Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

broadcast packet


Hello everybody,
I have a Windows Server 2008 R2 Enterprise with TMG 2010.
On the monitoring alerts, it reported a number of blocked connections per minute from a particular machine. I analyzed the logs and saw that there are many blocks of broadcast from this machine coming from port 5355.
TMG by default blocks broadcast; however, what puzzles me is the amount of blocking coming from this specific machine.
I analyzed the antivirus logs and nothing was detected; the machine has Symantec Endpoint installed.

I would like the opinion of colleagues; I am posting the problem below:

Client IP        Destination IP   Destination Port   Protocol                                  Action
192.168.0.130    224.0.0.252      5355               Link-local multicast name resolution      Denied
192.168.0.130    224.0.0.252      5355               Link-local multicast name resolution      Denied
192.168.0.130    224.0.0.252      5355               Link-local multicast name resolution      Denied

FWX_E_BROADCAST_PACKET_DROPPED

Denied Connection
SRVTMG 22/01/2013 11:31:30
Log type: Firewall service
Status: A broadcast packet was dropped by the Forefront TMG policy.
Rule: None - see Result Code
Source: Internal (192.168.0.130:64558)
Destination: External (224.0.0.252:5355)


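As an added example (not from the original post), a small Python parser for TMG "Denied Connection" records in the text layout shown above; it counts dropped LLMNR packets (224.0.0.252:5355) per source and minute so a single chatty machine stands out for triage. The log text inside it is constructed, and the server name, timestamps and the second source address are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the post's records (hypothetical host and times).
SAMPLE_LOG = """\
Denied Connection
SRVTMG 22/01/2013 11:31:30
Log type: Firewall service
Status: A broadcast packet was dropped by the Forefront TMG policy.
Rule: None - see Result Code
Source: Internal (192.168.0.130:64558)
Destination: External (224.0.0.252:5355)

Denied Connection
SRVTMG 22/01/2013 11:31:31
Source: Internal (192.168.0.130:64559)
Destination: External (224.0.0.252:5355)

Denied Connection
SRVTMG 22/01/2013 11:32:05
Source: Internal (192.168.0.77:51000)
Destination: External (224.0.0.252:5355)
"""

HEADER_RE = re.compile(r"^(\S+) (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)$")
ENDPOINT_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+):(\d+)\)")

def parse_records(text):
    """Split blank-line separated records into dicts keyed by the log's field names."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        rec = {"action": lines[0]}
        for line in lines[1:]:
            m = HEADER_RE.match(line)  # "SRVTMG 22/01/2013 11:31:30" (dd/mm/yyyy)
            if m:
                rec["server"], rec["time"] = m.group(1), datetime.strptime(m.group(2), "%d/%m/%Y %H:%M:%S")
                continue
            key, _, value = line.partition(":")
            rec[key.strip().lower()] = value.strip()
        for field in ("source", "destination"):  # "Internal (192.168.0.130:64558)"
            m = ENDPOINT_RE.search(rec.get(field, ""))
            if m:
                rec[field + "_ip"], rec[field + "_port"] = m.group(1), int(m.group(2))
        records.append(rec)
    return records

def llmnr_drops_per_minute(records):
    """Count denied LLMNR packets (224.0.0.252:5355) per (source IP, minute)."""
    counts = Counter()
    for r in records:
        if (r["action"] == "Denied Connection" and "time" in r and
                (r.get("destination_ip"), r.get("destination_port")) == ("224.0.0.252", 5355)):
            counts[(r["source_ip"], r["time"].strftime("%Y-%m-%d %H:%M"))] += 1
    return counts

def noisy_sources(records, threshold):
    """Source IPs that reach the threshold of LLMNR drops inside a single minute."""
    return sorted({ip for (ip, _), n in llmnr_drops_per_minute(records).items() if n >= threshold})
```

A machine that trips the threshold is worth checking for an LLMNR-heavy application or a name-resolution loop before suspecting malware, since LLMNR itself is normal Windows behaviour.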
Need to stop Internet in smartphones using TMG2010


Dear All,

I am using Forefront TMG 2010 and it is working fine, but I want to know whether I can restrict my users from using the internet on smartphones. Is there any way to stop internet access on mobile devices in TMG 2010?

Regards,

Shakeel Shahid.

ISA Server 2006 Enterprise Repeated Password Prompts Web Proxy Clients


There are 2 ISA servers on the same subnet on the network so there will be redundancy if one crashes or needs to be rebooted. I tried accessing the Internet from a computer that was not joined to the domain and received an authentication prompt as expected, but instead of one prompt, there were 4 prompts: 2 password prompts for each ISA server.

There is a KB about this issue, but it is from 2004 and the instructions on where the settings are do not apply:

http://support.microsoft.com/kb/822458

Microsoft ISA Server

If you use Microsoft Internet Security and Acceleration (ISA) Server, follow these steps to configure the downstream ISA Server-based server to pass credentials upstream:
  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Management.
  2. Expand Servers and Arrays, expand Your_Server_Name, expand Network Configuration, and then expand Routing.
  3. Right-click the routing rule that you want to configure, and then click Properties.
  4. Click the Action tab, click Routing them to a specified upstream server, and then click Settings.
  5. In the Server or array box, type the name or the IP address of the upstream server.
  6. In the Port box, type the port number that the upstream server uses to listen for Hypertext Transfer Protocol (HTTP) requests. Typically, this is port 8080.
  7. In the SSL Port box, type the port number that the upstream server uses to listen for Secure Sockets Layer (SSL) requests. Typically, this is port 8443.
  8. Click OK two times.


I tried following that, but the options are different now.

Is there something similar to fix this issue for ISA 2006?



Forefront TMG Client certificate authentication - forwarding of client certificate


We would like to set up a Forefront TMG listener with client certificate authentication, which will pass on information from the client certificate to the web farm for application-side validation.

While the authentication part of the listener works, i.e. only users presenting a certificate from the configured CA will be able to establish an HTTPS connection, the application on the web farm is not able to determine which certificate was used to authenticate against TMG.

It appears to be possible to pass on user identity information to the web server by using Kerberos/delegation in conjunction with Active Directory. However since the smart card based certificates issued within the organization do not contain information which can be directly mapped to an Active Directory Account (requires custom processing of certificate attributes), this seems not to be an option.

The authentication part should be completely handled by the web application based on the public key presented by the user. This works well if a single web server which accepts client certificates is transparently published through TMG. In that case, client certificate information is made available by IIS.

Since the SSL connection is terminated on TMG, it would be necessary to provide certificate information from the SSL layer within the HTTP header. Can this be achieved through configuration options or by adding custom logic on the firewall?

Similar to this post which refers to UAG: http://blogs.technet.com/b/edgeaccessblog/archive/2010/05/09/how-to-configure-uag-to-send-request-headers-to-published-web-applications.aspx

Need help with ForeFront TMG as Hyper-V guest connected to DMZ VLAN


I have a ForeFront TMG server configured as Hyper-V guest connected to a DMZ VLAN on switch.

The host has 2 nics, one connected to the internal network and another to the external network (DMZ) on the switch.  The TMG guest has access to both internal and external nics.  The external NIC shows as 'internet access' on the network settings.

I have the firewall NATed correctly, and the ports opened, but when I run a port checker I can't find open port 443 from outside on the IP.

I also cannot load the mobile Lync app and have it connect.

All the certs and DNS settings have been validated by a 3rd party.

Is there something the host computer is doing that may affect this configuration?  The host firewalls are off.  

TMG server 443 ports listening screen cap (below)

ISA 2006: Have problems getting bypass ISA "direct access" to work


There is an IP range outside of our LAN that we need users to be able to reach without going through ISA.

I have tried adding *.domain.com and domain.com to the "Domains" tab of the Internal network properties.

I have also gone to the Web Browser tab and checked all the bypass and "directly access" check boxes and added *.domain.com and domain.com and the ip range there.

Despite this, clients are still being routed through ISA. The way I can tell is that when I have the proxy disabled for the client, the client reaches the site with no issues. When I enable the proxy, there is an error that says:

Failed Connection Attempt PROXYSERVER*** 1/25/2013 10:07:03 AM 
Log type: Web Proxy (Forward) 
Status: 10061 No connection could be made because the target machine actively refused it.  
Rule: [Enterprise] Allow All Users Internet Access 
Source: Internal (xxxxxxxxxxxxxx) 
Destination: External (xxxxxxxxxxxxxx:80) 
Request: GET http://xxxxxxxxxxx.net/slash 
Filter information: Req ID: 0cbc7814; Compression: client=No, server=No, compress rate=0% decompress rate=0% 
Protocol: http 
User: anonymous 

So the receiving host sees the traffic coming from the proxy and actively blocks it when the proxy is enabled in the browser and lets it connect when the proxy setting is unchecked in the browser.

We have not required users to go through the proxy yet because we have to get these types of issues fixed first.

Is there another setting needed to "really" bypass the proxy?

exclude the URLs for the certificate revocation lists


TMG 2010 (latest updates dates back to Dec 22, 2012)

Win2k8 R2 SP1, 6GB RAM

I'm using VAMT 2.0 for our Office product activations, and when IE is configured to use a proxy, VAMT doesn't work. Only if I remove the use of a proxy server does VAMT work.

I saw the article "Windows activation fails", and method 2 says "to exclude the URLs for the certificate revocation lists (CRLs) from the requirement for Basic authentication".

How does one exclude a URL from Basic authentication? I can create firewall policies to exclude or allow certain sites, but "exclude from Basic authentication"?

unable to configure Gmail account in Windows Live Mail 2012


Hi,

I am trying to configure a Gmail account in Windows Live Mail 2012 behind TMG 2010. So far I couldn't make it work; I created the rule below with no luck:

name=GMail Protocols="GIMAPs,GSMTPs,DNS,Random-ports" from=internal to=external allusers 

GIMAPs = 993,995

GSMTPs = 465,587

Random-Ports = 49152-65535

When I configured it and tried to download the folders from Gmail, I got the error "connection to the server failed".

any help will be appreciated.


TMG 2010 - Prevent DNS Open Resolver towards external addresses that we don't host


We are getting a notice from our ISP that we could be a target for attacks due to an Open DNS Resolver because of our current configuration. It seems as if our DNS Server on the TMG 2010 Firewall is also resolving, or at least contributing to the process of resolving, incoming requests for names/addresses that are not defined in our Forward Lookup Zones. If I perform a DNS test on one of the multiple IP addresses facing the internet to resolve microsoft.com, our firewall responds to the client itself...

Does anyone know how we can prevent all external DNS requests for addresses other than those we have defined in our Forward Lookup Zones from being resolved on our Firewall?

Current config:

TMG 2010 is our external firewall, which has DNS Server installed. One internal NIC and one external NIC. The DNS has several Forward Lookup Zones that publish our own addresses and that resolve all incoming requests from any external clients towards the addresses and aliases in these FL Zones. Internal NIC has this config: own IP address, subnet mask, internal DNS servers (not the DNS Server installed on the TMG 2010). External NIC has this config: all own IP addresses, subnet mask, gateway (ISP), ISP's DNS Servers.

Firewall Policy: DNS Server, From: External (all), To: TMG internal NIC address (not the external NIC's IP addresses)

Our internal DNS Server on a DC is configured with the TMG internal NIC as Gateway, a 2nd DNS server as optional DNS server. This DNS Server hosts only internal Forward Lookup Zones for computers, servers and services.

I have tried to include all relevant information to this issue. If more is needed I will add this on request.

Thanks for any replies/tips on how to prevent our TMG 2010 from answering external DNS requests unless the request involves the Forward Lookup Zones we have configured.

//John


TMG Implementation in Multiple VLANs


Dear Tmg Support Team,

We are not able to implement the TMG server as a transparent proxy in multiple VLANs. What configuration should I give to the internal NIC as well as to the external NIC?

When we assign the default gateway 10.100.10.2 to the external NIC, the internet is not working (as we want the traffic to go out through the firewall).

TMG 2010 PPTP site to site VPN



Hi All,

I am going to connect a site-to-site VPN between two of my locations, main office to branch office. Here I have posted my whole scenario; please help me out. One more thing: both TMG servers have two NICs, one NIC is for the LAN and the other is connected to my DSL modem, but my modem is not in bridge mode.

"WAN NIC IPs are configured as the DMZ server in the DSL modem settings on both sites"

TMG1:
LAN IP: 172.16.0.0/16
WAN IP (Connected to DSL Modem): 192.168.1.2/24======>>192.168.1.1/24 (DSL LAN Port)

TMG2:
LAN IP: 10.0.0.1/8
WAN IP (Connected to DSL Modem): 192.168.2.2/24======>>192.168.2.1/24 (DSL LAN Port)

My live IPs are as under:
203.135.xx.xx
119.115.xx.xx


Please help me out: can I configure the site-to-site VPN with the same configuration, or do I need to configure my DSL modem in bridge mode?

[TMG 2010] Setting up VPN with static address pool and no DHCP


Hello,

I would like to enable VPN access to a small network. I've followed through the usual steps in TMG 2010 and can get a VPN connection from the outside. However, the internal network is in the IP range 172.0.x.x, but the VPN connection gives my machine an address in the 192.168.0.x range. I have set up a static address pool in TMG for 172.0.10.1 - 172.0.10.101. Another thing is that there is no DHCP server in this network and we do not wish to use one.

How do I correctly configure IP assignment?

Need help with routing issue on Forefront TMG


I need some help setting up Forefront TMG to allow access to other subnets.

Site 1 Subnet 192.168.100.1 to 192.168.100.254

Site 2 Subnet 10.0.1.1 to 10.0.0.254 and  10.0.1.1 to 10.0.1.254

MPLS connection between Site 1 and Site 2 with static routes for traffic to pass through each other's gateway.

We use Forefront TMG for VPN and to access the Internet from both sites. All Site 1 internet traffic passes through MPLS and out to Site 2 via a Forefront TMG server.

All computers in site 1 are able to connect to all shares and ping computers in Site 2.

All computers in Site 2 with a 10.0.0.1 to 10.0.0.254 IP are able to connect to all shares and ping computers in Site 1.

All computers in Site 2 with 10.0.1.1 to 10.0.1.254 IP are able to ping any IP in site 1 but are unable to browse folders using windows explorer or access any shares.

Any help in solving this issue is much appreciated.

Thanks in advance.

publishing an http site with https


I have an internal HTTP site which I am publishing through TMG. The listener uses SSL, so it's https://external.com publishing http://internal.com. Everything is working, except the IE address bar does not show that the connection is SSL encrypted. So I have https://external.com in the address bar, but there is no "Lock" icon next to it. Is that expected? Is the connection actually encrypted?

All Firewall Rules Ignored in TMG running as Hyper-V Client


Hello

I have installed a TMG server as a Hyper-V client on Server 2008 R2 and am planning to use it as an internal proxy initially and then redirect external traffic to go via the server instead of using the router to direct requests once I get it all working. The server only has a single network adapter meaning all traffic is treated as internal.

However none of my firewall rules are being detected when using the proxy and everything is dropping into either "Allow Web Access for All Users" or "Blocked Web Destinations".

I added an access rule to allow RDP to the server which has worked but it seems that any web publishing rules are just ignored whatever settings I set when using the web proxy.

I thought it might have been a bad installation so I wiped the server and started again only to end up with exactly the same problem.

As a test I am just trying to publish an IIS website which works over port 80 and currently has nothing on it so displays the IIS default welcome page. However this ends up in the blocked web destinations rule so is inaccessible.

I also tried to block all users to google.com but this too failed and google continued to load.

Is installing TMG as a Hyper-V client not supported or is it something to do with the configuration? My internal network is basically set to all IP ranges excluding the server's IP.

I have spent ages on this and am getting nowhere. I successfully published an ISA Server (on a physical server) about 2 years ago and seem to remember it just worked as I would expect.

I am assuming I have missed something obvious!

Thanks

Robin


Robin Wilson

Unable to Publish OWA with TMG - Blocked Web Destinations


Hello

I cannot seem to publish OWA with TMG 2010. The TMG server has a single network adapter for internal and external traffic. I may move the server between the internal and external networks once I have set it up correctly.

I have created a rule and a web listener for OWA and when I press to test the settings everything has a green tick in it so I believe the rule is correct.

However when I try to access the URL I get the standard "Internet Explorer Cannot Display the Webpage".

Having checked the log it seems to be missing the OWA rule and dropping into "Blocked Web Destinations" with a protocol of https-inspect. It does say the source network is External though which it is not. The internal range is set as 192.168.1.1 - 192.168.255.255.

If I turn off the Blocked Web Destinations rule it then drops into the next rule down which is to allow web access and OWA comes up with a basic authentication box.

I have set this up multiple times and even re-run the getting started wizard and setting everything again. OWA is the only rule I have tried so far as it is the main thing that needs to be published. All certificates are valid and the common name matches with the TMG certificate published to Active Directory.

The last time I set this up was with ISA 2006 and I got it all working then. I must have missed out a step somewhere but I can't work out where.

Does anyone have any suggestions of anything I could try?

Thanks

Robin


Robin Wilson

RDP - Server Publishing Rule problem


I have created a server publishing rule in TMG 2010 (version 7.0.8108.200) to allow remote desktop connections from outside of our domain to connect to a terminal server within our domain (using port 3389). The rule works perfectly for a while, but after a period of time (usually a few hours) these users complain that they cannot connect. The only way that I have found to get the rule to allow these connections again is to disable and then enable the rule. After enabling the rule, users are able to connect once more within about 1 to 2 minutes. Any suggestions would be appreciated.



Who can help me with this topic: Proxy (Microsoft TMG server)?

WebFilter TMG 2010


Good morning,

I would like someone to explain to me the traffic below, in which TMG denies the exit as anonymous and then allows it authenticated on port 80.

I've been researching and talking with several people, some linked to Microsoft, and the explanation I got was that it is a normal feature of the product.

Below is the sequence when entering the TechNet forum site: it looks for wpad, then tries port 8080 as anonymous, and only after that is the traffic allowed, authenticated, on port 80. You can see that it is the same page, and the TMG NIS does not apply; I thought it was a malware inspection scan.

What was explained to me is that this is a product feature; however, I still do not understand why.
There must be some logical explanation; it cannot simply be "this is a feature".

If anyone has more information tell me.

Allowed Connection
Log type: Web Proxy (Forward)
Status: 200 OK.
Source: Internal (192.168.0.126:50411)
Destination: 192.168.0.4:8080
Request: GET http://srv.registro.local/wpad.dat
Filter information: Req ID: 0d4a9c7e; Compression: client = No, server = No, compress rate = 0% decompress rate = 0%
Protocol: http
User: anonymous


Failed Connection Attempt
Log type: Web Proxy (Forward)
Status: 5 Access is denied.
Rule: Acesso_Internet
Source: Internal (192.168.0.126:50417)
Destination: External (192.168.0.4:8080)
Request: GET http://technet.microsoft.com/Areas/Sto/Content/Scripts/modernizr2.js
Filter information: Req ID: 0d4a9c92; Compression: client = No, server = No, compress rate = 0% decompress rate = 0%
Protocol: http
User: anonymous

Allowed Connection
Log type: Web Proxy (Forward)
Status: 0 The operation completed successfully.
Rule: Acesso_Internet
Source: Internal (192.168.0.126:50415)
Destination: External (192.168.0.4:80)
Request: GET http://technet.microsoft.com/Areas/Sto/Content/Scripts/modernizr2.js
Filter information: Req ID: 0d4a9c94; Compression: client = No, server = No, compress rate = 0% decompress rate = 0%
Protocol: http
User: Registry \ Luis

TMG 2010 keeps disconnecting a connection after 20 minutes.


Hi,

We use tmg to login into our CRM website.

When 20 minutes have passed, it disconnects the connection and asks the user to log back in again, even when the user is using the system.

As you can see from the screen below, I have not asked the system to disconnect after a maximum time. It should be active while the user is using the system.

Can someone please let me know what could be wrong?

Thank you in advance
