Channel: Forefront TMG and ISA Server forum

TMG 2010 Array and second Configuration Storage Server

I started with 2 TMG servers (configured as an array) connected to one Configuration Storage Server / EMS.  I added the second, configured it as a secondary Configuration Storage Server on the Array Members, however, if I load the Forefront TMG console on the second EMS/CSS it says it has no connection with the Array Members.  The configuration is up to date on the second server, but I can't manage the array members.  Is this by design? 

Move Existing TMG EMS CSS role to New server


I am planning to move the existing EMS CSS role to a new CSS role server, as the existing CSS role hardware is outdated, and the new CSS role server will have a new name.

I have prepared the steps, which are:

1. Install TMG on the new server by the slipstream method, as per this blog, since setup may fail if we run the setup using TMG SP1 and I cannot directly run SP2. (http://tmgblog.richardhicks.com/2011/10/23/slipstream-service-pack-2-for-forefront-tmg-2010/)

2. Install the TMG EMS role with the option "Copy an existing Enterprise configuration to this EMS".

3. Add the new CSS server in the Properties of Array => Configuration Storage => "Alternate Configuration Storage server (optional)" tab.

4. Keep the server running for 2 days so that everything will be synced.

5. After that, add the new CSS server in Properties of Array => Configuration Storage => "Configuration Storage server (enter the FQDN)".

6. Make my old CSS server the Properties of Array => Configuration Storage => "Alternate Configuration Storage server (optional)" entry.

7. Test the Firewall Policy; if everything is working, then go ahead and uninstall the old CSS role.

Questions:

1) Are the above steps correct to transfer the CSS role?

2) What about the AD LDS instance? Do I have to transfer the role as mentioned for ISA? http://blogs.technet.com/b/isablog/archive/2009/03/31/transferring-configuration-storage-server-fsmo-roles.aspx

3) Is there any way to know that the Firewall Policy rules are using my new CSS server before I go ahead and uninstall the old CSS role?

Thanks in advance for all those ISA/TMG champs :)

TMG Traffic Flow Issues

Hi All,

I am having a really frustrating issue with going through my TMG server to an external server, for example SMTP.

My network structure is as follows;

Internal (192.168.10.0) ---> TMG --> Perimeter (192.168.11.0) ----> Hardware Firewall ----> Internet

I have a rule in my TMG setup which allows traffic from the internal network to the perimeter and external networks using the SMTP protocol.

I am trying this on a server using SecureNAT. Using telnet, if I connect to an SMTP server in the perimeter network, this works fine; however, if I try to open a connection to smtp.gmail.com on port 25 the connection fails and I get the following entries in the TMG logs;

Initiated Connection
Log type: Firewall service
Status: The operation completed successful
Rule: SMTP Test
Source: Internal (192.168.10.2:47184)
Destination: External (173.194.67.108:25)
Protocol: SMTP
Number of bytes sent:0 Number of bytes received: 0
Processing time: 0ms Original client IP: 192.168.10.2

Followed a short while later by this;

Closed Connection
Log type: Firewall service
Status: A connection was closed because no SYN/ACK reply was received from the server
Rule: SMTP Test
Source: Internal (192.168.10.2:47184)
Destination: External (173.194.67.108:25)
Protocol: DNS
Number of bytes sent:152 Number of bytes received: 0
Processing time: 69000ms Original client IP: 192.168.10.2

If I replace the TMG with another hardware firewall, the SMTP connections go through no problem. 

Does anyone have any suggestions as to how I can find the cause of this issue? It doesn't appear to be as simple as rules on the TMG server, as it isn't logging any denial.

Many thanks in advance,

Neil.
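The two log entries quoted above (an allowed "Initiated Connection" followed by a "Closed Connection" whose status reports no SYN/ACK) are the pattern that separates a TMG policy problem from a problem on the path beyond TMG: a policy block would show up as a "Denied Connection", whereas here the rule permitted the flow, the SYN left TMG, and nothing came back. As an added example, not code from the post or from Microsoft, the following Python script parses entries copied from the TMG log viewer in this key/value layout, pairs each "no SYN/ACK" closure with its earlier initiation, and records that pairing in the finding. The sample entries are constructed to mirror the post's format: the rule name and addresses of the external flow are taken from the post, while the perimeter host 192.168.11.5 and its byte counts are assumed values for a connection that completes normally.

```python
"""Pair TMG firewall-service log entries and flag allowed connections that never
completed the TCP handshake ("no SYN/ACK reply").  Added example; not code from
the forum post or from Microsoft."""
import re

# Constructed sample in the key/value layout of the TMG log viewer.  The flow to
# the external SMTP host mirrors the post; the perimeter host 192.168.11.5 is an
# assumed address for a connection that completes normally.
SAMPLE_LOG = """\
Initiated Connection
Status: The operation completed successfully
Rule: SMTP Test
Source: Internal (192.168.10.2:47184)
Destination: External (173.194.67.108:25)
Number of bytes sent:0 Number of bytes received: 0
Processing time: 0ms Original client IP: 192.168.10.2

Closed Connection
Status: A connection was closed because no SYN/ACK reply was received from the server
Rule: SMTP Test
Source: Internal (192.168.10.2:47184)
Destination: External (173.194.67.108:25)
Number of bytes sent:152 Number of bytes received: 0
Processing time: 69000ms Original client IP: 192.168.10.2

Initiated Connection
Status: The operation completed successfully
Rule: SMTP Test
Source: Internal (192.168.10.2:47190)
Destination: Perimeter (192.168.11.5:25)
Number of bytes sent:0 Number of bytes received: 0
Processing time: 0ms Original client IP: 192.168.10.2

Closed Connection
Status: The operation completed successfully
Rule: SMTP Test
Source: Internal (192.168.10.2:47190)
Destination: Perimeter (192.168.11.5:25)
Number of bytes sent:412 Number of bytes received: 1310
Processing time: 2130ms Original client IP: 192.168.10.2
"""

ENDPOINT_RE = re.compile(r"^(?P<net>[^(]+?)\s*\(\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*\)")
BYTES_RE = re.compile(r"Number of bytes sent:\s*(\d+)\s+Number of bytes received:\s*(\d+)", re.I)
TIME_RE = re.compile(r"Processing time:\s*(\d+)\s*ms", re.I)

def parse_entries(text):
    """Entries are separated by blank lines; the first line is the action
    (Initiated/Closed/Denied Connection), the rest are 'Key: value' pairs.
    Two of those lines carry two pairs each, so they get dedicated regexes."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        entry = {"action": lines[0]}
        for line in lines[1:]:
            if m := BYTES_RE.search(line):
                entry["bytes_sent"], entry["bytes_received"] = int(m[1]), int(m[2])
            elif m := TIME_RE.search(line):
                entry["processing_ms"] = int(m[1])
            else:
                key, _, value = line.partition(":")
                entry[key.strip().lower()] = value.strip()
        entries.append(entry)
    return entries

def endpoint(entry, which):
    """Split 'External (173.194.67.108:25)' into ('External', '173.194.67.108:25')."""
    m = ENDPOINT_RE.match(entry.get(which, ""))
    return (m["net"].strip(), f"{m['ip']}:{m['port']}") if m else ("", "")

def flow(entry):
    return endpoint(entry, "source")[1], endpoint(entry, "destination")[1]

def find_failed_handshakes(entries):
    """One finding per Closed Connection whose status reports no SYN/ACK.
    initiated_seen is True when an Initiated Connection exists for the same
    source:port -> destination:port: the rule allowed the flow and the SYN left
    TMG, so the missing reply points at routing or the upstream firewall rather
    than at TMG policy (a policy block would be logged as Denied Connection)."""
    initiated = {flow(e) for e in entries if e["action"].startswith("Initiated Connection")}
    findings = []
    for e in entries:
        if not (e["action"].startswith("Closed Connection")
                and "no syn/ack" in e.get("status", "").lower()):
            continue
        dst_net, dst = endpoint(e, "destination")
        findings.append({
            "source": endpoint(e, "source")[1],
            "destination": dst,
            "destination_network": dst_net,
            "rule": e.get("rule", ""),
            "processing_ms": e.get("processing_ms", 0),
            "bytes_sent": e.get("bytes_sent", 0),
            "initiated_seen": flow(e) in initiated,
        })
    return findings

if __name__ == "__main__":
    for f in find_failed_handshakes(parse_entries(SAMPLE_LOG)):
        print(f"{f['source']} -> {f['destination']} ({f['destination_network']}, rule {f['rule']}): "
              f"no SYN/ACK after {f['processing_ms']} ms; initiated by TMG: {f['initiated_seen']}")
```

Run over the sample, the script reports only the external flow: 69000 ms with bytes sent but nothing received, and an initiation under the same rule. Grouping findings by destination_network is the useful next step when the perimeter flows succeed and only external ones fail, since that points at the hop between the perimeter network and the Internet rather than at the TMG rule.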

Make 2 EMS/CSS Role Instances in one TMG CSS Role


I am stuck on one of my projects and I need your expert advice. I hope you can help me out.

Basically we have 2 TMG environments:

  1. Reverse proxy for Microsoft applications and internet access, which has CSS (EMS) with 2 array members and a dedicated CSS role server (we call this environment the MS TMG Env).
  2. For business applications, a reverse proxy that has a standalone array, not EMS, with 2 array members (we call this environment the Business Apps TMG Env).

I am planning to achieve the following:

  1. Move the MS TMG environment's existing CSS role to a different server (new server name TMG-CSS-01).
  2. Move the standalone array to an enterprise array (CSS/EMS) that also uses the above CSS role server (server name TMG-CSS-01), as currently one of the two array members is holding the standalone array.
  3. So at the end of the project we will have server TMG-CSS-01 as the CSS role for both environments. As I read in the blog that ADAM/AD LDS can have multiple instances, I will name the instances MS-TMG-CSS for the MS application environment and BU-TMG-CSS for the Business Apps TMG environment.

TMG Version : TMG 2010 SP2 (No Rollups)

Can anybody help me out with this? Thanks a lot in advance.

High ping behind Forefront TMG

In our company we are using Forefront TMG and we are happy about it except one thing, we have a very high ping behind this firewall.
When a computer is connected directly to the ISP internet line we have a ping of 5 ms. When the same computer pings from behind the Forefront TMG firewall, we have a ping of 260 ms. When the same computer pings from behind the Forefront TMG firewall with the Forefront proxy enabled in IE, the ping is 45 ms.
How can we reduce the ping from a computer behind the firewall without IE proxy?

Thanks in advance.

OWA password changing problem with TMG 2010.


Hello everyone,

I have met a problem when trying to change the password in OWA.

Our environment:

One DC, one Exchange 2010 SP1 standard (Mailbox, CAS, Hub role on one server), one TMG server 2010(version: 7.0.7734.100, has joined domain as a member server, with two NICs, one for internal network, one for external network.) 

The authentication of 'outlook web app' on exchange server is 'Basic authentication'.

The 'authentication delegation' on the TMG server is set to 'Basic authentication' as well. The 'authentication' tab in the listener is set to 'HTML Form Authentication'; in the 'Forms' tab, I have marked 'Use customized HTML forms instead of the default' and put 'Exchange' as the custom HTML form set directory. I have also marked 'Allow users to change their passwords.'

Expired password has been enabled on Exchange server: http://technet.microsoft.com/en-us/library/bb684904(v=exchg.141).aspx

But when I mark 'user must change password at next logon' in ADUC and use that account to log in to OWA, the TMG server refuses and returns an error message: "You could not be logged on to Forefront TMG. Make sure that the domain name, user name, and password are correct, then try again."

I have read a post and followed it, but it still doesn't work: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/6ab21aff-35c3-454b-86a4-e3e4bda701ab

Everything works internally, but doesn't work externally. And it only works when replacing 'all authenticated users' with 'all users' in the TMG OWA rule. I guess there are some problems with the communication between the TMG server and the DC, but I cannot figure it out.

Please help me, thanks in advance!

Outbound RDP traffic denied


Hello people,

TMG is not allowing my workstation to access computers on external networks using RDP.

I have created a rule allowing the RDP protocol from my workstation to the external network, but it seems useless.

When checking the logs, I see that the default rule is blocking me, even though the access rule is enabled.

Note that when bypassing TMG, I can access computers with RDP.

The TMG client is installed on my workstation.

Error 403 Microsoft ISA 2006


Here's a description of the issue I am facing.

We have two proxy servers (Microsoft ISA 2006), 192.x.x.99 and 192.x.x.100. We have an Exchange Server 2007 installed. When a client opens his email, it first goes to 192.x.x.100, from where it is redirected to our HUBCAS server 192.x.x.14. Our website is published on 192.x.x.99.

On 192.x.x.99 there is a DNS entry for 192.x.x.100. So when we open OWA using the domain name mail.domainname.in on 192.x.x.99 in the browser, everything works fine.

But when we try to open OWA using the domain name mail.domainname.in on 192.x.x.100, it gives me the following error.

The page must be viewed over a secure channel

The page you are trying to access is secured with Secure Sockets Layer (SSL).

Please try the following:

• Type https:// at the beginning of the address you are attempting to reach and press ENTER.

HTTP Error 403.4 - Forbidden: SSL is required to view this resource.
Internet Information Services (IIS)

When I add https:// in front I get

Under Construction

The site you are trying to view does not currently have a default page. It may be in the process of being upgraded and configured.

Please try this site again later. If you still experience the problem, try contacting the Web site administrator.

If you are the Web site administrator and feel you have received this message in error, please see "Enabling and Disabling Dynamic Content" in IIS Help.

To access IIS Help
1. Click Start, and then click Run.
2. In the Open text box, type inetmgr. IIS Manager appears.
3. From the Help menu, click Help Topics.
4. Click Internet Information Services.

When I add /owa to the URL: https://mail.domainname.in/owa

I get the username and password box, but still don't get the proper website opened.

Want to know how to fix this. Any help will be greatly appreciated.

Denied Connection: NetBios Session (Protocol)

This is the error I get reported by ISA when trying to connect from my SBS 2003 Server to my offsite MSSQL Database Provider via SQL Server Management Studio:

Denied Connection
Log type: Firewall service
Status: A packet generated on the local host was rejected because its source IP address is assigned to one network adapter and its destination IP address is reachable through another network adapter.
Rule:
Source: Local Host ( 192.168.1.1:29859)
Destination: External (***.***.***.***:139)

Protocol: NetBios Session

Any idea what this means and how to fix it?

How to install 2nd Forefront TMG on my Domain!

How do I install a second Forefront TMG Server on our Domain? I have prepared a server and named it "SRVTMG2", and would like to have it as our second TMG server and apply different policies to it, so when users want to switch to TMG2 they just change it in the TMG Client on their computer and that's it. Is this the right way? And how do I install and configure it? Please can you help me?

Thanks so much

MR

forefront port problem

Greetings,

I'm testing an online tutoring system which is supposed to communicate on port 1935 and default back to 80 if it cannot use that port. I have set up a rule to allow in/outbound access for that protocol, yet it defaults back to using port 80. In the log I can see it open and close port 1935 but that's it; it refuses to continue using it.

The logging shows it tried to use port 1935:
Initiated Connection ISA 10/06/2013 13:17:28
Log type: Firewall service
Status: The operation completed successfully.
Rule: Tute Access
Source: Internal (192.168.0.207:50137)
Destination: External (t01.tute.com 164.177.138.80:1935)
Protocol: RTMP
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.0.207

and then I see this:
Closed Connection ISA 10/06/2013 13:20:00
Log type: Firewall service
Status: A connection was abortively closed after one of the peers sent an RST packet.
Rule: Tute Access
Source: Internal (192.168.0.207:50135)
Destination: External (t01.tute.com 164.177.138.80:1935)
Protocol: RTMP
Additional information
Number of bytes sent: 17072 Number of bytes received: 340069
Processing time: 151992ms Original Client IP: 192.168.0.207

Any ideas what is happening?

Thanks
James

SlideShare site open access but restrict upload

Hi Guys,

In my network currently SlideShare is restricted, as presentations can be uploaded there.

How can I open SlideShare access in such a way that uploading is restricted but people can do other browsing without any problem?

Kamran Shahid Application Developer (MCP,MCAD,MCSD.NET,MCTS,MCPD.net[web])

UAG need tmg?

Does UAG need TMG to run? Can you use an ASA appliance or another firewall? I ask this question because of the rules that are automatically added when configuring a UAG trunk, etc.

Can UAG be installed on a separate server that has no TMG?

Thanks!!

Routing/Chaining Failure TMG Detected a Loop

Hi Folks;

I'm having an issue with TMG 2010 in that I'm seeing reports of Routing/Chaining failure / TMG Detected a Loop;

Event id 14141

Forefront TMG detected a proxy server loop. There may be a problem in the configuration of the Forefront TMG Web chaining policy. Alternatively, in Enterprise Edition, when CARP is enabled and there are intermittent interruptions of intra-array connectivity, array member A may forward a request to array member B according to the CARP algorithm, and array member B may forward the request to array member A in an endless loop.

A look at the log files indicates that this error occurs when the localhost (the TMG 2010 VM itself) is connecting to Microsoft to check for Windows Updates. This is the only time the error occurs and it occurs often.

Here's a snippet to illustrate;

Microsoft-CryptoAPI/6.1  Proxy - 65.54.87.108 TCP GET Req ID: 0a655fc7; Compression: client=No, server=No, compress rate=0% decompress rate=0% - 0x110 0x0 58066 SecureNAT     1 3923 201 - 5/14/2013 1:23:26 AM - - 0 - 0 - - - - - - 0 0         From cache  65.54.87.108 5/13/2013 6:23:26 PM Local Host xx.external.IP.xx External 65.54.87.108 80 http Failed Connection Attempt  -  - -

[System] Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads)

12206 Forefront TMG detected a proxy chain loop. There is a problem with the configuration of the Forefront TMG routing policy. Please contact your server administrator.  anonymous http://65.54.87.108/pki/mscorp/crl/mswww(6).crl EDGE Technical Information Web Proxy Filter   -   0 -

Is there anyone left in the groups with knowledge of TMG 2010? I've already looked on the web for information relating to this but none seems relevant. I think the key is in the fact that it only happens when the local host goes off to Microsoft to check for Windows Updates.

TMG and polycom HDX 7000

Hi

We have purchased a video conferencing device called Polycom HDX 7000.
We have a TMG firewall.
Some ports need to be opened in TMG:

- TCP 1720 (bidirectional)
- TCP 3230 - 3243 (bidirectional)
- UDP 3230 - 3277 (bidirectional)

The device was given the following IP: 10.10.120.19

I would like calls received from outside to be transferred (NAT) to the device; we have a public IP.

What are the steps required? I am a beginner with the firewall and ask for your help.

ForeFront TMG 2010 proxy is not working for some sites

We are using ForeFront TMG as a web proxy, and for some days clients have been facing a problem accessing some websites like http://www.hotmail.com, www.stc.com.sa and www.mohe.gov.sa; all other sites are working fine.

This happened suddenly without any ALERT in the TMG. The public DNS Servers' IPs had been removed from the OUTBOUND Network Adapter, but the problem is still there.

I got the following ERROR on the page while browsing the msn site:

Network Error (tcp_error)

A communication error occurred: "Operation timed out"  The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.

MCS

SharePoint 2010 reverse-published through TMG - 403 Forbidden when switching user after successfully authenticating

Hi - hoping someone out there has seen this issue and can help.

We're in the process of migrating to TMG 2010 in a single-network adapter config to reverse-publish SharePoint 2010 sites. We're presently using ISA 2006 in a dual-NIC configuration (one NIC internal, one connected to the Internet).

TMG is taking the request, offloading the SSL and sending it to port 80 (we've also tried using TMG as an SSL pass-through and having SSL terminate on the SharePoint web front-end). We're using LDAP-AD validation for our HTTP Basic auth.

Clients can authenticate successfully and all SharePoint functionality is there, but when a user chooses Sign In As A Different User, instead of being presented with an auth prompt, a 403 Forbidden "The server denied the specified Uniform Resource Locator (URL)" results.

Here is the GET from a Fiddler trace of the page when the 403 is generated ---- I've changed the URLs, IPs and usernames to generic ones:

GET /_layouts/accessdenied.aspx?loginasanotheruser=true&Source=https%3A%2F%2Fsharepoint%2Esite%2Ecom%2FSitePages%2FHome%2Easpx HTTP/1.1

The referer:

Referer: https://sharepoint.site.com/_layouts/closeConnection.aspx?loginasanotheruser=true&Source=https%3A%2F%2Fsharepoint%2Esite%2Ecom%2FSitePages%2FHome%2Easpx

TMG logs show first a 12210 An Internet Server API (ISAPI) filter has finished handling the request

Failed Connection Attempt TMGSERVER 6/20/2013 8:20:54 AM
Log type: Web Proxy (Reverse)
Status: 12210 An Internet Server API (ISAPI) filter has finished handling the request. Contact your system administrator.
Rule: sharepoint.site.com
Source: Internal (ip coming from internet)
Destination: Local Host (ip of sharepoint web server:80)
Request: GET http://sharepoint.site.com/_layouts/blank.htm
Filter information: Req ID: 0e5cbf7c; Compression: client=Yes, server=Yes, compress rate=0% decompress rate=0%
Protocol: https
User: (LDAP)xxxxx
Additional information
Client agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x4000008 (Request includes the AUTHORIZATION header. Response includes the WWW-AUTHENTICATE header.)
Processing time: 94 MIME type:

Then further down the logs

Denied Connection TMGSERVER 6/20/2013 8:31:43 AM
Log type: Web Proxy (Reverse)
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Rule: sharepoint.site.com
Source: Internal (ip coming from internet)
Destination: Local Host (ip of sharepoint web server:80)
Request: GET http://sharepoint.site.com/_layouts/accessdenied.aspx?loginasanotheruser=true&Source=https%3A%2F%2Fsharepoint%2Esite%2Ecom%2FSitePages%2FHome%2Easpx
Filter information: Req ID: 0e5cc098; Compression: client=Yes, server=Yes, compress rate=0% decompress rate=0%
Protocol: https
User: (LDAP) xxxxx
Additional information
Client agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x6020008 (Request includes the AUTHORIZATION header. Response includes the CACHE-CONTROL: PRIVATE header. Response includes the SET-COOKIE header. Response includes the WWW-AUTHENTICATE header.)
Processing time: 94 MIME type:

I've tried re-publishing the rule, doing various link translations; the Path is set to /* to include everything after the host header. Tried using different listeners/recreating the listener. We've even built TMG with a 2-NIC setup to match as closely as possible the current ISA 2006 setup. Always the same behavior. ISA works fine, TMG behaves as outlined above.

I think I've run out of things to check; I've probably combed through every setting on each server and made sure they're identical.

Hopefully someone has seen/experienced this and has some things I can try. Let me know if I need to supply more information about our environment/config.

Many thanks!

Tom

TMG 2010 OWA Public/Private Computer browser setting

Hi,

We have a TMG 2010 array that is used for Outlook Web Access and ActiveSync.

We changed the OWA web form (picture, warning, etc.).

But now the "this is a private computer" setting is not saved anymore (in the browser).

So the login credentials are not saved anymore and users complain about it.

Where can this be configured/set? Is this a cookie setting in TMG?

And do you have to reboot the servers or is a restart of the firewall services enough?

Thanks!

owa/companyweb not working with ISA 2004

Hello

We have a client who has SBS 2003 with ISA 2004.

OWA and Companyweb were published and were working correctly both internally and externally until yesterday.

Now:

1. When OWA is accessed externally, after some time a "page cannot be displayed" message is generated. If tried internally (using the FQDN), an ISA proxy timeout error appears. But if we use the server name or localhost, OWA can be accessed without any issues. Apart from OWA, all other aspects of Exchange are working.

2. When a user tries to access the companyweb, an authentication prompt appears asking the user to authenticate, but it never gets authenticated and at the end a "not authorized" web page is displayed.

We would really appreciate it if someone could point us in the correct direction in order to further troubleshoot and rectify these issues.

Thanks

Dhanushka

TMG To Remote Site With An ASUS RT-N65R

Hey Guys,

I just took over from old IT staff, and basically they have 2 out of the 300 sites using these Asus RT-N65R routers. They're actually pretty good, so I hate to get rid of them. I want to go ahead and make them site-to-site, but I've only done this with TMG appliances along with IPsec and Cisco routers. Any thoughts on PPTP and L2TP?