Channel: Forefront TMG and ISA Server forum

An HTTP 403 error was received because ISA Server denied the specified URL. for certain users


Hi,

I am running a test on testechangeconnectivity.com for autodiscover, and for some of the users in the domain I am getting "An HTTP 403 error was received because ISA Server denied the specified URL." on the website and "12202 Forefront TMG denied the specified Uniform Resource Locator" on ISA Server 2006. This is only happening for some of my AD users; a lot of them work fine. Any newly created users do not appear to pass the test. Because a lot of users are working fine, I am sure it is not a configuration problem with ISA Server, but I can't be sure they were all working a few days ago.

Any help would be greatly appreciated...


Windows 8, Store and MS TMG Proxy - Can't install apps


Hi All,

Hoping for some information/assistance. Currently testing Windows 8 Ent x64 in our Domain Environment. All works well for the built in apps and certainly looks promising. Hoping to get quite a few Surface or other W8 Tablets in the organisation if I can fix this final issue.

I currently cannot install any Apps via the App Store through our Microsoft TMG 2010 SP2 product. I can change rules on the TMG to help make this work if necessary.

This is the message I am currently experiencing when I attempt to install an App:

"Your purchase couldn't be completed. Something happened and your purchase can't be completed"

I hit Try Again and immediately I get the same message. I have traced it to WindowsUpdate.log in the Windows dir which shows:

2012-11-01	12:12:30:243	 852	47cc	Agent	*************
2012-11-01	12:12:30:243	 852	47cc	Agent	** START **  Agent: Finding updates [CallerId = WSAcquisition]
2012-11-01	12:12:30:243	 852	47cc	Agent	*********
2012-11-01	12:12:30:243	 852	47cc	Agent	  * Include potentially superseded updates
2012-11-01	12:12:30:243	 852	47cc	Agent	  * Online = Yes; Ignore download priority = No
2012-11-01	12:12:30:243	 852	47cc	Agent	  * Criteria = "AppCategoryIDs contains '5e19cc61-8994-4797-bdc7-c21263f6282b'"
2012-11-01	12:12:30:243	 852	47cc	Agent	  * ServiceID = {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782} Third party service
2012-11-01	12:12:30:243	 852	47cc	Agent	  * Search Scope = {Current User}
2012-11-01	12:12:30:243	 852	47cc	Agent	  * Caller SID for Applicability: S-1-5-21-1390067357-746137067-1202660629-26658
2012-11-01	12:12:30:243	 852	47cc	EP	Got 9482F4B4-E343-43B6-B170-9A65BC822C77 redir SecondaryServiceAuth URL: "http://fe1.ws.microsoft.com/w8/2/redir/storeauth.cab"
2012-11-01	12:12:30:244	 852	47cc	EP	Got 117CAB2D-82B1-4B5A-A08C-4D62DBEE7782 redir Client/Server URL: "https://fe1.ws.microsoft.com/v6/ClientWebService/client.asmx"
2012-11-01	12:12:30:247	 852	47cc	PT	Skipping StartCategoryScan, no categories require server checks.
2012-11-01	12:12:30:248	 852	47cc	PT	+++++++++++  PT: Synchronizing server updates  +++++++++++
2012-11-01	12:12:30:249	 852	47cc	PT	  + ServiceId = {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782}, Server URL = https://fe1.ws.microsoft.com/v6/ClientWebService/client.asmx
2012-11-01	12:12:30:256	 852	47cc	WS	WARNING: Nws Failure: errorCode=0x803d0006
2012-11-01	12:12:30:256	 852	47cc	WS	WARNING: There was an error communicating with the endpoint at 'https://fe1.ws.microsoft.com/v6/ClientWebService/client.asmx'.
2012-11-01	12:12:30:256	 852	47cc	WS	WARNING: The operation timed out after 60000 (0xEA60) milliseconds.
2012-11-01	12:12:30:256	 852	47cc	WS	WARNING: The operation could not be completed because the channel has been aborted.
2012-11-01	12:12:30:256	 852	47cc	WS	WARNING: Web service call failed with hr = 8024401c.
2012-11-01	12:12:30:256	 852	47cc	WS	WARNING: Current service auth scheme='None'.
2012-11-01	12:12:30:256	 852	47cc	WS	WARNING: Proxy List used: 'PROXYIPHERE:8080', Bypass List used: '(null)', Last Proxy used: 'PROXYIPHERE:8080', Last auth Schemes used: 'None'.
2012-11-01	12:12:30:256	 852	47cc	WS	FATAL: OnCallFailure(hrCall, m_error) failed with hr=0x8024401c
2012-11-01	12:12:30:256	 852	47cc	PT	WARNING: PTError: 0x8024401c
2012-11-01	12:12:30:256	 852	47cc	PT	WARNING: SyncUpdates_WithRecovery failed.: 0x8024401c
2012-11-01	12:12:30:256	 852	47cc	PT	WARNING: Sync of Updates: 0x8024401c
2012-11-01	12:12:30:256	 852	47cc	PT	WARNING: SyncServerUpdatesInternal failed: 0x8024401c
2012-11-01	12:12:30:256	 852	47cc	Agent	  * WARNING: Failed to synchronize, error = 0x8024401C
2012-11-01	12:12:30:256	 852	47cc	Agent	  * WARNING: Exit code = 0x8024401C
2012-11-01	12:12:30:256	 852	47cc	Agent	*********
2012-11-01	12:12:30:257	 852	47cc	Agent	**  END  **  Agent: Finding updates [CallerId = WSAcquisition]
2012-11-01	12:12:30:257	 852	47cc	Agent	*************

The key line here being: Last auth Schemes used: 'None'

Which gives the error: hr=0x8024401c - Authentication error?

This leads me to the TMG live Proxy log. Which shows all as Allowed Connection but the HTTP Status Code is 407 Proxy Authentication Required:

Status: 407 Proxy Authentication Required
Rule:Allow Unfiltered Internet
Source:Internal (172.16.2.23:64163)
Destination:External (172.23.0.10:443)
Request: fe1.ws.microsoft.com:443
Filter information:Req ID: 0f74228b; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel

User: anonymous

Is there a rule that needs to be added to the TMG/Web Access Policy to allow Unauthenticated traffic to certain domains or is there something on Windows 8 (without having to install anything as this is not an easy solution to roll out to RT tablets for example)

Many Thanks for any assistance. I may crosspost this to the Windows 8 forum too.

Regards,

Dan.


High ping behind Forefront TMG

In our company we are using Forefront TMG and we are happy about it except one thing, we have a very high ping behind this firewall.
When a computer is connected to the ISP internet line we have a ping of 5 ms. When the same computer uses ping behind the Forefront TMG firewall, we have a ping of 260 ms. When the same computer uses ping behind the Forefront TMG firewall with the Forefront Proxy enabled in IE, the ping is 45 ms.
How can we reduce the ping from a computer behind the firewall without IE proxy?

Thanks in advance.

Make 2 EMS/CSS Role Instances in one TMG CSS Role


I am stuck in one of the projects and I need your expert advice. Hope you can help me out.

Basically we have 2 TMG environment

  1. Reverse proxy for Microsoft application and internet access which has CSS/(EMS) with 2 Array members and dedicated CSS role server (we called this Environment as MS TMG ENV )
  2. For business application for reverse proxy has standalone Array not EMS and it has 2 Array members. (we called this Environment as Business Apps TMG Env) 

I am planning to achieve like this. 

  1. Move MS TMG Environment’s existing CSS role to different server (New Server Name TMG-CSS-01)
  2. Move standalone array to enterprise Array (CSS/EMS) that too used above CSS role (Server Name TMG-CSS-01) as currently one of the server is holding standalone array between the 2 Array members.
  3. So end of the project we will have Server Name TMG-CSS-01 as a CSS role for both the environment as I read in the blog that ADAM/AD LDS can have multiple instances, I will make the Instances name as MS-TMG-CSS for MS application environment and  BU-TMG-CSS for business Apps TMG environment. 

TMG Version : TMG 2010 SP2 (No Rollups)

Can Anybody help me out in this. Thanks a lot in advance.

TMG Firewall Clients

We host a bunch of sites internally and I am trying to exclude access to those sites from going through our TMG array. I tried a GPO with the proxy server info and proxy exceptions. The TMG client appears to be over-riding those settings because if a machine has the TMG client on it the exceptions are blank. I read a couple of articles about unchecking use proxy in Networking>Internal>Forefront TMG Client but then IE doesn't have a proxy configured at all. Either way it appears that the TMG client is over-riding all other settings and either we get the traffic to bypass proxy but we are not utilizing the proxy which then we see IP addresses in the logs and not host names.

Outlook Anywhere no longer working - Error Code 64


Environment: Exchange 2007 Sp3 single server with all roles.  Outlook Anywhere, ActiveSync, EWS, and OWA are published using ISA 2006.  ISA 2006 is a single NIC setup and is only functioning as a reverse proxy for Exchange and SharePoint.

Issue:

Outlook anywhere has stopped working in my environment.  Not sure when, but I found this out today.

Basically, when I open Outlook outside of my network, I am prompted for credentials and after entering my credentials Outlook hangs for a short while and then displays "Microsoft Exchange is Unavailable - retry, work offline or cancel".  On the ISA server side I see several "Failed Connection Attempts - (LDAP) username RPC_IN_DATA http://email.domain.com/rpc/rpcproxy.dll?internalemailserver.local:6004

The RPC_IN_DATA URL also has another failed entry with a different internal server name for one of my AD servers. Example: http://email.domain.com/rpc/rpcproxy.dll?internalADserver.local:6004

In addition there is an "Allowed Connection" entry for RPC_OUT_DATA for http://email.domain.com/rpc/rpcproxy.dll?internalADserver.local:6004

If I open the url: https://email.domain.com/rpc/rpcproxy.dll I receive the ISA logon page.  After logging on I receive the following:

Technical Information (for support personnel)

  • Error Code 64: Host not available
  • Background: The connection to the Web server was lost.

I am really at a loss here.  As I stated I am not entirely sure when this issue occurred.  I recently published EWS through ISA by adding the path /EWS/* to the Outlook Anywhere rule.  I did create an EWS external URL on the Exchange server.  Other than this I am not aware of any other changes.

Can you please offer assistance.


Publish NVR Console

I have a VioStor NVR (Network Video Recorder) which administers through a Web console the IP cameras in my organization. I have problems when wanting to set up a rule in the firewall (TMG 2010 SP1) to let me see the console out of the local network (internet).

Please, your help

TMG Publishing Rule-Listener with client certificate requirement does not check for revocation


Hello all,

I have read a lot of sites and posts regarding Cert revocation but still have not found a working setup yet. We are publishing a website using a dedicated listener that requires client certificates from either an internal PKI (Based on Windows 2008r2) and an External PKI (Based on the opensource XCA tool). The internal CA's have the CDP/AIA information published and updated and are available via HTTP and LDAP. The TMG 2010 Server is member of the domain and can retrieve all certificate revocation information successfully using CERTUTIL -f -urlfetch -verify my-user-cert.cer.

The TMG server can also download the CRL using the CERTUTIL -URL "http://crl.domain.com/CAInfo/filename.crl".

I have installed the root/issuing/personal certificates on my iPad in the profiles store and can successfully open the website using Safari after importing those certificates, which I could not without those certs. So Certificate issuing-check is working fine, however when I revoke the certificate on the CA and republish the CRL then the iPad can still access the website. When I sniff the traffic on the TMG server I also cannot easily see any trace of the server trying to even access the CRL either via an LDAP query or HTTP request.

When I run the CERTUTIL revocation check internally or via the internet it works fine and shows the certificate is revoked. I also cleared the CRL cache locally on the TMG servers and downloaded the latest one via the CERTUTIL -f -urlfetch ... command.

What am I missing? On the TMG Server the System Policy "CRL Download" is enabled.

I hope you can help me out!

Many thanks,

Eric 


Best regards and many thanks in advance, Eric Vegter


TMG HTTPS Inspection certificate deployment


Hi,

I installed my first TMG recently. In the web access policy I configured an automatically generated certificate for the https inspection and decided to automatically deploy the certificate using Active Directory. It works fine and the trusted root CA is installed on my clients.

But how the hell is it working?

I thought it works via GPO, but there is no new GPO and all of my old GPOs still have an old modified date. I checked the default domain policy. But there I can only find the certificate of our active directory integrated root CA. Does anyone have an idea where I have to look for?

Regards

tebit

TMG 2010 + Skype


Hi All

I've seen this question asked a few times and it appears the only answer at this stage is to allow everything outbound.

Is this still the case? Is there no way to identify and allow the application and not necessarily everything outbound, unrestricted access to the Internet?

Surely there is a better way than simply disabling the core features of TMG. I'm already starting to ask myself if it's worth the overhead in keeping the product if I'm limited to using it as an Inbound Firewall, after all, I can get a Cisco Modem to do that.

Ben

Issue with Publishing OWA


Hello,

   Having an issue with Outlook Web Access 2010 and Threat Management Gateway.  The OWA login screen comes up when the mailbox.mrm2inc.com/owa is entered into the browser, both internally and externally.  Internally when the user enters their username and password they are able to get to their email.  When a user externally enters in their username and password, it flashes off the screen and back to the login screen.  Anyone have any idea what would cause this?


Michael R. Mastro II

authority (CA) certificate TMG


I have a TMG 2010 server with https inspection on.
In my field I have another windows server 2008R2, which is my Domain Controller, and has a certification authority,
it always gets error messages in TMG

"Forefront TMG failed to sign the cloned SSL server certificate for the destination server using the certification authority (CA) certificate."

Already put the controller in the domain except for https inspection, yet I keep receiving error messages.

Additionally in my field work with encrypted LDAP.

I wonder how I can solve the problem of the error message above?

SSTP time to establish the connection: How long is it for you?


I'm curious how long it takes for your Clients to connect via SSTP.

We have a Server 2012 with RRAS installed. PPTP is not an option, so we tested IKEv2 and SSTP.

Dialing in via IKEv2 (Windows 8 and Windows 7) happens within the blink of an eye. Unfortunately IKEv2 has some drawbacks for us and SSTP seems to be the better way, so we also tested SSTP.

But with SSTP the time until a connection is established can take from 10-30 seconds, which is pretty long compared to IKEv2. So I wonder if this is normal for the SSTP handshake or if there's something I could look into.

To add some more background Information: We also run Direct Access on separate Servers and use our own PKI for the Certificates. DA works like a charm and of course our CRL Servers and OCSP are available also from the outside.

Downloading Adobe Flash terminates at 47% and TMG gives a non-SYN packet error message


None of our users are able to download Adobe flash player 11 as the download process terminates at 47% completion and on TMG we see the following error message:

Denied Connection CAR-WEBPROXY 6/13/2013 9:39:33 AM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer.
Rule: None - see Result Code
Source: Internal (10.46.18.189:64989)
Destination: Local Host (10.46.16.94:8080)
Protocol: HTTP Proxy
Additional information
  • Number of bytes sent: 0 Number of bytes received: 0
  • Processing time: 0ms Original Client IP: 10.46.18.189

I am running Forefront Threat Management Gateway Version: 7.0.7734.100 on Windows 2008 R2 x64 Server.

This is not the only situation when a non-SYN error message occurs.

Any help will be appreciated.

This invariably follows a "Close Connection" action by TMG such as:

Closed Connection CAR-WEBPROXY 6/13/2013 11:16:39 AM
Log type: Firewall service
Status: A connection was abortively closed after one of the peers sent an RST packet.
Source: Internal (10.46.18.189:51280)
Destination: Local Host (10.46.16.94:8080)
Protocol: HTTP Proxy
Additional information
  • Number of bytes sent: 20670 Number of bytes received: 572099
  • Processing time: 18003ms Original Client IP: 10.46.18.189


TMG 2010 error


I built a new TMG 2010 SP 2 server this weekend but appear to be having slow performance issues.

  • It's on Win 2008 R2 SP1, a physical server.
  • There are also 5 other TMG servers (all at same TMG level with same OS versions)
  • We have a central EMS server.
  • This server was built with OS with an IP address of 10.170.150.102, 2 weeks ago.
  • This weekend I installed TMG on it.  However, prior to installing TMG, I changed its IP to 10.170.150.101.
  • Reason for IP changes is that .101 was the ISA server and the TMG server is the replacement and we need to keep same IPs on the TMG as they were on the ISA.  ISA has been powered off and given different temporary IPs.
  • The TMG appears to be working fine as far as internet access is concerned but is slow serving pages.
  • I see this error in Win event logs and also TMG logs:

The IP address specified for communication between this Forefront TMG computer (10.170.150.101) and other array members is not bound to a network adapter installed on this computer. The IP address specified for intra-array communication must be bound to a network adapter installed on the computer.

I have already done/checked these and all have the correct IP, .101, set.:

  • In Forefront TMG Management console > Firewall Policy > Network Objects > Computer Sets > Array Servers.
  • SQL Server Configuration Manager > SQL Server Network Configuration > Protocols for MSFW/ISARS > TCP/IP > IP Addresses (TAB).
  • Searched registry for msFPCIntraArrayAddress and changed IP to .101, there were couple of entries with .102 IP.
  • Searched registry for .102 IP, which was the IP of server prior to installing TMG and found no entries.
  • Have rebooted the TMG.
  • Looked in ADSIEDIT for msFPCIntraArrayAddress, and this entry was not found in properties of the server nor on its GUID.
  • Looked in ADSIEDIT on properties of server and its GUID and found no mention of any IP addresses.

I'm unsure what else I need to check.

I'm also not familiar with what utils I can run on the TMG which may point to what is causing the slowness.  At this stage, I'm assuming above error is the cause of this slowness.

Can anyone please help? First time I'm posting a question so if you require any more details then please let me know.

This is quite urgent so quick replies would be very welcomed.

Kindest regards

Custom deny message - unable to hit the rule


Hi All,

I have a situation where OWA is published via TMG (SP3). TMG is running in single NIC mode. OWA rule is set to pre-authentication and let in only users from certain groups. All works fine however when there is a request from a user who doesn't have the access it will fall to the "Last Default Rule" and returns standard TMG deny message to his/her browser. In TMG I see this:

Denied Connection TMG01 18.6.2013 14:11:36 
Log type: Web Proxy (Reverse) 
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).  
Rule: Default rule 
Source: Internal (85.195.185.83:27614) 
Destination: Local Host (132.87.49.78:443) 
Request: GET http://webmail.anonymous.com/owa/ 
Filter information: Req ID: 104c0fac; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=no, logged off=no, client type=public, user activity=yes 
Protocol: https 
User: Internal\user.user 
 Additional information 
Client agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 MIME type: 
 

Customer requested a Custom deny message to be returned to user. I created a new deny access rule "OWA custom message" and placed it at the bottom. Rule got following parameters:

Action: Deny Advanced - Display denial notification to user : Custom message

Protocols: HTTP, HTTPS

From: Internal (as it is single NIC)

To: webmail.anonymous.com (Domain name set) also tried http://webmail.anonymous.com/owa*, https://webmail.anonymous.com/owa* (URL set)

Users: All Users

This however never hits the rule and always falls to the Last Default Rule. What am I doing wrong?

Thanks


