Señores tengo un servidor tmg conectado con la gateway pero el solo le da a unos equipos y a otros no, como debo hacer para vuelvan a funcionar todos.
el servidor esta dentro de la consola y es un equipo virtual dentro del equipo de dominio.
agradezco me colaboren
Hi All, thanks in advance for reading.
I'm in the process of moving our web users off our old ISA 2006 perimeter firewall and onto our TMG 2010 firewall. I am facing an issue where connection attempts to some websites (not just the first time web is used) have a 10 second delay before they
connect.
We have a fairly standard multihomed setup. I've been through the network adapter best practices and amended the binding order to make sure the internal network is highest, but to no avail. I've also made sure that I only have a DNS server against
the internal adapter and the DNS server specified can correctly resolve external DNS entries.
I am using IE9 for this, with the proxy defined by hostname and the "automatically detect scripts" checkbox unchecked. For testing, I've created a rule which allows my computer out without any authentication and removed the proxy settings in
my IE. This results in a bit quicker access, but still not instantaneous. Does this maybe rule out the web proxy?
Forgot to mention, TMG version is 7.0.9193.500.
Any ideas?
We have a website that we want to publish using TMG 2010 SP2 RU1
We would like to use FBA, protected by a certificate. Goal is that only have users access the FBA when they have a correct ClientCertificate. After that, LDAP authentication is used. To be clear: It is not the intention to use the client certificate to authenticate the user to AD.
To accomplish this I have done the following:
- Working installation of TMG, not domain joined
- installed a Enterprise Sub CA which deployes UserCertificates to users.
- Deployed a user certificate to the user with which I am trying access the webpage
- Installed the ROOT and SubCa certificates on the TMG server, so it will trust the client certificates
- Created a HTTP location for CRL which is accessible for the TMG servers
- The TMG listener is configured with: Require SSL client certificate
When I access the site, I get an error:
"Error Code: 403 Forbidden. The page requires a client certificate as part of the authentication process. If you are using a smart card, you will need to insert your smart card to select an appropriate certificate. Otherwise, contact your server administrator. (12213) .
The following error is logged in TMG: "12313 The page requires a client certificate as part of the authentication
process. If you are using a smart card, you will need to insert your smart card
to select an appropriate certificate. Otherwise, contact your server
administrator"
As far as I understand IE should come up with a popup to select the usercertificate to authenticate with. But it does not.
To fix the problem I used this URL:
http://blogs.technet.com/b/isablog/archive/2013/03/06/clients-are-not-prompted-to-choose-a-certificate-when-authenticating-to-isa-tmg.aspx : I added the regkey, but no effect.
I also following the next post, but without luck. I have the same scenario as in this thread:
An help would be much appreciated.
I have found that my OWA has the clickjacking vulnerability, My Exchange is 2010 and i have the TMG 2010 configured so OWA is available to my users from the web.
I applied the solution http://tmgblog.richardhicks.com/2009/03/27/using-the-isa-http-filter-to-modify-via-headers-and-prevent-information-disclosure/
but it did not work. It would help if Microsoft would acknowledge this issue and design a fix that can be applied easily.
Im having an issue with our tmg cluster after I Implemented a WSUS (multicast) NLB cluster ive noticed that every time a client contacts the WSUS NLB virtual IP 10.0.0.40 the TMG logs are flooded by 15-30 denied connection exceptions. There seems to be no problem from the clients perspective however this is causing the maximum denied connection limit to be reached and ive had to disable flood mitigation.
Its just internal > Internal traffic so I don't think I need a publishing rule ? Can anyone suggest a solution ?
| Denied Connection | TMG3 7/6/2013 9:17:59 PM |
|---|---|
| Log type:Firewall service | |
| Status: An ingoing packet was dropped because its destination address does not exist on the system, and no appropriate forwarding interface exists. | |
| Rule:None - see Result Code | |
| Source:Internal (10.0.0.31:51643) | |
| Destination:Internal (10.0.0.40:8531) | |
| Protocol:WSUS Server | |
| |
Hello,
recently we started having problems on our TMG server. After looking a bit into it I've found out that somehow DNS stops responding for TMG and only restores after TMG server reboot.
This happens few times in a week on various hours, but mostly at night.
When problem occurs if I try to use nslookup on TMG server, this is what I see:
C:\Users\Administrator>nslookup
Default Server: UnKnown
Address: 10.1.1.7
IP address is correct, but the hostname for some reason is UnKnown. I've read that this can be caused incorrect reverse DNS configuration, but this is not the case as after server restart it works fine and it worked without problems at all until recently. Also DNS responds fine on our other computers, so this must be issue on TMG server.
I can ping DNS hostname and IP, I can also telnet to 53 port of DN server successfully from TMG server.
our adapter configuration looks like this:
Windows IP Configuration
Host Name . . . . . . . . . . . . : tmg
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com
PPP adapter RAS (Dial In) Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : RAS (Dial In) Interface
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.33.0.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter LAN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #
2
Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.1.1.253(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.1.1.7
10.1.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Inet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : yy-yy-yy-yy-yy-yy
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : xxx.xxx.xx.xx(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.240
IPv4 Address. . . . . . . . . . . : xxx.xxx.xx.xx(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.240
IPv4 Address. . . . . . . . . . . : xxx.xxx.xx.xx(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.240
IPv4 Address. . . . . . . . . . . : xxx.xxx.xx.xx(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.240
IPv4 Address. . . . . . . . . . . : xxx.xxx.xx.xx(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.240
IPv4 Address. . . . . . . . . . . : xxx.xxx.xx.xx(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.240
IPv4 Address. . . . . . . . . . . : xxx.xxx.xx.xx(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : xxx.xxx.xx.xx
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\Users\Administrator>
Hi All,
we have deployed TMG in our client environment for publishing their in-house SharePoint application on internet.
There are two domains in their environment say DOMAIN1 and DOMAIN2, both the domains are in bidirectional trust relationship. the SharePoint application is hosted in DOMAIN1.
We have deployed TMG with single network adapter topology with NO AUTHENTICATIONconfiguration at the web listener, so the authentication was handled at the SharePoint level. With this configuration, all the users from DOMAIN1 and DOMAIN2 were able to access the SharePoint site on internet.
Now, client wants to setup pre-authentication at TMG, so that authentication can be done at TMG level.
For this, we have modified the publishing rule configurations as:
The problem is that after the pre-authentication configurations, the users from DOMAIN1 (on which the application is hosted) are able to login to the SharePoint site on internet and the username is visible in TMG live logging, but the users from DOMAIN2
are unable to login to the site, getting access denied red colored logs in TMG live logging,and the username is getting displayed asanonymous user.
I am wondering why the users from DOMAIN2 are unable to login with pre-authentication configuration when they were able to login withNO AUTHENTICATION configurations.
Can anybody help me in identifying the issue for this? or please tell me if there is any limitation at TMG level to not to authenticate the users from the trusted domains of the host domain (on which the application is hosted)
Quick response will be really helpful.
Thanks,
Sanjog
Hi technet.
I have a problem and would like to ask your help.
In my company Microsoft TMG 2010 Server is used for VPN connections with remote sites. In our company we also use d-link dfl-210 and d-link
dfl-260e to connect this remote sites to HQ (TMG 2010). Most of remote sites have public ip address and they are connected using ipsec tunnel. At the same time some sites don't have public ip address and they are connected using PPTP. Taking into consideration
the fact that PPTP is not secure We'd like to use L2TP/IPSec instead. Unfortunately we are facing problem while configuring dfl-210 or dfl-260e to connect to TMG using L2TP/IPSec. IPSec connection in transport mode can't be established on the Phase II. I see
the following problem in terminal of d-link dfl-210:
2012-09-07 13:10:01: IkeSnoop: Received IKE packet from [ip.addrees of TMG Server]
Exchange type : Informational
ISAKMP Version : 1.0
Flags : E (encryption)
Cookies : 0x1f5af242f7c5bc7c -> 0xbcfb8f851f979637
Message ID : 0xe30a85d9
Packet length : 68 bytes
# payloads : 2
Payloads:
HASH (Hash)
Payload data length : 20 bytes
N (Notification)
Payload data length : 12 bytes
Protocol ID : ESP
Notification : Invalid ID information
Specialists from d-link said me the problem was occured because TMG works without the use of standarts RFC. Please let me know if it so and what can I do to resolve this issue.
Thanks in advance.
Hello I am getting "No Available Ports" Error on our TMG 2010 Server.
I checked the Event Log: The Web Proxy filter failed to create a network socket because there are no available ports on this computer. Forefront TMG already reset the maximal port number to 65535. Make sure this is the value at HKLM\System\CurrentControlSet\Services\TcpIp\Parameters\MaxUsePort and restart the computer to apply this change.
I checked the registry settings and its already set to use Maximum i.e. 65535.
Can some one help me in this.
Thanks.
hi,
i am trying to create a rule allowing the comodo endpoint security manager to access http://downloads.comodo.com and http://download.comodo.com but nothing helps.
i have checked the availability of the site using a computer outside the tmg internal net and it works.
i have discovered that if i uncheck the "web filter" from the HTTP protocol it helps so i have created a new protocol the same as HTTP but without the filter and i have created an access rule only for the above url's to allow access using the customized protocol and it does not work
10x,
udi
Hi all,
I'm trying to remove TMG2010 to use a Juniper device instead, but I'm facing an issue.
The Juniper works ok, ie if I take a laptop and connected it to hte Juniper, it has full internet access.
Now, if I'm trying to switch my computer from TMG gateway to Juniper gateway, I can ping, I can surf, but I can't have Outlook to work.
After further investigation, it seems that every https request does not work. Trying to browse https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml using Juniper does not work on my computer (but it work with a laptop not connected to the AD).
I know TMG can do some HTTPS inspection, so I suspect something here. TMG Client is removed on my computer. I cannot find any artcile about properly removing TMG from an AD ?
Any help ?
Thanks,
Our company uses an external website for printing barcodes and other various tasks for their manufacturing process.
All of the internal staff connect to a terminal server farm and access the website through there. The request goes through our TMG 2010 servers using integrated authentication.
We recently updated Java to version 7 update 25. Once we did that we have started experiencing various java related headaches with multiple security popups and one that is most concerning being account lockouts when performing certain functions on the website.
We believe we traced it back to Java 7 being the problem and downgraded to Java 6 to workaround the problem. We found numerous articles online about certain versions of Java 7 having integrated windows authentication problems with proxy servers, but they seem to reference them being fixed with u25. Either way, backing out to java 6 fixes it.
Has anyone else seen problems similar to this, and do you have any suggestions on how to resolve it?
Hi,
Hope someone can help me with the following:
I have a customer that is interested in using skydrive. When trying to upload file using the skydrive webpage the browser / computer freezes for seconds / minutes and finally starts the upload.
We found that this happens when using a proxy script (pac file) for accessing the internet through a proxy server. If i specify the proxy server instead of using the proxy script the upload is almost immediate.
Does anyone know if skydrive is allergic to proxy script file for accessing the internet and if anything can be changed to overcome this problem.
Not using the proxy script and/or using the skydrive app is not an option.
Regards,
Jorge
When i open any web site browsing it will be open after 1 minute i do not why.
1) Domain dc Windows server 2008R2
2) ADC Windows server 2008R2 + tmg 2010
Ehtisham Iftikhar
Is TMG 2010 Supported on Windows Server 2012 Hyper-V Host?
The guest VM would be of course WS2008R2 since TMG 2010 I already saw it is not supported on WS2012.
Are there any issues with this configuration?
Eduardo Rojas
I have published website via TMG 2010 Sp2 installed on windows 2008 R2 Standard
The website works fine and I can see most of the the pictures
There is only one picture coming with x sign and pic writte on site
I traced it on TMG and getting below error
Failed Connection Attempt TMG01 7/11/2013 4:14:37 PM
Log type: Web Proxy (Forward)
Status: 10061 No connection could be made because the target machine actively refused it.
Rule: Allow Web Access for All Users
Source: Internal (10.15.16.172:57330)
Destination: External (122.56.22.2:80)
Request: GET http://web.com/images/thumbs/0000363.jpg Filter information: Req ID: 13ad0312; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: GROUP\diM
Additional information
Client agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x100 (Request includes the CACHE-CONTROL: MAX-AGE, or CACHE-CONTROL: MAX-STALE, or CACHE-CONTROL: MIN-FRESH header.)
Processing time: 3026 MIME type: image/jpeg
Muhammad Mehdi
Hello,
We're setting up a backup machine for my ISA TMG server that can be used in case of problems with the primary machine. In the past we've setup a Microsoft Enterprise CA and since alls servers are joind into the domain (Windows 2003 servers) , the root CA certificate appears automatically in all servers' Trusted Root Certificates Authorities folder. I'm using some certificates on my ISA server, for example to enable SSL access to OWA on Exchange, so a properly installed and operational CA root certificate is important.
Now on my backup ISA machine it tells me for some strange reason that there is a problem with the CA root certificate : The integrity of this certificate cannot be guaranteed. All other servers in the domain don't have this problem.
I've copied the certificate manually from the primary machine to the backup machine, but still the same problem.
Could it be that ISA is blocking certificate validity checks with the Enterprise CA, and therefore cannot check the integrity of the certificate ?
How can I troubleshoot this issue ?
Thanks for your help.
Regards,
Joeri Michiels
Van Dijk Information Consultants
JM
Hi,
I have a new TMG installation and I'm reciving the next SCOM alert very often:
Alert: Forefront TMG Server - Cache: Current Cache Fetches Average Ms Per Request error
Source: Caching - TMG1
Path: TMG1.dominio.com
Last modified by: System
Last modified time: 6/15/2012 9:44:28 AM Alert description: 404.6404296875
Alert view link: "http://SCOM/OperationsManager?DisplayMode=Pivot&AlertID=%7b0e3079e3-d246-4a49-a147-f7f06f27c39d%7d"
Notification subscription ID generating this message: {E376809C-1480-289B-CFFF-15F8DB980B8A}
TMG 2010 Version: 7.0.9027.400
TMG Role: Proxy/Firewall
Windows SO: Windows Server 2008 R2 SP1 Enterprise
Hardware: ProLiant BL460c
Memory: 8GB
Procesor: 2 x Quad-Core Intel Xeon, 2500 MHz
HD1 : 60GB (is a LUN in SAN) S.O. and TMG
HD2: 136 GB (local disk RAID 1) Cache size: 20Gb
Wich is the problem? and how can I fix it?
thanks
LFF
Additional information