Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

Network topology - internal use of TMG, with VLANs


Hello. I read with interest: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/ae90b6d9-288a-4a26-86b2-ce9f810ad2a5

We would like to do something very similar: to separate some internal VLANs from others using TMG. Sometimes I find this a bit confusing, because the vast majority of TMG guidance and comment is written on the assumption that TMG has an internet gateway on one side and a LAN on the other. What we are doing will be internal (visiting wireless devices) separated from internal (domain devices).

When I think about TMG and topology two concepts spring to mind.

1) Edge, back end, 3 leg perimeter, etc. In other words TMG template topologies.
2) Pure networking topologies involving arrangements of routers, core switches, edge switches, VLAN configuration.

What I would like help with is how 1) and 2) fit together.

We have the router at our front end, then we have a layer 3 core switch, then the edge switches. Pretty much all on the same subnet at the moment.

If I create a VLAN 2 for visiting wireless devices, and use the layer 3 core switch to create that VLAN, where does my TMG server go? It wouldn't go between the switch and the WAPs, would it, because VLAN 2 is configured on the switch and I want the switch to handle the VLAN routing? But if the TMG server goes between the core switch and the router, it will have to be configured to handle requests from the whole network, which we don't necessarily want (yet).

Is the solution to put the TMG server on another VLAN, e.g. VLAN 3? I think it might be, but then I get confused. If visiting wireless (VLAN 2) internet requests come into the core switch, what's to stop that traffic being passed straight up to the router and out the door? How do I force the VLAN 2 traffic to go via TMG on VLAN 3? I'm guessing that would be to do with how I configure VLAN 2?


Background note: our organisation, while largely autonomous, is for networking purposes an IP subnet of a larger network. We have a router at our front end to which we do not have the password, although we can discuss changes to it with a contractor. I actually am not sure whether there is then a dedicated line or VPN tunnel to the ISP who provide us with our internal address subnet. It does not matter; the point is that in a networking sense we are some distance from the REAL www gateway, which is not our business.


Forefront user-based access to websites for terminal server users.


Hi, 

We have several terminal servers which hold about 50 users each. We would like to grant/block access to websites on a per-user basis. The problem we have now with our current configuration is that when we grant one user on the terminal server access to a website, all the users on that terminal server have access too.

If we use Forefront as our proxy server, could we make sure that only that one user has access and the others don't?

Redirect external URL to internal site or allow access to a URL without requiring authorization


I'm trying to shoehorn iPads into our enterprise network, and my last hangup is with the iPads disconnecting from the WLAN because they can't reach http://www.apple.com/library/test/success.htm.

How can I either A) allow access to that URL without requiring that the user be authorized by TMG, or B) redirect any request to that URL to a local server containing the success file?

One TMG and Two separate Forests?


Hi,

Is it possible to have 1 single TMG server and people from 2 different forests using it?

What features would be available/possible? What features would not be available/possible?

Thank you,

SK

SCOM agent on TMG server can't see management server


We use SCOM 2007 R2 CU5. TMG 2010 Enterprise on a 2-server array, and 2010 Standard on a standalone member server. All servers are in the same domain.

I installed the SCOM agent on all 3 TMG servers before TMG was installed. In the SCOM console the servers looked OK; they were not greyed out.

First, on the array, I configured the suggested rule to allow communications on port 5723, and in TMG used the System Policy Editor to add the SCOM server under Remote Monitoring > Microsoft Operations Manager. That's OK. The server does not appear greyed out in the Operations Manager console in SCOM.

I did the same thing on the standalone TMG server. But it is still greyed out in SCOM. Remember, this server was not greyed out prior to installing TMG; otherwise I'd be posting this in the SCOM forum.

From this standalone TMG server I could connect to the SCOM server using Telnet on port 5723.

What am I missing? Is there something else I need to do in TMG?

This is all prior to installing the TMG management pack in SCOM.

Thanks.

TMG - Can it log HTTP Header info from Web Filter?


We have a DLL that Forefront applies via Web Filter, which passes HTTP header information to an outside website. It's two proxies talking back and forth. Can Forefront capture the data passed in the HTTP header and log this information to a file or some other means I can use to view the exact data being passed? I am a newbie, so any detailed info would be appreciated.
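One way to see exactly what goes between the two proxies, as an added example rather than anything from Forefront or the filter DLL: a small HTTP sink in Python that records the request line and every header it receives as one JSON line per request, with credential-bearing headers redacted unless you ask to keep them, plus a parser for request heads copied out of a packet capture. Point the sending proxy at the sink's address on a test box to capture live traffic. The sample request, the partner host and the credential value in it are constructed for the example.

```python
# Added example (not Forefront's own code): an HTTP sink that records the exact
# request line and headers a proxy or filter sends, plus a parser for request
# heads taken from a capture. Credentials are redacted by default so the log
# file does not become a second copy of every Basic/NTLM token on the wire.
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Tuple

SENSITIVE = {"authorization", "proxy-authorization", "cookie", "set-cookie"}


def parse_request_head(raw: bytes) -> Tuple[str, str, str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x request head into (method, target, version, headers).

    Header order and duplicates are preserved: that is exactly what one wants
    to see when checking what a filter puts on the wire.
    """
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    lines = head.decode("iso-8859-1").split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers


def redact(headers: List[Tuple[str, str]], keep_secrets: bool = False) -> List[Tuple[str, str]]:
    """Replace credential-bearing header values unless explicitly told not to."""
    out = []
    for name, value in headers:
        if not keep_secrets and name.lower() in SENSITIVE:
            value = "<redacted %d bytes>" % len(value)
        out.append((name, value))
    return out


def to_record(raw: bytes, keep_secrets: bool = False) -> Dict[str, object]:
    """Turn a captured request head into the same JSON-friendly record the sink logs."""
    method, target, version, headers = parse_request_head(raw)
    return {"method": method, "target": target, "version": version,
            "headers": redact(headers, keep_secrets)}


class HeaderSink(BaseHTTPRequestHandler):
    """Logs every request head as one JSON line, then answers 200."""
    log_path = "header-sink.jsonl"   # assumed output file name

    def _dump(self):
        length = int(self.headers.get("Content-Length") or 0)
        if length:
            self.rfile.read(length)          # drain the body so keep-alive stays sane
        record = {"client": self.client_address[0], "method": self.command,
                  "target": self.path, "version": self.request_version,
                  "headers": redact(list(self.headers.items()))}
        with open(self.log_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")
        body = b"captured\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_OPTIONS = _dump


# Constructed sample of what one proxy might send the other (made-up host/token).
SAMPLE_REQUEST = (
    b"GET http://partner.example.net/lookup?id=42 HTTP/1.1\r\n"
    b"Host: partner.example.net\r\n"
    b"X-Forwarded-For: 10.0.0.5\r\n"
    b"Proxy-Authorization: Basic Zm9vOmJhcg==\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(json.dumps(to_record(SAMPLE_REQUEST), indent=2))
    # Point the sending proxy at 127.0.0.1:8080 (assumed address) to capture live traffic.
    HTTPServer(("127.0.0.1", 8080), HeaderSink).serve_forever()
```

The sink only shows what reaches it on the outside of the filter; if the other proxy rewrites or strips headers, compare a capture from each side with parse_request_head. Keep the redaction on when the log file leaves the box.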

Configuration lost!


Dear Friends,

Today I got a mail from my client saying they are getting loads of SPAM. I thought I'd check TMG, but there is no configuration on any of my TMG servers. When I open my TMG console, first it does not open, and if it does, it is not showing any configuration. Guys, this is very critical and urgent; please help.

UPDATE :(

I have 2 TMG servers, and they were configured with another TMG server as the configuration store, which was a virtual server. By mistake we deleted the HDD of that store server, so both TMGs are without a configuration server now. Is there anything that can be done? I have my production clients on this; please help.



Thanks
Happiness Always
Jatin



Web Listener

We are transitioning from Exchange 2007 to Exchange 2010 (i.e., moving all mailboxes, public folders etc. to Exchange 2010).

Currently, there is a single SSL certificate (DNS=webmail.domain.com.au) issued by Thawte on the web listener for OWA on the TMG box.

There are no other DNS names in the SAN certificate.

Config:
Exchange 2007 IP Address 192.168.0.10
Exchange 2010 IP Address 192.168.0.11


Plan:
It was decided to use the current SAN certificate of the Exchange 2007 server and apply it to Exchange 2010.
The web listener uses the above SAN certificate for OWA and ActiveSync.
Export the SAN certificate from the Exchange 2007 server: MMC > Certificates > Personal > Export Certificate,
then import it from Exchange Server > Server Configuration > Import Exchange Certificate.



Questions:

After exporting the SSL certificate from Exchange 2007 and importing it into Exchange 2010, do I need to do anything on the TMG box apart from pointing the OWA listener and ActiveSync listener to 192.168.0.11?

ISA 2004 IPSec VPN Routing Issue


Hi
I have an ISA 2004 server (not able to be replaced yet) at a remote site in the Philippines connecting back to head office in Melbourne, where there is a Juniper SRX210. The VPN is up and Melbourne has full access to the Philippines network. The Philippines network has access back to Melbourne, but the Philippines server does not. The server is a DC as well as running ISA 2004. It has two NICs: the internal with no gateway, and the external with ISA controlling access. This is resulting in the server being unable to replicate Active Directory between sites. Debugging logs show the issue to be with ISA, not a rule in Melbourne on the Juniper. The error is:

Denied Connection 10/20/2012 6:25:37 PM
Log type: Firewall service
Status: A packet generated on the local host was rejected because its source IP address is assigned to one network adapter and its destination IP address is reachable through another network adapter.
Rule:
Source: Local Host (192.168.79.1:137)
Destination: Melbourne (192.168.75.6:137)
Protocol: NetBios Name Service
User:
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.79.1
Client agent:
 
The Networks, Network Sets, Network Rules and routes all appear fine. How else is one supposed to set up ISA to send traffic from itself to the VPN tunnel? A static route to either its own internal IP or the external gateway kills the VPN. ISA should be intercepting the traffic and directing it over the tunnel. It does for the Philippines LAN, just not for the server itself. It is the firewall service itself; there is no rule to tweak.

This is causing me no end of grief; any assistance appreciated. I have been through http://technet.microsoft.com/library/bb794765.aspx and it has not helped. Everything from Melbourne to the Philippines is fine; it is just the Philippines server (the ISA one) that cannot see the Melbourne network. It also seems to be still trying to initiate an IPsec VPN after the Juniper-initiated SA is up and running and the VPN is up.

Thanks, Ben

ISA 2006 SP1 - external IP address from DHCP - effect of DNS entries


Consulting various sources, including TechNet articles, TechNet forum discussions and Dr. Tom Shinder's ISA 2006 book, I see that if you have an established "corporate" name resolution structure, there should be no DNS entries on the external network interface (NIC).

Unfortunately, the external network interface on my ISA server obtains its IP address from my ISP, via DHCP.

Therefore, there ARE DNS entries on the external NIC.

Yes, the internal NIC is above the external NIC (Adapter and Binding properties).

No, I have no problem resolving names from the ISA server. NSLOOKUP displays the name of the correct server for A and SRV records (I just tested those two; I imagine others would be fine).

I thought I could delete the entries using NETSH INTERFACE IP DELETE DNS WAN ALL, but that apparently does not function (?) on a dynamically assigned address (ipconfig still showed the DNS entries).

I see that you COULD place yet another device (router, 3rd party firewall) between the ISA server and the ISP so the former could have a statically configured IP address - with the DNS settings left blank (empty).

But is that really necessary?

But would those DNS entries on the external NIC have adverse effects (given that I am having no DNS resolution issues)?

???

In the absence of a "corporate" name resolution structure (a slightly different scenario), I read in Dr. Shinder's ISA 2006 book that the external NIC should have no DNS entries... "unless assigned by ISP via DNS" (page 135).

http://www.amazon.com/Shinders-Server-2006-Migration-Guide/dp/1597491993/ref=sr_1_4?ie=UTF8&qid=1350837912&sr=8-4&keywords=isa+2006

So should I just leave those entries and not worry about it?

???


Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.


How to publish 2 DVRs so I can view them from external?


Dear all experts,

I have FF TMG 2010 on a Win2k8 R2 box. My setup is like this: Modem (static IP) > FF TMG > switch > DVRs

2 DVRs with local IPs 192.168.1.18 and 192.168.1.19. Data port is 67, control port is 68, the same for both. I assigned port 7788 to 192.168.1.19 and 7789 to 192.168.1.18.

I also registered with the No-IP dynamic DNS service. I plan to use the domain name to map to my modem's static IP. When at home I can just key in the domain name with the port in the web browser to access my DVRs, depending on which port (7788 or 7789) I supply in the URL.

Actually I managed to access my DVR from home, but the problem is that no matter which port I use (7788 or 7789), it always shows me one of the DVRs only.

I don't know where it went wrong; please help.

Thanks

TMG not using assigned IP address


Hi,

I just installed TMG with this IP address: 192.168.5.40

I also have additional IP addresses 192.168.5.45, .48 and .19.

After adding 192.168.5.19,

I can't use RSA on the server.

I have done some research to find out why this is happening. A lot of the forums talk about TMG using the lowest IP address, which is 192.168.5.19; to make it use a specific IP address I need to use ENAT.

I went into tmg -> Networking -> Network Rule

Name: Internet Access

Relation: NAT

Destination Network: External

When I try to set the default IP address in this section i dont see anything under

properties -> NAT Address Selection -> Use the specified IP address

How do I see these IP addresses and select one of them as the default, which will be used all of the time?

block non domain computer from internet access


Hello,
I have a Windows 2003 server with ISA Server 2006; my domain works on static IPs.
The problem is that some employees bring their own laptop to work, so I want to prevent them from accessing the internet with their laptops, in case they disconnect the cable from a machine, connect it to a laptop and configure its IP.
Is there any way to make sure that no machine can join the internet unless it's already in my domain?


DARIUSHk
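Both this question and the terminal server question earlier on the page ("Forefront user-based access to websites for terminal server users") come down to what the rule conditions key on. The following is an added example, not ISA/TMG code: a model of first-match access rule evaluation in which a rule whose only condition is the source IP treats every session on the terminal server, and any laptop that takes over a domain PC's cable and address, exactly alike, whereas a rule with a user condition can only be satisfied by traffic that carries an authenticated identity (Firewall Client or web proxy authentication, in ISA/TMG terms). The subnet, account names and hosts are made up.

```python
# Added example (not TMG/ISA code): a model of ordered, first-match access rule
# evaluation, to show why an IP-based rule cannot distinguish users who share an
# address (a terminal server) and why an unauthenticated client (a laptop that
# borrowed a domain PC's cable and IP) matches only "All Users" rules.
# Subnets, account names and hosts below are made up.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Set, Tuple, Union

ALL_USERS = "All Users"                        # anonymous traffic matches too
ALL_AUTHENTICATED = "All Authenticated Users"  # needs Firewall Client / proxy auth


@dataclass
class Request:
    src_ip: str
    host: str
    user: Optional[str] = None   # None = no authenticated user behind the packet


@dataclass
class Rule:
    name: str
    action: str                                    # "allow" or "deny"
    sources: Sequence[str] = ("0.0.0.0/0",)        # CIDR source networks
    destinations: Sequence[str] = ("*",)           # fnmatch patterns on host
    users: Union[str, Set[str]] = ALL_USERS        # set of accounts, or a marker

    def matches(self, req: Request) -> bool:
        ip = ip_address(req.src_ip)
        if not any(ip in ip_network(net) for net in self.sources):
            return False
        host = req.host.lower()
        if not any(fnmatchcase(host, pat.lower()) for pat in self.destinations):
            return False
        if self.users == ALL_USERS:
            return True
        if req.user is None:
            return False   # anonymous traffic never satisfies a user condition
        if self.users == ALL_AUTHENTICATED:
            return True
        return req.user in self.users


def evaluate(rules: Sequence[Rule], req: Request) -> Tuple[str, str]:
    """First matching rule wins; nothing matching falls to the default deny."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "deny", "default rule"


# Policy A: source IP only. The whole terminal server, and anything plugged
# into the LAN with an internal address, is treated alike.
IP_POLICY = [
    Rule("Internal to Internet", "allow", sources=("10.0.0.0/24",)),
]

# Policy B: user-based. Alice alone reaches *.example.com; anyone else who
# authenticates is blocked there but allowed elsewhere; anonymous hosts get nothing.
USER_POLICY = [
    Rule("Alice to example.com", "allow", destinations=("*.example.com",),
         users={"CORP\\alice"}),
    Rule("Others blocked at example.com", "deny", destinations=("*.example.com",),
         users=ALL_AUTHENTICATED),
    Rule("Authenticated to Internet", "allow", users=ALL_AUTHENTICATED),
]

TS_IP = "10.0.0.5"       # terminal server: alice and bob share this address
LAPTOP_IP = "10.0.0.7"   # personal laptop using a borrowed domain PC address

if __name__ == "__main__":
    cases = [
        Request(TS_IP, "www.example.com", "CORP\\alice"),
        Request(TS_IP, "www.example.com", "CORP\\bob"),
        Request(LAPTOP_IP, "www.example.com", None),
    ]
    for label, policy in (("IP-based", IP_POLICY), ("user-based", USER_POLICY)):
        for req in cases:
            who = req.user or "anonymous"
            print(f"{label:10} {req.src_ip:10} {who:12} -> {evaluate(policy, req)}")
```

Under IP_POLICY the borrowed-address laptop is allowed out like any domain machine; under USER_POLICY it falls to the default deny because it never matches a user condition, and the same mechanism is what lets one user on a shared terminal server get a site the others do not. The model leaves out TMG specifics such as network sets, schedules and the ordering of system policy before firewall policy.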

Web Report


Hi everyone,

How can I generate reports on how users use the internet, by username, visited sites, time, etc.?


Meshack
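TMG's own report jobs aside, per-user, per-site and per-hour numbers can also be pulled straight from the W3C-format web proxy log files. The script below is an added example, not a TMG component. It takes the field order from the log's own #Fields header rather than hard-coding it, so it is not tied to the subset used here; the embedded log is a constructed sample whose user names, hosts, status codes and byte counts are made up.

```python
# Added example (not TMG's own reporting): a per-user usage report built from a
# W3C-format web proxy log. Field names come from the "#Fields:" header line,
# values are tab-separated and "-" means "no value". The sample log is
# constructed; its users, hosts and numbers are invented.
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, Iterator, List

SAMPLE_LOG = """#Software: Microsoft(R) Forefront(TM) Threat Management Gateway
#Version: 1.0
#Fields: c-ip cs-username date time r-host cs-uri sc-status cs-bytes sc-bytes
10.0.0.5\tCORP\\alice\t2012-10-22\t08:01:12\twww.example.com\thttp://www.example.com/\t200\t512\t20480
10.0.0.5\tCORP\\bob\t2012-10-22\t08:02:40\tnews.example.org\thttp://news.example.org/top\t200\t400\t81920
10.0.0.5\tCORP\\alice\t2012-10-22\t09:15:03\tmail.example.net\thttps://mail.example.net/\t200\t800\t4096
10.0.0.9\tanonymous\t2012-10-22\t09:16:00\twww.example.com\thttp://www.example.com/x\t407\t300\t-
10.0.0.5\tCORP\\bob\t2012-10-22\t12:30:21\tnews.example.org\thttp://news.example.org/a\t200\t350\t12288
"""


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for lineno, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        if not fields:
            raise ValueError("line %d: data before any #Fields header" % lineno)
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("line %d: %d values for %d fields"
                             % (lineno, len(values), len(fields)))
        yield dict(zip(fields, values))


def _int(value: str) -> int:
    return 0 if value == "-" else int(value)   # "-" is the W3C empty marker


def usage_report(records: Iterable[Dict[str, str]]) -> Dict[str, dict]:
    """Aggregate requests, bytes, sites, hours and status codes per cs-username."""
    report: Dict[str, dict] = {}
    for rec in records:
        entry = report.setdefault(rec["cs-username"], {
            "requests": 0, "bytes_down": 0, "bytes_up": 0,
            "sites": Counter(), "hours": Counter(), "statuses": Counter(),
            "first": None, "last": None})
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        entry["requests"] += 1
        entry["bytes_down"] += _int(rec["sc-bytes"])   # server -> client
        entry["bytes_up"] += _int(rec["cs-bytes"])     # client -> server
        entry["sites"][rec["r-host"]] += 1
        entry["hours"][when.hour] += 1
        entry["statuses"][rec["sc-status"]] += 1
        entry["first"] = when if entry["first"] is None else min(entry["first"], when)
        entry["last"] = when if entry["last"] is None else max(entry["last"], when)
    return report


def render(report: Dict[str, dict]) -> str:
    """One summary line per user, then that user's sites by request count."""
    out = []
    for user, e in sorted(report.items()):
        out.append("%s: %d requests, %d KB down, active %s-%s" % (
            user, e["requests"], e["bytes_down"] // 1024,
            e["first"].strftime("%H:%M"), e["last"].strftime("%H:%M")))
        for host, n in e["sites"].most_common():
            out.append("    %-30s %d" % (host, n))
    return "\n".join(out)


if __name__ == "__main__":
    print(render(usage_report(parse_w3c(SAMPLE_LOG.splitlines()))))
```

To run it over real files, replace SAMPLE_LOG.splitlines() with the lines of one or more daily log files; rows logged as anonymous (and 407 responses) are the requests that never carried a user name, which is worth checking before trusting the per-user totals.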

ISA 2006 SP1 - Outbound DNS queries failing


I want my DNS server to be able to forward name resolution requests to DNS servers on the Internet.

I created an Access Rule called "DNS Outbound" with the following settings:

Action: Allow

Protocols: DNS

From/Listener: Internal

To: External

Condition: All Users

----------------------------------------------------------------

Even so, if I go to the "Monitoring" tab of the DNS server, the recursive queries to "other DNS servers" fail consistently.

- nslookup on the ISA server correctly shows the IP address of the (internal) DNS server.

- nslookup on the DNS server (domain controller) itself times out in two seconds: Default Server is unknown, Address: ::1 (the IPv6 address of the DC/DNS server itself).

- Preferred DNS points to server itself (only one server in this network).

- There is a reverse DNS zone. There is a PTR record for the DNS server in this zone.

- DCDIAG is fine.

*

Despite the NSLOOKUP timeout and message, the local DNS server will, however, resolve local IP addresses correctly.

*

So why can't I resolve names past the ISA server?

Do I need to configure more rules? An inbound rule for the replies to the queries?


Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.


Which relationship between NAT and ISP Redundancy?


I have been configuring ISP redundancy, but I have a doubt: I need to configure a kind of NAT. I marked the first option, "default IP address". My doubt is, if the link goes down, does the second link go into operation automatically?

My scenario is two links  internet and one intranet!

Forgive me, my English is not so good!

Connectivity verfier for monitoring only?


I want to know if the connectivity verifier created for a TMG server farm is used just for monitoring, or whether TMG uses it to verify connectivity to each server in the farm, so that if one of them fails to respond, TMG will stop forwarding any requests to that failed server?

TMG BPA questions


Hi,

Just got a couple questions:

1. Do I need to install the TMG BPA on the TMG server? or can it be run remotely?

2. When I run it, it asks for an 'AD Server' name but not the TMG server name. Is this correct? How does it find the TMG server?

Thank you

Forefront TMG Reporting issues


I am unable to generate reports in TMG. Our logs currently sit on a separate server (non-TMG) and I am unable to change the reporting server to this server.

Does anybody have any idea how I can either

a. Change the reporting server in TMG to be our SQL server, or

b. Run the reports from this server?

Change OWA logon text (TMG Forefront Publishing)


Hi,

I am following an MS article to change our OWA login page:

http://technet.microsoft.com/en-us/library/ee914625.aspx

To change the text for the user name input in the standard logon page
  1. Open the strings.txt file in the appropriate language folder in the nls directory.

  2. Find the string matching the placeholder @@L_username_text. The string appears in the strings.txt file as: L_UserName_Text="Domain\User name:".

  3. Change the text string to L_UserName_Text="Alias:".

  4. Save the strings.txt file. When the HTML form is generated, the new value of @@L_username_text will be displayed in the form.

  5. Restart the Microsoft Firewall service for the changes to take effect.

I have changed the strings.txt file, and in my case I need the text L_UserName_Text="User name:" without the Domain\.

Even though I changed the strings.txt file located here: \%Forefront TMG Installation Directory%\Templates\CookieAuthTemplates\Exchange, and restarted the firewall service, the OWA logon page still shows Domain\Username.
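An added check, not part of the post or of TMG: when an edit to strings.txt has no visible effect, the first thing to establish is which copies of the file exist under the templates tree and what value each one carries, since each language folder under nls has its own copy and the HTML forms reference the key only through a @@ placeholder. The script below audits an in-memory copy of the tree (load_tree builds one from disk when given the CookieAuthTemplates path under the installation directory as its argument). The folder and file names in the constructed sample (Exchange\HTML\usr_pwd.htm, Exchange\nls\en\strings.txt, an ISA set) are an assumption about the installed layout, not taken from the post; the function works on whatever tree it is handed.

```python
# Added example (not part of the post or of TMG): audit every strings.txt below
# a forms template tree and report the value each copy holds for a given key,
# plus which HTML forms reference that key's @@ placeholder. The paths in
# SAMPLE_TREE are assumed, not verified against an installation.
import os
import re
import sys
from typing import Dict, List, Set, Tuple

ENTRY_RE = re.compile(r'^\s*(?P<key>[A-Za-z0-9_]+)\s*=\s*"(?P<value>.*)"\s*$')


def parse_strings(text: str) -> Dict[str, str]:
    """Parse KEY="value" lines; anything else is ignored, later duplicates win."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("key")] = m.group("value")
    return entries


def placeholders(html: str) -> Set[str]:
    """All @@NAME placeholders in a form, lower-cased because the article's
    placeholder (@@L_username_text) and key (L_UserName_Text) differ in case."""
    return {m.lower() for m in re.findall(r"@@([A-Za-z0-9_]+)", html)}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def audit(tree: Dict[str, str], key: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """tree maps relative path -> file text.
    Returns ([(strings.txt path, value of key)], [forms that use the key])."""
    values: List[Tuple[str, str]] = []
    forms: List[str] = []
    for path in sorted(tree):
        name = _basename(path)
        if name == "strings.txt":
            values.append((path, parse_strings(tree[path]).get(key, "<missing>")))
        elif name.endswith((".htm", ".html")) and key.lower() in placeholders(tree[path]):
            forms.append(path)
    return values, forms


def load_tree(root: str) -> Dict[str, str]:
    """Read every strings.txt and .htm/.html below root into an in-memory tree."""
    tree: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() == "strings.txt" or fn.lower().endswith((".htm", ".html")):
                full = os.path.join(dirpath, fn)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    tree[os.path.relpath(full, root)] = fh.read()
    return tree


# Constructed sample: the English Exchange copy was edited, the German copy and
# a second template set were not, and the form references the placeholder.
SAMPLE_TREE = {
    r"Exchange\HTML\usr_pwd.htm": '<label>@@L_username_text</label><input name="username">',
    r"Exchange\nls\en\strings.txt": 'L_UserName_Text="User name:"\nL_Password_Text="Password:"\n',
    r"Exchange\nls\de\strings.txt": 'L_UserName_Text="Domain\\User name:"\n',
    r"ISA\nls\en\strings.txt": 'L_UserName_Text="Domain\\User name:"\n',
}

if __name__ == "__main__":
    tree = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TREE
    values, forms = audit(tree, "L_UserName_Text")
    for path, value in values:
        print("%-40s %s" % (path, value))
    print("forms using the placeholder:", forms)
```

A copy still carrying "Domain\User name:" for the language the browser negotiates, or a form that lives in a template set other than the one edited, shows up immediately in this listing.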

