
How safe to remove TMG Logs having extension *.llq

TMG 2010 on Windows 2008 R2: low disk space on the active partition (C: drive).

After running a tool I found that 98.3% of the space is occupied by log files located under C:\Program files\Microsoft Forefront Threat Management Gateway\Logs

The log files are named ISALOG_72D6EDF5_xxxxxx.llq (where xxxx are numbers).

How safe is it to delete or remove these log files?


Muhammad Mehdi


TMG Error code 500 Certificate chain was issued by an authority that is not trusted

Hello colleagues

I have site https://site.domain.ru:9510/pmpsvc

In site work: http://imgur.com/2cQ6vlF

I publish this site through TMG 2010, but I get this error:

500 Internal Server Error. The certificate chain was issued by an authority that is not trusted (-2146893019).

On the TMG server, via MMC, I imported the certificate to: http://imgur.com/eYqjrQg and rebooted the TMG server, but the problem is not solved.

Maybe someone solved this problem?

Thanks.

Adding SSL Port on TMG

I would like to add SSL port 7201 on TMG; it is causing the error below.

Error Code: 502 Proxy Error. The specified Secure Sockets Layer (SSL) port is not allowed. ISA server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. (12204)

I have tried this script but it's giving an error. Do I need to key in the ports in the script given here?

Can someone assist with a working script?

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script creates a new tunnel port range containing a single user-specified
' port to allow clients to send requests, for example, SSL requests, to that
' port.
' This script can be run from a command prompt by entering the
' following command:
'     CScript AddTPRange.vbs RangeName PortNumber
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Option Explicit

' Define the constants needed.
Const Error_TypeMismatch = &HD
Const Error_AlreadyExists = &H800700B7
Const Error_OutOfRange = &H80070057

Main(WScript.Arguments)

Sub Main(args)
    If(args.Count <> 2) Then
        Usage()
    Else
       AddTPRange args(0), args(1)
    End If
End Sub

Sub AddTPRange(newRangeName, newTunnelPort)

    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    'Declare the other objects needed.
    Dim isaArray     ' An ISA Server array object
    Dim tpRanges     ' An FPCTunnelPortRanges collection
    Dim newRange     ' An FPCTunnelPortRange object
    Dim port         ' An Integer

    ' Get a reference to the array and to
    ' the collection of tunnel port ranges.
    Set isaArray = root.GetContainingArray
    Set tpRanges = isaArray.ArrayPolicy.WebProxy.TunnelPortRanges

    ' Create a new tunnel port range.
    On Error Resume Next
    port = CDbl(newTunnelPort)
    If Err.Number = Error_TypeMismatch Then
        WScript.Echo "A number must be entered for the port to be included."
        WScript.Quit
    End If
    Err.Clear
    Set newRange = tpRanges.AddRange(newRangeName, port, port)
    If Err.Number = Error_AlreadyExists Then
       WScript.Echo "A port range with the name specified already exists."
       WScript.Quit
    ElseIf Err.Number = Error_OutOfRange Then
        WScript.Echo "The range of permissible ports is from 1 through 65535."
        WScript.Quit
    End If
    On Error GoTo 0

    ' Save the changes to the collection of tunnel port ranges
    ' with fResetRequiredServices set to True to restart the Firewall service.
    tpRanges.Save True
    WScript.Echo "Done!"
End Sub

Sub Usage()
    WScript.Echo "Usage:" & VbCrLf _
        & "  " & WScript.ScriptName & " RangeName TunnelPort" & VbCrLf _
        & "" & VbCrLf _
        & "  RangeName  - Name of the tunnel port range to be added" & VbCrLf _
        & "  TunnelPort - Port to be included in the new tunnel port range"

    WScript.Quit
End Sub


Meshax
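The sample VBScript above takes both values on the command line (its own usage line is `CScript AddTPRange.vbs RangeName PortNumber`), so nothing needs to be edited inside it. As an added example that is not part of the thread or of Microsoft's sample, the following PowerShell script does the same job through the same FPC.Root COM object and the same FPCTunnelPortRanges.AddRange call, with the same two HRESULT checks. It assumes an elevated PowerShell session on the TMG server itself; the range name, the port 7201, and the TunnelLowPort/TunnelHighPort property names used to detect an existing range are assumptions (the property names follow the TMG SDK object model and are not shown in the thread).

```powershell
# Added example (not the thread's or Microsoft's code): add a single-port tunnel
# port range so web proxy clients may CONNECT to that port (e.g. SSL on 7201).
# Assumes it runs elevated on the TMG server. Defaults below are constructed values.
param(
    [string]$RangeName = "SSL 7201",
    [ValidateRange(1, 65535)][int]$Port = 7201
)

$root   = New-Object -ComObject "FPC.Root"
$array  = $root.GetContainingArray()
$ranges = $array.ArrayPolicy.WebProxy.TunnelPortRanges

# Report an existing range that already covers the port before changing anything.
# TunnelLowPort/TunnelHighPort are assumed from the TMG SDK object model.
foreach ($r in $ranges) {
    if ($Port -ge $r.TunnelLowPort -and $Port -le $r.TunnelHighPort) {
        Write-Host "Port $Port is already allowed by range '$($r.Name)' ($($r.TunnelLowPort)-$($r.TunnelHighPort)); nothing to do."
        return
    }
}

try {
    # A single-port range: low and high port are the same, exactly as the VBScript does.
    $null = $ranges.AddRange($RangeName, $Port, $Port)
    # Save with fResetRequiredServices = True so the Firewall service restarts and the
    # new range becomes effective (expect a brief interruption of proxy traffic).
    $ranges.Save($true)
    Write-Host "Added tunnel port range '$RangeName' for port $Port."
}
catch {
    $ex = $_.Exception
    if ($ex.InnerException) { $ex = $ex.InnerException }   # COM errors are wrapped by PowerShell
    # Map the HRESULTs the sample VBScript checks for to readable messages.
    switch ('{0:X8}' -f $ex.HResult) {
        '800700B7' { Write-Error "A port range named '$RangeName' already exists." }
        '80070057' { Write-Error "Port out of range: permissible ports are 1 through 65535." }
        default    { Write-Error "AddRange failed: $($ex.Message)" }
    }
}
```

Run it as `.\Add-TmgTunnelPort.ps1 -RangeName "SSL 7201" -Port 7201` (file name assumed). Opening a tunnel port widens what clients can CONNECT through the proxy, so keep the range to the single port the application needs rather than a broad span.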

TMG report content messed up after change file location

Hi All,

I'm new to ISA and have currently just set up a TMG 2010 server as an edge firewall (two-network-card mode).

Due to the special situation here, I need to set the server up as a transparent agent so nobody needs to set up a web proxy for internet access.

Issue 1: I ran the TMG server status report, and it looks fine. When I copy and paste the report folder (html) to my computer or any other computer, the report content is messed up, as the picture shows:

Issue 2: If I want the AD user name and site domain name shown in place of the current IP in the report, but there is no web proxy set up for users, what should I do?

Thank you.

Jack,


Add extra IP to external NIC

We have a TMG server with 2 NIC (internal & External). VPN deployment exists.

I need to add a second address to the external NIC to publish an internal web site (so I need a listener).

How should I add this new IP ?

FF TMG 2010 on Server 2012

Has anyone tried successfully installing Forefront TMG 2010 on Windows Server 2012?

I tried but failed, it complained about unable to add roles and features.


Valuable skills are not learned, learned skills aren't valuable.


ActiveX controls or Java applets

Please assist, I get the following message on Edge "Your browser does not support either ActiveX controls or Java applets".

Forefront TMG 2010 services fail to start

1. The following services cannot start normally; starting them manually gives error code 1068:
Microsoft Forefront TMG Firewall, Microsoft Forefront TMG Control, Microsoft Forefront TMG Managed Control, Microsoft Forefront TMG Job Scheduler.

2. Error event IDs in the log: 36888, 11004

3. The server motherboard and HBA card have been replaced

4. After the Forefront TMG server high-availability array was disconnected, the server cannot rejoin the array.

Configure Content-Length header rather than the Transfer-Encoding: chunked

Hi Everyone,

I have configured HTTP compression (GZIP) and can see the Accept-Encoding header. However, the outgoing response is now sending a 'Transfer-Encoding: chunked' header instead of a Content-Length header, although from the tcpdump output I can see that the gzipped resource is what Jetty serves, so this is good:

Vary: Accept-Encoding^M
Content-Encoding: gzip^M
Content-Type: application/javascript^M
Accept-Ranges: bytes^M
Cache-Control: no-cache,must-revalidate^M
Last-Modified: Fri, 12 Oct 2018 01:57:57 GMT^M
Content-Length: 272145^M  

Is there any way to get Forefront to return the Content-Length header rather than the Transfer-Encoding: chunked header? The response from Jetty contains it, as the content size is known.

Thanks in advance.

DoJu

TMG Port


Port 8080 is known as the default port used for web proxy clients in TMG.
I am concerned about whether this port can be changed to another port, and I am anxious about the degree of impact.

I have one more question.
Port 1745 is known as the port for the control channel between client and server in TMG.
I am also concerned about whether this port can be changed to another port, and anxious about the degree of impact.

TMG is requiring HTTPS

TMG 2010 SP2

Publishing an IIS 7.5 web server to the Internet. It is on a TMG perimeter network, and is a web proxy client. While TMG is a domain member, the web server is not. The site is set up to accept HTTPS (for WEBDAV publishing) and HTTP for normal browsing.

I can browse by HTTP or HTTPS from the web server itself. But from the Internet, I can only browse with HTTPS. If I use HTTP, I get this error page:

403 Forbidden. The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator. (12311)

Web searches tell me this is related to requiring authentication where I shouldn't, but I can't find any place where I'm requiring auth in TMG. 

FWIW, Test Rule is happy.

Here are all the Publishing Rule settings that seem remotely relevant to requiring auth or SSL:

Web listener

  • Do not redirect traffic from HTTP to HTTPS
  • No Authentication
  • [ ] Require all users to authenticate
  • [ ] Allow client authentication over HTTP

Authentication Delegation

  • No delegation, but client may authenticate directly

Bridging

[x] Web Server

  • [x] Redirect requests to HTTP port [80]
  • [x] Redirect requests to SSL port [443]
  •    [ ] Use a certificate to authenticate to the SSL Web server

Users

  • All Users

Here is the TMG log entry:

Failed Connection Attempt

Log type: Web Proxy (Reverse)

Status: 12311 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator.

Rule: Publish Tenant Web Server

Source: External (10.200.10.1:54943)

Destination: Local Host (10.200.10.2:80)

Request: GET http://tenantwebfarm001.byoctechnologies.com/

Filter information: Req ID: 026ad3b4; Compression: client=No, server=No, compress rate=0% decompress rate=0%

Protocol: http

User: anonymous

Additional information

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

(No source information is available.)

0x0

1 MIME type:

Processing time:

Cache info:

Object source:


Client agent:


Forcing web traffic to use proxy - bypassing proxy for all other data

I have 20 clients that need very limited access to the Web via MS TMG.  We recently went live with a product hosted by another organization (shared services agreement & we are dependent on it).  The application will not work if we have a proxy configured in our LAN settings on these clients (the vendor has confirmed their app will not work with a proxy).  But with no proxy defined, our internet resources are completely unavailable.

Long story short, how can I configure these clients to access the web resources without specifying a proxy?  I've attempted to configure a PAC file for the couple of sites they need but didn't have much luck w/that (also not sure if that's best practice).

Not really sure if WPAD is a solution.  Thanks in advance.
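A PAC file is the mechanism built for exactly this split: the browser evaluates `FindProxyForURL` per request and only the matched hosts are sent to the proxy, everything else goes DIRECT. The following PowerShell script is an added example, not from the thread: it generates such a PAC from a host list, writes it to a web server folder, and points the current user's WinINET settings at it. The proxy address, host list, file path and URL are constructed placeholders; only the port 8080 (TMG's default web proxy port, as the "TMG Port" thread above notes) is from the page.

```powershell
# Added example (not the thread's code): build a PAC that proxies only the listed
# hosts through TMG and leaves every other destination unproxied (DIRECT).
# All names below are constructed placeholders for this example.
$ProxyAddress = "tmg.corp.example:8080"                     # placeholder; 8080 is TMG's default web proxy port
$ProxiedHosts = @("portal.example.org", "*.example.org")     # placeholder list of sites that must use TMG
$PacPath      = "C:\inetpub\wwwroot\proxy.pac"              # placeholder publish location on a web server
$PacUrl       = "http://wpadhost.corp.example/proxy.pac"     # placeholder URL the clients will fetch

# PAC files are JavaScript evaluated by the browser/WinHTTP. shExpMatch() is one of the
# standard PAC helper functions; one clause per host pattern, joined with ||.
$hostChecks = ($ProxiedHosts | ForEach-Object { "shExpMatch(host, `"$_`")" }) -join " || "

$pac = @"
function FindProxyForURL(url, host) {
    // Only the listed hosts go through TMG; every other destination bypasses the
    // proxy (DIRECT), so the vendor application keeps working unproxied.
    if ($hostChecks) {
        // No "; DIRECT" fallback here: if TMG is down, these sites fail closed
        // instead of silently leaving the filtered path.
        return "PROXY $ProxyAddress";
    }
    return "DIRECT";
}
"@

# PAC must be plain ASCII/UTF-8 without a BOM, or some clients reject it.
Set-Content -Path $PacPath -Value $pac -Encoding Ascii
Write-Host "Wrote PAC to $PacPath:`n$pac"

# Point the current user's WinINET settings at the PAC. This is the same setting as
# "Use automatic configuration script" in Internet Options and takes effect when the
# browser restarts; roll it out with Group Policy instead of by hand for 20 clients.
$inetSettings = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Set-ItemProperty -Path $inetSettings -Name AutoConfigURL -Value $PacUrl
Write-Host "Client AutoConfigURL set to $PacUrl"
```

Two things commonly break this setup: the web server must serve the file with MIME type `application/x-ns-proxy-autoconfig` (IIS does not map `.pac` by default), and the PAC URL itself must be reachable DIRECT, since the client has no proxy yet when it fetches it. Because every host not in the list leaves the network unfiltered, keep the host list short and review it like any other firewall exception.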

how safe is it to use tmg on 2018?

I see people who still use this software, but it's from 2010(2011) ..
What safety measures should I take? updates?

ARR in place of TMG 2010 (Kerberos Constrained Delegation)

Asking this here as I figured TMG people may have the knowledge as well... 

Trying to replace TMG with ARR and use Kerberos Constrained Delegation. 

TMG is working properly to a backend server (app-01 for example).  TMG is using the SPN of app-01.domain.com and trusted for delegation in AD to http/app-01 and http/app-01.domain.com

Now, I am trying to set up ARR to do the same thing.  ARR is trusted for delegation with the same settings as above.  However, it is not working.  I am not sure how to set the SPN for the ARR server like I did in the TMG UI. 

Any thoughts? 
Mark
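Kerberos constrained delegation is configured on the account the front end runs as, so the first check when moving from TMG to ARR is whether the ARR account carries the same delegation targets and the same protocol setting. The script below is an added example, not from the thread: it reads the delegation attributes of both computer accounts and confirms each backend SPN is registered exactly once. It assumes the ActiveDirectory module (RSAT) is installed; `TMG-01` and `ARR-01` are placeholder account names, while the two SPNs are the ones the post lists.

```powershell
# Added example (not the thread's code): compare KCD settings of the working TMG
# account and the new ARR account, then verify the backend SPNs. Account names are
# placeholders; the SPNs are the two the post names.
Import-Module ActiveDirectory

$FrontEnds   = @("TMG-01", "ARR-01")                        # placeholder computer account names
$BackendSpns = @("http/app-01", "http/app-01.domain.com")   # delegation targets from the post

foreach ($name in $FrontEnds) {
    $c = Get-ADComputer -Identity $name -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
    $targets = @($c.'msDS-AllowedToDelegateTo')
    [pscustomobject]@{
        Account             = $name
        # The "Services to which this account can present delegated credentials" list.
        AllowedToDelegateTo = ($targets -join "; ")
        # True = "Use any authentication protocol" (protocol transition), needed when the
        # reverse proxy authenticates users with forms/Basic and then requests a Kerberos
        # ticket on their behalf; False = Kerberos-only delegation.
        ProtocolTransition  = [bool]$c.TrustedToAuthForDelegation
        # Backend SPNs the post expects that are missing from this account's list.
        MissingTargets      = (($BackendSpns | Where-Object { $targets -notcontains $_ }) -join "; ")
    }
}

# Each backend SPN must exist on exactly one account (the one the backend IIS app pool
# runs as, or the computer account); duplicates or absence break Kerberos before
# delegation is even attempted.
foreach ($spn in $BackendSpns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" | Select-Object -ExpandProperty Name)
    [pscustomobject]@{ SPN = $spn; RegisteredOn = ($owners -join ", "); Count = $owners.Count }
}
```

If the ARR application pool runs under a domain service account rather than the machine account, run the first loop against that user account instead (`Get-ADUser` with the same `-Properties`), because delegation is evaluated for the identity that actually requests the service ticket. Keeping the target list to the specific backend SPNs, as the post does, is what makes the delegation "constrained"; avoid the unconstrained option when replacing TMG.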

TMG 2010 limiting VPN access to predefined IP adresses


Forefront isnt redirecting properly

Hi guys,


Our Forefront hasn't been working properly these last few days. For 2 weeks we haven't been able to reach our intranet via the URL "intranet.de". In our Forefront policy we gave the users 4 different options to reach our intranet: "www.intranet.de", "intranet.de", "www.intranet.com" and "intranet.com".


For 3 out of the 4 URLs the proxy is working fine, but for the URL "intranet.de" that isn't the case. Nobody can reach the intranet with that URL.


The log files are showing that a request with that URL is not handled by the proper policy. The policy that blocks the access is the system policy with the status 12202.


My question is why one of the 3 is blocked while the others are working?


Greetings

Service Pack 1 Upgrade Problem (TMG)

Hallo,

we are trying to upgrade TMG Standard to SP1.

Status: Saving registry information...
Setup cannot modify or create the registry entry System\CurrentControlSet\Services\Tcpip\Parameters.

And then: Setup was unable to configure TCP settings. As a result, Setup cannot continue.

Has someone a similar problem?

OS: Windows Server 2008 R2 Standard

Thomas

Site to Site VPN continuously falls over

Hi,

We still use TMG 2010 for site to site VPN between 2 offices. We have a weird problem where it just decides to block some traffic from only some machines to only some servers in the other site.

If we disconnect the VPN tunnel in routing and remote access, it self-reconnects and all is well again. We're having to do this every few days.

Our environment is 2016 Hyper-V nodes, and TMG VMs are running Windows Server 2008 R2 SP1 and TMG version 7.0.9193.644, which is the latest according to here.

I looked online and I read about a 'race condition' and a problem with afd.sys. I checked and ours are 6.1.7601.18264 dated 9 March 2018 for site 1 and 6.1.7601.17514 dated 20 November 2010 for site 2.

How to check whether a client computer has obtained the WPAD option?

Hi friends,

I have deployed WPAD autodiscovery via DHCP.

Now, on the clients, how can I check whether my client has detected the web proxy server and has obtained the wpad.dat file?

When I run ipconfig /all, it doesn't show me the WPAD option, so ipconfig /all doesn't show all options obtained from the DHCP server.

Is there any command to see all options which a client has obtained from the DHCP server?

Thanks in advance
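Windows does not expose DHCP option 252 through `ipconfig`; the WinHTTP autoproxy code requests it directly, then falls back to looking up the name `wpad` in DNS. The most reliable client-side test is therefore to ask the system which proxy it would actually use, and to verify each discovery path separately. The function below is an added example, not from the thread; it assumes a domain-joined Windows client with PowerShell 3 or later and uses only the client's own configuration (the test URL `www.example.com` is a constructed placeholder).

```powershell
# Added example (not the thread's code): check from a Windows client whether WPAD is
# discoverable and which proxy the system resolves. No network-specific values;
# the test URL is a placeholder.
function Test-WpadDiscovery {
    $results = [ordered]@{}

    # 1. DNS path: after DHCP option 252 fails, clients try "wpad" in the DNS suffix
    #    search list. An unexpected answer here is worth investigating, since the WPAD
    #    name is a classic spoofing target (Windows DNS has a global query block list for it).
    try {
        $wpad = Resolve-DnsName -Name wpad -ErrorAction Stop
        $results.DnsWpad = ($wpad | Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress) -join ","
    } catch { $results.DnsWpad = "not resolvable" }

    # 2. Fetch wpad.dat over plain HTTP on port 80, where Windows expects it, and check
    #    that it is really a PAC (contains FindProxyForURL) rather than an error page.
    try {
        $resp = Invoke-WebRequest -Uri "http://wpad/wpad.dat" -UseBasicParsing -TimeoutSec 5 -ErrorAction Stop
        $results.WpadDat = if ($resp.Content -match "FindProxyForURL") { "fetched, contains FindProxyForURL" }
                           else { "fetched, but no FindProxyForURL in body" }
    } catch { $results.WpadDat = "not fetched: $($_.Exception.Message)" }

    # 3. Effective answer: the system proxy object honours "Automatically detect settings",
    #    so a proxy address here means autodetection (DHCP 252 or DNS) succeeded for this user.
    $sysProxy = [System.Net.WebRequest]::GetSystemWebProxy()
    $target   = [uri]"http://www.example.com/"      # placeholder test destination
    $results.EffectiveProxy = if ($sysProxy.IsBypassed($target)) { "DIRECT" }
                              else { $sysProxy.GetProxy($target).Authority }

    [pscustomobject]$results
}

Test-WpadDiscovery | Format-List
```

A result with `EffectiveProxy` showing the TMG address (port 8080 by default) while `DnsWpad` is "not resolvable" means the DHCP path is the one that worked. To confirm what the server hands out, the DHCP side can be queried with the DhcpServer module on Windows Server 2012 or later, e.g. `Get-DhcpServerv4OptionValue -ScopeId <scope> -OptionId 252` (scope is a placeholder), which lists the option exactly as clients receive it.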

Working download link for Forefront TMG 2010 Rollup 5 For service pack 2?

I am looking for a working download link for Forefront TMG 2010 Rollup 5 For service pack 2

I tried to get hotfix via this link https://support.microsoft.com/en-us/help/2954173/rollup-5-for-forefront-threat-management-gateway-2010-service-pack-2 but the link https://support.microsoft.com/hotfix/kbhotfix.aspx?kbnum=2954173&kbln=en-US says that hotfix is not available.

Is there any other way to get a hold of this rollup?

I have a client which needs it since we are having some issues with their TMG currently running Service Pack 2 with no rollups applied.

Would really appreciate if someone could provide me with a working download source

Thank you
