Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

Skydrive website Drag&Drop slow with proxy script


Hi,

Hope someone can help me with the following:

I have a customer that is interested in using SkyDrive. When trying to upload a file using the SkyDrive web page, the browser / computer freezes for seconds / minutes and finally starts the upload.

We found that this happens when using a proxy script (PAC file) for accessing the internet through a proxy server. If I specify the proxy server instead of using the proxy script, the upload is almost immediate.

Does anyone know if SkyDrive is allergic to a proxy script file for accessing the internet, and if anything can be changed to overcome this problem?

Not using the proxy script and/or using the skydrive app is not an option.

Regards,

Jorge


ISA Server 2006 authentication randomly prompts due to RPC server unavailable


1.

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5719
Date:  6/21/2013
Time:  6:59:24 AM
User:  N/A
Computer: Servername
Description:
This computer was not able to set up a secure session with a domain controller in domain example_sample due to the following:
The RPC server is unavailable. 
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. 

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 17 00 02 c0               ...À   

2.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1053
Date:  6/21/2013
Time:  7:19:26 AM
User:  NT AUTHORITY\SYSTEM
Computer: Servername
Description:
Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Dear All

I'm having an authentication issue on ISA Server 2006 SP1, which is running on Windows Server 2003 STD R2 SP2 with 1 G Ethernet (HP NC373i Multifunction Gigabit Server Adapter) connected to a Cisco Gigabyte Switch.

I have already tried many ways to solve this based on the Microsoft technical forum as well as other technical forums, but it couldn't help me. Now I'm running out of ideas on how to solve this, since this issue has been occurring for more than a month and is disturbing our ASEAN Region users every day. Finally I called the Microsoft Professional team to assist me, but they are also taking a long time (almost 2 weeks until now) to solve this issue and the problem still persists. Now I really need your professional advice.

If you need further information or something clarified, please do not hesitate to contact me.

Best Regards

TZ

Connection with SQL Server Management Studio through ISA 2004


I opened up TCP Port 1433 in ISA, but I still receive the following message when I try to connect to my outside SQL Server Database with SQL Server Management Studio.

Status: A packet generated on the local host was rejected because its source IP address is assigned to one network adapter and its destination IP address is reachable through another network adapter

Any ideas?


Custom deny message - unable to hit the rule


Hi All,

I have a situation where OWA is published via TMG (SP3). TMG is running in single NIC mode. The OWA rule is set to pre-authentication and lets in only users from certain groups. All works fine; however, when there is a request from a user who doesn't have access, it falls to the "Last Default Rule" and returns the standard TMG deny message to his/her browser. In TMG I see this:

Denied Connection TMG01 18.6.2013 14:11:36 
Log type: Web Proxy (Reverse) 
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).  
Rule: Default rule 
Source: Internal (85.195.185.83:27614) 
Destination: Local Host (132.87.49.78:443) 
Request: GET http://webmail.anonymous.com/owa/ 
Filter information: Req ID: 104c0fac; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=no, logged off=no, client type=public, user activity=yes 
Protocol: https 
User: Internal\user.user 
 Additional information 
Client agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 MIME type: 
 

The customer requested a custom deny message to be returned to the user. I created a new deny access rule "OWA custom message" and placed it at the bottom. The rule has the following parameters:

Action: Deny Advanced - Display denial notification to user : Custom message

Protocols: HTTP, HTTPS

From: Internal (as it is single NIC)

To: webmail.anonymous.com (Domain name set) also tried http://webmail.anonymous.com/owa*, https://webmail.anonymous.com/owa* (URL set)

Users: All Users

This, however, never hits the rule and always falls to the Last Default Rule. What am I doing wrong?

Thanks



How to Test UDP ldap port is working in ISA 2004


Dear All,

I was testing ports from my DC using PORTQUERY; it displays that the LDAP query to port 389 failed.

My DC's gateway is ISA Server 2004. I have created an access rule allowing UDP; netstat does not show UDP port 389,

which is causing replication failure. The Windows 2008 R2 firewall is OK. Is there anything else to verify for UDP port 389?

God blessings...

RaSa



How to install 2nd Forefront TMG on my Domain!


How do I install a second Forefront TMG server on our domain? I have made a server ready and named it "SRVTMG2", and would like to have it as our second TMG server and apply different policies on it, so when users want to switch to TMG2 they just change it in the TMG Client on their computer and that's it. Is this the right way? And how do I install and configure it? Please can you help me?


Thanks so much


MR

How to allow ping from External To Internal


Hello,

I've allowed the ICMP protocol to all networks. Internal can ping External and Perimeters.
Perimeters can ping External and Internal, but External cannot ping Internal and Perimeters. What can I do to resolve this problem?

Thanks.

YouTube shows only a black screen / does not play clips for non-admin users - domain is filtered through TMG


Can anyone help?

YouTube shows only a black screen / does not play clips for non-admin users - domain is filtered through TMG.
All PCs have Windows XP SP3 and an updated Flash Player, but it's not possible to make it work.


MR


TMG 2010 - reports


Hi,

How can I get a user activity report in Excel format?

and,

Is it possible to get website reports like this:

www.google.com

www.Youtube.com

www.microsoft.com

and not like this:

www.google.com

xpto.Youtube.com

www.microsoft.com

ccc.Youtube.com

abc.Youtube.com

vfhsdgsdugw.Youtube.com

iuyqoeywqeoywqe.Youtube.com

To join all the accesses to the same domain.

Are there better free reporting tools for TMG?

Regards,

Paulo

OWA behind ISA works but Active sync give error - An HTTP 403 error

Hi, I have a LAN with an Exchange Server 2007, ISA Server and several other servers & clients.


ISA has two NICs; the first NIC is connected to external broadband with multiple static IP addresses and the second NIC to the internal LAN where Exchange, the DC and the rest of the servers/clients are connected.

So far, from ISA I have published OWA with SSL (www.instantssl.com). Users from outside type https://mail.mycompany.com, where they are prompted with the Outlook Web Access form. They can successfully log on with their domain username & passwd to send/receive emails.

Now I am trying to set up Exchange ActiveSync so that users can use their phones to set up the email. This is what I did:

Created another rule to publish exchange
- selected Exchange 2007
- ticked on Exchange Activesync
- entered myexchange1.mycompany.com
- selected Accept requests for "This domain name" - and typed mail.mycompany.com
- created new web listener - selected External networks with diff ip than the one used with OWA weblistener - used 443 as port - selected certificate as mail.mycompany.com - selected Basic Authentication
- selected the above web listener
- Added All Users



Now from my iPhone, if I set it up as
email: user1@mycompany.com
server: mail.mycompany.com
domain: mydomain
username: user1
password: ********
use ssl: ticked

When I access the mail app, it gives this error:

Exchange Account
Unable to verify account information.

ISA logging shows the following:
Action: Denied Connection
Rule: Default rule
Source Port: 52291
Dest Port: 443
Result Code: 0xc004000d FWX_E_POLICY_RULES_DENIED
Log Record Type: Firewall

From a PC at my home, if I type

https://myexchange1.mycompany.com/Microsoft-Server-ActiveSync a "Server not found" page displays
https://mail.mycompany.com/Microsoft-Server-ActiveSync it redirects the page to the Outlook Web Access form


From a PC in the LAN, if I type this in the browser
https://myexchange1.mycompany.com/Microsoft-Server-ActiveSync
I get a login username and password box. Once I type a correct username and password I get just a blank page with no errors.

Also, within the LAN I can successfully access email using
https://myexchange1.mycompany.com/owa/
or
https://mail.mycompany.com

What could be the problem?

 

I tried this website to test ActiveSync:
https://www.testexchangeconnectivity.com

and this is what I got:

Testing HTTP Authentication Methods for URL https://mail.mycompany.com/Microsoft-Server-Activesync/.
The HTTP authentication test failed.
Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL.

Help will be much appreciated. Thank you.

A specific question regarding the ports needed for a DMZ machine to log in to a Domain Controller.

Hello,

First, my scenario: ISA Server 2006, Windows 2008 Enterprise as the DCs, and Windows 2008 as the machine in the DMZ trying to log in to the DCs.

I have been reading this article: http://www.isaserver.org/articles-tutorials/articles/2004perimeterdomain.html

In that article some ports are stated as required: RPC (All interfaces), CIFS TCP 445, DNS, Kerberos-Adm UDP, Kerberos-Sec TCP and UDP, LDAP TCP and UDP, LDAP GC, NTP and Ping.

However, I just created a machine in the DMZ, joined it to the domain and afterwards, when logging into the domain for the second time, I monitored from ISA what was happening in this process of the DMZ machine logging in to the domain. The protocols I see are these:

Kerberos-Sec (TCP) , DNS, LDAP UDP, Ping, Netbios Name Service, CIFS, and RPC (All interfaces).

Kerberos, DNS and LDAP seem obvious, but I don't understand:

1- Why do I need NetBIOS Name Service, CIFS and RPC?
2- Why are there protocols in the article I have just read that my ISA doesn't log?

Thanks a lot in advance!!

Luis Olías, Systems Technician/Administrator. Seville (Spain)


Remotely installing TMG


Hi,

I am trying to set up a lab in the cloud. There are 3 machines. Machine 1 is the DC and I was setting up TMG on Machine 2. During the install of TMG (through RDP), the wizard warned me that it was about to add my private address (I am going through a NAT) to the RDP ALLOWED list. Towards the end of the installation, my RDP connection was cut off.

I cannot RDP again, since TMG sees my public address and, since it is not in the "ALLOWED" list, it simply drops my connection.

Is there any way of installing TMG using RDP? I need to install TMG in the cloud.

Is there any way of getting access to the machine on which TMG is installed :(? This machine is in the domain.

Regards,

Chris

 

Tmg cache settings for specific website or link.


I have installed TMG 2010 and it's working awesome. I want to use the "cache" feature in TMG 2010, but I don't want to cache the entire web site; I just want to cache a specific link, like the "Documentation" link and "Help" links, so my users can use them even when the internet is not available. Is this possible? Can we configure TMG in such a way?


Akshay Pate Server Administrator

Load Balancing TMG 2010


Hi,

I use 2 TMGs with SP2.

No Active Directory, hence no TMG array.

I want to enable Microsoft load balancing on the internal and external networks, but I always get "RPC is not ..." although I have opened the correct ports.

I have managed to establish a load balance cluster on the 1st host on both the internal and external NICs, but had no luck joining the other host.

Any suggestions?

Regards,

Udi

ActiveSync: HTTP 401 response at OPTIONS command


I have an Exchange 2010 CAS at a second datacentre (but part of the main exchange org and domain) and I am trying to publish EAS and OWA from it through TMG. The name that is being published is drwebmail.contoso.com as opposed to the main site which is webmail.contoso.com. The FF TMG server is currently sitting in the DMZ and is not domain joined, and resides on the same server as the Edge Transport role (don't ask - it's not my design).

I have set this up with the same settings as my main site (where OWA and EAS are published through a domain-joined ISA). When I go to ExRCA I get the 401 unauthorised error.


Require client certificate for connection

Hi, I want to publish Outlook Anywhere to users. They authenticate using their AD credentials and it works fine at the moment. I want to limit it so that users can only use OA on specific (company-owned) computers. Is there any way to achieve this using certificates or something else on the client? I want them to still log on using their credentials, but if they don't have the certificate, they can't log on...

The TMG 2010 Firewall service crashes a number of times and does not automatically restart


Just an FYI on a recent article we published. If the TMG Firewall service crashes a number of times within a short time period it does not automatically restart after the 4th crash even though it may appear that it's configured to do so. You can get all the details about why this happens here:

http://blogs.technet.com/b/isablog/archive/2013/06/10/tmg-service-recovery-actions.aspx

J.C. Hornbeck| Knowledge Engineer | Microsoft GBS Management and Security Division


firewall


Hi,

I have a new install of ISA Server 2006 on Windows Server 2003. My problem is with the firewall service: it stops automatically. How do I solve it?

Please help me step by step.

Thanks.

Downloading Adobe Flash terminates at 47% and TMG gives a non-SYN packet error message


None of our users are able to download Adobe Flash Player 11, as the download process terminates at 47% completion and on TMG we see the following error message:

Denied Connection CAR-WEBPROXY 6/13/2013 9:39:33 AM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer.
Rule: None - see Result Code
Source: Internal (10.46.18.189:64989)
Destination: Local Host (10.46.16.94:8080)
Protocol: HTTP Proxy
Additional information
  • Number of bytes sent: 0
  • Number of bytes received: 0
  • Processing time: 0ms
  • Original Client IP: 10.46.18.189

I am running Forefront Threat Management Gateway Version: 7.0.7734.100 on Windows 2008 R2 x64 Server.

This is not the only situation when a non-SYN error message occurs.

Any help will be appreciated.

This invariably follows a "Close Connection" action by TMG such as:

Closed Connection CAR-WEBPROXY 6/13/2013 11:16:39 AM
Log type: Firewall service
Status: A connection was abortively closed after one of the peers sent an RST packet.
Source: Internal (10.46.18.189:51280)
Destination: Local Host (10.46.16.94:8080)
Protocol: HTTP Proxy
Additional information
  • Number of bytes sent: 20670
  • Number of bytes received: 572099
  • Processing time: 18003ms
  • Original Client IP: 10.46.18.189

Outbound RDP traffic denied


Hello people,

TMG is not allowing my workstation to access computers on external networks using RDP.

I have created a rule allowing the RDP protocol from my workstation to the external network, but it seems useless.

When checking the logs, I see that the default rule is blocking me, even though the access rule is enabled.

Note that when bypassing TMG, I can access computers with RDP.

The TMG client is installed on my workstation.
