Channel: Forefront TMG and ISA Server forum

Install two TMG servers in DMZ and using hardware load balancer


Dears,

I have the below scenario:

1. Install two TMG servers in DMZ (workgroup) and configure high availability using hardware load balancer

2. Use one NIC (DMZ) on each TMG server

3. TMG servers will be acting as forward proxy servers and used as well for HTTPS inspection, URL filtering based on predefined block lists and for web caching.

4. TMG servers will be acting as Radius clients and Radius server will be installed on domain controllers

5. External DNS will be installed on both TMG servers and conditional forwarding to DCs will be used to resolve internal DNS zones. Also root hints will be used to resolve internet DNS names.

6. A server certificate from internal CA will be installed on both TMG servers for authentication and data encryption.

I am not that strong in TMG so please guide me on how to install and configure the setup above, most importantly points: 1, 3, 4, and 6.



Test ports are allowed from TMG in DMZ (one network adapter configuration) to domain controllers in local LAN


Dear,

I set up today a standalone array of two workgroup TMG servers in the DMZ (one NIC setup); now I need to install RADIUS (NPS) on the domain controllers to authenticate outbound traffic. The ports we asked the network team to open are as below:

| Source | Destination | Service | Action | Comments |
|---|---|---|---|---|
| Internal Network Domain Controllers | TMG servers | microsoft-ds_tcp_ 445, nbdatabram_tcp_138, nbname_tcp_137, nbsession_tcp_139 | Allow | AD communication |
| TMG servers | Internal Network Domain Controllers | nbdatabram_tcp_138, nbname_tcp_137, nbsession_tcp_139, Kerberos_v5-TCP/UDP_88, DNS TCP/UDP-53, microsoft-ds tcp445, ad_logon_tcp_1025, emap_tcp-tcp_135, ldap_tcp/udp 389, ldaps_tcp_636, GC_3268_tcp, ntp-tcp/udp 123, RADIUS_1812_TCP, RADIUS _accounting_1813_TCP, icmp protocol | Allow | AD communication |

Network team confirmed all ports are allowed from internal network to DMZ, however how can I confirm ports from TMG to DCs are allowed?

I did a telnet from the TMG server (after installing TMG) on the ports mentioned in the last row of the table above to the domain controllers with no luck. Do I need to allow telnet in TMG? If yes, how?

allowed Websites are not accessible showing blocked


Hi,

We had opened websites and they were working properly, but all of a sudden these opened sites are not opening in TMG 2010.

I have tried to create separate access rule also for these sites but no success.

 

TMG Web farm for Outlook anywhere


Hello experts,

I'm looking for help on below issue:

We're running TMG 2010 with 1 Array Manager and 5 child servers. A web farm is created to distribute the traffic to 10 CAS 2010 servers in the site, and all CAS servers' IPs are added in the web farm. TMG is receiving all the traffic from the single IP of a load balancer sitting in front of the TMG servers. We see that all the Outlook Anywhere traffic is going to a single CAS server (say CAS1) and not to all CAS servers in the web farm.

As soon as we reboot/shut down the CAS1 server, all OA traffic is routed to the next CAS server, and once CAS1 is up again the traffic shifts back to CAS1. What could be the problem here? Any idea?

FYI, ActiveSync and OWA traffic is being load balanced to all CAS servers without any issues. It is only the OA traffic which is going to a single CAS server.

Thanks, Vik

Configure RADIUS server for authenticating outbound Web proxy requests


Hi all,

I have a standalone TMG array of two servers in the DMZ (workgroup scenario, one NIC), and I need to configure it as a forward proxy. I installed the NPS role on all DCs and configured the TMG servers as RADIUS clients in the NPS role on each DC (just configuring the RADIUS clients, no network policies). In TMG, I configured the DCs as RADIUS servers and LDAP servers. I allowed TCP ports 1812 and 1813 from TMG to the DCs, then discovered I have to allow UDP ports 1812 and 1813 according to this article:

https://technet.microsoft.com/en-us/library/cc441598.aspx?f=255&MSPPError=-2147217396

Is my configuration right? Am I missing anything?

Automatically Detect Settings - don't want to use


My TMG is deployed in a back firewall topology. Everything seems to be running fine except for this: I can only view the front firewall management web UI from (1) internal network web browsers which are configured to "automatically detect settings," or from (2) the TMG server itself, or from (3) within the perimeter network.

Why might this be so, and how can I make it unnecessary to turn on "automatically detect settings?"

Thank you!


VPN - Original Client IP Field Not Populated

We are running Forefront TMG 2010 SP2, fully updated. When a client connects to the VPN, we don't see the original client IP field being populated in the FW logs. We need this value for our records. Should this field be populated? Is there additional configuration that needs to be completed? Thank you! 

Exchange Autodiscover and EWS for Skype for Business


Hi Everyone,

I am stuck with some problem with Exchange autodiscover, EWS and skype for business when I try to publish using TMG.

 

Currently I have Autodiscover and EWS published using TMG; both services are configured and working, and for Exchange everything is good. If I test the services using https://testconnectivity.microsoft.com all tests pass.

For EWS

For Autodiscover

But for Skype for Business I get the “Outlook integration Error” because Skype isn't able to find the EWS information. If I look into the TMG logs it shows

From the internal network the services are working fine. It looks like TMG is blocking anonymous requests.


Can you help me?

 

Thanks!

JJ


Configuring TMG redirection using paths on the same public name


We have a TMG that is currently configured to allow access for authenticated users to our SharePoint server. The public name for this rule is set to "All Requests"; it accepts connections from anywhere and redirects to the SharePoint server.

What we want to do is to be able to have a path redirection to somewhere different,

e.g. requests to extranet.example.com carry on as normal but requests to extranet.example.com/time are redirected to a different internal site.

We have tried to set this up using extranet.example.com/time in the Public Names and setting the rule to the top of the list, but it is getting ignored and falling through to the original rule.

If I add a different hostname e.g. time.example.com to the Public Names and add time.example.com to the clients host file (just for testing) it works as expected.

Are we going about this the wrong way? My gut feeling is that we are and the extranet.example.com/time is considered invalid and ignored, hence the rule being skipped.

Any help / pointers would be gratefully received.

Thanks

Alastair

Office 2016 integration with SharePoint 2013 through TMG server problem


Hi,

We connect to our SharePoint 2013 farm through a TMG server. Everything works perfectly with Office 2013.

Since Office 2016, our users have been having problems when opening and saving documents through TMG.

For example:

When you click on a Word document on SharePoint, Word opens it, but only in read-only mode. Normally you should see a yellow information bar with an ‘Edit document’ button.

I can go to the ‘View’ tab -> ‘Edit document’, but the document stays in read-only mode even though I can edit it. When I save the document, Word tries to connect to the SharePoint document library again, but that fails. Instead Word opens the local C:\ drive.

In Fiddler I see the error “Error code: 403 Forbidden. The server denied the specified uniform locator (URL)” when Word tries to connect to the document library on SharePoint.

I did a little research and found that ‘Modern authentication’ in Office 2016 is set as the standard.

http://techblurt.com/2015/09/29/office-2016-authentication-against-legacy-sharepoint-online-bpos/

When I set “EnableADAL =0” then everything works perfectly, but that is not an option because we don't have control over all the clients with Office 2016 installed.

My question: is there a workaround or hotfix for TMG?

Regards,

Johan

High volume website blocked


Hi

We have a TMG 2010 with a mapping website behind it. The traffic to and from the site has a large number of connections because of the map layers.

After some testing we found Flood Mitigation was blocking outgoing traffic so the internal server IP was added to the exclusion list but our customers are still having issues using the maps.

A customer can load the site OK and click around the map a few times, but then the map stops being displayed. We created a jMeter test and can run this test internally (bypassing the TMG) and get 100% success, but if we run the same test externally it fails 30%.

If we add the external IP address of the computer running the test to the Flood Mitigation exclusion list, the external test runs successfully with no failures. We can replicate this from many different external computers using different ISPs etc.

My question is, is there some way to add the web server to a rule for high traffic sites? i.e. an IP exclusion of incoming traffic.

From what I can see, the Flood Mitigation exclusions are only on source address, we need it on destination address. We do not want to disable Flood Mitigation completely.

Thanks

New install: Event Log - Schannel Event ID: 36888

I am in the process of setting up a Microsoft TMG server on a new Dell PowerEdge R610

I have installed Windows Server 2008 R2 Enterprise, Exchange 2010 Edge Transport Service, ForeFront 2010 for Exchange and finally TMG 2010 as per the TechNet TMG installation guides.  All the latest updates have been applied including Exchange 2010 rollup 1.

Around the point at which I installed Exchange 2010, the system event log started filling up with the following entries:

Source: Schannel
Event ID: 36888
User: System
Message: The following fatal alert was generated: 10. The internal error state is 10.

TMG seems to be working correctly - proxy, web filtering, server publishing etc.  However I can access any HTTPS websites from the TMG server, this seems to be causing problems with Windows Update/Forefront 2010 updates.

I have installed two SSL certificates: one was requested from our internal certificate server and I have enabled that certificate in Exchange for SMTP. The other certificate is our public SSL certificate we use for website publishing, and ultimately SMTP, but in case there were problems with the intermediate certificates I haven't yet enabled it for SMTP.

I'm having trouble finding any useful information about the Schannel error - can anyone help?

Thanks.

How to create pac file for tmg-reg


Sir,

We are using forefront tmg 2010 as a proxy server.

We assign the proxy IP directly in browsers, like...

Manual proxy configuration ..... HTTP Proxy: 151.151.15.2 port: 6588

We want to use an Automatic proxy configuration URL in the browser on client systems instead of Manual proxy configuration.

How do I create the URL configuration in Forefront TMG 2010? Please help me with the procedure.

Thanking you.
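A constructed PAC (proxy auto-configuration) script for the setup in this post, added here as an example and not part of the post: only the proxy address and port (151.151.15.2:6588) come from the post; the internal DNS suffix, the private address ranges and the bypass policy are assumptions, and the browser's automatic configuration URL would point at wherever the script is hosted, which the post does not specify.

```javascript
// Constructed PAC script. Only the proxy address and port come from the post;
// the internal suffix and the bypass ranges are assumptions.
var TMG_PROXY = "PROXY 151.151.15.2:6588";
var DIRECT = "DIRECT";
var INTERNAL_SUFFIX = ".corp.example"; // assumed internal DNS suffix

// Equivalent of the PAC built-in dnsDomainIs(): does host end with the suffix?
function hasSuffix(host, suffix) {
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

// Literal loopback and RFC 1918 addresses (10/8, 172.16/12, 192.168/16).
function isPrivateAddress(host) {
  return /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)\d+/.test(host);
}

// Browsers call this for every request; the return value is the proxy list to use.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names such as "intranet" never leave the LAN.
  if (host === "localhost" || host.indexOf(".") === -1) return DIRECT;
  if (isPrivateAddress(host)) return DIRECT;
  if (hasSuffix(host, INTERNAL_SUFFIX)) return DIRECT;
  // Everything else goes through TMG. Deliberately no "; DIRECT" fallback:
  // a fallback would let clients bypass URL filtering whenever the proxy is unreachable.
  return TMG_PROXY;
}
```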





Troubleshooting Site to Site VPN Connection


Hello,

I have two locations that I want to connect to each other with a VPN.

Both locations have a domain controller and a TMG server serving as internet proxy, but there are two completely separate Active Directory domains.

Location 1 :

AD1.site1.loc as domain controller of domain SITE1

TMG1.site1.loc as proxy server of domain SITE1 with public ip address IP1

Location 2 :

AD2.site2.loc as domain controller of domain SITE2

TMG2.site2.loc as proxy server of domain SITE2 with public ip address IP2

I configured a PPTP site-to-site VPN connection on both TMG1 and TMG2, but when trying to initiate the connection I get an error in the event viewer:

User TMG2\Site1 is connected from IP address IP2 but failed trying to authenticate due to the following reason : the specified username and password are not recognized or the selected authentication protocol is not supported in the remote site

I should point out that TMG2\Site1 is a local account with remote access permission, and has the name of the remote site configured in TMG2. The same thing is configured in SITE1, and the same error is found on the other TMG server.

What can I do to resolve this issue, please?

Thanks in advance, and regards. 







How to block google play store in tmg 2010


How can I block the Google Play store on mobiles? They are using WiFi in our LAN.

We are using the TMG 2010 firewall.


How to block youtube in tmg 2010


We are using TMG 2010 as the web proxy server for internet access.

I want to block YouTube at the organization level, and

if a client enters the URL in the browser then a message must be displayed on the blocked page.

Help me.

Remote Management of TMG Server

Hi-

I have a new TMG server running in a VM in my home lab. I'd like to be able to manage it via Remote Desktop as well as access it via SMB (e.g. \\tmgserver\c$). Right now the only way I can get in to it is via the ESX console. I tried creating access rules which permit this access to the box but they don't seem to be effective.

How do I go about permitting RDP and SMB to the TMG server?
Active Directory, 4th Edition - www.briandesmond.com/ad4/

publish ftp to internet via forefront


Hello.

I would like to know if someone could point me in the right direction on how I could publish an FTP server residing on the internal network to the internet, in order to allow access to it from the internet, via Forefront TMG.

I have seen a few examples on youtube and followed them, but I must say that I did not manage. Something is missing somewhere.

Thank you!

block streaming but not facebook


Hi

I am relatively new to TMG 2010 and I need to block all streaming videos (any video on any web page), but I would like to leave Facebook open for messages etc. I have tried to add a deny rule at the top of the firewall policy from internal to external with a content filter checking the video and Shockwave entry I created (I have checked the link: http://www.microsoftnow.com/2010/06/blocking-youtube-videos-and-flash-content-using-forefront-tmg.html), but it seems that the rule is not working.

I have added a deny rule with some of the URL Sets that TMG 2010 has, and it has blocked YouTube but also Facebook, whereas I would like to let Facebook work.
Might HTTPS inspection help or not (because at the moment it is not enabled)?

Please support

Many Thanks

Fatherland


TMG Services not Starting - Control Service is in a hung state


Hi Everyone,

I was wondering if someone could shed some light or point me in the right direction.

On my TMG box (Server 2008 R2 SP1), when I reboot it the Control service gets stuck on starting. As a result the other services won't start.

The manual workaround is to restart the Windows Firewall service, then restart that service and the others.

I've updated TMG to version 7 with the latest rollouts and even modified the every 7 days and even tried repairing the database. I even tried changing the RAM to 8GB static instead of the dynamic memory which I use on everything else.

My wildcard cert is only a few months old so it won't expire.

I'm using TMG as both a forward and reverse proxy at this stage and I've even tried the command sc config isactrl depend= RasMan/SSTPSVC/FwEng/ISASTG/bfe/mpssvc/HTTP/KeyIso as admin. I've also tried setting all services to Automatic (Delayed Start).

I've even tried tombstoning the AD LDS instance as well.

Short of reinstalling TMG and re-importing my rules and configs I'm out of ideas.

Kind Regards,

