Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

I have no internet


Gentlemen, I have a TMG server connected to the gateway, but it only gives access to some machines and not to others. What should I do so that all of them work again?

The server is inside the console and it is a virtual machine inside the domain machine.

I would appreciate your help.


10 second delay when loading webpages


Hi All, thanks in advance for reading.

I'm in the process of moving our web users off our old ISA 2006 perimeter firewall and onto our TMG 2010 firewall. I am facing an issue where connection attempts to some websites (not just the first time the web is used) have a 10 second delay before they connect.

We have a fairly standard multihomed setup.  I've been through the network adapter best practices and amended the binding order to make sure the internal network is highest, but to no avail.  I've also made sure that I only have a DNS server against the internal adapter and the DNS server specified can correctly resolve external DNS entries.

I am using IE9 for this, with the proxy defined by hostname and the "automatically detect scripts" checkbox unchecked.  For testing, I've created a rule which allows my computer out without any authentication and removed the proxy settings in my IE.  This results in a bit quicker access, but still not instantaneous.  Does this maybe rule out the web proxy?

Forgot to mention, TMG version is 7.0.9193.500.

Any ideas?

Client Certificate with TMG 2010


We have a website that we want to publish using TMG 2010 SP2 RU1.

We would like to use FBA, protected by a certificate. The goal is that users can only access the FBA when they have a correct client certificate. After that, LDAP authentication is used. To be clear: it is not the intention to use the client certificate to authenticate the user to AD.

To accomplish this I have done the following:

- Working installation of TMG, not domain joined

- Installed an Enterprise Sub CA which deploys user certificates to users.

- Deployed a user certificate to the user with which I am trying to access the webpage.

- Installed the Root and Sub CA certificates on the TMG server, so it will trust the client certificates.

- Created a HTTP location for CRL which is accessible for the TMG servers

- The TMG listener is configured with: Require SSL client certificate

When I access the site, I get an error:

"Error Code: 403 Forbidden. The page requires a client certificate as part of the authentication process. If you are using a smart card, you will need to insert your smart card to select an appropriate certificate. Otherwise, contact your server administrator. (12213)"

The following error is logged in TMG: "12313 The page requires a client certificate as part of the authentication process. If you are using a smart card, you will need to insert your smart card to select an appropriate certificate. Otherwise, contact your server administrator"

As far as I understand, IE should come up with a popup to select the user certificate to authenticate with. But it does not.

To fix the problem I used this URL:

http://blogs.technet.com/b/isablog/archive/2013/03/06/clients-are-not-prompted-to-choose-a-certificate-when-authenticating-to-isa-tmg.aspx : I added the regkey, but no effect.

I also followed the next post, but without luck. I have the same scenario as in this thread:

http://social.technet.microsoft.com/Forums/forefront/en-US/1dfe9c23-778f-40a4-92c3-cc1d5446681b/problem-using-client-ssl-certificate

Any help would be much appreciated.

Clickjacking vulnerability OWA

Clients accessing WSUS NLB generates multiple Denied Connection actions


I'm having an issue with our TMG cluster. After I implemented a WSUS (multicast) NLB cluster, I've noticed that every time a client contacts the WSUS NLB virtual IP 10.0.0.40, the TMG logs are flooded by 15-30 denied connection exceptions. There seems to be no problem from the clients' perspective; however, this is causing the maximum denied connection limit to be reached and I've had to disable flood mitigation.

It's just Internal > Internal traffic, so I don't think I need a publishing rule? Can anyone suggest a solution?

Denied Connection TMG3 7/6/2013 9:17:59 PM
Log type: Firewall service
Status: An ingoing packet was dropped because its destination address does not exist on the system, and no appropriate forwarding interface exists.
Rule: None - see Result Code
Source: Internal (10.0.0.31:51643)
Destination: Internal (10.0.0.40:8531)
Protocol: WSUS Server

Additional information
  • Number of bytes sent: Number of bytes received: 0
  • Processing time: 0ms
  • Original Client IP: 10.0.0.31



nslookup on TMG server - Default Server: UnKnown


Hello,

Recently we started having problems on our TMG server. After looking a bit into it, I've found out that somehow DNS stops responding for TMG and only restores after a TMG server reboot.

This happens a few times a week at various hours, but mostly at night.

When the problem occurs, if I try to use nslookup on the TMG server, this is what I see:

C:\Users\Administrator>nslookup
Default Server:  UnKnown
Address:  10.1.1.7

The IP address is correct, but the hostname for some reason is UnKnown. I've read that this can be caused by incorrect reverse DNS configuration, but this is not the case, as after a server restart it works fine and it worked without problems at all until recently. Also, DNS responds fine on our other computers, so this must be an issue on the TMG server.

I can ping the DNS hostname and IP, and I can also telnet to port 53 of the DNS server successfully from the TMG server.

Our adapter configuration looks like this:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : tmg
   Primary Dns Suffix  . . . . . . . : domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.com

PPP adapter RAS (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : RAS (Dial In) Interface
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.33.0.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter LAN:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.1.253(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.1.1.7
                                       10.1.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Inet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : yy-yy-yy-yy-yy-yy
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : xxx.xxx.xx.xx(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   IPv4 Address. . . . . . . . . . . : xxx.xxx.xx.xx(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   IPv4 Address. . . . . . . . . . . : xxx.xxx.xx.xx(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   IPv4 Address. . . . . . . . . . . : xxx.xxx.xx.xx(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   IPv4 Address. . . . . . . . . . . : xxx.xxx.xx.xx(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   IPv4 Address. . . . . . . . . . . : xxx.xxx.xx.xx(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   IPv4 Address. . . . . . . . . . . : xxx.xxx.xx.xx(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   Default Gateway . . . . . . . . . : xxx.xxx.xx.xx
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\Administrator>

TMG pre-authentication for SharePoint site against multiple AD domains in trust relationship


Hi All,

We have deployed TMG in our client's environment for publishing their in-house SharePoint application on the internet.

There are two domains in their environment, say DOMAIN1 and DOMAIN2; both domains are in a bidirectional trust relationship. The SharePoint application is hosted in DOMAIN1.

We have deployed TMG with a single network adapter topology with the NO AUTHENTICATION configuration at the web listener, so the authentication was handled at the SharePoint level. With this configuration, all the users from DOMAIN1 and DOMAIN2 were able to access the SharePoint site on the internet.

Now, client wants to setup pre-authentication at TMG, so that authentication can be done at TMG level.

For this, we have modified the publishing rule configurations as:

  1. In the web listener Authentication tab, changed the authentication mechanism from NO AUTHENTICATION to HTML FORM AUTHENTICATION with LDAP.
  2. In validate LDAP configurations, created the two LDAP SETS for the two domains.
  3. In the AUTHENTICATION DELEGATION tab, delegate the authentication with NTLM authentication.

The problem is that after the pre-authentication configuration, the users from DOMAIN1 (on which the application is hosted) are able to log in to the SharePoint site on the internet and the username is visible in TMG live logging, but the users from DOMAIN2 are unable to log in to the site, getting access denied red colored logs in TMG live logging, and the username is displayed as anonymous user.

I am wondering why the users from DOMAIN2 are unable to log in with the pre-authentication configuration when they were able to log in with the NO AUTHENTICATION configuration.
Can anybody help me in identifying the issue? Or please tell me if there is any limitation at the TMG level that prevents it from authenticating users from the trusted domains of the host domain (on which the application is hosted).

Quick response will be really helpful.

Thanks,

Sanjog

Forefront TMG 2010 problem l2tp/ipsec(pre-shared key)


Hi technet.

I have a problem and would like to ask your help.
In my company, Microsoft TMG 2010 Server is used for VPN connections with remote sites. In our company we also use D-Link DFL-210 and D-Link DFL-260E to connect these remote sites to HQ (TMG 2010). Most remote sites have a public IP address and are connected using an IPsec tunnel. At the same time, some sites don't have a public IP address and are connected using PPTP. Taking into consideration the fact that PPTP is not secure, we'd like to use L2TP/IPsec instead. Unfortunately, we are facing a problem while configuring the DFL-210 or DFL-260E to connect to TMG using L2TP/IPsec. The IPsec connection in transport mode can't be established in Phase II. I see the following problem in the terminal of the D-Link DFL-210:

2012-09-07 13:10:01: IkeSnoop: Received IKE packet from [ip.addrees of TMG Server]
Exchange type  : Informational
ISAKMP Version : 1.0
Flags          : E (encryption)
Cookies        : 0x1f5af242f7c5bc7c -> 0xbcfb8f851f979637
Message ID     : 0xe30a85d9
Packet length  : 68 bytes
# payloads     : 2
Payloads:
  HASH (Hash)
    Payload data length : 20 bytes
  N (Notification)
    Payload data length : 12 bytes
    Protocol ID  : ESP
    Notification : Invalid ID information

Specialists from D-Link told me the problem occurred because TMG works without following the RFC standards. Please let me know if this is so and what I can do to resolve this issue.

Thanks in advance.



TMG + RODC or only TMG in DMZ

Hello,

I have a DMZ where we plan to install TMG Standard (one adapter). In this DMZ we also have the Exchange 2010 Edge role. The main use is going to be that the TMG will be publishing the OWA.

Now I doubt which is better or more recommended:

1.- Install the TMG in the DMZ and open ports to the internal network for communication with the DCs (RW) of the internal network, as with the HUB/CAS Exchange 2010.

or

2.- In addition to the TMG, also install an RODC in the DMZ, which validates the TMG, and the TMG only communicates with the HUB/CAS in the internal network.

Which do you think is the best solution or the best architecture? What things should I consider? I have never installed an RODC and do not know what the best architecture is or the possible problems that it might cause me.

Thank you very much!

No Available Ports TMG 2010 Error !


Hello, I am getting a "No Available Ports" error on our TMG 2010 Server.

I checked the Event Log: The Web Proxy filter failed to create a network socket because there are no available ports on this computer. Forefront TMG already reset the maximal port number to 65535. Make sure this is the value at HKLM\System\CurrentControlSet\Services\TcpIp\Parameters\MaxUsePort and restart the computer to apply this change.

I checked the registry settings and it's already set to use the maximum, i.e. 65535.

Can someone help me with this?

Thanks.

Allowing access to Comodo downloads


Hi,

I am trying to create a rule allowing the Comodo Endpoint Security Manager to access http://downloads.comodo.com and http://download.comodo.com, but nothing helps.

I have checked the availability of the site using a computer outside the TMG internal net and it works.

I have discovered that if I uncheck the "web filter" from the HTTP protocol it helps, so I created a new protocol the same as HTTP but without the filter and created an access rule only for the above URLs to allow access using the customized protocol, and it does not work.

10x,

udi

Removing TMG 2010 ?


Hi all,

I'm trying to remove TMG 2010 to use a Juniper device instead, but I'm facing an issue.

The Juniper works OK, i.e. if I take a laptop and connect it to the Juniper, it has full internet access.

Now, if I try to switch my computer from the TMG gateway to the Juniper gateway, I can ping, I can surf, but I can't get Outlook to work.

After further investigation, it seems that every HTTPS request does not work. Trying to browse https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml using the Juniper does not work on my computer (but it works with a laptop not connected to the AD).

I know TMG can do some HTTPS inspection, so I suspect something here. The TMG Client is removed on my computer. I cannot find any article about properly removing TMG from an AD?

Any help?

Thanks,


TMG 2010 and Java 7 update 25


Our company uses an external website for printing barcodes and other various tasks for their manufacturing process.

All of the internal staff connect to a terminal server farm and access the website through there. The request goes through our TMG 2010 servers using integrated authentication.

We recently updated Java to version 7 update 25. Once we did that, we started experiencing various Java-related headaches with multiple security popups, and the most concerning one is account lockouts when performing certain functions on the website.

We believe we traced it back to Java 7 being the problem and downgraded to Java 6 to work around the problem. We found numerous articles online about certain versions of Java 7 having integrated Windows authentication problems with proxy servers, but they seem to say these were fixed with u25. Either way, backing out to Java 6 fixes it.

Has anyone else seen problems similar to this, and do you have any suggestions on how to resolve it?

Skydrive website Drag&Drop slow with proxy script


Hi,

Hope someone can help me with the following:

I have a customer that is interested in using SkyDrive. When trying to upload a file using the SkyDrive webpage, the browser / computer freezes for seconds / minutes and finally starts the upload.

We found that this happens when using a proxy script (PAC file) for accessing the internet through a proxy server. If I specify the proxy server instead of using the proxy script, the upload is almost immediate.

Does anyone know if SkyDrive is allergic to a proxy script file for accessing the internet, and if anything can be changed to overcome this problem?

Not using the proxy script and/or using the SkyDrive app is not an option.

Regards,

Jorge


TMG 2010 Web-Proxy Slow Browsing


When I open any web site, it only opens after 1 minute; I do not know why.
1)  Domain DC: Windows Server 2008 R2
2)  ADC: Windows Server 2008 R2 + TMG 2010


Ehtisham Iftikhar

TMG 2010 on Hyper-V 2012 Supported


Is TMG 2010 supported on a Windows Server 2012 Hyper-V host?

The guest VM would of course be WS2008R2, since I already saw that TMG 2010 is not supported on WS2012.

Are there any issues with this configuration?

Eduardo Rojas

Log type: Web Proxy (Forward)


I have published a website via TMG 2010 SP2 installed on Windows 2008 R2 Standard.
The website works fine and I can see most of the pictures.
There is only one picture coming up with an x sign and "pic" written on the site.
I traced it on TMG and am getting the error below:

Failed Connection Attempt TMG01 7/11/2013 4:14:37 PM
Log type: Web Proxy (Forward)
Status: 10061 No connection could be made because the target machine actively refused it.
Rule: Allow Web Access for All Users
Source: Internal (10.15.16.172:57330)
Destination: External (122.56.22.2:80)
Request: GET http://web.com/images/thumbs/0000363.jpg
Filter information: Req ID: 13ad0312; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: GROUP\diM

Additional information
Client agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x100 (Request includes the CACHE-CONTROL: MAX-AGE, or CACHE-CONTROL: MAX-STALE, or CACHE-CONTROL: MIN-FRESH header.)
Processing time: 3026
MIME type: image/jpeg


Muhammad Mehdi

CA Root Certificate not valid


Hello,

We're setting up a backup machine for my ISA TMG server that can be used in case of problems with the primary machine. In the past we set up a Microsoft Enterprise CA and, since all servers are joined to the domain (Windows 2003 servers), the root CA certificate appears automatically in all servers' Trusted Root Certification Authorities folder. I'm using some certificates on my ISA server, for example to enable SSL access to OWA on Exchange, so a properly installed and operational CA root certificate is important.

Now on my backup ISA machine it tells me, for some strange reason, that there is a problem with the CA root certificate: "The integrity of this certificate cannot be guaranteed." All other servers in the domain don't have this problem.

I've copied the certificate manually from the primary machine to the backup machine, but still the same problem.

Could it be that ISA is blocking certificate validity checks with the Enterprise CA, and therefore cannot check the integrity of the certificate?

How can I troubleshoot this issue?

Thanks for your help.

Regards,

Joeri Michiels

Van Dijk Information Consultants


JM

Forefront TMG Server - Cache: Current Cache Fetches Average Ms Per Request error


Hi,

I have a new TMG installation and I'm receiving the following SCOM alert very often:

Alert: Forefront TMG Server - Cache: Current Cache Fetches Average Ms Per Request error

Source: Caching - TMG1

Path: TMG1.dominio.com

Last modified by: System

Last modified time: 6/15/2012 9:44:28 AM Alert description: 404.6404296875

Alert view link: "http://SCOM/OperationsManager?DisplayMode=Pivot&AlertID=%7b0e3079e3-d246-4a49-a147-f7f06f27c39d%7d"

Notification subscription ID generating this message: {E376809C-1480-289B-CFFF-15F8DB980B8A}

TMG 2010 Version: 7.0.9027.400

TMG Role: Proxy/Firewall

Windows OS: Windows Server 2008 R2 SP1 Enterprise

Hardware: ProLiant BL460c

Memory: 8GB

Processor: 2 x Quad-Core Intel Xeon, 2500 MHz

HD1: 60GB (a LUN in the SAN) OS and TMG

HD2: 136 GB (local disk RAID 1) Cache size: 20Gb

What is the problem, and how can I fix it?

thanks


LFF
