Channel: Forefront TMG and ISA Server forum
Viewing all 3822 articles

Port-forward to External IP that is connected to same router/switch.

I'm trying to access a client machine via VNC on an external IP address. The client machine is in the same building as our main network but on a separate network behind a TMG 2010. The problem I have is that our main network and this client machine, once they go past the firewall (a separate TMG 2010 for each network), connect to the same switch to get to the internet.

I have set up the port forward on the TMG to access the VNC client, and it works fine if you connect from an external network on the internet. The problem is that if I try to connect from my internal network it doesn't work. So I think, because both networks connect to the same switch, the traffic never goes out to the internet.

Below is a graphical diagram that explains a bit more about the network layout.

For example, I try to access the VNC on 10.10.10.1:5902 and it doesn't work. However, if I just try to use the IP address only, then it connects fine.

The reason we need this is that we need customers to be able to access a test machine from the internet, and for security reasons it is on a separate network.

Any advice would be appreciated.

Thanks  


Forefront TMG 2008/2010 Requires SMB Services

When I install Forefront TMG, it also installs the SMB service. Is it safe to turn off this service? Is there any impact on TMG services?

cookies persistent -ISA 2006

Hi All

I am enabling persistent cookies on the SharePoint 2010 listener to avoid multiple authentication pop-ups, and my question is: are these cookies encrypted using any industry standard (DES, AES, etc.)? If not, is there any level of security applied here? Appreciate your help.

Microsoft TMG - Client side certificate authentication over HTTPS

Hi All,

I found similar articles for my problem but none of them is helping resolve my problem.

My Requirement: I have a web application behind TMG which works on HTTPS. I want TMG to allow users to access this application over HTTPS from the internet and validate the client certificate installed on the system. Only systems with a valid client certificate issued by our internal CA should be allowed access to the web application over HTTPS.

Additional Details:

1. SSL certificate for web application is issued by our internal CA

2. Every system in our environment has a system certificate and a user certificate issued by our internal CA. We want TMG to validate the system certificate in this case.

3. TMG trusts our internal CA.

4. The web application is configured with anonymous authentication enabled.

5. On TMG, I have configured: no authentication; client-side certificate validation, issued by any trusted CA.

6. The web server is configured to require SSL and ignore client certificates. (I tried changing it to "Accept" but it still doesn't help.)

ISSUE:

1. From the TMG logs it looks like it is not getting the certificate from IE and keeps dropping the connection.

Please let me know how to resolve this issue. I have tried my best but am unable to resolve it.
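A check that goes with the post above, added here as an example (it is not code from the post, from Microsoft or from the TMG product): send a bare TLS 1.2 ClientHello to the published listener and list the handshake messages the server answers with. In the TLS 1.0 to 1.2 handshake that a TMG 2010 listener performs, a server that wants a client certificate sends CertificateRequest (handshake type 13) before ServerHelloDone (type 14); if it is missing from the initial flight, the browser never has a reason to offer a certificate, which is consistent with "not getting the certificate from IE". The probe only sees the initial flight, so a server that asks for the certificate later via renegotiation will show as "not requested". The listener name and port are placeholders; the sample flights in the self-test are constructed.

```python
"""Probe a TLS listener for a CertificateRequest in the server's first flight.

Added example, not code from the original post or from Microsoft. It sends a
minimal TLS 1.2 ClientHello and lists the handshake message types the server
replies with. Works for the TLS 1.0-1.2 handshake only (TLS 1.3 encrypts
these messages). Host and port in __main__ are placeholders.
"""
import os
import socket
import struct

RECORD_HANDSHAKE, RECORD_ALERT = 22, 21
SERVER_HELLO, CERTIFICATE, CERTIFICATE_REQUEST, SERVER_HELLO_DONE = 2, 11, 13, 14


def handshake_msg(msg_type: int, body: bytes) -> bytes:
    """Handshake header: 1-byte type, 3-byte length, then the body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def record(payload: bytes, content_type: int = RECORD_HANDSHAKE) -> bytes:
    """Record header: content type, legacy version 0x0303, 2-byte length."""
    return struct.pack("!BHH", content_type, 0x0303, len(payload)) + payload


def build_client_hello(server_name: str) -> bytes:
    """TLS 1.2 ClientHello offering RSA AES suites, with an SNI extension."""
    suites = b"".join(struct.pack("!H", s) for s in (0x002F, 0x0035, 0x003C, 0x009C))
    name = server_name.encode("idna")
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_data = struct.pack("!H", len(server_name_list)) + server_name_list
    sni_ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    body = (
        b"\x03\x03" + os.urandom(32) + b"\x00"            # version, random, empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                       # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    return record(handshake_msg(1, body))


def handshake_types(stream: bytes) -> list:
    """Reassemble handshake messages across TLS records and return their types.

    An alert record is reported as -1 so the caller can tell "refused" from
    "never asked". A truncated trailing record or message is ignored so the
    function can be re-run as more bytes arrive."""
    buf, types, i = bytearray(), [], 0
    while i + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[i:i + 5])
        payload = stream[i + 5:i + 5 + length]
        if len(payload) < length:
            break
        if ctype == RECORD_HANDSHAKE:
            buf += payload
        elif ctype == RECORD_ALERT:
            types.append(-1)
        i += 5 + length
    j = 0
    while j + 4 <= len(buf):
        msg_len = int.from_bytes(buf[j + 1:j + 4], "big")
        if j + 4 + msg_len > len(buf):
            break
        types.append(buf[j])
        j += 4 + msg_len
    return types


def server_requests_client_cert(stream: bytes) -> bool:
    return CERTIFICATE_REQUEST in handshake_types(stream)


def probe(host: str, port: int = 443, server_name: str = None, timeout: float = 5.0) -> dict:
    """Connect, send the ClientHello and read until ServerHelloDone or an alert."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(server_name or host))
        while not ({SERVER_HELLO_DONE, -1} & set(handshake_types(data))):
            try:
                chunk = sock.recv(16384)
            except socket.timeout:
                break
            if not chunk:
                break
            data += chunk
    types = handshake_types(data)
    return {"handshake_types": types, "client_cert_requested": CERTIFICATE_REQUEST in types}


if __name__ == "__main__":
    # Placeholder listener name; replace with the published TMG listener.
    print(probe("owa.example.test", 443))
```

If the result shows [2, 11, 14] with no 13, the listener is not asking for a certificate at all and the problem is on the TMG side; if 13 is present and IE still sends nothing, look at the CA names the CertificateRequest carries and at the client's certificate store instead.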

Could not pass through TMG HTML Pre-Authentication

Hi,

We have deployed TMG in our client's environment for publishing their in-house SharePoint application on the internet.

There are two domains in their environment, say DOMAIN1 and DOMAIN2; both domains are in a bidirectional trust relationship. The SharePoint application is hosted in DOMAIN1.

We have deployed TMG in a single-network-adapter topology with NO AUTHENTICATION configured at the web listener, so authentication was handled at the SharePoint level. With this configuration, all the users from DOMAIN1 and DOMAIN2 were able to access the SharePoint site on the internet.

Now the client wants to collect user info for the traffic accessing SharePoint on the internet.

To achieve this we planned to set up pre-authentication at TMG.

In the web listener's Authentication tab, I changed the authentication mechanism from NO AUTHENTICATION to HTML FORM AUTHENTICATION with LDAP.

On the AUTHENTICATION DELEGATION tab, I kept the same "No delegation, but client may authenticate directly", just to test whether users are able to authenticate to TMG.

The problem is that the users from DOMAIN1 (on which the application is hosted) are able to log in to TMG and from there could log in to the SharePoint site on the internet, and the username is visible in TMG live logging.

But the users from DOMAIN2 are unable to pass through TMG HTML Form Authentication.

I am wondering why the users from DOMAIN2 are unable to log in with the pre-authentication configuration when they were able to log in with the NO AUTHENTICATION configuration.

In TMG's LAN settings, the preferred DNS is set to the DOMAIN1 IP.

TMG, DOMAIN1 and DOMAIN2 are in the same network but separated by VLANs.

Troubleshooting done as below:

  • Ping: working fine from both ends
  • Telnet from TMG to DOMAIN2 DC on ports 389 and 636: successful
  • Telnet from DOMAIN2 DC to TMG on ports 389 and 636: failed
  • Bidirectional ports were opened between DOMAIN2 DC and TMG: 389 and 636
  • Tested with the ldp.exe tool on TMG to both DOMAIN1 and DOMAIN2: received "Cannot open connection"
  • Could see "user login attempted" on TMG and "login successful" logs in the DOMAIN1 security event log along with the user account name.

Please help in fixing this.

Thanks in Advance,

Harish
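An added example for the troubleshooting list above (not code from the post, from Microsoft or from ldp.exe): a minimal LDAP simple-bind probe written against the standard library only, so it can be copied onto the TMG host and run against each DC. A successful telnet to 389/636 only proves the port is open; what the form listener does when it validates credentials over LDAP is a bind, and the DC's diagnostic text on a failed bind tells you whether the account was found at all. The host names, the bind name and the password are placeholders, and the responses in the self-test are constructed. On port 389 the password travels in clear, so outside a lab use 636 with use_tls=True and the internal CA bundle.

```python
"""Minimal LDAP simple-bind probe (hand-encoded BER, standard library only).

Added example, not from the original post or from any vendor tool. Sends an
LDAP BindRequest and decodes the BindResponse. Host names, bind name and
password are placeholders; the AD "data" codes are the well-known values
Active Directory puts in the diagnosticMessage of a failed bind.
"""
import socket
import ssl

AD_BIND_DATA = {"52e": "invalid credentials", "525": "user not found",
                "530": "logon time restriction", "533": "account disabled",
                "773": "must change password", "775": "account locked"}


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, otherwise 0x80 | byte-count, then the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value: int) -> bytes:
    """INTEGER, two's complement, with a leading zero byte when the top bit is set."""
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def bind_request(msg_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }"""
    bind = tlv(0x60, ber_int(3) + tlv(0x04, name.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + bind)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    tag, msg, _ = read_tlv(data)
    assert tag == 0x30, "not an LDAPMessage"
    _, mid, pos = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, pos)
    assert op_tag == 0x61, "not a BindResponse"
    _, code, pos = read_tlv(op)          # ENUMERATED resultCode
    _, matched, pos = read_tlv(op, pos)  # matchedDN
    _, diag, _ = read_tlv(op, pos)       # diagnosticMessage
    diag_text = diag.decode(errors="replace")
    data_code = next((d for d in AD_BIND_DATA if f"data {d}" in diag_text), None)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big"),   # 0 = success, 49 = invalidCredentials
            "matched_dn": matched.decode(errors="replace"),
            "diagnostic": diag_text,
            "ad_reason": AD_BIND_DATA.get(data_code)}


def ldap_bind(host, name, password, port=389, use_tls=False, cafile=None, timeout=5.0) -> dict:
    """Bind as `name` (UPN or DOMAIN\\user both work against AD) and decode the result."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context(cafile=cafile)   # internal CA bundle for LDAPS
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, name, password))
        data = sock.recv(4096)
    return parse_bind_response(data)


if __name__ == "__main__":
    # Placeholders: run once per DC that the listener's LDAP server set points at.
    for dc in ("dc1.domain1.example", "dc1.domain2.example"):
        print(dc, ldap_bind(dc, "testuser@domain2.example", "placeholder-password"))
```

A resultCode of 0 from the DOMAIN2 DC shows the credentials and the network path are fine and the remaining question is how TMG maps DOMAIN2 logins to an LDAP server set; a 49 with "data 525" from the DOMAIN1 DC shows what happens when a DOMAIN2 user is looked up against the wrong domain.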

Enable VLAN traffic through Forefront TMG

Hi everyone,

I recently implemented VLANs on our wireless networks and am currently having trouble passing traffic through our TMG firewall. Our core switch provides all the inter-VLAN routing, and the default route is set to send all traffic to the firewall. Clients on separate VLANs can ping each other and the virtual interface of each VLAN with no issues, but when traffic attempts to go through the firewall I'm seeing 0x80074e25 FWX_E_TIMEOUT and 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN.

All of the VLANs have been added to the "Internal" network list and the gateway on the firewall has been set to the VLAN interface. Please see below for sample config info:

LAN:

IP: 192.168.1.2

Subnet: 255.255.255.0

DNS: 192.168.1.3

Gateway: 192.168.1.1

WAN:

IP: 1.2.3.4

Subnet: 255.255.255.248

DNS: 4.3.2.1

Gateway: 1.2.3.5

Prior to setting a LAN gateway I was seeing spoofing errors, but I imagine that was because those networks were unreachable.
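An added example for the VLAN post above (not code from the post or from Microsoft): TMG's spoof detection fires when a packet arrives on the Internal NIC from a source address that is not inside the address ranges defined for the Internal network, and TMG also needs a route back to every remote VLAN. The standard TMG guidance is a single default gateway, on the External NIC, with persistent static routes for internal subnets rather than a second gateway on the LAN NIC. The functions below take the Internal network definition as TMG stores it (address ranges), report which VLAN subnets fall outside it, emit the `route -p add` commands toward the core switch, and produce the collapsed ranges to paste back into the Internal network properties. The LAN addresses are the ones quoted in the post; the VLAN list is an assumed example.

```python
"""Check VLAN subnets against a TMG Internal network definition.

Added example, not from the original post or from Microsoft. The Internal
network in TMG is a list of address ranges (start, end); spoof detection
drops packets whose source is outside those ranges when they arrive on the
Internal NIC. The VLAN list used in __main__ is assumed, not from the post.
"""
import ipaddress


def ranges_to_networks(ranges):
    """Expand (start, end) ranges into the CIDR blocks that cover them exactly."""
    nets = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return nets


def check_internal_definition(internal_ranges, vlan_subnets):
    """Return (covered, spoofed): VLAN subnets wholly inside the Internal
    definition, and those whose hosts would trigger spoof detection."""
    nets = ranges_to_networks(internal_ranges)
    covered, spoofed = [], []
    for cidr in vlan_subnets:
        subnet = ipaddress.ip_network(cidr, strict=False)
        (covered if any(subnet.subnet_of(n) for n in nets) else spoofed).append(str(subnet))
    return covered, spoofed


def static_routes(lan_ip_cidr, core_switch_ip, vlan_subnets):
    """Persistent Windows routes for every VLAN that is not on-link for the LAN NIC."""
    lan = ipaddress.ip_interface(lan_ip_cidr)
    cmds = []
    for cidr in vlan_subnets:
        subnet = ipaddress.ip_network(cidr, strict=False)
        if subnet.subnet_of(lan.network):
            continue  # directly connected, no route needed
        cmds.append(f"route -p add {subnet.network_address} mask {subnet.netmask} {core_switch_ip}")
    return cmds


def merged_ranges(internal_ranges, vlan_subnets):
    """Collapsed (start, end) ranges to enter in the Internal network properties."""
    nets = ranges_to_networks(internal_ranges)
    nets += [ipaddress.ip_network(c, strict=False) for c in vlan_subnets]
    return [(str(n[0]), str(n[-1])) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    internal = [("192.168.1.0", "192.168.1.255")]          # Internal definition as in the post
    vlans = ["192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/24"]   # assumed VLAN layout
    covered, spoofed = check_internal_definition(internal, vlans)
    print("covered:", covered)
    print("would be flagged as spoofed:", spoofed)
    for cmd in static_routes("192.168.1.2/24", "192.168.1.1", vlans):
        print(cmd)
    print("Internal ranges to configure:", merged_ranges(internal, vlans))
```

Run it with the real VLAN list; anything in the "spoofed" list explains the earlier spoof alerts, and the FWX_E_TIMEOUT errors usually follow from the missing return route once the second default gateway is removed from the LAN NIC.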

Trying to publish security gateway appliance in DMZ

I am trying to publish a PCoIP Security Gateway from a DMZ using the only public IP address we have available.

We have TMG 2010 appliance with 5 NICs:

1 Internal - 10.100.10.254/24
1 External - 204.9.159.XXX/29
1 DMZ - 172.16.0.1/24
2 Unused

On one of our ESXi hosts I added a new NIC and created a new vSwitch.  I added the security gateway appliance to the vSwitch and connected this new NIC to the DMZ NIC on our TMG appliance.

I need to publish out this security gateway on ports TCP 443 and 4172 and UDP 4172.  We are already hosting websites on the public IP address assigned to the External NIC so I assume I need to use the one remaining public IP address I have to publish out this security gateway.

I have a few questions to try and figure out the best route for accomplishing this:

1 - Do I need to assign the DMZ NIC the remaining public IP but give the security gateway a private IP and use NAT?  Or do I dual-home the External NIC with the remaining public IP address?

2 - Do I use access rules or publish rules to give the External network access to the DMZ network?

3 - Is there an easier way to accomplish this that I'm unaware of?


TMG 2010 with NEC SV8100 VoIP

More than a month ago we installed NEC SV8100 VoIP systems in our two offices, which are connected via an MPLS circuit. Our west coast office has a TMG 2010 installed as an edge firewall. All TMG services, web and SharePoint publishing are working just fine, but we simply cannot get VoIP to work for our remote NEC phones. By remote phones we mean the NEC VoIP phones that home office employees use to connect to our NEC PBX.

Remote phones do connect to our published SIP address using NAT traversal and are programmed to use SIP Mate port 5080 (NEC requirement). The problem is that the calls always drop after a couple of minutes, and the remote phone either is ready for another call in a few seconds or shows network busy and reboots.

On the TMG side NEC told us to disable the TMG VoIP services (we did try with them configured and turned on, but with the same results) and use UDP port forwarding as follows:

5080 & 5081 = Forward to the address in 192.168.10.12

10020 – 10051 = Forward to the 1st IP address in 192.168.10.13

10052 – 10083 = Forward to the 2nd IP address in 192.168.10.14

10084 – 10115 = Forward to the 3rd IP address in 192.168.10.15

10016 – 10147 = Forward to the 4th IP address in 192.168.10.16

10148 – 10179 = Forward to the 5th IP address in 192.168.10.17

10180 – 10211 = Forward to the 6th IP address in 192.168.10.18

10212 – 10243 = Forward to the 7th IP address in 192.168.10.19

10244 – 10275 = Forward to the 8th IP address in 192.168.10.20

We created user-defined protocols to allow UDP traffic with the specified port ranges, with Primary Connections set in the Receive Send direction and Secondary Connections direction set as Send Receive for the same UDP port range. A server publishing rule was then created for each port range/protocol, publishing the external TMG-dedicated SIP address as requested.

We did try many different rules and configurations but are running out of ideas.

If anyone has ideas, suggestions and especially experience with NEC-specific VoIP configurations, it would be greatly appreciated.

Windows 8 cannot access a Windows 2012 File Server through TMG 2010 - SMB3 issue?

We have several offices connected with TMG 2010 servers at each location. Since October we have been running a 2012 file server in the data center. Now we have started to roll out Windows 8 clients (all clients are currently Windows 7 and most servers are 2008 R2) and had no problem accessing the 2012 file server while the clients were located in the data center, but after the machines were shipped to the branch locations, suddenly the Windows 8 clients cannot access the 2012 file server. They can still access any of the older 2008 R2 or earlier file servers, but not the 2012 boxes.

I have set up several test Windows 8 clients, all with the same results. I have set up another 2012 file server, same result.

I found the following article http://support.microsoft.com/kb/2686098 discussing SMB3 issues, so as a test I did the workaround for "Disable "Secure Negotiate" on the client" on the Windows 8 clients, and immediately could access the Windows 2012 servers.

Is there some firewall policy I need to change on the TMGs to allow the SMB3 protocol to pass? Am I right to think that the TMGs might be the culprit? Thanks

TMG 2010 in virtualized test environment: Web site publishing and timeout

Hi,

I'm currently trying to evaluate TMG 2010 and to do that created four VMs:

  • 1 DC (NETWORK-DC)
  • 2 IIS Servers (NETWORK-IIS1 and NETWORK-IIS2)
  • 1 TMG Server (NETWORK-TMG) : installed in edge configuration

They are on the same network (192.168.0.X, 255.255.255.0) and the TMG server has a second NIC with IP address 10.0.0.7.

My VMs' host computer has the IP address 10.0.0.1.

I'm just trying to access the web site hosted on NETWORK-IIS1 on port 80.

What I've done:

  • Created a web publishing rule so that a request to 10.0.0.7 on port 80 with the URL iis1.network.local is redirected to NETWORK-IIS1
  • Updated my host computer's hosts file to resolve iis1.network.local to 10.0.0.7

When logging, I can see that the connection is initiated, but the next log row states that the connection failed with the following error:

Failed Connection Attempt NETWORK-TMG 13/08/2013 16:09:29

Log type Web Proxy (Reverse)

Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or an established connection failed because the connected host has failed to respond.

Rule: IIS1

Source: External (10.1.2.12:55288)

Destination: Local Host (192.168.0.2:80)

Request GET http://NETWORK-IIS1.NETWORK.LOCAL/

Filter information: Req ID: 0c5c762b; Compression: client=Yes, server=No, compress rate=0% decompress rate=0%

Protocol http

User anonymous

 Additional information

. Client agent Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)

. Object source: Internet (Source is the Internet. Object was added to the cache.)

. Cache info: 0x0

. Processing time: 63000 MIME type:

My Internet Explorer shows:

  • Error Code: 408. The operation timed out. The remote server did not respond within the set time allowed. The server might be unavailable at this time. Try again later or contact the server administrator. (12002) 

I know the TMG server can resolve and display the website at the URL http://iis1.network.local.

Can someone help me?

Thanks


My blog : http://mscrmtools.blogspot.com

Problem with HTTPS blocking

I have a number of different rules which block sites by category. The rules work fine, but I have a strange issue: if people go to an HTTP site that is blocked, they are correctly redirected to the block page we created, but if people access an HTTPS site that is blocked they just get a page-not-found and not the custom block page. Why is this? The blocks are on the same rule for HTTP and HTTPS. They are blocks via URL sets.

Example

Action = Deny

Advanced = Redirect to URL http://block/socialmedia.html

Protocols = HTTP / HTTPS

From = Internal

To = URL Set - Block Social Media ( sites listed in this group are HTTP and HTTPS )

Users = All Users

Exceptions = Allowed Access To Social Media

TMG: SSL traffic fails. Destination: External (255.255.255.255:8080)

Hi,

We are in the process of configuring TMG 2010. From a web client, all is good as far as HTTP traffic goes. We get the page returned without issue. The problem occurs when we try to browse to SSL (443) pages.

In the logs, we see the line:

Destination: External (255.255.255.255:8080)

But what we don't understand is where this "255.255.255.255" address is coming from. On our current ISA 2006 server, we see Destination: External (173.194.41.96:443).

On our external firewall, sitting between the TMG server and the big bad world, we don't see anything coming from TMG.

I'm sure it is something really simple, but we just can't figure it out.

Below is a screen shot of the issue.

Any help would be greatly appreciated.

Thanks

W.

TMG IPSEC Site-to-Site VPN with NAT Help

I need to NAT our internal private IP range to a public range to go through the site-to-site IPSEC tunnel. I can't figure out why I can't pass traffic. When I assign a public IP (that I own) without assigning it to an adapter, it fails with an alert message that no NAT addresses are available. When I assign the NAT address to the outside interface, I get no interesting traffic to open the tunnel. Can anyone help me figure out how to get this done?

I have created the NAT rule above and below the tunnel network rule, but neither works. If I do not try to NAT, the tunnel establishes Phase 1 but will not go any further due to the non-public IP being used.

On what adapter do I assign the public IP in order to use it for NATing to the tunnel?

Bob

NAT on a Site-to-Site VPN with IPsec

Hi all, I have to set up a site-to-site VPN with IPsec with our customer.

The infrastructure is like this:

Internal Network ---> TMG 2010 Std ---> NAT Router Cisco ---> Internet ---> Customer VPN GW

I configured the connection on TMG in the same way as this article:
After reading this article I have a doubt: the external interface on TMG has an IP like 192.168.200.2, and our public IP is 213.156.x.y.
Which of the two IPs do I have to specify as "Local VPN Gateway IP address": 192.168.200.2, assigned to my external NIC, or 213.156.x.y?

Other question: at the end of the configuration wizard, I can see the new VPN connection and a new network rule with a Route relationship. The customer's technician is asking us to hide our internal hosts by NAT. Do I have to modify the network rule, changing it from a Route to a NAT relationship? Or do I have to create another network rule?

Thanks in advance!!!


Event 701

Hi,

I am using Forefront TMG 2010 on a virtual machine (VMware, Server 2008 R2) with 2 GB of RAM.

Every night around 00:35 there is an event 701 in the Windows application log saying: There is insufficient memory in resource pool 'internal' to run this query.

I have googled this and there seem to be different ways to get rid of it. Some say the server memory in SQL should be limited, some say that the physical memory should be increased, and some say that it does not help to increase memory since SQL will use all available memory for cache anyway.

No other errors are reported in Forefront. Is this really an error, since everything seems to work fine?

Any suggestions how to solve this in the correct way?

Block HTTPS Site on TMG 2010

Currently we block a number of HTTP sites and this works fine.

Example

Action = Deny

Protocols = HTTP and HTTPS

From = Internal

To = Block group name

Users = all users

I'm trying to block some HTTPS sites (let's say Facebook, as that is one I need to block). I have tried a domain set with *.facebook.com and facebook.com in it, but it won't block; it keeps being allowed. I have added the domain name set to the same rule as my normal URL set block (is this an issue?). Any ideas?

Thanks

IPSec access with Exchange and TMG

Hi

We are attempting to secure Outlook Anywhere access via TMG (2010) and IPsec for external users of Exchange 2010. I have set up the TMG rule and listener via instructions from MS (using KDC; the listener uses HTTP Integrated authentication). This has been tested and works fine.

IPsec has been set up to require authentication using our internal CA between "Any IP Address" and the external IP that TMG listens on. This has also been tested, and I can verify that an SA is created between the two systems.

The problem is that they don't seem to work together. I can establish an OA connection successfully without the IPsec connection rule enabled on both systems (TMG and external client). As soon as I enable the rule on both systems, the OA connection becomes disconnected. When I check under Main Mode in Security Associations on each system, I see the SA established.

Any ideas why OA gets dropped?

Thanks

Can I have multiple listeners on the same IP using the same certificate

I have TMG and OWA setup in the following way:

SSL traffic from the web to https://mail.wingtips.com --> hardware firewall --> TMG + Exchange Edge in DMZ --> internal Exchange server

This configuration is working with an SSL listener and an OWA publishing rule on my DMZ TMG\Exchange server. What I want to do is have the ability to publish a maintenance page for our monthly patching cycle while Exchange is down.

I've created an internal website with a default maintenance page and used my Exchange SSL certificate for the binding. I was then planning on doing the following:

  • Create a hosts file entry on the TMG + Exchange DMZ server to point mail.wingtips.com to InternalMaintenanceSite
  • Create a new web listener without any authentication, using the same external IP on my TMG server and the same Exchange certificate as the current listener
  • Create a web site publishing rule on my TMG DMZ server publishing the internal maintenance site and using the newly created listener which has no authentication

I'm aiming to simply disable the current OWA publishing rule as and when needed, then simply enable the maintenance rule.

What I'm not sure about is whether having 2 listeners on the same IP, using the same certificate and listening for the same traffic simultaneously, would be problematic (bear in mind the live and maintenance publishing rules will never be active at the same time).

Please advise

Thanks

Block upload, login, register and submit settings on HTTPS websites

I have set up TMG 2010. It's working very nicely. I have configured TMG in such a way that users can surf but can't upload, or even log in or register, on any HTTP website. I have to do the same thing for HTTPS websites.

I have done the HTTP filter settings below to block uploads in HTTP:

Block Uploads

request headers

Content-Type:

multipart/form-data

The above settings will not work with HTTPS traffic. Am I missing something that needs to be done?


Akshay Pate Server Administrator
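An added example for the two HTTPS questions above, "Problem with HTTPS blocking" (deny with redirect to a block page) and this post (an HTTP filter signature on the Content-Type request header); it is illustration code, not code from either post or from TMG. It replays both rules against constructed requests. For HTTPS that is only tunneled (no outbound HTTPS inspection), a forward proxy sees nothing but the CONNECT line with host:port: the header signature has nothing to match, and a denial can only close the tunnel, so the browser reports a connection error instead of rendering the redirect. The domain set, block page URL and sample requests are constructed.

```python
"""What a forward proxy can match on plaintext HTTP versus a CONNECT tunnel.

Added example, not from the original posts or from the TMG product. The
domain set, block page and requests are constructed samples. With HTTPS
inspection enabled the proxy terminates TLS and the decrypted inner request
is evaluated like plaintext (pass it to evaluate() on its own).
"""

BLOCK_PAGE = "http://block/socialmedia.html"
BLOCKED_DOMAIN_SET = ["facebook.com", "*.facebook.com"]
UPLOAD_SIGNATURES = {"content-type": ["multipart/form-data"]}


def parse_request(raw: bytes):
    """Split an HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def host_of(method: str, target: str, headers: dict) -> str:
    """The only name a proxy has for a CONNECT is the authority in the request line."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    if "://" in target:   # absolute-form target, as sent to a proxy
        return target.split("://", 1)[1].split("/", 1)[0].rsplit(":", 1)[0].lower()
    return headers.get("host", "").rsplit(":", 1)[0].lower()


def in_domain_set(host: str, patterns) -> bool:
    """Domain-set semantics: exact names, or '*.example' matching any subdomain."""
    for p in patterns:
        if p.startswith("*."):
            if host.endswith(p[1:]):     # "*.facebook.com" matches "m.facebook.com", not "notfacebook.com"
                return True
        elif host == p:
            return True
    return False


def header_signature_hit(headers: dict, signatures: dict):
    """Substring match, so 'multipart/form-data; boundary=...' still triggers."""
    for name, needles in signatures.items():
        value = headers.get(name, "").lower()
        for needle in needles:
            if needle in value:
                return f"{name}: {needle}"
    return None


def evaluate(raw: bytes, https_inspection: bool = False) -> dict:
    method, target, headers, _body = parse_request(raw)
    host = host_of(method, target, headers)
    if method == "CONNECT":
        if https_inspection:
            return {"action": "inspect", "redirect": None,
                    "reason": "tunnel is terminated; evaluate the decrypted inner request"}
        if in_domain_set(host, BLOCKED_DOMAIN_SET):
            return {"action": "deny", "redirect": None,
                    "reason": "destination in domain set; tunnel closed, a redirect cannot be delivered inside TLS"}
        return {"action": "allow", "redirect": None,
                "reason": "opaque tunnel: request headers are not visible, upload signature cannot fire"}
    if in_domain_set(host, BLOCKED_DOMAIN_SET):
        return {"action": "deny", "redirect": BLOCK_PAGE, "reason": "destination in domain set"}
    hit = header_signature_hit(headers, UPLOAD_SIGNATURES)
    if hit:
        # The HTTP filter answers with its own error page rather than the rule's redirect.
        return {"action": "deny", "redirect": None, "reason": f"HTTP filter signature matched ({hit})"}
    return {"action": "allow", "redirect": None, "reason": "no rule matched"}


if __name__ == "__main__":
    samples = [  # constructed requests
        b"POST http://files.example.test/upload HTTP/1.1\r\nHost: files.example.test\r\n"
        b"Content-Type: multipart/form-data; boundary=----x\r\nContent-Length: 0\r\n\r\n",
        b"GET http://www.facebook.com/ HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
        b"CONNECT www.facebook.com:443 HTTP/1.1\r\nHost: www.facebook.com:443\r\n\r\n",
        b"CONNECT files.example.test:443 HTTP/1.1\r\nHost: files.example.test:443\r\n\r\n",
    ]
    for raw in samples:
        print(raw.split(b"\r\n", 1)[0].decode(), "->", evaluate(raw))
```

The fourth sample is the upload case: the same multipart POST that the HTTP filter blocks over HTTP is invisible once it is inside the tunnel, so the only way to apply header-based signatures to HTTPS is to terminate TLS at the proxy (outbound HTTPS inspection with a CA the clients trust) and then evaluate the inner request.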
