Channel: Forefront TMG and ISA Server forum

TMG VPN Android Dropping


We are running TMG 2010. We have set up PPTP, L2TP (PSK) and SSTP.

VPNs work fine apart from android devices. Connecting via PPTP has to be done with encryption turned off and the connection is dropped after about 5 seconds. L2TP PSK connects but again drops after 5 seconds. Has anyone else experienced this or know what might be going wrong?

Thanks

 


Exchange OWA publishing issue


I have set up a new Hyper-V test environment consisting of:
• TMG 2010
• Exchange 2010 Standard
• Windows Server DC

So far I have:
• Set up DNS (external & internal)
• Created a self-signed certificate
• Created an Exchange publishing rule complete with listener using the certificate
• Enabled and configured all the relevant client access settings on Exchange
• Made sure that the OWA web site in IIS was set to allow Windows and basic authentication

When I browse to our OWA site through TMG (either internally or externally) I get the usual certificate error (it's a self-signed certificate, so that's expected). The OWA page appears, but when I log on I get: "Error Code: 500 Internal Server Error. The target principal name is incorrect. (-2146893022)"

HOWEVER, when I connect to OWA on the Exchange server locally (https://127.0.0.1/owa) it all works fine so the credentials are correct.
So I think I have narrowed down the issue to TMG.

TMG shows the following entry in the log:
Failed Connection Attempt TEST2008TMG 06/07/2012 10:56:02
Log type: Web Proxy (Reverse)
Status: 0x80090322 
Rule: <Exchange> Outlook Web Access
Source: External (**.**.***.**:51656)
Destination: Local Host (192.168.51.3:443)
Request: GET http://mail.subdomain.domain.org/owa
Filter information: Req ID: 0b7caac3; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=no, logged off=no, client type=private, user activity=yes
Protocol: https
User: domain.org\user@domain.org
Additional information
Client agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 31 MIME type:


Marco S

TMG 2010 Firewall blocking Emails in Outlook 2007

All,

I am currently using Outlook 2007 for email, which uses POP3/SMTP for incoming and outgoing mail respectively. I recently installed and configured Forefront TMG 2010 firewall on my network. A Web Access Rule has been configured and all machines on my home network can get on the Internet fine. I have confirmed that the POP3 and SMTP settings are correct. They had been working fine before I installed TMG 2010.

Now the problem is that when I try to send email from Outlook 2007, I receive the error:

Error message: "Cannot find the e-mail server. Verify the server information in your account properties"

Now I cannot send and cannot receive any e-mails.

I have even created another access rule for POP3 & SMTP from the External network to the Internal network and it is still not working.
Any help will be appreciated very much.

Thanks,
Ahmad Ali

Forefront is Blocking Windows Live Messenger Sign In


Hi,

 

I have Forefront TMG configured as the proxy server for our network. The access rules are configured correctly and all users and applications are working perfectly. I have created an access rule for Live Messenger that allows all ports used by MSN Messenger, but we are still unable to sign in.

 

There is one article on the Microsoft website that says users behind some authenticating proxy servers may experience sign-in issues. They might have to configure the proxy servers to force authentication for the following User Agent string: MSN Explorer/9.0 (MSN 8.0; TmstmpExt).

So the question is: how do I configure Forefront to force authentication for MSN Explorer/9.0 (MSN 8.0; TmstmpExt) to allow the users to sign in?

Authentication and DNS failing across IPSEC site to site link between Cisco 887VA and TMG 2010


TMG 2010 at our main office. Cisco 887VA at our remote office. Remote office XP clients can't authenticate to the domain. Cannot access client machines at the head office site. Typing \\"machine name" at the remote site hangs and I either get "machine cannot be found" or I get an authentication box. Once I authenticate using a domain username and password I can connect to the other machines at the head office without a problem.

Noticed also that I can't ping the inside interface of the TMG box from the remote site.

I can however, ping the inside interface of the Cisco from head office and I can access client machines at the remote site from head office without a problem.

The event log on the machines at the remote site says "cannot find domain controller for your domain", although I can resolve and ping the domain from the remote site.

TMG has an any-any rule set to allow traffic to and from the tunnel to the internal and local host.


James Reeve


Forefront Threat Management Gateway


I have a TMG 2010 server. I want to block the Facebook game application & the new version of the Ultrasurf proxy.

Please give me the right solution on this topic.

 

Help with Expl:Win/HTTP.URL.SQLInj!0000-0000


Hi guys!

I'm configuring NIS within TMG and I have a little trouble with definition signatures for common SQL injection techniques. Firstly, I tested the NIS engine using a wide variety of signatures, such as XSS, TEST, and exploiting, and the NIS system works fine. But the definitions for SQL Injection (Expl:Win/HTTP.URL.SQLInj!0000-0000) don't seem to work. Does this signature need a special configuration?

Thanks guys, and a big congratulations to all MVPs. Your work helps us to better understand Microsoft technologies.

 


If you don't like my principles, I have others. (Groucho Marx) http://windowstips.wordpress.com

TMG and Organizational Units exception


Hello,

I'm having a bit of trouble adding exceptions to TMG firewall rules. I created a web access rule to block websites like Facebook etc. On the Users tab I have this rule applied to "All users", and in the Exceptions part I have a User Set called Admins, where Admins contains the Active Directory built-in Administrator account (the Enterprise Administrator in my case).

The problem is that now I am logged on using the administrator account, and the blocked websites rule is not excluding the administrator account. I tried to exclude a whole OU, but I had the same result: the websites are TOTALLY blocked from being accessed by anyone on the "internal" interface side.

My last attempt was to exclude the Enterprise Admins/Domain Admins groups, and again I failed.

Any ideas?


TMG 2010 performance problem


Hi!

I have a VMware ESXi 5 host and a VM with TMG 2010 SP2 installed on Windows Server 2008 R2. It has 90 firewall rules and 7 network rules. I have checked NIC duplex and speed; they are OK. I also have DNS settings on one NIC.

I have 8 subnets and 8 NICs. When I transfer files from server to server routed through TMG, the speed is about 10mb/sec.

Server to server on the same subnet is about 70mb/sec.

Next I installed a new TMG and tried testing: I exported the whole TMG settings and imported them into the new TMG installation. Same transfer speed! Deleted every rule and just made 2 rules to allow testing. Same speed!

Next I installed it all over again and tested it with only two firewall rules. Speed is about 50mb/sec.

I just don't understand why this is happening.


Inbound SMTP denied


Hi,

I've published a rule in TMG from Exchange to Internet with port 25. But, the emails are being denied at TMG as shown from the log below.



My TMG is using a one-arm network topology (i.e., only one NIC).

Further, the log shows the source is internal and the destination is internal.

How do I port forward port 25 from TMG (internal) to Exchange: 10.0.0.111?

 
Useful info:

TMG: 10.0.0.1
Router: 10.0.0.21
Exchange: 10.0.0.111
Internal DNS: 10.0.0.100

  

Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL)


Good day

I'm busy trying to test that our TMG is able to take HTTPS requests for OWA on its external IP before getting our network guys to configure the firewall to send external requests for OWA through it from its external IP. The TMG is currently configured as a back firewall. I have configured a rule that sends requests to our CAS array. If I send a request directly to the CAS array, e.g. https://*.*.*.*/owa/, I get the web app logon screen. If I try to do it through the TMG I get the message below. I'm not sure what I'm doing wrong. Your help would be greatly appreciated.

The page cannot be displayed

Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

Try the following:

  • Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
  • Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
  • Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.

Technical Information (for support personnel)

  • Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

This is from the TMG live log

Denied Connection ********* 11/17/2012 2:00:30 PM 
Log type: Web Proxy (Reverse) 
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).  
Rule: Default rule 
Source: Perimeter (192.168.1**.*:26285) 
Destination: Local Host (192.168.1**.*:443) 
Request: GET http://192.168.*1.*/owa/ 
Filter information: Req ID: 0a08bc45; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes 
Protocol: https 
User: anonymous 
 Additional information 
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 MIME type:  
 

IS TMG right for my scenario


A little intro: I am not into security or access by trade; I have a background in Exchange and wound up being assigned this task because I once supported Proxy 2.0. I was asked to use TMG to complete this but I am not sure it's the right tool for the scenario. I have some training lined up, but before I waste days of my time learning about TMG, could someone let me know if this scenario fits the product? My sincere thanks in advance for your advice.

This large company has many sites and domains globally.  They want users that login from domain A (regardless of physical site) to have access to resources in the primary corp domain.  Of course there are firewalls separating many of these users from the corporate domain.  What they want is a solution that 'proxies' their connections into the corp domain.  Can TMG (or another product?) recognize that someone is currently logged into Domain A and allow them to automatically access resources in the Corp Domain?

Customer statement : "this is an internal network that another region would not have direct visibility to due to firewall rules not allowing all global IP networks.  For those regions that do not have direct IP access through the perimeter firewall, they should go through a proxy and this proxy would give them visibility into the network as if they were at that location.  It will allow 'Domain A' users and reject users from any other Domain."

What I worry about is it seems TMG / UAG are designed to publish web sites, exchange, etc or to allow use via Direct Access from another 'entity' and I think UAG / Direct Access is out because they are not 100% Windows 7 and still have XP clients.  I need these people to be able to use all resources not just a published app or web space.  This is why I decided to come to the forums, it seems to me that there should be a way to enable this in AD easier than a complicated 'proxy' solution. 

Thanks again.

New network does not connect to Internet


Hi Guys,

I have been trying to create a network that contains only one particular subnet range to allow that subnet access to External through AD/TMG groups. Here is what I have done so far:

  1. Created new network containing the required subnet range i.e. 192.168.x.x - 192.168.x.x
  2. Created network rule to allow the new network (Source) to access External (Destination) with the Default IP address settings for NAT
  3. Created a Web Proxy rule to allow HTTP/HTTPS traffic from the new network to External for a user group created within TMG from AD
  4. Tried to access the Internet with the account assigned to the TMG group but no success

I can replace the new network with the built-in Internal network (which has the same addresses as the new network I created) and successfully access the Internet, but not when the new network is in the From field.

Our system:  Win2K8 R2 + TMG 2010 SP2 w/ all windows and Microsoft updates installed.

Any ideas?  Please let me know if you require more information

Forefront TMG URL mapping for internal website pages


Hi,
How can I do the following on Forefront TMG?
I have the following internal URLs:
http://Internal_domain/directory1/SubDirectory2/page1.aspx
http://Internal_domain/directory2/SubDirectory3/page2.aspx
I want the end user to access these two internal pages from outside via the following URLs, hiding the internal path and using a short name, e.g.:
http://external_domain/page1  => http://Internal_domain/directory1/SubDirectory2/page1.aspx
http://external_domain/page2  => http://Internal_domain/directory1/SubDirectory3/page2.aspx

thanks


TMG Reporting and Arrays


Hi,

If we have 2 TMG servers in an array, and we log to SQL Express (local to the TMGs), what happens to the reports? Will each TMG server only display its own reports? Does it combine the reports from both servers? If not, what are the options for combined reports from both members of the array?

Thank you,

SK


ISA 2006: Possible to label Securenat clients in console?

If we use SecureNAT on some systems (either because there is a system or application that does not support signing in with a user's AD account, or because we don't want AD user proxy credentials hard coded into an app and then locking out the user when the password expires and is changed and the user forgets to update the credentials in the proxy settings), is there a way to manually create and save an identifying label for a MAC address with a user name or host name in the console, so we can tell at a glance which computer or which person is responsible for the traffic instead of having to look it up each time?

Resolve the issue


I have a problem with my client Outlook account: after installation of TMG Server and Active Directory on the Windows 2008 R2 operating system I am unable to send and receive mail, although all other functions are working properly. I am attaching my Outlook settings and the rules of the TMG server; please go through them and resolve my issue. I would be very grateful.

I will just tell you my settings:

OUTLOOK 2007 SETTINGS

email id: jawad@pharmafive.com.pk

type: IMAP

outgoing and incoming: mail.pharmafive.com.pk (Now here I want to confirm whether I should configure the TMG server IP address or my mail.pharmafive.com.pk)

In More Settings, for the outgoing server there is a check on "Log on using" and I have entered my username and password.

But after clicking on check account testing the result is:

(1) Log onto incoming mail server (IMAP): The host 'mail.pharmafive.com.pk' cannot be found. Verify that the server name is typed correctly.

(2) Send test e-mail message: Cannot find the e-mail server. Verify the server information in your account properties.

TMG Server Setting

TMG Server IP address: 10.10.10.3

I have configured an edge firewall.

I have created a rule in the firewall policy that all outbound traffic is allowed from internal to external for all users.

Allow all mail services such as SMTP, IMAP, POP3 from internal to external.

Result: no connectivity for receiving and sending mail, while other services are working quite smoothly.

Please tell me the solution.

Forefront TMG 2010 Spoofing issue preventing connections


Been struggling with IP spoofing issues on our TMG 2010 server.

We have web services published to public IPs, all bound to a NIC called WAN-PUBLIC, which then NATs to the internal IPs on the web servers.

In certain scenarios we're unable to gain access to the servers and the ISA logs are full of spoofing errors such as this:

Log type: Firewall service

Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed. 

Rule: None - see Result Code

Source: Local Host (213.122.169.54:18816)

Destination: Internal (192.168.9.130:443)

Protocol: HTTPS

The source host in this scenario is an IIS server / NLB using ARR so it’s almost acting like a reverse proxy.

Below are the relevant public IPs bound to the WAN NIC, and as you can see it has a default gateway set to an upstream ISP router.

Ethernet adapter WAN-PUBLIC:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 213.122.169.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.51
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.52
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.53
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.54
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.55
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.56
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.57
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.58
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.59
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 213.122.169.49

Below is the internal NIC of the ISA server (no gateway set):

Ethernet adapter LAN-PRIVATE:

   IPv4 Address. . . . . . . . . . . : 192.168.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

So the rule above that's failing is on the 192.168.9.x network; this network has a manual route defined whose gateway is an internal core switch.

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask         Gateway       Interface Metric
          0.0.0.0         0.0.0.0   213.122.169.49   213.122.169.50   266
       10.10.10.0   255.255.255.0      192.168.0.2     192.168.0.1     11
        127.0.0.0       255.0.0.0         On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255        On-link         127.0.0.1   306
      192.168.0.0   255.255.255.0         On-link       192.168.0.1   266
      192.168.0.1  255.255.255.255        On-link       192.168.0.1   266
    192.168.0.103  255.255.255.255   192.168.0.103    192.168.0.107    31
    192.168.0.107  255.255.255.255        On-link     192.168.0.107   286
    192.168.0.255  255.255.255.255        On-link       192.168.0.1   266
      192.168.9.0   255.255.255.0      192.168.0.2     192.168.0.1     11
    213.122.169.0    255.255.255.0        On-link    213.122.169.50   266
   213.122.169.50  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.51  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.52  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.53  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.54  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.55  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.56  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.57  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.58  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.59  255.255.255.255        On-link    213.122.169.50   266
  213.122.169.255  255.255.255.255        On-link    213.122.169.50   266
        224.0.0.0       240.0.0.0         On-link        127.0.0.1    306
        224.0.0.0       240.0.0.0         On-link      192.168.0.1    266
        224.0.0.0       240.0.0.0         On-link   213.122.169.50    266
        224.0.0.0       240.0.0.0         On-link    192.168.0.107    286
  255.255.255.255  255.255.255.255        On-link         127.0.0.1   306
  255.255.255.255  255.255.255.255        On-link       192.168.0.1   266
  255.255.255.255  255.255.255.255        On-link    213.122.169.50   266
  255.255.255.255  255.255.255.255        On-link     192.168.0.107   286
===========================================================================
Persistent Routes:
  Network Address         Netmask  Gateway Address  Metric
      192.168.9.0   255.255.255.0      192.168.0.2      1
       10.10.10.0   255.255.255.0      192.168.0.2      1
         0.0.0.0          0.0.0.0   213.122.169.49  Default

The 192.168.9.x network range has been defined within the ISA Network tab on the "Internal" NIC.

I’ve run the ISA BPA and that’s not detected a configuration issue.

Any thoughts on how to proceed?
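As an added illustration (not code from the post, and not TMG's own implementation), the Python script below models the two conditions under which TMG drops a packet as spoofed (source address outside the network element bound to the receiving adapter, or source address reachable via a different adapter according to the routing table) against the adapter networks and a subset of the route table quoted above. The adapter on which each sample packet arrives is an assumption, since the log does not record it, and the 192.168.0.107 interface is left out because the post does not name its adapter.

```python
import ipaddress
import re

# Adapter -> (TMG network element, address ranges). 192.168.0.0/24 is the
# LAN-PRIVATE subnet; 192.168.9.0/24 was added to Internal per the post.
NETWORKS = {
    "LAN-PRIVATE": ("Internal", ["192.168.0.0/24", "192.168.9.0/24"]),
    "WAN-PUBLIC": ("External", ["213.122.169.0/24"]),
}

# Subset of the post's IPv4 route table: (destination prefix, interface IP).
# The interface column decides which adapter a source address is reachable
# through; the gateway column does not matter for the spoof check.
ROUTES = [
    ("0.0.0.0/0", "213.122.169.50"),
    ("10.10.10.0/24", "192.168.0.1"),
    ("192.168.0.0/24", "192.168.0.1"),
    ("192.168.9.0/24", "192.168.0.1"),
    ("213.122.169.0/24", "213.122.169.50"),
]
ADAPTER_BY_IP = {"192.168.0.1": "LAN-PRIVATE", "213.122.169.50": "WAN-PUBLIC"}

# Matches the "Source: Local Host (213.122.169.54:18816)" line of the TMG log.
SOURCE_RE = re.compile(r"Source:\s*(?P<net>[^(]+?)\s*\((?P<ip>[\d.]+):(?P<port>\d+)\)")


def parse_source(log_line):
    """Return (TMG network name, ip, port) from a 'Source:' log line."""
    m = SOURCE_RE.search(log_line)
    if not m:
        raise ValueError(f"not a TMG Source line: {log_line!r}")
    return m.group("net"), m.group("ip"), int(m.group("port"))


def network_of(ip):
    """TMG network element an address belongs to; undefined space is External."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in NETWORKS.values():
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return name
    return "External"


def egress_adapter(ip):
    """Longest-prefix match over ROUTES -> adapter the address is reached through."""
    addr = ipaddress.ip_address(ip)
    candidates = [(ipaddress.ip_network(p), iface) for p, iface in ROUTES
                  if addr in ipaddress.ip_network(p)]
    best = max(candidates, key=lambda t: t[0].prefixlen)  # default route always matches
    return ADAPTER_BY_IP[best[1]]


def spoof_check(src_ip, arriving_adapter):
    """Return ('spoofed'|'ok', reason) for a packet with src_ip seen on arriving_adapter."""
    expected = NETWORKS[arriving_adapter][0]
    actual = network_of(src_ip)
    if actual != expected:
        return "spoofed", f"{src_ip} is in {actual}, but {arriving_adapter} is bound to {expected}"
    via = egress_adapter(src_ip)
    if via != arriving_adapter:
        return "spoofed", f"route table reaches {src_ip} via {via}, packet arrived on {arriving_adapter}"
    return "ok", "source consistent with adapter network and route table"


if __name__ == "__main__":
    net, ip, port = parse_source("Source: Local Host (213.122.169.54:18816)")
    print(f"logged source: {net} {ip}:{port}")
    # Constructed packets; the arriving adapter is assumed, not taken from the log.
    for src, adapter in [("192.168.9.130", "LAN-PRIVATE"), (ip, "LAN-PRIVATE"),
                         ("203.0.113.7", "WAN-PUBLIC"), ("10.10.10.5", "WAN-PUBLIC")]:
        print(adapter, src, *spoof_check(src, adapter))
```

The last sample (10.10.10.5 on WAN-PUBLIC) is flagged by the routing-table check alone, which is the case a plain address-range comparison would miss.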

getting some empty user activity report in wrong date


Hi there,

I am trying to pull out a report from TMG 2010 by creating a user activity report, but for some reason I cannot generate one for a specific user. I tried other users and it works, but for this certain user it shows an empty report. Kindly advise.

TMG Documents and Healthchecks


Is there anywhere to pick up an installation guide for TMG, and also something like an administration/management guide for general maintenance/monitoring/management of the product?

Also, if you were tasked with doing an audit review/healthcheck of a TMG configuration and checking for best practice monitoring/maintenance, what areas would you look at?
