Channel: Forefront TMG and ISA Server forum

URL filtering licensing


Hi. Please see these questions regarding url-filtering on TMG.

Is URL filtering a licensed product that is part of web protection services? I have seen differing answers, but the post on the ISA Blog seems to indicate so: http://blogs.technet.com/b/isablog/archive/2010/02/02/forefront-tmg-2010-web-protection-services-licensing.aspx

How does a small business with a handful of users purchase the url-filtering license if they do not have an EA? They are not interested in purchasing the malware protection, but just the url-filtering.

Also, if they do not want to spend any extra money, can I simply configure url-filtering via excluded domains, the way it was recommended with ISA 2006 and ISA 2004?

Will url-filtering be unavailable if the license expires, or will it just not be updated regularly?

Thanks.


web publishing Apache secure server


Our vendor recently updated the Apache web server for our ticket sales. But now our web publishing no longer works. The error I get when I test the connection is 12030 "the connection with the server was terminated abnormally".

The log error is the following.

Failed Connection Attempt ISATHEATRE 10/6/2015 2:15:27 PM
Log type: Web Proxy (Reverse)
Status: 12030 The connection with the server was terminated abnormally.
Source: Local Host (Connectivity Test) (192.168.2.1:58096)
Destination: 192.168.2.4:443
Request: GET https://tickets.CompanyDomain.ca:443/
Filter information:
Protocol: http
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) Fetch API Request
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 1
MIME type:

The apache server works and certificates work properly. I am fairly sure the export of certificate and import into TMG is fine. It imported into TMG correctly.

The publishing rule is set up as follows:
- General: Tickets web site, Enable checked.
- Action: Allow, log requests checked.
- From: Anywhere.
- To: (published site and computer name or IP) tickets.companydomain.ca; also tried the IP address, same error. "Forward the original host header" is checked. "Requests appear to come from the original client" is selected.
- Traffic: both HTTP and HTTPS (originally I had just HTTPS).
- Listener:
  - Network: External
  - Connections: enable HTTP and HTTPS (originally I tried just HTTPS); do not redirect traffic.
  - Certificates: the correct one is selected.
  - Authentication: no authentication.
- Public name: the correct domain name is listed. It's entered into DNS and, for giggles, I entered it into the hosts file.
- Path: no changes.
- Authentication delegation: no delegation, but client may authenticate directly.
- Users: all users.
- Bridging: web server, redirect requests to SSL port.

Apache is 2.4 on windows 2008r2 fully patched. TMG is on 2008r2 sp2 rollup5.

Symantec Endpoint is installed on Apache, but turned off right now. (But I can open the web sales site inside the network anyway.) I have everything in a test virtualized network now and have been testing for a while. I am thinking it's Apache somehow… Any help would be greatly appreciated; I am out of ideas. Thanks

Mr. Kim R Korenek

How do I remove Safe Search and Dell Sonic Wall from my computer? Please Advise.

Reports are not showing correctly


hi all,

need a solution for this issue

thanks

10060 A connection attempt failed


10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Failed Connection AttemptHO-TMG 10/8/2015 10:32:37 AM
Log type:Web Proxy (Forward)
Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Rule:Full Access
Source:Internal (10.1.0.200:61666)
Destination:Internal (2.19.91.31:443)
Request: i1.social.s-msft.com:443
Filter information:Req ID: 0b660783; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel
User: CSAPLHO\osama.mansoor
Additional information
  • Client agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
  • Object source: Internet (Source is the Internet. Object was added to the cache.)
  • Cache info: 0x0
  • Processing time: 0 MIME type:

I just found the above error only on Microsoft-related sites such as MS TechNet and the Office 365 portal.
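The two log entries above (the 12030 reverse-proxy entry in the Apache post and the 10060 forward-proxy entry here) are in the same "Key: Value" layout that the TMG log viewer produces on copy. The following parser and triage helper is an added example, not code from the original posts or from Microsoft; the two sample entries are constructed from the values in the posts, and the status-code hints encode the Winsock/WinHTTP meaning of each code (10060 WSAETIMEDOUT, 12030 ERROR_INTERNET_CONNECTION_ABORTED, 12209 as the proxy's authorization challenge). It also flags one thing worth a second look in the 10060 entry: a destination that is a public address but that TMG reports as belonging to the "Internal" network, which usually means the Internal network's address range is wider than intended.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Two sample entries in the "Key: Value" layout of a copied TMG log line.
# Constructed for this example; the values come from the posts above.
SAMPLE_10060 = """Failed Connection Attempt HO-TMG 10/8/2015 10:32:37 AM
Log type: Web Proxy (Forward)
Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Rule: Full Access
Source: Internal (10.1.0.200:61666)
Destination: Internal (2.19.91.31:443)
Request: i1.social.s-msft.com:443
Filter information: Req ID: 0b660783; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel
User: CSAPLHO\\osama.mansoor
"""

SAMPLE_12030 = """Failed Connection Attempt ISATHEATRE 10/6/2015 2:15:27 PM
Log type: Web Proxy (Reverse)
Status: 12030 The connection with the server was terminated abnormally.
Source: Local Host (Connectivity Test) (192.168.2.1:58096)
Destination: 192.168.2.4:443
Request: GET https://tickets.CompanyDomain.ca:443/
Protocol: http
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
LABEL_RE = re.compile(r"([A-Za-z ]+?)\s*\(")

# Where the fault usually lies for the status codes seen on this page.
STATUS_HINTS = {
    10060: ("backend", "WSAETIMEDOUT: TMG sent the request and the upstream host never answered; "
                       "check routing/NAT from the TMG external interface and any upstream proxy"),
    12030: ("backend", "ERROR_INTERNET_CONNECTION_ABORTED: the published server closed the session; "
                       "check that the port TMG bridges to speaks the expected protocol (HTTP vs HTTPS) "
                       "and that the server's TLS handshake completes"),
    12209: ("client", "authorization required: TMG answered with an authentication challenge (HTTP 407); "
                      "expected noise while clients authenticate, a problem only if the same request never succeeds"),
}


@dataclass
class TmgEntry:
    header: str                      # first line: action, server name, timestamp
    fields: dict = field(default_factory=dict)

    @property
    def status_code(self):
        m = re.match(r"(\d+)", self.fields.get("Status", ""))
        return int(m.group(1)) if m else None

    def endpoint(self, name):
        """(ip, port) from a Source/Destination field, or None."""
        m = ENDPOINT_RE.search(self.fields.get(name, ""))
        return (m.group(1), int(m.group(2))) if m else None

    def label(self, name):
        """TMG network label ('Internal', 'Local Host', ...) in front of the address, or None."""
        m = LABEL_RE.match(self.fields.get(name, ""))
        return m.group(1).strip() if m else None


def parse_tmg_entry(text):
    lines = [l for l in text.strip().splitlines() if l.strip()]
    entry = TmgEntry(header=lines[0].strip())
    for line in lines[1:]:
        m = FIELD_RE.match(line.strip())
        if m:
            entry.fields[m.group(1).strip()] = m.group(2).strip()
    return entry


def triage(entry):
    """Classify one entry: which side to look at, plus the public-IP-in-Internal check."""
    code = entry.status_code
    side, hint = STATUS_HINTS.get(code, ("unknown", "no rule for status %r" % code))
    dest = entry.endpoint("Destination")
    mislabelled = bool(dest and entry.label("Destination") == "Internal"
                       and ipaddress.ip_address(dest[0]).is_global)
    return {
        "status": code,
        "side": side,
        "direction": entry.fields.get("Log type", ""),
        "destination": dest,
        "public_ip_in_internal": mislabelled,
        "hint": hint,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_10060, SAMPLE_12030):
        print(triage(parse_tmg_entry(sample)))
```

Feed it entries copied from the TMG log viewer one at a time; the first line is kept as the header and every following "Key: Value" line becomes a field, so extra lines such as "Filter information" are carried along without special handling.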




12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied


Hi Experts,

I got the below error while logging; actually I am trying to troubleshoot a slow browsing experience behind the proxy.

12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied

Are these normal errors, or an issue?

Parallel TMG - disrupting traffic


I'm trying to troubleshoot something here.


I've got on my network 3xTMG's doing reverse proxying. Everything is fine. In parallel, there's a UAG box. Everything is fine.

The trouble starts when trying to add another TMG box in parallel to handle incoming traffic, since the proxy servers are for outgoing (web) traffic only (no listeners exist to handle incoming traffic).

External interface - public IP (connected to cable gateway, but given public IP/public IP as gateway)

Internal Interface - local LAN IP, no gateway, internal DNS (same internal network as the other TMG servers/UAG, as well as the rest of the network)


The trouble is that the new TMG begins to massively disrupt internal traffic, blocking TRAFFIC NOT DESTINED, and making any internal traffic time out. When I can get back and pause the VM, everything works fine. I've done an access rule to allow "Internal to Internal", all protocols, and not strict RPC filtering. I've also tried the "Anywhere" to "Anywhere" rule to test, no joy.

This is the first time I've seen this (other than my very first install of TMG years ago, when it blocked my BlackBerry BES traffic)

The VM is running Server 2008R2, the NICs on the problem TMG box are standard Network Adapters (not Legacy), and the host is running Server 2012R2. Everything else is out of the box TMG SP2, RU6.

Any help would be appreciated.

Problem with client certificate and HTTPS Inspection


Dear All,

Server: Windows Server 2008 R2

Application: TMG2010 Standard

Function enabled: HTTPS Inspection

Problem:

TMG is in a workgroup serving as a web proxy for domain PCs to access the Internet. I use a USB token (with certificate) provided by the bank to access online banking; the TMG log shows error code 80090326 and the message "This page cannot be displayed" on the PC when trying to log on to banking with the CA option. This happens when HTTPS inspection is on, and there is no access problem when HTTPS inspection is off.

Since it is a requirement that HTTPS Inspection must be enabled, is it by design that TMG in a workgroup does not support client certificates?

I have searched on the web and found the following article, but I am still not sure if it is by nature or whether we can have a workaround to solve it.

https://technet.microsoft.com/zh-cn/library/ee796231.aspx#u56fdssd

Some solutions found on the web, but I am not sure if they are applicable to my situation.

https://support.microsoft.com/en-us/kb/982550

https://social.technet.microsoft.com/Forums/forefront/en-US/16ff2286-ef07-4127-9887-69f8651e226b/https-inspection-connection-problem-using-sp1-update-1-rollup-3?forum=Forefrontedgegeneral

Any thoughts can be shared?

Best Regards

Ben


Outlook disconnected after the installation of TMG or ISA


Hi,

I have an issue I faced after the installation of TMG 2010. It just stops all Outlook, even when configured with POP3 or IMAP. I can control the Internet via this server; the only problem is with Outlook.

The TMG 2010 is not connected by IPSEC site-to-site to Fortigate 200D

OS Windows Server 2008R2 - all updates are installed.
Forefront Threat Management Gateway 2010 (Version: 7.0.9193.644)
The server is in Canada. Time Zone (UTC-05: 00) Eastern Time (US & Canada)
IPSEC tunnels have already been set up to 3 different points and work well.
But we have 1 point where the tunnel is not working.
 
Below the information about this tunnel:
 
IPSEC Site-to-Site
 
Options IPSEC
Phase I:
Encryption Algorithm: 3DES
Algorithm integrity check: SHA1
Diffie-Hellman Group: Group 2 (1024 bits)
Authenticate and generate new keys every 7800 seconds.
Phase II:
Encryption Algorithm: 3DES
Algorithm integrity check: SHA1
Parameters session keys: Shift keys every 3600 seconds.
Use PFS
Diffie-Hellman Group: Group 2 (1024 bits)
Authentication:
Shared key: *****
 
The error occurs at the FortiGate 200D v5.2.2,build642 side during Phase II. If the encryption algorithm was set as AES-256 we get the error during Phase I.
 
The Fortigate-200D side team has already had a discussion with the Fortinet support team; as per them, the firewall at our side is responding with no policy to their Fortinet side. You need to check the issue with the Microsoft support team.
 
Is there anyone who has had a similar problem, or any other information about the compatibility of Fortigate and TMG2010?
 
 
There are some other details:
 
Local tunnel endpoint: 184.107.xxx.xxx
Remote tunnel endpoint: 83.111.xxx.xx
 
Options IKE Phase I:
    Mode: basic mode
    Encryption: 3DES
    Integrity: SHA1
    Diffie-Hellman Group: Group 2 (1024 bits)
    Authentication Method: Pre-secret (******)
    The lifetime of the SA: 7800 seconds
 
 
Options IKE Phase II:
    Mode: ESP-tunnel
    Encryption: 3DES
    Integrity: SHA256
    Secure mail (PFS): ON.
    Diffie-Hellman Group: Group 2 (1024 bits)
    Re-create the key on time: ON
    The lifetime of the SA: 3600 seconds
 
    Re-create the volume key: OFF
 
IP-subnet "Ex_Fortigate" remote network:
    Network = 83.111.xxx.xx / 255.255.255.255
    Network = 172.12.13.xx / 255.255.255.255
    Network = 172.17.13.xx / 255.255.255.255
 
IP-subnet "Internal" network:
    Network = 10.0.0.0/255.255.0.0
    Network = 192.168.xxx.0 / 255.255.255.0
 
The static pool of IP-VPN into the server subnet "mysrv":
    Network = 192.168.xxx.1 / 255.255.255.255
    Network = 192.168.xxx.254 / 255.255.255.255
    Network = 192.168.xxx.2 / 255.255.255.254
    Network = 192.168.xxx.252 / 255.255.255.254
    Network = 192.168.xxx.4 / 255.255.255.252
    Network = 192.168.xxx.248 / 255.255.255.252
    Network = 192.168.xxx.8 / 255.255.255.248
    Network = 192.168.xxx.240 / 255.255.255.248
    Network = 192.168.xxx.16 / 255.255.255.240
    Network = 192.168.xxx.224 / 255.255.255.240
    Network = 192.168.xxx.32 / 255.255.255.224
    Network = 192.168.xxx.192 / 255.255.255.224
    Network = 192.168.xxx.64 / 255.255.255.192
    Network = 192.168.xxx.128 / 255.255.255.192
 
Routable local IP-address:
    Network = 10.0.0.0/255.255.0.0
    Network = 83.111.xxx.xx / 255.255.255.255
    Network = 172.12.13.xx / 255.255.255.255
    Network = 172.17.13.xx / 255.255.255.255
    Network = 192.168.xxx.0 / 255.255.255.0



Logs TMG2010.
 
Closing connection MYSRV 10/12/2015 1:32:18 PM
Log type: Firewall service
Status: The connection has been completed properly, correctly implemented the process off with a tripartite confirmation, launched FIN.
Rule: [System] Allow VPN traffic such as "site-to-site" on the Forefront TMG server
Source: Local computer (184.107.xxx.xxx:500)
Purpose: Ex_Fortigate (83.111.xxx.xx: 500)
Protocol: IKE-client
 additional information
The number of bytes sent 2048 Number of bytes received: 0
Processing Time: 134000ms original IP-address of the client: 184.107.xxx.xxx
 
 
Started Connect MYSRV 10/12/2015 1:32:18 PM
Log type: Firewall service
Status: The operation completed successfully.
Rule: [System] Allow VPN traffic such as "site-to-site" on the Forefront TMG server
Source: Local computer (184.107.xxx.xxx:500)
Purpose: Ex_Fortigate (83.111.xxx.xx: 500)
Protocol: IKE-client
 additional information
The number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP-address: 184.107.xxx.xxx


Logs FortiGate 200D v5.2.2,build642
2015-10-08 01:42:44 ike 0:NAME-NAME:NAME-PHASE2: IPsec SA connect 7 83.111.xxx.xx->184.107.xxx.xxx:0
2015-10-08 01:42:44 ike 0:NAME-NAME: ignoring request to establish IPsec SA, no policy configured
2015-10-08 01:42:46 ike shrank heap by 159744 bytes
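The post lists the TMG side of the tunnel twice (the "Options IPSEC" summary and the "Options IKE Phase II" block), and the FortiGate log ends in "no policy configured", which is what a peer reports when the proposed phase 2 traffic selectors match none of its policies. The script below is an added example, not part of the post and not a TMG or FortiGate tool: it diffs two proposal descriptions, lists the (local, remote) selector pairs the peer must have a policy for, and flags a remote selector that contains the peer's own tunnel endpoint. The masked octets in the post are replaced by constructed placeholder values. It also reports the settings a defender would want replaced today (3DES, SHA1 and the 1024-bit DH group 2 are all below current minimums).

```python
import ipaddress

# Phase II as given in the first ("Options IPSEC") listing of the post.
TMG_PHASE2_LISTING_1 = {"encryption": "3DES", "integrity": "SHA1", "dh_group": 2, "pfs": True, "lifetime_s": 3600}
# Phase II as given in the "Options IKE Phase II" listing of the same post.
TMG_PHASE2_LISTING_2 = {"encryption": "3DES", "integrity": "SHA256", "dh_group": 2, "pfs": True, "lifetime_s": 3600}

# Placeholder octets for the values masked as "xxx" in the post (constructed).
REMOTE_ENDPOINT = "83.111.0.2"
REMOTE_NETS = ["83.111.0.2/255.255.255.255", "172.12.13.5/255.255.255.255", "172.17.13.5/255.255.255.255"]
LOCAL_NETS = ["10.0.0.0/255.255.0.0", "192.168.50.0/255.255.255.0"]

# Algorithms and groups that should no longer be used for new tunnels.
WEAK = {"encryption": {"DES", "3DES"}, "integrity": {"MD5", "SHA1"}, "dh_group": {1, 2, 5}}


def compare_proposals(a, b):
    """Return {attribute: (a_value, b_value)} for every attribute on which a and b disagree."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def weak_settings(proposal):
    """List the (attribute, value) pairs of a proposal that fall into the WEAK table."""
    return [(k, v) for k, v in proposal.items() if k in WEAK and v in WEAK[k]]


def selector_pairs(local_nets, remote_nets):
    """Every (local, remote) pair that the peer must have a matching phase 2 policy for."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    remote = [ipaddress.ip_network(n) for n in remote_nets]
    return [(str(l), str(r)) for l in local for r in remote]


def selector_warnings(local_nets, remote_nets, remote_endpoint):
    """Structural problems in the selector sets that commonly produce 'no policy' on the peer."""
    warnings = []
    ep = ipaddress.ip_address(remote_endpoint)
    remote = [ipaddress.ip_network(n) for n in remote_nets]
    local = [ipaddress.ip_network(n) for n in local_nets]
    for r in remote:
        if ep in r:
            warnings.append(f"remote selector {r} contains the peer's tunnel endpoint {ep}; "
                            f"the peer needs a policy for its own public address, not just for the LAN behind it")
    for l in local:
        for r in remote:
            if l.overlaps(r):
                warnings.append(f"local selector {l} overlaps remote selector {r}")
    return warnings


if __name__ == "__main__":
    print("listing mismatch:", compare_proposals(TMG_PHASE2_LISTING_1, TMG_PHASE2_LISTING_2))
    print("weak settings:", weak_settings(TMG_PHASE2_LISTING_1))
    for pair in selector_pairs(LOCAL_NETS, REMOTE_NETS):
        print("peer needs policy for", pair)
    for w in selector_warnings(LOCAL_NETS, REMOTE_NETS, REMOTE_ENDPOINT):
        print("warning:", w)
```

The two listings in the post disagree on the phase 2 integrity algorithm (SHA1 versus SHA256), which is exactly the kind of discrepancy the peer's phase 2 log would surface as a proposal mismatch; checking the exported configuration of both peers with a diff like this before opening a vendor case saves a round trip.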

Forefront TMG 2010: publish DVR as VPN Client


Good day.

We need to publish DVR (Digital Video Recorder, placed in foreign office and connected to our TMG server as VPN PPTP client).

DVR's VPN IP is 192.168.10.120.

I created a simple Non-Web Server Protocol Publishing Rule, from External to 192.168.10.120 with the correct protocol. But it did not work; in the logs I see 0xc004000d FWX_E_POLICY_RULES_DENIED, from External to Localhost (?)...

From gate server and from office network (over other rule) - all works fine.

Windows 2012 R2 multicast NLB support

I would like to know if multicast is supported when doing DirectAccess with Windows Server 2012 R2? I know that it is supported with UAG but I have not seen anything stating that it is supported with Server 2012 R2. I would like to use multicast mode since we are a VMware shop.

Generate New Certificate from Existing HTTPS Inspection


Dear All,

Months ago the TMG2010 encountered a problem where all HTTPS web sites could not be accessed, which returned the message "This page cannot be displayed" on the client PC.

I checked the TMG logging and found error message 0x8009000a, which is related to a certificate problem.

I followed the article below to generate a new certificate for the environment, and finally the problem was resolved.

http://blogs.technet.com/b/isablog/archive/2014/05/28/tmg-https-inspection-is-failing-if-the-target-web-site-is-using-a-cng-certificate.aspx

After that I found the content of the new certificate differs a bit from the original one generated from TMG itself.

For example, in the Details of the cert, there are fewer descriptions in the Key Usage and some other attributes.

I am wondering, with the existing HTTPS Inspection rule, can I regenerate a new cert from it? Does it cause any problems for applications associated with it (break the trust)?

Or I have to remove the existing HTTPS Inspection and recreate a new one from scratch?

Best Regards

Ben

Failure when calling FltCreateFile in PreCreate dispatch routine in file system Minifilter driver

When using the following code to create/open a file, the status will be STATUS_OBJECT_PATH_SYNTAX_BAD after calling FltCreateFile. Please give me some hints, thank you very much.


// Build the NT-style name. Every backslash of the path has to be written as \\
// in the C literal: a single \1 is read by the compiler as an octal escape
// (the character 0x01), not as a separator followed by "1".
RtlInitUnicodeString(&sFileDosFullPath, L"\\??\\D:\\1.doc");

// init object attributes (kernel handle, case-insensitive lookup)
InitializeObjectAttributes(&ob, &sFileDosFullPath, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);

// reuse the create parameters of the intercepted IRP_MJ_CREATE:
// the disposition is in the top 8 bits of Options, the create options in the low 24
uCreateDisposition = Cbd->Iopb->Parameters.Create.Options >> 24;
uCreateOptions     = Cbd->Iopb->Parameters.Create.Options & 0x00ffffff;
uShareAccess       = Cbd->Iopb->Parameters.Create.ShareAccess;
uFileAttributes    = Cbd->Iopb->Parameters.Create.FileAttributes;
// uDesiredAccess is assumed to have been set earlier; the original snippet does not show it

// create/open the file through the filter's own instance
status = FltCreateFile(FltObjects->Filter,
                       FltObjects->Instance,
                       &hFile,
                       uDesiredAccess,
                       &ob,
                       &IoStatus,
                       NULL,                          // no allocation size
                       uFileAttributes,
                       uShareAccess,
                       uCreateDisposition,
                       uCreateOptions,
                       NULL,                          // no EA buffer
                       0,                             // EA length
                       IO_IGNORE_SHARE_ACCESS_CHECK);
if (!NT_SUCCESS(status))
{
    FltStatus = FLT_PREOP_COMPLETE;
    __leave;
}

Forefront TMG 2010 DNS request timed out problem


Hello everyone!

I have installed Forefront TMG 2010 on a virtual machine (VMware vSphere).

OS - Windows server 2008 R2

Forefront TMG with all updates and rollups.

On this machine I have a DNS request timed out problem.

When I run nslookup on TMG and enter a request for an external (non-local) domain (for example google.com), I get a DNS request timed out error.

I get it only on the first request; if I repeat my request I get a result and nslookup shows me google.com's IP address.

I have TMG installed with 2 network interfaces.

The first interface is for the internal network. It has an IP address, network mask and local domain (DC) DNS servers.

The secondary interface is for the external network. It has an IP address, network mask and gateway, and doesn't have DNS addresses.

Also I have routes to my local networks. It works correctly.


In my local network I have this DNS configuration:

Local DNS on Domain controller -> DNS server with Internet access to the external network, which can resolve external DNS requests.

Other servers and local PCs in the domain can resolve external DNS requests without the timed out problem; only the TMG server has this problem.

My ipconfig:

Настройка протокола IP для Windows

   Имя компьютера  . . . . . . . . . : vm-tmg01
   Основной DNS-суффикс  . . . . . . : domain.local
   Тип узла. . . . . . . . . . . . . : Гибридный
   IP-маршрутизация включена . . . . : Да
   WINS-прокси включен . . . . . . . : Нет
   Порядок просмотра суффиксов DNS . : domain.local

Ethernet adapter Lan:

   DNS-суффикс подключения . . . . . :
   Описание. . . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Физический адрес. . . . . . . . . :
   DHCP включен. . . . . . . . . . . : Нет
   Автонастройка включена. . . . . . : Да
   IPv4-адрес. . . . . . . . . . . . : 192.168.1.15(Основной)
   Маска подсети . . . . . . . . . . : 255.255.255.0
   Основной шлюз. . . . . . . . . :
   DNS-серверы. . . . . . . . . . . : 192.168.1.5
                                      192.168.1.6
   NetBios через TCP/IP. . . . . . . . : Включен

Ethernet adapter Internet:

   DNS-суффикс подключения . . . . . :
   Описание. . . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
   Физический адрес. . . . . . . . . :
   DHCP включен. . . . . . . . . . . : Нет
   Автонастройка включена. . . . . . : Да
   IPv4-адрес. . . . . . . . . . . . : 192.168.2.73(Основной)
   Маска подсети . . . . . . . . . . : 255.255.255.0
   Основной шлюз. . . . . . . . . : 192.168.2.1
   NetBios через TCP/IP. . . . . . . . : Отключен



What am I doing wrong?

Forefront TMG error


Hi all,

We have a TMG server, which was recently disconnected from our network and replaced with a hosted firewall. The TMG server was joined to the domain.

I'm trying to take a backup of the TMG config, but when I try to connect via Forefront TMG Management, it keeps giving me an error.

Forefront TMG Error

Forefront TMG management was unable to connect to configuration storage server.

Error:0x8007203a

The server is not operational

Please any help will be highly appreciated.

Kind Regards

Aden

The Object Invoked has Disconnected from its clients


Hi all,

I am experiencing an error with TMG 2010 which I have never seen before. When opening the Network node from the TMG 2010 console I get the error below.

this firewall is connected to a domain and managing 6 networks ( 6 arms connected to TMG 2010).

Other than the Network tab, every other link is working fine.

Has anybody gone through an error like this?

thanks.


Publish website internally accessed different way


Hi all,

A supplier has created a website that is accessible like this http://website-x/
The / at the end is needed. 

Domain of the environment is domain.local
DNS zone mostly used is domain.nl

The website 'website-x' is added to the domain.nl zone, and with an Alias in the domain.local zone, pointing to website-x.domain.nl. This makes it possible to ping and resolve 'website-x', which is needed for users to reach the website by just typing in http://website-x/

The supplier has configured their website such a way that when you try to go to http://website-x.domain.nl/ it gives you a 401 back. 

When I publish this website in TMG, I get the same 401 on the Internet as when I am internal. So it's obvious it is trying to reach website-x.domain.nl internally.

Is it possible to publish a website that's internally accessed on http://website-x/ ? Please note the / on the end.

In TMG I played with sending the original host header, etc., but I am not able to get a working result.
On the To tab I also played with website-x and website-x/, but when using website-x/, it looks like TMG is putting :80/ behind it, which makes it website-x/:80/ and of course that will not work either. Anyway, whatever I try, it fails. I don't understand the workings of TMG on this one so I can't manage to figure out if this works at all, and if not, why not.

Thanks.


HTTP Status code 13 - The data is invalid on FBA login page


We recently started having users getting 'Page could not be displayed' when trying to logon the FBA page for our web application. Looking at the logs in TMG, the URL they are using has 'formdir=XX', which does not match the formdir I get when pulling up the page. When I load the page, I get formdir=10. The URLs from the erroring clients are formdir=8 and formdir=12.

So my question is how are these clients getting an incorrect 'formdir' in their URL. We did recently update the login page graphics, but I never cleared cache/cookies and it worked for me. Does updating the FBA graphics increment the formdir so old bookmarks no longer work?

Cross Site Framing on TMG HTML Form


During a recent Penetration test of a SharePoint site (published through TMG) the site was found to be vulnerable to Cross Site Framing.

I was able to remediate this by adding an HTTP response header in IIS (Header: X-Frame-Options, Value: SAMEORIGIN).

The problem now is the TMG logon HTML form can still be captured in a frame.

I can't see any way to add the header so I was thinking about adding some frame busting code to the HTML form but not sure where to put it.

Is there a way to stop the TMG form from being captured in a frame?
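The finding above is a clickjacking (cross-site framing) issue, and the fix applied to the SharePoint site was an X-Frame-Options header. The function below is an added example, not code from the post or from TMG, showing how a defender verifies framing protection from a response's headers alone: it evaluates both X-Frame-Options and the CSP frame-ancestors directive (which takes precedence over X-Frame-Options in browsers that support CSP level 2), and it treats the values browsers ignore (obsolete ALLOW-FROM, conflicting comma-joined values, unknown tokens) as unprotected. The header sets are constructed to mirror the two cases in the post: the fixed SharePoint site and the TMG logon form that still has no header.

```python
# Constructed header sets (not captured from a real TMG). The first mirrors the
# IIS fix in the post; the second the TMG logon form, which the post says can
# still be framed; the rest exercise the edge cases browsers actually ignore.
SHAREPOINT_FIXED = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
TMG_LOGON_FORM = {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "no-cache"}
CSP_LOCKED = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
              "x-frame-options": "SAMEORIGIN"}
CSP_OPEN = {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"}
CONFLICTING = {"X-Frame-Options": "DENY, SAMEORIGIN"}
OBSOLETE = {"X-Frame-Options": "ALLOW-FROM https://partner.example"}


def frame_protection(headers):
    """Return (protected, reason) for one response's headers.

    Header names are matched case-insensitively. A CSP frame-ancestors directive,
    when present, decides the outcome and X-Frame-Options is not consulted.
    """
    h = {k.lower(): v for k, v in headers.items()}

    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.strip("'").lower() for p in parts[1:]]
            if "*" in sources:
                return False, "CSP frame-ancestors allows any origin"
            if sources == ["none"]:
                return True, "CSP frame-ancestors 'none'"
            if sources == ["self"]:
                return True, "CSP frame-ancestors 'self'"
            return True, "CSP frame-ancestors restricted to: " + " ".join(sources)

    xfo = h.get("x-frame-options", "").strip().upper()
    if not xfo:
        return False, "no framing protection header"
    if "," in xfo:
        return False, "multiple X-Frame-Options values conflict and are ignored by browsers"
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    return False, "unrecognised X-Frame-Options value %r is ignored by browsers" % xfo


def audit(responses):
    """Run frame_protection over {name: headers} and return {name: (protected, reason)}."""
    return {name: frame_protection(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, (ok, why) in audit({
        "sharepoint": SHAREPOINT_FIXED, "tmg-form": TMG_LOGON_FORM,
        "csp-locked": CSP_LOCKED, "csp-open": CSP_OPEN,
        "conflicting": CONFLICTING, "obsolete": OBSOLETE,
    }).items():
        print(f"{name:12} {'protected' if ok else 'FRAMEABLE':10} {why}")
```

In practice the headers are taken from a captured response to the logon URL, and the check belongs in the same place as the pentest finding: whatever fronts the form (TMG itself, or a reverse proxy in front of it) needs to add the header, because a frame-busting script inside the form is defeated by a sandboxed iframe and so only counts as a fallback.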
