Channel: Forefront TMG and ISA Server forum

Authentication failed on mobiles (Exchange 2010) after Migrating ISA 2004 to TMG 2010


Good Day,

Have migrated all settings from ISA 2004 server to TMG 2010 (including certificates) and it was good.

* Mail flow: went through TMG successfully after changing the Exchange 2010 server's gateway to the TMG. (Client Access Server role & Hub Transport server role are on the same server)

* OWA clients: they can connect successfully to their mailboxes through both http://mail.company.com/owa and https://mail.company.com/owa

* Outlook Anywhere clients: I didn't test them yet & don't know if they will connect successfully or not

ActiveSync clients were unable to log on to their mailboxes; password prompts keep appearing.

On the TMG server Logs & Reports: "12309 The server requires authorization to fulfill the request. Access to the web server is denied."

Any suggestions to solve this issue?

Regards

Elias Dayeh


TMG Standalone Array - changing configuration Manager?


Hi folks

My predecessor installed a number of TMG servers in a standalone Array fashion, 1 server holding the config and all other servers connected to it.

I notice that when the Configuration Array Manager server is off for maintenance, the other servers can't connect. I need to rectify this. So my options are:

1. Develop a process that allows me to easily change the Configuration Array Manager from one server to the other when the former is unavailable/broken.

2. Create a separate Enterprise Management Server and connect all 6 LIVE TMG nodes to it - not worked out the impact of this yet, considering we are already LIVE.

I suspect both are possible, and I presume my predecessor chose the standalone option because fewer servers were needed.

Is there a nice easy way to change the Configuration Array Manager server in a standalone array environment?

I presume I would need to do this if the existing Configuration Array Manager was unresponsive, for instance, meaning the other nodes couldn't connect to the config database. So how would I get access to the config?


Tom

Cannot Upload FTP through TMG


So I have read thousands of posts and spent too much time trying to allow FTP uploads through the TMG firewall. I have tried everything that I can think of but I still get this error message: "The folder xxxxxxxxx:xxxxxxx@ftp.usa.hp.com is read only because the proxy server is not set up for full access." I have right-clicked on the rule and unchecked read-only. I have allowed active FTP, etc. I am missing something and I need help!

Our setup is very simple...internal network is made up of several servers "ops boxes" that have proxy connectivity to the internet for support sites. I need to allow the "ops boxes" the ability to upload logs to HP. I have also installed the TMG client on one of the boxes for testing. 

TMG Server is a VM with two NICs; one for internal and the other for external. 

Switching authentication method based on user membership


I have a sharepoint site that uses windows authentication.

We have the site behind TMG and it works fine.

We now have a requirement that users belonging to a particular AD group must enter a passcode (SecurID) in addition to the Windows username & password (NTLM authentication).

(Note that users who do not belong to that special AD group will still continue to use just username & password.)

Is there a way to

1) display username & password to begin with,

2) after the user authenticates & we determine that they belong to the special group, display a second screen to enter the passcode?

Is this something that TMG supports?

Browsing Delay with TMG 2010


I recently had to switch from having a non-NAT router to a NAT router as I had to change ISP.

At the moment I have the router the ISP has supplied me; I use the standard configuration with DHCP on the device and I use it as my Mac and wireless network. I have then created myself a separate Windows 2012 network with a TMG 2010 server as my firewall, with a network cable plugged into the router; this is classed as my WAN NIC in TMG. I also have two other cards in there called LAN and DMZ. So as you can imagine I use a separate Windows server network for testing etc. When you first set up TMG it asks you to create a default rule to allow Internet access through for all your devices.

Two things:

  1. The default rule for Internet access mentioned above. I have to set the protocols to 'Allow all outbound traffic'. If I just say HTTP and HTTPS it stops all Internet access. Why? Am I missing something daft?
  2. Also when I am surfing, all will be OK and quick, then randomly I click on a link and it will take ages for the page to come up. Or it will just time out, then I will have to click refresh. Then the page loads correctly. This is happening all of the time and is annoying. If I plug my laptop into the router it will be fine and loads pages quick as a flash. After loads of testing I can only put it down to the TMG server. When I had a non-NAT router it was spot on!

Can anyone shed some light on this problem?

Many Thanks

Run Client VPN Cisco from Internal Network


Dear Experts,

I have installed TMG 2010 and it is working very well.

The problem is when some users inside the company need to run the Cisco VPN Client software to access another company.

The error message shows:

                 secure vpn connection terminated locally by the client reason 429

Reason 429: Unable to resolve server address.

Notes:

I created a policy rule to allow all protocols in the LAN but nothing happened.

Can you help me please

problem with remote desktop connection


hi

I have a Windows server rented from a company for hosting a website.
When I remote desktop to the server from home or anywhere over Wi-Fi, it works great, but when I tried to remote to the server from my work network, it is not accepted.

We have at work (LAN, TMG).

Is there something that must be done, such as opening a port, etc.?



The proxy is Refusing Connections problem


Hi all,

I have a problem with my TMG. My clients sometimes cannot access the internet, with the error "The proxy is refusing connections". Where is the problem? I see in my TMG that all the configurations work fine. Any help would be appreciated. Thanks


TMG denying SQL connections


Hello,

I have the following setup and problem:

2 offices with site-to-site IPSec VPN. Branch office has TMG 2010 SP2 installed used as edge firewall and main office has Cisco router. I created the VPN based on the following article: http://www.carbonwind.net/ISA/CiscoVPN/CiscoRouterISAVPN.htm. Only difference is that I use certificate, not a shared password.

Everything works as a charm - DNS, AD, RDP, pings, etc.

Issues I have are the following:

From branch office, domain joined computers cannot connect to SQL server over 1433 and to sharepoint site running on port 81. What I see when I turn on logging on TMG is:

0x80074e21 FWX_E_ABORTIVE_SHUTDOWN with Status: A connection was abortively closed after one of the peers sent an RST packet. RST packet is sent from client - this message is not red.

then I get the red message: 

0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED with Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer. 

When connection to the SQL/SharePoint is established from a standalone computer behind the TMG, everything works as a charm.

Any ideas? I am thinking it might be related to some application/web filters in TMG, but I am not that sure about that.

Regards

Outlook 2010 can send and receive email behind FFTMG


I installed FFTMG to restrict web access in my internal network.

I am not sure how to create an allow access rule for Outlook 2010 to get access to the internet through FFTMG.

Exchange server is not installed.

DNS and DC are installed on one machine, while FFTMG is installed on a separate machine.

Below is the list of software installed on network

MS Server 2008 Enterprise edition (eval)

MS FFTMG 2010 (eval)

MS Office Pro 2010 (eval)

Forbidden email access


Hi everyone

I want to add a TMG firewall to my network and I have some questions about configuring its rules.

1) My boss needs to limit clients' access to global email; actually he needs that none of the employees can access global email, so they have to use company email accounts for sending or receiving emails.

2) Also he needs that no one can use any proxy to double-cross my limits, but I found that some of my employees use a Windows-based software that works with port 443 and the SSL protocol. Is there any way that I can use to stop the use of that software?

Thank you all

TMG 2010 - PPTP VPN not allowing some clients to connect.


Hi!

I have installed TMG 2010 STD on Windows Server 2008 R2 STD. This server is installed on a Hyper-V machine, also running Windows Server 2008 R2 STD. On the Hyper-V host I removed the TCP/IPv4 check mark to ensure no communication is established through that network connection. On TMG I've turned on VPN connection for PPTP clients. All fine and running.

When the users started to connect, some of them connected fine... BUT some couldn't... They receive the error: A connection between the VPN server and the VPN client **.***.***.** has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47).

After a lot of time... and trying to solve the problem, I thought... hey... maybe it is some problem on the router... so... I bought another... same problem... So I bought yet another (Cisco Linksys/SMC/Cisco Linksys). Nothing... didn't work. I shut down the 1st TMG, removed it from the domain (Windows 2008) and... installed another TMG 2010... puff... same problem.

Still, a clue: if those clients that cannot connect to the VPN connect first to another VPN, also on PPTP with TMG... they can connect with no problems.

I have NO idea of what the problem is... can someone help me?

There are some who say "The solution is to disable the PPTP filter on the PPTP protocol" but my TMG doesn't give me the option to disable it... it just shows me properties.

The lan is configured as this:

Router-> 192.168.1.1 (default gateway) -> TMG 192.168.1.3

TMG -> 10.10.1.224/255.255.0.0

DC -> 10.10.1.221

>netstat -ano |findstr ":1723"
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING       4
  TCP    192.168.1.3:1723       10.10.1.1:50280        TIME_WAIT       0
  TCP    192.168.1.3:1723       94.173.190.42:50457    ESTABLISHED     4
  TCP    192.168.1.3:1723       95.136.26.169:25606    CLOSE_WAIT      4
  TCP    192.168.1.3:1723       95.136.26.169:25609    CLOSE_WAIT      4
  TCP    192.168.1.3:1723       95.136.26.169:25610    CLOSE_WAIT      4
  TCP    192.168.1.3:1723       192.168.1.24:57254     ESTABLISHED     4
  TCP    192.168.1.3:13135      192.168.1.3:1723       ESTABLISHED     2888
  TCP    192.168.1.3:16684      192.168.1.3:1723       ESTABLISHED     2888
  UDP    192.168.1.3:17238      *:*                                    2888


TMG 2010 outbound VPN does not work (PPTP), Error 619


Hi,

We just deployed TMG 2010 NLB (SP1 with all 4 rollups) for a customer and one outbound VPN connection stopped working. I have searched the forums, Google and tried everything I could find but with no result. The ruleset in TMG and the routing are configured properly and I can open other VPN connections (PPTP as well, same port, same protocol, same encryption) with no problem, except this one.

So whenever I try to connect to this VPN connection I immediately get Error 619 (almost instantly). TMG shows that the connection opened successfully and then closed in the same second. I can not figure out what is TMG altering in the connection as it works via 3G modem or any other internet connection which is not protected with TMG. (I tried it on 3 different TMG installations and one ISA 2006 and the problem is with all of them) but from my home wifi router everything works like a charm. I have no control over the other end of the VPN tunnel but I know that it is not IP bound.

I am almost ready to give up and configure a static route to this VPN server and circumvent TMG. :(


Cannot establish outbound VPN through TMG (PPTP, IPsec)


Hi,
I have the problem that I cannot establish outbound VPN through TMG. Here is the logging:

PPTP:

Initiated Connection
Log type: Firewall service
Status: The operation completed successfully.
Rule: [INTERN] - Sonstige Dienste
Source: Internal (10.10.14.192:58793)
Destination: External (mailsecure.emz.de 89.245.153.218:1723)
Protocol: PPTP
Denied Connection
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Internal (10.10.14.192)
Destination: External (mailsecure.emz.de 89.245.153.218)
Protocol: Unidentified IP Traffic (GRE:0)

IPsec:

Closed Connection
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Rule: [INTERN] - Sonstige Dienste
Source: Internal (10.10.14.192:4500)
Destination: External (213.217.115.205:4500)
Protocol: IPsec NAT-T Client
Closed Connection
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Rule: [INTERN] - Sonstige Dienste
Source: Internal (10.10.14.192:500)
Destination: External (213.217.115.205:500)
Protocol: IKE Client
Denied Connection
Log type: Firewall service
Status: An ingoing packet was dropped because its destination address does not exist on the system, and no appropriate forwarding interface exists.
Rule: None - see Result Code
Source: Internal (10.10.14.192:62355)
Destination: External (239.255.255.250:1900)
Protocol: Unidentified IP Traffic (UDP:1900)

I am using the TMG 2010 SP2 on Windows Server 2008 R2 SP1, I installed following Updates/hotfixes:

- KB 980674 - VPN site-to-site connections may not work after enabling NLB.
- Rollup 2 for TMG 2010 SP2

Only the outbound VPN doesn't work; inbound VPN is no problem.

ISP Redundancy mode is: load balancing with failover capability. 

failure code XP: 721

failure code Win7: 806

I really hope you can help me.
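The PPTP part of the log above shows the pattern where the control channel on TCP 1723 is allowed by a rule while the GRE leg falls through to the Default rule and is denied. As an added example (not from the original post and not part of TMG), this Python script parses log-pane text in that format and reports every client/server pair with that mismatch; the sample log is constructed from the entries in the post.

```python
import re
# Constructed sample modelled on the log excerpt in the post above (same hosts and ports).
SAMPLE_LOG = """Initiated Connection
Log type: Firewall service
Status: The operation completed successfully.
Rule: [INTERN] - Sonstige Dienste
Source: Internal (10.10.14.192:58793)
Destination: External (mailsecure.emz.de 89.245.153.218:1723)
Protocol: PPTP
Denied Connection
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Internal (10.10.14.192)
Destination: External (mailsecure.emz.de 89.245.153.218)
Protocol: Unidentified IP Traffic (GRE:0)
Denied Connection
Log type: Firewall service
Status: An ingoing packet was dropped because its destination address does not exist on the system.
Rule: None - see Result Code
Source: Internal (10.10.14.192:62355)
Destination: External (239.255.255.250:1900)
Protocol: Unidentified IP Traffic (UDP:1900)
"""
ACTIONS = {"Initiated Connection", "Allowed Connection", "Closed Connection", "Denied Connection"}
FIELD_RE = re.compile(r"^(Log type|Status|Rule|Source|Destination|Protocol):\s*(.*)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_records(text):
    """Split pasted log-pane text into one dict per connection record."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line in ACTIONS:            # each record starts with its action line
            current = {"action": line}
            records.append(current)
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group(1).lower()] = m.group(2)
    return records

def host_of(field):
    """First IPv4 address in a Source/Destination field such as 'External (host 1.2.3.4:1723)'."""
    m = IPV4_RE.search(field or "")
    return m.group(0) if m else None

def find_pptp_without_gre(records):
    """(client, server, denying_rule) for each allowed PPTP control channel (TCP 1723) whose
    GRE leg (IP protocol 47) between the same two hosts was denied; PPTP needs both."""
    pptp_ok = {(host_of(r.get("source")), host_of(r.get("destination")))
               for r in records
               if r["action"] == "Initiated Connection" and r.get("protocol") == "PPTP"}
    findings = []
    for r in records:
        if r["action"] != "Denied Connection" or "GRE" not in r.get("protocol", ""):
            continue
        pair = (host_of(r.get("source")), host_of(r.get("destination")))
        if pair in pptp_ok:
            findings.append((pair[0], pair[1], r.get("rule")))
    return findings
```

Each finding names the rule that dropped the GRE leg, which is the first thing to check when TCP 1723 is allowed but the tunnel never completes; unrelated denials such as the SSDP multicast entry are ignored.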



TMG array, NLB and published websites


Hi,

Have a single TMG server publishing 10 websites. Plan is to add another TMG and setup an Array & NLB.

The currently published 10 websites all have an individual IP address (external TMG IP) in the DMZ.

If we enable TMG Array & NLB how would we handle the published websites - would they all need an individual NLB IP address? Potentially redoing all the web listeners too?

Second question: if we setup TMG Array with EMS, could the EMS database reside on both TMG servers?

Thank you,

SK




Site Redirection to another ISA


Hi everyone, I have a question about one issue. I don't know if it's possible or not, but I decided to create a topic.

So, I have an internal network with two ISA 2006 servers, isa01 and isa02 (isa01 is only for site publishing, isa02 is the proxy server).

Our users need to browse the site "domain.com", which does not allow access from the isa02 public IP address (for example the public IP is 2.2.2.2), so users can't access that site.

But from the isa01 public address that site (domain.com) opens normally.

---

So, my question is:
Can I redirect a specific site to another ISA (isa01 in my situation)?
For example: when a user accesses "domain.com", the request to open the site goes to isa02 (proxy ISA), then isa02 forwards domain.com to be opened through isa01 and responds to the client as normal (but only for domain.com). Is it possible?

I don't know how else I can explain it; I will be glad of any assistance.

Thanks,




TMG 2010 does not allow vpn clients!


Hi!

I have installed TMG 2010 STD on Windows Server 2008 R2 STD. On TMG I've turned on VPN connection for PPTP clients and all was fine for 2 months. But 2 days ago I found a problem with clients connecting to the VPN server. They receive error 806 and in the event log on TMG I see event 20209 about a GRE problem from RasMan. So I checked the connection from my local network to the VPN server and got the same issue. I turned off VPN access for clients and turned it on again... but the same problem. So finally, I installed the Routing and Remote Access service on another server and created a rule on TMG for this VPN server... and bingo... it works... TMG correctly redirects all PPTP traffic to the other VPN server.
So what might the problem be? I can't understand... maybe a problem with Windows Server or TMG?

allow url with certain port No


Dear guys ,

Can anyone help with this issue: how to deny or allow these URLs with ports?

www.anywebsite.com:2082

www.anywebsite.com:2095

The previous URLs forward us to webmail, so I want to just allow them, because then I'll apply a default deny all.

thanks

Reason 429 ?


Dear Experts,

I installed TMG 2012 and it works very well, except the clients can't run the Cisco VPN client software any more.

This message shows up when they try to connect:

Reason 429: Unable to resolve server address.

Note: I allow all protocols to all users.

Is there any solution?

Help for PowerPivot Access Database in TMG 2010


Hello Friends
Good morning.
I have a doubt and would like your help.
I have a Microsoft Forefront TMG 2010 SP2 firewall that uses SQL Server 2008 Express.
I have an application, Microsoft PowerPivot workbooks, that accesses the TMG database and must have access permission to the database, but I'm not getting it in any way.
Does anyone know which SQL Server permission must be granted to access this information, or whether this could be a firewall rule issue?
Remember that the Microsoft PowerPivot application will access the TMG firewall database internally from one workstation.
I will publish the image of the error when Microsoft PowerPivot attempts to access it or when I try to access SQL Server 2008 Express.

Thanks


Julio Vaz http://jvaz.wordpress.com
