Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

TMGC and outlook Problem!

Hi friends.

I had configured the TMG server with the appropriate configuration and rules for HTTP, HTTPS, POP3 and SMTP.

In the internal network, when clients have a gateway, they can send email from Office Outlook, but I don't want them to have a gateway because I have installed TMGC on them and configured TMG for WPAD, DHCP, DNS and others.

Everything is good except Outlook, although I configured the application settings related to TMGC on TMG (set the disable key for Outlook to 0),

but nothing works for all users! I can't understand where the TMGC configuration file (application.ini) and the other configuration are.

Of course I monitored the network: the client sends get/wpasd.dat and get /wpad.dat to TMG, and TMG sends the configuration file to the client, but Outlook can't connect to the internet or send or receive.

How can I find details about configuring Outlook of Winsock application to work with TMGC, or troubleshooting it? Or should I configure other keys related to Outlook in the TMGC application tab in TMG (like disableEX or ..?)? Or should I configure other things that were not on the internet or in Microsoft books?

I have really searched everywhere on the internet and done a lot of tests, and I really need HELP.

With best regards


VPN clients getting wrong default gateway and unable to access internal resources

Hi all ,

I have installed TMG 2010 on Windows Server 2008 R2 with the intention of setting up VPN. VPN clients can dial in, but they receive the wrong subnet mask and default gateway. As a result, when the VPN is connected from the client, they are unable to connect to the internet and access internal resources such as shared folders. I have tried to change the VPN client properties not to use the network default gateway; that gets the internet working, but the internal resources remain unreachable. Any suggestions on what to try?

Using non-web server publishing rule to publish web server

Hi

I've had to do this because of a problem with the way TMG passes authentication details to the website using the standard website publishing rule. All I want TMG to do is publish the site's logon page; however, as soon as TMG realises the site requires authentication, it steps in and passes the username/password to the site in a manner it doesn't understand, even on basic authentication. With all authentication off I just get a 403 URL denied error.

The site is running on 8080 and all I've done is point this traffic to the web server. It seems to work fine, however there must be a catch. Is this safe?

Thanks

Rhys

TMG crashed, replaced with old ISA server, SMTP traffic not going thru

The TMG server crashed. We have replaced it with an older ISA server which was shut down 6 months ago; now SMTP traffic is not working.

Any idea where we should first look?


bostjanc

TMG Listens on All Ports of DMZ Network Range

Hi guys, I have a strange issue with TMG 2010 (latest updates installed) running as a 3-leg firewall. Everything is working well except for the many attacks I get on my DMZ public IP range. The TMG DMZ range consists of a /26 valid range and is accessible from the internet by a route relationship. I just tested these valid IP addresses from the internet, and every port from 1-65535 is open to the internet. However, because the other party (a host in the DMZ) doesn't answer the port telnet, the TMG logs show a connection RST. But this makes our edge firewall a suitable host for attacks, since attackers or bots can see that all ports are open and answering on the first try... Is this okay? Isn't this a problem with the TMG DMZ range...

If I remove All Protocol access from External to DMZ, the problems go away and only ports that are really open on DMZ hosts get a successful telnet... How can I fix this issue?

How do I configure a SecureNAT client connecting to a ForeFront TMG 2010 Array (managed by an EMS server)?

Hello,

I have set up the following mini virtual network of servers:

Name:  ARRAY1
Role:  TMG Array member #1
NIC 1: 10.1.128.1/255.255.0.0 DNS: 10.1.128.3
NIC 2: External Public IP for Internet #1

Name:  ARRAY2
Role:  TMG Array member #2
NIC 1: 10.1.128.2/255.255.0.0 DNS: 10.1.128.3
NIC 2: External Public IP for Internet #2

Name:  DC
Role:  ADDS server, DNS server
NIC 1:  10.1.128.3/255.255.0.0 Default Gateway: 10.1.128.1 DNS: 10.1.128.3 (self)

Name:  EMS
Role:  EMS Server
NIC 1:  10.1.128.4/255.255.0.0 Default Gateway: NONE. DNS: 10.1.128.3 (self)
DNS Entry for the actual array called "TMGArray" points to 10.1.128.4.

Name:  VM1
Role:  Windows 7 Client
NIC 1: 10.1.128.5/255.255.0.0 Default Gateway: 10.1.128.4 DNS: 10.1.128.3

Independent internet connectivity on the two ARRAY* servers was verified and both ARRAY* servers were successfully added to an array called "TMGArray".

Now, the problem I am having is configuring clients to connect to the TMGArray for internet access, instead of directly to an individual TMG Server (which still works, btw).

In other words, for VM1:

NIC1: 10.1.128.5/255.255.0.0 DG: 10.1.128.1 DNS 10.1.128.3 <-- WORKS

but

NIC1: 10.1.128.5/255.255.0.0 DG: 10.1.128.4 DNS: 10.1.128.3 <-- DOES NOT WORK

How should I be configuring my client so that it connects to the internet via the TMG Array (EMS) and in SecureNAT mode (i.e. no browser config required)?

All help is greatly appreciated!

Thanks,
Waqqas

TMG Reporting

I have a 2 TMG server standalone array, and the daily report is generated on schedule but with the below view...

N.B.: it was working fine with the normal view, so please advise.


Edward

Issue with TMG 2010 - unauthorized users have internet as if they were authorized

Hello,

I have TMG 2010 deployed in a remote site to serve as an Internet proxy. In that remote site, there's a WS 2008 domain controller and a machine running WS 2008 and hosting Forefront TMG 2010.

In the past few days, the configuration of the TMG machine has been changed, that made it as an open gateway to internet... Users even with no configuration of Internet Proxy, with no permissions... are able to connect to internet.

About firewall rules, there's a rule for every user that gives him access to Internet from just one IP address.

The default rule, "Allow all users to access Internet", is deleted by default during the deployment of TMG.

The Web Access policy settings are:

  • Proxy web: activated (port : XX)
  • authentication: proxy authentication
  • HTTP compression: deactivated
  • Web cache: activated
  • Malware inspection: deactivated
  • HTTPS inspection: deactivated

Any help would be most welcome, and thanks in advance for your help.

Regards


Some sites are denied by ISA 2006, some websites are working smoothly through ISA 2006

hi,

ISA 2006 denied some sites with the error "Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)"

Thanks And Regards,

Ravi

Back to back firewall

I want to set up an IAG TMG server behind another firewall I have (SonicWall). My problem here is that I have to use external and internal IP addresses in the same network range. Is it possible?

Testing Veeam through TMG

Hi All,

Hoping someone can help me solve this problem as my TMG knowledge isn't the best and I'm struggling with this problem. I'll try my best to explain as it's quite a complicated setup.

I have a Hyper-V host which has 3 NICs in it. The first NIC has the IP 192.168.0.20 and is used for RDP management of the Hyper-V host. The other 2 NICs are teamed with the IP 192.168.0.21 and are used for my iSCSI LUNs, which reside on my NAS.

I have a test Domain which has the IP range 192.168.2.1 - 192.168.2.254. I also have a stand alone workgroup member VM which runs TMG 2010 and is used to forward on traffic from the 192.168.0.1 to the 192.168.2.1 subnet. The TMG server has a NIC which sits on 192.168.0.23 and another which is the Gateway for all the test Domain Servers (192.168.2.1)

I am currently testing Veeam. Veeam is installed as a virtual machine on the test domain with a 192.168.2.* address. I need to be able to resolve machines on 192.168.0.* from this VM so I can add the Hyper-V box into Veeam to back up the VMs.

I can browse both the 192.168.0.* and 192.168.2.* networks from the TMG server. However, I cannot browse the 192.168.0.* network from the Veeam server. I have tried creating a network through TMG for 192.168.0.1 - 192.168.0.254, and also a network rule to route traffic from the 192.168.2.* network to 192.168.0.*. I have then created a firewall rule to allow all traffic from the Internal network to the network created earlier. However, this has not worked. Can anyone advise where I am going wrong?

Regards,

Matt

FF TMG 2010 on Server 2012

Has anyone tried successfully installing Forefront TMG 2010 on Windows Server 2012?

I tried but failed; it complained about being unable to add roles and features.


Valuable skills are not learned, learned skills aren't valuable.


Rules stop working after minutes!

I configured a lab with the TMG 2010 evaluation version and everything went well. Now I have a strange problem: I configured a rule to block some web sites, and this rule was added as rule number 1; rule number 2 is to allow access to HTTP and HTTPS. When I restart the firewall service, users get the blocked pages blocked normally as expected, but after a few minutes users can open the blocked pages normally! Both rules' schedules are set to Always.
When I tried to monitor a machine, I found that they bypass the allow rule, without being stopped by the deny rule (no. 1).

Any help, please?

TMG can't let me to open my web site Panel.

Hello.

I use TMG 2010 on my gateway with some rules. I have a rule named NAT, and everyone added to this rule can use the Internet without any limitation. I added my IP address to this rule, but when I want to go to the cPanel of my web site it shows me an error and the web page can't open. I attached a photo.

What is your idea?

How to connect to a printer in another network

I have two networks: the first is 10.0.0.X and the other is 192.168.1.X,

and I have TMG routing between the two networks,

and I have a printer connected to a PC (192.168.1.140).

I need to connect to this printer from another PC in the other network (10.0.0.150).

How can I do this?


How can I solve "Error Code 10060: Connection Time Out" in TMG 2010?

Hello.

When I want to upload files to a web host, my browser shows me "Error Code 10060: Connection Time Out". How can I solve it?

I changed my DNS forwarder on the domain controller server too and added "8.8.8.8" and "4.2.2.1", but the problem is not solved.

My Windows server is 2008 R2 X64.

Thank you.

TMG 2010 network adapter losing connectivity after application of MS updates for October 2013

Shortly after we applied the Microsoft October 2013 updates to our TMG 2010 SP2 server, we started experiencing loss of connectivity on our Internet-facing adapter (could no longer ping the gateway etc.). A reboot would resolve the issue. The problem kept recurring, so we removed a couple of the networking-related updates for October (http://support.microsoft.com/kb/2888049) and (http://support.microsoft.com/kb/2882822) as a test. After these were removed the problem stopped.

We inadvertently reapplied these two updates during the November 2013 update cycle and the problem happened again. We removed the updates and everything is back to normal.

Just wondering if anyone else has applied these two updates to their TMG 2010 SP2 server and experienced any unusual issues?

Thanks

Special Rule for my Clients.

Hello.

I wrote a rule in TMG 2010 for two users, as you see in the pictures. My problem is that when, in "Condition", I choose my special users (for example, I create a new one and select my username from Active Directory), this rule does not work and I must select "All Users". How can I solve it?

Please see my pictures.

TMG ISP Redundancy

We have one isp which is configured with multiple ip addresses. We now need to move over to a new isp in 3 months time. I have configured tmg with the isp redundancy option.

The new ISP has assigned a number of IP addresses we can use. Can you have multiple IP addresses on the second ISP in TMG? I have configured the network card with the additional IP addresses, but it only appears to listen on the first IP address. On the primary ISP it's able to listen on all IP addresses.

We have a website which I want it to listen on one of the new ip addresses

What do you need to do to get the secondary nic/isp to listen on the additional ip addresses?


ip allow and block lists

Dear reader,

I'm using a third-party external spam filter (GFI). I also have an Exchange Edge with Forefront TMG and Forefront for Exchange in my perimeter. This machine will be replaced by some Fortinets soon, but for now I have to find a way to only allow the IP address ranges to communicate with our Exchange system.

I tried to simply allow IP addresses from GFI to communicate with port 25, but this rule seems to be a system default rule in TMG that cannot be altered.

So I have set all IP addresses from GFI in my IP allow list, to make sure the messages that are checked by GFI are not checked again by Forefront.

All MX records point to the GFI mail servers. But I noticed backscatter on my system. I think a spammer still delivers spam to my external IP address on port 25. Since it seems not to be possible to block port 25 for all IP addresses except the GFI addresses, I thought I could enable and use the IP block list.

Now my question is:

Will the IP block list take precedence over the IP allow list, or vice versa? This is what I want:

IP allow list: IP addresses GFI

ip block list: 0.0.0.0 255.255.255.255

Will everything be blocked now, or will the ip addresses from GFI be allowed?

Thanks in advance

Best regards,

Ruud Boersma


MCITP Enterprise administrator

ANSWER: IP Allow takes precedence. Just stumbled across a post that answers this question. Tested and confirmed.
