Channel: Forefront TMG and ISA Server forum

How to open 6080 port on TMG 2010


Hello,

I need to open port 6080 on TMG 2010 for ArcGIS Server. I've created a new protocol (port range: 6080, protocol type: TCP, direction: outbound) but it doesn't seem to work.

Any suggestions?

Thank you in advance.








Proxy related error in user workstation with TMG 2010 as windows 2003 domain client


Recently we implemented TMG 2010; before that we were using ISA 2006. We have Active Directory based on Windows 2003. All the users get the proxy address and port number from AD group policy. After implementing TMG 2010, users are not getting the automatic proxy address from AD group policy. If I put the manual proxy address in the workstation, after restarting the workstation the proxy shows blank in IE. Please give a solution.

Thanks

Mahatab Rahimafrooz

Importing Certificate into Web Listener error


I recently had to have my SAN Certificate re-keyed due to the fact that I am bringing a new Exchange 2010 server online to replace our Exchange 2003 server.  I have imported the re-keyed certificate into the TMG server but when I select the "Select Certificate" button in the web listener properties to select the new certificate I get the following error:

"One or more array members is not responding.  To select a certificate, Forefront TMG services must be running on all the servers in the array."

This is our only TMG server and as far as I can tell all services are running on this server that should be.  Any help is appreciated.

TMG Reporting Tools


Hi,

Please share what the best 3rd-party TMG 2010 reporting tools are.

Regards

Usman


Usman Ghani - MCITP Exchange 2010

Users in Exceptions in From Tab


Hi,

Is it possible to add users as exceptions in a firewall rule? I have a blocked-website rule; in the From tab of this rule, under exceptions, I can add only network entities. I want to make an exception for a group of Windows users.

http://prntscr.com/14tcet

Regards

Usman Ghani


Usman Ghani - MCITP Exchange 2010

Routing/Chaining Failure TMG Detected a Loop


Hi Folks;

I'm having an issue with TMG 2010 in that I'm seeing reports of Routing/Chaining failure / TMG Detected a Loop;

Event id 14141

Forefront TMG detected a proxy server loop. There may be a problem in the configuration of the Forefront TMG Web chaining policy. Alternatively, in Enterprise Edition, when CARP is enabled and there are intermittent interruptions of intra-array connectivity, array member A may forward a request to array member B according to the CARP algorithm, and array member B may forward the request to array member A in an endless loop.

A look at the log files indicates that this error occurs when the localhost (the TMG 2010 VM itself) is connecting to Microsoft to check for Windows Updates. This is the only time the error occurs and it occurs often.

Here's a snippet to illustrate;

Microsoft-CryptoAPI/6.1  Proxy - 65.54.87.108 TCP GET Req ID: 0a655fc7; Compression: client=No, server=No, compress rate=0% decompress rate=0% - 0x110 0x0 58066 SecureNAT     1 3923 201 - 5/14/2013 1:23:26 AM - - 0 - 0 - - - - - - 0 0         From cache  65.54.87.108 5/13/2013 6:23:26 PM Local Host xx.external.IP.xx External 65.54.87.108 80 http Failed Connection Attempt  -  - - 

[System] Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads)  

12206 Forefront TMG detected a proxy chain loop. There is a problem with the configuration of the Forefront TMG routing policy. Please contact your server administrator.  anonymous http://65.54.87.108/pki/mscorp/crl/mswww(6).crl EDGE Technical Information Web Proxy Filter   -   0 - 

Is there anyone left in the groups with knowledge of TMG 2010? I've already looked on the web for information relating to this but none seems relevant. I think the key is in the fact that it only happens when the local host goes off to Microsoft to check for Windows Updates.



Certain website Failed Connection Attempt/Denied Connection


All other websites are working with authentication; however, one particular website is being denied for some strange reason.

Does anyone have any ideas as to why?

Denied Connection PERDMZ01 14/05/2013 10:07:58 AM 
Log type: Web Proxy (Forward) 
Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  
Rule: Allow Web Access for All Users - Authenticated 
Request: GET http://www.medallionclub.com.au/ 
Filter information: Req ID: 098601fe; Compression: client=No, server=No, compress rate=0% decompress rate=0% 
Protocol: http 
User: anonymous 

Failed Connection Attempt PERDMZ01 14/05/2013 10:07:58 AM 
Log type: Web Proxy (Forward) 
Status: 5 Access is denied.  
Rule: Allow Web Access for All Users - Authenticated 
Request: GET http://www.medallionclub.com.au/ 
Filter information: Req ID: 098601ff; Compression: client=No, server=No, compress rate=0% decompress rate=0% 
Protocol: http 
User: anonymous 


Publish local site through TMG 2010


I have local web-based software on a separate machine which needs to be published on the internet to allow my remote users to connect to this local software. I have a live IP that is configured on the router and routed to the TMG 2010 server. On TMG 2010 I created a publish web site rule and configured all required information related to the web-based software. Now when I try to access my web application from a remote location through TMG, I receive a no page display error. The URL being accessed is http://123.123.123.123:9867 and I have also allowed the port on my router and TMG server as well.

When I try to access it directly, that is, bypassing the TMG server, the URL http://123.123.123.123:9867 is accessible without any issue.

Could someone kindly assist with where I am making a mistake that causes this problem?


[ISA 2006][Website Publishing] intermittent sc-status-code 64 after switching to HTTPS


We are publishing a website through ISA to client desktop

client desktop --> ISA --> IIS servers

The whole transmission is within our company internal network, just passing through different zones.

There are 2 IIS servers, using Win2k8 NLB (network load balancing) to share a virtual IP address to receive request from ISA.

ISA is using a Website Publishing Rule to receive and redirect request.

Meanwhile, all transmission is under HTTP, it works fine.



Now we want to switch to HTTPS, so we created another Website Publishing Rule on ISA, to listen on port 443 and redirect to IIS servers' port 443.

IIS servers also opened port 443 for that same website.

Both ISA and IIS servers use the same SSL certificate to publish the website.

It seems to be working, until the load test.



Out of the thousands of requests each day, there must be a few (less than 10) requests that failed.

No error in IIS servers log. Those failed requests were successfully received and returned, with http response code 200.

But ISA log showed sc-status code 64.

ISA Diagnostic Log showed this error message

"ISA Server rejected the request with the HTTP status code 0 and will return the following error message to the Web client. "The specified network name is no longer available. (64)""

And client would receive an error html page, saying "Error Code 64: Host not available. The connection to the Web server was lost."



Googled a bit, seems to have many possible causes, including driver bug or router, switch error.

I tried to use Microsoft Network Monitor. But honestly, I have no idea how to troubleshoot........




skype problem with TMG

Hey all, I found a way to log in to Skype, but features like chat, voice and video are still not working, so I'll tell you how: go to HTTPS inspection > Certificate validation, then uncheck all the boxes, then try to log in to Skype and it will. But how do I make the features work?

Forefront TMG 2010 Spoofing issue preventing connections


Been struggling with IP spoofing issues on our TMG 2010 server.

We have web services published to public IPs all bound to a NIC called WAN-PUBLIC which then NATs to the internal IPs on the web servers.

In certain scenarios we’re unable to gain access to the servers and the ISA logs are full of spoofing errors such as this:

Log type: Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule: None - see Result Code
Source: Local Host (213.122.169.54:18816)
Destination: Internal (192.168.9.130:443)
Protocol: HTTPS

The source host in this scenario is an IIS server / NLB using ARR so it’s almost acting like a reverse proxy.

Below are the relevant public IPs bound to the WAN NIC and, as you can see, it has a default gateway set of an upstream ISP router.

Ethernet adapter WAN-PUBLIC:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 213.122.169.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.51
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.52
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.53
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.54
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.55
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.56
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.57
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.58
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 213.122.169.59
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 213.122.169.49

Below is the internal NIC of the ISA server (no gateway set)

Ethernet adapter LAN-PRIVATE:

   IPv4 Address. . . . . . . . . . . : 192.168.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

So the rule above that’s failing is on a 192.168.9.x network, this network has a manual route defined that’s an internal core switch.

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask         Gateway       Interface Metric
          0.0.0.0         0.0.0.0   213.122.169.49   213.122.169.50   266
       10.10.10.0   255.255.255.0      192.168.0.2     192.168.0.1     11
        127.0.0.0       255.0.0.0         On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255        On-link         127.0.0.1   306
      192.168.0.0   255.255.255.0         On-link       192.168.0.1   266
      192.168.0.1  255.255.255.255        On-link       192.168.0.1   266
    192.168.0.103  255.255.255.255   192.168.0.103    192.168.0.107    31
    192.168.0.107  255.255.255.255        On-link     192.168.0.107   286
    192.168.0.255  255.255.255.255        On-link       192.168.0.1   266
      192.168.9.0   255.255.255.0      192.168.0.2     192.168.0.1     11
    213.122.169.0    255.255.255.0        On-link    213.122.169.50   266
   213.122.169.50  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.51  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.52  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.53  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.54  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.55  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.56  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.57  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.58  255.255.255.255        On-link    213.122.169.50   266
   213.122.169.59  255.255.255.255        On-link    213.122.169.50   266
  213.122.169.255  255.255.255.255        On-link    213.122.169.50   266
        224.0.0.0       240.0.0.0         On-link        127.0.0.1    306
        224.0.0.0       240.0.0.0         On-link      192.168.0.1    266
        224.0.0.0       240.0.0.0         On-link   213.122.169.50    266
        224.0.0.0       240.0.0.0         On-link    192.168.0.107    286
  255.255.255.255  255.255.255.255        On-link         127.0.0.1   306
  255.255.255.255  255.255.255.255        On-link       192.168.0.1   266
  255.255.255.255  255.255.255.255        On-link    213.122.169.50   266
  255.255.255.255  255.255.255.255        On-link     192.168.0.107   286
===========================================================================
Persistent Routes:
  Network Address         Netmask  Gateway Address  Metric
      192.168.9.0   255.255.255.0      192.168.0.2      1
       10.10.10.0   255.255.255.0      192.168.0.2      1
         0.0.0.0          0.0.0.0   213.122.169.49  Default

The 192.168.9.x network range has been defined within the ISA Network tab to the “Internal Nic”

I’ve run the ISA BPA and that’s not detected a configuration issue.

Any thoughts on how to proceed?

Slow Internet access with TMG 2010 + Windows Server 2008 R2 running on windows server 2012 hyper-v


I'm using Windows Server 2012 Datacenter Hyper-V; one of my VMs runs TMG 2010 on Win 2008 R2.

The VM configuration:

4G RAM, 2 NIC, 1 virtual processor, and the external NIC connected to a 10M internet connection.

My network contains 2 VLANs; the TMG belongs to the 1st VLAN, and browsing is very fast with no problems.

In the 2nd VLAN browsing is very slow.

Ping to my TMG IP is <1ms with no delay.

How to fix this issue?

TMG ISP Load Balancing and publish sites


Hello,

Can I configure ISP Load Balancing and publish internal site in one TMG Array?

Two RSA securid through one TMG server


Hi

One of the RSA servers is already configured; I am currently trying to configure another RSA SecurID to authenticate through the same gateway. As I have noticed, you can only copy a single sdconfig file to the location. I'd appreciate your thoughts and suggestions on how I can achieve this task.

Thanks

Ashneil Singh

TMG site running slow.


We have a site which we access using RSA token TMG.

Sometimes the site is faster but sometimes it takes a long time to process each request.

The site works fine internally.

Don't know why it would be doing this.


internal ip 192.168.0.140 will have a look at an other internal PC with ip 192.168.0.119 to get a microsoft update.

Hi guys,

Can someone explain what happened here?

I cannot understand why the internal IP 192.168.0.140 will have a look at another internal PC with IP 192.168.0.119 to get a Microsoft update.

192.168.0.119 is NOT the default gateway (192.168.0.200)

Fehlgeschlagener Verbindungsversuch     TMG200 08.05.2013 09:13:59
Protokolltyp: Webproxy (Forward)
Status: 10060 Ein Verbindungsversuch ist fehlgeschlagen, da die Gegenstelle nach einer bestimmten Zeitspanne nicht richtig reagiert hat, oder die hergestellte Verbindung war fehlerhaft, da der verbundene Host nicht reagiert hat.
Regel: Vollzugriff extern
Quelle: Intern (192.168.0.140:1072)
Ziel: Lokaler Host (192.168.0.119:80)
Anforderung: GET http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab?1305080711
Filterinformationen: Req ID: 0b8cb8df
Protokoll: http
Benutzer: anonymous

Zusätzliche Informationen

    Client agent: Windows-Update-Agent
    Objektquelle: Internet (Quelle ist das Internet. Das Objekt wurde zum Cache hinzugefügt.)
    Cacheinformationen: 0x0
    Verarbeitungszeit: 63109 MIME type:

Thanks in advance

Richard

TMG not allowing X-MicrosoftAjax headers


Hi,

How do I allow the X-MicrosoftAjax header?

We have a website which is being accessed from TMG; when we click on the data text box, we don't get the Ajax calendar opening.

Can someone please let me know how I allow this?

This works fine without the TMG.

Internet Explorer 9 breaks Forefront TMG Management Tools


Hello

We use here TMG Management tools to administrate a TMG array remotely, and after installing IE9 (RTM), these tools give all kinds of error messages like 'member not found', 'refresh failed' and so on. Is there a (hot)fix for this?

Thanks in advance,


Jeroen.

TMG 2010 web protection license renewal

Is it possible to renew the license after expiration?

Application Presentation TMG Server Can't Browse Web


Hey guys,

From my TMG server, I cannot get to any web pages. I can ping google.com, so I know I can get to the Internet. Also, we are publishing internal application through this TMG to the outside world. I get the error in the following image:

As far as I know there are no settings that would prohibit web pages from showing. I need to update my TMG server so this is a problem. Windows Update fails too. How can I troubleshoot this? Remember I CAN ping google.com so I know I can get out.
