Forefront help
TMG 2010 (SP2) as edge firewall on Hyper-V guest cannot access any other computers on same subnet
I'm hoping someone may be able to help me with this as I've been completely unable to figure out why this setup does not work on a Hyper-V guest running Server 2008 r2. I'm in the process of testing some scenarios and have successfully managed to configure TMG 2010 on a physical system but when creating the same setup on a Hyper-V guest, TMG seems to run into serious network issues...
Some details:
Physical system (Server 2008 r2) running Hyper-V and ADDS - single Domain Controller.
- 3 physical NICs
- 1 NIC set up for use by the physical server - no problems with local or Internet connectivity
- 2 NICs allocated to Hyper-V Virtual Network Manager (External connection type, unticked "Allow management operating system to share this network adapter"), i.e. dedicated to Hyper-V
- All three NICs are connected directly into the Switch ports on my Router.
Hyper-V guest (Server 2008 R2 with all updates completed) running TMG 2010 configured as edge firewall with the following updates installed: SP1, SP1 Update 2, SP2.
So on the Guest I have NICs as follows:
- VNIC1 - Renamed External for easy reference in TMG.
- Static IP address and Default Gateway. DNS servers left blank
- VNIC2 - Renamed Internal
- Static IP address, Default Gateway left blank. DNS server has IP for Hyper-V host as it is running the Domain Controller.
Prior to installing TMG 2010 I was able to fully update Windows and join the domain without any problems at all (I have uninstalled TMG several times as well, and when it's not installed, everything works perfectly).
While TMG is installed and running, I have no connectivity to any computer running on the physical network, which I am pretty certain is because TMG is unable to make connections with the Domain Controller/DNS server.
If I enter an alternate DNS server in the IPv4 settings on the VNIC Internal, then I am able to get connection to websites etc. on the WAN.
nslookup correctly identifies the IP address for the domain controller, but any DNS queries time out - for some reason the connection is being blocked.
Using the TMG control panel logs and reporting, I can see that DNS queries (UDP 53) are being allowed from the TMG Internal NIC to the IP of the Domain Controller/DNS server, so it doesn't seem to be the firewall component that is blocking the traffic.
TMG capacity planning disks & logs
Hi,
Just finished with the TMG Capacity Planning Tool (http://www.microsoft.com/en-us/download/details.aspx?id=15196) for an array configuration.
However, it's not clear what size disks will be required for caching.
The result came back as follows:
- Number of disks for web caching per server: 2
- disk size for logging per server per day: 67 Gb
Does the Capacity Tool assume that the 'logs' and 'caching' will be stored on the same disk? Isn't it recommended for large deployments (10,000+) to separate the 'logs' from 'caching' and even implementing some form of RAID for caching?
Thank you,
SK
Exchange 2010 readiness checks, Setup /prepareAD warning, not be able to install exchange 2003
Hi Guys,
I am installing the first Exchange 2010 server into an Exchange 2003 environment.
The second Readiness Check has a warning.
Setup is going to prepare the organization for exchange 2010 by using "setup /prepareAD". No Exchange 2007 server roles have been in this topology. After this operation, you will not be able to install any exchange 2003 or exchange 2007 servers.
My question is: does this only stop me from installing Exchange 2003 or Exchange 2007 servers, but not stop my current Exchange 2003 server from working?
I am sure this is the case but just wanted to double check.
Craig
SBS windows Server 2003std - Update related error found
Hello,
I found this error some days ago on all my servers. I think this is automatic update related; does anyone have the solution? I found this error on the Windows Server 2008 Std as well.
-------------
Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 22/11/2012
Time: 11:05:23 AM
User: N/A
Computer: XXXXXXXX
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
For more information, see Help and Support Center at
Thank you Aliasgar S J MCITP 2008
Resolve the issue
I have a problem with my client's Outlook account: after installation of TMG Server and Active Directory on the Windows 2008 R2 operating system I am unable to send and receive mail, although all other functions are working properly. I am attaching my Outlook settings and the rules of the TMG server; please go through them and resolve my issue, I would be very glad.
I will just tell you my settings:
OUTLOOK 2007 SETTINGS
Email id: jawad@pharmafive.com.pk
Type: IMAP
Outgoing and incoming: mail.pharmafive.com.pk (Now here I want to confirm whether I should just configure the TMG server IP address or my mail.pharmafive.com.pk)
In More Settings, for the outgoing server, the "Log on using" box is checked and I have written my username and password.
But after clicking on the account settings test, the result is:
(1) Log onto incoming mail server (IMAP): The host 'mail.pharmafive.com.pk' cannot be found. Verify that the server name is typed correctly.
(2) Send test e-mail message: Cannot find the e-mail server. Verify the server information in your account properties.
TMG Server Setting
TMG Server ip add: 10.10.10.3
I have configured it as an edge firewall.
I have created a rule in the firewall policy that allows all outbound traffic from Internal to External for all users.
Allow all mail server protocols such as SMTP, IMAP, POP3 from Internal to External.
Result: no connectivity for receiving and sending mail, while the other services are working quite smoothly.
Please tell me the solution.
TMG - SMS 2 factor
Hi
I have a simple question. I have done this in UAG, where I use SMS as a second factor. First the user is prompted for username/password, and after that a new page loads where they are prompted for an SMS code/token etc. (for OWA).
Is the same thing possible for the TMG, or do I need to custom design the second page?
VIPs and DIPs on an array
Hi,
We are deploying multiple TMG servers array for Web Proxy/Caching functionality (incl. URL filtering, HTTPS inspection, HTTP Malware inspection) - web proxy & secureNAT clients.
We are thinking of using NLB and a VIP on the internal network config only, and leaving the external network cards with DIPs.
What is the recommended scenario in this case? Is there any reason why we may need NLB and VIPs on both external and internal configurations, if we are just using the secure Web Proxy scenario?
Thank you,
SK
New network does not connect to Internet
Hi Guys,
I have been trying to create a network that contains only one particular subnet range, to allow that subnet access to External through AD/TMG groups. Here is what I have done so far:
- Created new network containing the required subnet range i.e. 192.168.x.x - 192.168.x.x
- Created network rule to allow the new network (Source) to access External (Destination) with the Default IP address settings for NAT
- Created a Web Proxy rule to allow HTTP/HTTPS traffic from the new network to External for a user group created within TMG from AD
- Tried to access the Internet with the account assigned to the TMG group but no success
I can replace the new network with the built-in Internal network (which has the same addresses as the new network I created) and successfully access the Internet, but not when the new network is in the From field.
Our system: Win2K8 R2 + TMG 2010 SP2 w/ all windows and Microsoft updates installed.
Any ideas? Please let me know if you require more information
When to use TMG Client?
Hi,
Under which circumstances would we need the TMG Client? From what I understand it's anything that uses Winsock, is this correct?
If someone on the intranet requires to use FTP to an Internet server, will they always need the TMG Client?
Thanks,
Sk
ISA 2006 in DMZ and SSL Authentication
Hello can anyone give some insight as to how this can be accomplished? Here's some setup info...
ISA 2006 Front End Firewall
DMZ - Web Proxies - DMZ
ISA 2004 Back End Firewall
The front end firewall obviously has no connection to the domain, while the back end firewall does. I have a website that is published on the Front End Firewall, which then forwards the requests to my web proxy, which then forwards the request to the back end firewall, and then on to the actual web application. I need to add security to this setup by use of SSL Authentication. Any suggestions?
Thanks,
WP8 device in TMG log
Could my Lumia 920 showing up in the TMG logs like this
instead of like this
cause an issue with Exchange ActiveSync?
I only ask here because our EAS policy is correct and working fine, I just get prompted occasionally that my domain password is incorrect. Entering the password allows it to sync but backing out of the prompt and manually pressing the sync button allows it to sync as well.
Server is 2008 R2 SP1, Exchange 2010 with update rollup 7. TMG version 7.09193.540.
My ISA server blocks the Wireless router
I have a wireless router; the IP address of the wireless router is, for example, 192.168.5.230. In ISA Server 2006 this IP address has been given full access to the Internet.
In the wireless router, DHCP is configured as 192.168.10.10 - 192.168.10.199. There are 10 or more clients connected to the wireless router.
But sometimes the ISA server blocks the Internet connection for the router (this IP address 192.168.5.230). The duration of the blocking is 10 minutes or more. What the problem is, I don't know. I have tried all variants of flood mitigation configuration. No result!!
Windows Phone 7 - Proxy & ISA
Hello,
I think/know this problem is recurrent, but I can't find a clear answer. So, my problem concerns the connection between a Windows Phone and an ISA Server over Wi-Fi.
I obtain an error => Server not found OR DNS error...
But I can connect to an internal (IIS) website; authentication is filled in, and in the ISA logs I found an entry from an IP but with the user field blank...
Is this an NTLM problem? (see here => http://www.robfe.com/2008/09/how-to-get-your-iphone-on-wifi-when-your-proxy-uses-ntlm/)
Do you have an idea?
-- Cédric GEORGEOT [MVP] Virtual Machine http://www.e-novatic.fr -- Author of the book "Bonnes pratiques, planification et dimensionnement des infrastructures de stockage et de serveur en environnement virtuel"
ISA port open but putty gives connection timeout
Hi All,
I have created a server publishing rule for users to access CentOS from home.
Actually there are a total of 10 CentOS servers, and all are able to SSH using PuTTY except for 1 particular one.
Any ideas?
Thanks.
FF TMG 2010 on Server 2012
Has anyone tried successfully installing Forefront TMG 2010 on Windows Server 2012?
I tried but failed, it complained about unable to add roles and features.
Valuable skills are not learned, learned skills aren't valuable.
TMG report shows blank "Top Web Sites"
Hi All,
I am not sure why, but this used to work and it doesn't seem to anymore. If we run a report, everything shows OK apart from "Top Web Sites", which just shows as a - and 100%; it does not list the sites. If you do normal logging reports you can see the sites OK. As we are a large site and want to keep logs to a minimum, we only log certain fields (Client IP, Client Username, Log Date, Log Time, Destination IP, Destination Port, URL). I'm not sure why it won't list the top web sites in the reports; any ideas what to check?
Thanks, Duncan
How to allow a specific video on YouTube
We have blocked all streaming sites like YouTube. But sometimes we need to allow a specific video, e.g. http://www.youtube.com/watch?v=ooijMw8jzoc. In the Barracuda web filter it is enough to add an exception for http://www.youtube.com/watch\?v\=ooijMw8jzoc, but I can't find a way to do the same in Forefront; exceptions in the blocking rule do not work.
Any idea will be appreciated. Thanks in advance.
TMG Enterprise License and virtualization
Hi all
I know there are 1000+ threads with questions about TMG licensing and virtualization but I haven't found the answer yet. I'm really confused and maybe someone can help me.
We have a host system with two 6-core CPUs. We plan to assign 8 vCPUs to the VM.
We want to buy a TMG Enterprise License (not much time left to do that ;-))
At a TMG course we were told that with the TMG Enterprise License, we just need 1 license per physical processor available and not for every vCPU we assign to the VM.
According to many threads I found, this must be wrong. And I also found the following official document:
http://download.microsoft.com/download/B/D/3/BD3C5A07-599D-4C14-AC2E-A98F495CCFB5/Forefront%20Licensing%20Datasheet.pdf
"Forefront Threat Management Gateway 2010 is licensed under the processor licensing model, with a license required for each physical or virtual processor accessed by an operating system environment (OSE) running a Threat Management Gateway server."
So with this statement we would need 8 TMG Enterprise licenses if the VM has 8 vCPU.
But I also found opposite statements like in this document:
http://logiciels.univ-rennes1.fr/html/intranetur1/editeurs/microsoft/Docs/TMG_PL_guide_v2FINAL%20101909.pdf
"With TMG Enterprise Edition, customers need to license only the physical processors and can run the software on an unlimited number of virtual CPUs"
With this statement we would need only 2 TMG Enterprise licenses if the host system has two 6-core CPUs.
(although the document looks official, I couldn't find this document on microsoft.com so it might be outdated and the statement isn't valid anymore?)
And also on this page:
http://microsoftguru.com.au/2011/01/12/forefront-tmg-2010-frequently-asked-questions-faq/
"Support for unlimited virtual CPUs -> yes"
Can someone please clarify if I need 8 or 2 TMG Enterprise licenses?
Is the second document I linked not valid anymore?
Thanks a lot
0xc0040014 FWX_E_FEW_SPOOFING_PACKET_DROPPED
I have a main office and a branch linked with 2 TMG 2010 servers (+ all SPs and all rollups) over a PPTP site-to-site VPN.
Sometimes some clients can't access main office resources, with 0xc0040014 FWX_E_FEW_SPOOFING_PACKET_DROPPED on the branch's TMG; Internet still works.
Every time it is a different client, but no more than 1 at once.
There are 2 providers on branch office with ISP.