
Forefront seems to be killing facebook after sign-in (HTTPS)

Hi,

I'm running Websense + Forefront TMG.  Up until 2 weeks ago, Facebook hasn't been working properly.  The sign-in page loads up fine but as soon as I'm logged in, I get "Internet Explorer cannot display the webpage", this problem can be caused.......etc.

I've posted a question on Websense forums and someone suggested this article

https://developers.facebook.com/blog/post/499/

Now I have a feeling the issue lies with Forefront.  I need to configure Forefront the way that https traffic works properly.  I've never had any issues in the past with https but it looks like this is now the issue.

Can anyone please advise?

Thank you,

James.


Forefront TMG server blocking WinRM traffic on port 5985

My Forefront TMG 2010 server shows "Target computer not accessible" under the Manageability column of Server 2012 Datacenter Server Manager.  The TMG server is a VM running Server 2008 R2.  I cannot Telnet to the machine on port 5985. 

I have added the Hyper-V host to the list of Remote Management Computers, and have tried creating an Access Rule for HTTP traffic on port 5985.  When triggering a refresh from the Server 2012 Server Manager while using TMG to log traffic from the Hyper-V host, the packets destined for the TMG are blocked by the Default Rule.  So, it doesn't seem to care that the Hyper-V host is in the Remote Management Computers list, and my rule attempt isn't working.

Does anyone have any suggestions?

Thanks in advance.

Reporting configuration error

Hi,

I started getting these errors on the Forefront TMG server. I am new to TMG technology. Can anyone share any ideas on these errors? I get many errors similar to this one.

Log Name:      Application
Source:        Microsoft Forefront TMG Report Generator
Date:          12/6/2012 1:32:10 AM
Event ID:      30974
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      tmg0301.domain.com
Description:
The daily summaries could not be summarized into a monthly summary for "08/2012". This may cause the report for this period to be inaccurate. Verify that no prior reporting configuration alerts exist, and that the reporting services on the designated Forefront TMG report server are running and accessible from all the array members. Use the source location 1001.163.7.0.9193.500 to report the failure.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Forefront TMG Report Generator" />
    <EventID Qualifiers="49152">30974</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-12-06T09:32:10.000000000Z" />
    <EventRecordID>28242</EventRecordID>
    <Channel>Application</Channel>
    <Computer>tmg0301.domain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>08/2012</Data>
    <Data>1001.163.7.0.9193.500</Data>
  </EventData>
</Event>


Tom Jacob
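As an added example (not part of Tom's post and not Microsoft tooling), the Python below parses a Windows event in the XML form quoted above, using the event-schema namespace, and groups Report Generator failures by computer and reporting period so that a recurring failure for the same month stands out from a one-off. The three records it processes are constructed from the posted event with the record ID, timestamp and period varied.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace of the Windows event schema, as in the <Event xmlns="..."> element above.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
REPORT_PROVIDER = "Microsoft Forefront TMG Report Generator"
REPORT_SUMMARY_FAILED = 30974          # event ID quoted in the post
LEVELS = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information"}

# Constructed sample: the posted record with record ID, time and period varied.
TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Forefront TMG Report Generator" />
    <EventID Qualifiers="49152">30974</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="{time}" />
    <EventRecordID>{rec}</EventRecordID>
    <Channel>Application</Channel>
    <Computer>tmg0301.domain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>{period}</Data>
    <Data>1001.163.7.0.9193.500</Data>
  </EventData>
</Event>"""

SAMPLE_EVENTS = [
    TEMPLATE.format(time="2012-12-06T09:32:10.000000000Z", rec=28242, period="08/2012"),
    TEMPLATE.format(time="2012-12-07T09:32:11.000000000Z", rec=28301, period="08/2012"),
    TEMPLATE.format(time="2012-12-07T09:32:12.000000000Z", rec=28302, period="09/2012"),
]


def parse_event(xml_text):
    """Extract the fields worth triaging from one event record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("not a Windows event record")
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "level": LEVELS.get(int(system.find("e:Level", NS).text), "Unknown"),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "record_id": int(system.find("e:EventRecordID", NS).text),
        "computer": system.find("e:Computer", NS).text,
        # Positional data: for 30974 the first item is the report period,
        # the second the "source location" quoted in the description.
        "data": [d.text for d in root.findall("e:EventData/e:Data", NS)],
    }


def summarize_report_failures(xml_records):
    """Count 30974 events per (computer, period); a count above one for the
    same period shows the monthly summary failing repeatedly, not once."""
    counts = Counter()
    for record in xml_records:
        ev = parse_event(record)
        if ev["provider"] == REPORT_PROVIDER and ev["event_id"] == REPORT_SUMMARY_FAILED:
            period = ev["data"][0] if ev["data"] else "?"
            counts[(ev["computer"], period)] += 1
    return counts


if __name__ == "__main__":
    for (computer, period), n in sorted(summarize_report_failures(SAMPLE_EVENTS).items()):
        print(f"{computer}: monthly summary for {period} failed {n} time(s)")
```

Feed it the XML of every 30974 event exported from the Application log and the periods that keep failing are the ones to check on the report server first.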

Add TMG standard edition to EMS server

Hi All,

Purpose: The customer wants to manage all policies centrally, whereas the respective users will use their own location's TMG server as proxy.

For this I have taken three server machines with the details below.

Setup:

AD Site 1: SRVEMS1 (TMG Enterprise edition, EMS array created)

AD Site 1: SRVTMG1 (TMG Standard edition, added to EMS array 'TMGARRAY1')

AD Site 2: SRVTMG2 (TMG Standard edition, needs to be added to EMS array 'TMGARRAY1')

I installed the TMG Enterprise Management Server role on the server (SRVEMS1) and created an EMS array 'TMGARRAY1'. Later on I added one TMG Standard edition server (SRVTMG1) into the TMG array.

Problem: While I try to add the 2nd TMG Standard edition server (SRVTMG2), it does not resolve the TMG array name TMGARRAY1. At that time it asks to create a new array.

I do not know what is blocking the 2nd TMG from being added to the EMS array.

Please help to resolve it.

Many thanks


Thanks in advance NKumar

how to connect my local ip with internet

hi

I want to know, friends: I have a 2008 SP2 Enterprise server, so I plan to install Forefront Threat Management Gateway (TMG) 2010 to block and filter some websites. Our company is small, so we only have an internet connection and do not have any public IP address of our own. Please help me with how to configure this for my purpose of blocking some websites and filtering web addresses. How do I connect my local IP with the internet?

  

Proxy server shows 502 bad gateway

Hi,

We have 2 proxy servers installed, one is ISA Server 2004 and the second is Forefront TMG 2010. Some of the systems in our internal network go out via a proxy server and some systems go out directly without a proxy server.
Suddenly, we started facing the issue below.

When we try to reach the following web page over a machine that goes out via proxy server,
http://www.dishtv.in

we get the following error in browser:

ERROR

The requested URL could not be retrieved

While trying to retrieve the URL: http://www.dishtv.in/

The following error was encountered:

  • Read Error

The system returned:

   (104) Connection reset by peer

An error condition occurred while reading data from the network. Please retry your request.

Your cache administrator is webmaster.

When we try to reach the same page on a machine that goes out to the internet without a proxy server, we can reach the page.

We are facing the same error on both proxy servers. But after bypassing the proxy server, the above URL opens properly.

In the proxy server logging, it allows the above URL but shows the message below.

502 bad gateway

kindly help me to resolve this issue.

Thanks in advance.

Best Regards,


Unable to login to OWA if passwords about to expire

Hi!

Our OWA publishing has for some reason started to work differently.

If a user has a password that has less than 14 days of lifetime left, usually these users would see the yellow warning banner on their OWA screen. For some time (approx. 2 months), these users haven't been able to log in anymore.

They just keep on being redirected to the TMG login screen (not the normal "Exchange" login screen, but the TMG default) without any explanation or warning. They can use the "change my password" option, and gain access to OWA after this.

If same users try to access the OWA from intranet (connecting directly to Exchange), they can see the yellow warning banner.

No error messages, nothing on the event logs (DC, TMG or Exchange). No configuration changes on any computer. Only change is Microsoft updates that we run periodically, as soon as MS releases them.

 

TMG 2010 SP2 running on Win Srv 2008 R2 SP1, latest MS updates

Exchange 2007 SP3 no rollups, running on 64-bit Win Srv 2008 SP2, latest MS updates

AD 2008 functionality

 

All suggestions are welcome!

 

Yours,

Antti

How do I configure Outlook using TMG2010

I have recently set up TMG 2010 on our server (Windows Server 2008 R2). Everything seems to be working fine on the clients running Win XP and Win 7, except for two things:

1.) Outlook

2.) RDP

 

We use Outlook to access our emails hosted by our ISP. The problem is that when Outlook is launched it doesn't even check anything and an error occurs: "could not connect to server". I created a rule in the firewall allowing POP3, SMTP and DNS from internal to external but this did not help. Kindly tell me what I need to do.

Furthermore, RDP also fails to establish connection.

Any help will be much appreciated. 

Thanks.



TMG sp2 and logging to local SQL fails

We have a 2-node TMG array with SP2 Rollup 2 installed. Logging to local SQL fails on the secondary array node. On the master, logging is OK. The SQL Server (MSFW) service fails to start with service-specific error 1814...

The SQL Server (MSFW) service terminated with service-specific error The specified resource name cannot be found in the image file..

Tried to re-install TMG on the secondary node, but after joining the array the first reboot breaks something. The service won't start again. Flat file logging works, but switching back to local SQL logging fails on the secondary node. The nodes are similar, installed from the same media within a couple of days, so they are most likely "identical".

Any idea what next? Is this SQL or TMG problem?

-Amigo

error 11001 isa 2006

I have a problem in my network. When users try to browse microsoft.com they see an error which indicates DNS cannot resolve the name to an IP. Clients forward their DNS queries to the internal DNS of the domain. Although I have set forwarders in DNS, the problem still remains.

Thanks to everyone

Restore TMG on new server

Hi,

I took a backup of my TMG 2010 EE SP2 array manager server and restored this backup on a new server. Then I shut down the old server and started the new one, which was restored from the backup, without any problems. The new server is named like the old one and the network configuration is identical. Now the array-managed server stays in Non Synced status. ldp.exe with SSL can connect from the managed server. Can you please find the reason?

Server configuration:

Windows 2008 R2
TMG 2010 EE
Stand-alone array
Servers non-domain joined

Possible to create an "allow all protocols" filter?

We are in the process of setting up ISA 2006 for monitoring web traffic via web proxy, ISA Firewall Client and SecureNat.

The sole purpose is to monitor and report on all the traffic of both authenticated and anonymous web proxy users plus SecureNAT clients.  We have hardware firewalls in place and do not want to use ISA as another layer of firewalls inside our LAN.

We don't want to use ISA to block anything when it is first implemented.  After rolling it out and looking through the web use reports, decisions will be made on what, if anything, will be blocked or if we will just keep all access to all sites open and have others deal with problem users through HR or other departments as needed.

It is critical that we do not block anything inadvertently when ISA is rolled out due to ISA being designed to block anything that it considers non standard.  

We will block what we want to block actively and do not want things simply getting "stuck" in ISA because ISA has default settings enabled to block things even when there is no specific deny rule we have configured to block that traffic.

So far, we have found out that ISA does not allow https to go through any non standard SSL ports.  To fix this, a workaround script was used to open large ranges of ports so we didn't have to add ports one at a time and that took care of that issue.

Now, I have found that ISA will also block HTTP traffic that it determines as being non-standard.  To fix that, you are supposed to configure special filters for each item you want to make an exception for.  This would be a massive amount of work because there is a lot of this type of traffic and unusual applications used in our environment.

Is there some way to configure ISA so it stops trying to be a firewall, automatically blocking things it doesn't like, and instead just monitors and reports on traffic?  Either that, or is there a way to create some kind of wide-ranging, all-inclusive wildcard filters so we do not need to make individual filters for every individual protocol, port and application?

Bypass Microsoft Threat Management Gateway 2010 Proxy

I am currently bypassing some external websites, servers and IPs using Internet Explorer's bypass settings. I want to bypass this traffic from the TMG program directly instead of Explorer, because I want to reroute all my HTTP traffic from the core switch instead of client redirection. Any help will be really appreciated.

Eric Kim

Forefront TMG Exchange 2010 Active Sync rule and Airwatch

We are in the process of securing our iPhone fleet using Airwatch. In order to enroll devices with Airwatch you go to a website from the device, enter a group name and your credentials. This then talks to the Exchange server and configures the device with email. Unfortunately the Forefront TMG server seems to be blocking this traffic from going through and I can't figure out why. All ActiveSync traffic works fine, so devices which are already connected, remain connected and working, but enrollment from the Airwatch website does not work.  When we have all ActiveSync traffic routed to Exchange through our Juniper devices there are no issues with enrollment so I know the problem is not with Exchange. The error in the TMG logs is "12309 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator." I suspect the Airwatch website is trying to make an anonymous connection to our Exchange server which is being blocked by TMG. When I try to change the ActiveSync rule to allow All Users I get an error message that "The Web listener selected for this rule requires authentication. However, when the All Users user set is selected for a rule, authentication is not performed. To apply authentication to this rule using this configuration, select the Require all users to authenticate check box in the Web listener Advanced Authentications dialog box."

Has anyone else come across this issue, and can they suggest what settings might be required on the ActiveSync rule or the Exchange web listener in order to make this work?

Regards Kate


After I enable and configure RADIUS for accounting (logging) from the TMG console, it logs the TMG IP address instead of the real VPN client machine IP address (LAN IP address) in the SQL database

Hi,

I have a TMG server with the NAP service and SQL service installed on it. I have VPN clients who connect to the internet via a VPN connection from my internal network. I want to enable accounting that reports which client, from which computer, started the VPN connection.

I want to use the Microsoft NAP service as a RADIUS for accounting logs instead of using a third-party RADIUS to record VPN connection logs. After I configured log accounting from the NAP console in the Accounting section, which saves records in an SQL database, I queried the database and in the (Client_IP_Address) table, instead of the real client machine IP address, it shows me the TMG IP address.

There is a log file starting with (IN*) in the c:\windows\system32\report\ folder which shows me the VPN client machine IP address and user connection properties correctly.

I took a screenshot of the database and marked the problem.

You will be kind enough if you help me.







Lync Edge and Exchange Server - Publish Two SSL Sites?

Hello, I'm trying to publish Lync and OWA sites through TMG 2010 in my lab environment. Here is my setup

My topology is like that:
    Server1 = Windows Server 2012 Domain Controller
    Server2 = Exchange Server 2013
    Server3 = Lync Server 2013
    Server4 = Lync Edge server 2013 - (which is placed in the DMZ network)

Forefront TMG is set up with 3 NICs. One facing the Internet, one perimeter (DMZ) and one internal. Lync Edge has one NIC connected to the DMZ.

Also : I have  two different SAN certs.

1- SAN Certificate : For Lync Web Client Access  and Lync edge Services

2- SAN Certificate : For Exchange Web Client Access

Also ,  I have one public IP(internet ip). Lync server listens to 4443 and 8080 for external webservices request.



My question is: Whenever I browse to mail.mydomain.com it redirects correctly to the secured site. However, if I browse to meet.mydomain.com it presents me with my OWA cert.

Also, is there any restriction here with the public IP address? What do I need to do to work with the single public address? Or how many IPs are needed?

Kind Regards,


Add new MIME type in TMG 2010

I need to publish an application that requires HTTP compression using TMG 2010. The application is a web service that communicates through JSON queries and responses.

Compression is defined by content type, and content types are based on MIME types. Ideally I would like to enable compression for the application/json MIME type, but that is not in the list on my TMG server.

Is there a way to add my own MIME types in TMG?


Forefront TMG server blocking certain URLs

We have installed Forefront TMG 2012 server in our network. But some times, it blocks certain URLs.

There is one gov site http://www.eproc.bihar.gov.in/ which gets redirected to https://www.eproc.bihar.gov.in/ROOTAPP/BELTRON.jsp?company=BELTRON. This site does not load through the TMG server. Without the TMG server or through the ISA 2004 server, the site opens properly. But with the TMG server, a "Session Lost. Please Login" web page appears.

We really do not understand what the problem is with the TMG server. Why is it not loading the web page?

Kindly help to resolve this.

Thanks in advance.

Best regards,

SQL Server 2008 Express - through the SQL Configuration Manager console, I don't see only the MSFW service

hello,

we have SQL Server 2008 Express Edition (with FTMG 2010 installation).

When I open the SQL Configuration Manager console, I don't see only the MSFW service. I see it in services.msc, and the logs are OK.

Checking rights:

sc sdshow MSSQL$MSFW
sc sdshow MSSQL$ISARS

This shows that for MSSQL$MSFW the following is missing:

(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

I add these rights and after that MSFW is shown in Configuration Manager. But after a restart I have the same situation. I don't see MSFW through Configuration Manager. With the rights it's also the same situation: for MSFW, (A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) is missing.

I checked the domain and local GPO for this server, and I didn't find any important differences.
Also check WMI - it seems ok.

If you have any suggestion pls write.


thank you for your time,

Keli


keli
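As an added example that is not part of Keli's post or of any Microsoft tooling: `sc sdshow` prints a service's security descriptor in SDDL, and the two ACEs quoted above grant the INTERACTIVE (IU) and SERVICE (SU) well-known SIDs the read/query rights (CC, LC, SW, LO, CR, RC) that a management console needs to enumerate a service. The Python below parses the DACL of such a string, reports which of those rights are missing per trustee, and builds the corrected SDDL string that `sc sdset` would take. The two descriptors it checks are constructed to resemble a service ACL before and after the fix; the script only detects the drift the thread describes and says nothing about what reverts the ACL after a restart.

```python
import re

# Service access rights as SDDL tokens. The ACEs quoted in the post grant exactly these:
# CC = SERVICE_QUERY_CONFIG, LC = SERVICE_QUERY_STATUS, SW = SERVICE_ENUMERATE_DEPENDENTS,
# LO = SERVICE_INTERROGATE, CR = SERVICE_USER_DEFINED_CONTROL, RC = READ_CONTROL.
READ_RIGHTS_STR = "CCLCSWLOCRRC"
READ_RIGHTS = {READ_RIGHTS_STR[i:i + 2] for i in range(0, len(READ_RIGHTS_STR), 2)}
DEFAULT_TRUSTEES = ("IU", "SU")      # INTERACTIVE and SERVICE well-known SIDs

# D:<flags>(ace)(ace)... ; the SACL (S:...) if present follows the last DACL ACE.
DACL_RE = re.compile(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed samples: a descriptor lacking the IU/SU ACEs and the same one with them.
SAMPLE_BEFORE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SAMPLE_AFTER = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def split_rights(rights):
    """Turn 'CCLCSW' into {'CC','LC','SW'}; a raw 0x access mask is kept as-is."""
    if rights.startswith("0x"):
        return {rights}
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights}")
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_dacl(sddl):
    """Return the DACL as a list of ACE dicts (type, flags, rights, sid)."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no D: (DACL) section in SDDL")
    aces = []
    for body in ACE_RE.findall(m.group("aces")):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _object_guid, _inherit_guid, sid = parts
        aces.append({"type": ace_type, "flags": flags, "rights": split_rights(rights), "sid": sid})
    return aces


def missing_read_rights(sddl, trustees=DEFAULT_TRUSTEES):
    """Per trustee, the read/query rights not effectively granted (deny ACEs win)."""
    allowed = {t: set() for t in trustees}
    denied = {t: set() for t in trustees}
    for ace in parse_dacl(sddl):
        if ace["sid"] not in allowed:
            continue
        if ace["type"] == "A":
            allowed[ace["sid"]] |= ace["rights"]
        elif ace["type"] == "D":
            denied[ace["sid"]] |= ace["rights"]
    return {t: READ_RIGHTS - (allowed[t] - denied[t]) for t in trustees}


def grant_read_rights(sddl, trustees=DEFAULT_TRUSTEES):
    """Return the SDDL with an allow ACE appended to the DACL for every trustee
    still short of rights; this is the string form 'sc sdset <service>' takes."""
    missing = missing_read_rights(sddl, trustees)
    extra = "".join(f"(A;;{READ_RIGHTS_STR};;;{t})" for t in trustees if missing[t])
    m = DACL_RE.search(sddl)
    return sddl[:m.end()] + extra + sddl[m.end():]


if __name__ == "__main__":
    for name, sddl in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, {t: sorted(r) for t, r in missing_read_rights(sddl).items()})
    print("fixed:", grant_read_rights(SAMPLE_BEFORE))
```

Run `missing_read_rights` over the `sc sdshow` output of MSSQL$MSFW and MSSQL$ISARS right after a reboot and again once the console shows the service; comparing the two descriptors pins down which ACE disappears and when.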

Yahoo Messenger not working through FTMG 2010 Standard SP1

Hi

We have 1 AD with FTMG 2010 Std SP1 with two adapters. I have a workgroup machine on which the web proxy is configured in Internet Explorer 9. We are using integrated authentication in FTMG 2010. Now when we try to use Yahoo Messenger it's not getting connected.

I have gone through several docs which say to install the Firewall Client to connect. I have also tried that, but I got the errors below in the Yahoo Messenger logs:

Checking virtual IP servers...
[VIP Raw] Connecting to Virtual IP server 10.30.1.252... [PASSED]
[VIP Raw] Sending HTTP request to the server... [PASSED]
[VIP Raw] Receiving response... [PASSED]
[VIP Raw] Receiving response... [PASSED]
[VIP Raw] Receiving response... [PASSED]
[VIP Raw] Receiving response... [PASSED]
[VIP Raw] Receiving response... [PASSED]
[VIP Raw] Receiving response... [PASSED]
[VIP Raw] Sending HTTP request to the server... [PASSED]
[VIP Raw] Receiving response... [PASSED]
[VIP Raw] Sending HTTP request to the server... [PASSED]
[VIP Raw] Receiving response... [PASSED]
[VIP Raw] Checking HTTP response code... [PASSED]
[VIP Raw] Parsing connection server IP address... [PASSED]
[VIP Raw] Sending HTTP request to the server... [PASSED]
[VIP Raw] Receiving response... [PASSED]
[VIP Raw] Checking HTTP response code... [PASSED]
[VIP Raw] Parsing connection server IP address... [PASSED]
[VIP Raw] PASSED *** 67.195.187.244 ***

Checking connection servers...
[CS Raw] Connecting to connection server port '5050'... [FAILED]
 ***  'COMPONENT_TYPE_YCP_EX' YCP EX Error: ('FND.0210', 0, 0) ***
[CS Raw] Connecting to connection server port '80'... [FAILED]
 ***  'COMPONENT_TYPE_YCP_EX' YCP EX Error: ('FND.0210', 0, 0) ***
[CS Raw] Connecting to connection server port '23'... [FAILED]
 ***  'COMPONENT_TYPE_YCP_EX' YCP EX Error: ('FND.0210', 0, 0) ***
[CS Raw] FAILED
 ***  'COMPONENT_TYPE_YCP' YCPError: 'PortSelector::AllPortsFailed' ***

Checking HTTP virtual IP servers...
[VIP Http] Sending HTTP request to the server... [PASSED]
[VIP Http] Receiving response... [FAILED]
 ***  'COMPONENT_TYPE_WININET' value: '12017' ***
[VIP Http] Connecting to HTTP Virtual IP server 10.30.1.252... [PASSED]
[VIP Http] Sending HTTP request to the server... [PASSED]
[VIP Http] Receiving response... [PASSED]
[VIP Http] Receiving response... [PASSED]
[VIP Http] Receiving response... [PASSED]
[VIP Http] Receiving response... [PASSED]
[VIP Http] Receiving response... [PASSED]
[VIP Http] Receiving response... [PASSED]
[VIP Http] Sending HTTP request to the server... [PASSED]
[VIP Http] Receiving response... [PASSED]
[VIP Http] Sending HTTP request to the server... [PASSED]
[VIP Http] Receiving response... [PASSED]
[VIP Http] Checking HTTP response code... [PASSED]
[VIP Http] Parsing HTTP connection server IP address... [PASSED]
[VIP Http] PASSED *** 98.139.60.34 ***

Checking HTTP connection servers...
[CS Http] Sending HTTP request to the server... [PASSED]
[CS Http] Receiving response... [PASSED]
[CS Http] Checking HTTP response code... [PASSED]
[CS Http] Validating HTTP connection server response... [PASSED]
[CS Http] PASSED

Checking login servers...
[Login] FAILED
 ***  'COMPONENT_TYPE_WININET' value: '12057' ***

Regards

Devang
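As an added example, not code from Devang's post or from Yahoo or Microsoft: the connection diagnostic output above is easier to read once it is reduced to one line per check, with the failing steps and the WinINet error codes attached. The Python below parses that log format (a "Checking ..." header, per-step `[tag] ... [PASSED|FAILED]` lines, `***` error lines and a per-section verdict) and decodes the numeric WinINet codes it finds using the standard names from wininet.h. The log it runs on is a trimmed copy of the one posted above; note that a section can carry a failed step and still end with a PASSED verdict, which the parser keeps apart.

```python
import re

# Subset of WinINet error codes (names as defined in wininet.h).
WININET_ERRORS = {
    12002: "ERROR_INTERNET_TIMEOUT",
    12007: "ERROR_INTERNET_NAME_NOT_RESOLVED",
    12017: "ERROR_INTERNET_OPERATION_CANCELLED",
    12029: "ERROR_INTERNET_CANNOT_CONNECT",
    12030: "ERROR_INTERNET_CONNECTION_ABORTED",
    12031: "ERROR_INTERNET_CONNECTION_RESET",
    12057: "ERROR_INTERNET_SEC_CERT_REV_FAILED",
    12157: "ERROR_INTERNET_SECURITY_CHANNEL_ERROR",
}

SECTION_RE = re.compile(r"^Checking .*\.\.\.$")
STEP_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s+(?P<desc>.+?)\s+\[(?P<result>PASSED|FAILED)\]$")
VERDICT_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s+(?P<result>PASSED|FAILED)\b")
WININET_RE = re.compile(r"'COMPONENT_TYPE_WININET' value: '(\d+)'")

# Trimmed copy of the diagnostic log posted above (sample input for this example).
SAMPLE_LOG = """Checking virtual IP servers...
[VIP Raw] Connecting to Virtual IP server 10.30.1.252... [PASSED]
[VIP Raw] Sending HTTP request to the server... [PASSED]
[VIP Raw] Receiving response... [PASSED]
[VIP Raw] Parsing connection server IP address... [PASSED]
[VIP Raw] PASSED *** 67.195.187.244 ***

Checking connection servers...
[CS Raw] Connecting to connection server port '5050'... [FAILED]
 ***  'COMPONENT_TYPE_YCP_EX' YCP EX Error: ('FND.0210', 0, 0) ***
[CS Raw] Connecting to connection server port '80'... [FAILED]
 ***  'COMPONENT_TYPE_YCP_EX' YCP EX Error: ('FND.0210', 0, 0) ***
[CS Raw] FAILED
 ***  'COMPONENT_TYPE_YCP' YCPError: 'PortSelector::AllPortsFailed' ***

Checking HTTP virtual IP servers...
[VIP Http] Sending HTTP request to the server... [PASSED]
[VIP Http] Receiving response... [FAILED]
 ***  'COMPONENT_TYPE_WININET' value: '12017' ***
[VIP Http] Connecting to HTTP Virtual IP server 10.30.1.252... [PASSED]
[VIP Http] PASSED *** 98.139.60.34 ***

Checking login servers...
[Login] FAILED
 ***  'COMPONENT_TYPE_WININET' value: '12057' ***
"""


def decode_wininet(code):
    return WININET_ERRORS.get(code, f"unknown WinINet code {code}")


def analyze(log_text):
    """Split the log into sections, each with its verdict, failed steps,
    raw error lines and any WinINet codes found in those error lines."""
    sections = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            current = {"name": line, "verdict": None, "failed_steps": [], "errors": [], "wininet": []}
            sections.append(current)
            continue
        if current is None:
            continue                       # text before the first section header
        step = STEP_RE.match(line)
        if step:
            if step.group("result") == "FAILED":
                current["failed_steps"].append(step.group("desc"))
            continue
        verdict = VERDICT_RE.match(line)
        if verdict:
            current["verdict"] = verdict.group("result")
            continue
        if line.startswith("***"):
            current["errors"].append(line.strip("* ").strip())
            code = WININET_RE.search(line)
            if code:
                current["wininet"].append(int(code.group(1)))
    return sections


def failed_sections(sections):
    return [s["name"] for s in sections if s["verdict"] == "FAILED"]


def report(sections):
    """One line per section, then the failed steps and decoded WinINet codes."""
    lines = []
    for s in sections:
        lines.append(f"{s['verdict'] or '????'}  {s['name']}")
        for step in s["failed_steps"]:
            lines.append(f"        step failed: {step}")
        for code in s["wininet"]:
            lines.append(f"        WinINet {code}: {decode_wininet(code)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

On this log the summary shows the HTTP paths through the proxy succeeding while the raw TCP connection-server checks (ports 5050, 80 and 23) and the final login check fail, which is the pattern to compare against the TMG firewall log for the same client.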

 
