Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

Deploy Firewall Client for ISA 2006 via GPO preconfigured and with no icons?


I looked at the deployment options Microsoft listed and I don't see a suitable method.  

http://technet.microsoft.com/en-us/library/bb794739.aspx

We do not have SCCM. 

Deploying with login scripts would be ugly and slow down the user's login and assumes admin rights.

Software installation GPO using the extracted MSI would deploy the software, but no configuration would be done.  We would like there to be no icons so after the installation, users do not become "confused," suspicious or curious and start messing around and tampering with it.

We could probably set up WPAD auto-configuration for the server name, but why add that complexity if it can be deployed preconfigured? WPAD also would not deal with not displaying icons.

Preferred method:  Is there some way to deploy this ISA client using GPO software installation with a MST transform or some other method of preconfiguring the server IP and installing without system tray icons or even no UI at all in the Programs menus?

Alternative:  Maybe a startup script that can install it with these settings silently during a reboot and that also has the ability to check if it's already installed, so it doesn't attempt reinstallation at every reboot?
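The "alternative" asked about above, written out as an added example (not the poster's script and not Microsoft's deployment documentation): a GPO computer startup script that checks Add/Remove Programs for the product and runs the extracted MSI silently with a transform only when it is missing. Startup scripts run as SYSTEM, so no user admin rights are involved. The MSI and MST paths, the log directory and the product's DisplayName are placeholders; the server-name preconfiguration is assumed to live in the transform (or in whatever public properties the package defines), which the script does not hard-code.

```powershell
# Added example, not from the original post: idempotent GPO startup script that
# installs an MSI with an MST transform only when the product is not yet present.
# All paths and the DisplayName below are placeholders (assumptions), not values
# taken from the post or from the Firewall Client package.
$MsiPath     = '\\fileserver\deploy\FirewallClient\MS_FWC.msi'      # placeholder path
$MstPath     = '\\fileserver\deploy\FirewallClient\fwc-config.mst'  # placeholder transform
$DisplayName = 'Microsoft Firewall Client'                          # assumed Add/Remove Programs name
$LogDir      = Join-Path $env:SystemRoot 'Temp'

function Test-ProductInstalled {
    # Look in both the native and WOW6432Node Uninstall hives so a 32-bit package on a
    # 64-bit client is still detected; -like lets the version suffix vary.
    param([string]$Name)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $found = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "$Name*" }
    return [bool]$found
}

if (Test-ProductInstalled -Name $DisplayName) {
    exit 0   # already installed on this machine: nothing to do on this boot
}

# Silent install: /qn suppresses all UI, /norestart leaves reboot handling to the
# admin, and a verbose per-run log is kept for troubleshooting failed installs.
$log  = Join-Path $LogDir ('fwc-install-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
$args = @('/i', "`"$MsiPath`"", "TRANSFORMS=`"$MstPath`"", '/qn', '/norestart', '/l*v', "`"$log`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $args -Wait -PassThru

# 0 = success, 3010 = success but a reboot is pending; anything else is a failure
# that should show up in the log file above and in the startup script's exit code.
if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
    exit $proc.ExitCode
}
exit 0
```

Because the installed check runs before msiexec, the script is safe to leave assigned to the computer object indefinitely; the only cost on subsequent boots is a registry lookup. Keeping the MSI and MST on a share that clients can read but not write is the usual precaution, since the startup script executes whatever package is at that path with SYSTEM rights.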


Common ways users bypass ISA web proxy monitoring?


I'm setting up ISA 2006 to monitor but not block internet access.  We will let people do what they will do, but have recording and reporting.  

I'm trying to think of ways users will either inadvertently or purposely bypass the ISA so they can surf on the local network without any accountability.

One way I can see is to change their gateway settings to bypass the ISA server.

Other ways are to use some kind of SSL-connected external anonymizing proxy service, as well as using virtual machines and other computers that are not managed by group policy to do shady web surfing.

We have managed domain-joined Windows computers along with non-managed hardware from vendors and other business partners with their company's laptops that are not joined to our domain, smartphones on wifi, non-Windows computers like Linux workstations, as well as employees with virtual machines on their company workstation (that are intended for software testing purposes) that they have configured with access to the LAN and internet.

I plan to use the ISA 2006 Firewall Client for our domain-joined company-owned workstations and laptops.

That leaves maybe 1/3 of computers plus other devices that cannot have the firewall client installed for various reasons.  So, we will use SecureNat for the rest so there won't be any need to configure proxy settings in browsers or do anything else to the other devices.  We should still be able to run reports and manually look up the host name of the IP address of any problem devices that do not have the client installed and therefore will not list user or computer names in the ISA monitoring reports.

In a test lab I have got this to work by setting up a simple 1 NIC ISA 2006 server with the client's gateway set to the IP address of the ISA server.  I did this manually, but I suppose we could change DHCP to do this when it goes to production users.

However, this setup would not stop anyone from manually changing their gateway to point directly to the regular gateway to bypass ISA.  Plus there will be computers that are on static IPs that will not get their gateway settings updated to point to the ISA since the owner of the device has no motivation to make this change.

Is there a way to place the ISA server in a position on the network so either the existing gateway IP address works but routes through ISA or else set the current gateway to not allow any traffic to go through it unless it is coming from the ISA server? In that case the users will not have access to the internet unless their connection goes through ISA.  Problem I see with this is that everyone loses web access every time the ISA server is restarted or if it had a serious malfunction and needed to be rebuilt. 

If a user is surfing the net through a virtual machine installed on their PC, will the traffic still show in ISA monitoring reports with the IP address of the host machine, as opposed to the IP address of the VM's virtual NIC, which may or may not get its IP address from our DHCP or register in DNS depending on how the user sets it up?

Can anything be done to report on SSL proxies used to obfuscate their web usage?  We do not want to block anything.  If users do what they are not supposed to do, it will be dealt with in other ways afterwards.  It is more important that things that should not be blocked don't get blocked in error.

Forefront TMG 2010 Forward Proxy Session


Hi all,

We have Forefront TMG 2010 configured as a Forward Proxy. All internal users need to pass through TMG before they can access the internet. Right now all the settings seem to be working well. Users set the FF TMG IP address in the internet browser's proxy settings.

I just want to know, is there any way to restrict a user's session to the internet. My point is, let's say Alex wants to access the internet from his PC; he opens a web browser. An authentication prompt appears and Alex needs to supply his username and password. Then he is able to access the internet. How can we restrict the same user, Alex, from using his own username and password to access the internet from a different PC at the same time? In simple words, Alex cannot use his own username and password from different PCs at the same time.

Is there any way to do it?

Cheers.

Error while installing McAfee


I have a strange situation: when trying to install McAfee on the TMG server, it will not connect to my Enterprise server to communicate and install the antivirus (Telnet fails on ports 9080 to 9085).

I created a rule for inbound and outbound for ports 9080 to 9085 so that TMG can communicate with the centralised server.

When I run a log event test, it always goes to the last rule, which is the default, irrespective of the McAfee rule (inbound and outbound rule) placed above the default.

ISA 2006 How to add exceptions to web proxy authentication?


I have set up a test of a rule requiring computers to authenticate through the web proxy and it seems to work.

However, we would also like to use SecureNAT for some computers that cannot work with web proxy authentication due to incompatible applications or other reasons.  We would like them to use SecureNAT so we can at least have records of their traffic by IP address instead of having nothing at all if they are allowed to go around the proxy.

Is it possible to have a web proxy authentication rule for most PCs and simultaneously have another rule that allows a specific list of computers (mostly computers not joined to the domain running processes that need Internet access and are not proxy-aware) to access the network through SecureNAT with no user credentials needed?

I have a Linux laptop that I am trying to add as an exception, and once it works, I would like to create a computer set that I can add more computers to as we find more computers that need to be excluded from the authentication requirement.

I created a new rule allowing all outbound traffic to all networks from all users, added the computer name and IP to the rule, and added it to the top of the list of Firewall Policy Rules.  I set the gateway on the Linux laptop to point to the ISA server and the DNS to point to our DNS server, and I cannot get it to connect to the Internet that way.

Can this be done?

ISA 2006 Error "The query stopped because an error occurred while it was running."


After uninstalling and reinstalling ISA 2006 Enterprise and SP1 on a Server 2003 SP2 server, I noticed that I can only use the session monitoring during one boot of the server.  Whenever the server is rebooted and I open Monitoring, this error pops up again and nothing works.

I did a search and someone said it was related to the user profile, so I deleted the profile and logged in with a new profile and it was temporarily fixed until the next reboot of the server.

I even created a brand new user account and logged in and had the same issue of only being able to use the Monitoring until the server is rebooted and then having to delete the profile.

Other searches about this referred to a database being too large.  ISA has only been installed for 2 days and there are only a few rules and clients, so there is no huge database.

The error message is very generic and I don't see anything related to this in Windows event logs.

What else can be done to fix this other than deleting the user profile at every restart?

TMG Reporting Failure


Hi,

I have an array TMG setup with my first TMG server as the reporting server. When I run a report from the EMS server for a specific user and date, I get the following error.

Forefront TMG Error
The Operation Failed
The Microsoft Forefront TMG Control service could not be accessed.

The error occurred on object 'Reports' of class 'Reports Configuration' in the scope of array 'TMG Array'.

Any ideas why I would be getting this? If I run a normal One time report it all works fine.


Forefront Authentication


I'm using Forefront as a proxy to publish OWA; after renewing the Exchange server certificate, I got a problem.

The OWA interface does not appear when the user types the email URL, https://webmail.skm.gov.my\owa

It appears in a different way, like a pop-up message box, so how do I resolve this issue? The user should get the OWA interface after they type the URL above... I'm do any changes during my certificate installation.


Blocking Torrents with TMG 2010


Hi

We are currently running TMG 2010 in our production environment. We wish to block torrents.

I have done some research and found that the only way, at least to my knowledge, is to block these torrent applications (clients) based on their application signatures. Is this correct?

Microsoft has a list of the most common application signatures here: http://technet.microsoft.com/en-us/library/cc302520.aspx , though it seems to be old and out of date.

If this is the best way of blocking torrents, where can I find a more up to date list for common torrent application signatures, or at least how will I be able to determine by myself what these signatures are for specific torrent applications (clients)?

Thanks.

Regards,

CTV

Enable Accounting (SQL log file properties) on NAP server to log VPN client connection properties: in the (Client_IP_Address) field it shows the TMG IP address instead of the client machine IP address


Hi,

I have a TMG server with the NAP service and SQL service installed on it. I have VPN clients who connect to the Internet via a VPN connection from my internal network. I want to enable accounting that reports which client, from which computer, starts a VPN connection.

After configuring and enabling accounting logging from the NAP console, which saves records to a SQL database, it creates the database, but when I query the database, the (Client_IP_Address) field shows me the TMG IP address instead of the real client machine IP address.

But there is a log file starting with (IN*) in the c:\windows\system32\report\ folder which shows me the VPN client machine IP address and user connection properties correctly.

I took a screenshot of the database and selected the problem.

You would be kind enough if you could help me.


ipsec tunnel from tmg to cisco router


Hi Guys,

Is this setup possible? I know it should be.

TMG 2010 IPsec tunnel to a Cisco router.

Error 80244004 When Attempting Windows Update from TMG Node


We have a two node TMG implementation with no EMS.  On each node I have tried setting the HTTP proxy as some posts suggest (either through the netsh command line or within IE).  That got rid of the 80072EE2 error but now I am getting a 80244004 when attempting updates.  The only posts I have found on that error seem totally unrelated (usually referring to ESET which we are not running).

I also added a firewall policy in TMG to allow HTTP and HTTPS from the localhost of each machine to the Windows Update sites (a predefined list in TMG).  I am able to browse external sites from each machine just fine.  FWIW according to the page below that error code means the SOAP client failed to connect.

http://technet.microsoft.com/en-us/library/dd939837(v=ws.10).aspx

If anyone has any ideas any suggestions would be greatly appreciated.

Thank you.


Multi-forest TMG authentication


Hi,

We are configuring a TMG array which belongs to Forest A (domain member). Users from Forest A will use this as their Web Proxy solution.

Users from Forest B will also use this as their Web Proxy solution. Forest A trusts Forest B.

What must be configured on the TMG array in order that users from Forest B can utilize it?

Will the configuration be different if we select "Require all users to authenticate" ?

Thank you,

SK

TMG (EBS) Refresh Fail Error 0x80090005


We have TMG Essential Business Server. The TMG management console fails to open:

Refresh Fail Error. Error 0x8009005, Bad Data.

We are not running VPN, so this solution does not apply: http://support.microsoft.com/kb/2006046?wa=wsignin1.0 (There is no VPN heading in the ADSIEdit console.)

Has anyone found a solution to this apart from re-installing? See http://social.technet.microsoft.com/Forums/en-US/Forefrontedgesetup/thread/d6696c0d-d279-4723-8d1b-a09259a53b2f.

The problem occurred shortly after adding some firewall changes.

Is it possible to edit firewall policy settings from the console to see if it will clear the error ?

Access extern OWA URL from internally


Hi,

I want to use the external OWA URL in the internal network, but this didn't work.

We are using an Exchange 2010 SP2 server infrastructure with OWA publishing in TMG 2010. The internal and external URLs are different.

For external we use mail.domain.de/owa and for internal owa.sub.domain.de/owa.

I have created a rule to publish OWA. Then I configured the listener to use the external and internal adapter for this rule.

Now I can access the external URL from an external network. But I get an unspecified error when I access the external URL from the intranet.

In the TMG log I can see many initiated and closed connections with an abortive shutdown.

In my test scenario all this had worked well.

Have you some ideas or answers for me?


thx for help, Henry.


ISA 2006 Error


I have looked high and low for the answer to this error.

Error: 21022

The action to summarize all period summaries from the array, into report "zeus" failed. The error description is:

Unrecognized database format 'C:\Documents and Settings\Administrator\Desktop\isa2006\REPD77.tmp'.. Use the source

location 1200.225.5.0.5720.100 to report the failure.

Please direct me to where I need to ask this question.


Thank you.

TMG 2010 Delegation


Hi,

I have this scenario:

1) SharePoint is in the internal network
2) I have written a simple application which gives me the state of the authentication protocol (e.g. Kerberos) and the impersonation state (e.g. Impersonation, Delegation). I have configured delegation and SPNs, and all works fine: if I access the site, it says: Kerberos with Delegation

Now we come to the TMG:

1) I have published the SharePoint site with TMG 2010 using FBA (of course)
2) I have the publishing rule configured to use constrained delegation and I have done the necessary configuration in AD => enabled the TMG's computer account for constrained delegation and configured the SharePoint SPN

If I access the published SharePoint site and look at the status with my tiny little app, it says: Kerberos with impersonation. I expected to see Kerberos with delegation.

To make it more clear:
The scenario is like this:

User ---> TMG ---> SharePoint ---> Database

1) user authenticates to TMG
2) TMG delegates the credentials to SharePoint
3) and NOW: SharePoint needs to delegate the credentials to the database server

It seems to me that the ticket provided by the TMG does not have the ok_as_delegate flag.

But I cannot see the problem.

Perhaps my planned scenario is not possible?

Any ideas?


Uli


Ulrich Boddenberg
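A check that fits the chain described in the post above (User -> TMG -> SharePoint -> Database), added here as an example and not part of the original post or of any Microsoft guidance: it pulls the delegation-related attributes of each hop's account out of Active Directory into one table, so the first hop (TMG's computer account) and the second hop (the SharePoint application pool identity) can be compared side by side. A hop that has to delegate further needs its own constrained-delegation entry naming the next hop's SPN, and whether it may use protocol transition is a separate attribute; both are visible here. Account names are placeholders, and the script assumes the ActiveDirectory RSAT module is available.

```powershell
# Added example, not from the original post: list the delegation configuration of
# every hop in a multi-hop Kerberos constrained delegation chain.
# Account names below are placeholders (assumptions), not values from the post.
Import-Module ActiveDirectory

$hops = @(
    @{ Role = 'TMG front end (computer account)';   Identity = 'TMG01$';          Type = 'Computer' },
    @{ Role = 'SharePoint app pool (service acct)'; Identity = 'svc-sharepoint';  Type = 'User'     }
)

# Attributes that decide what a hop may do on behalf of the user:
#   TrustedForDelegation        -> unconstrained delegation (any service; avoid)
#   TrustedToAuthForDelegation  -> "use any authentication protocol" (protocol transition)
#   msDS-AllowedToDelegateTo    -> the only SPNs this account may obtain tickets for
#   ServicePrincipalNames       -> SPNs registered on this account (what callers target)
$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'msDS-AllowedToDelegateTo', 'ServicePrincipalNames'

function Get-DelegationSummary {
    param([hashtable]$Hop)
    $acct = if ($Hop.Type -eq 'Computer') {
        Get-ADComputer -Identity $Hop.Identity -Properties $props
    } else {
        Get-ADUser -Identity $Hop.Identity -Properties $props
    }
    [pscustomobject]@{
        Role                    = $Hop.Role
        Account                 = $acct.SamAccountName
        UnconstrainedDelegation = [bool]$acct.TrustedForDelegation
        ProtocolTransition      = [bool]$acct.TrustedToAuthForDelegation
        AllowedToDelegateTo     = (@($acct.'msDS-AllowedToDelegateTo') -join '; ')
        RegisteredSPNs          = (@($acct.ServicePrincipalNames) -join '; ')
    }
}

$summary = foreach ($hop in $hops) { Get-DelegationSummary -Hop $hop }
$summary | Format-List

# Quick consistency check between hops: each SPN the first hop delegates to should be
# registered on the second hop's account, otherwise TMG targets an SPN nobody owns.
$first  = $summary[0]; $second = $summary[1]
foreach ($spn in ($first.AllowedToDelegateTo -split '; ' | Where-Object { $_ })) {
    if ($second.RegisteredSPNs -notmatch [regex]::Escape($spn)) {
        Write-Warning "SPN '$spn' is in $($first.Account)'s delegation list but not registered on $($second.Account)"
    }
}
```

Reading the output for the post's symptom: the "Kerberos with impersonation" result at SharePoint means the second hop could identify the user but could not obtain a ticket onward, which is the case when the second hop's account has an empty AllowedToDelegateTo list for the database SPN, or when it is expected to re-use a ticket it never received in forwardable form. The table makes both conditions visible without touching the configuration.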

Problem Setting Load Balanced FFTMG 2010 as a gateway


Please help me.

I have successfully implemented two Microsoft Forefront TMG 2010 servers in a load balanced environment as a reverse proxy for several web servers. The TMG1 IP: xxx.xxx.xxx.43, TMG2 IP: xxx.xxx.xxx.44 and the shared TMG IP: xxx.xxx.xxx.45. The web servers are configured with internal IPs WEB1: xxx.xxx.xxx.183 and WEB2: xxx.xxx.xxx.187. All TMG servers and web servers are configured with gateway IP xxx.xxx.xxx.254. Both web servers are clustered Domino servers. At TMG, both web servers are configured as a Web Farm. Everything is working fine and both LAN and internet users are able to access the web server via http and https at the URL myfinance.domain.com.

<image removed>

The problem came when the web server needs to see the client IP. For this to happen, I have to configure the following:

 1. Both web servers need to reconfigure the gateway IP from xxx.xxx.xxx.254 to xxx.xxx.xxx.45 - now the web servers are pointing to TMG as a gateway.

 2. Subsequently, at the main Firewall/Gateway (xxx.xxx.xxx.254) I am creating two static routes to both web servers to use xxx.xxx.xxx.45 as gateway.

 3. Finally, I am setting TMG to forward the original client IP to the web servers as shown below.

<image removed>

The above setting makes the client IP visible to WEB1 and WEB2. However, it is not functioning well, and the following are the diagnosis and symptoms:

 1.  At any point in time, one of the TMG servers does not function. For example, if TMG1 is working then TMG2 is not working. Therefore, if a client requests access to myfinance.domain.com and is processed by TMG1, the client will not experience any problem, whereas if it is processed by TMG2, the client will experience a request timeout.

 2. Further to this, if TMG1 is drained, TMG2 will work fine. Subsequent to that, if TMG2 is drained, TMG1 will work fine.

 3. A simple ping from WEB1 (Linux) and WEB2 (Linux) to an external IP will produce duplicate IP.

 Am I doing something wrong? Is the intended outcome not supported by FF TMG 2010? Is there any workaround? Please help.

 Thanks.

Some users sporadically can't connect to TMG


Hi

I have a TMG Server 2010 (Version: 7.0.9193.540 Rollup 2 for TMG 2010 SP2)

The problem is that only some users or client computers lose connection to the server and cannot browse the internet or PING the TMG server; this problem is solved automatically after a few minutes or even hours. I found a way to solve the problem immediately: doing a PING from TMG to the client. After the PING works fine, the connection is re-established.

This problem happens sporadically.

Any idea how to solve this problem??

thanks


LFF

12202 error while accessing posted Sharepoint site


Dear All,

We're having the following strange situation:

Our setup is 2008 R2 AD, SharePoint 2010 STD with accounts synced to/from AD, and TMG 2010.

Access rights on Sharepoint are set using AD groups.

In particular, the group Domain Users is given read access to a top level site.

We have our SP website posted via TMG for some time already.

Authentication for web publishing rule has been set to NTLM.

There are no issues with standard users (who are members of Domain Users group).

However, if I create a user who's not a member of the Domain Users group, but of a specially created group Share, the problem begins.

Group Share (Global-Security) is also given read access to the top level site.

As long as we are within the internal network, users from group Share can access the website without any issues.

When they try to do the same from outside via TMG, all they get is:

  • Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202) 

On TMG the Default rule is hit with the message: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).

At the same time, users from Domain Users can access the site from outside without issues.

If I move a user from group Share to Domain Users, that user can also access the site.

To me that looks like an issue on the TMG side. Maybe somewhere at the level of authenticating the user against AD.

Thank you in advance for any help.

Regards,

Denis
