Channel: Forefront TMG and ISA Server forum

TMG 2010 3 leg dns problem

When I started the wizard for 3 legs, everything ran OK.
I checked that only the internal network NIC has DNS servers, nothing on external nor perimeter.

Going back to TMG, I see that it is blocking all DNS traffic.

Internal 192.168.1.0/24 with DNS but no default gateway

Perimeter 192.168.2.0/24 without DNS and no default gateway

External 192.168.0.0/24 without DNS but with default gateway

All DNS traffic is blocked except for system policy rule 8 "allow traffic from TMG to the selected servers".

Any solutions?

Thanks.




abortively closed after one of the peers sent an RST packet

I have my TMG server set up for firewall functionality to protect an internal application/database server. Limited testing proved positive, but in a live scenario I had a few workstations with various operating systems generating this little problem. You can see the SUCCESS entry for the TMG client and the immediate "abortive shutdown."

Most of the clients seemed to work fine, but a few would not connect and this is the only thing I could find to isolate the issue. I'm going to try again coupled with some Wireshark action, but until then, any ideas?

Log clip:

Client IP       Destination IP   Destination Port  Protocol                    Action                Rule                     Result Code
198.30.110.53   198.30.110.100   1745              Forefront TMG Client (TCP)  Initiated Connection                           0x0 SUCCESS
198.30.110.53   198.30.110.100   1745              Forefront TMG Client (TCP)  Closed Connection                              0x80074e21 FWX_E_ABORTIVE_SHUTDOWN
198.30.110.53   198.30.110.100   1745              Forefront TMG Client (TCP)  Denied Connection     None - see Result Code   0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
198.30.110.53   198.30.110.100   1745              Forefront TMG Client (TCP)  Denied Connection     None - see Result Code   0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
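A way to pull this pattern out of a larger log export, as an added example that is not part of the original post: the script below reads TMG log rows with the columns shown above (constructed here as a tab-separated sample, since a real export would be saved from the Logs & Reports viewer) and lists the clients whose Firewall Client control channel (TCP 1745) was closed with FWX_E_ABORTIVE_SHUTDOWN and then kept producing FWX_E_TCP_NOT_SYN_PACKET_DROPPED entries, which is what TMG logs when it receives mid-stream segments for a connection it no longer tracks. The second client address and the tab layout are assumptions made for the sample.

```python
"""List Firewall Client control-channel sessions torn down abortively and
followed by non-SYN drops.

Added example, not code from the original post.  SAMPLE_LOG is a constructed,
tab-separated rendering of the columns seen in the post (a real export would
come from the TMG log viewer); the 198.30.110.77 client is invented so that a
healthy session appears alongside the failing one.
"""
from collections import defaultdict

COLUMNS = ("client_ip", "dest_ip", "dest_port", "protocol", "action", "rule", "result")

SAMPLE_LOG = """\
198.30.110.53\t198.30.110.100\t1745\tForefront TMG Client (TCP)\tInitiated Connection\t\t0x0 SUCCESS
198.30.110.53\t198.30.110.100\t1745\tForefront TMG Client (TCP)\tClosed Connection\t\t0x80074e21 FWX_E_ABORTIVE_SHUTDOWN
198.30.110.53\t198.30.110.100\t1745\tForefront TMG Client (TCP)\tDenied Connection\tNone - see Result Code\t0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
198.30.110.53\t198.30.110.100\t1745\tForefront TMG Client (TCP)\tDenied Connection\tNone - see Result Code\t0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
198.30.110.77\t198.30.110.100\t1745\tForefront TMG Client (TCP)\tInitiated Connection\t\t0x0 SUCCESS
198.30.110.77\t198.30.110.100\t1745\tForefront TMG Client (TCP)\tClosed Connection\t\t0x0 SUCCESS
"""


def parse_log(text):
    """Turn tab-separated log rows into dicts keyed by COLUMNS.

    The Result Code column holds "<hex code> <symbolic name>"; the symbolic
    name is kept separately as result_name for easier matching.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected column count in line: {line!r}")
        row = dict(zip(COLUMNS, fields))
        row["result_name"] = row["result"].split(" ", 1)[-1]
        rows.append(row)
    return rows


def find_aborted_clients(rows, control_port="1745"):
    """Return {client_ip: non-SYN drop count} for clients whose control
    channel was closed with FWX_E_ABORTIVE_SHUTDOWN and which then produced
    FWX_E_TCP_NOT_SYN_PACKET_DROPPED entries on the same port.

    Rows are processed in log order, so drops are only counted after the
    abortive close for that client has been seen.
    """
    state = defaultdict(lambda: {"aborted": False, "drops": 0})
    for row in rows:
        if row["dest_port"] != control_port:
            continue
        client = state[row["client_ip"]]
        if row["result_name"] == "FWX_E_ABORTIVE_SHUTDOWN":
            client["aborted"] = True
        elif client["aborted"] and row["result_name"] == "FWX_E_TCP_NOT_SYN_PACKET_DROPPED":
            client["drops"] += 1
    return {ip: s["drops"] for ip, s in state.items() if s["aborted"]}


if __name__ == "__main__":
    for ip, drops in find_aborted_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: control channel aborted, {drops} non-SYN segments dropped afterwards")
```

The clients this reports are the ones worth pairing with a Wireshark capture: the abortive close shows which side sent the RST, and the non-SYN drops that follow show the client still sending on a connection TMG has already forgotten.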

ISA 2006 Redundancy Options with 2 ISA 2006 Enterprise Servers With 2 NICs Each?

I have several questions, but they are all intertwined with each other.

What are the workable options for redundancy when one server goes offline, when you have 2 servers with 2 NICs each in the edge firewall configuration?

I see an option under internal network properties that says "If ISA Server is unavailable, use this backup route to connect to the Internet:"

Direct Access

Alternative ISA Server.

So, does this mean that you have some redundancy against loss of Internet access during server reboots even if you do not enable NLB?

Should you have each ISA point to the other as the backup route or should you have the first point to the second and the second server's backup route be "Direct Access"?

Do you combine these backup route settings with NLB at the same time?

If the internal NIC is being used for intra-array communication, can you also use this NIC as the NIC where the virtual IP for NLB is coming from?

For instance, if the internal NIC is 192.168.1.6 and the external NIC 192.168.55.6, can you have the virtual IP set to 192.168.1.120 and also load balance the Internal network?

I read that you cannot load balance the intra-array network, but I don't want to load balance the intra-array network. I want to load balance the Internal network, but I don't have enough NICs for everything to be on a different NIC.

When you enable NLB, do you use the VIP (192.168.1.120) as the IP address used in configuring browser settings or gateway addresses instead of the internal IP address of the first ISA server?



TMG cannot determine array member's status

Hello,

Yesterday we decided to upgrade our TMG servers to Service Pack 2 as they were still on the original release.

We have an EMS server and 2 TMG servers in an array. The upgrade to the EMS seemingly went well, however when we ran the SP2 upgrade on the first TMG server we started seeing the following error:

Forefront TMG cannot determine array member's status. Therefore, any attempts to establish VPN site to site tunnels may not succeed. Forefront TMG will check array member's status periodically. When the array member's status can be determined, tunnels will be established, as necessary.

All looked OK in the management console, which showed the configuration is apparently up to date and the server had a green tick.

However, on looking at the logs the server is not accepting any connections and all traffic is being blocked under the default rule.

We've disabled NLB for now so all connections are going via the other array member, however I am baffled as to what has happened.

Anyone seen this before?

Many Thanks,
Chris



Forefront TMG Installation terminates - SQL Express 2008 Could Not Be Installed

I have been installing TMG on a couple of machines already and this is the first time I have encountered this issue. The installation wizard stops at "Additional Components (Estimated time: 12 minutes)" and prompts the error message:

"Microsoft SQL Express 2008 (reporting instance) could not be installed. As a result, Forefront TMG installation cannot be completed."

I have tried uninstalling SQL from this machine, rebooting, reinstalling it, and then installing TMG again, but it still prompts this error message.

I am at a loss on how I should go about this, actually. Does anyone have any suggestions?

TMG performing SIP manipulation?

Hi all, 

I was wondering whether you could help us out here. We have used TMG as a proxy and firewall for 3 years now, with our telephony solution, without any issues until recently.

Whenever a conversation is being established, I now often hear no sound from the PSTN into my CTI.

When I go and look at the SIP negotiation, in the first calls I try to place I get an invite with the IP of the TMG solution (shouldn't happen), and when this happens there is no sound from the PSTN to my workstation.

After two or three tries, the invite packet has the media server IP address, and then I get to hear sound in both directions correctly.

I'll show you the examples:

Not working:

11:35:22.498 V   7652   70  100 #default#  INVITE sip:1228@192.18.0.116:5835 SIP/2.0
11:35:22.498 V   7652   70  100 #default#  From: <sip:991234566@hostname:5060>;tag=20d06ba8-52001f0a-13d8-45026-73ab7e-470428ab-73ab7e
11:35:22.498 V   7652   70  100 #default#  To: <sip:1228@hostname:5060>;tag=ada0688-740010ac-16cb-45026-2622-7c4c7110-2622
11:35:22.498 V   7652   70  100 #default#  Call-ID: 1026f388-52001f0a-13d8-45026-73ab7e-1b88d43d-73ab7e
11:35:22.498 V   7652   70  100 #default#  CSeq: 3 INVITE
11:35:22.498 V   7652   70  100 #default#  Via: SIP/2.0/UDP :5060;received=ipaddress;branch=z9hG4bKmi!w_s!cwqGmi!w_s!cwqG0OiY4*wEqE-_WwGUYm4-Qmu*-.3-199072c8
11:35:22.498 V   7652   70  100 #default#  Record-Route: <sip:19249689162017768909AOUD@sipproxyip;lr;dayaRRParam19015319001988772821>
11:35:22.498 V   7652   70  100 #default#  Via: SIP/2.0/UDP b2bip:5080;branch=z9hG4bK-73ab85-c3d6033c-7bebf078
11:35:22.498 V   7652   70  100 #default#  Max-Forwards: 69
11:35:22.498 V   7652   70  100 #default#  Supported: timer,replaces
11:35:22.498 V   7652   70  100 #default#  Contact: <sip:mychangendnumber@b2bip:5080>
11:35:22.498 V   7652   70  100 #default#  Session-Expires: 21721;refresher=uac
11:35:22.498 V   7652   70  100 #default#  Min-SE: 300
11:35:22.498 V   7652   70  100 #default#  Allow: INVITE,ACK,CANCEL,BYE,REFER,INFO,UPDATE,MESSAGE,NOTIFY
11:35:22.498 V   7652   70  100 #default#  Content-Type: application/sdp
11:35:22.498 V   7652   70  100 #default#  Content-Length: 263
11:35:22.498 V   7652   70  100 #default#  
11:35:22.498 V   7652   70  100 #default#  v=0
11:35:22.498 V   7652   70  100 #default#  o=OneMedia 1381411 3 IN IP4 192.168.60.2
11:35:22.498 V   7652   70  100 #default#  s=Collab SDP
11:35:22.498 V   7652   70  100 #default#  c=IN IP4 192.168.60.2
11:35:22.498 V   7652   70  100 #default#  t=0 0
11:35:22.498 V   7652   70  100 #default#  m=audio 16452 RTP/AVP 18 0 8 101
11:35:22.498 V   7652   70  100 #default#  a=rtpmap:18 G729/8000
11:35:22.498 V   7652   70  100 #default#  a=fmtp:18 annexb=no
11:35:22.498 V   7652   70  100 #default#  a=rtpmap:0 PCMU/8000
11:35:22.498 V   7652   70  100 #default#  a=rtpmap:8 PCMA/8000
11:35:22.498 V   7652   70  100 #default#  a=rtpmap:101 telephone-event/8000
11:35:22.498 V   7652   70  100 #default#  a=fmtp:101 0-15

Working example:

11:40:26.485 V   7652   69  100 #default#  INVITE sip:1228@192.18.0.116:5835 SIP/2.0
11:40:26.485 V   7652   69  100 #default#  From: <sip:mychangednumber@hostname:5060>;tag=20db60e8-52001f0a-13d8-45026-73acb0-6121f523-73acb0
11:40:26.485 V   7652   69  100 #default#  To: <sip:1228@blablabla:5060>;tag=ada1f08-740010ac-16cb-45026-2753-286d9544-2753
11:40:26.485 V   7652   69  100 #default#  Call-ID: 1021ba88-52001f0a-13d8-45026-73acb0-37d84935-73acb0
11:40:26.485 V   7652   69  100 #default#  CSeq: 3 INVITE
11:40:26.485 V   7652   69  100 #default#  Via: SIP/2.0/UDP 10.31.0.21:5060;received=10.31.0.31;branch=z9hG4bKmi!w_s!cwqGmi!w_s!cwqG0OiY4*wEqE2UWwGUYmWoYm4g8.3-1998d038
11:40:26.485 V   7652   69  100 #default#  Record-Route: <sip:19249689162017768909AOUD@192.31.0.31;lr;dayaRRParam19015319001988772821>
11:40:26.485 V   7652   69  100 #default#  Via: SIP/2.0/UDP b2bip:5080;branch=z9hG4bK-73acb5-c3daa6ae-13fcdcd7
11:40:26.485 V   7652   69  100 #default#  Max-Forwards: 69
11:40:26.485 V   7652   69  100 #default#  Supported: timer,replaces
11:40:26.485 V   7652   69  100 #default#  Contact: <sip:mychangendnumber@b2bip:5080>
11:40:26.485 V   7652   69  100 #default#  Session-Expires: 21721;refresher=uac
11:40:26.485 V   7652   69  100 #default#  Min-SE: 300
11:40:26.485 V   7652   69  100 #default#  Allow: INVITE,ACK,CANCEL,BYE,REFER,INFO,UPDATE,MESSAGE,NOTIFY
11:40:26.485 V   7652   69  100 #default#  Content-Type: application/sdp
11:40:26.485 V   7652   69  100 #default#  Content-Length: 261
11:40:26.485 V   7652   69  100 #default#  
11:40:26.485 V   7652   69  100 #default#  v=0
11:40:26.485 V   7652   69  100 #default#  o=OneMedia 1381613 3 IN IP4 192.31.0.23
11:40:26.485 V   7652   69  100 #default#  s=Collab SDP
11:40:26.485 V   7652   69  100 #default#  c=IN IP4 192.31.0.23
11:40:26.485 V   7652   69  100 #default#  t=0 0
11:40:26.485 V   7652   69  100 #default#  m=audio 19730 RTP/AVP 18 0 8 101
11:40:26.485 V   7652   69  100 #default#  a=rtpmap:18 G729/8000
11:40:26.485 V   7652   69  100 #default#  a=fmtp:18 annexb=no
11:40:26.485 V   7652   69  100 #default#  a=rtpmap:0 PCMU/8000
11:40:26.485 V   7652   69  100 #default#  a=rtpmap:8 PCMA/8000
11:40:26.485 V   7652   69  100 #default#  a=rtpmap:101 telephone-event/8000
11:40:26.485 V   7652   69  100 #default#  a=fmtp:101 0-15

Note: I purposely changed the IP addresses here, but bolded the IPs I would like you to see.

In the not-working scenario, the IP that the software receives in the SIP packet is the TMG IP address (default GW and proxy IP address).

In the working scenario, I receive the IP address of the media server, which is the correct scenario, and lets me hear sound.

It is clear to me that SIP manipulation is being done at TMG level, but I made no change that would make this happen.

How can I check whether it is some configuration issue or a bug? TMG is fully updated. Maybe it started after the last update (it was working well at SP1 level).

The networking between TMG and the SIP server has had no configuration changes for more than a year. I see that the packet leaves the SIP server with the media server IP address, and when it arrives at the TMG, it changes the packet...

Thanks,


Nuno Silva
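One way to audit a batch of these traces for the symptom described above, as an added example (not code from the original post): it strips the log prefix, parses each INVITE into request line, headers and SDP, and flags any INVITE whose SDP c= line carries the TMG address instead of a known media server, plus the empty sent-by host visible in the first Via header of the non-working trace. The two traces embedded in the script are constructed, shortened versions of the ones above; treating 192.168.60.2 as the TMG address and 192.31.0.23 as the media server follows the post's description of which trace is which and is an assumption for the sample.

```python
"""Audit logged SIP INVITEs for SDP media addresses that point at the proxy.

Added example, not from the original post.  The two traces below are
constructed, shortened versions of the post's captures (same log layout, fewer
headers, invented branch/Contact values).  192.168.60.2 is assumed to be the
TMG address and 192.31.0.23 the media server, per the post's description.
"""
import re

# Log prefix as it appears in the post: time, level, pid, two counters, #context#
LOG_PREFIX = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+\S+\s+\d+\s+\d+\s+\d+\s+#\w+#\s*"
)

BROKEN_INVITE = """\
11:35:22.498 V   7652   70  100 #default#  INVITE sip:1228@192.18.0.116:5835 SIP/2.0
11:35:22.498 V   7652   70  100 #default#  Via: SIP/2.0/UDP :5060;received=10.31.0.31;branch=z9hG4bKconstructed-1
11:35:22.498 V   7652   70  100 #default#  Via: SIP/2.0/UDP 10.31.0.40:5080;branch=z9hG4bKconstructed-2
11:35:22.498 V   7652   70  100 #default#  Contact: <sip:1000@10.31.0.40:5080>
11:35:22.498 V   7652   70  100 #default#  Content-Type: application/sdp
11:35:22.498 V   7652   70  100 #default#
11:35:22.498 V   7652   70  100 #default#  v=0
11:35:22.498 V   7652   70  100 #default#  o=OneMedia 1381411 3 IN IP4 192.168.60.2
11:35:22.498 V   7652   70  100 #default#  c=IN IP4 192.168.60.2
11:35:22.498 V   7652   70  100 #default#  m=audio 16452 RTP/AVP 18 0 8 101
""".splitlines()

WORKING_INVITE = """\
11:40:26.485 V   7652   69  100 #default#  INVITE sip:1228@192.18.0.116:5835 SIP/2.0
11:40:26.485 V   7652   69  100 #default#  Via: SIP/2.0/UDP 10.31.0.21:5060;received=10.31.0.31;branch=z9hG4bKconstructed-3
11:40:26.485 V   7652   69  100 #default#  Via: SIP/2.0/UDP 10.31.0.40:5080;branch=z9hG4bKconstructed-4
11:40:26.485 V   7652   69  100 #default#  Contact: <sip:1000@10.31.0.40:5080>
11:40:26.485 V   7652   69  100 #default#  Content-Type: application/sdp
11:40:26.485 V   7652   69  100 #default#
11:40:26.485 V   7652   69  100 #default#  v=0
11:40:26.485 V   7652   69  100 #default#  o=OneMedia 1381613 3 IN IP4 192.31.0.23
11:40:26.485 V   7652   69  100 #default#  c=IN IP4 192.31.0.23
11:40:26.485 V   7652   69  100 #default#  m=audio 19730 RTP/AVP 18 0 8 101
""".splitlines()


def strip_log_prefix(lines):
    """Remove the per-line log prefix, leaving the raw SIP message lines."""
    out = []
    for line in lines:
        m = LOG_PREFIX.match(line)
        out.append(line[m.end():] if m else line)
    return out


def parse_sip(lines):
    """Split a SIP request into (request line, [(header, value)], {sdp key: [values]})."""
    request = lines[0]
    headers, sdp = [], {}
    i = 1
    while i < len(lines) and lines[i].strip():        # headers end at the blank line
        name, _, value = lines[i].partition(":")
        headers.append((name.strip(), value.strip()))
        i += 1
    for line in lines[i + 1:]:                         # SDP body: "k=value" lines
        if "=" in line:
            key, value = line.split("=", 1)
            sdp.setdefault(key, []).append(value)
    return request, headers, sdp


def check_invite(lines, tmg_ip, media_ips):
    """Return a list of findings for one logged INVITE (empty list = looks fine)."""
    request, headers, sdp = parse_sip(strip_log_prefix(lines))
    if not request.startswith("INVITE "):
        return ["not an INVITE"]
    findings = []
    for conn in sdp.get("c", []):                      # "IN IP4 <addr>"
        addr = conn.split()[-1]
        if addr == tmg_ip:
            findings.append(f"SDP c= points at the TMG address {addr}, media will be sent to the proxy")
        elif addr not in media_ips:
            findings.append(f"SDP c= address {addr} is not a known media server")
    for name, value in headers:
        if name == "Via" and re.search(r"SIP/2\.0/\w+\s+:\d+", value):
            findings.append(f"Via header has an empty sent-by host: {value}")
    return findings


if __name__ == "__main__":
    for label, trace in (("not working", BROKEN_INVITE), ("working", WORKING_INVITE)):
        print(label, check_invite(trace, "192.168.60.2", {"192.31.0.23"}) or "OK")
```

Run over a day's worth of INVITEs, the ratio of flagged to clean calls tells you whether the rewrite is intermittent (as the post describes) or tied to a particular path, and comparing the same INVITE captured on the SIP server side and on the TMG internal side shows whether the c= line changed in transit.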



Prevent all Website except my corporate website in TMG

Hi

I want to prevent access to all websites except our company website. Actually, I made a URL Set which includes my company website, and after that I set a Firewall Policy rule: Deny IP to External except the URL Set, but it does not work. Sometimes this IP has access to all of External and sometimes it does not have access to External! In this situation my exception does not work!

Regards

Vahid Aghakhani

Forefront TMG 2010 SP2 - Logging override web pages

We have Forefront TMG 2010 SP2 on Windows Server 2008 R2. Because we want to protect our network I created a new firewall rule. This rule is Deny Web Destination with the "allow user override" web page. This rule works perfectly, but now we want to log these overridden web pages.

I tried to create a new Filter in Logs & Reports with Override Rule for a test, but this doesn't work.

Please help me find the solution for this case: how do I create a filter and reporting for overridden web pages?

Best regards


Ninja 4 IT


Forefront TMG 2010 and Lync Server 2010

I have just built a TMG server with two legs, one in the DMZ and one into our production network. I have configured the appropriate rule on TMG, and all external DNS records that I need are pointing to the TMG box. Word of warning: I am a TMG noob, I've never used it and am currently following documents found on Google. When I run the "Remote connectivity analyzer" it comes back with the following results:

"Testing connectivity to the Lync Autodiscover Web Service server for a secure connection on port 443 to obtain the root token.
     Connectivity to the Lync Autodiscover Web Service test failed.
     
    Test Steps
     
    Attempting to test Autodiscover Web Service URL https://lyncdiscover.xxx.org.uk/Autodiscover/AutodiscoverService.svc/root.
     Autodiscover Web Service URL can't be contacted due to failure of the following tests:
     
    Test Steps
     
    Attempting to resolve the host name lyncdiscover.xxx.org.uk in DNS.
     The host name resolved successfully.
     
    Additional Details
    Testing TCP port 443 on host lyncdiscover.xxx.org.uk to ensure it's listening and open.
     The specified port is either blocked, not listening, or not producing the expected response.
      Tell me more about this issue and how to resolve it
     
    Additional Details
     A network error occurred while communicating with the remote host."

When I look at the rule on the TMG box it all looks correct, but, running "netstat -ano" I cannot see port 443 listening.  I've checked and double checked my configuration and believe it to be correct but was wondering if someone has had the same issue themselves.

Many thanks.

Server 2008

Hi Guys

Any help will be appreciated; I set up a new server, which I will use as a proxy server, with two NICs, one for the internal network and the other for the external internet.

But the problem I face is that as soon as I try to ping one of my branches it times out, and from the branches to the main hub where the proxy is, it times out. When I ping the DC in the same rack it replies. The branches are connected via VPN tunneling using Juniper switches, SSG 5s at the sites and an SSG 14 at the main hub.

The cards are on different IPs and masks, and the external card uses the IP range from the ISP for pure internet connection.

The funny thing is that I currently have a proxy server set up and this works perfectly, the only difference between the current proxy and the new one I am setting up is the hardware, I don’t understand why one will connect and ping out or reply on ping and the other doesn’t.

Thank you

Java Authentication and TMG

Hello,

Kindly be informed that I have a problem in TMG: when I run any web application that needs Java, it asks for authentication.

Thanks


Omar A. G. Dweik Senior System Engineer Qatar - Doha

Slow internet after moving from ISA 2006 to Forefront TMG

Hi.

I have a proxy server that shares internet for my organization's users. My internet speed is about 12 Mbps.

I had a Windows 2003 standalone server with ISA 2006 and everything worked fine. Now I moved to Windows 2008 R2 on VMware ESXi and Forefront TMG 2010, and the connection is very slow.

What do I mean by saying slow?

Sites open very slowly and HTTP downloads are also slow. Especially, speedtest.net shows a maximum of 1 Mbps download. The upload has also changed from 50 Mbps to 5 Mbps. In other words, the speed is 10 times lower than it was on ISA 2006.

Firstly, I thought that something in the TMG settings was causing such problems, but then I tried to run a torrent and discovered that torrents are being downloaded at a good speed of 12 Mbps.

I read several topics about such kind of problems but haven't figured out the solution for my case.

outgoing email on blocked list

We have Exchange 2010 and last Friday our outgoing email started to be blocked by Spamhaus and prs. I do not know why this is, as I had changed nothing. The error is 550 and the IP it's showing is our external internet IP, not the external IP for Exchange. We use Forefront TMG as a firewall. Incoming email works fine. Where do I look to find the settings I need? I am a new user with this product.


Annette Zacharias

Import settings from Standalone TMG

This question is being posted on behalf of another user.

Hello,

We received the following question from one of our users:

"Hi, just installed MS UAG 2010 and realized that it has TMG bundled in it. Can I import settings from standalone TMG to work?"

Does anyone know if this is possible and if so, how to do it?

Thanks

Social Media - Dwayne W

SharePoint 2013 publishing issues

Hi!

I have just installed TMG 2010 because I need it for reverse proxy. The server is single NIC and is located behind my edge firewall. I have several subdomains pointing to my edge firewall's WAN IP and have NAT-rules set up to allow traffic to my TMG-server.

This is working fine, and I have published several web-sites.

However, the main purpose for me setting up a TMG server was to publish Exchange 2010, SharePoint 2013 and Office Web Apps 2013. All of them secured by SSL. So far I have been able to publish SharePoint 2013, and this is what I did:

1. Created a HTTPS web-listener (Installed SSL certificate, HTTP authentication (Basic + Integrated))
2. Created a Firewall Policy (To: external host name, Traffic: HTTPS, Authentication Delegation: No delegation, but clients may authenticate directly, SSL bridging)

On desktop IE9 everything works fine, but when accessing SharePoint 2013 from the Windows Phone Office Hub it says "Can only connect to SharePoint sites. Try opening the site in the browser instead". Also, I can't seem to get Basic Authentication to work. I need Basic for the new SharePoint Newsfeed Windows Phone app.

Any input is much appreciated,



Unable to Publish OWA with TMG - Blocked Web Destinations

Hello

I cannot seem to publish OWA with TMG 2010. The TMG server has a single network adapter for internal and external traffic. I may move the server between the internal and external networks once I have set it up correctly.

I have created a rule and a web listener for OWA and when I press to test the settings everything has a green tick in it so I believe the rule is correct.

However when I try to access the URL I get the standard "Internet Explorer Cannot Display the Webpage".

Having checked the log it seems to be missing the OWA rule and dropping into "Blocked Web Destinations" with a protocol of https-inspect. It does say the source network is External though which it is not. The internal range is set as 192.168.1.1 - 192.168.255.255.

If I turn off the Blocked Web Destinations rule it then drops into the next rule down which is to allow web access and OWA comes up with a basic authentication box.

I have set this up multiple times and even re-run the getting started wizard and setting everything again. OWA is the only rule I have tried so far as it is the main thing that needs to be published. All certificates are valid and the common name matches with the TMG certificate published to Active Directory.

The last time I set this up was with ISA 2006 and I got it all working then. I must have missed out a step somewhere but I can't work out where.

Does anyone have any suggestions of anything I could try?

Thanks

Robin


Robin Wilson

LSP conflict with Forefront TMG client LSP causes crash

I've got a customer who has Forefront TMG client installed in addition to our Layered Service Provider (LSP).

I understand Forefront uses a callout LSP while our LSP does all its logic in process. We've found that when both LSPs are installed (even when our LSP is acting as a passthrough), the system starts misbehaving. iTunes is unable to connect to the iTunes store, and other client-server applications crash (sending windows error reports).

Are there any strategies for debugging this or configuration settings that I can suggest to work around this? 

publishing troubleshooting

My long term goal is to publish OWA and EAS, but I've had trouble with that so I'm taking baby steps. I've read a ton of blog posts and followed instructions exactly, but I'm not getting it working. I have a single NIC TMG server in a DMZ, but it is a member of the internal domain.

I have a couple of internal test websites I have successfully published (not at the same time) using a listener with no authentication and a rule that allows direct authentication from the website. One of the websites uses integrated Windows authentication, so when I access it through the TMG server I am prompted for credentials. Once I enter them, the website opens. This is how I expect it to work.

However, if I delete the No Auth configuration and create a new listener that does use authentication (either HTTP or HTML form) and configure a new rule to publish the same website using Basic, Negotiate, or Kerberos, after I authenticate to the ISA server I get a

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

I see this error in the TMG logs, and the rule that is blocking it is my publishing rule. I've used the LDP tool to test connectivity to the domain, and it shows a successful connection to my domain controller on 389. And I'm able to log in to the TMG server with my internal.com domain credentials via RDP, so I don't think it's an authentication issue. But I could be wrong. If it was a host header issue on the IIS site, I would expect the No Auth method to fail as well. But it does not, and there are no host headers in the bindings of the IIS site anyway.

Thoughts?

VOIP not working after installing TMG 2010

Hi,

We have recently deployed a TMG 2010 server in our network. We have configured it for VOIP by using the Configure VOIP option in TMG, but it is not working. We are using a Vonage box for VOIP. It is connected to our core switch, which is connected to TMG and then the router, i.e.

Vonage Box -> Cisco 3560 Switch -> TMG -> Cisco 1801 Router

Data traffic and internet are working for internal PCs connected to the core switch.

I have configured VOIP by selecting "IP phones are connected directly to external hosted IP PBX" and provided External and Internal in the subsequent screens for configuring "External IP PBX server" and "Internal SIP Phone Network Addresses" respectively. But it is not working and Vonage is displaying "Check if ur Internet is down". However, internet is working on the PCs.

Please guide me where I am wrong, or how to configure TMG to allow Vonage VOIP.

Regards,

Rabnawaz

ISA 2006 SSO to Remote Desktop Web portal

Hi ,

I'm trying to configure ISA server SSO to remote desktop services Web Portal.

The requirement is as follow.

- The user is being given a smartcard with a certificate.

- The user must authenticate to ISA WEB Listener via smartcard.

- ISA should SSO the user to the Remote Desktop Web Portal.

At the moment we have the following.

- The user accesses the Internet-facing ISA server's Listener for the RDWEB portal.

- The user is prompted for a certificate to authenticate.

- The user is authenticated.

- The user then gets an error "401-Unauthorized. Access is denied due to invalid Credentials" (I think from the RDWEB).

Thanks
