Application
Source:  Microsoft Forefront TMG Firewall
Date:   25/02/2011 17:34:01
Event ID:  14182
Task Category: None
Level:   Information
Keywords:  Classic
User:   N/A
Computer:  server.domain.local
Description:
The Firewall service was stopped gracefully.
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft Forefront TMG Firewall" /><EventID Qualifiers="16384">14182</EventID><Level>4</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2011-02-25T17:34:01.000Z" /><EventRecordID>311228</EventRecordID><Channel>Application</Channel><Computer>server.domain.local</Computer><Security /></System><EventData></EventData></Event>

 

And then, if I restart the Firewall while Managed Control is running:

Log Name:  Application
Source:  Application Error
Date:   28/02/2011 09:39:20
Event ID:  1000
Task Category: (100)
Level:   Error
Keywords:  Classic
User:   N/A
Computer:  server.domain.local
Description:
Faulting application IsaManagedCtrl.exe, version 7.0.8108.200, time stamp 0x4c17ac26, faulting module unknown,
version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x000000006fe6f37c,
process id 0x%9, application start time 0x%10.
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Application Error" /><EventID Qualifiers="0">1000</EventID><Level>2</Level><Task>100</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2011-02-28T09:39:20.000Z" /><EventRecordID>313832</EventRecordID><Channel>Application</Channel><Computer>server.domain.local</Computer><Security /></System><EventData><Data>IsaManagedCtrl.exe</Data><Data>7.0.8108.200</Data><Data>4c17ac26</Data><Data>unknown</Data><Data>0.0.0.0</Data><Data>00000000</Data><Data>c0000005</Data><Data>000000006fe6f37c</Data></EventData></Event>

 

I have found that I can typically stop the Managed Control service first, then restart the Firewall with no problems. I also have an ongoing alert that is new:

Log Name:  Application
Source:  Microsoft Forefront TMG Control
Date:   28/02/2011 11:29:39
Event ID:  32572
Task Category: None
Level:   Error
Keywords:  Classic
User:   N/A
Computer:  server.domain.local
Description:
Cache log failure: Failed to write content to the cache log; this may interfere with cache utilization monitoring. 
The failure is due to error: Category does not exist. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft Forefront TMG Control" /><EventID Qualifiers="49152">32572</EventID><Level>2</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2011-02-28T11:29:39.000Z" /><EventRecordID>314616</EventRecordID><Channel>Application</Channel><Computer>server.domain.local</Computer><Security /></System><EventData><Data>Category does not exist.</Data></EventData></Event>

 

I don't know if this is relevant, a topic for another thread, or nothing to worry about.

Thanks
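Added example, not part of the post above or of TMG itself: a short Python script that parses the Event XML records quoted in this post (namespace-aware, since the schemas.microsoft.com namespace otherwise breaks every element lookup), pulls the Application Error 1000 fields out by position (faulting application, faulting module, exception code, fault offset, process id), and pairs each crash with the Firewall service's "stopped gracefully" event (14182) that follows it within a window. The 60-second window and the field positions are assumptions of this example; the NTSTATUS names are the standard ones (0xc0000005 is an access violation). Note that the second crash record carries only eight Data fields, which is why its description text shows "%9" and "%10" instead of a process id and start time; the parser pads for that instead of raising.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sample input: the three Event XML records quoted in the post above, verbatim.
EVENTS = [
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Application Error" /><EventID Qualifiers="0">1000</EventID><Level>2</Level><Task>100</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2011-02-25T17:33:49.000Z" /><EventRecordID>311227</EventRecordID><Channel>Application</Channel><Computer>server.domain.local</Computer><Security /></System><EventData><Data>mspadmin.exe</Data><Data>7.0.8108.200</Data><Data>4c17aca0</Data><Data>ncrypt.dll</Data><Data>6.0.6002.18005</Data><Data>49e0419b</Data><Data>c0000005</Data><Data>000000000000310e</Data><Data>b9c</Data><Data>01cbd50653ba6415</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft Forefront TMG Firewall" /><EventID Qualifiers="16384">14182</EventID><Level>4</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2011-02-25T17:34:01.000Z" /><EventRecordID>311228</EventRecordID><Channel>Application</Channel><Computer>server.domain.local</Computer><Security /></System><EventData></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Application Error" /><EventID Qualifiers="0">1000</EventID><Level>2</Level><Task>100</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2011-02-28T09:39:20.000Z" /><EventRecordID>313832</EventRecordID><Channel>Application</Channel><Computer>server.domain.local</Computer><Security /></System><EventData><Data>IsaManagedCtrl.exe</Data><Data>7.0.8108.200</Data><Data>4c17ac26</Data><Data>unknown</Data><Data>0.0.0.0</Data><Data>00000000</Data><Data>c0000005</Data><Data>000000006fe6f37c</Data></EventData></Event>',
]

# Standard NTSTATUS names for the exception codes worth recognising at a glance.
EXCEPTION_NAMES = {
    "c0000005": "STATUS_ACCESS_VIOLATION",
    "c00000fd": "STATUS_STACK_OVERFLOW",
    "c0000409": "STATUS_STACK_BUFFER_OVERRUN",
}

FIREWALL_PROVIDER = "Microsoft Forefront TMG Firewall"
FIREWALL_STOPPED_GRACEFULLY = 14182


def parse_event(xml_text):
    """Return the fields of one Windows event as a dict (namespace-aware)."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    rec = {
        "provider": sysnode.find("e:Provider", NS).get("Name"),
        "event_id": int(sysnode.find("e:EventID", NS).text),
        "time": datetime.strptime(sysnode.find("e:TimeCreated", NS).get("SystemTime"),
                                  "%Y-%m-%dT%H:%M:%S.%fZ"),
        "computer": sysnode.find("e:Computer", NS).text,
        "data": [d.text or "" for d in root.findall("e:EventData/e:Data", NS)],
    }
    if rec["provider"] == "Application Error" and rec["event_id"] == 1000:
        # Application Error 1000 data layout (assumed here, matching the description text):
        # app, app version, app timestamp, module, module version, module timestamp,
        # exception code, fault offset, then optionally process id and start time.
        # The IsaManagedCtrl record has only eight fields, so pad rather than IndexError.
        d = rec["data"] + [""] * (10 - len(rec["data"]))
        rec.update(app=d[0], app_version=d[1], module=d[3], module_version=d[4],
                   exception=d[6], exception_name=EXCEPTION_NAMES.get(d[6], "unknown"),
                   offset=d[7], pid=d[8])
    return rec


def is_crash(rec):
    return rec["provider"] == "Application Error" and rec["event_id"] == 1000


def crash_summary(xml_events):
    """Count crashes by (faulting application, faulting module, exception code)."""
    counts = {}
    for rec in map(parse_event, xml_events):
        if is_crash(rec):
            key = (rec["app"], rec["module"], rec["exception"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def crashes_followed_by_stop(xml_events, window_seconds=60):
    """Pair each crash with the first Firewall 14182 event within the window (assumed 60 s)."""
    recs = sorted(map(parse_event, xml_events), key=lambda r: r["time"])
    pairs = []
    for i, r in enumerate(recs):
        if not is_crash(r):
            continue
        for later in recs[i + 1:]:
            delta = (later["time"] - r["time"]).total_seconds()
            if delta > window_seconds:
                break
            if later["provider"] == FIREWALL_PROVIDER and later["event_id"] == FIREWALL_STOPPED_GRACEFULLY:
                pairs.append((r["app"], r["module"], int(delta)))
                break
    return pairs


if __name__ == "__main__":
    for key, n in crash_summary(EVENTS).items():
        print("crash", key, "x", n)
    for app, module, secs in crashes_followed_by_stop(EVENTS):
        print(f"{app} ({module}) crash followed by Firewall stop after {secs}s")
```

Run it over a larger export (wevtutil qe Application /f:xml) by replacing EVENTS with the individual Event elements; the grouping shows whether every crash lands in the same module (ncrypt.dll here, which is the CNG crypto library the SSL listener relies on), and the pairing shows whether the Firewall service stop is a consequence of the Control service crash rather than an independent event.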

ISA 2006 and SHA2

Hello,

Do you know if SHA2 will work with ISA 2006 on Windows 2003?

I know that we must install patch 968730 on Windows 2003.

Best regards

Office 365 - Sharepoint denied access and TMG as a proxy Server

Hi

I have a TMG 2010 server acting as a proxy server for all my internal clients. We have migrated to Office 365 for mail and everyone can use it OK. I am trying to let our users connect to other Office 365 products such as sites and Skype, but even though I think I have added all the domains and ports, TMG seems to be blocking it as it thinks it is anonymous access, even though I have added all the Office 365 domains to the networking tab to bypass the proxy for those domains.

I can access all these sites if I bypass the proxy, which makes me think my firewalls are set up correctly. Has anybody had issues like this?


Traffic Routing from External to Perimeter using TMG 2010 3-Leg Template

Guys, I have a TMG box which has 3 NICs for LAN, Perimeter and External.

LAN IP range: 172.16.14.0/24

Perimeter range: valid range (the first IP has been set on the TMG perimeter interface, and servers behind TMG with a valid public IP address have internet)

External range: another valid range (some LAN resources are published, like the mail and web server)

Currently we have an Apache server in the perimeter zone with a public IP address and customers can browse the website. The problem is that when I want to check the IP addresses of customers who browsed this web server over HTTP, I just see the perimeter address of the TMG box, not the real addresses. But if users browse the HTTPS website on the same Apache server, I can determine which source IP tried and browsed the website. There seems to be a default rule that is trying to NAT the traffic from External to the Perimeter network range. However, I've configured the TMG box using the 3-Leg template and the network relationship between the Perimeter and External networks is Route. I also tried to modify the Perimeter network rule to match like this:

From: Perimeter,External

To: Perimeter,External

Network Relationship: Route

-----------

But it's still not working and I can only see the IP address of the perimeter interface in the Apache server for HTTP traffic.

I also tried to unbind the HTTP filter and defined a custom HTTP protocol and a separate firewall rule for that, but nothing changed.

Any help please?


TMG 2010 problem with Hyper-V 2008 R2 Synthetic network adapter?

Hi all,
I am experiencing this strange issue with my TMG 2010 in a VM on Hyper-V 2008 R2 running on a Fujitsu RX300 S7 with an HP NC360T and Intel I350:

When I am using a synthetic network adapter in Hyper-V as my external NIC, it loses its connection with the default gateway about every 2-3 days. ARP:
xxx.xxx.227.153                 Unreachable                 Incomplete

I have a second "external" NIC (legacy) running, which never lost its connection and whose ARP was always good.
Additionally, with the synthetic driver I had a feeling that TMG was unable to route packets correctly through either of the two NICs...

An example:

Nic 1: 10.1.1.10-.1.15 / DG: 10.1.1.1 (synthetic, Intel I350)
Nic 2: 192.168.1.10-.1.15 / DG: 192.168.1.1 (legacy, HP NC360T)

I set up a network rule which says From Computer XY -> External | Outbound IP: 10.1.1.14
While this rule was active with NIC 1 being a synthetic adapter, this computer XY never got any replies back... I found out with Wireshark that the Windows TCP/IP stack sent all packets through NIC 2 but with the source IP of NIC 1!?

I then read the article about how Server 2008 and later manages outbound IP connections and interface selection (longest prefix) and everything was clear and understandable.

But now I changed NIC 1 to legacy because of the three-day-gateway-ARP-dying problem, and suddenly, with both NICs being legacy, my example from above works perfectly correctly!

I am now able to set up a static NAT by selecting some PCs that should surf through NIC (and ISP) #1 while the rest surf through NIC #2.

Is this possible or just a coincidence?? Does anyone have a good explanation why legacy adapters seem to be better suited in my case?

Thank you!

Firewall Rule Order - To optimize or not to optimize

I'm an administrator for a shipboard TMG 2010 server which acts as a proxy for client workstations to interact with a shipboard router (to access external addresses). Our afloat LAN requires satellite communication, so slow connections are normal, and the current rule set is a bit of a mess in the organization department. Here is a synopsis of the setup:

  • 58 Total rules
  • ~1200 assets on our network
  • Most traffic leaves the firewall on rules 33-36
  • Server/Application specific rules are at the top of the list
  • Low priority users towards the bottom half

The question is: is it worth reshuffling the high-traffic rules higher up, above our server-specific rules, or is it best left as is?

In other words, will reordering the rules have a noticeable effect?

Thanks in advance for any assistance.
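Whether reordering pays depends on how far down the list the rule that actually matches most connections sits, and whether a swap changes which rule wins. The following Python is an added example, not part of this thread and not TMG code: it models TMG's top-down first-match evaluation over a constructed rule set shaped like the one described (server-specific rules at the top, the two rules that carry most traffic near the bottom), measures how many rule comparisons a traffic sample costs, and reorders by hit count while refusing to move a rule above an earlier one that overlaps it with the opposite action, since that is exactly the swap that silently changes the policy. Rule names, hosts and connection counts are invented, and the model only matches on source, destination and protocol (real TMG rules also match on users, schedules and content types), so treat it as a reasoning aid, not as something to drive the live policy.

```python
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: frozenset
    dst: frozenset
    proto: frozenset


def R(name, action, src=ANY, dst=ANY, proto=ANY):
    """Build a Rule from comma-separated strings; '*' means any (example helper)."""
    f = lambda s: frozenset(s.split(","))
    return Rule(name, action, f(src), f(dst), f(proto))


def _hit(field, value):
    return ANY in field or value in field


def first_match(rules, flow):
    """Top-down evaluation: the first rule matching (src, dst, proto) wins; no match = default deny."""
    src, dst, proto = flow
    for i, r in enumerate(rules):
        if _hit(r.src, src) and _hit(r.dst, dst) and _hit(r.proto, proto):
            return i, r
    return len(rules), None


def action_for(rules, flow):
    _, r = first_match(rules, flow)
    return r.action if r else "deny"


def evaluation_cost(rules, traffic):
    """Rule comparisons spent on a traffic sample [(flow, connections), ...]."""
    total = 0
    for flow, n in traffic:
        i, r = first_match(rules, flow)
        total += n * (i + 1 if r else len(rules))
    return total


def hit_counts(rules, traffic):
    hits = {r.name: 0 for r in rules}
    for flow, n in traffic:
        _, r = first_match(rules, flow)
        if r:
            hits[r.name] += n
    return hits


def overlap(a, b):
    """True when some single connection could match both rules."""
    inter = lambda x, y: ANY in x or ANY in y or bool(x & y)
    return inter(a.src, b.src) and inter(a.dst, b.dst) and inter(a.proto, b.proto)


def same_policy(rules_a, rules_b, flows):
    return all(action_for(rules_a, f) == action_for(rules_b, f) for f in flows)


def naive_reorder(rules, traffic):
    """Sort purely by hit count: fast, and wrong whenever a deny is overtaken by a broad allow."""
    hits = hit_counts(rules, traffic)
    return sorted(rules, key=lambda r: -hits[r.name])


def safe_reorder(rules, traffic):
    """Sort by hit count, but keep rule a above rule b whenever they overlap with different actions."""
    hits = hit_counts(rules, traffic)
    after = {r.name: set() for r in rules}   # rules that must stay below this one
    before = {r.name: set() for r in rules}  # rules that must stay above this one
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.action != b.action and overlap(a, b):
                after[a.name].add(b.name)
                before[b.name].add(a.name)

    def weight(name):
        # A blocking rule inherits the traffic of everything it holds back, so a
        # low-volume deny that guards a busy allow still rises with it.
        return max([hits[name]] + [weight(n) for n in after[name]])

    ordered, placed, pending = [], set(), list(rules)
    while pending:
        ready = [r for r in pending if before[r.name] <= placed]
        best = max(ready, key=lambda r: weight(r.name))
        ordered.append(best)
        placed.add(best.name)
        pending.remove(best)
    return ordered


# Constructed rule set and traffic sample (names, hosts and counts are invented).
RULES = [
    R("Block-streaming", "deny", dst="streaming.example", proto="http"),
    R("DB-replication", "allow", src="dbsrv", dst="dbsrv2", proto="sql"),
    R("Mail-outbound", "allow", src="mailsrv", proto="smtp"),
    R("Monitoring", "allow", src="nms", proto="snmp"),
    R("Users-web", "allow", src="users", proto="http,https"),
    R("Users-dns", "allow", src="users", dst="dns", proto="dns"),
    R("Guests-web", "allow", src="guests", proto="http"),
]
TRAFFIC = [
    (("users", "internet", "http"), 5000), (("users", "internet", "https"), 3000),
    (("users", "dns", "dns"), 6000), (("nms", "server1", "snmp"), 50),
    (("dbsrv", "dbsrv2", "sql"), 200), (("users", "streaming.example", "http"), 100),
    (("guests", "internet", "http"), 300), (("mailsrv", "internet", "smtp"), 400),
]
FLOWS = [f for f, _ in TRAFFIC]

if __name__ == "__main__":
    print("original cost:", evaluation_cost(RULES, TRAFFIC))
    safe = safe_reorder(RULES, TRAFFIC)
    print("safe reorder:", [r.name for r in safe], "cost:", evaluation_cost(safe, TRAFFIC),
          "same policy:", same_policy(RULES, safe, FLOWS))
    naive = naive_reorder(RULES, TRAFFIC)
    print("naive reorder same policy:", same_policy(RULES, naive, FLOWS))
```

On this sample the safe reorder halves the comparisons (80000 to 38750) while every flow keeps its verdict, whereas the naive sort moves Users-web above Block-streaming and turns the denied streaming flow into an allow. The check only covers the flows you feed it; the overlap constraint is what protects the flows you did not think of.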
TMG 2010 and Office 365

We are trying to get our TMG 2010 to accept SMTP STARTTLS traffic. Does anyone have any documentation on what that setup would look like?

Thanks in advance
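STARTTLS is negotiated inside the SMTP session itself: the client sends EHLO, the server lists STARTTLS among its extensions, the client issues the STARTTLS verb and, on a 220 reply, wraps the connection in TLS and re-issues EHLO (RFC 3207). Anything in the path that inspects SMTP commands therefore has to pass the STARTTLS verb through and stop inspecting once that 220 has gone by, because everything after it is ciphertext. The following Python is an added example, not code from this thread or from TMG: a scripted fake server plays the three cases worth testing from a client behind the firewall (STARTTLS offered and accepted; STARTTLS missing from the EHLO reply; STARTTLS advertised but the verb rejected, which is what an in-path device that does not know the command produces), and the client shows why it should be configured to require TLS rather than fall back to clear text. Server replies and host names are constructed; the example does not open sockets or do real TLS.

```python
class ScriptedSmtpServer:
    """Fake SMTP peer for offline testing: one canned reply per command verb (constructed)."""

    def __init__(self, advertise_starttls=True, accept_starttls=True):
        lines = ["250-mail.example.test", "250-SIZE 10485760"]
        if advertise_starttls:
            lines.insert(1, "250-STARTTLS")
        lines[-1] = lines[-1].replace("250-", "250 ", 1)  # last line of a multi-line reply uses a space
        self.replies = {"EHLO": "\n".join(lines), "MAIL": "250 2.1.0 Ok", "QUIT": "221 2.0.0 Bye"}
        if accept_starttls:
            self.replies["STARTTLS"] = "220 2.0.0 Ready to start TLS"
        self.tls_started = False

    def greet(self):
        return "220 mail.example.test ESMTP"

    def handle(self, line):
        verb = line.split()[0].upper()
        # A command-inspecting device that does not know the verb answers like this even when
        # the real server behind it would have accepted STARTTLS.
        reply = self.replies.get(verb, "500 5.5.1 Command unrecognized")
        if verb == "STARTTLS" and reply.startswith("220"):
            self.tls_started = True
        return reply


def smtp_session(server, require_tls=True, sender="user@example.test"):
    """Drive one SMTP session against `server`; returns (outcome, transcript).

    outcome is 'tls' when STARTTLS succeeded, 'cleartext' when the client fell back
    (only possible with require_tls=False), or the reason the client aborted.
    """
    transcript = [("S", server.greet())]

    def send(cmd):
        transcript.append(("C", cmd))
        reply = server.handle(cmd)
        transcript.append(("S", reply))
        return reply

    reply = send("EHLO client.example.test")
    if not reply.startswith("250"):
        send("QUIT")
        return "ehlo-rejected", transcript
    # Each continuation line of the multi-line 250 reply names one extension.
    extensions = {line[4:].split()[0].upper() for line in reply.splitlines()[1:] if len(line) > 4}
    if "STARTTLS" not in extensions:
        outcome = "no-starttls-advertised"
    elif send("STARTTLS").startswith("220"):
        # A real client wraps the socket in TLS here and MUST re-issue EHLO, discarding
        # everything learned from the clear-text EHLO (RFC 3207 section 4.2).
        send("EHLO client.example.test")
        outcome = "tls"
    else:
        outcome = "starttls-rejected"
    if outcome != "tls":
        if require_tls:
            send("QUIT")
            return outcome, transcript
        outcome = "cleartext"  # opportunistic fallback: the downgrade a stripped STARTTLS causes
    send(f"MAIL FROM:<{sender}>")
    send("QUIT")
    return outcome, transcript


def commands_sent(transcript):
    return [line.split()[0] for who, line in transcript if who == "C"]


if __name__ == "__main__":
    for label, srv, strict in [("good", ScriptedSmtpServer(), True),
                               ("stripped", ScriptedSmtpServer(advertise_starttls=False), True),
                               ("verb rejected", ScriptedSmtpServer(accept_starttls=False), True),
                               ("verb rejected, opportunistic", ScriptedSmtpServer(accept_starttls=False), False)]:
        outcome, transcript = smtp_session(srv, require_tls=strict)
        print(f"{label}: {outcome}")
        for who, line in transcript:
            print(f"  {who}: {line.splitlines()[0]}")
```

The "stripped" and "verb rejected" transcripts are what to compare against a real capture taken on the inside of the firewall versus on the outside: if the outside capture shows 250-STARTTLS and a 220 but the inside one does not, the device in between is the thing rewriting or refusing the verb. The last case shows why a client allowed to fall back still hands over MAIL FROM in the clear after the failed upgrade.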

Is it mandatory to install Rollup 5 on a TMG Forefront standalone array with SP2 Rollup 1, and what are the steps?

Hello TMG experts,

I am new to TMG Forefront management.

I have a TMG Forefront environment as a standalone array with NLB (load balanced) in a workgroup environment. This is acting as a reverse proxy for as many as 40 public-facing and very critical websites. It has SP2 and Rollup 1 installed already. The system has been working absolutely fine for the last year.

Our compliance team has asked us to install the latest patches on it, which is SP2 Rollup 5. I have the following questions regarding it.

1. Is it mandatory to install Rollup 5 on our environment when SP2 Rollup 1 is already installed and working absolutely fine?

2. Can we directly install Rollup 5 just after Rollup 1 (what about Rollups 2, 3 and 4)?

3. What are the steps to install Rollup 5 on a load-balanced (NLB) standalone array in a workgroup environment? Honestly, I cannot afford for the system to go down after the installation of the rollup :-(.

Please suggest.

Regards

Lalit

Error 10053

Hi

I have problems with a URL through the TMG.

If I navigate through another firewall which is not the TMG, it works well.

Failed Connection Attempt 
Log type: Web Proxy (Forward) 
Status: 10053 An established connection was aborted by the software in your host machine. 
Filter information: Req ID: 0f20371e 
Protocol: http 
User: anonymous 

Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x607c0000 (Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header. Response includes the CACHE-CONTROL: NO-STORE header. Response includes either the CACHE-CONTROL: MUST-REVALIDATE or CACHE-CONTROL: PROXY-REVALIDATE header. Response includes the CACHE-CONTROL: MAX-AGE or S-MAXAGE header. Response includes the VARY header. Response includes the TRANSFER-ENCODING header. Response should not be cached.)
Processing time: 156 MIME type: text/html;charset=ISO-8859

* The domain is excluded from malware scanning; it is accessed via anonymous access.
* Compression is disabled.

What can I look at?

TMG 2010 7.0.9193.644

TMG 2012 web error sometimes

Hi, I'm using TMG 2010 in my work network; we have 1 DC and 5 computers.

My problem is this: SOMETIMES I can't access different websites (none in particular) from user computers or servers. I tested connecting the computers directly to the modem and the problem disappears; also from the TMG server I don't have that problem.
It's just sometimes, not always, and if I refresh the page it sometimes connects.

Can someone give me an idea of what could be wrong?

TMG error 0xc004041c

Hi

Not able to access the Networking settings tab on the TMG array; it keeps popping up with error 0xc004041c.

"This network adapter gateway is not defined using a valid IP address.

The error occurred on object '' of class 'StaticRoute' in the scope of the array 'Zebra1'."

Can't see any correlation with the error, and it's not saying which interface the problem is on.

Any clues?


Blog Link: http://blogs.cyquent.ae | Follow us on Twitter:@cyquent | ADRMS Wiki Portal: Technet Wiki

Huge problem using Microsoft ISA Server

Hello all,

I'm trying to publish an address book through my firewall but get a very strange error. When I'm trying to synchronize my calendar, it works, but only in one direction. When I'm trying to synchronize from the cloud to my address book, I get the following error: Status: 207 The ring 2 stack is in use.
Rule: Own Cloud
Source: External (xxxxx)
Destination: (MyServer 192.168.100.21:80)
Request: PROPFIND MyInternalWebSite/remote.php/carddav/addressbooks/A6D4157C-2DCC-49F7-AF77-5432428F2C99

I googled this error but I cannot find the source of this problem. Does someone have an idea?
Thanks in advance to all for your help
Regards

Connectivity issues through TMG 2010 inbound RDP, outbound https

Sorry this is long, but trying to get as much info into the initial post.

Basic configuration: Windows 2008 R2 server running TMG 2010 acting as passthrough (not NAT) router and firewall for an internally hosted application. External network of TMG is on our intranet; perimeter network hosts a W2K8R2 server running Terminal Services; internal network has DCs and certificate server for the environment. A few other servers for database, FTP and file services.

Users connect via secure RDP from outside the environment though TMG to Remote Desktop server. Once on that server they do various tasks, including download of data from secure FTP sites (over https) on our intranet.

Three main issues, which we believe are related and caused by TMG, but we are not able to find a root cause. These started approximately 1 month ago, but we cannot see a connection with any changes in the environment or patches in May:

1. intermittent issues establishing RDP connection from clients on our intranet to the Remote Desktop server. Can fail when initially try to connect (generic "This computer can't connection with the remote computer" message). Sometimes they can get to enter their credentials, but then next stage when certificate for the secure connection is being checked they get same message and can't connect. In both instances within TMG log we see a Failed Connection with "The Object is shutting down" as the error message. Searching for help on this error message just comes back with lists of all the error messages on TMG and nothing useful to indicate what is actually shutting down. If they do make the connection it is stable - no reported dropouts or reconnections.

We have verified that making an RDP connection from the TMG to Remote Desktop server works each time, every time (and that a connection from outside the environment immediately after fails). Users working with the database and other internal FTP/file servers do not report any issues accessing these - all the issues seem to be with connection in to and out of the environment.

2. intermittent issues accessing externally hosted secure FTP sites from the Remote Desktop server to download data. These sites are accessible with no issues from outside the environment. Users have to authenticate with a smart card, select an option for the service they want and then either get to the FTP portal or get a "Service Unavailable" message (even though the service is definitely working). No Failure messages on the TMG. Again, once they do manage to get connected (which can take up to an hour after numerous attempts), connection is stable but can be slow.

3. intermittent issues accessing MS Exchange on our intranet from Outlook client running on the Remote Desktop server. Failed Connection message on the TMG for this https connection is "A socket operation was attempted to an unreachable network".

All the servers are VMs running on a single VMware ESXi 5.5 host. VMs have VMXNet3 NICs, so communicate at 10G between themselves. Physical NICs on host are 1G. There are many other VMs on the same host but no reported issues with any of these. The TMG and Remote Desktop VMs have sufficient CPU/memory, etc. with reservations set. The host has sufficient host and CPU.

We have run Wireshark from the client and Network Monitor on the TMG. In both we can see when making RDP connection you get Syn from client, Ack/Syn from RD, Ack from client, X224 request from client and then an Ack/Reset apparently from RD, but we are not seeing anything on the RD server indicating anything reaching it for the connection.

Can anyone make any suggestion on where to look next?

TIA



Microsoft Forefront TMG 2010 Error ID 14079

I have installed all updates up to Service Pack 2 Rollup 5 (released June 2014) but I still have trouble with the Firewall service failing every 3-10 minutes with Error ID 14079.

Is there a permanent fix for this apart from:

1. Disabling Caching, or Deleting and Re-creating Cache.

2. Disabling, or Enabling URL Filtering.

ISA 2006 - Not Able to Access URL: https://domain.com:8090

Hi

We have ISA 2006 and have configured NLB for two member servers.

We are not able to access the URL https://domain.com:8090. We tried to add the SSL port using the tool and created the web access rule, but we are still not able to connect.
