Hiya,

Getting this error on all traffic destined to a remote site (site-to-site VPN) from my machine. Local traffic, as in from my machine to LAN and internet is fine. If I drop the S2S VPN and re-establish it, all is fine.

The Internal network object has my local range (10.0.0.0/23) and the remote site network object has its range (10.0.2.0/23) and its VPN range (11.0.2.0/23).

I should add that this is happening at least once, sometimes twice a week, with the same fix of recycling the S2S VPN connection.

Hi

After upgrading a client pc from java 6.26 to java 7 I am seeing some strange behaviour.

Before allowing Java to run a tmg login screen appears. I can enter credentials and the java applet will load.

If I hit cancel... the java applet will run anyway..

The screen is a Java popup and text reads:

Enter login details to access <default> on tmg1.site.com:

At the bottom it reads:

authentication scheme unknown.

I've never seen this behaviour before.. and if I remove J7 and reinstall 6.26 then all goes back to normal...

Can this be a TMG related change that needs to be made, or something in Java?

Gents, after fighting with the problem for a couple of days. I decided to rebuild the TMG server from scratch. After all done the problem started to happen again!

The operational system (W2K8 R2) is uptodate and the TMG w/ SP2 RU 2 and.

Any tips?

dump transcript:

Version=1
EventType=APPCRASH
EventTime=129947941372917734
ReportType=2
Consent=1
ReportIdentifier=1273f1d9-16ea-11e2-a29d-00155d011e08
IntegratorReportIdentifier=1273f1d8-16ea-11e2-a29d-00155d011e08
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=wspsrv.exe
Sig[1].Name=Application Version
Sig[1].Value=7.0.9193.540
Sig[2].Name=Application Timestamp
Sig[2].Value=4f7b29e5
Sig[3].Name=Fault Module Name
Sig[3].Value=ntdll.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=6.1.7601.17725
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=4ec4aa8e
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=0000000000052fc6
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7601.2.1.0.272.7
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1046
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=2b37
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=2b37255b7c798f5cc1afca9527e33f9b
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=5a1d
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=5a1d22f94f7486cd647ea3019af7fb66
UI[2]=C:\Program Files\Microsoft Forefront Threat Management Gateway\wspsrv.exe
UI[3]=Microsoft Firewall Service has stopped working
UI[4]=Windows can check online for a solution to the problem.
UI[5]=Check online for a solution (recommended)
UI[6]=Check for a solution later (recommended)
UI[7]=Close
UI[8]=Microsoft Firewall Service stopped working and was closed
UI[9]=A problem caused the application to stop working correctly. Windows will notify you if a solution is available.
UI[10]=&Close
LoadedModule[0]=C:\Program Files\Microsoft Forefront Threat Management Gateway\wspsrv.exe
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
LoadedModule[2]=C:\Windows\system32\kernel32.dll
LoadedModule[3]=C:\Windows\system32\KERNELBASE.dll
LoadedModule[4]=C:\Windows\system32\ADVAPI32.dll
LoadedModule[5]=C:\Windows\system32\msvcrt.dll
LoadedModule[6]=C:\Windows\SYSTEM32\sechost.dll
LoadedModule[7]=C:\Windows\system32\RPCRT4.dll
LoadedModule[8]=C:\Windows\system32\ATL.DLL
LoadedModule[9]=C:\Windows\system32\USER32.dll
LoadedModule[10]=C:\Windows\system32\GDI32.dll
LoadedModule[11]=C:\Windows\system32\LPK.dll
LoadedModule[12]=C:\Windows\system32\USP10.dll
LoadedModule[13]=C:\Program Files\Microsoft Forefront Threat Management Gateway\RATLIB.dll
LoadedModule[14]=C:\Program Files\Microsoft Forefront Threat Management Gateway\MSPSEC.dll
LoadedModule[15]=C:\Program Files\Microsoft Forefront Threat Management Gateway\msfpc.DLL
LoadedModule[16]=C:\Program Files\Microsoft Forefront Threat Management Gateway\msfpcui.DLL
LoadedModule[17]=C:\Program Files\Microsoft Forefront Threat Management Gateway\msfpcstg.DLL
LoadedModule[18]=C:\Windows\system32\ole32.dll
LoadedModule[19]=C:\Windows\system32\OLEAUT32.dll
LoadedModule[20]=C:\Windows\system32\ACTIVEDS.dll
LoadedModule[21]=C:\Windows\system32\adsldpc.dll
LoadedModule[22]=C:\Windows\system32\WLDAP32.dll
LoadedModule[23]=C:\Windows\system32\NTDSAPI.dll
LoadedModule[24]=C:\Windows\system32\WS2_32.dll
LoadedModule[25]=C:\Windows\system32\NSI.dll
LoadedModule[26]=C:\Program Files\Microsoft Forefront Threat Management Gateway\MSPAPI.dll
LoadedModule[27]=C:\Program Files\Microsoft Forefront Threat Management Gateway\WSPAPI.dll
LoadedModule[28]=C:\Program Files\Microsoft Forefront Threat Management Gateway\PREAPI.dll
LoadedModule[29]=C:\Program Files\Microsoft Forefront Threat Management Gateway\MANAGEDAPI.dll
LoadedModule[30]=C:\Program Files\Microsoft Forefront Threat Management Gateway\W3PAPI.dll
LoadedModule[31]=C:\Windows\system32\NETAPI32.dll
LoadedModule[32]=C:\Windows\system32\netutils.dll
LoadedModule[33]=C:\Windows\system32\srvcli.dll
LoadedModule[34]=C:\Windows\system32\wkscli.dll
LoadedModule[35]=C:\Windows\system32\LOGONCLI.DLL
LoadedModule[36]=C:\Windows\system32\DSROLE.DLL
LoadedModule[37]=C:\Windows\system32\WSOCK32.dll
LoadedModule[38]=C:\Windows\system32\urlmon.dll
LoadedModule[39]=C:\Windows\system32\WININET.dll
LoadedModule[40]=C:\Windows\system32\SHLWAPI.dll
LoadedModule[41]=C:\Windows\system32\iertutil.dll
LoadedModule[42]=C:\Windows\system32\CRYPT32.dll
LoadedModule[43]=C:\Windows\system32\MSASN1.dll
LoadedModule[44]=C:\Windows\system32\msi.dll
LoadedModule[45]=C:\Program Files\Microsoft Forefront Threat Management Gateway\msfpccom.DLL
LoadedModule[46]=C:\Windows\system32\IPHLPAPI.DLL
LoadedModule[47]=C:\Windows\system32\WINNSI.DLL
LoadedModule[48]=C:\Windows\system32\SAMCLI.DLL
LoadedModule[49]=C:\Windows\system32\Secur32.dll
LoadedModule[50]=C:\Windows\system32\SSPICLI.DLL
LoadedModule[51]=C:\Windows\system32\DNSAPI.dll
LoadedModule[52]=C:\Windows\system32\WTSAPI32.dll
LoadedModule[53]=C:\Program Files\Microsoft Forefront Threat Management Gateway\sidahlpr.dll
LoadedModule[54]=C:\Windows\system32\PSAPI.DLL
LoadedModule[55]=C:\Windows\system32\VERSION.dll
LoadedModule[56]=C:\Program Files\Microsoft Forefront Threat Management Gateway\MSPHLPR.dll
LoadedModule[57]=C:\Windows\system32\RASAPI32.dll
LoadedModule[58]=C:\Windows\system32\rasman.dll
LoadedModule[59]=C:\Windows\system32\AUTHZ.dll
LoadedModule[60]=C:\Windows\system32\Normaliz.dll
LoadedModule[61]=C:\Program Files\Microsoft Forefront Threat Management Gateway\RpcFltr.DLL
LoadedModule[62]=C:\Program Files\Microsoft Forefront Threat Management Gateway\msfpcregexp.dll
LoadedModule[63]=C:\Windows\system32\MSWSOCK.dll
LoadedModule[64]=C:\Windows\system32\WINHTTP.dll
LoadedModule[65]=C:\Windows\system32\webio.dll
LoadedModule[66]=C:\Windows\system32\IMM32.DLL
LoadedModule[67]=C:\Windows\system32\MSCTF.dll
LoadedModule[68]=C:\Windows\system32\DBGHELP.DLL
LoadedModule[69]=C:\Windows\system32\CRYPTBASE.dll
LoadedModule[70]=C:\Windows\System32\wshtcpip.dll
LoadedModule[71]=C:\Windows\System32\wship6.dll
LoadedModule[72]=C:\Program Files\Microsoft Forefront Threat Management Gateway\MSFPC.SYS
LoadedModule[73]=C:\Windows\system32\dhcpcsvc6.DLL
LoadedModule[74]=C:\Windows\system32\dhcpcsvc.DLL
LoadedModule[75]=C:\Windows\system32\CLBCatQ.DLL
LoadedModule[76]=C:\Program Files\Microsoft Forefront Threat Management Gateway\EmpScan.dll
LoadedModule[77]=C:\Windows\system32\SHELL32.dll
LoadedModule[78]=C:\Program Files\Microsoft Forefront Threat Management Gateway\MpUtil.DLL
LoadedModule[79]=C:\Program Files\Microsoft Forefront Threat Management Gateway\MpHashLib.DLL
LoadedModule[80]=C:\Windows\system32\credssp.dll
LoadedModule[81]=C:\Windows\system32\CRYPTSP.dll
LoadedModule[82]=C:\Windows\system32\rsaenh.dll
LoadedModule[83]=C:\Windows\system32\RpcRtRemote.dll
LoadedModule[84]=C:\Windows\system32\SXS.DLL
LoadedModule[85]=C:\Windows\System32\msxml3.dll
LoadedModule[86]=C:\Program Files\Microsoft Forefront Threat Management Gateway\IPS\GapaEngine_1cdaaf6_d3af2500.dll
LoadedModule[87]=C:\Windows\system32\WINTRUST.dll
LoadedModule[88]=C:\Windows\System32\msxml6.dll
LoadedModule[89]=C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll
LoadedModule[90]=C:\Windows\system32\profapi.dll
LoadedModule[91]=C:\Windows\system32\xmllite.dll
LoadedModule[92]=C:\Windows\system32\security.dll
LoadedModule[93]=C:\Windows\system32\schannel.dll
LoadedModule[94]=C:\Windows\system32\NLAapi.dll
LoadedModule[95]=C:\Windows\system32\napinsp.dll
LoadedModule[96]=C:\Windows\System32\winrnr.dll
LoadedModule[97]=C:\Program Files\Microsoft Forefront Threat Management Gateway\MPEngine\{9F4AF8CE-0798-48D4-93C2-5663278FFD86}\mpengine.dll
LoadedModule[98]=C:\Windows\system32\imagehlp.dll
LoadedModule[99]=C:\Windows\system32\ncrypt.dll
LoadedModule[100]=C:\Windows\system32\bcrypt.dll
LoadedModule[101]=C:\Windows\system32\bcryptprimitives.dll
LoadedModule[102]=C:\Windows\system32\USERENV.dll
LoadedModule[103]=C:\Windows\system32\GPAPI.dll
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=Microsoft Firewall Service
AppPath=C:\Program Files\Microsoft Forefront Threat Management Gateway\wspsrv.exe

Event on the event viewer:

Log Name:      Application
Source:        Application Error
Date:          15/10/2012 14:02:17
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SERVIDOR
Description:
Faulting application name: wspsrv.exe, version: 7.0.9193.540, time stamp: 0x4f7b29e5
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
Exception code: 0xc0000005
Fault offset: 0x0000000000052fc6
Faulting process id: 0x630
Faulting application start time: 0x01cdaaf6d390dbb4
Faulting application path: C:\Program Files\Microsoft Forefront Threat Management Gateway\wspsrv.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 1273f1d8-16ea-11e2-a29d-00155d011e08
Event Xml:
< Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-10-15T17:02:17.000000000Z" />
    <EventRecordID>72613</EventRecordID>
    <Channel>Application</Channel>
     <Computer>SERVIDOR</Computer>
    <Security />
  </System>
  <EventData>
    <Data>wspsrv.exe</Data>
    <Data>7.0.9193.540</Data>
    <Data>4f7b29e5</Data>
    <Data>ntdll.dll</Data>
    <Data>6.1.7601.17725</Data>
    <Data>4ec4aa8e</Data>
    <Data>c0000005</Data>
    <Data>0000000000052fc6</Data>
    <Data>630</Data>
    <Data>01cdaaf6d390dbb4</Data>
    <Data>C:\Program Files\Microsoft Forefront Threat Management Gateway\wspsrv.exe</Data>
    <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
    <Data>1273f1d8-16ea-11e2-a29d-00155d011e08</Data>
  </EventData>
< /Event>

Hi!

Is it practical to virtualize ISA 2006 on a Windows 2008 R2 Virtual Machine?

Secondly, is it possible to load balance ISA between two virtual machines and also make a cluster for them?

Thanks.

Hello,

We have facing a strange problem, we have 2 array named TMG1 & TMG2 configured in NLB. Proxy configured in a Explicite Mode.

We observed intermitted issue with TMG 2010 proxy that few users are able to browse the internet but few users are not able to browse. Also unable to telnet proxy port from client machine.

But if we put an array name (i.e. TMG1 or TMG2) in browser then browsing works fine. All the services are shown up & running in TMG dashboard.

TMG 2010 SP2 running on Windows Server 2008 x64 SP2

Please help....... Thanks.

We set the Firewall Client configuration option on single MS ISA 2006 server to point to the "PROXY" name - which is the actual alias of the real server name. We noticed that we have more than few clients that have their local MS ISA clients pointing to the proxy server's real name and not to the alias name. <o:p></o:p>

Is there any way to force those clients to point to the server’s alias name (proxy) rather than to the real server name. As i mentioned above we set the FW Client configuration option for our internal network to use the PROXY name. <o:p></o:p>

Thanks. <o:p></o:p>

Big B

We are using TMG internal ok no problems.  We now testing Direct Access and have this working ok apart from the fact that I cant get the clients to go out via the web proxy, which ideally we would like.  Is there a step by step guide anywhere on setting TMG so Direct Access clients can use it ? I have read a few things such as make sure you use a hostname and not IP in the proxy configuration which we do anyway, any ideas ?

Duncan

With the deprecation of Forefront TMG, what is the future solution for Outbound web proxy services? Is this to be rolled into Forefront UAG?

Why was this done if not - it leaves a large gap in the portfolio and TMG / ISA were great products?

http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx

Hi,

we was using the Windows Live Mesh without any issue before we deploy the Forefront TMG 2010. but after deploying the  Forefront TMG We cannot even open the Mesh it showing error "Live mesh closed unexpectedly. Refreshing Your Folder List...". and then shows this error

TMG 2010 SP2 RU2 as an edge firewall running on Hyper-V.

The following URL Works fine:

http://update.contoso.com/Packages/f5092a1d-2344-408a-a03a-f032d63dcdc2/PackageManifest.xml

The following similar URL to the same external host throws an error code 64,

http://update.contoso.com/Packages/6114f1cc-ab5e-4196-841f-d8aa8d42e994/PackageManifest.xml

Here is a snip from the diagnostic log:

Hello all!

I have test infrastructure with one frontend server in a pool and one edge server in internal network.

Also I have one TMG server, which is connected to internal network and DMZ with a second NIC.

External address with port 443 is natted to DMZ address interface port 443.

Task is to publish Lync IM to be available to external users.

I read lots of articles how to publish IM to external users. Nothing works. Do I need Edge server for my needs?

TMG show only unidentified traffic 4443 in logs, nothing works.

Could you please describe the procedure step-by-step how to publish Lync IM to external users please.

Thanks in advance.

MVP | MCP Club lead, Moscow

Hello,

In the past I have simply edited the query filter from within the TMG Management Console and have been able to get all of the URL history for a given user for a 1 or 2 day period, however now I need to get all of the URL history for a given user for the past 3 months.  If I use my normal method of editing the filter in TMG, after much waiting I eventually get a dialog telling me that only 1000 rows were able to be retrieved.

My question is, are there any other free utilties I can use to search my TMG logs?  Or are there any VB scripts out there I can easily modify?

I can use the Import/Export wizard that comes with SQL Express but that only allows me to query one database at a time, and it seems TMG automatically rotates the databases multiple times per day (for example, I've got ISALOG_20121016_WEB_000, ISALOG_20121016_WEB_001, ISALOG_20121016_WEB_002, etc.)

Any help would be appreciated.

We are using 10.10.0.0/16 subnet as VLAN1 in our LAN setup, TMG is configured as like below

Ethernet adapter Internal:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.10.10.61
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Ethernet adapter External:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 210.2.154.226
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 210.2.154.225

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    210.2.154.225    210.2.154.226    276
        10.10.0.0      255.255.0.0         On-link       10.10.10.61    266
      10.10.10.61  255.255.255.255         On-link       10.10.10.61    266
    10.10.255.255  255.255.255.255         On-link       10.10.10.61    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    210.2.154.224  255.255.255.248         On-link     210.2.154.226    276
    210.2.154.226  255.255.255.255         On-link     210.2.154.226    276
    210.2.154.231  255.255.255.255         On-link     210.2.154.226    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       10.10.10.61    266
        224.0.0.0        240.0.0.0         On-link     210.2.154.226    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       10.10.10.61    266
  255.255.255.255  255.255.255.255         On-link     210.2.154.226    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    210.2.154.225  Default

Now we are introducing more VLANs in network with the help of intervlan routing on Layer switch. Please advice how new VLANs will talk TMG for internet, if we need to add route so what will be they?

New Vlans are 10.51.51.0/24 and 10.95.95.0/24. 

TMG2010 SP2 with rollups

Exchange 2010 latest SP

Win 2008 R2

Multiple forests, exchange in resource forest with users in another forest (2 way trust)

If users in either the resource forest or other trusted forests have a password which has not expired or does not need changed at next logon the users can logon fine, they can then use the OWA control panel to change their password if they wish.

When attempting to logon to OWA via TMG (which then forwards to the CAS servers (x2)) for a user in the resource forest who has the password set to change at next logon it allows us to change the password no problem. However...

When attempting to logon to OWA for a user in a separate forest who's password has expires or has the option set to require a change of password at next logon it does now allow the change and instead tells us

"You could not be logged on to Forefront TMG. Make sure that your domain name, user name, and password are correct, and then try again."

I have been researching for hours and found various alleged fixes so here is what we have tried...

On the CAS servers: Enabling ChangeExpiredPasswordEnabled and resetting IIS

On the TMGs: http://support.microsoft.com/kb/957859 and http://support.microsoft.com/kb/2618727 and also  http://www.jaapwesselius.com/2011/11/05/owa-password-reset-tool-and-tmg/ and also ensuring that the appropriate certificates from the domain controllers are installed...

So im not sure where to go next... given that it works for resource forest test users is it something to do with multiple forest scenario?

Thanks

Gary

Hi and thank you!

I've got RRAS SSTP VPN on Win 2008 server. Works ok.

And I've got one client that is sitting on Win7 behind the MS ForeFront TMG.

He could not connect to VPN with error - 0x80072742 (A socket operation encountered a dead network. or something like this - his OS is not in English) What could I recommend to his admin to do with ForeFront to allow him to connect? He tells me that all ports are open - could I check this from a client laptop?

Lina

I understand that there are a few requirements in order to publish SharePoint 2010 securely through TMG 2010.

some of the requirements that I managed to find are

SSL secured connections with clients

External Listerner

Select certificate

HTML form authentication with Windows (Active Directory)

No SSO(Single Sign-on).

Can I use do without No SSO ?

What other method can I use if I cannot use NO SSO ?

Hi,
Is it possible to logged the IP address of all incoming connection? we have an Exchang 2010 that is behind an TMG 2010 and on this exchange server I found a lots of event 4526 there. I can see that some one use a rendom user name and password to get access to this server, but in the event logs I cannot see the IP address of the source, so that I can block this IP from trying to access this mail server. in the logs I can see this:

D:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe

So I think they try to break in to the system trough the POP3 Service.

Is there anyway to log the IP of the source of these connections on the Exchange or TMG level?

Thanks 

Shahin

Hello,

My network has a TMG Forefront Gateway 2010 on mode Workstation. 

The ping between machinees of the same network is 270 ms. It's normal? 

When the proxy is off the ping between machines of the same network is 65 ms.

Thanks