Hi all,
The problem is the OWA publishing over the Internet via TMG. TMG is not able to Catch the OWA LogOff URL page. So it will instead receive the "Close all your Browser Settings.." and no log out from OWA.
Does anyone get that "Real LogOut" fixed via TMG.
We like to route our RDP traffic through our TMG server, I read a lot on how to do this. My question is what will the filter give us, will it prevent malicious attacks over RDP and stop that traffic. Are there any technet articles on what attacks it can prevent?
Thanks in advanced.
Hello,
our company is using Office365 Exchange.
When I want to add an account to the Outlook desktop client, which is behind TMG firewall, it takes about 30 minutes when Outlook prompts for password again. Once I enter, account is provisioned.
When I do the same on the same PC, without TMG, it asks me for these credentials within 10 seconds.
I have All Outbound enabled - so no traffic is blocked from internal to external network.
I see an error on TMG - "The Connection was refused"
TMG is in factory defaults - tried on 2 instances.
DNS and other stuff is set correctly - validated several times on O365 portal. All DNS entries are available for PC behind the TMG.
There was exactly same problem with no resolution:
https://community.office365.com/en-us/f/156/t/225752
Can you please advise?
Thanks
I have Windows 2008R2 x64 server with Tmg 2010 Sp2 RU4 installed at it.
At the time there are 2 NICs at server: Lan and Wan, but Wan is disabled now.
There are some Win XP/7 clients at Lan combined to one workgroup.
Now I have 2 rules regarding Lan:
LocalHost->Internal - All allow
Internal -> LocalHost - All allow
After server started it is shown at Network places in clients and is at 'Net view' command output.
I mean Network neighborhood, that is browsing service.
All clients are presented at here (Network places and 'Net view' output) also.
That is all works as needed.
After some time server and only server is disappeared as from clients Network places as fron 'net view' output.
And then will not be appeared anymore.
But if Tmg service stops, and following Tmg goes to lockdown mode, server is appeared again as at Network places as at 'Net view' output.
Also, server is appeared here if Tmg stops fullly (with stopping fweng.sys driver) .
So, as I saw that Tmg allow all outgoing traffic to all networks in lockdown mode and very strict in inoming traffic.
If server is appeared in lockdown Tmg mode and is disappeared in normal mode that It can be a result of some outgoing traffic from LocalHost blocked.
But I have 'Allow all' from and to LoalHost rules.
In the case what is blocked in normal mode and/or what network is traffic blocked to that works in lockdown mode ?
And what additional rule/rules do I have to insert to Tmg ?
By the way, I tried fweng.sys from the latest Roll Update for SP1 with my SP2 Ru4 and server is appeared at clients Network places but wasn' t at 'Net view' output.
What changes were made at SP2 driver in comparing with fweng.sys from SP1 line ?
Name resolving via NetBios works at both cases fine, moreover I have Wins server installed.
P. S.: I know that browsing server is mostly reling on Broadcast as on unicast too.
But I examined network traffic at clients with Wireshark and saw network broadcast packets succesfully are outgone from server.
More over as I said clients also are visible at as server as at clients itself, that is all works fine regarding broadcast except server itself.
Name resolving via NetBios works fine, nbtstat -a Server from client show all necessary name registered as workgroup, as server, as loal master browser mail slot special name.
And server is disappeared from browsing list if after 12 minutes or 3 times of 12 minutes server as LMB (my server is locl master browser also) does not receive LMB packets from itself ( I saw with Wireshark that it send it) .
And that is why server is disappeared from some time.
But I don' t understand what Tmg blocks and what network for that such packets can not come to server itself (as I understand, may I am wrong) .
Actually it is broadcast packets sent by server to destination IP 192.168.0.255. And server has to receive such packets.
And it works fine without Tmg or with Tmg but in lockdown mode.
Can somebody additional to answers for questions above explain what is it LocalHost ?
Is it fully isolated network with it own workgroup differing from internal net workgroup ?
We have one isp which is configured with multiple ip addresses. We now need to move over to a new isp in 3 months time. I have configured tmg with the isp redundancy option.
The new isp has assigned a number of ip addresses we can use. Can you have multiple ip addresses on the second isp in tmg? I have configured the network card with the additional ip addresses but it only appears to listen on the the first ip address. On the primary isp its able to listen on all ip addresses.
We have a website which I want it to listen on one of the new ip addresses
What do you need to do to get the secondary nic/isp to listen on the additional ip addresses?
Hi,
I want to control download limit for users through ISA server 2006.
Anybody have any Idea about it. How we can set download limit in ISA 2006.
Regards,
Ravi
Hi,
I need to forward all HTTPS traffic that hit one of my TMG external public IP addresses (20.100.123.100) to an internal HTTPS server (10.0.0.100).
The internal https server runs multiple customer websites and I have no control over their domain names and SSL certificates so creating a SSL web publishing rule will not help here.
I created a non-web server publishing rule but the TMG denies the traffic as its destined for the localhost (20.100.123.100) and doesn't forward it on to my internal https server.
Is their a way to simply forward all https traffic from 20.100.123.100 to my internal https server 10.0.0.100?
If so what rule would I need?
Thanks,
Microsoft Partner
Hi,
I am newbie to TMG and need help to configure our TMG 2010.
In a nutshell, I need to allow users to access https://www.facebook.com/fanpage but www.facebook.com is blocked.
Can this be done? Would appreciate if you could share some pointers. Thanks!
Hello.
Some times my Clients can't Download Gmail Attachments and I collect Logs from TMG. What is your idea ?
My Gmail Rule is :
In this image I disable my rule.
Thank you.
Hello.
In TMG 2010 how can I write a rule that just let users for connect via my proxy name and port and users can't ping and anonymous application like Tor ?
Any idea?
Thank you.
Hello.
I exported my TMG config as XML file but can you introduce any application to me for viewing it?
Thank you.
Hello.
When I want to browse any web site, It show me "SSL CONNECTION ERROR". My TMG web access is as below :
As you see, I disabled "HTTPS Inspection" but I got "SSL Connection error". my Log is :
Any idea? My clients are Down and can't work with the internet :(. My Rule is :
Please advice.
Thank you.
Hello, i need help with Forefront TMG . the problem is simple, look at number #3-5
1. Forefront TMG 2010 were installed on Windows Server 2008 R2 Standard and updated via Preparation Tool TMG .
2. TMG Client requirement to join TMG Server [ Auto Detection / Name or Ip Address ] But I pick Auto Detect
3. So How Do I set up TMG Server to make sure my Client could join in ? Please Guide Me one by one .
4. Someone said to me about " Configure WPAD Server " on TMG Server . If I have to, do i need to set DNS on Windows Server first before Installing TMG ? but If I am, only "Forefront TMG Management only" options are available, the others are not.
Hi together,
since in the german TechNet plattform nobody has any ideas about this, i try it here :)
We have implemented a TMG 2010 (SP2 + Rollup 5) with HTTPS Inspection, the certificate to inspect sites is issued by an 2008 CA. We followed this blog post to generate it http://blogs.technet.com/b/isablog/archive/2014/08/29/how-to-create-a-cng-httpsi-cert-using-a-2008r2-ca.aspx
So far, so good. CNG/SHA2 Sites are no issue (twitter, Google etc pp) and work fine but some https sites throw the error 12030 code.
Examples for this behaviour are the sites httpsnow.org and https://www.nudelheissundhos.de
I dont know why this is a Problem, Proxy Service listens only on port 8080 (http + https), can this be an issue?
Another Thing i just noticed, httpsnow.org public key is 4096bit strong, the cng certificate is issued with 2048bit strength. Can this cause this issue? Can this be resolved if i issue a 4096bit certificate for inspection? Or should i use 8k to be sure there will be no further Problems with other sites?
On the other side, https://www.nudelheissundhos.de has "only" 2048bit andhttps://www.moparisthebest.com/ (some random site with sha1+4096bit) works fine
Hope someone knows about this Problem 12030 and can help me out :)
of course, the problematic sites can be reached when inspection is disabled for those....but i dont like this as a "solution" cause it is no solution and i dont understand why those sites are a problem.
Ah and this are our tls/ssl config on the server
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL] "AllowInsecureRenegoClients"=dword:00000000"DisableRenegoOnServer"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "DisabledByDefault"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enable"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "Enabled"=dword:00000001"DisabledByDefault"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "Enabled"=dword:00000001"DisabledByDefault"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "Enabled"=dword:00000001"DisabledByDefault"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "Enabled"=dword:00000001"DisabledByDefault"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "Enabled"=dword:00000001"DisabledByDefault"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "Enabled"=dword:00000001"DisabledByDefault"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "Enabled"=dword:00000001"DisabledByDefault"=dword:00000000 Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002] "Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
Thanks in advance
Hi Guys,
Would someone be able to help with this error:
HTTP/1.1 401 Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server
administrator. )
WWW-Authenticate: Basic Realm="xx.xx.xx.xx"
Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 2073
We are using TMG forefront but i am unable to find where to change the realm name so it stops leaking the private IP. Any help is greatly appreciated.
Thanks
Hi all,
experiencing an error with TMG 2010 which was never seen before. when opening the Network from the TMG 2010 console I am getting below error.
this firewall is connected to a domain and managing 6 networks ( 6 arms connected to TMG 2010).
other than the network tab, every other links are working fine.
has anybody gone through an error like this?
thanks.
Hi, I have a client that asked about an unusual request related to a web sniffer that shows a private IP address that TMG uses to publish the OWA site.
The web site: http://web-sniffer.net, when you run a URL request for the OWA site it shows this setting:
WWW-Authenticate: Basic Realm="172.16.x.x" which is the External Listening IP Address on the TMG for the OWA Web Publishing rule. The Pubilshing rule was created using the Exchange Publishing Wizard on the TMG. It has its own web listener, listening only to that IP address.
The TMG Server is behind a Checkpoint Firewall, so he doesn't have the public external IP Address directly assigned to the external NICs, that's why you can see it's a Private IP.
The Security Department considers this as a vulnerability and wants to hide this Private IP Address from showing there. Is there a way to do this? I'm not sure if this can be changed at all but let me know if anyone knows how...
Thanks for the replies
Eduardo Rojas
Hi All,
Due to slowness i need to by pass proxy server from my client computer.
What is the best method of by passing to user office365 portal ?
Hi Experts,
We have recently migrated to office365 therefore our client needs to access https://login.microsoftonline.com portal and it’s all application like SharePoint we feel that something is wrong when accessing this portal or Microsoft related Sites site time out errors, slowness and browser hanging issues so we check internet speed all fine all other sites like daily motion, Facebook all are working fine.
We also checked logging (From TMG) that anything blocking but nothing is blocking.
Our Setup (Scenario)
Client Configuration:
IP : 10.1.x.x
Mask : 255.255.0.0.
Gateway : 10.1.0.1 (Router IP)
DNS 1 : 10.1.0.50 (Domain Controller)
DNS 2 : 10.11.0.24 (Domain Controller)
DNS Configuration:
Active Directory Integrated DNS Server
Forwarding set :
8.8.8.8 (Google Public DNS)
10.11.0.24 (Domain Controller)
TMG Server Configuration:
Edge Firewall
Internal network
IP : 10.1.x.x
Mask : 255.255.0.0.
Gateway : 10.1.0.1 (Router IP)
DNS 1 : 10.1.0.50 (Domain Controller)
DNS 2 : 10.11.0.24 (Domain Controller)
External network
IP : 10.6.0.3
Mask : 255.255.0.0.
Gateway : 10.6.0.1 (Router IP)
DNS 1 : 10.1.6.0.1 (Router IP)
TMG RAM Utilization is 80 %