Channel: Forefront TMG and ISA Server forum

Using TMG 2010 with Hyper-V to support multiple Virtual DMZ hosts


I was looking to accomplish the above scenario and ran across the following post:

http://social.technet.microsoft.com/Forums/en-AU/Forefrontedgesetup/thread/fad4ad74-b50f-4776-8ecf-fcaf257320ab

which basically advises against using TMG and Hyper-V on the same machine.

I have personally tested it and it works beautifully, plus it makes much more sense to me both from a topology and a security standpoint. I have written an article on it, http://www.itguy.gr/2012/01/using-tmg-2010-with-hyper-v-to-support.html, which I believe can help people in similar situations.

In any case I would love to have some expert opinions on the matter.

Many thanks

Andreas


ISA chaining with squid


How can I make ISA Server redirect web requests to a Squid proxy server?

thank you

How to correctly setup certificates on TMG and Exchange 2010


Hi,

I have seen MS best practice how to generate SSL certificate request with several SANs on Exchange, then send it to external CA, import, then export with private key and import again on TMG to use it in listener.

The problem is that we are taking over an environment with following non-standard setup:

1. 1xTMG 2010 Std SP2, Single NIC, Public IP

- OWA publishing rule with separate owa.external.com SSL certificate - signed by external CA
- Autodiscover publishing rule with separate autodiscover.external.com SSL certificate - signed by external CA

Both rules are sending requests to Exch2010 CAS array NLB casnlb.internal.com. 

2. 2x Exch2010 CAS, NLB casnlb.internal.com

- certificates in personal stores on CAS servers: casnlb.internal.com signed by local CA with SANs of CAS1, CAS2, owa.external.com, external.com, autodiscover.external.com

Questions:

1. Having a single-NIC TMG with a public IP, with a rule of "No delegation, allow authenticate directly", is probably not a best practice security-wise, correct? Switching TMG to two-NIC mode to make the firewall engine functional would be an improvement, right?

2. Based on the certificate setup mentioned above, OWA communication between the Internet and TMG is encrypted by the owa.external.com cert; however this certificate is missing on CAS1 and CAS2, therefore OWA communication between TMG and Exchange is not encrypted. Would it be enough to just import those owa.external.com and autodiscover.external.com certificates to CAS1/2? Is there anything else that must be done on Exchange (run commands to assign services to those certificates?)

3. What about this internal casnlb.internal.com certificate? Is it really needed to have a certificate for the DNS name of the CAS NLB IP address?

4. Exchange CAS1/2 don't have access to the Internet, so there will be a problem with those external certificates as the Exchange CAS servers will not be able to connect to the CRL.

Any tips on how to solve this? Thanks
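The certificate workflow the post describes (request with SANs on the CAS, sign externally, import, bind to IIS, export with private key for the second CAS and the TMG listener), as an added Exchange 2010 Management Shell example that is not from the poster. Host names are the post's own; the file paths, the CAS FQDNs under internal.com and the password prompt are assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell on CAS1.
# Names from the post: owa.external.com, autodiscover.external.com, casnlb.internal.com, CAS1, CAS2.
# Assumed: C:\certs\* paths and the CAS1/CAS2 FQDNs under internal.com.

# 1. One request carrying every name that TMG (bridged leg) and the CAS array will present.
#    PrivateKeyExportable must be $true or the cert can never be exported for CAS2 / the TMG listener.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=owa.external.com" `
    -DomainName owa.external.com,autodiscover.external.com,casnlb.internal.com,CAS1.internal.com,CAS2.internal.com `
    -PrivateKeyExportable $true
Set-Content -Path C:\certs\owa.req -Value $req        # submit this CSR to the external CA

# 2. Import the CA-signed certificate; this completes the pending request on CAS1.
Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path C:\certs\owa_signed.cer -Encoding Byte -ReadCount 0))

# 3. Bind it to IIS so OWA/Autodiscover on the CAS use it (the "assign services" step the post asks about).
$thumb = (Get-ExchangeCertificate -DomainName owa.external.com | Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
Enable-ExchangeCertificate -Thumbprint $thumb -Services IIS

# 4. Export with the private key for CAS2 and for the TMG web listener.
$pfxPwd = Read-Host "PFX password" -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $thumb -BinaryEncoded:$true -Password $pfxPwd
Set-Content -Path C:\certs\owa.pfx -Value $pfx.FileData -Encoding Byte

# 5. On CAS2 (same shell, same $pfxPwd): import the PFX and bind IIS the same way.
Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path C:\certs\owa.pfx -Encoding Byte -ReadCount 0)) -Password $pfxPwd
Enable-ExchangeCertificate -Thumbprint $thumb -Services IIS

# 6. Checks: the CAS now holds a cert whose SANs cover the name TMG connects to, and
#    revocation checking from a CAS without Internet access (the post's question 4) is exercised explicitly.
Get-ExchangeCertificate | Format-List Thumbprint,CertificateDomains,Services,NotAfter
certutil -verify -urlfetch C:\certs\owa_signed.cer   # fails on CRL/AIA fetch if the CAS cannot reach the CA's URLs
```

If the certutil check reports a revocation-server failure, either publish the external CA's CRL on a reachable internal location or allow the CAS servers outbound access to that CRL URL before relying on the certificate on the TMG-to-CAS leg.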

How to publish SharePoint 2010 site with Forefront TMG


Hi,

I'm looking for some information on how to go about publishing SharePoint 2010 with Forefront TMG.

Here's my current set up -

  1. intranet.domainname.com port forwarded to internal IP address of TMG 192.168.1.5
  2. Single SharePoint 2010 web application in IIS with bindings intranet.domainname.com
  3. Alternate access mappings set up in SP - intranet.domainname.com and Front end Server name

I'm trying to configure Forefront TMG to allow me to access the SharePoint web site externally using the intranet.domainname.com address.

I'm trying to set it up so I can use the default Forefront TMG login page to authenticate users in active directory.

I've tried setting up publishing rules in TMG and set up a listener but I cannot seem to get the login page to appear.

Could anyone point me in the right direction of how to properly configure SharePoint with a TMG using publishing rules? I really need this to be working and have exhausted the Google searching on how to do this!

Thanks in advance


Forefront TMG 2010 PPTP site-to-site error


I received this error after I configured both TMGs.

Set up ip address for PC client in system using TMG with single network adapter


Dear All

If the system uses TMG with a single network adapter, should the default gateway on the PC client point to the IP address of the TMG server or the IP address of the router?

Thanks a lot

Error 403 Microsoft ISA 2006


Here's a description of the issue I am facing.

We have two proxy servers (Microsoft ISA 2006), 192.x.x.99 and 192.x.x.100. We have an Exchange Server 2007 installed. When a client opens his email, it first goes to 192.x.x.100, from where it is redirected to our HUB/CAS server 192.x.x.14. Our website is published on 192.x.x.99.

In 192.x.x.99 there is a DNS entry for 192.x.x.100. So when we open OWA using the domain name mail.domainname.in on 192.x.x.99 in the browser, everything works fine.

But when we try to open OWA using the domain name mail.domainname.in on 192.x.x.100, it gives me the following error.

The page must be viewed over a secure channel

The page you are trying to access is secured with Secure Sockets Layer (SSL).

Please try the following:

• Type https:// at the beginning of the address you are attempting to reach and press ENTER.

HTTP Error 403.4 - Forbidden: SSL is required to view this resource.
Internet Information Services (IIS)

When I add https:// in front I get:

Under Construction

The site you are trying to view does not currently have a default page. It may be in the process of being upgraded and configured.

Please try this site again later. If you still experience the problem, try contacting the Web site administrator.

If you are the Web site administrator and feel you have received this message in error, please see "Enabling and Disabling Dynamic Content" in IIS Help.

To access IIS Help
1. Click Start, and then click Run.
2. In the Open text box, type inetmgr. IIS Manager appears.
3. From the Help menu, click Help Topics.
4. Click Internet Information Services.

When I add /owa to the URL (https://mail.domainname.in/owa), I get the username and password box, but still don't get the proper website opened.

Want to know how to fix this. Any help will be greatly appreciated.




TMG problem

Dear All,

Greetings of the day.

Please, I have a problem in my proxy (TMG). The problem is broken images when I use the TMG as a proxy.

I disabled the caching from it but the broken image problem is still there, and I must inform you that the TMG is in ESX 5.0 with 7 GB RAM. Our design is: ASA firewall and TMG as a web proxy. So please advise.

Thank you all

waleed odeh


Access Restriction - TMG 2010

Hi,

I have TMG 2010 configured as a back firewall.

I use an ADSL modem as a router and the TMG is connected to one of its LAN legs.

I have created a publishing rule allowing RDP from the Internet to one of my servers and it works fine, but I want to limit this connection to allow access only from a specific IP address and not from the whole Internet.

I have tried configuring the "external" network listener with the IP that I want to allow, but the connection fails.

What do I have to do?

10x,

Udi


How to troubleshoot ISA 2006 Error 64 "The specified network name is no longer available" while accessing a HTTPS site

TMG and PHPMyAdmin

Hello guys!

I have a problem with TMG and PHPMyAdmin.

I've installed PHPMyAdmin on an Apache server. It runs on port 82, just fine.

When I go to http://localhost:82/phpmyadmin, I can log on and everything is fine.

Now I've created a reverse proxy rule, so that my URL http://phpmyadmin.xxxxxx.com shows the PHPMyAdmin page.

The page loads, and I can log on.

When I log on, I instantly get this error:

"Cannot start session without errors, please check errors given in your PHP and/or webserver log file and configure your PHP installation properly."

I've already read almost everything on the Internet about this problem. I've made sure the temp folder has the right rights, cleared my browser cache and server side. Disabled caching in TMG.

It's a problem with TMG, as the localhost URL loads fine.

Any thoughts about this?

Thanks guys!

Kind regards,

Roy

Routing/Chaining Failure TMG Detected a Loop

Hi Folks;

I'm having an issue with TMG 2010 in that I'm seeing reports of Routing/Chaining failure / TMG Detected a Loop;

Event id 14141

Forefront TMG detected a proxy server loop. There may be a problem in the configuration of the Forefront TMG Web chaining policy. Alternatively, in Enterprise Edition, when CARP is enabled and there are intermittent interruptions of intra-array connectivity, array member A may forward a request to array member B according to the CARP algorithm, and array member B may forward the request to array member A in an endless loop.

A look at the log files indicates that this error occurs when the localhost (the TMG 2010 VM itself) is connecting to Microsoft to check for Windows Updates. This is the only time the error occurs and it occurs often.

Here's a snippet to illustrate;

Microsoft-CryptoAPI/6.1  Proxy - 65.54.87.108 TCP GET Req ID: 0a655fc7; Compression: client=No, server=No, compress rate=0% decompress rate=0% - 0x110 0x0 58066 SecureNAT     1 3923 201 - 5/14/2013 1:23:26 AM - - 0 - 0 - - - - - - 0 0         From cache  65.54.87.108 5/13/2013 6:23:26 PM Local Host xx.external.IP.xx External 65.54.87.108 80 http Failed Connection Attempt  -  - -

[System] Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads)

12206 Forefront TMG detected a proxy chain loop. There is a problem with the configuration of the Forefront TMG routing policy. Please contact your server administrator.  anonymous http://65.54.87.108/pki/mscorp/crl/mswww(6).crl EDGE Technical Information Web Proxy Filter   -   0 -

Is there anyone left in the groups with knowledge of TMG 2010? I've already looked on the web for information relating to this but none seems relevant. I think the key is in the fact that it only happens when the local host goes off to Microsoft to check for Windows Updates.



RadiusOTP

Hi,

I am running ISA 2006 and am having a problem with RADIUS OTP. I have configured HTML Forms based authentication on the listener and set up my RADIUS server and LDAP servers. As expected, when I get to the logon screen I am asked for username/token/password.

The problem I am having is that I have to enter the correct username and token number, but I am able to enter ANYTHING in the password field and I can successfully access my website. Any ideas why this is occurring?

Ian W

Publish ConfigMgr 2007 Native Mode Site via a Forefront TMG Server with Exchange Already Published

I am asking this question to the Forefront TMG community because I believe the problem lies in the Forefront configuration and not on my SCCM server.

We are having trouble configuring a non-web server publishing rule (as noted in appendix E here: http://technet.microsoft.com/en-us/library/cc707697.aspx#AppendixE) for our native mode SCCM site because a listener is already configured for our Exchange 2010 environment on the Forefront TMG primary NIC/IP using port 443.

The documentation here (http://technet.microsoft.com/en-us/library/cc707697.aspx) states "Do not create Web listeners that use the same IP address and port combination as existing server publishing rules or Web listeners. Doing so will cause both to fail".

Please note that I am primarily a SCCM administrator so most of my experience lies there. I did read TechNet documentation on Forefront but I am new to the concepts and I think that's where I could use your help. I was not involved in setting up the Forefront TMG server; our team's sysadmin did that last year, and he has been involved in helping me troubleshoot this issue. At this point in our troubleshooting, we need advice from a Forefront TMG or ISA specialist who can point us in what direction to go in next.

Here's what our environment looks like:

Environment Overview:
We are a department within a larger academic institution. We have our own domain, our own subnet, and administer all our resources ourselves, but our environment lies within the larger institution's internal network. The parent institution manages the DMZ but not our domain. We have a Forefront TMG server in the DMZ that manages Internet access/traffic for our domain. The DC, Forefront server, SCCM server, and mail server are all separate servers. All are running Server 2008 R2 SP1. All servers except for the Forefront server are on the intranet and domain-joined to our dept.org.edu domain.

SCCM Site:
- We are conducting a mixed mode to native mode site migration for a production site
- The site is a single site on a single site server on our intranet with ~200 clients
- The clients primarily connect from the intranet but we also need Internet connectivity as well because users frequently take their laptops out of the office for long periods of time, resulting in them becoming noncompliant with software updates, inventory collection, et cetera.
- We do not have the available resources to have additional SCCM role servers in the perimeter network/DMZ
- Desired configuration for native mode is this: http://technet.microsoft.com/en-us/library/bb632529.aspx
- We have the site server signing certificate, web certificate, and client autoenrollment certificates configured correctly
- I am using the default website and ports 80/443 for the SCCM site, and the custom website ports 8530/8531 for 
- We have a 2008 CA (the primary 2008 R2 DC on our 2008-level domain)
- The AD Schema is extended
- As far as I can tell, everything is configured correctly in preparation for native mode from the internal SCCM server side
- The site server is serverA.dept.org.edu
- The FQDN for the intRAnet website is serverA.dept.org.edu; I can connect to the internal website from the intRAnet using both http and https
- The FQDN for the intERnet website is cfgmgr.dept.org.edu; I can connect to this using cfgmgr.dept.org.edu from the intranet using both http and https
- On the intranet DNS, a host (A) record exists for serverA and an alias (CNAME) record exists for cfgmgr pointing to serverA.dept.org.edu
- I have not thrown the native mode switch yet because I do not want clients to become unmanaged, so I do not plan to actually switch to native mode until we resolve the below-described problem
Forefront TMG Server:
- OS is Server 2008 R2 with Forefront TMG 2010
- TMG server is not domain-joined (it's in a workgroup) and the domain administrator does not want it joined to any domain. I am aware that because of this, we must use tunneling instead of bridging for publishing, as stated in bullet point 2 of the requirements here: http://technet.microsoft.com/en-us/library/cc707697.aspx
- TMG Server already has successful publishing set up for our domain's Exchange 2010 OWA, ActiveSync, and Outlook Anywhere. These are using a listener on SSL 443 with Forms authentication. These work correctly.
- TMG Server has three NICs configured (of the 6 installed): the first one is public and disabled, the second is private DMZ 192.x.x.50, and the third is private DMZ 192.x.x.51
- DNS A records exist on the Forefront TMG server for serverA.dept.org.edu (points to the static intRAnet IP address), for cfgmgr.dept.org.edu (points to 192.x.x.51), the intRAnet's primary domain controller (points to the PDC's intRAnet IP address), and for the TMG Forefront server itself (points to 192.x.x.50).
- The parent organization NAT-ed and configured IP addresses for the third NIC, which we then configured because we read: "Do not create Web listeners that use the same IP address and port combination as existing server publishing rules or Web listeners. Doing so will cause both to fail" in http://technet.microsoft.com/en-us/library/cc707697.aspx. Our thought was that we could use a second NIC/IP/port combination to create a second listener/publishing rule for SCCM separate from the Exchange listener.
- We created a custom network within the network on the TMG server console (Networking / Networks tab) named cfgmgr in order to utilize connections from the 192.x.x.51 IP/SSL port:
 - The address range for this network is 192.x.x.51, the Domains tab lists dept.org.edu, the Web Browser tab has "Bypass proxy for web servers in this network" and "Directly access computers specified in the domains tab" checked, auto discovery is not configured, Forefront TMG Client is not enabled, and web proxy client connections are enabled with HTTP using port 8080 and SSL using 443, with the SCCM web server certificate added here by us importing it to the Personal store of the computer account certificate store of the TMG server. Integrated and Basic authentication are both enabled.
 - The 192.x.x.51 address was removed from the Internal network in order to create the custom network (it wouldn't allow the IP address to be in both).
- We created a Firewall Policy non-web server publication named configmgr:
 The policy is enabled, action is set to "allow" and it's set to log requests, traffic is set to HTTPS Server, From is set to Anywhere, To is set to the intRAnet IP address of the SCCM server, requests are set to look like they're coming from the Forefront TMG computer (we've tried both options with no change in results), Networks is set to cfgmgr, and schedule is always.

Test laptop:
- Test laptop is a machine joined to our intranet domain, it has client certificates configured correctly as far as I can tell, and when on the local intranet can connect to the IIS website as described above using both http and https.
- We are testing from a public wireless network that is not part of our domain and is external to the parent organization's network.
- Laptop client firewall is currently turned off for all networks
- Laptop is a Win 7 SP1 Enterprise machine

We are testing by attempting to connect to the IIS website for the SCCM server using the https://cfgmgr.dept.org.edu address or https://cfgmgrpublicIP while on the public wireless. Attempts to connect to https://serverA.dept.org.edu or any http combination of these fail as predicted and desired.

When connecting to either of these, we get a strange "Network Access Message" error with error code: "502 Proxy Error. The URL does not use a recognized protocol. Either the protocol is not supported or the request was not typed correctly. Confirm that a valid protocol is in use (for example, HTTP for a Web request). (12006)
IP Address: 192.x.x.51
Server: TMGforefront.dept.org.edu
Source: proxy"

In the error log on the Forefront server, I see two errors.

Denied Connection
Log type: Firewall service
Status: A packet was dropped because its destination IP address is unreachable.
Rule: None - see Result Code
Source: Local Host (192.x.x.51:137)
Destination: Internal (192.168.255.255:137)
Protocol: NetBios Name Service
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.x.x.51

Denied Connection
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Local Host (192.x.x.51:137)
Destination: Local Host (192.168.255.255:137)
Protocol: NetBios Name Service
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.x.x.51

A strange finding: https://TMGforefront.dept.org.edu redirects to our OWA webmail with a certificate warning.

What are we doing wrong? Is there a better way to configure it than to use a second NIC? Can I/should I publish the site using Web publishing instead of non-web server publishing? I was reviewing the documentation for publishing multiple websites over https (http://technet.microsoft.com/en-us/library/cc441449.aspx) and wondering if that was a possibility for us. I will be glad to provide more details if that would be helpful, and especially appreciate anyone's advice.

Thank you.

TMG / ISA anonymous hazard

Hi all,

Working with the TMG platform with AD integration only (client request). Now, due to some problems affecting workstation applications that don't work properly (and other issues) with TMG integrated mode, my client wants a full operational report with the downside of changing the actual Internet access rules from Windows groups to anonymous authentication, to become more like a transparent proxy. I need info about the benefits or not, problems with cache, network bandwidth, hardware requirements growth for TMG nodes, access rules, TMG reporting, etc. Basically I must compile a bunch of info about this change.

I have an array with 4 nodes serving about 8.000 users.

Any tip, link, etc. is a must.

Kind regards,

Luís Carmo


Allow skype when HTTPS Inspection enabled

Hi all,

I want to allow Skype on TMG. When HTTPS Inspection is disabled, Skype works well. If HTTPS Inspection is enabled, Skype is not connecting even if I add a source exception for my PC and a destination exception for *.skype.net.

I found a list of Skype connections here: http://community.skype.com/t5/Windows/HTTPS-inspection-problem-on-TMG-2010/td-p/116834

Why are the exceptions not working? Maybe there is another, better way to allow Skype with HTTPS Inspection enabled?

No Internet when using TMG Client

Hi, we've been running TMG 2010 for many months now and it's been working great. Now, to fully use the reporting feature, we'd like to enable the authentication feature. The current setup is providing WPAD through DHCP. We wanted to test the TMG Client for Windows as we thought it would cause fewer nightmares dealing with proxy settings in non-IE apps (e.g. Dropbox). I enabled the TMG client support for my internal network and installed the client on one machine. The client detects TMG (only one server) and also shows the little green icon. But the thing is I can't browse any web site. It just keeps rolling and rolling. Looking at the logs on TMG, I see all the requests my computer makes and they all show as "authorized". For test purposes I added, for a small amount of time, a rule allowing all outbound traffic from Internal to Local Host (TMG) and it still doesn't work.

Any idea or help would be appreciated :)

Thanks


Blocking one student

We are a school using TMG webfilter. I need a rule which will enable me to block a particular student from accessing anything but our intranet sites. I've set up a Deny rule with...

From: Internal
To: External with Exceptions: Intranet (a URL set)
Users: Blocked Students (a user set with the name(s) of the offending students)

However, when I activated the rule it blocked everyone, and I had to disable it again.
The problem may be something in the rule, or it may be the location of the rule.
I'd appreciate any advice...

ISA 2006 IP Address Change?

I have a single ISA 2006 Standard server set up as a 1-leg proxy server. So the server only has 1 NIC connected. Policies are in place to publish OWA, ActiveSync, Outlook Anywhere, and SharePoint.

I now need to change the IP address of this server. My research shows it should be straightforward with my single-NIC setup; simply change the IP and make sure the new IP is in the "Internal" network address range (which it is). I don't see anywhere in the ISA Management console where the IP address is referenced.

Is there anything else I should need to do? Any changes to the firewall policies?

TMG Web Protection Service Updates

How do you get TMG Web Protection Service updates (malware inspection definitions), now that you can no longer purchase licences from Microsoft?

According to the Forefront blog:

In this it says...

For current customers, Microsoft will continue to support the subscription through Dec. 31, 2015.

If customer subscriptions expire before Dec. 31, 2015, and cannot be renewed because the product is no longer offered, these products will continue to be supported through that date in order to provide customers with sufficient time to move to alternative solutions.

So, if we cannot renew/purchase, how do we get the malware updates?
