Channel: Forefront TMG and ISA Server forum

why it is better to use different FQDNs for our internal and external domains


Hi friends,

Is it true to say it is better to use different FQDNs for our internal domain and external domain?

Please tell me some reasons why this is true (especially from a security viewpoint)? If possible, please explain with some simple examples.

(I mean, if we assign test.com for both our internal and external domains, what controls can't we have, and why?)

Thanks a lot.



Log type: Web Proxy (Forward)


I have published a website via TMG 2010 SP2 installed on Windows 2008 R2 Standard.
The website works fine and I can see most of the pictures.
There is only one picture that comes up with an X sign and "pic" written on the site.
I traced it on TMG and am getting the error below:

Failed Connection Attempt TMG01 7/11/2013 4:14:37 PM
Log type: Web Proxy (Forward)
Status: 10061 No connection could be made because the target machine actively refused it. 
Rule: Allow Web Access for All Users
Source: Internal (10.15.16.172:57330)
Destination: External (122.56.22.2:80)
Request: GET http://web.com/images/thumbs/0000363.jpg Filter information: Req ID: 13ad0312; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: GROUP\diM
 Additional information
Client agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x100 (Request includes the CACHE-CONTROL: MAX-AGE, or CACHE-CONTROL: MAX-STALE, or CACHE-CONTROL: MIN-FRESH header.)
Processing time: 3026 MIME type: image/jpeg


Muhammad Mehdi

TMG Refresh failed 0x8007003a


Hi,

I'm having a problem opening TMG 2010; I get this error.

This happens when opening or clicking within TMG.

I have rebooted the server still no difference.

Which product replaces TMG functionality?


Hi,

I have several customers that wanted to deploy TMG Server as a web proxy/firewall back-end, but we all know that TMG is dying. Which product offers exactly the same functionality?


Cristian L Ruiz

Router question

Hello, good day everyone.
I have a question:
I have a TMG server with two network cards; one card is connected to another switch on the GVT router.
If I open the ISP router's software, it has the configuration for public DNS lookups, which in this case is the ISP's DNS. OK so far.
On my DC server, on the Forwarders tab, I put Google's DNS and not the ISP's DNS.
My question now is:
When a request is made, which DNS will be used?
Google, which is in my DNS forwarders, or the one set in the ISP router's software?
Thank you.

Server is unable to update the configuration/HTTPS Inspection corruption??


I'm having a major issue, and it all seems to stem from when I tried to remove an HTTPS Inspection website (dropbox.com) from the list. It also looks like my two appliances are no longer updating any URL categories.

When I click into 'Configure HTTPS Inspection' and click the Destination Exceptions tab, I get "Forefront TMG cannot load the property page". I also notice now, when I go into Monitoring > Configuration, that my two servers show Last Updated 11/29/1999 7:00 PM.

Ran the BPA and it does come back with:

-HTTPS Inspection configuration not loaded error alert was signaled 1 times.

-The secure channel to the domain controller cannot be verified

-The security descriptor of a logging folder does not grant sufficient rights

-The upload new configuration to services failed error alert was signaled 10 times

-The upstream chaining credentials error alert was signaled 1 times

This thing worked totally fine up until I tried removing that one domain name.  Any suggestions as to what happened and how to fix?

Thanks in advance,

Jordan

web proxy filter


Hello,

I wonder if the web proxy filter is something related to the URL filter?

It is checked in the allow rules for HTTPS sites for my users, who only go out to released sites, as in the image below:

Forefront TMG dropping some port 25 SYN packets, not receiving some email


Hi,

We have Exchange behind Forefront TMG.

Some emails are not being delivered. I identified some port 25 packets being dropped because of "non-SYN packet".

Could someone please let me know if this screen cap is the missing email messages and, if so, how do I resolve this?

Our servers are on 11.1.1.1 - 11.1.1.254.

The second TMG network port is plugged into the router; TMG address 192.168.1.19, router gateway 192.168.1.1.

Please help lol


authentication to webproxy fails using wpad and autodetection, but works fine if proxy is set in the browser


Hello,

Some of the clients have trouble with internet access over the TMG. IE is configured to use WPAD, which is set up as a DHCP option. In the logs I can see that the clients are not authenticated. If I enter the proxy parameters in the browser settings, everything works fine.

Does anybody have an idea what may be wrong?

Regards
Andreas

TMG Client and application exceptions


Hi fellas

I'm trying to roll out TMG this week, and we have a desktop app that is trying to connect to a local web server, yet the FWC intercepts this traffic and it fails through TMG.

We added the app executable name to the exceptions in TMG and it is working on some workstations but not all. 

Any recommendations on why these changes are not coming down to all of the firewall clients?

Thanks!

TMG pre-authentication for SharePoint site against multiple AD domains in trust relationship


Hi All,

We have deployed TMG in our client's environment for publishing their in-house SharePoint application on the internet.

There are two domains in their environment, say DOMAIN1 and DOMAIN2; both domains are in a bidirectional trust relationship. The SharePoint application is hosted in DOMAIN1.

We have deployed TMG with a single network adapter topology with a NO AUTHENTICATION configuration at the web listener, so the authentication was handled at the SharePoint level. With this configuration, all the users from DOMAIN1 and DOMAIN2 were able to access the SharePoint site on the internet.

Now, client wants to setup pre-authentication at TMG, so that authentication can be done at TMG level.

For this, we have modified the publishing rule configurations as:

  1. In the web listener Authentication tab, changed the authentication mechanism from NO AUTHENTICATION to HTML FORM AUTHENTICATION with LDAP.
  2. In the LDAP validation configuration, created two LDAP SETS for the two domains.
  3. In the AUTHENTICATION DELEGATION tab, delegate the authentication with NTLM authentication.

The problem is that after the pre-authentication configuration, the users from DOMAIN1 (on which the application is hosted) are able to log in to the SharePoint site on the internet and the username is visible in TMG live logging, but the users from DOMAIN2 are unable to log in to the site, getting red-colored access denied logs in TMG live logging, and the username is displayed as anonymous user.

I am wondering why the users from DOMAIN2 are unable to log in with the pre-authentication configuration when they were able to log in with the NO AUTHENTICATION configuration.
Can anybody help me identify the cause of this? Or please tell me if there is any limitation at the TMG level preventing authentication of users from the trusted domains of the host domain (on which the application is hosted).

Quick response will be really helpful.

Thanks,

Sanjog

TMG in Virtual Machine


Here is my TMG usage plan:

1- I have Windows 7 on my laptop.
2- I have installed Win2008R2 on Oracle VirtualBox.
3- Win2008 has 2 LAN cards (one attached as internal network: 192.168.90.10, and one bridged as external: 192.168.55.41).
4- The bridged LAN card gets internet from my main ISA server.
5- I have installed a DHCP server too.
6- I installed TMG 2010 SP2 ENT on Win2008 in VirtualBox.
7- The PPTP VPN server is configured on this TMG; it uses DHCP to assign IPs to clients.
8- I made a VPN connection from my own Windows 7 (laptop) to the TMG external IP.
9- The VPN connection was established without any problem.

Here are my questions:

1- My VPN connection takes an IP from TMG in an unknown range (169.254.197.254).

2- I want my clients to take an IP in the local range for which I made a scope in DHCP (server DHCP scope 192.168.90.20 - 192.168.90.30).

Please help me and show me solutions.

Hosting multiple websites on any domain behind TMG 2010


Hi everyone

We're selling cloud applications to our customers (hosted Exchange, multitenant SharePoint and an IaaS platform) and we'd like to extend our offer with website hosting. I set up Azure for Windows Server and published the front-end servers behind TMG.

By default, all websites are set up with our specific domain (e.g. hosting.com). So in the TMG publishing rule to our front-ends, I specified *.hosting.com in the public name field, and everything works like a charm.

Customers will then create sites like mycompany.hosting.com, but they will surely want to access their hosted website through their own public domain, like www.companydomain.com. The problem is that in the previous TMG publishing rule, I can't set the public name to accept any domain (I can't set the field to * or *.*).

Does anyone have an idea how to reach my goal?

Thanks in advance for your help




Blocking Gmail on Google Chrome


Hello Everyone,

I am using ISA 2006. I want to block Gmail; I have created a rule for it and also added all the URLs.

After that, users cannot access Gmail using IE, but the problem is that when they use Google Chrome they can access Gmail.

If anybody has a solution for this, please reply.

Regards,

Abhishek 

Network Config Question - TMG array behind ASA firewall


This is the first time I've implemented TMG, and I think I'm in a bit over my head. Here's my setup:

- I'm using TMG simply as a reverse proxy for publishing OWA (as well as Lync and SharePoint, but that's not for now). It is not being used as an internet-facing firewall, so we've placed it in the DMZ behind our Cisco ASA.

- I want to have an Array of TMGs load balanced, for redundancy (traffic isn't really an issue; we're not that big).

- Exchange CAS is on the Internal network (no edge roles).

So, I've got two NICs on each box, one in the DMZ and one internal. 

Current config for those NICs:

DMZ:

default gateway: yes
DNS: no
MS File Sharing: disabled

Internal:

default gateway: no
DNS: yes
MS File Sharing: enabled

I've followed TechNet docs to get a standalone array going. They are communicating configs on the DMZ NICs (I used those NICs when defining Managed Computers in the Firewall settings).

I then enabled NLB in TMG and set the VIP on the DMZ network. Now it's all broken.

First question: Am I doing this correctly in the first place?

Second question: Assuming my config works, what else do I need to do to get NLB working?


Forefront TMG Proxy Error 502


I am working on a test TMG server. I have included allowed domains by wildcard (*.*. and *.) as well as specific domains, as it was configured in our ISA 06 setup (which works flawlessly). All the rules are the same from ISA to TMG; however, the strangest thing happens.

When I make a change and apply it, a particular website (which is in my allowed domains list) is now blocked. Error code 502 (12202) comes up, blocking the URL. When I read into this, I see that this is caused by content being blocked. Looking through, I don't see any reason why content would be blocked. For example, if I add YouTube and CNET, I can view and download anything I want. So executables are not being blocked, nor are embedded elements.

The site in question is yorkcountypa.gov.

Some background. This is a VM with a single interface acting as a proxy ONLY.

I can provide specific screen shots and configs if needed, but don't want to spam them yet. So just let me know what you want to look at.

Two Web listeners using same SAN cert TMG 2010


We are using TMG 2010 and Exchange 2010 to publish OA, OWA, and ActiveSync.  Currently I have setup a separate web listener for ActiveSync which requires SSL Client Cert Authentication.  I am having issues getting it to work.

I am trying to use the same wildcard cert for both web listeners, but I am not sure if this is possible (mail.company.com and activesync.company.com). Both names are in the SAN; the web listeners each listen on a separate internal IP, which have corresponding public IPs NAT'd to them.

Is this possible?

allowing inbound connections for port 8600


Can someone assist with defining firewall policy that allows port 8600 inbound to Forefront TMG 2010?  My backup software communicates over this port.

Can you import TMG config to new box with a different IP?


Currently have a TMG server, but need to move it to a new virtual box with a different IP.

Can I import the config from the original TMG to the new virtual machine with a new IP running TMG?


TAG

Inbound SIP Closed with ERROR_DUP_NAME


OK, I have a very strange issue with my TMG right now. We are using the TMG to publish a SIP server for inbound calls (from the PSTN) over a trunk from our provider. Now, this works fine 99.9% of the time, but there is a scenario that I have confirmed now happens every time.

Setup is:
Internal LAN: has the internal PBX and SIP clients on the same network; all media is routed through our media gateway, so no RTP or SIP comes directly from the clients to the TMG.

External WAN: we have a trunk to our provider so we can make external calls and also receive calls from the PSTN.

SIP/RTP published using wizard
Works fine 99% of the time.



The scenario when the problem occurs is as follows:
- Someone internally makes an outbound call.
- A SIP request is sent from our internal PBX to the external vendor.
- TMG initiates a SIP session.
- The outbound call is established; all is fine.
- While the above call is ongoing, someone tries to dial in.
- We receive an inbound call (protocol SIP Server) from the PSTN.
- TMG initiates the connection (i.e. does not deny it).
- TMG *immediately* closes the inbound connection with the following error:

Closed Connection XXXXXXXX 2013-07-10 11:55:42 
Log type: Firewall service 
Status: You were not connected because a duplicate name exists on the network. If joining a domain, go to System in Control Panel to change the computer name and try again. If joining a workgroup, choose another workgroup name.  
Rule: VoIP Policy: Publish internal SIP proxy 
Source: External (XX.XX.XX.XX:5060) 
Destination: Internal (XXX.XXX.X.XXX5060) 
Protocol: SIP Server 
  Additional information 
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: XXX.XXX.X.XXX

As soon as the original outbound connection is CLOSED by TMG, inbound calls start to work again.

We are on version: 7.0.9193.575 - with latest service pack and hotfixes installed. ANY suggestions would be appreciated. 

PS: I have already reviewed our internal DNS server 10 times for duplicate names; there are none. .DS

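Two posts on this page paste TMG live-logging records in the same multi-line "Key: value" shape: the web-proxy "Failed Connection Attempt" with Status 10061 (the missing-picture post above) and the "Closed Connection" on the SIP publishing rule in this post. The following Python is an added example, not code from either poster or from Microsoft; it parses that record format, maps the status back to the Windows error code (10061 is Winsock WSAECONNREFUSED; the "duplicate name exists on the network" text is the Win32 message for ERROR_DUP_NAME, 52), and counts failures per rule and error. The sample log is constructed from the two posts: the masked SIP addresses and server name are replaced with the documentation address 203.0.113.10, a private address 192.168.1.20 and the name TMG02, all of which are assumptions.

```python
"""Parse Forefront TMG live-logging records of the multi-line form pasted in the
forum posts above and summarise the failures by rule and Windows error code."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Well-known Windows error codes behind the two statuses seen on this page.
WSAECONNREFUSED = 10061  # "No connection could be made because the target machine actively refused it."
ERROR_DUP_NAME = 52      # "You were not connected because a duplicate name exists on the network. ..."
CODE_NAMES = {WSAECONNREFUSED: "WSAECONNREFUSED", ERROR_DUP_NAME: "ERROR_DUP_NAME"}

# TMG prints some statuses as bare Win32 message text without a numeric prefix;
# map the first sentence of such a message back to its code.
TEXT_STATUS_CODES = {
    "You were not connected because a duplicate name exists on the network.": ERROR_DUP_NAME,
}

HEADER_RE = re.compile(r"^(?P<action>.+?)\s+(?P<server>\S+)\s+(?P<when>\d.*)$")
STATUS_RE = re.compile(r"^(?P<code>\d+)\s+(?P<text>.*)$")
ENDPOINT_RE = re.compile(r"^(?P<network>.+?) \((?P<ip>[^:()]+):(?P<port>\d+)\)$")


@dataclass
class Endpoint:
    network: str  # TMG network name, e.g. "Internal" or "External"
    ip: str
    port: int


@dataclass
class LogEntry:
    action: str               # "Failed Connection Attempt", "Closed Connection", ...
    server: str               # array member that logged the record
    when: str                 # timestamp kept as TMG printed it
    status_code: Optional[int]
    status_text: str
    source: Optional[Endpoint]
    destination: Optional[Endpoint]
    fields: dict = field(default_factory=dict)  # every other "Key: value" line


def parse_endpoint(value: str) -> Optional[Endpoint]:
    m = ENDPOINT_RE.match(value.strip())
    return Endpoint(m["network"], m["ip"], int(m["port"])) if m else None


def parse_status(value: str):
    """Return (code, text). Numeric-prefixed statuses carry their own code;
    text-only ones are looked up by first sentence, otherwise code is None."""
    value = value.strip()
    m = STATUS_RE.match(value)
    if m:
        return int(m["code"]), m["text"]
    first_sentence = value.split(". ")[0].rstrip(".") + "."
    return TEXT_STATUS_CODES.get(first_sentence), value


def parse_entries(text: str) -> list:
    """Split the pasted log on blank lines; each block is one connection record."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        hdr = HEADER_RE.match(lines[0])
        action, server, when = (hdr["action"], hdr["server"], hdr["when"]) if hdr else (lines[0], "", "")
        fields = {}
        for ln in lines[1:]:
            if ": " not in ln:          # e.g. the bare "Additional information" line
                continue
            key, val = ln.split(": ", 1)  # split on the first colon only, so
            fields[key.strip()] = val.strip()  # "Rule: VoIP Policy: ..." keeps its value
        code, text = parse_status(fields.pop("Status", ""))
        entries.append(LogEntry(action, server, when, code, text,
                                parse_endpoint(fields.pop("Source", "")),
                                parse_endpoint(fields.pop("Destination", "")),
                                fields))
    return entries


def failures(entries) -> list:
    """Records carrying a non-zero status, i.e. TMG reported an error."""
    return [e for e in entries if e.status_code not in (None, 0)]


def count_by_rule_and_code(entries) -> Counter:
    """How often each (rule, error name) pair occurs among the failures."""
    return Counter((e.fields.get("Rule", "?"), CODE_NAMES.get(e.status_code, str(e.status_code)))
                   for e in failures(entries))


# Constructed sample: the two records from the posts above, with the masked SIP
# addresses and server name replaced by assumed placeholder values.
SAMPLE_LOG = r"""Failed Connection Attempt TMG01 7/11/2013 4:14:37 PM
Log type: Web Proxy (Forward)
Status: 10061 No connection could be made because the target machine actively refused it.
Rule: Allow Web Access for All Users
Source: Internal (10.15.16.172:57330)
Destination: External (122.56.22.2:80)
Request: GET http://web.com/images/thumbs/0000363.jpg Filter information: Req ID: 13ad0312; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: GROUP\diM
Additional information
Processing time: 3026 MIME type: image/jpeg

Closed Connection TMG02 2013-07-10 11:55:42
Log type: Firewall service
Status: You were not connected because a duplicate name exists on the network. If joining a domain, go to System in Control Panel to change the computer name and try again. If joining a workgroup, choose another workgroup name.
Rule: VoIP Policy: Publish internal SIP proxy
Source: External (203.0.113.10:5060)
Destination: Internal (192.168.1.20:5060)
Protocol: SIP Server
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 203.0.113.10
"""

if __name__ == "__main__":
    for (rule, code), n in count_by_rule_and_code(parse_entries(SAMPLE_LOG)).items():
        print(f"{n:3d}  {code:16s}  {rule}")
```

Two things the parsed records make visible: a Status of 10061 means the rule allowed the request and the TCP connect reached the destination, which answered with a refusal, so the place to look is the upstream host and port rather than the TMG policy; and a text-only status is a Win32 message, so mapping it back to its numeric code (52 here) gives a searchable identifier instead of a sentence.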