Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

Site-to-Site VPN with Certificates


Hey,

We used to use pre-shared keys but have recently switched to certificates, which all seems to be fine.

However, when I look at the summary of the VPN on both servers, they say:

Local:
Outgoing Authentication Method: Certificate
Incoming Authentication Method: Certificate and pre-shared secret (***********)

Other End:
Outgoing Authentication Method: Certificate
Incoming Authentication Method: Certificate

How come? Why does it not say just Certificate for both Local and Other End? Interestingly, the pre-shared key is the same as it used to be when we actually used them. The settings for the VPN do not show the pre-shared key as being enabled, so where is it getting this value from?

Thanks


Create rule to allow Outlook clients to access an external Exchange server


Hi, was wondering if anyone can enlighten me on this matter.

I have set Forefront TMG as my main internet gateway and all my clients are getting internet via the proxy setting, but Outlook won't connect to the external Exchange server; somehow it is being blocked. So can anyone be kind enough to tell me how to create a rule to allow Outlook clients on my LAN to link with an Exchange server externally? Many thanks in advance.

Paul



TMG Refresh failed 0x8007003a


Hi,

I'm having a problem opening TMG 2010; I get this error.

This happens when opening or clicking within TMG.

I have rebooted the server still no difference.

Configuration of SSTP VPN


I have a plan to implement SSTP VPN for my users. Currently my setup is TMG 2010 with two NICs (LAN and WAN), DC, DNS and DHCP. We don't have a publicly registered domain name.

So far, I have followed a good number of documents and configured a CA server and generated a certificate, configured RRAS for VPN and NATting, configured PPTP and SSTP VPN (with web listener), CRL publishing etc. TMG 2010 is installed on Windows Server 2008.

Result: PPTP VPN is working, but not SSTP, though I exported and imported the certificate on the client PC (Windows 8) and made entries in the hosts file of the client PC. I have tried as far as possible but could not get SSTP VPN to work.

Questions: Are all the above prerequisites and setups OK? I suspect the problem is in the certificate or the unregistered DNS, but could not find it out.

It would be very helpful if someone shares the proper guideline with me to do that....

 

Forefront TMG dropping some port 25 SYN packets, not receiving some email


Hi,

We have Exchange behind Forefront TMG.

Some emails are not being delivered. I identified some port 25 packets being dropped because of "non-SYN packet".

Could someone please let me know if this screen cap is the missing email messages, and if so how do I resolve this?

Our servers are on 11.1.1.1 - 11.1.1.254

The second TMG network port is plugged into the router; TMG address 192.168.1.19, router gateway 192.168.1.1.

Please help lol
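A triage step that helps with a question like this is to separate the port 25 entries that TMG dropped as "non-SYN" (a packet that does not belong to a session TMG knows about, which commonly happens when the SYN took a different path than the rest of the connection or the session had already timed out) from the entries denied by a policy rule. The script below is an added example and not part of the post or of TMG itself; it parses firewall-log records written in the same field layout as the denied-connection entry quoted in the uTorrent post on this page. The log text, addresses and status wording are constructed for the example, and the field names it keys on (Status, Source, Destination) are an assumption about that layout.

```python
import re
from collections import Counter

# Constructed sample records in the "Field: value" layout quoted on this page.
# Addresses are documentation ranges; the 11.1.1.x range is the poster's.
SAMPLE_LOG = """\
Denied Connection
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection.
Rule: (none)
Source: External (203.0.113.7:40112)
Destination: Internal (11.1.1.10:25)
Protocol: SMTP

Denied Connection
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection.
Rule: (none)
Source: External (203.0.113.7:40113)
Destination: Internal (11.1.1.10:25)
Protocol: SMTP

Denied Connection
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: External (198.51.100.3:51000)
Destination: Internal (11.1.1.10:25)
Protocol: SMTP

Denied Connection
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection.
Rule: (none)
Source: Internal (11.1.1.50:61234)
Destination: External (192.0.2.9:443)
Protocol: HTTPS
"""

# "Network (ip:port)" as it appears in the Source/Destination fields.
ENDPOINT_RE = re.compile(r"\((?P<ip>[0-9.]+):(?P<port>\d+)\)")


def parse_records(log_text):
    """Split the log into records (blank-line separated) and return a list of
    dicts; the first line of each record becomes the 'Action' field."""
    records = []
    for chunk in re.split(r"\n\s*\n", log_text.strip()):
        lines = [l for l in chunk.splitlines() if l.strip()]
        rec = {"Action": lines[0].strip()}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def endpoint(field_value):
    """Return (ip, port) parsed from a Source/Destination value."""
    m = ENDPOINT_RE.search(field_value)
    return (m.group("ip"), int(m.group("port"))) if m else (None, None)


def classify_smtp_denials(log_text):
    """Group denied connections to TCP/25 by cause:
    'non_syn' -> Counter of source IPs whose packets were dropped as non-SYN
    'rule'    -> Counter of source IPs denied by a policy rule
    Entries to other ports are ignored so the mail-flow question stays focused."""
    result = {"non_syn": Counter(), "rule": Counter()}
    for rec in parse_records(log_text):
        if not rec["Action"].startswith("Denied"):
            continue
        src_ip, _ = endpoint(rec.get("Source", ""))
        _, dst_port = endpoint(rec.get("Destination", ""))
        if dst_port != 25:
            continue
        if "non-syn" in rec.get("Status", "").lower():
            result["non_syn"][src_ip] += 1
        else:
            result["rule"][src_ip] += 1
    return result


if __name__ == "__main__":
    summary = classify_smtp_denials(SAMPLE_LOG)
    for cause, counter in summary.items():
        for ip, n in counter.most_common():
            print(f"{cause:8} {ip:15} {n} denied connection(s) to port 25")
```

A sender that shows up repeatedly under `non_syn` with a fresh source port each time is trying to open new SMTP sessions whose handshake TMG never saw, which is worth checking against the routing between the two TMG interfaces; a sender under `rule` is a policy question instead.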

Between a rock and a hard place; URL Category


If I do a URL category query on this URL:  http://ui.constantcontact.com
It returns General Business and Technical Information.  All good.
But, I have a url like this:
http://ui.constantcontact.com/sa/fwtf.jsp?llr=ykcn96bab&m=1101586139480&ea=some.name@DomainName.com&a=1114077390671

It gets blocked by the Spam category.  And I've seen other instances, like Craigslist, where just Craigslist.com goes through, but if there is additional information at the end of the URL it gets blocked as Spam.

So I seem to have 2 options: #1 Choose to "Report a URL to Microsoft Reputation Service as incorrectly categorized", or #2 A URL category override on the Spam URL properties.
Neither of those is a good option, because these types of URLs are one-offs. We'd be constantly doing #1 or #2.

Any other suggestions?  There must be many people out there experiencing this same problem.  There must be a better way to solve this.



Smart Card VPN Issues


Hi All

We are having some issues getting a VPN set up to use a smart card for its credentials. It works just fine when using a username and password, but fails with the following error when using a smart card:

The client could not be authenticated because the EAP type could not be processed by the server.

This appears in the Security log as an audit failure. Above it is the details of the username, client IP etc which all appears fine.

The network setup is as follows. All servers run Server 2008 R2 Standard with SP1. All clients run Windows 7 Professional with SP1 64 bit and are domain members. We have a DC at 2008 R2 Forest Functional Level. We have also installed a CA on this server, and have duplicated the Smartcard Logon template to V2 (Server 2003 Enterprise). We have another server running TMG 2010. This has 2 network cards, one for local LAN and one for WAN. It is set up as an edge firewall. We have enabled the Remote Access (VPN) settings in the console for TMG. We have it using PPTP and allowing a group called VPNUsers access.

When we use our client PC to access the VPN using a username and password, it lets us in with no problems. We reconnect to the domain network and plug in our smartcard reader. The user we are logged on to the PC as is an admin. They have also installed an Enrollment Agent certificate into their local store. Using this user, we then enroll on behalf of, and then put in the name of our user. It requests the smart card be inserted. We do this and the enrollment goes through fine. Log off of the PC and back in as the user instead of the admin. Change the VPN to use smart card instead of PEAP or EAP-MSCHAP-V2. Then it fails to establish the connection with the error code as shown in the attached image.

I have tried a number of different smart cards, readers, and tweaked several settings on both the client and server, but I am coming to the limit of what I can do. Is this something anyone has come across before? Have I missed a step in the setup of the VPN or client? Any help would be greatly appreciated.

Many Thanks

Iain

How to block a URL with a particular word in it using TMG 2010


Hello All,

We are hosting a public web site ..... https://publicname.example.com/SASWebReportStudio/selectReportToOpenApplyCommand.do?CMDID=rfsrch

The last word on the above link is "rfsrch"; this is used for some search function. Now the management wants to block this search function. Hence they want to block the URL when it comes with this "rfsrch" search function.

If there is anything else other than "rfsrch" then it should not be blocked. Like ... if it is ..... https://publicname.example.com/SASWebReportStudio/selectReportToOpenApplyCommand.do?CMDID=xyzaa ....... then it should not be blocked.

Can we have this cracked, guys! Thanks in advance.

Regards,

Kiddy
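The matching logic behind a request like this is worth getting right before it is turned into a firewall rule: the requirement is that the CMDID parameter equals rfsrch, not that the string rfsrch appears somewhere in the URL, otherwise a value such as xyzaa passes but rfsrchx or a different parameter carrying that word would be blocked too, and a percent-encoded rfsrch would slip past a plain substring search. The function below is an added example in Python, not a TMG configuration and not code from the poster; it decodes the query string and compares the parameter value exactly. The path and command name come from the post; the decision of scoping the check to that one page is an assumption made here.

```python
from urllib.parse import urlsplit, parse_qs

# From the post: the search command management wants blocked, and the page it belongs to.
BLOCKED_COMMANDS = {"rfsrch"}
PROTECTED_PATH = "/SASWebReportStudio/selectReportToOpenApplyCommand.do"


def should_block(url: str) -> bool:
    """Return True only when the request targets the protected page and its
    CMDID parameter is exactly one of the blocked commands.

    parse_qs decodes percent-encoding and splits on '&', so the comparison is
    made on the real parameter value rather than on the raw URL text.  That is
    what keeps 'CMDID=xyzaa' and 'CMDID=rfsrchx' allowed while still catching
    'CMDID=%72fsrch'."""
    parts = urlsplit(url)
    if parts.path != PROTECTED_PATH:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        # parameter names and values are compared case-insensitively (assumption
        # for the example; the web application may be stricter)
        if name.lower() == "cmdid":
            return any(v.lower() in BLOCKED_COMMANDS for v in values)
    return False


def filter_requests(urls):
    """Return the subset of URLs that the rule would block, preserving order."""
    return [u for u in urls if should_block(u)]


if __name__ == "__main__":
    base = "https://publicname.example.com" + PROTECTED_PATH
    for u in (base + "?CMDID=rfsrch", base + "?CMDID=xyzaa",
              base + "?CMDID=rfsrchx", base + "?other=rfsrch",
              base + "?CMDID=%72fsrch"):
        print("BLOCK " if should_block(u) else "allow ", u)
```

The same exact-value test is the check to apply however the rule is implemented: a signature that searches the request URL for the bare substring will over-block other parameters and under-block encoded forms, whereas a rule scoped to the page and the decoded parameter value does only what management asked for.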



How can I find the CD key used to install MS Forefront TMG?


I currently have an instance of Forefront TMG running, but we've been experiencing some issues that we can't resolve. I want to build a new server, but I do not know the CD key that was used for this particular install. Is there a way to find out what the CD key is from the system? Either the TMG software or the Registry?

OS: Windows Server 2008
Reverse Proxy, Forefront TMG.

TMG acting up / not letting traffic through


Hello

I have installed a Win2k8 R2 server with TMG on it to act as a gateway server for my traffic at home. The server is installed on ESXi 5.1 as a virtualized server (mostly because I only have one physical NIC on the server.)

The server itself seems to work fine in its current state (which is internet provided by my old router, but DNS and DHCP services are run on the TMG server.)

The rules I have applied are basically:

* DNS to TMG server from Internal and Perimeter Allow (resolving local requests)
* DNS from TMG server to External Allow (forwarding DNS requests on the internet)
* DHCP Request from Any Network to TMG Allow (only listening on internal NIC)
* DHCP Reply from TMG to Any Network Allow
* Allow any outbound traffic from Internal, Perimeter and Localhost (mostly for testing) to External Allow

The configuration I have now that is working:

Manageable switch with 3 VLANs configured

* VLAN 100 - WAN
* VLAN 200 - DMZ
* VLAN 300 - LAN

The TMG has 3 virtual network cards corresponding to those VLANs, and they are all tagged on the port the ESXi server is hanging on on the switch.

Router connected to the Internet, DHCP and DNS services running on the TMG server. WAN card attached to the local LAN for DNS lookups on External to work properly (whatever rocks TMG's boat atm). This setup works for now and allows for surfing and access to my resources depending on port forwarding rules on my router.

This is my problem:

Once I attach the WAN link to a port that is tagged with VLAN 100, and switch the WAN card on the TMG to VLAN 100, the internet access stops working. I get a DHCP address from my ISP, which is correct, but I cannot access any internet sites, either from the TMG server or from the Internal network.

I have even tried creating a specific PING rule that allows pings from Internal and Localhost to External networks, but it won't ping anything, not even the router of the WAN network.

Does anyone have any suggestions on what may be blocking the access here? I can provide schematics of the setup for anyone who needs or wants to see them.


Client local administrator Internet access denied - TMG

If a domain user (logged in with a domain account) browses the internet, there's no problem. But if a non-domain user (logged in to the computer using the local administrator) browses an external website, they get an access denied connection, and the window to input a user account and password does not pop up on the client PC.

How can I make the user's PC pop up the window to input their domain account and password when they log in with a local account?

TMG 2010 SP2 with Rollup 3 slow download/upload speed


Hi,

I have Service Pack 2 with roll-up update 3. The download speed is constantly limited to 5 Mbps and the upload speed is limited to 1 Mbps. If I use an alternative gateway (Linux), I constantly get 20 Mbps download and 20 Mbps upload.

I have turned off Malware Inspection and applied all suggested registry solutions plus the script to increase the TCP buffer, but with no success.

The TMG server (Windows 2008 R2) is installed as a Hyper-V 2012 guest. The alternative gateway (CentOS) is also installed as a Hyper-V 2012 guest. Both are hosted on the same Hyper-V 2012 host. Both are also connected to the same dedicated physical NIC.

Any help would be greatly appreciated.

Error Code: 403 Forbidden. ISA Server is configured to block HTTP requests that require authentication. (12250)


Hello to every good man and woman :)

I upgraded ISA Server 2004 to ISA Server 2006 SP1; after that my mail client stopped working. When I try to connect from outside it writes: Error Code: 403 Forbidden. ISA Server is configured to block HTTP requests that require authentication. (12250).

I found a solution:

Solution
In the web listener click on the "Authentication" tab and then "Advanced..." and check the box "Allow client authentication over HTTP".

But when I want to change the setting in the authentication settings, it says: Error 0x80070002, The system cannot find the file specified.

And I tried every solution with this error but no result :(

Forefront TMG detected a proxy server loop - Standalone array


Hi,

I have two TMG 2010 servers configured as a standalone array, and load balancing is also enabled on both the internal and external interfaces.

TMG01 is the array manager, TMG02 is an array member.

Both TMGs have 2 NICs, Internal and External, and both NICs have default gateways, but only the internal NIC has a DNS IP.

I'm receiving this warning:

Forefront TMG detected a proxy server loop. There may be a problem in the configuration of the Forefront TMG Web chaining policy. Alternatively, in Enterprise Edition, when CARP is enabled and there are intermittent interruptions of intra-array connectivity, array member A may forward a request to array member B according to the CARP algorithm, and array member B may forward the request to array member A in an endless loop.

Please suggest the exact solution.



Polycom RealPresence behind TMG 2010


Hello,

I have a Polycom RealPresence Desktop client behind a TMG 2010 server, and we cannot start any audio/video call to external video conference devices.

  • I disabled the H.323 filter
  • Opened the below protocols/ports from the desktop client to External:
  1. TCP/1720 H.323
  2. TCP/5060 SIP
  3. TCP/3230-3237

But unfortunately I still can't start an A/V call to any external VC devices. It seems that there is a problem with NATing, so please could anyone advise what the needed configuration in TMG is to make this call start successfully?

Regards,

 


uTorrent Download Problem with TMG 2010

Denied Connection 
Log type: Firewall service 
Status: The action cannot be performed because the session is not authenticated.  
Rule: IT-Professional 
Source: Internal (192.168.0.*:58536) 
Destination: External (193.45.10.151:80) 
Protocol: BranchCache - Retrieval 


Ehtisham Iftikhar


TMG 2010 outbound VPN does not work (PPTP), Error 619


Hi,

We just deployed TMG 2010 NLB (SP1 with all 4 rollups) for a customer and one outbound VPN connection stopped working. I have searched the forums, Google and tried everything I could find but with no result. The ruleset in TMG and the routing are configured properly and I can open other VPN connections (PPTP as well, same port, same protocol, same encryption) with no problem, except this one.

So whenever I try to connect to this VPN connection I immediately get Error 619 (almost instantly). TMG shows that the connection opened successfully and then closed in the same second. I cannot figure out what TMG is altering in the connection, as it works via 3G modem or any other internet connection which is not protected with TMG. (I tried it on 3 different TMG installations and one ISA 2006 and the problem is with all of them), but from my home wifi router everything works like a charm. I have no control over the other end of the VPN tunnel but I know that it is not IP bound.

I am almost ready to give up and configure a static route to this VPN server and circumvent TMG. :(

 

 


TMG report content messed up after changing file location


Hi All,

I'm new to ISA and currently just set up a TMG 2010 server as an edge firewall (two network card mode.)

Because of the special situation here, I need to set the server up as a transparent agent so everyone does not need to set up a web proxy for internet access.

Issue 1: I ran the TMG server status report, and it looks fine. When I copy and paste the report folder (html) to my computer or any other computer, the report content is messed up, as the picture shows:

Issue 2: If I want the AD user name and site domain name shown in place of the current IP in the report, but there is no web proxy set up for users, what should I do?

Thank you.

Jack,

HTTPS inspection certificate validation


Hi,

I am using TMG 2010; I have enabled HTTPS Inspection: "Do not inspect traffic, but validate site certificates. Block HTTPS traffic if certificate is not valid".

Some sites I have added to the destination exception list, and I have selected no validation on these sites.

I have deployed the HTTPS inspection certificate from Active Directory, so all client machines have this certificate.

But sites with an expired certificate are not opening for me, even though I have inserted these sites in the exception list with "no validation" of certificates.

But some sites with a valid certificate are also not opening.

Kindly suggest me the solution.



Forefront NLB


Hi,

I have TMG 2010 with a single network card with one internal IP 192.168.0.1, and it's NATted to the firewall for connecting to the internet...

It's doing its job perfectly for about 325 users. TMG is integrated with Websense with a user license of 425 users....

It was working fine until last week. Last week I added another network card with a public IP (another external IP)

and enabled NLB with the routing method. It is possible to browse with both IPs and able to get both IP addresses..

But I am facing license issues on Websense, since Websense is considering that more than 425 users are connected...

In addition, if we disable the second public network card we are not facing any license issues on Websense..

As per our analysis the secondary network card is acting as a separate one and it is also giving data to Websense, hence the problems are coming..

Can anyone please guide me to configure the TMG server correctly...

