Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

https response header for anticlick jacking in TMG2010 Sp2


Hello, 

The company I am doing some work for needs to implement an HTTP response header "X-Frame-Options" "SAMEORIGIN" on our published websites via TMG. 

Now I have researched it and found some previous questions asked here, but they all seem to point to "https://tmgblog.richardhicks.com/2009/03/27/using-the-isa-http-filter-to-modify-via-headers-and-prevent-information-disclosure/"

But when I go there and look, it's not very intuitive and I am left confused about how to implement the above change. 

If someone could describe a plain English version, and how to use this function inside TMG to control the "X-Frame-Options" header, that would be great. 

Regards,

Andy



Internet Explorer 10 for Windows

Why do I still not have Internet Explorer 10 on my laptop?

My Google frame is not downloaded correctly, I can't use it, the page looks like a copied page.

Create NAT for LifeSize Camera


Hi, I need to publish a LifeSize VoIP camera to the Internet via NAT, because these cameras call each other via public NATted addresses. This camera was previously configured behind a NAT on an Untangle server and it was really easy to set up: just NAT the private IP to the public IP, tick the checkbox for all protocols needed, and that's it, it worked fine.

With Forefront it's a whole other story; I am exhausted trying to figure out how to do the same.

I thought that I just had to create a NAT from the internal to the external IP and that was that, but that doesn't work. When I do that, the only thing I can do is ping the external IP from the Internet, but nothing else.

So my question, if there is any Forefront TMG expert here:

How do I access this camera from the Internet the same way I access it from the internal network?

This is what I've got from the LifeSize website:

----------------------------------------------------------

To place calls to other systems through the firewall, you must configure your firewall to allow incoming and outgoing traffic to the system through the following:

• TCP port 1720 (for H.323 call negotiation)

• UDP port 5060 (for SIP call negotiation)

• TCP port 5060 (for SIP call negotiation if TCP signaling is enabled for SIP calls)

• TCP port 5061 (for TLS signaling in SIP calls if TLS signaling is enabled)

• Required TCP and UDP ports in the range: 60000 - 64999

On your firewall, whether standalone or built into your router, you must do one of the following:

• Use one to one NAT and open the ports listed in the previous table over that connection bidirectionally with an access list.

• Forward the ports listed in the previous table to your LifeSize system. Refer to your firewall vendor's documentation for more information.

-------------------------------------------

Can anybody help with step by step instructions to achieve this?

Browser is continuously prompting for the login name and password after client PC login credential updates


Dear All, 

I am facing an issue today: one of our associates updated his AD user password, and after login, when he tries to access any site, the browser prompts for login credentials.

We are using the proxy on every PC; all other PCs are working great without any issue. 

Does anyone know what the cause behind it is?


RB

Can't get WMI connections through the TMG server


Hey all,

I've been googling relentlessly trying to get this to work. I have a monitoring server in this case PRTG and I'd like to monitor a service on one of the servers hosted between the monitoring server and the TMG firewall.

I launched WBEMtest on the monitoring server to ensure that WMI succeeds first with my account, then I would proceed with a dedicated PRTG-based account.

Sure enough I created an access rule on the TMG from my monitoring server to my server hosting the service. Sure enough the WBEMtest fails.

Alright... Google... a helpful post by Marc Grote... and an even more helpful one by Ori Yosefi, as well as this helpful one from the great Richard Hicks.

All great guides; however, as mentioned by the first two links, I created a rule:

1) access rule that allows RPC (All Interfaces) from the Internal network to the Local Host network.

On the next step they both say to uncheck the strict RPC checkbox by clicking the rule and selecting:

"To do so, right click the Firewall Policy rule and select the RPC setting." - Marc Grote

or

"After creating the rule, right-click it and select Configure RPC Protocol." - Ori Yosefi

However, whenever I right-click the rule I don't have either of these options, and clicking the Protocols tab in the properties of the rule, all I can do is get basic settings for the protocol; I don't find this required checkbox anywhere.

What am I missing here?

They also mention removing the checkbox from the Active Directory section of the System Policy Editor, where I already have Enforce Strict RPC Compliance unchecked.

I then created a rule to allow "All Outbound Traffic" from my monitoring server to the server which I need monitored, as specified in Ori Yosefi's post.

Yet when I run WBEMtest it still fails to connect... I even verified all local firewall rules on the server I need, and tested WBEMtest from a server in the same subnet, and it connected just fine.

Please someone... what did I miss?!?!?!

TMG rule for O365

I am in the process of migrating our users to O365 using a hybrid migration. Microsoft wants me to allow a long list of IP address ranges through my TMG firewall to get this process done. I really need help understanding the shortest way to add multiple IP addresses.

Site to Site VPNs


Just to clarify a point: most documentation on TMG site-to-site VPNs assumes that both ends of the pipe are TMG boxes. But that doesn't have to be true, correct? If I need to create a VPN connection between a TMG box and, for example, a Cisco box, I would still use the site-to-site facilities built into TMG, correct?

Thanks

Bert

SSTP VPN Configuration through TMG 2010 Using 3rd party certificate


Hi TMG Community:

I'm willing to configure SSTP VPN through TMG 2010 using a 3rd party certificate. I need help in making this configuration. Any step by step instructions will be a great help!!!

Thanks a lot!!!

MF


thanks, MF


TMG Reverse Proxy using JSON


We are using TMG 2010 as a reverse proxy for some API-based services, and all is good when HTTP 200s are returned. When an HTTP 403 is returned, the TMG is not passing along the JSON error response, but instead wrapping the 403 with some HTML with the message "Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)". Since this is an API server, I want the pure JSON returned back to the client instead, as shown below. How do I disable the HTML responses for > 399 error codes and pass along the pure response?

{
  "request": "ZFNAp28ate",
  "code": "403",
  "message": "Bad timestamp format. Use UTC [yyyy-MM-dd'T'HH:mm:ss'Z']"
}

ISA and 2X client


Hello,

Please I need help on the following scenario;

We have 2 office locations (the head office and the branch office). 

In the head office, we have an ISA 2004 server. A server publishing rule was configured on the ISA to enable a user in the branch office to connect to the accounts software in the head office through the Parallels 2X client.

The branch office is a shared block that houses other organisations. An individual organisation is not allowed to have its own ISP; rather, it is shared. A designated IT staff member manages a MikroTik router that shares the link to the various organisations. At each block a Linksys router is used behind a switch that connects the computers.

The user in the branch office has been able to connect without hassle by indicating on the 2X client the public IP of the ISA in the head office.

My boss wanted to restrict internet access at the branch office. So we got another ISA 2004 installed on a server 2003. 

DHCP is configured on this server and rules for DHCP reply and request set since no domain controller in place. It is a small office with about 7 staff.

Since we do not want to use a public IP, the WAN port of the branch ISA has an IP in the same subnet as the one on the Linksys router. The gateway is the IP address of the Linksys itself. The DNS is as obtained on the router.

The LAN side is configured appropriately.

The whole setup was tested and the rules to restrict access confirmed working.

The bigger challenge came with creating an access rule for the 2X client on the branch office ISA.

How do we create a rule when the branch ISA sits with both legs on a private network?

Remember, for the 2X client to connect, the public IP address of the destination server needs to be entered.

I just can't get this working.

thanks

Limited or no connectivity


Dear friends

I am facing a problem that is leaving me almost crazy. For several weeks I have been faced with a problem of zero or limited connectivity when starting Windows 8.1 workstations in the company.

Before the user enters the login password, or even after, the icon shows little or no connection.

This problem started to occur after Forefront TMG was replaced with Dell SonicWALL.

However, I have Dell SonicWALL support documents confirming that it is not a problem in their product. I did a check on my network, taking into account the exchange of messages between a workstation and the domain controller server in search of an answer to the WPAD query.

I report that before, I had the Forefront TMG client on the workstations; however, it was removed, and also the WPAD traffic was blocked in DNS.

So, to shed some light on this problem, what can I do to find out? Below is the image of the conversation between the so2ri53 station and the domain controller (srvdc01).

Am I on the right track?

ISA Server 2006 Publishing Rule


Hello,

I have an External ISA Server 2006 SP1 with:

WAN: 192.168.1.250 (talking to the home ADSL Router)

DMZ: 192.168.2.1

I have an internal ISA Server 2006 SP1 with:

DMZ: 192.168.2.3

LAN: 192.168.8.1

In the DMZ I have placed an Edge Transport role, with a NIC: 192.168.2.2

So, I am trying to publish OWA on the external ISA Server, but I don't know whether the external ISA Server should point to the Edge Transport server or to the internal ISA Server in that OWA publishing rule.

The SAN certificate (Autodiscover.domain.com, mail.domain.com) has been placed on the CAS server, both ISA Servers and even on the Edge Transport server, and the root domain certificate has also been placed on those servers, because none are domain-joined.

Thanks in advance.

P.S.: Maybe this is more of an Exchange-related question?


HTTPS ACCESS OVER PORT


Afternoon Everyone, 

My knowledge of TMG isn't that great, so bear with me. I would like to access a certain URL over port 60443 via HTTPS; up until now I created a web access rule and it's been working. Recently, when I access the site from IE 11, I get the error "Page cannot be displayed" with a 502 error, but if I use Google Chrome I can access the site easily. Looking at the TMG logs I found out that it's using the SSL-Tunnel protocol instead of the protocol I have defined, which Google Chrome uses. Also, TMG gives me a status 12202 error in regards to 443 being the default port. Any help please?

how to allow team viewer through (TMG) proxy server


How do I allow TeamViewer through the (TMG) proxy server?

Top urgent

Required ports for TMG placement in DMZ


Dears,

We will install two TMG servers in the DMZ (not joined to the domain, one array) to use them as a forward proxy.

The main features of the solution include:

• Forward web proxy requests using HTTP and HTTPS.

• HTTPS inspection.

• URL filtering based on predefined block lists.

• Web caching.

• Windows load balancing to ensure high availability and load distribution of TMG services.

Kindly, what are the ports required between the internal network and TMG, between TMG and the internal network, between the DCs and TMG, between TMG and the DCs, and between TMG and the Internet?

Note: Since the TMG servers need to resolve IP addresses for both Internet and internal devices, an external DNS Server will be installed on each TMG server.

The external DNS server's listening interface will be the DMZ interface, and it will use the Internet root DNS servers to resolve Internet DNS names. The external DNS will be configured with forwarders to the internal DNS servers in order to resolve internal DNS zones.

Within the TMG array, each TMG server will have its own IP address as the primary DNS server and the other TMG server as the secondary DNS server.


Server Can't Detect TMG Settings and Connect to the Internet


Good Morning,

I am trying to determine why a specific server can't connect to the Internet via the TMG server using wpad.dat. The browser is set up to automatically detect settings.  

Other servers in the same IP range are able to connect to the Internet.

When the server with the issue tries to access an external site using automatically detect settings, I do not see the traffic on the TMG Logs and Reports screen.

Also, running netstat -ano on the server with the issue, I do not see any TCP traffic initiated to the TMG server over port 8080. 

If I configure the server with the issue to use the manual proxy server configuration, then the server is able to connect to the Internet and I do see the traffic passing through in the TMG server Logs and Reports. 

I am able to open the wpad.dat file on the server via a browser.

Please advise on this issue.

Thank you in advance.

Raed



Problem


Hi,

When I try to open Forefront TMG Management I get an error:

Refresh failed - Error: 0x80070057 - The parameter is incorrect.

How can I solve the problem?

Raf


Raffaele

TMG array member not synced


Hi, I have 1 TMG CSS server and 12 TMG array members. On one array member the server configuration is not synced (Monitoring - Configuration - Configuration status: synced).

I tested the open ports on both the CSS and the array member; it's OK. The LDP connection test also works fine.

At the same time, if I make changes on the array member, they are displayed on the CSS server.

TMG 2010 - Not able to join the server to Domain


Hi

We had a TMG 2010 server running, and for some reason we disjoined the TMG 2010 from the domain. Now we are trying to join it to the domain but are not able to do it. We tried stopping all the TMG services but get the same error.

Can you please guide us on whether it is possible?


A packet was dropped because its hop limit or time-to-live limit was exceeded


TMG v7.0.9193.644
3 NICs: External, Internal, DHCP.
External with public addressing (NIC with gateway): 79.153.183.x / 255.255.255.240 / 79.153.183.1
Internal with internal addressing (NIC without gateway - only management): 192.168.9.1 / 255.255.255.0
DHCP with internal addressing (NIC without gateway): 192.168.8.1 / 255.255.255.0 (same VLAN as DHCP)

The internal networks are 192.168.1.1 / 192.168.2.1 / 192.168.3.1

In the TMG I have these static routes (192.168.8.254 = core):

192.168.1.1 255.255.255.0 192.168.8.254 1
192.168.2.1 255.255.255.0 192.168.8.254 1
192.168.3.1 255.255.255.0 192.168.8.254 1

When I connect to the VPN it gives me an IP from 192.168.8.0/24, but I can't get to the networks, and I get this error: A packet was dropped because its hop limit or time-to-live limit was exceeded (VPN Clients --> Internal)

In Networking - Networks - Internal I have these internal addresses.
