Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

Yahoo Messenger login fails with HTTPS Inspection enabled

Hi,

I have created a web access policy to allow my users to log in to Yahoo Messenger, and it fails when HTTPS Inspection is enabled. If I disable HTTPS Inspection, Messenger works fine. The log indicates that the https-inspect protocol failed with the Yahoo Messenger servers. I tried adding the Yahoo servers to the exemption list, but no luck. I tried so many combinations of exceptions, but nothing seems to work. Any idea how I can fix this issue with TMG SP1?

Thanks,


Cannot install service after SCW

Hello,

I have a TMG 2010 on Windows 2008 R2. I ran the Security Configuration Wizard (SCW) after installing TMG. I am now trying to add a remote client (ScreenConnect) using group policy and it keeps failing. I have tried manually installing the client and it installs successfully (it shows in appwiz.cpl), but the service cannot start:

ScreenConnect Service failed to start. Verify you have the permission to start the service

It then rolls back and uninstalls the software. Can I get this working?


Regards Tony "Great things can be expressed In fifteen words or less And bring that to your heart" - Kaiser Chiefs

Forefront TMG 2010 Spoofing issue preventing connections

I've been struggling with IP spoofing issues on our TMG 2010 server.

We have web services published to public IPs, all bound to a NIC called WAN-PUBLIC, which then NATs to the internal IPs of the web servers.

In certain scenarios we're unable to gain access to the servers and the ISA logs are full of spoofing errors such as this:

Log type: Firewall service

Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed. 

Rule: None - see Result Code

Source: Local Host (213.122.169.54:18816)

Destination: Internal (192.168.9.130:443)

Protocol: HTTPS

The source host in this scenario is an IIS server / NLB using ARR so it’s almost acting like a reverse proxy.

Below are the relevant public IPs bound to the WAN NIC; as you can see it has a default gateway set to an upstream ISP router.

Ethernet adapter WAN-PUBLIC:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 213.122.169.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.51
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.52
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.53
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.54
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.55
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.56
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.57
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.58
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.59
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 213.122.169.49

Below is the internal NIC of the ISA server (no gateway set):

Ethernet adapter LAN-PRIVATE:

   IPv4 Address. . . . . . . . . . . : 192.168.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

So the rule above that's failing is on the 192.168.9.x network; this network has a manual route defined that goes via an internal core switch.

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask         Gateway       Interface Metric
          0.0.0.0         0.0.0.0   213.122.169.49   213.122.169.50   266
       10.10.10.0   255.255.255.0      192.168.0.2     192.168.0.1     11
        127.0.0.0       255.0.0.0         On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255        On-link         127.0.0.1   306
      192.168.0.0   255.255.255.0         On-link       192.168.0.1   266
      192.168.0.1  255.255.255.255        On-link       192.168.0.1   266
    192.168.0.103  255.255.255.255   192.168.0.103    192.168.0.107    31
    192.168.0.107  255.255.255.255        On-link     192.168.0.107   286
    192.168.0.255  255.255.255.255        On-link       192.168.0.1   266
      192.168.9.0   255.255.255.0      192.168.0.2     192.168.0.1     11
    213.122.169.0    255.255.255.0        On-link    213.122.169.50   266
   213.122.169.50  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.51  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.52  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.53  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.54  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.55  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.56  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.57  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.58  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.59  255.255.255.255        On-link    213.122.169.50   266
  213.122.169.255  255.255.255.255        On-link    213.122.169.50   266
        224.0.0.0       240.0.0.0         On-link        127.0.0.1    306
        224.0.0.0       240.0.0.0         On-link      192.168.0.1    266
        224.0.0.0       240.0.0.0         On-link   213.122.169.50    266
        224.0.0.0       240.0.0.0         On-link    192.168.0.107    286
  255.255.255.255  255.255.255.255        On-link         127.0.0.1   306
  255.255.255.255  255.255.255.255        On-link       192.168.0.1   266
  255.255.255.255  255.255.255.255        On-link    213.122.169.50   266
  255.255.255.255  255.255.255.255        On-link     192.168.0.107   286
===========================================================================
Persistent Routes:
  Network Address         Netmask  Gateway Address  Metric
      192.168.9.0   255.255.255.0      192.168.0.2      1
       10.10.10.0   255.255.255.0      192.168.0.2      1
         0.0.0.0          0.0.0.0   213.122.169.49  Default

The 192.168.9.x network range has been defined within the ISA Network tab on the "Internal NIC".

I’ve run the ISA BPA and that’s not detected a configuration issue.

Any thoughts on how to proceed?
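The dropped-packet message in the post is TMG's spoof detection: a packet is accepted on an adapter only if its source address belongs on that adapter, as judged by the adapter's own addresses and the route table (a reverse-path check). The Python below is an added example written for this thread, not Forefront TMG's code; it models that check using adapter addresses and a reduced set of routes constructed from the ipconfig and route table in the post, and shows how a packet carrying one of the firewall's own public addresses (213.122.169.54 in the log line) or an internal address arriving on the wrong side is classified.

```python
import ipaddress

# Model of a reverse-path spoof check, written for this thread; it is not
# Forefront TMG's own code. Adapter addresses and routes are constructed from
# the ipconfig and route table in the post (only the routes that matter here).
ADAPTERS = {
    "WAN-PUBLIC": {ipaddress.ip_address(f"213.122.169.{i}") for i in range(50, 60)},
    "LAN-PRIVATE": {ipaddress.ip_address("192.168.0.1")},
}

# (destination network, gateway or None for on-link, adapter)
ROUTES = [
    ("0.0.0.0/0", "213.122.169.49", "WAN-PUBLIC"),
    ("10.10.10.0/24", "192.168.0.2", "LAN-PRIVATE"),
    ("192.168.0.0/24", None, "LAN-PRIVATE"),
    ("192.168.9.0/24", "192.168.0.2", "LAN-PRIVATE"),
    ("213.122.169.0/24", None, "WAN-PUBLIC"),
]


def route_for(ip):
    """Longest-prefix match over ROUTES, as the host's forwarding lookup does."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, gateway, adapter in ROUTES:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, adapter)
    return best


def source_network(ip):
    """Adapter a source address is reached through, or 'Local Host' when the
    address is one of the firewall's own."""
    addr = ipaddress.ip_address(ip)
    if any(addr in addrs for addrs in ADAPTERS.values()):
        return "Local Host"
    route = route_for(ip)
    return route[2] if route else None


def spoof_check(src_ip, ingress_adapter):
    """Return (verdict, reason). A packet passes on an adapter only when a reply
    to its source address would leave through that same adapter."""
    origin = source_network(src_ip)
    if origin == "Local Host":
        return "spoofed", f"{src_ip} is one of this host's own addresses; it cannot legitimately arrive on {ingress_adapter}"
    if origin is None:
        return "spoofed", f"no route back to {src_ip}"
    if origin != ingress_adapter:
        return "spoofed", f"{src_ip} is reached via {origin} but the packet arrived on {ingress_adapter}"
    return "ok", f"{src_ip} is expected on {ingress_adapter}"


if __name__ == "__main__":
    samples = [
        ("192.168.9.130", "LAN-PRIVATE"),   # internal server on the internal side: ok
        ("192.168.9.130", "WAN-PUBLIC"),    # internal address from the Internet: spoofed
        ("198.51.100.7", "WAN-PUBLIC"),     # Internet host via the default route: ok
        ("213.122.169.54", "LAN-PRIVATE"),  # the firewall's own public address: spoofed
    ]
    for src, adapter in samples:
        verdict, reason = spoof_check(src, adapter)
        print(f"{src:>16} on {adapter:<12} -> {verdict}: {reason}")
```

The check is only as good as the routing table and network definitions it reads, which is why a persistent route pointing a range at the wrong adapter, or a range missing from the network definition, shows up as spoofing drops rather than as a routing error.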

VPN client can not request IP address on TMG.

I installed FF TMG to replace an old ISA Server 2000. Now VPN clients using a preconfigured static IP address cannot connect and throw error 735. I found a workaround: go to nps.msc (Network Policy Server) -> Policies -> Network Policies -> FF TMG Default Policy -> Settings tab -> Under RRAS -> IP Settings, where I can change from "Server settings determine IP address assignment" to "Client may request an IP address".
This works fine as long as I do not make any change in the TMG console; once I save any change in the TMG management console, the configuration under NPS goes away (TMG overwrites everything). Please note that I do not want to use a RADIUS client; I just want to allow a Windows group to have VPN access.

How or where can I configure TMG to allow VPN clients to request an IP address? Or is there any way to make the NPS configuration persistent?

Thanks,

R L TechNet.

How to block Google+ in TMG-2010 Standard Edition

Dear Friends,

Please help me to block plus.google.com using TMG 2010.

When I query Google+ in the URL Categories, it shows Google Plus as "Online Communities & Search Engine".

HTTPS inspection is disabled on my TMG.

Please help.


Regards, Kumar Lokesh Singh, Assistant Manager Systems, Larsen & Toubro Ltd.-ECC Division.

Direct access to local servers

Hello,

I have local servers (Exchange and web servers). I have done the following to access the local servers, but TMG is still blocking them.

  • In the Forefront TMG Management console, click Networking.
  • On the details pane, click the Networks tab.
  • Right-click the required internal or perimeter network, and then click Properties.
  • On the Domains tab, do one or more of the following:
    • To add an entry, click Add, and then type in a domain for direct access, e.g. example.local and example.com.

Do I have to create a firewall rule for this?

Unidentified Traffic Blocked

Hi (Mayday call!!!)

I hope you can help. We're using a hosted room booking system which does an LDAP lookup with user logins to our Active Directory DCs. The administrator login on the site does not require an LDAP lookup as the account is not in AD. We have a back-to-back firewall architecture with ISA 2006 being the back firewall. For security reasons I don't allow LDAP on the default ports through our perimeter firewall, so I use 23389, which is NATed to 389.

I've created a custom protocol which allows LDAP inbound and used it with a non-web publishing rule to allow the LDAP lookup from the external hosted service, whose server IP addresses I allow in the rule. However, for some bizarre reason it gets blocked by the default rule, which identifies the protocol as LDAP and NOT the custom protocol I've defined and used in the publishing rule.

I therefore decided to use another TCP port to see how the packet was handled by ISA. I used 3389 instead and below is what happens.

NB: The strange thing is I have another LDAP lookup from the DMZ of the perimeter firewall which works!! The only difference I see between this working rule and the room booking one is that the room booking rule uses an external address.


TMG 2010 Firewall blocking Emails in Outlook 2007

All,

I am currently using Outlook 2007 for email, which uses POP3/SMTP for incoming and outgoing mail respectively. I recently installed and configured the Forefront TMG 2010 firewall on my network. A Web Access Rule has been configured and all machines on my home network can get on the Internet fine. I have confirmed that the POP3 and SMTP settings are correct. They had been working fine before I installed TMG 2010.

Now the problem is when I try to send email from Outlook 2007, I receive the error:

Error message: "Cannot find the e-mail server. Verify the server information in your account properties"

Now I cannot send and cannot receive any e-mails.

I have even created another access rule for POP3 & SMTP from the External network to the Internal network and this thing is still not working.
Any help will be appreciated very much.

Thanks,
Ahmad Ali


error 0x80092013:revocation server is offline in sstp vpn connection

Hi guys, I set up a TMG 2010 SP2 server in our domain. I want to create an SSTP VPN; our clients have Windows 7. We also have a local CA server for issuing certificates. I created the VPN connection settings on the TMG server, and also created a new web listener that uses a certificate issued by our local CA. I installed the root certificate in our VPN clients' computer account. But when I try to connect to the SSTP VPN, I get this error:

"error 0x80092013 the revocation function was unable to check revocation because the revocation server was offline"

I also disabled the registry setting in Windows 7 that checks for revocation, and it solved the problem.

But we cannot disable the registry setting for all clients!! Also, disabling the revocation check in the registry creates security issues.

So what should I do? What's the problem?

Thanks

Encountered Event ID 21285...

Hey guys,

We are currently experiencing Event ID 21285 in the Application log on ISA Server 2006. Please give us information, workarounds or suggestions to resolve this; it will be highly appreciated...

Thanks guys...

How to filter isc.org ANY attacks (DNS Amplification Attack)

Hi,

I'm receiving on average about 600 DNS requests per minute, all with the same (forged) source address and content (isc.org ANY).

How can I configure TMG to block this traffic? I would like to create rules that would look something like this:

"Filter dns where query contains isc.org" or "limit udp traffic for port 53 to 100 packets / minute / ip"

Thanks
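The two rule ideas in the post, match on query content and rate-limit UDP/53 per source per minute, can be expressed as detection logic over the DNS server's query log. The Python below is an added example written for this thread, not part of the post or of TMG; it assumes a constructed log line format (timestamp, src=, qname=, qtype=) and constructed sample lines using RFC 5737 documentation addresses, and it generalises the post's case by taking the query name, type and per-minute threshold as parameters.

```python
import re
from collections import Counter

# Constructed log format for this example; adapt LOG_RE to the real query log.
# The minute part of the timestamp is captured separately to bucket per minute.
LOG_RE = re.compile(
    r"^(?P<minute>\d{4}-\d\d-\d\d \d\d:\d\d):\d\d src=(?P<src>[\d.]+) "
    r"qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)


def parse_line(line):
    """Return the minute bucket, source, qname and qtype of a line, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def amplification_sources(lines, qname="isc.org", qtype="ANY", max_per_minute=100):
    """Sources that sent more than max_per_minute queries for qname/qtype in any
    single minute (the post's 'limit udp 53 to 100 packets / minute / ip')."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Content match: trailing dot and case do not matter in DNS names.
        if rec["qtype"] != qtype or rec["qname"].rstrip(".").lower() != qname:
            continue
        counts[(rec["src"], rec["minute"])] += 1
    return sorted({src for (src, _), n in counts.items() if n > max_per_minute})


def build_sample_log():
    """Constructed sample: one forged source flooding in a single minute, a
    second source with a handful of ANY queries, and unrelated traffic."""
    lines = [f"2012-08-07 10:15:{i % 60:02d} src=198.51.100.7 qname=isc.org. qtype=ANY"
             for i in range(150)]
    lines += [f"2012-08-07 10:15:{i:02d} src=203.0.113.5 qname=isc.org qtype=ANY"
              for i in range(3)]
    lines += [
        "2012-08-07 10:15:30 src=192.0.2.9 qname=www.example.com qtype=A",
        "2012-08-07 10:16:01 src=203.0.113.5 qname=isc.org qtype=ANY",
        "not a log line",
    ]
    return lines


if __name__ == "__main__":
    for src in amplification_sources(build_sample_log()):
        print(f"rate exceeded for isc.org ANY from {src}: candidate for a UDP/53 deny rule")
```

Because the source address is forged, as the post notes, the address this flags is the reflection victim, not the sender; a deny rule on it stops the server from taking part in the amplification, which is the defensive goal, and the same logic with a different qname/qtype catches the next reflection pattern.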


Windows Server 2008 R2 Standard with TMG , computer user name disappearing, unable to connect VPN

Setup : Windows Server 2008 R2 Standard with TMG

We have noticed a strange problem recently, twice, where the TMG server running on Windows 2008 R2 Std is losing the computer user name, hence the site-to-site VPN is failing. When we recreate the user name the VPN connects.

Please help

Migration TMG workgroup to domain?

Hi,

Just wanted to confirm the process of migrating a workgroup TMG to a domain-joined TMG:

1. Back up the workgroup TMG & firewall rules.

2. Join TMG to the domain.

3. Proceed with additional tasks if required, e.g. create an array, install a second TMG array member, etc.

Thank you,

SK

Error while installing Mcafee

I have a strange situation: when trying to install McAfee on the TMG server it will not connect to my enterprise server to communicate and install the antivirus (telnet fails on ports 9080 to 9085).

I created an inbound and outbound rule for ports 9080 to 9085 so that TMG can communicate with the centralised server.

When I run the log event test it always goes to the last rule, which is the default, irrespective of the McAfee rule (inbound and outbound) above the default.

TMG report shows blank "Top Web Sites"

Hi All,

I am not sure why, but this used to work and it doesn't seem to anymore. If we run a report everything shows OK apart from "Top Web Sites", which just shows as a - and 100%; it does not list the sites. If you do normal logging reports you can see the sites OK. As we are a large site, and to keep logs to a minimum, we only log certain fields (Client IP, Client Username, Log Date, Log Time, Destination IP, Destination Port, URL). I'm not sure why it won't list the top web sites in the reports; any ideas what to check?

Thanks, Duncan


A non-SYN Packet was dropped in TMG

We are deploying TMG as our front-end firewall to replace ISA 2006 and have been receiving "A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG Server". We only see the error when trying to access a web-hosted application over a Citrix connection, and it doesn't occur in ISA. What the clients see is a Citrix-generated proxy authentication dialog which does not accept the credentials when they are entered and only pops the dialog back up again. The application never starts.

I have authentication enabled in the main web access rule, and if I turn it off (change All Authenticated Users to All Users in the Users tab of the web access rule), I am able to connect. All other internal and external traffic seems to be fine, just this one application. Any idea what might be causing the error, or how it is connected to authentication?

Our current ISA 2006 box also requires authentication (require all users to authenticate is checked in the Internal network properties), and does not have any problems connecting.

Jonathan

Disable web proxy filter and direct access list

Hi,

If I disable the Web proxy on the internal network and use the F/W client only (no SecureNAT clients), then when the F/W policy is configured to allow "all authenticated users" HTTP/HTTPS access, the F/W client will help IE authenticate to TMG. That is what I know now.

But if I configure direct access URLs (the bypass proxy list) in the web browser on the internal network, when IE browses a website in the list, will the traffic go through TMG or go directly via the default gateway?

George


邁格行動 technical consultant George (小顧), blog: http://www.magg.com.tw/blog/

publish outlook anywhere 2010 with autodiscover via TMG not work when using Basic Authen method

Thanks for your help.

I'm configuring publishing of Outlook Anywhere 2010, using Autodiscover to configure the Outlook 2010 profile via TMG.

The CAS server Autodiscover authentication settings have only "Basic" and "Windows" authentication enabled.

In the TMG publishing rule, when I select "No delegation, but client may authenticate directly" on the "Authentication Delegation" page and start Outlook, the Outlook profile is created automatically after I enter the email address and password.

But when I select "Basic Authentication" on the "Authentication Delegation" page, start Outlook for the first time and enter the email address and password, the profile can't be created.

From the "Test Email Configuration" tool in Outlook, it shows that Autodiscover failed with:

- httpStatus=401

- httpStatus=403

What might be the mitigation? How can I solve it?

Thanks a lot

Patrick

Network Inspection System (NIS)

Hello everybody,

I have Forefront TMG 2010 Enterprise in my environment, and I have a problem related to the Network Inspection System (NIS): it has been out of date since 07/08/2012.

Does anyone know how to fix it, or is it a problem with Microsoft?

Thank you

Certificate TMG

Friends,

I have a TMG Enterprise, and it is packed with these events:

Description: Forefront TMG failed to sign a cloned SSL server certificate for a destination server using a certification authority (CA) certificate

How can I fix this?

Thanks
