Channel: Forefront TMG and ISA Server forum

Forefront TMG 2010 Tunnel to Racoon


Hi,

I'm trying to establish an IPSec tunnel to a racoon server which is behind NAT.

When I configure aggressive mode on the racoon I get an error that usually indicates mismatched mode (aggressive/main):

May 22 15:59:01 C9160615036 racoon: [public_ip] ERROR: exchange Identity Protection not allowed in any applicable rmconf.

When I change to main mode the tunnel seems to be established but is being purged immediately:

May 22 16:02:38 C9160615036 racoon: INFO: Adding remote and local NAT-D payloads.
May 22 16:02:38 C9160615036 racoon: INFO: NAT-T: ports changed to: xxxxx[4500]<->10.16.56.229[4500]
May 22 16:02:38 C9160615036 racoon: INFO: KA list add: 10.16.56.229[4500]->xxxxxxx[4500]
May 22 16:02:38 C9160615036 racoon: INFO: ISAKMP-SA established 10.16.56.229[4500]-xxxxx[4500] spi:b543b2b44c07eb63:57a31818c6517c7d
May 22 16:02:38 C9160615036 racoon: INFO: respond new phase 2 negotiation: 10.16.56.229[4500]<=>xxxxxx[4500]
May 22 16:02:38 C9160615036 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 22 16:02:38 C9160615036 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
May 22 16:02:38 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->xxxxxxxx[4500] spi=54437926(0x33ea826)
May 22 16:02:38 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->xxxxxxxx[4500] spi=1334098996(0x4f84bc34)
May 22 16:02:41 C9160615036 racoon: INFO: respond new phase 2 negotiation: 10.16.56.229[4500]<=>xxxxxxx[4500]
May 22 16:02:41 C9160615036 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 22 16:02:41 C9160615036 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
May 22 16:02:41 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->xxxxxxx[4500] spi=111203544(0x6a0d4d8)
May 22 16:02:41 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->xxxxxxxxxxx[4500] spi=827354367(0x31506cff)
May 22 16:02:41 C9160615036 racoon: INFO: purged IPsec-SA proto_id=ESP spi=1334098996.
May 22 16:02:46 C9160615036 racoon: INFO: respond new phase 2 negotiation: 10.16.56.229[4500]<=>xxxxxxxxxx[4500]
May 22 16:02:46 C9160615036 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
May 22 16:02:46 C9160615036 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
May 22 16:02:46 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->xxxxxxxxxx[4500] spi=57622458(0x36f3fba)
May 22 16:02:46 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->xxxxxxxxx[4500] spi=500826022(0x1dd9ffa6)
May 22 16:02:46 C9160615036 racoon: INFO: purged IPsec-SA proto_id=ESP spi=827354367.

Does TMG not support IKE Aggressive mode?

Any idea why it might get purged when using main mode?

This is the racoon conf:

log info;

path pre_shared_key "/etc/racoon/psk.txt";

listen
{
    isakmp 10.16.56.229 [500];
    isakmp_natt 10.16.56.229 [4500];
}

remote anonymous
{
#    exchange_mode main;
    nat_traversal on;
    lifetime time 24 hour;

    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo anonymous
{
    lifetime time 24 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

Thanks!!
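The log above shows phase 2 SAs being torn down seconds after they are established, far short of the configured 24-hour lifetime. As an added example (not part of the post, and not racoon's own tooling), the following Python parses racoon INFO lines, pairs each "IPsec-SA established" SPI with its "purged" line, and flags SAs that lived less than a threshold. The sample log is constructed from the lines in the post, with the masked peer address replaced by the documentation address 198.51.100.7.

```python
import re
from datetime import datetime

# Constructed sample modelled on the racoon log in the post above; the peer's
# masked public address is replaced with a documentation address (198.51.100.7).
SAMPLE_LOG = """\
May 22 16:02:38 C9160615036 racoon: INFO: ISAKMP-SA established 10.16.56.229[4500]-198.51.100.7[4500] spi:b543b2b44c07eb63:57a31818c6517c7d
May 22 16:02:38 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->198.51.100.7[4500] spi=54437926(0x33ea826)
May 22 16:02:38 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->198.51.100.7[4500] spi=1334098996(0x4f84bc34)
May 22 16:02:41 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->198.51.100.7[4500] spi=111203544(0x6a0d4d8)
May 22 16:02:41 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->198.51.100.7[4500] spi=827354367(0x31506cff)
May 22 16:02:41 C9160615036 racoon: INFO: purged IPsec-SA proto_id=ESP spi=1334098996.
May 22 16:02:46 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->198.51.100.7[4500] spi=57622458(0x36f3fba)
May 22 16:02:46 C9160615036 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.16.56.229[4500]->198.51.100.7[4500] spi=500826022(0x1dd9ffa6)
May 22 16:02:46 C9160615036 racoon: INFO: purged IPsec-SA proto_id=ESP spi=827354367.
"""

# Syslog prefix: "Mon DD HH:MM:SS host racoon: "
SYSLOG_TS = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ racoon: "
ESTABLISHED_RE = re.compile(
    SYSLOG_TS + r"INFO: IPsec-SA established: ESP/(?P<mode>\w+) .*? spi=(?P<spi>\d+)\(")
PURGED_RE = re.compile(
    SYSLOG_TS + r"INFO: purged IPsec-SA proto_id=ESP spi=(?P<spi>\d+)\.")


def _parse_ts(text):
    # Syslog timestamps carry no year; only the differences matter here.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def track_ipsec_sas(log_text):
    """Map each ESP SPI to its establishment time, encapsulation mode and
    purge time (None if never purged in the log), in first-seen order."""
    sas = {}
    for line in log_text.splitlines():
        m = ESTABLISHED_RE.match(line)
        if m:
            sas[int(m["spi"])] = {"established": _parse_ts(m["ts"]),
                                  "mode": m["mode"], "purged": None}
            continue
        m = PURGED_RE.match(line)
        if m and int(m["spi"]) in sas:
            sas[int(m["spi"])]["purged"] = _parse_ts(m["ts"])
    return sas


def short_lived_sas(log_text, min_lifetime_s=60):
    """Return (spi, lifetime_seconds) for SAs purged sooner than
    min_lifetime_s after establishment. With a 24-hour configured
    lifetime, any entry here points at a peer-side teardown or mismatch."""
    flagged = []
    for spi, sa in track_ipsec_sas(log_text).items():
        if sa["purged"] is None:
            continue
        lifetime = (sa["purged"] - sa["established"]).total_seconds()
        if lifetime < min_lifetime_s:
            flagged.append((spi, lifetime))
    return flagged


if __name__ == "__main__":
    for spi, life in short_lived_sas(SAMPLE_LOG):
        print(f"SPI {spi} purged after {life:.0f}s")
```

Run against a full /var/log/daemon.log (or wherever racoon logs) to see whether the churn is limited to one peer and whether the purges cluster at a fixed interval.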



[ISA 2006][Website Publishing] intermittent sc-status-code 64 after switching to HTTPS


We are publishing a website through ISA to client desktops

client desktop --> ISA --> IIS servers

The whole transmission is within our company internal network, just passing through different zones.

There are 2 IIS servers, using Win2k8 NLB (network load balancing) to share a virtual IP address to receive requests from ISA.

ISA is using a Website Publishing Rule to receive and redirect requests.

While all transmission is under HTTP, it works fine.



Now we want to switch to HTTPS, so we created another Website Publishing Rule on ISA, to listen on port 443 and redirect to IIS servers' port 443.

IIS servers also opened port 443 for that same website.

Both ISA and IIS servers use the same SSL certificate to publish the website.

It seems to be working, until the load test.



Out of the thousands of requests each day, there are always a few (fewer than 10) that fail.

No error in IIS servers log. Those failed requests were successfully received and returned, with http response code 200.

But ISA log showed sc-status code 64.

ISA Diagnostic Log showed this error message

"ISA Server rejected the request with the HTTP status code 0 and will return the following error message to the Web client. "The specified network name is no longer available. (64)""

And client would receive an error html page, saying "Error Code 64: Host not available. The connection to the Web server was lost."



Googled a bit; it seems to have many possible causes, including a driver bug or a router/switch error.

I tried to use Microsoft Network Monitor. But honestly, I have no idea how to troubleshoot...




High Processing Time and Latency


Have a strange issue at the moment: an HTTPS website bypassing the proxy is experiencing a 12 sec delay from the SYN hitting the Internal TMG interface to being output through the TMG's Outside interface.

Subsequent packets for the connection are fine, including SYNs for new connections, but if left for approx. 5 mins, there is a 12 sec delay for the next SYN.

TMG Logging shows the packet experiencing a 12000ms Processing Time compared to 0ms when not delayed; either way, logging shows Success.

URL Filtering is disabled, HTTPS Inspection is disabled, Malware Inspection is disabled, site in NIS exemption, site in Flood Mitigation exemptions, manual DNS lookup of address on TMG always completes instantly, logging shows not being blocked, CPU/Mem are fine.

This only appears to be happening to this one site but is causing a deal of frustration on a critical app - would greatly appreciate any suggestions.

Server: 2008 R2 Enterprise 64bit
TMG:  7.0.9193.500 (TMG 2010 SP2)

Publish Exchange/RD Gateway/DirectAccess 2012 with 1 public IP address


Hello,

I am looking for a solution to publish 3 services using Forefront TMG:

1) Exchange 2010 (owa/rpc/ActiveSync) (port 443)

2) RD Gateway (also using 443)

3) DirectAccess 2012 (also using port 443)

This is all for a working lab environment.

Can this be done using Forefront TMG, and how should I configure this?

Thx

HTTPS web filter using a SecureNAT Client


Hi,

We are using ISA Server 2004 on Windows Server 2003. Now we are facing an issue while implementing HTTPS site filtering. We are able to block https://youtube.com and https://facebook.com using a domain name set and URL set, but this is working only for clients who are browsing the internet from the proxy address (192.168.0.2:8080) or else using a Firewall Client...

If my client machine browses the internet as a SecureNAT client, I mean keeping the gateway address as the ISA Server IP, they are able to browse https://youtube.com and https://facebook.com.

So, my question is: will SecureNAT Client not support web filtering for HTTPS traffic? Do I have to use Web Proxy or Firewall Client?

Please Help...

Thanks....

Full backup of TMG by Symantec's NetBackup


Hi All,

 

Trying to get a full tape backup of my TMG server with Symantec NetBackup 7.0. My TMG is a single NIC proxy for Exchange.

Has anyone else successfully done this? Any pointers on what the firewall/access rule should look like?

Thanks!

PS: I know I can (and have) backed up the config of the TMG - but company standards also require a full tape backup by the big NetBackup install we have.

Publish ConfigMgr 2007 Native Mode Site via a Forefront TMG Server with Exchange Already Published


I am asking this question to the Forefront TMG community because I believe the problem lies in the Forefront configuration and not on my SCCM server.

We are having trouble configuring a non-web server publishing rule (as noted in appendix E here: http://technet.microsoft.com/en-us/library/cc707697.aspx#AppendixE) for our native mode SCCM site because a listener is already configured for our Exchange 2010 environment on the Forefront TMG primary NIC/IP using port 443.

The documentation here (http://technet.microsoft.com/en-us/library/cc707697.aspx) states "Do not create Web listeners that use the same IP address and port combination as existing server publishing rules or Web listeners. Doing so will cause both to fail".

Please note that I am primarily a SCCM administrator so most of my experience lies there. I did read technet documentation on Forefront but I am new to the concepts and I think that's where I could use your help. I was not involved in setting up the Forefront TMG server; our team's sysadmin did that last year, and he has been involved in helping me troubleshoot this issue. At this point in our troubleshooting, we need advice from a Forefront TMG or ISA specialist who can point us in what direction to go in next.

Here's what our environment looks like:

Environment Overview:
We are a department within a larger academic institution. We have our own domain, our own subnet, and administer all our resources ourselves, but our environment lies within the larger institution's internal network. The parent institution manages the DMZ but not our domain. We have a Forefront TMG server in the DMZ that manages Internet access/traffic for our domain. The dc, forefront server, sccm server, and mail server are all separate servers. All are running Server 2008R2 SP1. All servers except for the forefront server are on the intranet and domain-joined to our dept.org.edu domain.

SCCM Site:
- We are conducting a mixed mode to native mode site migration for a production site
- The site is a single site on single site server on our intranet with ~200 clients
- The clients primarily connect from the intranet but we also need Internet connectivity as well because users frequently take their laptops out of the office for long periods of time, resulting in them becoming noncompliant with software updates, inventory collection, et cetera.
- We do not have the available resources to have additional sccm role servers in the perimeter network/DMZ
- Desired configuration for native mode is this: http://technet.microsoft.com/en-us/library/bb632529.aspx
- We have the site server signing certificate, web certificate, and client autoenrollment certificates configured correctly
- I am using the default website and ports 80/443 for the SCCM site, and the custom website ports 8530/8531 for 
- We have a 2008 CA (the primary 2008R2 DC on our 2008-level domain)
- The AD Schema is extended
- As far as I can tell, everything is configured correctly in preparation for native mode from the internal sccm server side
- The site server is serverA.dept.org.edu
- The FQDN for the intRAnet website is serverA.dept.org.edu; I can connect to the internal website from the intRAnet using both http and https
- The FQDN for the intERnet website is cfgmgr.dept.org.edu; I can connect to this using cfgmgr.dept.org.edu from the intranet using both http and https
- On the intranet DNS, a host (A) record exists for serverA and an alias (CNAME) record exists for cfgmgr pointing to serverA.dept.org.edu
- I have not thrown the native mode switch yet because I do not want clients to become unmanaged, so I do not plan to actually switch to native mode until we resolve the below-described problem

Forefront TMG Server:
- OS is Server 2008R2 Server with Forefront TMG 2010
- TMG server is not domain-joined (it's in a workgroup) and the domain administrator does not want it joined to any domain. I am aware that because of this, we must use tunneling instead of bridging for publishing as stated in bullet point 2 of the requirements here: http://technet.microsoft.com/en-us/library/cc707697.aspx
- TMG Server already has successful publishing set up for our domain's Exchange 2010 OWA, ActiveSync, and Outlook Anywhere. These are using a listener on SSL 443 with Forms authentication. These work correctly. 
- TMG Server has three NICs configured (of the 6 installed): First one is public and disabled, second is private DMZ 192.x.x.50, and third is private DMZ 192.x.x.51
- DNS A records exist on the Forefront TMG server for serverA.dept.org.edu (points to the static intRAnet IP address), for cfgmgr.dept.org.edu (points to 192.x.x.51), the intRAnet's primary domain controller (points to the PDC's intRAnet IP address), and for the TMG forefront server itself (points to 192.x.x.50).
- The parent organization NAT-ed and configured IP addresses for the third NIC, which we then configured because we read: "Do not create Web listeners that use the same IP address and port combination as existing server publishing rules or Web listeners. Doing so will cause both to fail" in http://technet.microsoft.com/en-us/library/cc707697.aspx. Our thought was that we could use a second NIC/IP/port combination to create a second listener/publishing rule for SCCM separate from the Exchange listener.
- We created a custom network within the network on the TMG server console (Networking / Networks tab) named cfgmgr in order to utilize connections from the 192.x.x.51 IP/SSL port:
 - The address range for this network is 192.x.x.51, the domains tab lists dept.org.edu, the web browser tab has Bypass proxy for web servers in this network and Directly access computers specified in the domains tab checked, auto discovery is not configured, Forefront TMG Client is not enabled, and web proxy client connections is enabled with http using port 8080 and SSL using 443, with the SCCM Web server certificate added here by us importing it to the Personal store of the computer account certificates store of the TMG server. Integrated and Basic authentication are both enabled.
 - The 192.x.x.51 address was removed from the Internal network in order to create the custom network (it wouldn't allow the IP address to be in both).
- We created a Firewall Policy non-web server publication named configmgr:
 The policy is enabled, action is set to "allow" and it's set to log requests, traffic is set to HTTPS Server, from is set to Anywhere, To is set to the intRAnet IP address of the SCCM server, requests are set to look like they're coming from the Forefront TMG computer (we've tried both options with no change in results), Networks is set to cfgmgr, and schedule is always.

Test laptop:
- Test laptop is a machine joined to our intranet domain, it has client certificates configured correctly as far as I can tell, and when on the local intranet can connect to the IIS website as described above using both http and https.
- We are testing from a public wireless network that is not part of our domain and is external to the parent organization's network.
- Laptop client firewall is currently turned off for all networks
- Laptop is a Win 7 SP1 Enterprise machine

We are testing by attempting to connect to the IIS website for the SCCM server using the https://cfgmgr.dept.org.edu address or https://cfgmgrpublicIP while on the public wireless. Attempts to connect to https://serverA.dept.org.edu or any http combination of these fail as predicted and desired.

When connecting to either of these, we get a strange "Network Access Message" error with error code: "502 Proxy Error. The URL does not use a recognized protocol. Either the protocol is not supported or the request was not typed correctly. Confirm that a valid protocol is in use (for example, HTTP for a Web request). (12006)
IP Address: 192.x.x.51
Server: TMGforefront.dept.org.edu
Source: proxy"

In the error log on the forefront server, I see two errors. 

Denied Connection
Log type: Firewall service 
Status: A packet was dropped because its destination IP address is unreachable.  
Rule: None - see Result Code 
Source: Local Host (192.x.x.51:137) 
Destination: Internal (192.168.255.255:137) 
Protocol: NetBios Name Service 
 Additional information 
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.x.x.51

Denied Connection
Log type: Firewall service 
Status: The policy rules do not allow the user request.  
Rule: Default rule 
Source: Local Host (192.x.x.51:137) 
Destination: Local Host (192.168.255.255:137) 
Protocol: NetBios Name Service 
 Additional information 
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.x.x.51 

A strange finding: https://TMGforefront.dept.org.edu redirects to our OWA webmail with a certificate warning.
 
What are we doing wrong? Is there a better way to configure it than to use a second NIC? Can I/should I publish the site using Web publishing instead of non-web server publishing? I was reviewing the documentation for publishing multiple websites over https (http://technet.microsoft.com/en-us/library/cc441449.aspx) and wondering if that was a possibility for us. I will be glad to provide more details if that would be helpful, and especially appreciate anyone's advice.

Thank you.

I got this error message: "Error Code: 414 Request-URL too Large. The size of the request header is too large. Contact your Forefront TMG administrator. (12215)"


Background:

When the client (OS: Windows 7) wants to access the internet via TMG, it gets this error message:

  • Error Code: 414 Request-URL too Large. The size of the request header is too large. Contact your Forefront TMG administrator. (12215)

Could you do me a favor and help solve this issue?

Many thanks

Hanson


Outlook with GMail email account on IMAP not syncing even if nobody has touched or made any changes on TMG !!!!!! Please HELP

I need some help. We haven't touched anything and our Outlook worked with our Gmail IMAP accounts set up. Now it doesn't work and nobody has changed or touched anything; this is why I am wondering what is happening. Can anyone help me with how to fix it?

MR

Event 701


Hi,

I am using Forefront TMG 2010 on a VMware virtual machine running Windows Server 2008 R2 with 2 GB RAM.

Every night around 00:35 there is an event 701 in the Windows application log saying: There is insufficient memory in resource pool 'internal' to run this query.

I have googled this and there seem to be different ways to get rid of it. Some say the server memory in SQL should be limited, some say that the physical memory should be increased, some say that it does not help to increase memory since SQL will use all available memory for cache anyway.

No other errors are reported in forefront. Is this really an error since everything seems to work fine?

Any suggestions on how to solve this the correct way?

AD authentication from an EXTERNAL (Apache) webserver


Hi,

We have TMG running and we would like to have (an application running on) an EXTERNAL (Apache) web server access our AD for user authentication only.

Would appreciate any suggestion, from you experts, on how/what to configure on the TMG to achieve the above.

Kind regards and thanx in advance!

Charles
X3mGroup 


ISA 2004 - Ping test fails from appliance on network


We have an appliance (IP = 10.10.10.199) on our SBS 2003 (using ISA2004) network (2 NICs, router) from which we can initiate a ping test (using google.com here). ISA blocks it, here is the log:

How can we allow this ping to go through?

ISA 2004 - How to create Non-web Server publishing rule


We use ISA 2004 with SBS 2003 - 2 NICs and a router configuration. We have a hardware appliance (IP = 10.10.10.199) on the internal network that must be accessible from the outside (vendor support). We tried access rules but those did not work. We need port 22, outbound, using TCP, no UDP. We have already port forwarded that port on the router to the external NIC.

We have read that we should create a non-web Server publishing rule. If this is correct, how do we do that? Where do we start?

For instance, if we choose "Server Publishing Rule", it asks for the Server IP address - is that our SBS Server or the Appliance IP ?

If it is the SBS Server - is it the IP address of the Internal NIC or the External NIC?


ISA 2004 - How to stop logging query

We use ISA 2004. In the troubleshooting section we create a filter for a query. After we start the query, how do we stop it? The only way we can stop it is to close ISA Server Management and reopen it. Thanks

0x80070522 A required privilege is not held by the client. when Join TMG server to Array


Dear Team,

 

I have an issue with TMG server; it happens when I try to join a server to another one for Array setup. I tried the following scenarios and all failed:

 

  1. Join TMG1 to TMG2
  2. Join TMG2 to TMG1
  3. Join TMG1 and TMG2 to separate EMS server
  4. Make a fresh installation of Windows and TMG

 

The below error code is appearing with all scenarios

 

Operation Failed.

0x80070522

A required privilege is not held by the client.

 

Also I have the following in TMG logs

 

No answer file was given for the Array Membership Type page

No answer file was given for the Array Manager Details page

 

And this error when I tried with EMS

 

No answer file was given for the Array Membership Type page

No answer file was given for the Enterprise Management Server Details page

No answer file was given for the Join Array page

 

I have TMG 2010 with SP2 for all servers, all servers are members of a managed server array, it is a fresh installation, there is no error message in event viewer, and the user used for the installation has domain admin membership.

 

Looking forward to hearing any hints or guidance from you to solve this issue.

Thanks

Amir


My TMG 2010 server cannot browse External Networks


Hi everyone,
please, I need your help.

I am trying to introduce Microsoft Forefront TMG 2010 on a network as a web proxy server/firewall placed behind a Cisco 2821 router (directly connected to the Cisco router), but the Forefront TMG cannot even access the internet by itself. That is, the localhost cannot even go out to the internet. The internal network was initially connected to the router (192.168.1.x network) with the gateway of the internal network being 192.168.1.1 (router's interface address).
My objective is to introduce this FF TMG so I can use it to block sites and streaming protocols.

Here are my NIC configs:
On the Internal NIC, I configured the IP (192.168.1.1/24), Subnet Mask, No gateway, then DNS (pointing to the local DNS server).

On the External NIC, I configured the IP (192.168.2.1/24), Subnet Mask, Gateway (pointing to the LAN interface of the Cisco 2821 router), No DNS.

I also have the following rules:
Allow Localhost to connect to anywhere (Internal, external, vpn clients)
Allow DNS protocol from both localhost and Internal network, destination - External.

On the Router:
Inside NIC: 192.168.2.2/24
Access List 10: permitting 192.168.1.0/24
NAT rule set: ip nat inside source access list 10 destination (my gateway address)
Default NAT route set: 0.0.0.0 0.0.0.0 4.1.2.3(my gateway address)

I don't have any DMZ in my network. I have even tried connecting the External LAN interface directly to the ISP's modem, bypassing the router, yet I cannot even ping my gateway.
Please study this scenario and tell me what I am missing. It's very urgent that I come up with the solution as it will help me keep my job. I suffered a lot to get this one, and I would be happy to keep it.

Thank you very much in advance

Forwarding UDP port for Remote Desktop Gateway


What is the correct way to forward UDP 3391 port for RDG server?

What direction should I choose for UDP port parameters? "Receive" or "Receive Send" or something else?

Application Presentation TMG Server Can't Browse Web


Hey guys,

From my TMG server, I cannot get to any web pages. I can ping google.com, so I know I can get to the Internet. Also, we are publishing internal applications through this TMG to the outside world. I get the error in the following image:

As far as I know there are no settings that would prohibit web pages from showing. I need to update my TMG server so this is a problem. Windows Update fails too. How can I troubleshoot this? Remember I CAN ping google.com so I know I can get out.

How to open 6080 port on TMG 2010


Hello,

I need to open port 6080 on TMG 2010 for ArcGIS Server. I've created a new protocol (port range: 6080, protocol type: TCP, direction: outbound) but it doesn't seem to work.

Any suggestions?

Thank you in advance.


Forefront Threat Management Gateway 2010 Management console only on Windows Server 2012 Server


Hi, I have installed the Forefront Threat Management Gateway 2010 Management console only on Windows Server 2012. I can connect to the TMG CSS role but I cannot see anything in Array information; it just asks me to create a new array, but I want to manage my existing array on the TMG servers from my management server using this TMG 2010 Management console. Your help is very much appreciated.

Cheers,

Praakassh Ghaitadke
