Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

TMG Server can not generate Report


Dear All,

I have 2 TMG servers, TMG05 and TMG06. I installed the Enterprise edition and configured TMG05 as the array master and reporting server, and TMG06 as an array member. Both are also configured for NLB.

I already configured a daily report using the SQL Reporting Services that is installed with Forefront. It has been working for the past 6 months, but last week it stopped working. None of the scheduled reports (daily and weekly) are generated, and I tried to create a one-time report too; it is not generated either. The error I get is:

Error: 0xc0040432

The report testdaily could not be generated. Report Server error information: The operation has timed out.

The error occurred on object 'Reports' of class 'Reports Configuration' in the scope of array 'TMG06'

Please help me understand this error and tell me how to fix it.


Publish website /index.aspx


Hello,

We have a TMG 2010 that we use to publish OWA/ActiveSync and an intranet. Now we want to publish another website, but I can't get it to work.

The problem with the site is that internally you need to type /index.aspx to access it, but I can't figure out how to make TMG do this.

For example:

externally, www.xyw.com should go to http://xyw/index.aspx

Tried different paths but none work. Googled like a madman but no joy.

Martin

Firewall rules in Forefront TMG 2010 for Nagios


I have a server that runs Forefront TMG 2010.  We use a monitoring service called Nagios.  I am having trouble setting up a proper firewall rule to allow this service to monitor the server.  Can someone please help me figure out what rule I need to create and where it needs to be on the list?

Thank you!

-Ryan

WP8 device in TMG log


Could my Lumia 920 showing up in the TMG logs like this

instead of like this

cause an issue with Exchange ActiveSync?

I only ask here because our EAS policy is correct and working fine, I just get prompted occasionally that my domain password is incorrect. Entering the password allows it to sync but backing out of the prompt and manually pressing the sync button allows it to sync as well.

Server is 2008 R2 SP1, Exchange 2010 with update rollup 7. TMG version 7.09193.540.

ISA 2006 Interfering With Securenat Internal LAN Traffic


I have set up ISA 2006 to proxy and log traffic going to the Internet, but it is blocking some internal traffic.

We do not want it to block anything at this stage in the deployment and especially not any traffic between workstations and servers on the LAN.

As a test I set up one server as a Securenat client with the gateway IP set as the IP to the VIP for the 2 load balanced ISA servers.

When I opened the monitoring, I immediately saw lots of denied traffic on dozens of different ports being blocked between the server (this is an antivirus management server that talks to every workstation and server on the domain) and the workstations, with an "Unidentified IP Traffic" Denied Connection message. They are on different subnets, but both subnets are included in the Internal network.

There are too many ports to make rules to specify all these ports in an Allow rule.  I don't understand why I should need to create a specified allow rule for internal LAN traffic at all.  I created a rule that allows all users all protocols from All Protected Networks to All Protected Networks as well as the IP range and it has not helped.

Of course, the local domain is included in "Specify the domain names that belong to this network", and the "Bypass proxy for Web servers on this network" and "Directly access computers specified in the Domains tab and Addresses tab" boxes are checked.

What needs to be done to make sure only traffic headed to the Internet is routed through ISA filtering?

How to Use Both Autoconfiguration Auto Discovery and Round Robin ISA in DNS For Firewall Clients and Web Proxy Clients?


I need the Web Proxy Clients to autodiscover the VIP of the 2 ISA servers and I need the web proxy clients to automatically use Round Robin.

If you have 2 ISA servers called ISA1 and ISA2, do you just add a second DNS entry for ISA1 pointed to the IP address of ISA2, or do you create a new fake host name with both ISA1's and ISA2's IP addresses?

When you are using automatic configuration Autodiscovery of firewall clients and are also using Round Robin, what do you put as the "ISA Server Name or IP Address" in Firewall Client Properties?



Failed update: "Security Update for Microsoft Office 2003 Web Components used in ISA Server 2004 SP3 Standard Edition Reporting"


I'm running Windows 2003 SBS and the following automatic update always fails:

"Security Update for Microsoft Office 2003 Web Components used in ISA Server 2004 SP3 Standard Edition Reporting"

How can I install this properly?

We publishing rule - which ports should be opened for internal communication?


Hi,

I'm in the middle of a deployment process from Lync 2010 to Lync 2013. The two systems coexist for now until all users have been moved to the new deployment.

What I would like to know is: I have created a new Web Publishing rule in TMG following the steps below from TechNet:

To create a web publishing rule for port 80

  1. Click Start, point to Programs, point to Microsoft Forefront TMG, and then click Forefront TMG Management.
  2. Under ServerName, right-click Firewall Policy, point to New, and then click Web Site Publishing Rule.
  3. On the Welcome to the New Web Publishing Rule page, type a display name for the new publishing rule (for example, Lync Autodiscover (HTTP)).
  4. On the Select Rule Action page, select Allow.
  5. On the Publishing Type page, select Publish a single Web site or load balancer.
  6. On the Server Connection page, select Use non-secured connections to connect to the published Web server or server farm.
  7. On the Internal Publishing Details page, in Internal Site name, type the internal Web Services FQDN for your Front End pool (for example, lyncpool01.contoso.local).
  8. On the Internal Publishing Details page, in Path (optional), type /* as the path of the folder to be published, and then select Forward the original host header instead of the one specified in the Internal site name field.
  9. On the Public Name Details page, do the following:
    • Under Accept Requests for, select This domain name.
    • In Public Name, type lyncdiscover.<sipdomain> (the external Autodiscover Service URL).
    • In Path, type /*.

10.  On the Select Web Listener page, in Web Listener, select a Web Listener or use the New Web Listener Definition Wizard to create a new one.

11.  On the Authentication Delegation page, select No delegation, and client cannot authenticate directly.

12.  On the User Set page, select All Users.

13.  On the Completing the New Web Publishing Rule Wizard page, verify that the web publishing rule settings are correct, and then click Finish.

14.  In the Forefront TMG list of web publishing rules, double-click the new rule you just added to open Properties.

15.  On the Bridging tab, configure the following:

  • Select Web server.
  • Select Redirect requests to HTTP port, and type 8080 for the port number.
  • Verify that Redirect requests to SSL port is not selected.

16.  Click OK.

17.  Click Apply in the details pane to save the changes and update the configuration.

18.  Click Test Rule to verify that your new rule is set up correctly.

19.  Verify that the external Autodiscover Service URL is not defined on any other web publishing rule.

After having completed these steps, I am trying to test the rule and it fails with the following message:

Time reported by the Microsoft Forefront TMG Firewall Service: 62.998 seconds
Testing http://lyncdiscover.MySipDomain:8080/
Category: Connectivity error
Error details: 10060 - A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965

Any ideas what could be wrong? Can you tell me which ports I need to open between TMG and the internal server?
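The 10060 in the test result is a plain TCP connect timeout from TMG to the published server, and it can be reproduced without the wizard. The following PowerShell check is an added example, not part of the original post or of the TechNet steps it quotes. It is meant to be run on the TMG member itself, because TMG resolves the Internal site name with the server's own DNS settings and connects from its internal interface, so a probe from a workstation does not show what Test Rule sees. The backend FQDN and the port list are assumptions (8080 and 4443 are the usual Lync external web services ports; substitute the rule's real values).

```powershell
# Added example, not from the original post or the TechNet article it quotes.
# Run on the TMG server. Assumed values: the backend FQDN and the port list.
$backend = 'lyncpool01.contoso.local'   # assumed: the Internal site name used in the rule
$ports   = @(8080, 4443)                # assumed: Lync web services HTTP/HTTPS ports behind the rule

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 10000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No SYN/ACK within the deadline: the same symptom Test Rule reports as 10060.
            return New-Object PSObject -Property @{ Target = $Target; Port = $Port; Open = $false; Detail = "timeout after $TimeoutMs ms" }
        }
        $client.EndConnect($ar)
        return New-Object PSObject -Property @{ Target = $Target; Port = $Port; Open = $true; Detail = 'connected' }
    } catch {
        # An RST (nothing listening) or a route/name error lands here instead of timing out.
        return New-Object PSObject -Property @{ Target = $Target; Port = $Port; Open = $false; Detail = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

# 1. Resolve the backend the way TMG does (this machine's DNS), keeping every IPv4 address:
#    a pool name may return several members and only one of them may be dead.
try {
    $addresses = @([System.Net.Dns]::GetHostAddresses($backend) | Where-Object { $_.AddressFamily -eq 'InterNetwork' })
} catch {
    throw "DNS lookup of $backend failed on this host: $($_.Exception.Message)"
}
if ($addresses.Count -eq 0) { throw "DNS returned no IPv4 address for $backend" }
"Resolved {0} -> {1}" -f $backend, (($addresses | ForEach-Object { $_.IPAddressToString }) -join ', ')

# 2. Probe each address on each port and report open / refused / timed out separately.
foreach ($ip in $addresses) {
    foreach ($p in $ports) {
        $r = Test-TcpPort -Target $ip.IPAddressToString -Port $p
        "{0,-16} tcp/{1,-5} {2,-6} {3}" -f $r.Target, $r.Port, $(if ($r.Open) { 'open' } else { 'CLOSED' }), $r.Detail
    }
}
```

Read the Detail column, not just open/closed: a timeout means the SYN is being dropped between TMG and the pool (a host firewall on the Front End, or the route TMG uses to reach that subnet), an immediate refusal means the host is reachable but nothing listens on that port, and a clean connect means the TCP path is fine and the rule itself (for example the host header forwarded to the pool) is the next thing to look at.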



Rule Access IP Camera

Morning, I have a problem with a rule in Forefront TMG 2010. I need to see IP cameras over my local LAN and over the Internet. When I try to see my cameras over the Internet I don't have any problem, but when I try to see my cameras on my local LAN I have a lot of problems, because I need to publish in H.264 video format. I don't know what the specific rule is to solve this issue; my cameras work with these protocols: RTP over RTSP over HTTP. Please help me with this, I don't know how I can publish my cameras on my local LAN.

OWA, TMG and Certificates


Hi Guys,

Recently our ISA 2006 on a W2k3 server died and needed to be rebuilt for use with our websites, including OWA. We decided to upgrade both the server and the ISA software, so now we have a new W2k8 Standard server with TMG 2010 Standard installed.

The previous config was exported and imported to the new server for TMG. We updated the rules and checked the listener settings and everything looks OK.

When we navigate to the OWA page from our client machine we can get to the login page, but after logging in we get an error page with the following message: "Error Code: 500 Internal Server Error. The signature of the certificate cannot be verified. (-2146869244)"

I can verify that the correct certificate has been imported to the listener and we are using Basic Authentication with HTML Form Authentication. I have installed the certificate in both the Personal and Trusted Root Certification Authorities stores and verified that there are no errors on the certificate.

We have other websites being successfully published. When we test the rule for publishing OWA, there are always red crosses (see attachment).

Exchange 2007, TMG 2010 both on Win2k8 machines.

Any ideas will be greatly appreciated

Regards,
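The number in the OWA error, -2146869244, is the HRESULT 0x80096004 (TRUST_E_CERT_SIGNATURE): the chain-building layer is saying that a signature on some certificate in the chain does not verify against the public key of the certificate above it. The following PowerShell snippet is an added example, not from the original post. It builds the listener certificate's chain on the TMG server using the machine's own stores, which is what the listener uses, and prints each hop and each status flag. The certificate's subject name is an assumption; replace it with the CN on the listener's certificate.

```powershell
# Added example, not from the original post. Run on the TMG server in an elevated
# PowerShell so that LocalMachine\My is readable. The subject name is assumed.
$subjectCn = 'owa.example.com'   # assumed: CN of the certificate bound to the OWA listener

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.Subject -match "CN=$([regex]::Escape($subjectCn))" } | Select-Object -First 1
$store.Close()
if ($cert -eq $null) { throw "No certificate with CN=$subjectCn in LocalMachine\My" }

"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"NotAfter   : $($cert.NotAfter)"
"HasPrivKey : $($cert.HasPrivateKey)"   # the listener cannot serve TLS without the private key

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation checking is disabled for this run so that an unreachable CRL does not
# hide a signature or trust failure; re-run with 'Online' once the chain builds cleanly.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)
"Chain builds: $built"

# One line per problem the chain engine found (empty when the chain is good).
foreach ($s in $chain.ChainStatus) {
    "  status {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}

# One line per hop, from the end-entity certificate up to whatever root was reached.
$level = 0
foreach ($el in $chain.ChainElements) {
    "  [{0}] {1}" -f $level, $el.Certificate.Subject
    foreach ($s in $el.ChainElementStatus) { "       {0}" -f $s.Status }
    $level++
}
```

Read the hop list from the bottom up. A chain with a single element and status PartialChain means no issuer certificate for the listener certificate was found in LocalMachine\CA or LocalMachine\Root; putting the end-entity certificate itself into Trusted Root does not supply that issuer. NotSignatureValid on an element points at the certificate whose signature fails, which usually means the CA certificate present on the box has the same name as, but a different key from, the CA that actually issued the certificate below it. Keep an eye on the HasPrivKey line as well: the chain can be perfect and the listener still fails if the key did not come across with the export.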

TMG handles SharePoint 2010 website, intranet and Exchange, OWA and ActiveSync: How to allow single login to Intranet and browse to OWA?


Need some pointers if anyone can help...

We've got TMG 2010, which we're currently using to publish our website ( SharePoint 2010, www.name.co.uk, external IP .51, Listener A ) and Exchange 2010 ( OWA and ActiveSync, owa.name.co.uk, external IP .60, Listener B ).  We would like to publish our new SharePoint 2010 Intranet site on si.name.co.uk, external IP .52, Listener C - easy enough.  however, we're a little stuck as to how to configure it so that once someone logs in via TMG Forms based auth (validated against AD), they can click a link within the intranet to reach Outlook Web App on owa.name.co.uk without needing to login again on OWA's forms based authentication as well.

I'm currently thinking we somehow need to try to consolidate our 3 separate web listeners into 2 or 1?

Any pointers? Thanks in advance.

TMG question


Hi.

I have some questions.

My questions are in the pictures.

Please download the file and help me.

http://uploadtak.com/images/n887_TMG.zip

3rd party reporting recommendations


Looking for recommendations on 3rd party reporting solutions.

Thanks.

Planning a new network topology, Comments Please: TMG/Cisco DMZ; Exchange Edge; Site to Site VPN; Web Filtering


Hi all,

I've been charged with trying to correctly structure a small company network (a friend of the family's), and tie a remote office in to the headquarters via VPN. I've been scouring all the whitepapers and manuals I can find before I jump in, to try and plan the best way of structuring this so that it ticks all the requirements boxes and is as secure as possible. Previously they had a single 2008 R2 server running AD DS, DNS, DHCP and Exchange 2010, and they were wanting to open this box up to the Internet to allow OWA and to let users receive mail on their iPhones. When I heard about this I advised them that their 'engineer' probably doesn't know what he's doing, as even I know with my dated knowledge that this isn't right! Me and my big mouth, haha!

Well, it's been a while since I've had any involvement with this kind of work, but based on what I've read so far I've come up with the following plan, and I'd like to know if you think it's sufficient, or can chip in with any advice on how I can improve the design, or point me in the direction of any essential reading:

The image can be found here (copy & paste only, as even though I've verified my account here I can't post links or images for some reason):

http://santaclara.com.gt/sc_topology.gif


Now the requirements that I need to fulfil:

1) Client access to the Exchange via the internet using OWA

2) Client access to Exchange from iPhone

3) Client access to Exchange via Outlook when connected to LAN at HQ or at Remote Site Office

4) Internet filter (url or keyword filtering) for users that belong to a specific security group in AD - Both at the remote site and HQ

5) Access to File Server (SRV-FS1) from clients at Remote Site Office.

Ok, so the questions that I have so far:

1) Should I let the Cisco routers handle the site-to-site VPN that I will need, or is it more practical to let TMG handle the VPN?

2) How can I force internet requests from Clients at the remote site to pass through TMG filters (if they are users of the restricted group)?

3) I plan for only one physical server (SRV-VMH1) at the HQ office, running the 4 VMs as shown above. The server will have 5 Gigabit LAN connections: one onboard and two PCI-E HP Server dual-port NICs. I plan to use one of the HP cards solely for the TMG Server VM; one port of it will be assigned the public static IP from the ISP and will be connected directly to FastEthernet 0/0 of the Cisco 1760. The other port of this card will have its address in the 10.0.0.x range of the internal network and will be connected to a Gigabit switch.

For the second NIC I plan to team both ports together and bind it to the other 3 VMs.

The onboard NIC I plan to use for direct access to the VM host.

Is this the most optimized configuration for use with TMG, based on the hardware we have available?

ANY information that you can throw my way will be very much appreciated! 

TIA

SSL Problem with Symantec


good afternoon,

I have the following problem with SSL errors on my network:

Forefront TMG was unable to establish an SSL connection with 216.10.195.110. The specified network name is no longer available.

The failure is due to error: The specified network name is no longer available.

The IP 216.10.195.110 belongs to Symantec, which is deployed in my network.

how can I solve this?


MCP - MCTS


Routing to Subnets through a router.


Hello Everyone,

I've a problem routing Internal and Perimeter traffic to Subnets through a router.

Our network Layout:



What I want to achieve:
- Use TMG as the default gateway for the Internal and Perimeter network.
- Route Internal, subnets and Perimeter.
- Accomplish this without using a static route in the clients machines.

What I've done so far:
- Added a third NIC and Network for Perimeter.
- Added a Route rule between Perimeter and Internal.

- Added an Access Rule to allow traffic between Perimeter and Internal.

- Added a Range address in the Internal network (172.16.0.0 ~ 172.16.255.255).
- Added a static route using the OS and/or the TMG console (172.16.0.0 255.255.0.0 172.16.71.8).

TMG settings:
- IPv6 is disabled in all NIC's.

- Adapter binding order is (Internal, Perimeter, External)
- Only one gateway is set, and it's in the External NIC.
- Only one DNS server is set, and it's in the Internal NIC.

What is working:
- TMG to ALL.
- Internal to subnets (ONLY ping works)
- Perimeter to Internal (172.16.71.0)

What is NOT working:
- Perimeter to subnets.
- Internal to subnets (other than PING)

What I don't understand is that I have another TMG machine (built for tests) with the same settings (without TMG SP1 & SP2) that can route to the subnets.

Thanks for your help.


Configuration WPAD


Hello everybody

Some doubts are arising with the implementation of WPAD, which is the proxy discovery method for clients (at least that's what we understand).

The questions that arose are the following:

1 - We are using Forefront Server in the domain, and we are using the TMG Client on the clients. When the TMG Client is set up on the user's workstation it automatically configures the proxy in Internet Explorer, so do I need to use WPAD if that already gets configured automatically?

2 - In the screenshot below, many published articles say the "correct" port is 80, but is there a difference between port 80 and 8080? Here we are using port 8080 with WPAD (if it is really necessary for our scenario); what problem would switching to port 80 cause?

3 - Now when the client goes out to the Internet, checking the logs, it looks for wpad on the DHCP server and then goes out to the Internet. However, there is also an entry in DNS; which do we use, DNS or DHCP?


thank you
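For question 3 and the port question it helps to see what a client actually does on the DNS branch of WPAD. The following PowerShell snippet is an added example, not part of the original post: it emulates the DNS-based lookup and fetch from a client machine and prints the proxy:port that the served script hands out. The DNS suffix is an assumption. The DHCP branch (option 252, which carries a full URL and so can name a port other than 80) is deliberately not probed, because reading a DHCP option needs a DHCP client request rather than a plain .NET call.

```powershell
# Added example, not from the original post. Run on a client in the domain.
# The suffix is assumed; everything else is discovered.
$suffix   = 'corp.example.com'          # assumed: the client's primary DNS suffix
$wpadHost = "wpad.$suffix"

# DNS-based WPAD: resolve wpad.<suffix>, then fetch http://wpad.<suffix>/wpad.dat.
# The URL carries no port, so this branch only ever talks to TCP 80.
try {
    $addrs = @([System.Net.Dns]::GetHostAddresses($wpadHost) | ForEach-Object { $_.IPAddressToString })
} catch {
    $addrs = @()
}
if ($addrs.Count -eq 0) {
    "DNS: no record for $wpadHost; DNS-based discovery cannot succeed from this client"
    return
}
"DNS: $wpadHost -> $($addrs -join ', ')"

$url = "http://$wpadHost/wpad.dat"
try {
    $wc  = New-Object System.Net.WebClient
    $pac = $wc.DownloadString($url)
} catch {
    "Fetch of $url failed: $($_.Exception.Message)"
    return
}
"Fetched $url ($($pac.Length) bytes)"

# The proxy port lives inside the script, independent of the port it was fetched from.
"Proxy directives in the served script:"
$pac -split "`n" | Where-Object { $_ -match 'PROXY\s+[^;"]+' } | ForEach-Object { '  ' + $_.Trim() }
```

If the DNS lookup succeeds but the fetch fails, TMG is not publishing autodiscovery information on port 80 for that network (the Auto Discovery tab in the network's properties controls this), and clients that discover through DNS will silently fall back to direct access. The 8080 in the post's setup is the proxy listener port named inside the script; it has nothing to do with the port the script itself must be served from, which the DNS method fixes at 80 and which only DHCP option 252 can change.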

TMG PPTP VPN - Policies


I have a Forefront TMG 2010, Version 7.0.9193.500

I am not overly familiar with TMG, but enough to get it working for its intended purpose: Lync, meetings and such for the Lync platform.

We would like to implement PPTP VPN, and have already done so, and it works great. It works so great that we found users were using their network credentials to access the network from their personal home devices, and not company-provided machines.

For security purposes we would like to have TMG look at the connecting device for a specified file, folder, or possibly a service that is specific to the company, and if it does not exist (which it would not on a user's home device), deny the connection.

Is that possible? I have been reading the forums, but have not seen anything specific to this scenario.

Thanks a7mmUM


GreenBleeder

Windows Could not start the Microsoft Forefront TMG managed Control Service on Local Computer Error:0x80131515


Recently my TMG server stopped sending mail to Internet servers and is giving the error: Windows could not start the Microsoft Forefront TMG Managed Control Service on Local Computer. Error: 0x80131515

Screenshot is here



Install TMG on ESX server with one NIC


Hi dear all,
I have a problem with TMG.
We have an ESX server (with one NIC) on which I created a new VM and installed Windows 2008 R2, then installed TMG 2010, but after installing it seems to need two NICs.
I created a new virtual NIC on vSphere and assigned it to the VM, so now I have 2 NICs on this server (LAN, WAN):

LAN range IP    192.168.X.X
Subnet          255.255.255.0
DG              blank
-------------------------
WAN range IP    91.98.X.X
Subnet          255.0.0.0
DG              91.98.X.X

Is it possible to do this job with just one NIC, and after that have all LAN clients go out through TMG?

Please explain in detail, I'm a newbie!!!

