Autodiscover and TMG 2010

Hi guys.
Having an issue getting Autodiscover working with Exchange 2013 and TMG. Every time a client connects, it constantly prompts for a username and password, even though it's actually resolving the internal servers etc.
Any ideas?

Hi,
To understand more about the issue, I'd like to ask the following questions:
1. Do all your Outlook clients, including internal users and external users, come across the issue? If the issue happens for all users, I recommend you check the Autodiscover and Outlook Anywhere connectivity:
Directly access the URL:
https://autodiscover.domain.com/autodiscover/autodiscover.xml;
Use ExRCA to check OA connectivity:
https://testconnectivity.microsoft.com/
2. How about the result if you cancel the credential without entering the password?
Thanks,
Angela Shi
TechNet Community Support

Similar Messages

  • Domain functional level 2003 -- 2008 and TMG 2010 (sp2 rollup 2)

    Hi,
    We want to raise our domain and forest functional level from 2003 to 2008. All DC's have been on 2008 or 2008R2 for about two years.
    I cannot find if there is any impact on TMG 2010 sp2 rollup 2. Does anyone know if this will bring any issues?
    Thanks!

    No impact. From a TMG perspective, go ahead.
    Hth, Anders Janson Enfo Zipper

  • Hyper-V 2012 and TMG 2010/NLB

    Hi there,
    I have an issue with TMG 2010 on Hyper-V 2012 - the Setup:
    - Windows 2012 Hyper-V
    - TMG 2010 SP2 Rollup 4 running on W2K8 R2
    TMG 2010 (Array Node1) Network
    Internal Interface: 10.0.0.10/24 (Route to 192.168.11.0/24 over 10.0.0.1)
    IntraArray: 192.168.10.10/24
    Perimeter: 10.0.60.10/24 GW 10.0.60.100
    TMG 2010 (Array Node2) Network
    Internal Interface: 10.0.0.11/24 (Route to 192.168.11.0/24 over 10.0.0.1)
    IntraArray: 192.168.10.11/24
    Perimeter: 10.0.60.11/24 GW 10.0.60.100
    Domain Controllers:
    192.168.11.10
    192.168.11.11
    The NICs of the TMG VMs are configured with the correct VLANs and on the Perimeter Interface as well as on the Internal Interface I activate MAC Address Spoofing.
    Once I activate NLB on the Perimeter Interface all works fine. But NLB on the internal Interface does not work - I see that NLB got configured on Array Node 1 but the second one does not get the config nor is able to sync its configuration with Array Node 1. Also the servers are not able to communicate with the Domain Controllers anymore. Once I deactivate MAC Address Spoofing on the internal Interface and remove NLB the servers are able to speak to the Domain Controllers...
    Any suggestions?

    Hi,
    Can I just confirm you are using TMG console to enable NLB?
    Also did you set this reg key on both your TMG servers? You need to make sure MAC Spoofing is enabled too.
    HKLM\System\CurrentControlSet\Services\TCPIP\Parameters
    IPEnableRouter RegDword 1
    After enabling the key you may need to reboot both nodes.
    Regards,
    Denis Cooper
    MCITP EA - MCT
    Help keep the forums tidy, if this has helped please mark it as an answer
    Blog: http://www.windows-support.co.uk 

  • Exchange 2010 URL and TMG 2010

    Hi All,
    Would like to know whether I can publish my Exchange OWA through TMG 2010 with the same URL internally and externally (example: mail.contoso.com) and using a single NIC?

    Hi
    With a single NIC deployment, you will only be able to use the web publishing feature of TMG for Exchange. This means being able to publish OWA, Outlook Anywhere and ActiveSync.
    Same URL for Internal and Public Internet
    100% you can have the same URL for both, and below are the DNS changes you may need to do.
    You need to create a Split Brain DNS
    Create a new Primary DNS Zone with the same name as your public domain
    Add an A record and point that to the internal IP address of the Exchange server OWA
    On the Public Internet add an A record pointing to the public IP address which is used for web publishing
    TMG - Link
    http://technet.microsoft.com/en-us/library/ee796231.aspx 
    Other Post -
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/c38035f8-b975-4c58-99b2-952f3de9db74/configuring-splitbrain-dns

  • Autodiscover and Outlook 2010 Client Issue

    Hello
    We are running an Exchange 2010 SP1 and our Outlook 2010 clients are not able to connect to users' mailboxes. When we open Outlook 2010 client, we keep on getting a pop-up requesting to enter credentials. The same credentials work on OWA but don't seem to get accepted by Outlook 2010 client.
    Any ideas?

    Hi,
    1. What happens when you insert the credentials? Will they get accepted?
    2. What are the results of the test email configuration? Does it succeed? On this step we need to concentrate on the two options (i.e. results and tabs).
    3. Get-ClientAccessServer -Identity "cas server name" | fl *uri*
    Please share the output of the above-mentioned command with me.
    4. The name used on the internal autodiscover URI needs to be available on the SAN certificate.
    5. Please disable the Internet Explorer proxy exceptions, restart the Outlook client and check the results.
    6. Are the affected Outlook users connecting to Exchange from the LAN or from the internet? If it is from the internet, please check that the authentication set for Outlook Anywhere is NTLM to avoid the password prompts.
    7. Are the Outlook client connections going through an LB or directly to the Exchange 2010 CAS servers?
    Thanks & Regards S.Nithyanandham

  • Exchange 2013 with TMG 2010 and Go Daddy

    Hi all,
    Actually I'm new to Exchange Server 2013 and I need some help:
    Recently I installed Exchange 2013 in our domain, which contains TMG 2010.
    What I need is to send emails out.
    Currently I can send emails internally.
    I have a static IP and TMG and a registered domain at Go Daddy.
    Could someone help me with the steps for what to do?
    In TMG?
    In Exchange administration?
    In Go Daddy? What records are needed and how?
    And should I do any configuration in my DNS?
    Please, I'm stuck on this.
    Thanks

    Sorry, my fault. Try these links:
    http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx
    http://www.isaserver.org/articles-tutorials/configuration-general/publishing-exchange-2013-outlook-web-app-forefront-threat-management-gateway-tmg-2010.html
    CRM Advisor

  • Lync 2010 Edge and TMG

    I have an issue where a large group of users (about 2k) have been 'migrated' into my environment without first migrating their accounts in AD. Basically, accounts were created internally and they are just connecting to my Lync 2010 and Exchange 2010 environment through the internet.
    Problem is, when they leave their current network, they hit my TMG 2010 servers from a single IP address. This triggered TMG's Flood Mitigation settings and their IP was blocked. I fixed this by creating an exception for their IP address and bumping up the number of allowed TCP and HTTP connections per minute.
    Now, we are still having issues with users that attempt desktop and application sharing. Their sessions close sporadically.
    My primary question is, has anyone ever attempted this type of solution before, allowing thousands of users external access from a single IP address through TMG and Lync Edge? If so, is it supported and what type of issues might I need to look for? Does the Edge role also have restrictions on how many connections can be made by a single IP address from the internet?

    Hi Ray,
    I'm pretty sure TMG is generally not the external endpoint publishing the AV/Sharing capabilities unless it is drastically different in your environment (or if TMG is your outer most firewall)
    Usual setup for reverse proxy is :
    Firewall1 (outer most) <---> DMZ <----> Firewall2 (TMG?) ---> Corp
    Firewall 2 publishes web services.
    Edge usually looks like:
    Firewall1 (outer most) <---> DMZ <----> Edge Access/AV/WebConf ---> Corp
    Can you confirm if TMG is your outer-most firewall? If it is then check if your edge has one or multiple IPs. Then check the publishing for those IPs and make sure they adhere to the exception you created. In addition, check the Firewall on the edge server itself.
    If TMG is not your outer-most firewall (if Firewall1 is some other device) then please check the intrusion protection on the Firewall1 device and allow for exception in there as well.
    Hope this helps.
    Cheers,
    Max

  • Supporting of Broadcast and Multicast in TMG 2010 !

    I have installed TMG 2010 SP2 on Windows 2008 R2.
    So, as I read, TMG blocks both broadcast and multicast.
    And such a built-in, one-way-only default behaviour is not right.
    I want to define on my own (as user/admin) whether it is necessary to me or not, so there has to be the ability to switch such an option on/off, for example as checkboxes for each network (address range) defined by default/user - one for broadcast and one for multicast.
    So, please add such functionality to the kernel mode driver and to the service in the next nearest SP or rollup.
    And/or tell how it is possible to switch it on in TMG 2010 SP2 and later.
    There are some important services relying on broadcast: NetBIOS, DHCP, some Aladdin hardkey protection, some special software.
    If somebody among the MS technicians will send a registry parameter for this or a specially designed driver, it will all be under my responsibility only.

    I didn't find a Threat Management Gateway topic at https://connect.microsoft.com/directory
    Please open such a topic at https://connect.microsoft.com/directory.
    I will post the suggestion or you can do so on your own.
    I see this as follows: the next rollup adds two checkboxes and also two array input fields for each rule: a multicast traffic checkbox with an array where some (one or more) IP addresses can be put, and a broadcast traffic checkbox also with an array input (for example 192.168.0.255 and 255.255.255.255 - both IP, not mask).
    For example, I want to allow out/in (from LocalHost/to LocalHost) broadcast for the NetBIOS services on ports 137 and 138, but drop out/in DHCP broadcast and allow out only
    Sentinel HASP License Manager uses port 1947 broadcast. Of course, this example is for/from the internal net only.
    So the admins/users of TMG alone may define on their own or decide whether it is necessary at all and what rule/rules is/are necessary for it.
    A warning message can appear if the admin sets the multicast and/or broadcast checkbox for an external net (different from LAN and localhost), but if it is necessary the admin can continue anyway.
    Or maybe make global settings (also 2 checkboxes and 2 array input controls), but if set to on, multicast/broadcast will be allowed if an appropriate allowing rule (for example for NetBIOS) exists; if a drop DHCP rule exists in addition to the NetBIOS allowing rule, multicast/broadcast will be allowed for NetBIOS and will not be dropped for DHCP.
    And some changes are necessary in the kernel mode driver, as I suppose.
    I can become a first tester. :))))))))
    P. S.: At the moment even outgoing traffic with sender IP of LocalHost (for example 192.168.0.100) and destination IP of broadcast (192.168.0.255) is blocked also.

  • Error the service FWSRV of TMG 2010 on Windows server 2008 R2 Enterprise

    Please help me with an issue with TMG 2010:
    My company installed TMG 2010 on Windows Server 2008 R2 Enterprise but this error happens: " Due to an unexpected error, the service fwsrv stopped responding to all requests. Stop the service or the corresponding process if it does not respond, and then start it again. Check for related error messages."
    and " The Firewall service stopped because an application filter module C:\Windows\SYSTEM32\ntdll.dll generated an exception code C0000005 in address 0000000077A72F86 when function CompleteAsyncIO was called. To resolve this error, remove recently installed application filters and restart the service."
    I have reinstalled but the error appears again. My company has about 2000 clients accessing through TMG 2010.
    I have tried updating Windows and TMG to the latest but could not solve this issue.
    I hope everyone can help me as soon as possible. Thank you so much.

     
    Hi Luis,
    Not sure whether this will fix your issues, however give it a try and let us know so that others can also provide suggestions.
    Disable:
    - Antivirus
    - Monitoring tools / hardware diagnostics tools which come with the server vendor
    Try -
    http://support.microsoft.com/kb/2649961
    http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=2649961&kbln=en-us
    Ensure you have enough space for the log to be stored

  • Problem with blocking upload file TMG 2010

    I'm using TMG 2010. I have 3 rules:
    1/ Allow Internet Access:
    protocols: dns, http, https
    from: localhost, internal to: External
    2/ Allow Protocols:
    protocols: all traffics
    from: localhost, internal to: localhost, internal
    3/ Default Rule: Block all.
    The problem is: I want to block file uploads from internal to external, so I've made an HTTP filter in Allow Internet Access like this: Config HTTP --> Signature: Search in: Request Header
    Http header: Content-Type:
    Signature: mutipart/form-data
    Methods: Block method POST
    Unfortunately, it doesn't work and I don't know why. If I create a rule to block web, it works. Please help me. Thanks!

    Hi,
    You could check the following blog to see whether you missed anything.
    How to block Attachment Uploads using Microsoft TMG
    http://www.kuwaitgeekz.com/?p=2248
    (Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.)
    Best Regards,
    Joyce

  • Forefront TMG 2010 Error from management console

    Hi,
    I am having a problem connecting to a TMG 2010 array from an installation of the TMG management console; we are receiving the error 'Refresh Failed' 'Error 0x80070057' ' The Parameter is incorrect'.
    The only article I can find on this error is this http://support.microsoft.com/kb/2591719 which doesn't seem to apply to our setup or this problem, but I have applied Service Pack 2 anyway and still get the same error. The only other thing I can find is a few people saying the management console needs to be at the same version as the TMG servers you are trying to connect to, but I cannot see how this can be done, as when I try to run the service pack on the machine with only the management console I get an error as the full installation is not there.

    Hi,
    Firstly, have you found any related information in the event logs?
    Next, you can check the version of the TMG server from the TMG help menu, TMG system node or using Control Panel. For more detailed information, please refer to the link below:
    How to Determine Which Version of TMG Server 2010 Is Installed
    In addition, what hotfix rollup or Service Pack have you installed? Please refer to the recommended order below:
    Forefront TMG 2010 Service Pack, Rollup, and Version Number Reference
    Best regards,
    Susie

  • How to add HTTP Header Response X-Frame-Options:SAMEORIGIN from OWA published via Forefront TMG 2010 to stop Clickjacking

    How to add HTTP Header Response X-Frame-Options:SAMEORIGIN from OWA published via Forefront TMG 2010 to stop Clickjacking. I have put the IIS setting X-Frame-Options:SAMEORIGIN on my Internal CAS Server. However as the OWA page is published through Forefront TMG 2010, the iFrame tag is not blocked when the page is first opened. Only when you login with your credentials to the OWA page inside the frame and the page reaches IIS on the Internal CAS it gets blocked. I want to block it in the first instance when it is opened from TMG.

    Hi,
    Thank you for the post.
    To modify the http header, please refer to this blog:
    http://tmgblog.richardhicks.com/2009/03/27/using-the-isa-http-filter-to-modify-via-headers-and-prevent-information-disclosure/
    Regards,
    Nick Gu - MSFT
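
A check for the gap described in this thread, as an added example that is not part of the original posts: it rates the anti-framing headers of each response in a publishing chain, so a login form generated by the proxy without X-Frame-Options stands out even though the back-end IIS sets it. The sample responses, labels and function names are constructed for illustration.

```python
# Added example: rate anti-framing headers for each hop of a published site.
# The sample responses at the bottom are constructed, not captured traffic.

def parse_headers(raw):
    """Map lowercased header names to lists of values from a raw response head."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_verdicts(csp_values):
    """One verdict per enforced policy that carries a frame-ancestors directive."""
    verdicts = []
    for header in csp_values:
        for policy in header.split(","):  # a comma separates policies
            for directive in policy.split(";"):
                parts = directive.split()
                if not parts or parts[0].lower() != "frame-ancestors":
                    continue
                sources = [p.lower() for p in parts[1:]]
                if "*" in sources:
                    verdicts.append("unprotected")
                elif all(s in ("'none'", "'self'") for s in sources):
                    verdicts.append("protected")  # an empty list acts like 'none'
                else:
                    verdicts.append("review")  # other origins may frame the page
                break  # only the first frame-ancestors in a policy counts
    return verdicts


def xfo_verdict(xfo_values):
    """Rate X-Frame-Options, merging repeated headers and comma-joined values."""
    tokens = {t.strip().upper() for v in xfo_values for t in v.split(",") if t.strip()}
    if not tokens:
        return "unprotected"
    if tokens == {"DENY"} or tokens == {"SAMEORIGIN"}:
        return "protected"
    return "review"  # ALLOW-FROM (obsolete), unknown or conflicting values


def framing_verdict(raw):
    """Return 'protected', 'review' or 'unprotected' for one raw response head."""
    headers = parse_headers(raw)
    # Report-Only policies are not enforced, so only the enforcing header is read.
    csp = csp_verdicts(headers.get("content-security-policy", []))
    # Every enforced policy must permit the embedding, so the strictest one wins.
    for verdict in ("protected", "review", "unprotected"):
        if verdict in csp:
            return verdict
    return xfo_verdict(headers.get("x-frame-options", []))


def unprotected_hops(chain):
    """Labels of the responses that a browser would still allow to be framed."""
    return [label for label, raw in chain if framing_verdict(raw) != "protected"]


SAMPLE_CHAIN = [  # constructed: header set in IIS only, as in the question
    ("login form generated by the reverse proxy",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCache-Control: no-cache\r\n\r\n"),
    ("OWA page served by IIS on the CAS",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"),
]

if __name__ == "__main__":
    for label, raw in SAMPLE_CHAIN:
        print(f"{framing_verdict(raw):12} {label}")
```

Run it against the response heads saved from the first unauthenticated request and from an authenticated OWA request; any hop it lists still needs the header added at the device that generates that page.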

  • TMG 2010 publishing Exchange 2010 OWA cannot change password if user must change password at first logon is set

    Hi,
    I have an odd issue whereby if I set "user must change password" on an AD account, the end user cannot log on; they're simply taken back to the OWA login page as if their password is incorrect.
    My setup is as follows:
    outer TMG -- uses a listener for email.contoso.com and is configured for no authentication. This uses a publishing rule to publish the inner TMG server. This server is not a domain member.
    inner TMG - uses a listener for email.contoso.com and is configured for NTLM\Kerberos negotiation with forms authentication (Windows Active Directory). This server is a domain member and uses a publishing rule to publish the internal CAS. Allow users to change password is selected in the publishing rules.
    Exchange 2010 SP1 - uses integrated Windows and basic authentication. Has the appropriate registry key configured to allow users to change their AD password on first logon.
    I've registered an SPN for "http/email.contoso.com mailserver-dc1", all SSL certificates being used are valid and my configuration used to allow users to log in and change their password with "user must change password on first login" set in AD.
    If I launch a web browser on an internal server and point it to email.contoso.com I'm immediately presented with a generic Windows authentication request (similar to what's seen in ADFS) rather than the standard OWA page. No matter what I do, I cannot log in and change my password using the correct URL. However if I point my browser at http://192.168.4.10/owa I'm prompted to log in and I can change my password using the same credentials.
    The only recent changes made are:
    - Disabling SSL 3.0 and enabling TLS  (http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html)
    - Replacing the TMG listener certificates so that they now use SHA2 rather than SHA2 (certificates are trusted on each TMG server)
    Looking on the outer TMG and the DC logs I can see schannel errors which I believe are related to the problem. TMG monitoring also shows "Failed connection attempt: 1907 The user'spassword must be changed before logging on for the first time"
    I've checked that my inner TMG and DC are using the same certificate for server authentication and gone through this guide:
    http://blogs.technet.com/b/keithab/archive/2012/02/29/setting-up-and-troubleshooting-ldaps-authentication-in-forefront-tmg-2010.aspx
    If I try to use ldp.exe on the inner TMG, I get the error in the pic below
    Thanks
    IT Support/Everything

    Hi,
    You could try to analyze the TMG tracing and try the troubleshoot steps in the blog below.
    TMG 2010 – FBA, troubleshooting the change password feature 
    http://blogs.technet.com/b/isablog/archive/2012/05/07/tmg-2010-fba-troubleshooting-the-change-password-feature.aspx
    Best Regards,
    Joyce

  • Exchange 2010/2013 coexistence published in TMG 2010

    Environment:
    Two Windows 2008 R2, Exchange 2010 SP3 servers, currently holding all mailboxes
    Two Windows 2012 R2, Exchange 2013 SP1 servers, setup in progress
    Two Windows 2008 R2, TMG 2010, V7.0.9193.540 publishing both Exchange 2010 servers.
    Scenario:
    I need to continue having Exchange 2010 set up in TMG as is, as the mailbox migration to 2013 will take weeks if not months and I have a project requirement to have Exchange Database Availability Group (DAG) functionality for all mailboxes throughout the project, so 4 servers are an absolute must. So I need to add Exchange 2013 in TMG and not just replace the 2010 setup with the 2013 setup, and I cannot run one 2010 and one 2013 server.
    Questions:
    1. I currently only have 2 public IP addresses available to SMTP, mapped to the external interfaces of TMG. To allow my environment to be able to receive emails on 4 Exchange servers (two 2010 and two 2013) I need to have 4 public IP addresses, is that correct?
    2. Does anyone have a good general guide/blog for doing this (setting up Exchange 2013 in TMG in a coexistence scenario)?
    This is nice, but doesn't really approach it from a coexistence scenario:
    http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx
    Thanks!

    Hi Trana,
    In TMG you can use a single IP address to publish multiple web addresses, and below are the options which you can explore.
    Hope your OWA, ECP etc. are HTTPS
    You need an SSL certificate which has all the URL SAN entries of both the old and new Exchange servers.
    Create a listener and select the IP address (say public IP address 195.219.x.x)
    Link the SSL certificate
    Public DNS entry
    A record, single IP:
    - 195.219.x.x  Point to  Owa1.exchange1.com - Old Server
    - 195.219.x.x  Point to  ECP1.exchange1.com - Old Server
    - 195.219.x.x  Point to  ECP2.exchange2.com - New Server
    - 195.219.x.x  Point to  Owa2.exchange2.com - New Server
    Create a Web publishing rule as below
    Old server Exchange 1
    - Owa1.exchange1.com
    - ECP1.exchange1.com
    One Web publishing Rule with all the URLs added on it, and link the Rule with the listener we created
    Point the Web publishing to the Exchange1.com server, which is old
    New server Exchange 2
    - ECP2.exchange2.com
    - Owa2.exchange2.com
    Web publishing Rule with all the URLs added on it, and link the Rule with the listener we created
    Point the Web publishing to the Exchange2.com server, which is new

  • Login error when publishing OWA 2010 through TMG 2010

    Its configuration publish OWA 2010 with TMG 2010 but when logged through the internet must enter the correct net name: domain.com\administrator and password to login.
    administrator login name or login [email protected] not login. And all the other mailbox account not login.
    This is a picture of my configuration. You do know how to fix it help me okay. Thanks.

    Hi Xuan,
    It depends on your selected authentication method.
    I recommend you refer to the following article, it will give you some hints:
    http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/enabling-forms-based-authentication-external-internal-owa-2010-users-exchange-2010-published-using-forefront-tmg-2010-part2.html
    Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information. And the changes made in the above blog are not supported officially by Microsoft.
    Best regards,
    Niko Cheng
    TechNet Community Support
