Channel: Forefront TMG and ISA Server forum

Multiple Networks With NLB, Ping not working either way

I'm trying to diagnose a problem with our TMG deployment, whose topology is edge server. There are 4 networks/subnets:

1 Internal TMG (NLB)

2 External TMG no NLB as its just used for NAT

3 EAP WiFi (NLB)

4 VPN (NLB)

The TMG servers are hosted on a clustered Hyper-V deployment and all TMG servers have 4 NICs, and I've taken care to match the MAC address to the network and IP they should have, so there are no mistakes there.

There is internet and LAN access set up already for the internal networks, and I already have a network rule to route between networks 1, 3 and 4 (source 1,3,4; destination 1,3,4; relationship route) and on the other side (the routers).

But after enabling NLB on networks 3 and 4, I can no longer ping from either the TMG or the routers.

Attempting to ping the router for the EAP WiFi network gives:

Pinging 10.0.2.1 with 32 bytes of data:
Reply from 10.0.2.3: Destination host unreachable.

where 10.0.2.1 is the access point; TMG 1 10.0.2.2, TMG 2 10.0.2.3 and TMG 3 10.0.2.4 are the IP addresses on the Hyper-V switch for this network for each TMG server, and the NLB IP is 10.0.2.5.

Attempting to ping from the access point to any of the addresses above again fails to work even though the access point shows both the Status & Line Protocol being up.

Can anyone suggest what might be the problem? Like I said, the problem started right after I enabled NLB.

ipconfig for the TMG servers:

Ethernet adapter TMG Internal Network:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.0.0.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 10.0.0.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter TMG External Network:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.0.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.1.1

Ethernet adapter EAP WiFi Network:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.0.2.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 10.0.2.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Remote Support Network:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.0.3.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 10.0.3.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

The others are the same, except with the local IP addresses incremented by 1.
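An added example (not part of the post, and not TMG's own tooling) that parses the ipconfig output quoted above and runs the three checks a reviewer would make on an NLB-enabled TMG node: exactly one adapter carries a default gateway, each cluster VIP sits on an adapter after that node's dedicated IP and inside its subnet, and every VIP the design calls for is actually bound on the node. The VIP 10.0.2.5 comes from the post; treating 10.0.0.10 as the Internal VIP is an assumption, and the second, deliberately broken ipconfig text is constructed to show the findings format.

```python
import ipaddress
import re

# Constructed sample: three of the adapters from the ipconfig excerpt in the post.
SAMPLE_IPCONFIG = """
Ethernet adapter TMG Internal Network:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.0.0.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 10.0.0.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter TMG External Network:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.0.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.1.1

Ethernet adapter EAP WiFi Network:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.0.2.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 10.0.2.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
"""

# Constructed, deliberately wrong node: VIP listed before the dedicated IP, a second
# default gateway on the Internal adapter, and the EAP WiFi adapter missing entirely.
BAD_IPCONFIG = """
Ethernet adapter TMG Internal Network:

   IPv4 Address. . . . . . . . . . . : 10.0.0.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 10.0.0.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1

Ethernet adapter TMG External Network:

   IPv4 Address. . . . . . . . . . . : 10.0.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.1.1
"""

# 10.0.2.5 is the EAP WiFi VIP named in the post; 10.0.0.10 as the Internal VIP is assumed.
KNOWN_VIPS = {"10.0.0.10", "10.0.2.5"}

ADAPTER_RE = re.compile(r"^\S.* adapter (.+):$")
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {"addresses": [[ip, mask], ...], "gateway": ip or None}}."""
    adapters, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        heading = ADAPTER_RE.match(line)
        if heading:
            current = {"addresses": [], "gateway": None}
            adapters[heading.group(1)] = current
            continue
        field = FIELD_RE.match(line)
        if not field or current is None:
            continue
        name, value = field.group(1).strip(), field.group(2).strip()
        if name == "IPv4 Address":
            current["addresses"].append([value, None])
        elif name == "Subnet Mask" and current["addresses"]:
            current["addresses"][-1][1] = value      # mask follows its address
        elif name == "Default Gateway" and value:
            current["gateway"] = value
    return adapters


def audit_tmg_node(adapters, known_vips):
    """Return a list of findings for one node; an empty list means all checks passed."""
    findings = []
    with_gateway = [n for n, a in adapters.items() if a["gateway"]]
    if len(with_gateway) != 1:
        findings.append(f"expected exactly one adapter with a default gateway, found {with_gateway}")
    bound = set()
    for name, a in adapters.items():
        ips = [ip for ip, _ in a["addresses"]]
        bound.update(ip for ip in ips if ip in known_vips)
        if not ips:
            continue
        dip, mask = a["addresses"][0]          # NLB expects the dedicated IP listed first
        for vip in (ip for ip in ips if ip in known_vips):
            if vip == dip:
                findings.append(f"{name}: VIP {vip} is listed before the dedicated IP")
            elif mask and ipaddress.ip_address(vip) not in ipaddress.ip_network(f"{dip}/{mask}", strict=False):
                findings.append(f"{name}: VIP {vip} is outside the dedicated IP's subnet")
    for vip in sorted(known_vips - bound):
        findings.append(f"VIP {vip} is not bound on any adapter of this node")
    return findings


if __name__ == "__main__":
    for label, text in (("post sample", SAMPLE_IPCONFIG), ("broken sample", BAD_IPCONFIG)):
        print(label, audit_tmg_node(parse_ipconfig(text), KNOWN_VIPS) or "OK")
```

Run it against `ipconfig` output captured from each array member in turn; a node whose VIP is missing or mis-ordered is the one whose NLB heartbeat will look fine while its traffic is still not answered.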



ISA Server disconnected from the following client: IP because its connection limit was exceeded.

Event ID: 15113

Warning message: ISA Server disconnected from the following client: IP because its connection limit was exceeded.

Config: Windows SBS 2003; ISA 2004 Standard; fewer than 30 computers. The default setting on this ISA is already 160 (connection limit per client).

Not sure if this article would help: http://support.microsoft.com/kb/927099?wa=wsignin1.0. It doesn't make sense that changing the number here will help, does it?
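Before raising the limit, the useful question is which client is opening that many simultaneous connections and to what. The following is an added example (not from the post or from ISA Server) that sweeps constructed connection open/close records in time order and reports, per client, the peak number of concurrent connections and the destination ports active at that peak, against the 160-per-client limit quoted above. The record format and the function names are hypothetical; the sample has one quiet workstation and one that opens 170 connections to port 25 without closing them.

```python
from collections import Counter, defaultdict

CONNECTION_LIMIT = 160  # the per-client default quoted in the post


def _burst(client, start, count, port):
    # Constructed: `count` connections opened one second apart to rotating hosts, never closed.
    return [(start + i, client, f"203.0.113.{i % 20 + 1}:{port}", "open") for i in range(count)]


# Constructed sample records: (seconds, client IP, destination ip:port, "open" | "close").
SAMPLE_EVENTS = [
    (0, "10.0.0.20", "198.51.100.5:80", "open"),
    (2, "10.0.0.20", "198.51.100.5:80", "close"),
    (3, "10.0.0.20", "198.51.100.9:443", "open"),
    (9, "10.0.0.20", "198.51.100.9:443", "close"),
] + _burst("10.0.0.50", 5, 170, 25)


def peak_concurrent(events):
    """Sweep the records in time order and return, per client, the peak number of
    simultaneously open connections and a Counter of destination ports at that peak."""
    active = defaultdict(Counter)   # client -> destination -> currently open count
    peak = {}
    # Closes sort before opens at the same second so a reused connection is not double counted.
    for _, client, dest, action in sorted(events, key=lambda e: (e[0], e[3] == "open")):
        if action == "open":
            active[client][dest] += 1
            total = sum(active[client].values())
            if total > peak.get(client, {"peak": 0})["peak"]:
                ports = Counter(d.rsplit(":", 1)[1] for d in active[client].elements())
                peak[client] = {"peak": total, "ports": ports}
        elif active[client][dest] > 0:
            active[client][dest] -= 1
    return peak


def clients_over_limit(events, limit=CONNECTION_LIMIT):
    """Clients whose peak concurrency would trip the per-client connection limit."""
    return {c: p["peak"] for c, p in peak_concurrent(events).items() if p["peak"] > limit}


if __name__ == "__main__":
    for client, info in peak_concurrent(SAMPLE_EVENTS).items():
        flag = "OVER LIMIT" if info["peak"] > CONNECTION_LIMIT else "ok"
        print(client, info["peak"], dict(info["ports"].most_common(3)), flag)
```

A single workstation holding well over a hundred connections to one port is the signature worth chasing on that machine, rather than a reason to lift the limit for everyone.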

 


Invoke Servlet Through TMG

I am trying to invoke a servlet of a client application through TMG, which is taking care of session management in the SharePoint site. I am not able to invoke the servlet, but I am able to launch JSP-type files of the client application through TMG. Could anyone suggest if I am missing anything here? Sorry if it's a basic query; I am very new to TMG and servlets.

Thanks,

Balajee

ISA 2006 and External FTP Site

Hello, I have the following scenario:

Microsoft ISA Server 2006 Standard, version 5.0.5723.514, on Windows Server 2003 R2 SP2

Several Windows 7 SP1 and Windows XP SP3 clients, all with the latest hotfixes

The servers and clients are part of an Active Directory domain.

My problem is:

Windows XP clients cannot upload files to an external FTP site through Internet Explorer. When I connect to the FTP site it prompts for a user and password and the connection is established, but when I try to upload files, after some time the following message appears: "The operation time out"

The Firewall Client is installed on Windows XP, the firewall rule to permit FTP to External is active, and changing the firewall rule to permit all ports from Internal to External does not work.

I was checking the following articles, but the error continues:

http://technet.microsoft.com/en-us/library/cc750609.aspx

http://support.microsoft.com/kb/814473

What other configuration can I apply to permit all Windows XP clients to connect to external FTP and upload files without issues?

Thanks for your help.

TMG VPN

Hi everyone

I am trying to establish a site-to-site VPN between two TMGs. The thing is that the two of them are configured with private IP addresses. Is there a particular configuration to make in order to allow each one of them to identify the other side of the VPN?

thank you

Publish NVR Console

I have a VioStor NVR (Network Video Recorder) which administers the IP cameras in my organization through a web console. I have problems when wanting to set up a rule in the firewall (TMG 2010 SP1) to let me see the console from outside the local network (internet).

Please, your help.

TMG routing help

Hi guys,

Actually, I'm deploying a new TMG server in my company and everything is working fine. However, I have a small problem and until now I couldn't solve it.

I have a link with a customer that works as described in the picture below.

I need to reach the 10.x.x.x network, but I do not have any interface on my server in this network. So, I'd need to route any packets from my LAN (172.20.1.x) to the ISP firewall (192.168.1.x). However, this is not my default gateway, because this interface will be used just to reach network 10.x.x.x.

How can I configure it on TMG?

Thanks a lot!


Lawrence Carvalho

TMG 2010- HTTP delay, NLB or proxysetting?

Hello together,

We installed two new TMG 2010 servers (same hardware) in an array/NLB configuration a couple of months ago. There are 4 networks: Internal, DMZ, Internet and a network to another subnet. They are configured correctly as far as I know.
But since the implementation we have some serious problems with web connections.
When I open some websites, I experience far too often a delay of about 30 seconds. The website tries to load, but can't. After a while I have to press F5 and it works again. This issue doesn't happen with downloads, and it happens randomly every day on the company PCs (Windows XP and Windows 7 with the same IE config). Some folks don't have that problem.
There are no important error log entries, and the Sessions view tells us that the connections are well split, as for the same load weight.

The configuration:
The networks are configured as NLB multicast (no IGMP), except for the Internet network, which has enough IPs from our provider and is directly connected from each firewall to a cheap switch, which is connected to the ISP router.

The following options are activated: HTTP compression, web proxy (port 8080) for HTTP. The web cache is deactivated, and also CARP. Authentication is integrated (AD).
"Forefront TMG Client support" and the web proxy server are activated and point to the VIP of the internal network (192.168.1.1). "Automatically search for settings" is activated.
I also tried to switch the settings under the Internal network settings for "web browser"... bypassing the proxy web server for this network, and the setting in IE 8/9 "automatically search for settings" and the other TMG Client stuff.... Doesn't help.
But what I figured out was that the clients (connected to the first firewall node) had more connection problems than the others. Unfortunately, you can't change the load weight in NLB Manager or the TMG 2010 GUI (I tried that today).
Something tells me that the source of that problem is not the NLB but the web proxy settings. Any tips?


Configure multiple SSL certificates for the same IP address (ISA Server) issue? Urgent help required...

Hi All,

We have 3 SharePoint applications running on a SharePoint server (IP: 10.3.4.1).

Two applications (one.domain.com & two.domain.com) are using a certificate issued for *.domain.com. This certificate is configured on the IIS server, and it is also bound to IP address 10.3.4.1 on ISA Server 2006.

The third application (three.otherdomain.com) is using a different certificate issued for three.otherdomain.com. This certificate is configured on the IIS server, but unfortunately I cannot assign multiple certificates to the same IP on ISA Server 2006, since it is not possible (as per my understanding from a Google search).

Due to the above issue I am getting a certificate error while trying to access the web application https://three.otherdomain.com.
The error is...

three.otherdomain.com uses an invalid security certificate.

The certificate is only valid for the following names:
*.domain.com , domain.com

(Error code: ssl_error_bad_cert_domain)


Please guide me on this issue. Will assigning multiple IP addresses to the same server help me?

I also found that all these 3 applications have same public IP. Can this be a problem?

Appreciate your help & support.

Thanks,
Rahul Babar


ASP.NET, C# 4.0, Sharepoint 2007/2010, Infopath 2007/2010 Developer http://sharepoint247.wordpress.com/
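An added example (not from the post, and not ISA Server code) that shows why the browser reports ssl_error_bad_cert_domain here and what the "one certificate per listener IP" constraint implies for the layout. `name_matches` applies the usual wildcard rule (a `*` only as the whole leftmost label, standing for exactly one label), `listener_result` simulates a client checking the single certificate a listener presents, and `plan_listeners` groups the three hostnames from the post by certificate, which is the number of separate listener IPs needed. The certificate name tuples are taken from the error message in the post; the function names are hypothetical.

```python
# Subject alternative names as reported in the post's browser error, plus the third site's certificate.
WILDCARD_CERT = ("*.domain.com", "domain.com")
THIRD_CERT = ("three.otherdomain.com",)

# Which published hostname is served with which certificate (from the post).
SITES = {
    "one.domain.com": WILDCARD_CERT,
    "two.domain.com": WILDCARD_CERT,
    "three.otherdomain.com": THIRD_CERT,
}


def name_matches(pattern, hostname):
    """Does one certificate name (possibly a wildcard) cover the requested hostname?"""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Only a whole leftmost label may be a wildcard, and at least two fixed labels must follow.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one label: a.b.domain.com and domain.com do not match.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(cert_names, hostname):
    return any(name_matches(n, hostname) for n in cert_names)


def listener_result(listener_cert, requested_host):
    """Simulate the client's check: an ISA 2006 listener presents one certificate per IP,
    regardless of which hostname the client asked for."""
    if cert_covers(listener_cert, requested_host):
        return "ok"
    return "ssl_error_bad_cert_domain"    # the error code quoted in the post


def plan_listeners(sites):
    """Group hostnames by certificate; each group needs its own listener IP address."""
    plan = {}
    for host, cert in sites.items():
        if not cert_covers(cert, host):
            raise ValueError(f"{host} is not covered by its own certificate {cert}")
        plan.setdefault(cert, []).append(host)
    return {cert: sorted(hosts) for cert, hosts in plan.items()}


if __name__ == "__main__":
    for host in SITES:
        print(host, "via wildcard listener:", listener_result(WILDCARD_CERT, host))
    for cert, hosts in plan_listeners(SITES).items():
        print("listener IP needed for", cert, "->", hosts)
```

The plan comes out as two listeners, so a second IP address on the ISA external interface, with the three.otherdomain.com certificate bound to it and public DNS for that name pointing at the new address, is the layout the question is asking about; the shared public IP is exactly the problem.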

Access internet with schedule error

Hi,
I have imported the firewall policy from a TMG in domain x.com and imported it to a TMG in domain y.com.

I had already created the users and schedules in the TMG in domain y.com and then imported the firewall policy,

and clients in a specific schedule rule cannot access the internet, except clients in the full-time schedule.
How can I fix this?

thanks for helping


Site to Site VPN unstable tunnel! need help please

I have a site-to-site VPN set up between a Meraki firewall and a TMG server.

All of the settings match: site-to-site subnets, IPsec settings, gateway IPs, etc.

After random periods of time, the site-to-site VPN on the TMG side will "sleep" or go "idle".

Both sides are set to authenticate and regenerate new keys after 8 hours.

The second I try to ping a computer on my local site from the remote site, the VPN is back up! It doesn't make sense.

Please help; I know this is probably something easy I am missing.

Intermittent inbound SMTP comms failure

Hi.

My environment has 2x TMG 2010 Std servers (TMG A and TMG B for this discussion) with the latest service pack and rollup, and one Exchange server behind them. Only TMG A has SMTP inbound published. A recent issue I found is that sometimes email with an attachment from external fails with the following error:

4.4.2 Connection dropped due to SocketError

or

Last Error: 421 4.4.2 Connection dropped due to ConnectionReset

I then published SMTP on the second server and the email goes through fine. After three days of testing I found that disabling the NIS service on TMG A allows the email to go through. The server sending me the email via the internet is not on any SBL list, nor is my server receiving the mail.

My question is how can I find out which specific filter in NIS is causing this failure?

additional info.

The TMG log states the following:

Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer. 

Source: External
Destination: Local Host

What I don't understand is why it is trying to communicate with the local TMG server when the rule is published to allow it an inbound connection to the mail server.

It is clearly a problem with the TMG A server, as the TMG B server is allowing the mail through.


Best Regards, Morris Fury AFRIDATA.net


Importing Certificate into Web Listener error

I recently had to have my SAN certificate re-keyed due to the fact that I am bringing a new Exchange 2010 server online to replace our Exchange 2003 server. I have imported the re-keyed certificate into the TMG server, but when I click the "Select Certificate" button in the web listener properties to select the new certificate I get the following error:

"One or more array members is not responding.  To select a certificate, Forefront TMG services must be running on all the servers in the array."

This is our only TMG server and, as far as I can tell, all services that should be running on this server are running. Any help is appreciated.


Publishing CRM through TMG

I'm using CRM 2011 load balanced over two servers through TMG. Yesterday I changed CRM to use HTTPS, added the cert and then changed the configuration on TMG; this works fine. So I access CRM through https://crmserver.domain.com

The problem I have is a custom CRM web service which needs to run on its own site (due to it being unsupported in CRM 2011 to run under the CRM default site). By default the web service was on 8080; this wouldn't work, as TMG uses 8080 for the proxy.

Let's say I change the custom web service to port 8086. It's also still on HTTP (not sure if this should be HTTPS now that CRM is); the path would be http://crmserver.domain.com:8086/CRMasmxWebService.asmx

Is there a correct way to publish this additional site/web service through TMG? The easiest way is to forget having the web service load balanced and to point directly to one of the servers, bypassing TMG. Ideally I would like to have the web service load balanced if possible.

Hope that makes some sense!

Thanks

Ross

TMG2010 - An LDAP server did not respond

Hi all,

I am having a problem where our TMG array will intermittently alert through SCOM that the LDAP servers have failed to respond. We have 2 TMG servers running 2010 SP2 RU1, and each will occasionally flag an event 21286 that it could not contact the DC. However, all functionality appears to be fine.

I have followed all the suggested steps for resolution in the SCOM alert and everything is already in order.  I have also confirmed that all is set up according to this guide: http://blogs.technet.com/b/keithab/archive/2013/05/01/3483834.aspx  The LDP utility allows me to connect to the DC mentioned in the alert without any problems, and yet we still get these alerts.

Any advice on how to get to the root of this would be much appreciated!  Failing that, if this is a "false" alert since everything appears to be working fine, is it safe to override the alert in SCOM?

Many thanks!
G

Multiple NICs on Forefront TMG

Hi,

I need to set up a client with 4 NICs. The setup is 1 internal NIC, 2 external NICs for load balancing + failover, and 1 external NIC to be used by the MD of the company ONLY (he wants his own private external line so that the rest of the company cannot slow his connection down etc.... QoS is not an option for him).

But the MD wants it so that if his line goes down, it will auto-route through the other external NICs that the rest of the company uses.

Is this possible with a single Forefront server with 4 x NICs?

Web Proxy – Current Direct Fetches

Hi All,

I've got this alert from SCOM:

Alert: Forefront TMG Server: Web Proxy – Current Direct Fetches Avg Ms Per Request Performance Monitor

There is no delay with my published applications; how do I determine the correct value to override it?


ADAM (ISASTGCTRL) 2527

Hello friends,

After enabling LDAP signing on the AD and the workstations, and doing the configuration below on the TMG server, I get the following error message:

The directory server could not automatically update the service account, DNS name and / or port information.

This operation will be retried in the next interval.

Interval (minutes):
5

Supplemental Data
Error value:
1789 failed trust relationship between this workstation and the primary domain.
Internal ID:
32b0bad

The registry change on the TMG server is as follows:
Included key LDAPServerIntegrity


MCP - MCTS
