Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

Help with firewall policy to allow outbound connections to remote desktop web

We have recently moved from ISA 2000 to a new Windows 2008 R2 (SP1) server running Forefront TMG 2010 (7.0.9193.575) as a firewall edge server with dual NICs. We are a small business and do not have a lot of skills in TMG firewall management, so please keep this in mind :-)

I need to configure a firewall policy rule to allow staff on our internal network access to one of our customer's servers, which has been published (at the customer site) using Remote Desktop Web Connection. Before we upgraded to TMG 2010, we could simply open an RDP connection from a desktop PC within our internal network, and the computer name listed in the Remote Desktop Connection settings was intranet.companyname:3391 /admin. This RDP connection would connect us directly to the customer's server across the internet without needing to establish a VPN connection or anything first.

My problem is, I have tried to create a firewall policy to open this port for the RDP (Terminal Services) protocol from the internal to external network, but am still not able to connect. I am not really sure what is required for this rule. Do I need to add a specific destination for the customer's URL used in the connection settings above? Any help much appreciated.



authority (CA) certificate TMG

I have a TMG 2010 server with https inspection on.
In my environment I have another Windows Server 2008 R2, which is my domain controller and has a certification authority,
and I always get error messages in TMG:

"Forefront TMG failed to sign the cloned SSL server certificate for the destination server using the certification authority (CA) certificate."

I have already put the controller in the exceptions for HTTPS inspection, yet I keep receiving error messages.

Additionally, in my environment I work with encrypted LDAP.

I wonder how I can solve the problem of the error message above?

SSTP time to establish the connection: How long is it for you?

I'm curious how long it takes for your clients to connect via SSTP.

We have a Server 2012 with RRAS installed. PPTP is not an option, so we tested IKEv2 and SSTP.

Dialing in via IKEv2 (Windows 8 and Windows 7) happens within the blink of an eye. Unfortunately IKEv2 has some drawbacks for us and SSTP seems to be the better way, so we also tested SSTP.

But with SSTP the time until a connection is established can take from 10-30 seconds, which is pretty long compared to IKEv2. So I wonder if this is normal for the SSTP handshake or if there's something I could look into.

To add some more background Information: We also run Direct Access on separate Servers and use our own PKI for the Certificates. DA works like a charm and of course our CRL Servers and OCSP are available also from the outside.

Downloading Adobe Flash terminates at 47% and TMG gives a non-SYN packet error message

None of our users are able to download Adobe Flash Player 11, as the download process terminates at 47% completion, and on TMG we see the following error message:

Denied Connection CAR-WEBPROXY 6/13/2013 9:39:33 AM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer.
Rule: None - see Result Code
Source: Internal (10.46.18.189:64989)
Destination: Local Host (10.46.16.94:8080)
Protocol: HTTP Proxy
Additional information
  • Number of bytes sent: 0  Number of bytes received: 0
  • Processing time: 0ms  Original Client IP: 10.46.18.189

I am running Forefront Threat Management Gateway Version: 7.0.7734.100 on Windows 2008 R2 x64 Server.

This is not the only situation in which a non-SYN error message occurs.

Any help will be appreciated.

TMG Traffic Flow Issues

Hi All,

I am having a really frustrating issue with going through my TMG server to an external server, for example SMTP.

My network structure is as follows;

Internal (192.168.10.0) ---> TMG ---> Perimeter (192.168.11.0) ---> Hardware Firewall ---> Internet

I have a rule in my TMG setup which allows traffic from the internal network to the perimeter and external networks using the SMTP protocol.

I am trying this on a server using SecureNAT. Using telnet, if I connect to a SMTP server in the perimeter network, this works fine, however if I try to open a connection to smtp.gmail.com on port 25 the connection fails and I get the following entries in the TMG logs;

Initiated Connection
Log type: Firewall service
Status: The operation completed successful
Rule: SMTP Test
Source: Internal (192.168.10.2:47184)
Destination: External (173.194.67.108:25)
Protocol: SMTP
Number of bytes sent:0 Number of bytes received: 0
Processing time: 0ms Original client IP: 192.168.10.2

Followed a short while later by this;

Closed Connection
Log type: Firewall service
Status: A connection was closed because no SYN/ACK reply was received from the server
Rule: SMTP Test
Source: Internal (192.168.10.2:47184)
Destination: External (173.194.67.108:25)
Protocol: DNS
Number of bytes sent:152 Number of bytes received: 0
Processing time: 69000ms Original client IP: 192.168.10.2

If I replace the TMG with another hardware firewall, the SMTP connections go through no problem. 

Does anyone have any suggestions as to how I can find the cause of this issue, it doesn't appear to be as simple as rules on the TMG server as it isn't logging any denial.

Many thanks in advance,

Neil.

OWA password change problem

Hi All,

I spent last week troubleshooting this issue and in the end just had to roll back the change, as I was unable to find a solution to this.

Environment before change:

Two domains with an external trust. TMG SP2 and Win2008 SP2 DCs in Domain1; Exchange 2010 SP2 RU5v2 CAS array and Win2008 R2 SP1 in Domain2. TMG is single NIC.

OWA rule which allows "All Users". Authentication delegation - Clients may authenticate directly. Listener: FBA - Active Directory.
On CAS FBA authentication. Forms tab set for "Exchange", password change checked.

Users from Domain1 and Domain2 can authenticate and use OWA without problem, and when administrator set "must change password on next logon" they are prompted for a change and change password via OWA.

Environment after change:

OWA rule has been changed. Authentication delegation changed to Basic and "all users" changed to Global Security groups from both domains. This was done to pre-authenticate users on TMG and filter access to OWA based on group membership. In addition OWA and ECP on Exchange CAS has been changed from FBA to Basic to match the TMG delegation method.

After this change all works fine, users from both domains can log to OWA and use mailbox, however users from Domain2 are unable to change their password by using OWA forms options or when admin sets "must change pass on next logon" on account.

Troubleshooting:

So we read all about it and checked if LDAPs is configured correctly as based on MS articles this OWA pass change is happening over LDAPs even when its FBA with AD Windows Integrated pre-authentication on listener. root CA from Domain1 and Domain2 is in Trusted cert store on TMG as well as Issuing CA are in Intermediate cert store. All DCs got their computer certificates in their personal certification stores. LDAPs test from TMG is successful to all DCs. 

We did packet capturing for Domain1 users and we can see that password is being changed via LDAPs.

We did packet capturing for Domain2 user and we can see that Kerberos protocol ends up with kerberosv5:KRB_ERROR - KDC_ERR_KEY_EXPIRED (23). No communication initiated after that from TMG. When running diagnostic logging on TMG it ends up with this:

375716 1.3.2013 11:59:16 0d2f135a 0d2f135b Web Proxy The Web publishing rule OWA requires client authentication.
375717 1.3.2013 11:59:16 0d2f135a 0d2f135b Web Proxy Forefront TMG denied the request with the following error: 0x00002FB1.
375718 1.3.2013 11:59:16 0d2f135a 0d2f135b Web Proxy Forefront TMG completed checking the policy rules for the Web request.
375719 1.3.2013 11:59:16 0d2f135a 0d2f135b Web Proxy Forefront TMG tries to authenticate connected client
375738 1.3.2013 11:59:16 0d2f135a 0d2f135b Web Proxy User authentication failed. The request was denied because the password for user USER1 expired. To resolve this problem, the user must request a new password in Active Directory.
375739 1.3.2013 11:59:16 0d2f135a 0d2f135b Web Proxy Forefront TMG rejected the request with the HTTP status code 0 and will return the following error message to the Web client. "The user's password must be changed before logging on the first time. (1907)"

Basically TMG just informs the user from Domain2 that the password needs to be reset but does not offer a chance to change it, as it does for the user from Domain1.

Any ideas? Thanks.


Facebook.com times out in Forefront TMG

I recently deployed Forefront TMG as my web access server. Users whose browser settings point to TMG as proxy server cannot access facebook. The connection times out with the error code 10060. All other websites, including social networking and https sites, remain accessible. I do not recall explicitly blocking access to facebook. I do not want to block access to any websites. How do I resolve this?

Outbound RDP traffic denied

Hello people,

TMG is not allowing my workstation to access computers on external networks using RDP.

I have created a rule allowing the RDP protocol from my workstation to the external network, but it seems useless.

when checking logs, i see that the default rule is blocking me; even if the access rule is enabled.

Note that when bypassing TMG, I can access computers with RDP.

tmg client is installed on my workstation.
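For this question and the earlier one about reaching a customer's Remote Desktop Web server on port 3391, here is an added example (not from either post) of building the outbound rule with the Forefront TMG administration COM object (FPC.Root) instead of the console. It assumes placeholder names for the rule, the protocol definition and the customer host, and the numeric enumeration values are the ones I recall from the ISA/TMG SDK (fpcPolicyRuleActionAllow = 0, fpcSpecifiedProtocols = 1, fpcInclude = 0, fpcTCP = 1, fpcOutbound = 1); check them against the SDK before running. One point that matters for the 3391 case: the built-in "RDP (Terminal Services)" protocol definition covers TCP 3389 only, so a connection to port 3391 needs its own protocol definition, and scoping the destination to a domain name set keeps the rule from becoming "Internal to anywhere on 3391".

```powershell
# Added example: outbound RDP-on-3391 access rule via the TMG administration COM object.
# Placeholder names; enum values as recalled from the ISA/TMG SDK (verify before use).
$ruleName     = "Allow RDP 3391 to customer"
$protoName    = "RDP 3391 (outbound)"
$setName      = "Customer RDP hosts"
$customerFqdn = "intranet.companyname.example"   # placeholder for the customer's host name

$fpc   = New-Object -ComObject "FPC.Root"
$array = $fpc.GetContainingArray()

# 1. Protocol definition: one primary connection, TCP, outbound, port 3391.
$protocols = $array.RuleElements.ProtocolDefinitions
$proto = $protocols | Where-Object { $_.Name -eq $protoName }
if (-not $proto) {
    $proto = $protocols.Add($protoName)
    # Add(ProtocolType, Direction, LowPort, HighPort): 1 = fpcTCP, 1 = fpcOutbound (assumed SDK values)
    $proto.PrimaryConnections.Add(1, 1, 3391, 3391) | Out-Null
}

# 2. Domain name set holding only the customer's host, so the rule has a narrow destination.
$domainSets = $array.RuleElements.DomainNameSets
$dns = $domainSets | Where-Object { $_.Name -eq $setName }
if (-not $dns) {
    $dns = $domainSets.Add($setName)
    $dns.Add($customerFqdn)
}

# 3. Access rule: Internal -> the domain name set, this protocol only, Allow.
$rules = $array.ArrayPolicy.PolicyRules
$rule  = $rules | Where-Object { $_.Name -eq $ruleName }
if (-not $rule) { $rule = $rules.AddAccessRule($ruleName) }
$rule.Action = 0                                              # fpcPolicyRuleActionAllow
$rule.AccessProperties.ProtocolSelectionMethod = 1            # fpcSpecifiedProtocols
$rule.AccessProperties.SpecifiedProtocols.RemoveAll()
$rule.AccessProperties.SpecifiedProtocols.Add($protoName, 0)  # 0 = fpcInclude
$rule.SourceSelectionIPs.Networks.RemoveAll()
$rule.SourceSelectionIPs.Networks.Add("Internal", 0)
$dest = $rule.AccessProperties.DestinationSelectionIPs
$dest.Networks.RemoveAll()
$dest.DomainNameSets.RemoveAll()
$dest.DomainNameSets.Add($setName, 0)
# Leave UserSets at its default (All Users): a rule that requires authentication
# cannot match SecureNAT clients, which have no way to present credentials.

$array.Save()
Write-Host "Saved '$ruleName'. New rules land at the bottom of the policy; move it above any rule that would deny RDP first, then apply the configuration."
```

After the save, the TMG log for a test connection should show this rule name instead of "Default rule"; if it still shows the default rule, the traffic did not match on source, destination or protocol, and the log's Protocol column tells you which of the three to look at.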


FF TMG 2010 on Server 2012

Has anyone tried successfully installing Forefront TMG 2010 on Windows Server 2012?

I tried but failed, it complained about unable to add roles and features.


Valuable skills are not learned, learned skills aren't valuable.


Private to Public IP ISA 2006

I have ISA server 2006. I am trying to install a video phone that is used for the hearing impaired from Sorenson. I have a public IP address to assign for the phone and I have the phone set up with a static private IP address. How do I set up the firewall for NAT between the public and private addresses. I have not had to do this before so any help would be appreciated

Unable to Access Lync 2010 via TMG 2010 Ent.

Hello All,

I have Installed and configure TMG 2010 Ent in my office but I am not able to login in  Microsoft Lync  through TMG,

I have already configured the TMG client on the systems. Our Lync services are on Office 365. Sometimes I get a certificate error and sometimes an incorrect password error, but when I am using a public IP I am able to log in to Lync.

Please suggest some solutions.

Thanks

Avnish

SlideShare site open access but restrict upload

Hi Guys,

In my network, SlideShare is currently restricted because presentations can be uploaded there.

How can I open SlideShare access in such a way that uploading is restricted but people can do other browsing without any problem?


Kamran Shahid Application Developer (MCP,MCAD,MCSD.NET,MCTS,MCPD.net[web])

OWA password changing problem with TMG 2010.

Hello everyone,

I have run into a problem when I try to change the password in OWA.

Our environment:

One DC, one Exchange 2010 SP1 standard (Mailbox, CAS, Hub role on one server), one TMG server 2010(version: 7.0.7734.100, has joined domain as a member server, with two NICs, one for internal network, one for external network.) 

The authentication of 'outlook web app' on exchange server is 'Basic authentication'.

The 'authentication delegation' on the TMG server is set to 'Basic authentication' as well. The 'authentication' tab in the listener is set to 'HTML Form Authentication'; in the 'Forms' tab, I have marked 'Use customized HTML forms instead of the default' and put 'Exchange' as the custom HTML form set directory. I have also marked 'Allow users to change their passwords.'

Expired password has been enabled on Exchange server: http://technet.microsoft.com/en-us/library/bb684904(v=exchg.141).aspx

But when I mark 'user must change password at next logon' in ADUC and use that account to log in to OWA, the TMG server refuses and returns an error message: "You could not be logged on to Forefront TMG. Make sure that the domain name, user name, and password are correct, then try again."

I have read a post and follow it, but still doesn't work: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/6ab21aff-35c3-454b-86a4-e3e4bda701ab

All works internally, but it doesn't work externally. And it only works when I replace 'all authenticated users' with 'all users' in the TMG OWA rule. I guess there are some problems with the communication between the TMG server and the DC, but I cannot figure it out.

Please help me, thanks in advance!
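For this post and the earlier "OWA password change problem" thread, here is an added example (not from either post) of the two checks I would run from the TMG server itself: an LDAPS bind on port 636 to each domain controller with the DC certificate validated against the local stores, and a read of the account attributes that put a user into the "must change password" state (pwdLastSet = 0, which is what produces KDC_ERR_KEY_EXPIRED and Win32 error 1907). Host names, base DN and the test account are placeholders; the script uses System.DirectoryServices.Protocols, which is present on Windows Server 2008 R2, and stays compatible with PowerShell 2.0.

```powershell
# Added example: LDAPS bind test plus account password-state check, run on the TMG server.
# Host names, base DN and accounts are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsBind {
    param([string]$Dc, [System.Net.NetworkCredential]$Cred)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Dc, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    # Validate the DC certificate against this machine's trust stores. A missing root or
    # issuing CA on the TMG box fails here, before any bind, just as it would for TMG itself.
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        Write-Host ("  {0} presents {1} (thumbprint {2})" -f $Dc, $x.Subject, $x.Thumbprint)
        return $x.Verify()
    }.GetNewClosure()
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Cred
    try     { $conn.Bind(); Write-Host "$Dc : LDAPS bind OK"; return $true }
    catch   { Write-Host "$Dc : LDAPS bind FAILED - $($_.Exception.Message)"; return $false }
    finally { $conn.Dispose() }
}

function Get-PasswordState {
    param([string]$Dc, [string]$BaseDn, [string]$SamAccountName, [System.Net.NetworkCredential]$Cred)
    $user = "$($Cred.Domain)\$($Cred.UserName)"
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc/$BaseDn", $user, $Cred.Password)
    $s    = New-Object System.DirectoryServices.DirectorySearcher($root, "(sAMAccountName=$SamAccountName)")
    [void]$s.PropertiesToLoad.AddRange([string[]]@("pwdLastSet", "userAccountControl"))
    $r = $s.FindOne()
    if ($r -eq $null) { throw "$SamAccountName not found under $BaseDn on $Dc" }
    $pwdLastSet = [int64]$r.Properties["pwdlastset"][0]
    $uac        = [int]$r.Properties["useraccountcontrol"][0]
    New-Object PSObject -Property @{
        Account              = $SamAccountName
        MustChangeAtLogon    = ($pwdLastSet -eq 0)           # the state behind KDC_ERR_KEY_EXPIRED / error 1907
        PasswordNeverExpires = (($uac -band 0x10000) -ne 0)  # ADS_UF_DONT_EXPIRE_PASSWD
        PwdLastSet           = $(if ($pwdLastSet -gt 0) { [DateTime]::FromFileTime($pwdLastSet) } else { $null })
    }
}

# Usage (placeholders): bind to every DC of the domain whose users fail, then inspect the account.
$cred = Get-Credential "DOMAIN2\tmg-ldap-test"
$nc   = $cred.GetNetworkCredential()
foreach ($dc in @("dc1.domain2.example", "dc2.domain2.example")) { Test-LdapsBind -Dc $dc -Cred $nc | Out-Null }
Get-PasswordState -Dc "dc1.domain2.example" -BaseDn "DC=domain2,DC=example" -SamAccountName "USER1" -Cred $nc | Format-List
```

Run it with credentials from the domain whose users cannot change their password. A bind that fails in the certificate callback points at the trust chain on TMG; a bind that succeeds while MustChangeAtLogon is True narrows the problem to what TMG does after it sees error 1907 for that domain.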

publishing webserver with ssl certificate + spn

Hi all,
I am trying to solve my problem with TMG when it connects to the IIS server:
publishing a web server with an SSL certificate + SPN.
I am looking for a full guide that provides this information.

thanks alot

Publish NVR Console

I have a VioStor NVR (Network Video Recorder) which administers the IP cameras in my organization through a web console. I have problems when wanting to set up a rule in the firewall (TMG 2010 SP1) to let me see the console from outside the local network (internet).

Please help.

Issue with Publishing OWA

Hello,

   Having an issue with Outlook Web Access 2010 and Threat Management Gateway.  The OWA login screen comes up when the mailbox.mrm2inc.com/owa is entered into the browser, both internally and externally.  Internally when the user enters their username and password they are able to get to their email.  When a user externally enters in their username and password, it flashes off the screen and back to the login screen.  Anyone have any idea what would cause this?


Michael R. Mastro II

TMG Publishing Rule-Listener with client certificate requirement does not check for revocation

Hello all,

I have read a lot of sites and posts regarding Cert revocation but still have not found a working setup yet. We are publishing a website using a dedicated listener that requires client certificates from either an internal PKI (Based on Windows 2008r2) and an External PKI (Based on the opensource XCA tool). The internal CA's have the CDP/AIA information published and updated and are available via HTTP and LDAP. The TMG 2010 Server is member of the domain and can retrieve all certificate revocation information successfully using CERTUTIL -f -urlfetch -verify my-user-cert.cer.

The TMG server can also download the CRL using the CERTUTIL -URL "http://crl.domain.com/CAInfo/filename.crl".

I have installed the root/issuing/personal certificates on my iPad in the profiles store and can successfully open the website using Safari after importing those certificates, which I could not without those certs. So the certificate issuing check is working fine; however, when I revoke the certificate on the CA and republish the CRL, the iPad can still access the website. When I sniff the traffic on the TMG server I also cannot easily see any trace of the server trying to even access the CRL, either via an LDAP query or an HTTP request.

When I run the CERTUTIL revocation check internally or via the internet it works fine and shows the certificate is revoked. I also cleared the CRL cache locally on the TMG servers and downloaded the latest one via the CERTUTIL -f -urlfetch ... command.

What am I missing? On the TMG Server the System Policy "CRL Download" is enabled.

I hope you can help me out!

Many thanks,

Eric 


Best regards and many thanks in advance, Eric Vegter
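As an added example (not from the post above), here is the same revocation check done through the Windows chain engine (X509Chain, the CAPI2 path that both certutil and the TMG listener rely on) with online revocation checking forced for the entire chain and the Client Authentication EKU required, so that the output says exactly which chain element failed and why, and lists the CRL distribution point URLs the certificate carries so they can be compared with what a capture on the TMG server shows being fetched. The certificate path is a placeholder. One design choice worth noting: the result treats "revocation status unknown" or "offline revocation" as a reject, because a CDP that cannot be reached otherwise silently turns into an allow, which is the failure mode described in the post.

```powershell
# Added example: online revocation check of a client certificate with X509Chain,
# reporting per-element status and the certificate's CDP URLs. Path is a placeholder.
$X = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]

function Get-CdpUrls([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # CRL Distribution Points extension (OID 2.5.29.31), rendered by the OS formatter.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
    if ($ext) { $ext.Format($true) } else { "(no CDP extension)" }
}

function Test-ClientCertRevocation([string]$CertPath) {
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $p = $chain.ChainPolicy
    $p.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $p.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $p.UrlRetrievalTimeout = New-Object TimeSpan(0, 0, 15)
    # Require the Client Authentication EKU, as a client-certificate listener would.
    $p.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid("1.3.6.1.5.5.7.3.2"))) | Out-Null

    $built   = $chain.Build($cert)
    $revoked = $false
    $unknown = $false
    $details = @()
    # Walk every element: a revoked or uncheckable intermediate fails the leaf just the same.
    foreach ($el in $chain.ChainElements) {
        foreach ($st in $el.ChainElementStatus) {
            $details += ("{0}: {1} - {2}" -f $el.Certificate.Subject, $st.Status, $st.StatusInformation.Trim())
            if ($st.Status -band $X::Revoked) { $revoked = $true }
            if ($st.Status -band ($X::RevocationStatusUnknown -bor $X::OfflineRevocation)) { $unknown = $true }
        }
    }
    $chain.Reset()
    New-Object PSObject -Property @{
        Subject           = $cert.Subject
        Accept            = ($built -and -not $revoked -and -not $unknown)   # fail closed
        Revoked           = $revoked
        RevocationUnknown = $unknown
        CdpUrls           = Get-CdpUrls $cert
        Details           = $details
    }
}

# Usage (placeholder path): run on the TMG server so its CRL cache, proxy settings and
# reachability of the CDPs are the ones being exercised.
Test-ClientCertRevocation "C:\temp\my-user-cert.cer" | Format-List
```

If this script reports Revoked = True on the TMG server while the listener still admits the certificate, the chain engine and the CRL are fine and the gap is in the listener's client-certificate validation settings rather than in PKI reachability; if it reports RevocationUnknown, the capture should show the failed CDP fetch.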

TMG HTTPS Inspection certificate deployment

Hi,

I installed my first TMG recently. In the web access policy I configured an automatically generated certificate for HTTPS inspection and decided to automatically deploy the certificate using Active Directory. It works fine and the trusted root CA is installed on my clients.

But how the hell is it working?

I thought it works via GPO, but there is no new GPO and all of my old GPOs still have an old modified date. I checked the default domain policy. But there I can only find the certificate of our active directory integrated root CA. Does anyone have an idea where I have to look for?

Regards

tebit
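An added example (not from the post above) of where to look. My understanding of the "deploy through Active Directory" option, which the post does not confirm, is that TMG publishes the HTTPS inspection CA certificate into the Certification Authorities container of the AD configuration partition, the same place certutil -dspublish puts a root CA; domain members pull entries in that container into their machine Trusted Root store through certificate autoenrollment, not through a Group Policy object, which would explain why no GPO shows a new modified date. The script below lists what is in that container and checks a client's Root store for a given thumbprint, so the two can be matched against the thumbprint shown in the TMG console. It is read-only and runs as any domain user.

```powershell
# Added example: enumerate CA certificates published in the AD configuration partition
# and check whether a client's LocalMachine\Root store holds a given thumbprint.
function Get-AdPublishedRootCerts {
    $rootDse   = [ADSI]"LDAP://RootDSE"
    $cfgNc     = $rootDse.configurationNamingContext
    $container = [ADSI]("LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services," + $cfgNc)
    $out = @()
    foreach ($child in $container.Children) {
        # cACertificate is multi-valued; each value is the DER encoding of one certificate.
        foreach ($raw in $child.Properties["cACertificate"]) {
            if (-not $raw) { continue }
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$raw)
            $out += New-Object PSObject -Property @{
                AdObject   = $child.Name
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    }
    $out
}

function Test-ClientTrustsCert([string]$Thumbprint) {
    # Run on a client: has autoenrollment placed the certificate in the machine Root store?
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
    $store.Open("ReadOnly")
    $found = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $store.Close()
    [bool]$found
}

# Usage: compare the thumbprints listed here with the HTTPS inspection certificate in the TMG console.
Get-AdPublishedRootCerts | Format-Table AdObject, Subject, Thumbprint, NotAfter -AutoSize
# On a client, with the thumbprint from the list above (placeholder value):
# Test-ClientTrustsCert "0123456789ABCDEF0123456789ABCDEF01234567"
```

The practical point for a first deployment: whatever is in that container becomes a trusted root on every domain member, so access to write there (and to the TMG server holding the matching private key) deserves the same scrutiny as the enterprise CA itself.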

TMG 2010 + Skype

Hi All

I've seen this question asked a few times and it appears the only answer at this stage is to allow everything outbound.

Is this still the case? Is there no way to identify and allow the application without necessarily granting everything outbound, unrestricted access to the Internet?

Surely there is a better way than simply disabling the core features of TMG. I'm already starting to ask myself if it's worth the overhead in keeping the product if I'm limited to using it as an Inbound Firewall, after all, I can get a Cisco Modem to do that.

Ben

TMG 2010 error

I built a new TMG 2010 SP 2 server this weekend but appear to be having slow performance issues.

  • It's on Win 2008 R2 SP1, a physical server.
  • There are also 5 other TMG servers (all at same TMG level with same OS versions)
  • We have a central EMS server.
  • This server was built with OS with an ip address off 10.170.150.102, 2 weeks ago.
  • This weekend I installed TMG on it.  However, prior to installing TMG, I changed its IP to 10.170.150.101.
  • The reason for the IP change is that .101 was the ISA server and the TMG server is the replacement, and we need to keep the same IPs on the TMG as they were on the ISA.  The ISA has been powered off and given different temporary IPs.
  • The TMG appears to be working fine as far as internet access is concerned but is slow serving pages.
  • I see this error in Win event logs and also TMG logs:

The IP address specified for communication between this Forefront TMG computer (10.170.150.101) and other array members is not bound to a network adapter installed on this computer. The IP address specified for intra-array communication must be bound to a network adapter installed on the computer.

I have already done/checked these and all have the correct IP, .101, set:

  • In Forefront TMG Management console > Firewall Policy > Network Objects > Computer Sets > Array Servers.
  • SQL Server Configuration Manager > SQL Server Network Configuration > Protocols for MSFW/ISARS > TCP/IP > IP Addresses (TAB).
  • Searched registry for msFPCIntraArrayAddress and changed IP to .101, there were couple of entries with .102 IP.
  • Searched registry for .102 IP, which was the IP of server prior to installing TMG and found no entries.
  • Have rebooted the TMG.
  • Looked in ADSIEDIT for msFPCIntraArrayAddress, and this entry was not found in the properties of the server nor on its GUID.
  • Looked in ADSIEDIT at the properties of the server and its GUID and found no mention of any IP addresses.

I'm unsure what else I need to check.

I'm also not familiar with what utils I can run on the TMG which may point to what is causing the slowness.  At this stage, I'm assuming above error is the cause of this slowness.

Can anyone please help? First time I'm posting a question so if you require any more details then please let me know.

This is quite urgent so quick replies would be very welcomed.

Kindest regards
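As an added example (not from the post above), this script reads the intra-array address that TMG has stored for the local server through the administration COM object, compares it with the IPv4 addresses actually bound on the box, and refuses to set a new value unless it is bound, which is the condition the logged error complains about. The property and method names on the FPCServer object (IntraArrayAddress, Save) are as I recall them from the ISA/TMG SDK; verify them against the SDK before relying on the Set function. Run it elevated on the affected array member.

```powershell
# Added example: check and correct the TMG intra-array address against bound adapters.
# FPCServer member names as recalled from the ISA/TMG SDK (verify before use).
function Get-BoundIPv4 {
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
}

function Get-IntraArrayState {
    $fpc    = New-Object -ComObject "FPC.Root"
    $server = $fpc.GetContainingServer()
    $bound  = @(Get-BoundIPv4)
    New-Object PSObject -Property @{
        Server            = $server.Name
        IntraArrayAddress = $server.IntraArrayAddress
        BoundAddresses    = ($bound -join ", ")
        IsBound           = ($bound -contains $server.IntraArrayAddress)
    }
}

function Set-IntraArrayAddress([string]$Address) {
    # Refuse anything that is not bound locally: setting it would reproduce the logged error.
    if (@(Get-BoundIPv4) -notcontains $Address) {
        throw "$Address is not bound to a local adapter; refusing to set it"
    }
    $fpc    = New-Object -ComObject "FPC.Root"
    $server = $fpc.GetContainingServer()
    $server.IntraArrayAddress = $Address
    $server.Save()
}

# Usage: inspect first; only set once IsBound shows False for the stored value.
Get-IntraArrayState | Format-List
# Set-IntraArrayAddress "10.170.150.101"
```

If Get-IntraArrayState already shows IsBound = True and the error persists, the stale value is being read from somewhere other than the local server object, and the EMS-held array configuration is the next place to compare against.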
