Channel: Forefront TMG and ISA Server forum

What is : 13 The data is invalid

In our sites we have a software program called Milestone; this program is for security cameras. When we try to make a connection with the cameras we get this error in our Forefront and the stream for the cameras doesn't open:

Failed Connection Attempt FOBE00990001 1/02/2013 11:22:44
Log type: Web Proxy (Forward)
Status: 13 The data is invalid. 
Source: Local Host (10.0.xx.200:10534)
Destination: 10.0.xx.30:80
Request: 
Filter information: Req ID: 0e28d85e 
User: anonymous
 Additional information
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 0 MIME type: 

I already disabled HTTP compression, malware inspection and web proxy, and I allowed all outbound traffic between the internal/external and external/internal networks. I also inspected the traffic with Wireshark and Network Monitor but can't see anything in it. I have been searching for 5 days and I can't find a solution, because this error doesn't tell me anything.

How can I solve this?


TMG Server 2010: When VPN Client Initiates Connection, PPP Dial-in Adapter affecting HTTP Proxy for LAN Users

I am in the process of migrating from ISA Server 2006 (running on W2K3 R2 SP2) to TMG 2010 SP2 (running on W2K8 R2 SP1). I am trying to do the VPN client access at this point. I was able to configure VPN for dial-up client access (actually connecting via broadband, but they still technically call it a dial-up adapter) and it seemed to be working fantastically! I was surprised it was all too easy. I decided to monitor various points in the internal network with PING tests to ensure connectivity was fine from my external connection to any resources in the LAN/WAN. My VPN client could access everything I tested with low latency and browse the Internet speedily. After an hour or so, I started getting support calls that the Internet was down and IE was not displaying an error, just a white screen. Sometimes, eventually, after very long delays a web site might load, or it might finally time out the browser, getting the browser's time-out error screen, not TMG's error screen. Testing for myself and watching the traffic for the IP address of a test workstation, which I was connecting to from an internal workstation via RDP, in the Logs & Monitoring section, I started seeing WSACONNECTIONTIMEOUT for the HTTP Proxy protocol, which was associated with the Allow Web Access for All Users rule. The very strange thing is that the destination IP was not the internal (LAN) IP address of the NIC in the TMG Server, but was the address of the PPP Dial-In Adapter invoked when the VPN client connection was made, which derived its IP address via DHCP. I then looked at the RRAS MMC console and noticed that the PPP RAS dial-in adapter was passing inbound and outbound traffic. The web proxy is configured via a WPAD DNS record and has been in use for some time now, and I verified it points to the FQDN of the internal static IP address of the TMG NIC. But for some reason it is exhibiting this erroneous behavior.

I looked at the ISA 2006 Server that is currently allowing VPN client sessions and, finding the equivalent location in the RRAS MMC console (they are slightly different between W2K8 R2 (x64) and W2K3 R2 (x86)), I see that the PPP Dial-in Adapter was not passing any data at all even though there were 7 clients connecting via VPN. I found that Rollup 1 for TMG 2010 SP2 is available as a hotfix but I am reluctant to apply it since it does not address this specific problem. Additionally, I noticed that if I supply the IP address of the internal NIC or the FQDN of the server explicitly to the browser, IE allows end users Internet access as fast as expected without delay. Any help would be appreciated.

TMG - problems pinging the TMG server from internal clients.

Hello,

I am new to TMG and just inherited the management of it. Currently our gateway of 10.0.0.10 is the TMG server. I gather that other clients on my network should be able to ping that address; however, those pings time out. Also, from the TMG server I am unable to ping outside networks such as www.google.com. The IP address resolves but the requests time out. We have no trouble accessing other sites on the web; we would just like to have the ping functionality for troubleshooting and testing purposes.

How do I publish an internal web site and require authentication to use that site?

Hi,

Here is what I'm trying to do. I have a site on my internal IIS 7.0 web server that I want to publish. I have no problem doing that, and have published a couple of sites with my TMG server with no issues. But for this new site I want to publish, I want to require users to enter an ID and password in order to be able to connect to the site. I have set up a user account on the web server, and in the IIS config for the site I turned off anonymous access and specified the local user account I created as having read access to the site. This all works great when I test the site internally. When I connect to the site I get prompted for the account information, and that's what I want.

But I'm running into problems when I try to publish the site using my TMG server. I'm guessing that the problem is related to the HTTP listener and the authentication options I'm using. I don't want to use AD to authenticate because I don't want to use a domain account for this login, but rather the local account I created on the web server. The problem is I can't seem to connect to the published site unless I create a domain account and give it read access on the IIS server where my site is. Also, I get two login prompts when I connect to the site using this configuration.

Any ideas about what I'm doing wrong?

Thanks,

Nick

error code : 504 proxy

Error code: 504 Proxy Timeout. The connection timed out (10060)

in ISA Server

:( :(


If you need any information, ask me.

ISA 2006 std. Error 403 forbidden (no further details)

Dear All,

I have recently installed ISA 2006 on Windows Server 2003 R2, Standard Edition. It is working with a single NIC. There is no external DNS on the NIC, only internal DNS, as this server is a member of the domain because I have some rules in ISA to allow certain domain users to certain websites while another group is not allowed.

The problem I am facing now is that whenever I try to access any website I get the error message 403 Forbidden, as you can see in the attached image. There are no further details about this error, nothing to diagnose. I recently installed this server; it worked fine for 2 days, and now this problem came.

The strange thing is when I switch myself to another proxy which is also ISA 2006 running in our office, I can access the websites.

Please guide me in the right direction on what to check for this. See the attached image.

Regards,

ISA Server 2006 Enterprise Repeated Password Prompts Web Proxy Clients

There are 2 ISA servers that are on the same subnet on the network so there will be redundancy if one crashes or needs to be rebooted. I tried accessing the Internet from a computer that was not joined to the domain and received an authentication prompt as expected, but instead of one prompt, there were 4 prompts: 2 password prompts for each ISA server.

There is a KB article about this issue, but it is from 2004 and the instructions on where the settings are do not apply:

http://support.microsoft.com/kb/822458

Microsoft ISA Server

If you use Microsoft Internet Security and Acceleration (ISA) Server, follow these steps to configure the downstream ISA Server-based server to pass credentials upstream:
  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Management.
  2. Expand Servers and Arrays, expand Your_Server_Name, expand Network Configuration, and then expand Routing.
  3. Right-click the routing rule that you want to configure, and then click Properties.
  4. Click the Action tab, click Routing them to a specified upstream server, and then click Settings.
  5. In the Server or array box, type the name or the IP address of the upstream server.
  6. In the Port box, type the port number that the upstream server uses to listen for Hypertext Transfer Protocol (HTTP) requests. Typically, this is port 8080.
  7. In the SSL Port box, type the port number that the upstream server uses to listen for Secure Sockets Layer (SSL) requests. Typically, this is port 8443.
  8. Click OK two times.


I tried following that, but the options are different now.

Is there something similar to fix this issue for ISA 2006?



ISA 2006 Redundancy Options with 2 ISA 2006 Enterprise Servers With 2 NICs Each?

I have several questions, but they are all intertwined with each other.

What are the workable options for redundancy when one server goes offline, when you have 2 servers with 2 NICs each in the edge firewall configuration?

I see an option under internal network properties that says "If ISA Server is unavailable, use this backup route to connect to the Internet:"

Direct Access

Alternative ISA Server.

So, does this mean that you have some redundancy against loss of Internet access during server reboots even if you do not enable NLB?

Should you have each ISA point to the other as the backup route or should you have the first point to the second and the second server's backup route be "Direct Access"?

Do you combine these backup route settings with NLB at the same time?

If the internal NIC is being used for intra-array communication, can you also use this NIC as the NIC that the virtual IP for NLB is coming from?

For instance, if the internal NIC is 192.168.1.6 and the external NIC is 192.168.55.6, can you have the virtual IP set to 192.168.1.120 and also load balance the Internal network?

I read that you cannot load balance the intra-array network, but I don't want to load balance the intra-array network. I want to load balance the Internal network, but I don't have enough NICs for everything to be on a different NIC.

When you enable NLB, do you use the VIP (192.168.1.120) as the IP address used in configuring browser settings or gateway addresses, instead of the internal IP address of the first ISA server?




XenApp not working through TMG 2010

Good day,

After installing a new Microsoft TMG Server 2010 firewall, the XenApp application couldn't connect, giving the following errors.

====================================================================================

Error#1: SSL Error 4: the proxy denied access to ; 10 ; STA00237D35D7AA ; 213E518DB75AA083405B7BD0E3CC9814 port 1494

=====================================================================================

Error#2: Unable to launch you application.contact your helpdesk with the following information: Cannot connect to the Citrix XenApp server.

SSL Error 4: the proxy denied access to ; 10 ; STA00237D35D7AA ; C2FC9547C8B26FB0E61F6B096D30B4B0 port 1494

=============================================================================

When entering the credentials it opens the "Launching..." window and it keeps hanging.

Note that on the TMG server the TCP port 1494 (ICA) is allowed for the specified servers, in addition to the HTTPS and ICA Session/Session Reliability protocols being enabled.

Could you assist in solving this issue?

Regards

Elias Dayeh

ISA 2006 SSO to Remote Desktop Web portal

Hi,

I'm trying to configure ISA Server SSO to the Remote Desktop Services Web Portal.

The requirement is as follows:

- The user is given a smartcard with a certificate.

- The user must authenticate to the ISA Web Listener via smartcard.

- ISA should SSO the user to the Remote Desktop Web Portal.

At the moment we have the following:

- The user accesses the Internet-facing ISA server's listener for the RDWeb portal.

- The user is prompted for a certificate to authenticate.

- The user is authenticated.

- The user then gets an error "401-Unauthorized. Access is denied due to invalid Credentials" (I think from RDWeb).

Thanks

vPointHD (video conferencing)

Hiya,

We've just had a guy in from a reseller to demo vPointHD for us. He emailed the necessary ports to be allowed through before his arrival so I got these pre-configured.

For completeness' sake, we used his iPad running a Polycom client for testing purposes.

Basically it would not work unless we allowed both the vPointHD and Polycom protocols both inbound and outbound.

So on this premise, every time we wanted to engage in a video conference call with someone, we would have to ask what system they use and then configure TMG to suit.

He is under the impression that only TCP port 1720 is required to initiate the call, along with 5004-6004 TCP/UDP for control and voice/video. The handshaking then works out what ports each system uses and allows them through automatically. He also said it's the first time he's come across this problem, and funnily enough the first time he has even heard of ISA/TMG.

So what is TMG doing to stop this from mutually working without having each manufacturer's port ranges manually configured, and how do I fix it?

Enabling the H.323 application filter made no difference. In the firewall log I can see this pattern on inbound calls:

1720 TCP Initiated connected
1720 TCP Closed connection (straight away)
1720 TCP Denied connection

All from the same source/destination IP:

iPad 3G IP: x.x.x.x:32xx (with 32xx being Polycom's port range)
Internal IP: x.x.x.x:1720 (which is allowed)

I have one rule for outbound and a separate non-WP rule for inbound.

TMG 2010 NIS update failed to install, it is giving Fatal Error

Hi,

I am running Forefront TMG 2010 and the NIS update failed to install; it is showing Fatal Error under the Monitoring tab. I presume that due to the NIS update failure some of my client PCs in the LAN are not able to ping "Forefront TMG 2010 (Ver-7.0.9193.500)", which is acting as the gateway of my LAN.

I tried to download the NIS update manually from the update center and tried to install it, but it failed.

The log which I got from the ISA_Updatelog folder is below.

2/4/2013 11:12:44 AM INFO    Going to search Microsoft Update via proxy: localhost:8080
2/4/2013 11:12:44 AM INFO    Network Inspection System updates will be searched...
2/4/2013 11:12:44 AM INFO    Network Inspection System updates will be re-installed as requested.
2/4/2013 11:12:44 AM INFO    Proxy: localhost:8080
2/4/2013 11:12:44 AM INFO    Searching for updates, source = Microsoft Update Direct, criteria=(IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains 'ae4483f4-f3ce-4956-ae80-93c18d8886a6' and CategoryIDs contains 'e0789628-ce08-4437-be74-2495b842f43b'), attempt=1
2/4/2013 11:12:55 AM INFO    Search completed with 0 warnings
2/4/2013 11:12:55 AM INFO    Search completed successfuly
2/4/2013 11:12:55 AM INFO    Found update: Definition Update for Microsoft Forefront Threat Management Gateway (Network Inspection System 4.32)
2/4/2013 11:12:55 AM INFO    Found update: Definition Update for Microsoft Forefront Threat Management Gateway (Network Inspection System 17.36.0.0)
2/4/2013 11:12:55 AM INFO    Found 2 Network Inspection System updates
2/4/2013 11:12:55 AM INFO    Downloading Network Inspection System updates...
2/4/2013 11:12:56 AM INFO    Download progress 0
2/4/2013 11:13:06 AM INFO    Download progress 0
2/4/2013 11:13:10 AM INFO    Download progress 4
2/4/2013 11:13:11 AM INFO    Download progress 5
2/4/2013 11:13:12 AM INFO    Download progress 7
2/4/2013 11:13:12 AM INFO    Download progress 7
2/4/2013 11:13:13 AM INFO    Download progress 8
2/4/2013 11:13:14 AM INFO    Download progress 8
2/4/2013 11:13:15 AM INFO    Download progress 9
2/4/2013 11:13:15 AM INFO    Download progress 10
2/4/2013 11:13:16 AM INFO    Download progress 10
2/4/2013 11:13:17 AM INFO    Download progress 11
2/4/2013 11:13:18 AM INFO    Download progress 12
2/4/2013 11:13:19 AM INFO    Download progress 12
2/4/2013 11:13:20 AM INFO    Download progress 12
2/4/2013 11:13:21 AM INFO    Download progress 13
2/4/2013 11:13:22 AM INFO    Download progress 14
2/4/2013 11:13:22 AM INFO    Download progress 14
2/4/2013 11:13:23 AM INFO    Download progress 14
2/4/2013 11:13:23 AM INFO    Download progress 15
2/4/2013 11:13:24 AM INFO    Download progress 16
2/4/2013 11:13:25 AM INFO    Download progress 17
2/4/2013 11:13:26 AM INFO    Download progress 18
2/4/2013 11:13:27 AM INFO    Download progress 18
2/4/2013 11:13:29 AM INFO    Download progress 19
2/4/2013 11:13:30 AM INFO    Download progress 20
2/4/2013 11:13:31 AM INFO    Download progress 20
2/4/2013 11:13:32 AM INFO    Download progress 20
2/4/2013 11:13:33 AM INFO    Download progress 21
2/4/2013 11:13:34 AM INFO    Download progress 21
2/4/2013 11:13:35 AM INFO    Download progress 22
2/4/2013 11:13:36 AM INFO    Download progress 22
2/4/2013 11:13:38 AM INFO    Download progress 23
2/4/2013 11:13:39 AM INFO    Download progress 24
2/4/2013 11:13:40 AM INFO    Download progress 24
2/4/2013 11:13:41 AM INFO    Download progress 24
2/4/2013 11:13:44 AM INFO    Download progress 25
2/4/2013 11:13:45 AM INFO    Download progress 25
2/4/2013 11:13:46 AM INFO    Download progress 25
2/4/2013 11:13:47 AM INFO    Download progress 26
2/4/2013 11:13:47 AM INFO    Download progress 26
2/4/2013 11:13:48 AM INFO    Download progress 26
2/4/2013 11:13:49 AM INFO    Download progress 27
2/4/2013 11:13:51 AM INFO    Download progress 27
2/4/2013 11:13:51 AM INFO    Download progress 27
2/4/2013 11:13:53 AM INFO    Download progress 28
2/4/2013 11:13:54 AM INFO    Download progress 28
2/4/2013 11:13:55 AM INFO    Download progress 29
2/4/2013 11:13:56 AM INFO    Download progress 29
2/4/2013 11:13:57 AM INFO    Download progress 30
2/4/2013 11:13:58 AM INFO    Download progress 30
2/4/2013 11:13:59 AM INFO    Download progress 31
2/4/2013 11:14:00 AM INFO    Download progress 31
2/4/2013 11:14:01 AM INFO    Download progress 32
2/4/2013 11:14:01 AM INFO    Download progress 33
2/4/2013 11:14:02 AM INFO    Download progress 33
2/4/2013 11:14:02 AM INFO    Download progress 34
2/4/2013 11:14:03 AM INFO    Download progress 34
2/4/2013 11:14:04 AM INFO    Download progress 35
2/4/2013 11:14:05 AM INFO    Download progress 35
2/4/2013 11:14:06 AM INFO    Download progress 36
2/4/2013 11:14:06 AM INFO    Download progress 37
2/4/2013 11:14:07 AM INFO    Download progress 37
2/4/2013 11:14:08 AM INFO    Download progress 37
2/4/2013 11:14:09 AM INFO    Download progress 38
2/4/2013 11:14:10 AM INFO    Download progress 38
2/4/2013 11:14:11 AM INFO    Download progress 39
2/4/2013 11:14:12 AM INFO    Download progress 39
2/4/2013 11:14:13 AM INFO    Download progress 39
2/4/2013 11:14:14 AM INFO    Download progress 40
2/4/2013 11:14:15 AM INFO    Download progress 41
2/4/2013 11:14:16 AM INFO    Download progress 41
2/4/2013 11:14:17 AM INFO    Download progress 42
2/4/2013 11:14:18 AM INFO    Download progress 42
2/4/2013 11:14:18 AM INFO    Download progress 43
2/4/2013 11:14:19 AM INFO    Download progress 44
2/4/2013 11:14:19 AM INFO    Download progress 45
2/4/2013 11:14:20 AM INFO    Download progress 45
2/4/2013 11:14:21 AM INFO    Download progress 46
2/4/2013 11:14:21 AM INFO    Download progress 47
2/4/2013 11:14:21 AM INFO    Download progress 48
2/4/2013 11:14:22 AM INFO    Download progress 48
2/4/2013 11:14:22 AM INFO    Download progress 48
2/4/2013 11:14:23 AM INFO    Download progress 48
2/4/2013 11:14:27 AM INFO    Download progress 52
2/4/2013 11:14:28 AM INFO    Download progress 53
2/4/2013 11:14:29 AM INFO    Download progress 54
2/4/2013 11:14:29 AM INFO    Download progress 54
2/4/2013 11:14:30 AM INFO    Download progress 55
2/4/2013 11:14:31 AM INFO    Download progress 57
2/4/2013 11:14:31 AM INFO    Download progress 58
2/4/2013 11:14:32 AM INFO    Download progress 59
2/4/2013 11:14:34 AM INFO    Download progress 60
2/4/2013 11:14:35 AM INFO    Download progress 61
2/4/2013 11:14:36 AM INFO    Download progress 61
2/4/2013 11:14:37 AM INFO    Download progress 62
2/4/2013 11:14:38 AM INFO    Download progress 62
2/4/2013 11:14:39 AM INFO    Download progress 63
2/4/2013 11:14:40 AM INFO    Download progress 63
2/4/2013 11:14:40 AM INFO    Download progress 64
2/4/2013 11:14:41 AM INFO    Download progress 64
2/4/2013 11:14:42 AM INFO    Download progress 65
2/4/2013 11:14:42 AM INFO    Download progress 65
2/4/2013 11:14:43 AM INFO    Download progress 66
2/4/2013 11:14:44 AM INFO    Download progress 66
2/4/2013 11:14:45 AM INFO    Download progress 67
2/4/2013 11:14:46 AM INFO    Download progress 67
2/4/2013 11:14:47 AM INFO    Download progress 68
2/4/2013 11:14:47 AM INFO    Download progress 69
2/4/2013 11:14:48 AM INFO    Download progress 69
2/4/2013 11:14:49 AM INFO    Download progress 69
2/4/2013 11:14:50 AM INFO    Download progress 70
2/4/2013 11:14:52 AM INFO    Download progress 70
2/4/2013 11:14:53 AM INFO    Download progress 70
2/4/2013 11:14:54 AM INFO    Download progress 71
2/4/2013 11:14:55 AM INFO    Download progress 71
2/4/2013 11:14:56 AM INFO    Download progress 72
2/4/2013 11:14:57 AM INFO    Download progress 73
2/4/2013 11:14:57 AM INFO    Download progress 73
2/4/2013 11:14:58 AM INFO    Download progress 74
2/4/2013 11:14:58 AM INFO    Download progress 74
2/4/2013 11:14:59 AM INFO    Download progress 75
2/4/2013 11:15:00 AM INFO    Download progress 76
2/4/2013 11:15:00 AM INFO    Download progress 76
2/4/2013 11:15:01 AM INFO    Download progress 77
2/4/2013 11:15:02 AM INFO    Download progress 78
2/4/2013 11:15:02 AM INFO    Download progress 79
2/4/2013 11:15:03 AM INFO    Download progress 80
2/4/2013 11:15:04 AM INFO    Download progress 81
2/4/2013 11:15:05 AM INFO    Download progress 81
2/4/2013 11:15:05 AM INFO    Download progress 82
2/4/2013 11:15:06 AM INFO    Download progress 82
2/4/2013 11:15:07 AM INFO    Download progress 83
2/4/2013 11:15:08 AM INFO    Download progress 85
2/4/2013 11:15:09 AM INFO    Download progress 86
2/4/2013 11:15:09 AM INFO    Download progress 87
2/4/2013 11:15:10 AM INFO    Download progress 88
2/4/2013 11:15:11 AM INFO    Download progress 89
2/4/2013 11:15:12 AM INFO    Download progress 90
2/4/2013 11:15:13 AM INFO    Download progress 91
2/4/2013 11:15:14 AM INFO    Download progress 91
2/4/2013 11:15:16 AM INFO    Download progress 91
2/4/2013 11:15:17 AM INFO    Download progress 92
2/4/2013 11:15:18 AM INFO    Download progress 93
2/4/2013 11:15:18 AM INFO    Download progress 93
2/4/2013 11:15:19 AM INFO    Download progress 94
2/4/2013 11:15:20 AM INFO    Download progress 94
2/4/2013 11:15:20 AM INFO    Download progress 95
2/4/2013 11:15:21 AM INFO    Download progress 95
2/4/2013 11:15:21 AM INFO    Download progress 96
2/4/2013 11:15:22 AM INFO    Download progress 97
2/4/2013 11:15:23 AM INFO    Download progress 98
2/4/2013 11:15:24 AM INFO    Download progress 100
2/4/2013 11:15:25 AM INFO    Download progress 100
2/4/2013 11:15:25 AM INFO    Download succeeded with no error
2/4/2013 11:15:25 AM INFO    Installing Network Inspection System updates...
2/4/2013 11:15:25 AM INFO    Installation progress 0
2/4/2013 11:15:25 AM INFO    Installation progress 0
2/4/2013 11:15:27 AM INFO    Installation progress 50
2/4/2013 11:15:28 AM INFO    Installation progress 50
2/4/2013 11:15:28 AM INFO    Installation progress 50
2/4/2013 11:15:41 AM INFO    Installation progress 100
2/4/2013 11:15:41 AM INFO    Installation progress 100
2/4/2013 11:15:41 AM ERROR   Installation succeeded with error, hr = 0x  240003
2/4/2013 11:15:41 AM INFO    Process installed update, index=0
2/4/2013 11:15:41 AM ERROR   Failed to install Definition Update for Microsoft Forefront Threat Management Gateway (Network Inspection System 4.32) update, hr = 0x80070643
2/4/2013 11:15:41 AM INFO    Process installed update, index=1
2/4/2013 11:15:41 AM INFO    Successfuly installed Definition Update for Microsoft Forefront Threat Management Gateway (Network Inspection System 17.36.0.0) update

Two primary error codes are reflected here: "hr = 0x80070643" and "hr = 0x  240003".

Please help with this problem, as some of the client PCs in the LAN are not able to reach the gateway (Forefront TMG 2010).


Regards, Kumar Lokesh Singh, Assistant Manager Systems, Larsen & Toubro Ltd.-ECC Division.
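As an added example (not part of the post above), a small Python helper that pulls the ERROR lines out of an ISA_Updatelog excerpt and decodes the hr values by HRESULT layout: bit 31 marks failure, and facility 7 (FACILITY_WIN32) wraps a Win32 error code, so 0x80070643 carries Win32 error 1603 (ERROR_INSTALL_FAILURE), while 0x240003 has the failure bit clear, which matches the "succeeded with error" wording. The Status: 13 field in the Web Proxy log entry earlier on this page is a bare Win32 code (ERROR_INVALID_DATA) and is looked up the same way; the sample lines are copied from the posts, and only those two code names are included.

```python
"""Decode the error codes that TMG/ISA write into their logs."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the ERROR lines from the ISA_Updatelog excerpt quoted in the
# post, plus one INFO line so the filter has something to skip.
SAMPLE_UPDATELOG = """\
2/4/2013 11:15:41 AM INFO    Installation progress 100
2/4/2013 11:15:41 AM ERROR   Installation succeeded with error, hr = 0x  240003
2/4/2013 11:15:41 AM INFO    Process installed update, index=0
2/4/2013 11:15:41 AM ERROR   Failed to install Definition Update for Microsoft Forefront Threat Management Gateway (Network Inspection System 4.32) update, hr = 0x80070643
"""

FACILITY_WIN32 = 7  # HRESULT facility used when wrapping a Win32 error code

# winerror.h names for the two Win32 codes that appear on this page.
WIN32_NAMES = {
    13: "ERROR_INVALID_DATA",
    1603: "ERROR_INSTALL_FAILURE",
}

# The log writes "hr = 0x  240003" with stray spaces after 0x; tolerate them.
HR_RE = re.compile(r"hr\s*=\s*0x\s*([0-9A-Fa-f]+)")
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ [AP]M)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")
# Web Proxy log field, e.g. "Status: 13 The data is invalid."
STATUS_RE = re.compile(r"Status:\s*(\d+)\s*(.*)")


@dataclass
class Hresult:
    value: int
    failed: bool               # bit 31 (severity) set
    facility: int              # bits 16-26
    code: int                  # bits 0-15
    win32_name: Optional[str]  # only for FACILITY_WIN32 codes we know


def decode_hresult(value: int) -> Hresult:
    """Split a 32-bit HRESULT into severity, facility and code fields."""
    value &= 0xFFFFFFFF
    failed = bool(value >> 31)
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    name = WIN32_NAMES.get(code) if facility == FACILITY_WIN32 else None
    return Hresult(value, failed, facility, code, name)


@dataclass
class LogError:
    timestamp: str
    message: str
    hresult: Optional[Hresult]


def parse_update_log(text: str) -> List[LogError]:
    """Return every ERROR line of an ISA_Updatelog with its hr decoded."""
    errors = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("level") != "ERROR":
            continue
        hr = HR_RE.search(m.group("msg"))
        decoded = decode_hresult(int(hr.group(1), 16)) if hr else None
        errors.append(LogError(m.group("ts"), m.group("msg"), decoded))
    return errors


def parse_status_line(line: str) -> Optional[Tuple[int, Optional[str]]]:
    """Decode the numeric Status field of a TMG Web Proxy log entry."""
    m = STATUS_RE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    return code, WIN32_NAMES.get(code)


def describe(err: LogError) -> str:
    """One-line summary suitable for a troubleshooting note."""
    if err.hresult is None:
        return f"{err.timestamp}: {err.message} (no hr value)"
    h = err.hresult
    state = "FAILURE" if h.failed else "success-with-info"
    name = f" {h.win32_name}" if h.win32_name else ""
    return (f"{err.timestamp}: hr=0x{h.value:08X} {state}, "
            f"facility={h.facility}, code={h.code}{name}")


if __name__ == "__main__":
    for e in parse_update_log(SAMPLE_UPDATELOG):
        print(describe(e))
    print(parse_status_line("Status: 13 The data is invalid."))
```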

Prevent all Website except my corporate website in TMG

Hi

I want to prevent all websites except our company website. Actually, I made a URL Set which included my company website, and after that I set a Firewall Policy to deny the IP access to External except for the URL Set, but it does not work. Sometimes this IP has access to all of External and sometimes it does not have access to External! In this situation my exception did not work!

Regards

Vahid Aghakhani

TMG Implementation in Multiple VLANs

Dear TMG Support Team,

We are not able to implement the TMG server as a transparent proxy in multiple VLANs. What configuration should I give to the internal NIC as well as the external NIC?

When we assign the default gateway 10.100.10.2 to the external NIC, the Internet is not working (as we want the traffic to go out through the firewall).

TMG 2010 policies not work

Good day,

I am using TMG 2010. I created the following allow firewall policies:

1 - All outbound traffic from Internal, mail only, for the Designing department

2 - All outbound traffic from Internal to specific websites, for HR users

3 - All outbound traffic from Internal to External, for Engineering, Finance etc.

When I try to connect to the Internet using a client computer, I find there is no Internet access. When I disable policies 1 and 2 and allow the 3rd policy for all users, the Internet works fine. Can you please help to solve the issue, and please tell me how I allow Dropbox behind TMG 2010?

Regards,

Imtiaz Latif


New TMG install problem

Hi All

I am new to TMG 2010. After installing TMG 2010, I found out that TMG 2010 cannot be pinged from other computers in the internal network; is there anything I need to configure? Also, during the TMG configuration stages I went with the default for every option, and when it asked whether it should configure a basic access rule for me, I chose no. Afterwards I pointed all the client PCs to the proxy server (the TMG 2010), and all the client PCs cannot access the Internet; is there anything I missed?

keith

Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL)

Good day

I'm busy trying to test that our TMG is able to take HTTPS requests for OWA on its external IP before getting our network guys to configure the firewall to send external requests for OWA through it from its external IP. The TMG is currently configured as a back firewall. I have configured a rule that sends requests to our CAS array. If I send a request directly to the CAS array, e.g. https://*.*.*.*/owa/, I get the web app logon screen. If I try to do it through the TMG I get the message below. I'm not sure what I'm doing wrong. Your help would be greatly appreciated.

The page cannot be displayed

Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

Try the following:

  • Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
  • Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
  • Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.

Technical Information (for support personnel)

  • Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

This is from the TMG live log

Denied Connection ********* 11/17/2012 2:00:30 PM 
Log type: Web Proxy (Reverse) 
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).  
Rule: Default rule 
Source: Perimeter (192.168.1**.*:26285) 
Destination: Local Host (192.168.1**.*:443) 
Request: GET http://192.168.*1.*/owa/ 
Filter information: Req ID: 0a08bc45; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes 
Protocol: https 
User: anonymous 
 Additional information 
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 MIME type:  
 

TMG and L2TP/IPSec - revoked computer certificate, clients can still connect

I have trouble configuring an IPSec/L2TP VPN connection.

The network topology is as follows:

I have an AD domain; my DC is also configured as an NPS server, but I do not use NAP functionality. On another machine I installed a TMG server. The server is equipped with two NICs, one to connect to the ISP and a second to my internal network; TMG is a domain member. I enabled and configured VPN client access on my TMG, enabling only the L2TP/IPSec protocol, and configured TMG to use my DC as the RADIUS server for authentication. In this AD domain I have PKI deployed.

Now, using the PKI/CA, I issued a computer certificate for an external (not domain member) computer from my CA, imported this certificate into the "Personal" local computer certificate store, and also imported my CA's root certificate into the "Trusted Root" local computer certificate store.

I configured the client with a new VPN connection, set to use only L2TP/IPSec; in the authentication section I chose "EAP", and in properties I chose "Secured password (EAP-MSCHAP v2)". Corresponding policies are created on my NPS server.

All works fine! I can connect to my VPN server, authenticate, and access internal resources.

Now I revoke the issued computer certificate on my CA. To my surprise, this does not prevent a user from connecting to the VPN from this computer (with the revoked computer certificate). I tried generating a delta and full CRL and clearing the CRL cache on my DC, but with no success.

Please help me with this. I want that, when I revoke a computer certificate, this action prevents users from connecting to the VPN from this "untrusted" computer.

The Forefront Threat Management Gateway Firewall service (Wspsrv.exe) consuming high CPU and memory resources

We have Forefront TMG 2010 with SP2 installed in our network. Suddenly, wspsrv.exe started consuming all CPU and memory, and we have to stop and restart the Firewall service to clear it out; sure enough, the RAM and CPU will max out again, rendering the server dead. I have no idea why the proxy is chewing up so much RAM and CPU. No changes had been made to it prior to this.

I would appreciate it if anyone could help me sort it out.

Best Regards,

RDS 2012 Gateway Farm (NLB) kerberos constrained delegation error with TMG

Hi,

I have an RDS Gateway with Web Access role farm with NLB.

The Web Access NLB is working perfectly internally, but when I publish them with TMG, I'm getting a problem.

I'm not able to authenticate on the gateway server.

When I use one of the RDS Gateway servers' server name as the SPN in TMG, then the Kerberos constrained delegation works.

But when I use a generic name like rds.domain.com, the Kerberos constrained delegation does not work.

I have added the rds.domain.com SPN to my RDS Gateway servers, and added them to my TMG servers...

I'm out of ideas.

Does anyone have the same setup, and working?
