Channel: Forefront TMG and ISA Server forum

TMG question


Hi.

I have some questions.

My questions are in the pictures.

Please download the file and help me.

http://uploadtak.com/images/n887_TMG.zip


Routing to Subnets through a router.


Hello Everyone,

I've a problem routing Internal and Perimeter traffic to Subnets through a router.

Our network Layout:



What I want to achieve:
- Use TMG as the default gateway for the Internal and Perimeter network.
- Route Internal, subnets and Perimeter.
- Accomplish this without using a static route in the clients machines.

What I've done so far:
- Added a third NIC and Network for Perimeter.
- Added a Route rule between Perimeter and Internal.

- Added an Access Rule to allow traffic between Perimeter and Internal.

- Added a Range address in the Internal network (172.16.0.0 ~ 172.16.255.255).
- Added a static route using the OS or/and TMG console (172.16.0.0 255.255.0.0 172.16.71.8).

TMG settings:
- IPv6 is disabled on all NICs.
- Adapter binding order is (Internal, Perimeter, External).
- Only one gateway is set, and it's in the External NIC.
- Only one DNS server is set, and it's in the Internal NIC.

What is working:
- TMG to ALL.
- Internal to subnets (ONLY ping works)
- Perimeter to Internal (172.16.71.0)

What is NOT working:
- Perimeter to subnets.
- Internal to subnets (other than PING)

What I don't understand is that I have another TMG machine (built for tests) with the same settings (without TMG SP 1 & 2) that can route to subnets.

Thanks for your help.


HTTP traffic through port 80 and custom port


Hi,

My scenario as below:

I have an iPad connected to a VPN configured on the external NIC of TMG and running some application. On the Internal NIC, inside our LAN, I have a web server.

I created a new Outbound TCP protocol on port 1111 (My1111) and configured an allow rule on TMG to allow traffic from VPN to Internal. The iPad application connected to the web server on port 1111 with protocol My1111, the user authenticated on the server's IIS, and everything is OK.

But when I try to switch both the iPad and the server binding to port 80, the application can connect only once. The next tries fail.

I tried to find a solution with the TMG logs. There are no dropped packets. The only problem is that the protocol changed from My80, which I created, to http. This is the only difference from traffic through port 1111.

It looks like a problem with caching on TMG. I already disabled all caching, but it didn't help.

Is there any way to prevent TMG from recognizing the traffic through port 80 as http?

Any help is appreciated.


Error Code 11002: Host not found


Hi,

Please help me step by step.

Error Code: 502 Proxy Error. The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. (12204)


How to solve it? Please help me step by step.

external network


Hi,

When I configure NLB on my network adapters using TMG, I found an information dialog in the wizard, which states NLB should NOT be applied to the external network if the array is not directly connected to the external network. What does it mean? Thanks!

Best Regards,
zancan

Unable to connect to ISA 2006 using Remote Desktop after installing KB2799494


Hi!

Unable to connect to ISA 2006 (build 5.0.5723.526) using Remote Desktop after installing KB2799494.

Uninstalling the update solves this problem.

Does anyone have a similar problem, and has it been resolved?

Exchange 2010 IPSEC


I am looking to implement IPSEC according to the white paper "Securing Remote Access to Exchange Server using IPsec". It is not really stated in the document, but does the TMG need to be domain joined? I think it is, but it is not stated in the document.

reference:  http://www.microsoft.com/en-us/download/details.aspx?id=23708


Answers provided are coming from personal experience, and come with no warranty of success. I as everybody else do make mistakes.


TMG Packet Filter Bound to all NIC's...


Hi Folks

In TMG 2010 I'm noticing that Forefront TMG Packet Filter is bound to all NICs in the server.

Is there any way to selectively choose which NICs it's bound to?

Thanks in advance!


Q: Marking a question as answered when it's not - is this something new? A: Not at all, it's standard Nick Gu!

how to allow an url in forefront or deny

Hello all, I would like to allow a URL in Forefront. I am new to configuring the product and it does not seem straightforward, but I hear it's a good product. I am looking for a few steps to put me in the right direction. I have been searching the internet and did not see any how-to topics. Any help will be greatly appreciated.

ISA 2006 Dashboard System Performance Monitoring Not Working..


Hi Guys,

Can anyone resolve, or does anyone have any idea about, ISA 2006 Dashboard System Performance Monitoring not working?

Is there any update patch that needs to be applied to ISA Server 2006?

I installed Service Pack 1; all firewall policies are working. I implemented Web Filtering and Web Caching on ISA Server 2006 with a single NIC only.

Any suggestions or recommendations would be a great help. Thanks,

ISP Redundancy no work


Hello, I have a TMG array (NLB) with 4 servers. I am trying to configure ISP Redundancy (load balancing): I added a second network adapter to my virtual servers and configured it using the article http://www.isaserver.org/tutorials/Exploring-ISP-Redundancy-Forefront-Threat-Management-Gateway-TMG-2010.html but my balance is not an array or a general or throwing packets at random. Perhaps the problem is in the Windows routing table. On all servers there are two routes in the table:
0.0.0.0 0.0.0.0 IP_ISP1 metric 2
0.0.0.0 0.0.0.0 IP_ISP2 metric 3
Please help, why does the balancing not work?

Forefront 2010 &Wpad not work in Windows 7


Hi

I use MS Forefront 2010 as a proxy. I configured wpad.dat with DHCP & DNS. My Windows XP clients work well with IE or Firefox. However, clients with Windows 7 don't work in IE/Chrome. But Firefox works fine.

All clients with Windows 7 have this result when I choose the auto-discovery setting. A client that is not joined to the network can get http://proxy/wpad.dat. However, a client joined to the network can't get http://proxy/wpad.dat. It shows the error message below:

Network Access Message: The page cannot be displayed

Both of them can't access the internet until I set them to use a manual proxy.

I ran nslookup on both Windows 7 clients; it resolves wpad correctly. It points to Forefront TMG.

As I understand it, Firefox works fine because it uses DNS to resolve WPAD, but IE 8 and Chrome both use the Windows proxy settings. So when I check the auto-discovery setting, they can't find wpad.dat. That is why both can't access the internet. I don't know the reason why.

Could someone suggest anything? Thank you for your help.

VPN Authentication Server Transfer Time


I have a quick question for which I can't seem to find any documentation. How long does it take for the PPTP authentication to switch from one DC on the same domain to another, and is there a way to force or manually change it?

Anyone able to point me in the right direction?

Thanks. 

Website timing out from some workstations but working from others


We have a host file configured on our workstations to point to our website using our external IP instead of the internal IP.

Some of the workstations are working correctly and some are not.  I can't determine if this is a forefront issue or not.

This problem started happening after some power outages.  I have rebooted both problem workstations and forefront servers and it doesn't appear to make a difference.

In Forefront I can see the connection made, but for the ones that are not working I am seeing a 408 timeout; it is consistent from the problem workstations.

I don't believe it is a problem with the website itself because it is working for some workstations and from the outside no problem.

The host file is exactly the same for both working and problem machines.  Any ideas?


OWA authentication with RSA SecureID on Exchange 2010 in 2 AD Domains


I have 2 TMG servers on a DMZ AD domain, 2 Exchange 2010 CAS servers in the production AD domain and an RSA server v7.1 in the production domain. The domains are completely separate. I followed the documentation on setting up RSA with TMG. The TMG servers are configured with 1 NIC. All the servers are on the latest service packs and rollups.

TMG is set with form-based authentication and the Exchange CAS servers have basic authentication. When I enter the user's name in the user name field under remote access credential in username format (no domain), RSA authentication works and AD authentication fails. If I enter the user's name in domain\username format then RSA authentication will fail and AD authentication will work. If I enter the user name (no domain) and then check use a different user name under internal network credentials and enter the user's name in the domain\username format then I am able to successfully authenticate.

We would like for the user to just enter the username (no domain), RSA passcode and AD password.

I have read adding the TMG servers to the production domain would fix this issue but I am trying to avoid that.

Any help would be appreciated.  Thanks.

malware inspection license how do you buy it


Purchase of forefront gate2010 within the last 90 days

I have had no luck getting information on the malware inspection subscription, which is about to run out on its eval time.

Any suggestions out there on how to resolve,

the product is licensed from the key but not the malware inspection?

 

The best the technet came up with did not answer how to get the malware inspection license ?

How to add HTTP Header Response X-Frame-Options:SAMEORIGIN from OWA published via Forefront TMG 2010 to stop Clickjacking

How to add HTTP Header Response X-Frame-Options:SAMEORIGIN from OWA published via Forefront TMG 2010 to stop Clickjacking. I have put the IIS setting X-Frame-Options:SAMEORIGIN  on my Internal CAS Server. However as the OWA page is published through Forefront TMG 2010, the iFrame tag is not blocked when the page is first opened. Only when you login with your credentials to the OWA page inside the frame and the page reaches IIS on the Internal CAS it gets blocked. I want to block it in the first instance when it is opened from TMG.

TMG Server can not generate Report


Dear All

 

I have 2 TMG servers, TMG05 and TMG06. I installed Enterprise Edition and configured TMG05 as the array master and reporting service; TMG06 is a member of the array. NLB is configured on both too.

I already configured a daily report, and use the SQL reporting service that is built in with the Forefront install. It was working for the past 6 months, but last week it stopped working. None of the scheduled reports (daily and weekly) are generated, and I tried to create a one-time report too; it is not generated either. The error I got is:

Error: 0xc0040432

The report testdaily could not be generated. Report Sever error information: The operation has time out.

The error occurred on object “Reports’ of class ‘Reports Configuration’ in the scope of array ‘TMG06’

Please help me by explaining this error and telling me how to fix it.

Isa2006 and sharepoint to expose certain urls

Hi,

We are using SharePoint 2010 installed on Windows 2008 R2 and ISA 2006. We want to expose certain pages under a certain folder over the Internet, but these pages have references to other URLs in other folders, such as images, CSS, and files hosted on the root folder /.

External URLs (please note the public folder does not exist on the internal URL and we want to hide _layouts from internal):
- Http://externalname/public/folder1/page1.aspx
- Http://externalname/public/folder1/page2.aspx

Internal URLs for the above:
- Http://internalservername/_layouts/folder1/page1.aspx
- Http://internalservername/_layouts/folder1/page2.aspx

Some of the internal files referenced in the above pages:
- Http://internalservername/CSS/*
- Http://internalservername/JavaScript/*
- Http://internalservername/webresources.aspx
- Http://internalservername/scriptresources.aspx
- Http://internalservername/_layouts/folder1/~/_vti_bin/Get1.svc
- Http://internalservername/_layouts/folder1/~/_vti_bin/Get2.svc

So how do we achieve this via ISA to map external URLs? Please note we don't want to expose any arbitrary pages outside folder1, but there are files that reside outside folder1 and we need to access them in order to render the page correctly.

Thanks