Channel: Forefront TMG and ISA Server forum

Issue with Publishing OWA

Hello,

   Having an issue with Outlook Web Access 2010 and Threat Management Gateway.  The OWA login screen comes up when the mailbox.mrm2inc.com/owa is entered into the browser, both internally and externally.  Internally when the user enters their username and password they are able to get to their email.  When a user externally enters in their username and password, it flashes off the screen and back to the login screen.  Anyone have any idea what would cause this?


Michael R. Mastro II


TMG Migration Cross-forest

Hi people,

I have a standalone TMG array forming two servers.
I have to migrate to a new AD forest.
I am using ADMT 3.2 to migrate.
I wanted to know what are the steps I have to take to migrate my array of two TMG servers from one domain to another.
Is it enough to put in the new domain? Is there a specific order to migrate? First he the array and then the array manager manage?

Do I have to use ADMT to migrate the TMG to the new domain?

thank you very much

ISA Server: Connectivity error. Error details: 10060

Hi,

We have a server onsite and staff are able to access it from the outside, using a URL. However, recently it has stopped working.

I have gone onto the ISA server where the rule was set and done a test connection. However, it has returned with the following error. We have not made a change in here from when it was working.

Category: Connectivity error
Error details: 10060 - A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965

Configure multiple SSL certificates for same IP address (ISA Server) Issue? Urgent help Required...

Hi All,

We have 3 SharePoint applications running on SharePoint server (IP: 10.3.4.1).

The two applications (one.domain.com & two.domain.com) are using a certificate targeted to *.domain.com. This certificate is configured on IIS server as well as it is bind to IP address 10.3.4.1 on ISA server 2006.

The third application (three.otherdomain.com) is using different certificate targeted at three.otherdomain.com. This certificate is configured on IIS server but unfortunately I cannot assign multiple certificates to same IP on ISA server 2006 since it is not possible (as per my understanding from google search).

Due to the above issue I am getting the certificate error while trying to access the web application https://three.otherdomain.com.
The error is...

three.otherdomain.com uses an invalid security certificate.

The certificate is only valid for the following names:
*.domain.com , domain.com

(Error code: ssl_error_bad_cert_domain)


Please guide me on this issue. Will assigning multiple IP addresses to the same server help me?

I also found that all these 3 applications have same public IP. Can this be a problem?

Appreciate your help & support.

Thanks,
Rahul Babar


ASP.NET, C# 4.0, Sharepoint 2007/2010, Infopath 2007/2010 Developer http://sharepoint247.wordpress.com/

Users in Exceptions in From Tab

Hi,

Is it possible to add users in exceptions in a firewall rule? I have a blocked-website rule; in the From tab of this rule, in the exceptions, I can add only network entities. I want to make an exception for a group of Windows users.

http://prntscr.com/14tcet

Regards

Usman Ghani


Usman Ghani - MCITP Exchange 2010

Certain website Failed Connection Attempt/Denied Connection

All other websites are working with authentication however one particular website is being denied for some strange reason?

Does anyone have any ideas as to why?

Denied Connection PERDMZ01 14/05/2013 10:07:58 AM 
Log type: Web Proxy (Forward) 
Status: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  
Rule: Allow Web Access for All Users - Authenticated 
Request: GET http://www.medallionclub.com.au/ 
Filter information: Req ID: 098601fe; Compression: client=No, server=No, compress rate=0% decompress rate=0% 
Protocol: http 
User: anonymous 

Failed Connection Attempt PERDMZ01 14/05/2013 10:07:58 AM 
Log type: Web Proxy (Forward) 
Status: 5 Access is denied.  
Rule: Allow Web Access for All Users - Authenticated 
Request: GET http://www.medallionclub.com.au/ 
Filter information: Req ID: 098601ff; Compression: client=No, server=No, compress rate=0% decompress rate=0% 
Protocol: http 
User: anonymous 


Forefront TMG running slow browsing

For some reason our Forefront TMG is running slow.

When accessing the IIS site from within the company without going through Forefront TMG it works faster, but when you try to log in externally using the Forefront TMG RSA token it takes a few minutes to load each page.

This has been happening for a few days now. Nothing has been changed which I can think might have caused this.

Block TeamViewer FTP from TMG2010

I have TMG 2010 Enterprise SP2 in my org. I have created several rules which work very well.

Sometimes we need to give TeamViewer access to a client PC; for that I have created an access rule to 

Q1: I want to block FTP in TeamViewer; is this possible? I have blocked FTP for the entire org, but TeamViewer will use a different FTP. Is it possible to block that also?

See the image for the access rule which I created for TeamViewer access.


Akshay Pate Server Administrator


OpenVPN client behind TMG

Hello,

I'm trying to create a site-to-site connection using OpenVPN.

The OpenVPN client is installed on the same VM with TMG. I set two firewall rules for this:
- from localhost to aaa.bbb.ccc.ddd, All outbound ports
- from aaa.bbb.ccc.ddd to localhost, All outbound ports

When I try to establish the VPN connection, the following events appear in "Logs & Reports"

Initiated Connection
Log type:Firewall service
Status: The operation completed successfully.
Rule: aaa.bbb.ccc.ddd allow outbound traffic
Source:Local Host (xx.xx.xx.xx:54346)
Destination:External (aaa.bbb.ccc.ddd:1194)

Closed Connection
Log type:Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Rule:aaa.bbb.ccc.ddd allow outbound traffic
Source:Local Host (xx.xx.xx.xx:63415)
Destination:External (aaa.bbb.ccc.ddd:1194)

If I try to telnet on port 1194, the connection fails, so it seems that the port is still blocked. Any idea how to solve this?

Kind regards,
Adrian

Weird HTTPS issue

Hey Guys,

So I have a remote support appliance I'm trying to publish behind the ISA server we have (2006). I published the appliance as a web-server. It does all its communication over 443. 

The rule works fine when accessing the site from the browser. I get nice logging saying src (external 70.x.x.x) and destination (Ip of INTERNAL SERVER)
Request: Get http://legitmate.site.com/download* - allowed connection

Now once the web browser downloads the client and begins to run the client is trying to access the internal server BUT my logging reports this now -

Denied connection - 12202 The Isa Server denied the specified URL

Src: External

Dest: GET http://192.168.100.59/np

Rule: default 

That 192 address is the address of the weblistener address - that address is natted through my firewall to a public address.

(public address)  <-NAT-> (weblistener) -> (internal server)

                          firewall

I have tried every single access rule I could possibly think of. No matter what, once the client wants to contact that public address the logging changes to the destination of the weblistener and not the internal address like when the rule allows the connection.

Any help would be appreciated. 

Web publishing rule together with Server publishing Rule port 443

Hi,

I have the following situation

  • 3-leg TMG2010 Server (external,perimeter,internal)
  • Only 1 public IP
  • Citrix Access Gateway (in dmz)
  • Apache Web Server (in dmz)

I need to publish the Apache as well as the CAG at port 443. CAG needs to be a server publishing rule according to a Citrix Article.

I also made a web publishing rule for the Apache web server with SSL certificate included. If I use these 2 rules separately, it works perfectly. When I use the web publishing rule (Apache) in front of the server publishing rule (CAG) it fails to access my CAG because it fails on the Apache rule and the CAG rule is ignored. Is it possible to use both rules together to achieve what I want, or should I look for another solution?

thanks in advance

Routing/Chaining Failure TMG Detected a Loop

Hi Folks;

I'm having an issue with TMG 2010 in that I'm seeing reports of Routing/Chaining failure / TMG Detected a Loop;

Event id 14141

Forefront TMG detected a proxy server loop. There may be a problem in the configuration of the Forefront TMG Web chaining policy. Alternatively, in Enterprise Edition, when CARP is enabled and there are intermittent interruptions of intra-array connectivity, array member A may forward a request to array member B according to the CARP algorithm, and array member B may forward the request to array member A in an endless loop.

A look at the log files indicates that this error occurs when the localhost (the TMG 2010 VM itself) is connecting to Microsoft to check for Windows Updates. This is the only time the error occurs and it occurs often.

Here's a snippet to illustrate;

Microsoft-CryptoAPI/6.1  Proxy - 65.54.87.108 TCP GET Req ID: 0a655fc7; Compression: client=No, server=No, compress rate=0% decompress rate=0% - 0x110 0x0 58066 SecureNAT     1 3923 201 - 5/14/2013 1:23:26 AM - - 0 - 0 - - - - - - 0 0         From cache  65.54.87.108 5/13/2013 6:23:26 PM Local Host xx.external.IP.xx External 65.54.87.108 80 http Failed Connection Attempt  -  - - 

[System] Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads)  

12206 Forefront TMG detected a proxy chain loop. There is a problem with the configuration of the Forefront TMG routing policy. Please contact your server administrator.  anonymous http://65.54.87.108/pki/mscorp/crl/mswww(6).crl EDGE Technical Information Web Proxy Filter   -   0 - 

Is there anyone left in the groups with knowledge of TMG 2010? I've already looked on the web for information relating to this but none seems relevant. I think the key is in the fact that it only happens when the local host goes off to Microsoft to check for Windows Updates.



TMG 2010 detected SYN attack and all Client in Internal network can not access to Internet

Dear All

My system using TMG 2010 has the error "Forefront TMG detected a possible SYN attack and will protect the network accordingly" and all PC clients cannot access the Internet.

There are some legal reasons for a client which creates more connections at a time to my customer for their work.

Please help me fix this problem.

No Internet when using TMG Client

Hi, we've been running on TMG 2010 for many months now and it's been working great. Now, to fully use the reporting feature, we'd like to enable the authentication feature. The current setup is providing WPAD through DHCP. Now we wanted to test the TMG Client for Windows as we thought it would cause less of a nightmare dealing with proxy settings in non-IE apps (e.g. Dropbox). I enabled the TMG client support for my internal network and installed the client on one machine. The client detects TMG (only one server) and also shows the little green icon on it. But the thing is I can't browse any web site. It just keeps rolling and rolling. I looked at the logs on TMG and saw all the requests my computer makes, and they all show as "authorized". For test purposes I added, for a small amount of time, a rule allowing all outbound traffic from Internal to LocalHost (TMG) and it still doesn't work.

Any idea or help would be appreciated :)

thanks


[ISA 2006][Website Publishing] intermittent sc-status-code 64 after switching to HTTPS

We are publishing a website through ISA to client desktop

client desktop --> ISA --> IIS servers

The whole transmission is within our company internal network, just passing through different zones.

There are 2 IIS servers, using Win2k8 NLB (network load balancing) to share a virtual IP address to receive request from ISA.

ISA is using a Website Publishing Rule to receive and redirect request.

Meanwhile, all transmission is under HTTP, it works fine.



Now we want to switch to HTTPS, so we created another Website Publishing Rule on ISA, to listen on port 443 and redirect to IIS servers' port 443.

IIS servers also opened port 443 for that same website.

Both ISA and IIS servers use the same SSL certificate to publish the website.

It seems to be working, until the load test.



Out of the thousands of requests each day, there must be a few (less than 10) requests that failed.

No error in IIS servers log. Those failed requests were successfully received and returned, with http response code 200.

But ISA log showed sc-status code 64.

ISA Diagnostic Log showed this error message

"ISA Server rejected the request with the HTTP status code 0 and will return the following error message to the Web client. "The specified network name is no longer available. (64)""

And client would receive an error html page, saying "Error Code 64: Host not available. The connection to the Web server was lost."



Googled a bit, seems to have many possible causes, including driver bug or router, switch error.

I tried to use Microsoft Network Monitor. But honestly, I have no idea how to troubleshoot........





Skydrive - Block Upload and allow Downloads files

Hello,

" Skydrive.live.com ".

Is it possible to block users from uploading files and allow downloading files from SkyDrive?

In my private network some users are using SkyDrive to publish private files. I want to block all upload traffic. But I want to allow users to view, share and download every file from SkyDrive.

So, block upload and allow download of files.

Is it possible?

Thanks


Ronald - Rio de Janeiro - Brasil

problem in https inspection

Dear all,

I am facing a problem with TMG HTTPS inspection, as follows:

Whenever I turn on HTTPS inspection on our TMG, and I have made an exception for some users to access Facebook, the complete Facebook page does not load; it loads partially and is also completely scattered, i.e. images, links, friends are not organized.

Whenever I turn off HTTPS inspection, users use Skype etc.

Please fix my issue.

thanks

Publishing Zimbra server through TMG 2010 using IMAP

I have a mail server Zimbra and I need help to publish the service through the TMG using IMAP protocol that allows me to check emails through internet.

Regards.

authentication keep prompting when go to internet

Hi. Recently, when going to an external site, all of us keep getting a proxy authentication prompt. Any help would be appreciated.

We are using IE7 and 8, and for the proxy server we are using Microsoft TMG 2010.

Thank you.

RDP through TMG doesn't work

I have a problem remoting through the Internet to my LAN recently.

I can connect to TMG through the Internet; however, it’s not possible to connect to a local computer in the LAN using port (79.XXX.XXX.XXX:20221).

I set it up before and it worked properly but it doesn’t work now.
