Forefront TMG to SRP527w

I am trying to set up an IPsec site-to-site VPN between MS Forefront TMG 2010 and a Cisco SRP527W router.
I am running the latest firmware on the router.
I cannot get the two to connect. I have matched the settings on the SRP527W as closely as possible to those in Forefront.
I can't see any logs to indicate why this is not working, but may need to turn on more logging in Forefront.
Does anyone have any ideas?
Below are the Settings From Forefront TMG:
Local Tunnel Endpoint: External IP Router
Remote Tunnel Endpoint: External IP TMG
IKE Phase I Parameters:
    Mode: Main mode
    Encryption: 3DES
    Integrity: SHA1
    Diffie-Hellman group: Group 2 (1024 bit)
    Authentication Method: Pre-shared secret (ThisIsAPreSharedKey2012)
    Security Association Lifetime: 86400 seconds
IKE Phase II Parameters:
    Mode: ESP tunnel mode
    Encryption: 3DES
    Integrity: SHA1
    Perfect Forward Secrecy: OFF
    Diffie-Hellman group: Group 2 (1024 bit)
    Time Rekeying: ON
    Security Association Lifetime: 28800 seconds
    Kbyte Rekeying: ON
    Rekey After Sending: 4608000 Kbytes
Site-to-Site Network IP Subnets:
    Subnet: 10.10.10.0/255.255.255.0

Hi Wayne,
Can I assume from your TMG settings above that this is installed behind a NAT gateway?  If so, ensure that you enable NAT-T on the SRP and configure the IKE policy "Remote ID" with the private address of the TMG.
Hope that helps,
Andy
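
The settings comparison and the NAT-T / Remote ID check discussed in this thread, as an added example that is not part of the original posts. The TMG proposal values are copied from the question; the SRP527W values, all IP addresses, and the field names are constructed for illustration.

```python
"""Added example: diff the IKE/IPsec settings of two site-to-site VPN peers."""

# Fields both peers must configure identically for IKEv1 to negotiate.
EXACT = {
    "phase1": ("mode", "encryption", "integrity", "dh_group", "auth"),
    "phase2": ("mode", "encryption", "integrity", "pfs"),
}
# Lifetime handling is vendor-dependent, so differences are only warnings.
SOFT = {"phase1": ("lifetime_s",), "phase2": ("lifetime_s", "lifetime_kb")}

# TMG side: proposal values copied from the post; addresses are constructed.
TMG = {
    "phase1": {"mode": "main", "encryption": "3des", "integrity": "sha1",
               "dh_group": 2, "auth": "psk", "lifetime_s": 86400},
    "phase2": {"mode": "esp-tunnel", "encryption": "3des", "integrity": "sha1",
               "pfs": False, "pfs_group": 2,
               "lifetime_s": 28800, "lifetime_kb": 4608000},
    "behind_nat": True,             # the assumption raised in the reply
    "nat_t": True,
    "ike_identity": "192.168.1.2",  # constructed private address of the TMG
}

# SRP527W side: constructed values, NOT taken from the post.
SRP = {
    "phase1": {"mode": "main", "encryption": "3des", "integrity": "sha1",
               "dh_group": 2, "auth": "psk", "lifetime_s": 28800},
    "phase2": {"mode": "esp-tunnel", "encryption": "3des", "integrity": "sha1",
               "pfs": True, "pfs_group": 2,
               "lifetime_s": 3600, "lifetime_kb": None},
    "nat_t": False,
    "expected_remote_id": "198.51.100.10",  # constructed public address
}


def compare_proposals(a, b):
    """Return (severity, phase, field, value_a, value_b) for every difference."""
    findings = []
    for phase in ("phase1", "phase2"):
        for severity, fields in (("BLOCKING", EXACT[phase]), ("WARN", SOFT[phase])):
            for field in fields:
                if a[phase][field] != b[phase][field]:
                    findings.append(
                        (severity, phase, field, a[phase][field], b[phase][field]))
    # The Phase II DH group is only used when PFS is on, so compare it only then.
    pa, pb = a["phase2"], b["phase2"]
    if pa["pfs"] and pb["pfs"] and pa["pfs_group"] != pb["pfs_group"]:
        findings.append(
            ("BLOCKING", "phase2", "pfs_group", pa["pfs_group"], pb["pfs_group"]))
    return findings


def check_nat_identity(natted, remote):
    """Checks from the reply: NAT-T on, and Remote ID set to the private address.

    Assumes a peer behind NAT identifies itself with its private interface
    address, which is what the advice in the reply implies.
    """
    findings = []
    if not natted["behind_nat"]:
        return findings
    if not (natted["nat_t"] and remote["nat_t"]):
        findings.append(
            ("BLOCKING", "nat", "nat_t", natted["nat_t"], remote["nat_t"]))
    if remote["expected_remote_id"] != natted["ike_identity"]:
        findings.append(("BLOCKING", "nat", "remote_id",
                         natted["ike_identity"], remote["expected_remote_id"]))
    return findings


if __name__ == "__main__":
    for finding in compare_proposals(TMG, SRP) + check_nat_identity(TMG, SRP):
        print("%-8s %-6s %-11s TMG=%r SRP=%r" % finding)
```
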

Similar Messages

  • Forefront TMG 2010 Error from management console

    Hi,
    I am having a problem connecting to a TMG 2010 array from an installation of the TMG management console; we are receiving the error 'Refresh Failed' 'Error 0x80070057' 'The Parameter is incorrect'.
    The only article I can find on this error is http://support.microsoft.com/kb/2591719, which doesn't seem to apply to our setup or this problem, but I have applied Service Pack 2 anyway and still get the same error. The only other thing I can find is a few people saying the management console needs to be at the same version as the TMG servers you are trying to connect to, but I cannot see how this can be done, as when I try to run the service pack on the machine with only the management console I get an error as the full installation is not there.

    Hi,
    Firstly, have you found any related information in the event logs?
    Next, you can check the version of the TMG server from the TMG help menu, the TMG system node, or Control Panel. For more detailed information, please refer to the link below:
    How to Determine Which Version of TMG Server 2010 Is Installed
    In addition, what hotfix rollup or Service Pack have you installed? Please refer to the recommended order below:
    Forefront TMG 2010 Service Pack, Rollup, and Version Number Reference
    Best regards,
    Susie

  • How to add HTTP Header Response X-Frame-Options:SAMEORIGIN from OWA published via Forefront TMG 2010 to stop Clickjacking

    How to add HTTP Header Response X-Frame-Options:SAMEORIGIN from OWA published via Forefront TMG 2010 to stop Clickjacking. I have put the IIS setting X-Frame-Options:SAMEORIGIN  on my Internal CAS Server. However as the OWA page is published through
    Forefront TMG 2010, the iFrame tag is not blocked when the page is first opened. Only when you login with your credentials to the OWA page inside the frame and the page reaches IIS on the Internal CAS it gets blocked. I want to block it in the first
    instance when it is opened from TMG.

    Hi,
    Thank you for the post.
    To modify the http header, please refer to this blog:
    http://tmgblog.richardhicks.com/2009/03/27/using-the-isa-http-filter-to-modify-via-headers-and-prevent-information-disclosure/
    Regards,
    Nick Gu - MSFT

  • ForeFront TMG - Web Proxy Authentication

    Hi All! We have a Forefront TMG installed with a single network adapter. We configured it as a web proxy for the domain users. The proxy setting is distributed by GPO. We want to authenticate users so that web filtering is applied correctly (with the Websense ISA plugin).
    The only way to get correct authentication is to set "Require All user to Authenticate" (is that the correct behavior?). If we untick the switch, all users are recognized as "anonymous". And if we have some users that are not in our domain, we want to permit them to browse through the proxy (for example with anonymous authentication).
    Any help?

    On Wed, 9 Apr 2014 17:06:06 +0000, Michele Sandonini wrote:
    Hi All! We have a Forefront TMG installed in single network adapter
    TMG has a dedicated forum:
    https://social.technet.microsoft.com/Forums/forefront/en-US/home?forum=Forefrontedgegeneral
    Paul Adare - FIM CM MVP

  • Forefront TMG disconnected a non-TCP connection

    Hi,
    I am getting the following error alerts in TMG:
    Forefront TMG disconnected a non-TCP connection from 192.168.0.1 because the connection limit for this IP address was exceeded. Larger custom connection limits should be configured for the IP addresses of chained proxy servers and back-to-back Forefront TMG computers with a NAT relationship.
    This error shows two messages for both of my DNS servers.
    My DNS servers Ip addresses
    192.168.0.1
    192.168.0.2
    Please help me out
    Thanks

    Hi,
    How about editing the Maximum non TCP sessions per second per rule setting?
    For more information:
    http://technet.microsoft.com/en-us/library/dd441028.aspx
    Best Regards,
    Joyce

  • Migration from Forefront TMG to Ironport c680

    Hello,
    We're planning to replace Microsoft Forefront TMG with Cisco IronPort C680.
    I am here to get ideas for an easy and smooth migration (changeover).
    I need expert advice to list the tasks before the migration / changeover and the important things to remember.
    Best Regards,
    Juned

    Standard it would be.
    Port 25 SMTP -> Inbound and Outbound for mail delivery
    Port 53 (TCP/UDP) DNS 
    Port 80 HTTP - GUI Access (for internal) and Updates/upgrades to download from internet
    Port 443 HTTPS  - (As above)
    Port 22 SSH - CLI access  (And possible for tunnel)
    Port 23 Telnet - CLI access 
    A long list would be depending on required services:
    | Port | Protocol | In/Out | Hostname | Description |
    |---|---|---|---|---|
    | 20/21 | TCP | In or Out | AsyncOS IPs, FTP Server | FTP for aggregation of log files. |
    | 22 | TCP | In | AsyncOS IPs | SSH access to the CLI, aggregation of log files. |
    | 22 | TCP | Out | SSH Server | SSH aggregation of log files. |
    | 22 | TCP | Out | SCP Server | SCP Push to log server |
    | 23 | Telnet | In | AsyncOS IPs | Telnet access to the CLI, aggregation of log files. |
    | 23 | Telnet | Out | Telnet Server | Telnet upgrades, aggregation of log files (not recommended). |
    | 25 | TCP | Out | Any | SMTP to send email. |
    | 25 | TCP | In | AsyncOS IPs | SMTP to receive bounced email or if injecting email from outside firewall. |
    | 80 | HTTP | In | AsyncOS IPs | HTTP access to the GUI for system monitoring. |
    | 80 | HTTP | Out | downloads.ironport.com | Service updates, except for AsyncOS upgrades and McAfee definitions. |
    | 80 | HTTP | Out | updates.ironport.com | AsyncOS upgrades and McAfee Anti-Virus definitions. |
    | 80 | HTTP | Out | cdn-microupdates.cloudmark.com | Used for updates to third-party spam component in Intelligent MultiScan. Appliance must also connect to CIDR range 208.83.136.0/22 for third-party phone home updates. |
    | 82 | HTTP | In | AsyncOS IPs | Used for viewing the Cisco IronPort Anti-Spam quarantine. |
    | 83 | HTTPS | In | AsyncOS IPs | Used for viewing the Cisco IronPort Anti-Spam quarantine. |
    | 53 | UDP/TCP | In & Out | DNS Servers | DNS if configured to use Internet root servers or other DNS servers outside the firewall. Also for SenderBase queries. |
    | 110 | TCP | Out | POP Server | POP authentication for end users for Cisco IronPort Spam Quarantine |
    | 123 | UDP | In & Out | NTP Server | NTP if time servers are outside firewall. |
    | 143 | TCP | Out | IMAP Server | IMAP authentication for end users for Cisco IronPort Spam Quarantine |
    | 161 | UDP | In | AsyncOS IPs | SNMP Queries |
    | 162 | UDP | Out | Management Station | SNMP Traps |
    | 389 | LDAP | Out | LDAP Servers | LDAP if LDAP directory servers are outside firewall. LDAP authentication for Cisco IronPort Spam Quarantine |
    | 3268 | LDAP | Out | LDAP Servers | LDAP if LDAP directory servers are outside firewall. LDAP authentication for Cisco IronPort Spam Quarantine |
    | 636 | LDAPS | Out | LDAPS | LDAPS ActiveDirectory Global Catalog Server |
    | 3269 | LDAPS | Out | LDAPS | LDAPS ActiveDirectory Global Catalog Server |
    | 443 | TCP | In | AsyncOS IPs | Secure HTTP (https) access to the GUI for system monitoring. |
    | 443 | TCP | Out | res.cisco.com | Cisco Registered Envelope Service |
    | 443 | TCP | Out | updates-static.ironport.com | Verify the latest files for the update server. |
    | 443 | TCP | Out | phonehome.senderbase.org | Receive/Send Outbreak Filters |
    | 514 | UDP/TCP | Out | Syslog Server | Syslog logging |
    | 628 | TCP | In | AsyncOS IPs | QMQP if injecting email from outside firewall. |
    | 2222 | CCS | In & Out | AsyncOS IPs | Cluster Communication Service (for Centralized Management). |
    | 6025 | TCP | Out | AsyncOS IPs | Cisco IronPort Spam Quarantine |
    | 7025 | TCP | Out | AsyncOS IPs | Cisco Policy Virus Outbreak Quarantine. |

  • FOREFRONT TMG 2010 CRITICAL ISSUES

    Dear all,
    I installed and configured the Microsoft Forefront TMG in my company's network. It's been done two weeks ago. Since then, everything is working fine and all intranet computers have worked well.
    This is a two NIC server (LAN and WAN on the same machine) and WINDOWS SERVER 2008 R2 OS.
    When I ran the Microsoft Forefront Best Practise Analyzer Tool, I got these two critical errors:
    FIRST
    "Connection to Update Source Failed"
    This machine has been upgraded normally from the Microsoft Update service; I really do not know the reason for this issue.
    SECOND
    "The primary configuration storage server failed to respond on port 2172"
    This second issue appears twice in the critical errors listed.
    Can you guys help me on that?
    Clemilson Correia IT Specialist

    Hi,
    Thank you for your post
    Port 2172 is used as the SSL control channel for authentication to the LDAP ADAM directory used by the Enterprise Management Service. Since you stated that these are part of a domain, this error is probably benign in that. So, with that said, let’s look at that error and how to troubleshoot it.
    1. Use ADSIEdit.MSC to troubleshoot. 
    2. For “Connection Point”, select the radio button for “Select or type a Distinguished Name or Naming Context:” In the text box, enter (without quotes): “cn=fpc2”.
    3. For Computer, use “Select or type a domain or server: (Server|[:port]) and in the text box enter {name or IP address of the EMS server}:2171.
    4. If the EMS server can be contacted from the array node, then you will see a successful connect and be able to expand out the LDS tree.
    If you are successful in this connection, then there is probably nothing to worry about.  If you cannot, please let me know and we can go about looking at reasons why it is unable to connect.
    http://social.technet.microsoft.com/Forums/forefront/en-US/f165648c-50da-485c-a77c-ac21089e08d4/tmgbpa
    Additionally, you need to check the system requirement for BPA:
    http://www.isaserver.org/articles-tutorials/configuration-general/Microsoft-Forefront-TMG-Best-Practice-Analyzer.html
    Best Regards
    Quan Gu

  • How to Identify the Network Topology being used for a running ForeFront TMG Stand Alone array?

    Hello Experts,
    My client has decided to move their datacenter  from one location to other including the ForeFront TMG servers which are being used as Reverse Proxy and TMG Gateway  in DMZ environment.
    I need to know the network topology used for this configuration so that I could chose the same topology when creating new TMG environment at new datacenter. Here are some details : 
    1. There are 2 TMG servers configured in a DMZ Workgroup in Stand Alone array.
    2. Both servers have 3 NIC attached to them. (one has all public IPs configured, another one has internal IP address and the third one has Management IP which is used to connect the server via RDP).
    3. There are more than 50 websites published via this standalone array.
    I am very new to Forefront TMG technology and need to know the Topology used to create such environment.
    Thanks 
    Lalit

    Hi,
    According to your description, you can use the 3-leg perimeter network template and choose which network adapter connects to the LAN, which network adapter connects to the external  network and which network adapter connects to the DMZ.
    Did you set up TCP/IP settings for the three NICs? If not, please refer to the link below:
    Recommended Network Adapter Configuration for Forefront TMG Enterprise Edition Servers
    More information:
    Microsoft Forefront TMG – How to use TMG network templates (Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.)
    Best regards,
    Susie

  • iPad 2 loses username and password with Microsoft Forefront TMG

    My company uses Microsoft Forefront TMG as a proxy on our Guest wireless access.  We have a guest username and password that changes every few weeks that iPads can use to access the internet at work - we are not allowed into the company network!  Although I can put the guest username and password into the authentication dialog, the username and password are lost after the iPad has been off for several minutes and I have to reenter them.  In the before iOS 5.0 versions I was able to set the wireless to automatically remember the password and to auto-fill the username and password each time.  Now, the username and password that come up were from the pre-iOS 5.0 settings - it doesn't remember the new username and password from the last time that I logged in.  This occurs with any App that attempts to log in after I turn the iPad on.  The same issue comes up with other iPads here as well.  Settings are: Auto-Join and Auto-Login set, HTTP Proxy Off.  IP address received from DHCP.
    Is there any setting that I can use to get around this problem?
    LW

    The Apps worked when I originally got it (several days ago), and I could also log onto the websites.
    Could it be my wireless router? I did notice that when my macbook pro is asleep, and I open it up to awake it, it sometimes disconnects my wifi signal (everything connected to my signal will lose it) for about 20 seconds, and then it will come back to.
    Not sure if that is connected to my problem with logging into websites and apps, but I'll just put that info out there.

  • Forefront TMG detected a possible SYN attack and will protect the network accordingly

    Hi, sometimes the internet does not work for users going through TMG 2010, but internet access from the local host works. I then have to restart the Microsoft Forefront TMG Control service and its related services, after which users can access the internet through TMG again.
    I checked the Event Viewer on the server. It shows the error log below:
    Forefront TMG detected a possible SYN attack and will protect the network accordingly
    What should I do about this?
    Regards, COMDINI

    Hello,
    An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server and not completing the TCP handshake, leaving the TCP connections half-open.
    Please enable logging to identify these hosts and then check whether they are infected by viruses or malware programs.
    Please see the value of the number of Maximum half-open TCP connections in Flood Mitigation settings for more information.
    Once your problem is solved, you have to see "Forefront TMG is no longer experiencing a SYN attack." message.
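
One way to identify the offending hosts from connection logs, as the reply above suggests (an added example, not part of the original posts and not TMG's own log format). The log layout, the `ACK` marker for a completed handshake, the 30-second timeout and the limit of 20 are all assumptions chosen for illustration.

```python
"""Added example: find sources holding many half-open TCP connections."""
from collections import defaultdict


def peak_half_open(lines, timeout=30.0):
    """Return {source_ip: peak number of simultaneous half-open connections}.

    Each line is '<epoch_seconds> <src_ip:port> <dst_ip:port> <event>' where
    event is SYN (handshake started), ACK (handshake completed) or RST.
    A SYN with no ACK or RST within `timeout` seconds is dropped from the
    table, mirroring how a firewall ages out half-open state.
    """
    pending = defaultdict(dict)   # src_ip -> {(src_port, dst): time of SYN}
    peak = defaultdict(int)
    for line in lines:
        stamp, src, dst, event = line.split()
        now = float(stamp)
        src_ip, src_port = src.rsplit(":", 1)
        table = pending[src_ip]
        # Age out entries that never completed.
        for key in [k for k, seen in table.items() if now - seen > timeout]:
            del table[key]
        key = (src_port, dst)
        if event == "SYN":
            table[key] = now
        elif event in ("ACK", "RST"):
            table.pop(key, None)
        peak[src_ip] = max(peak[src_ip], len(table))
    return dict(peak)


def offenders(lines, limit=20, timeout=30.0):
    """Sources whose peak half-open count exceeded `limit` (hypothetical value)."""
    peaks = peak_half_open(lines, timeout)
    return sorted(ip for ip, count in peaks.items() if count > limit)


def build_sample():
    """Constructed log: one normal client and one host that never completes."""
    lines = []
    for i in range(3):    # normal client: every SYN is followed by an ACK
        lines.append(f"{i * 2}.0 10.0.0.5:{50000 + i} 203.0.113.9:443 SYN")
        lines.append(f"{i * 2}.1 10.0.0.5:{50000 + i} 203.0.113.9:443 ACK")
    for i in range(40):   # suspect host: 40 SYNs in 4 seconds, no ACKs
        lines.append(f"{10 + i * 0.1:.1f} 10.0.0.77:{40000 + i} 203.0.113.9:80 SYN")
    return lines


if __name__ == "__main__":
    sample = build_sample()
    for ip, count in sorted(peak_half_open(sample).items()):
        print(f"{ip:12s} peak half-open = {count}")
    print("over limit:", offenders(sample))
```
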

  • How to make Forefront TMG build VPN site-to-site tunnel with reduced subnet

    I am trying to implement a Site-to-Site VPN tunnel with a supplier. We are using Forefront TMG 2010 SP2 (Site A) and they are using Cisco ASA (Site B)
    I have complete access to SITE A, but no access to Site B (suppliers end)
    We have set up the VPN tunnel, but it will only come up if it is initiated from the Site B end. We know this is because there is a mismatch in the expected network size. Site B fits within Site A, but not the other way round.
    The tunnel is set up at Site A with an allowed route of 10.0.2.60/30 and matched with a configuration at the other end. This configuration is If I look at the "Site-to-site" summary on TMG.
    However, my counterpart at site B tells me that when the TMG actually tries to build the tunnel, it is not specifying 10.0.2.60/30 but 10.0.2.0/24.
    I should also mention that the TMG internal IP is 10.0.2.6, that only 10.0.2.61 and 10.0.2.62 should be allowed through the tunnel, and that due to existing VPNs on the supplier site, they cannot increase the size of the network on their side to match the 10.0.2.0/24 range.
    I am at a bit of a loss as to why this is happening. Does anyone have any guidance? I don't really even know what terminology to use to effectively search for an answer.

    Hi,
    Which VPN protocol have you used?
    What network addresses have you configured in the Create Site-to-Site Connection Wizard? Did you mean that the IP range changed on site B after you created the VPN connection? Please make sure that the ranges match the internal ranges at site B.
    In addition, I am quite sure of your IP ranges for both sites, I would appreciate it if you can tell the IP range for TMG server internal network and the site B.
    Besides, you can refer to the link below:
    Test Lab Guide: Demonstrate Site to Site VPN with Threat Management Gateway 2010 (Part 1) (Note: Microsoft is providing this information as a convenience to you. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.)
    Best regards,
    Susie
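
The one-directional behaviour described in this thread, modelled as an added example that is not part of the original posts. It assumes a responder accepts a proposal only when each proposed network is equal to or inside the one it has configured, which is the "Site B fits within Site A, but not the other way round" behaviour the question reports; the supplier network 192.0.2.0/28 is constructed, since the thread does not give it.

```python
"""Added example: which peer can bring the tunnel up, given each side's networks."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    name: str
    local: ipaddress.IPv4Network    # network this peer proposes to protect
    remote: ipaddress.IPv4Network   # network it expects behind the other peer


def net(cidr):
    return ipaddress.ip_network(cidr)


def can_initiate(initiator, responder):
    """Assumed rule: the responder accepts if both proposed networks fit
    inside (or equal) what it has configured for the mirrored direction."""
    return (initiator.local.subnet_of(responder.remote)
            and initiator.remote.subnet_of(responder.local))


def diagnose(a, b):
    """Report for both directions whether the tunnel would come up."""
    return {f"{a.name}->{b.name}": can_initiate(a, b),
            f"{b.name}->{a.name}": can_initiate(b, a)}


def tunnel_hosts(network):
    """Usable host addresses inside a tunnel network."""
    return [str(host) for host in network.hosts()]


def covers(network, address):
    return ipaddress.ip_address(address) in network


SUPPLIER_NET = net("192.0.2.0/28")   # constructed: not given in the thread
INTENDED = net("10.0.2.60/30")       # what Site A configured
PROPOSED = net("10.0.2.0/24")        # what Site B reports TMG actually sends

tmg_observed = Peer("TMG", PROPOSED, SUPPLIER_NET)
tmg_intended = Peer("TMG", INTENDED, SUPPLIER_NET)
asa = Peer("ASA", SUPPLIER_NET, INTENDED)

if __name__ == "__main__":
    print("observed:", diagnose(tmg_observed, asa))
    print("intended:", diagnose(tmg_intended, asa))
    print("hosts in", INTENDED, "=", tunnel_hosts(INTENDED))
    print("TMG internal 10.0.2.6 inside /30:", covers(INTENDED, "10.0.2.6"))
```

With the observed /24 proposal only the ASA-initiated direction succeeds, and the TMG internal address 10.0.2.6 lies in the /24 but outside the intended /30.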

  • Microsoft outlook 2010 not working after installing proxy server and ForeFront TMG firewall

    I am trying to have Outlook 2010 work through a proxy server recently installed on the internal network. I have configured IE to use the proxy settings, but I cannot find the same in Outlook 2010. I want to clarify that we use Outlook 2010 to connect to internet email and we installed the Forefront TMG firewall on the proxy server; as a result of that we changed the IP settings, and after that Outlook stopped sending and receiving mail and gives the error: “receiving reported error (0x800408fc): 'The Server name you entered cannot be found (it might be down temporarily).”
    So please help us by sharing how to fix this issue to make Outlook work through the proxy server.
    Thanks

    Hi,
    Are you using Exchange account? If you are changing your Exchange account to use a proxy server, I suggest we can create new profile and automatically re-configuring your account with autodiscover service to have a try:
    http://support.microsoft.com/kb/829918
    If the account can’t be configured automatically, please manually configure the account and change the settings for the proxy server:
    1. In the Account Settings dialog box, click the Email tab, click to select the Exchange account, and then click Change.
    2. Click More Settings. On the Connections tab, click Exchange Proxy Settings.
    3. In Connection settings, type the proxy server FQDN under Use this URL to connect to my proxy server for Exchange, click OK to have a try, and then click OK to save all settings.
    4. Restart Outlook.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Forefront TMG network policy server and VPN issue.

    Hello every one!
    I have a problem with the configuration of the VPN server on Forefront TMG on Windows Server 2008 R2 with the latest Microsoft updates.
    I installed Forefront TMG on Windows Server 2008 R2 with the latest updates.
    Then I ran the startup wizard, where I set the network configuration and so on.
    Next, I configured the VPN settings: the DHCP pool, DNS servers, access groups for VPN, and PPTP.
    After applying these settings, the RemoteAccess service doesn't start. I tried rebooting the server, but the service still doesn't start.
    But that is not the only problem.
    When I add VPN access groups in Forefront and apply the configuration, I don't see the changes in Network Policy Server (nps.msc). The groups are not added to the policy in Network Policy Server.
    Screenshot
    If I start RemoteAccess manually and add the new VPN access groups to the policy in Network Policy Server, I can use the VPN server and connect to the Forefront server.
    But I don't understand why Forefront TMG can't apply these settings in nps.msc and the services.
    What am I doing wrong?
    I Use Windows Server 2008R2
    Forefront TMG RTM 7.0.7734.100

    Hello! Thank you for your help!
    I see this link
    http://www.isaserver.org/articles-tutorials/configuration-security/Implementing-Secure-Remote-Access-PPTP-Forefront-Threat-Management-Gateway-TMG-2010-Part2.html
    But I don't use RADIUS server in my Forefront TMG VPN configuration.
    I configure client VPN Access via PPTP
    When I configure TMG VPN settings, I set VPN Access groups. After that NPS server change and apply TMG network policy correctly.
    But if I change some TMG firewall policy, and then I  try to add VPN Access groups (screenshot -
    http://i.gyazo.com/34a34ba18a01c58689e5e3cddbc52585.png) NPS server can't change and apply TMG network policy correctly.
    Now I have a two Access groups in TMG VPN settings
    http://i.gyazo.com/34a34ba18a01c58689e5e3cddbc52585.png
    And I have a NPS server network policy with not correctly settings
    http://i.gyazo.com/1dd973ca9cc2a228d54a53d88ca90009.png
    Forefront can't change the NPS server network policy. I don't understand where the problem is.
    I tried reinstalling TMG on a new machine, but the problem persists.

  • Vmware or vbox install: behind Forefront TMG proxy.

    I am using export proxy statements to try to get the proxy to work, but the TMG proxy requires not only address and port but also server name, username and password. I have the TMG proxy set on my PC and it's working.
    After exporting the proxy I get this on the 'pacman -Syy' statement:
    The requested URL returned error: 407 Proxy Authentication Required (Forefront TMG requires authorization to fulfill the request. Access to Web Proxy filter is denied)
    Is there anything I can do to get it to work? How can I set the virtual machine's network interface to use my current proxy settings?

    You got a tricky problem, these links may help to get a better understanding of what needs to be done :
    http://forums.isaserver.org/m_200210352 … ey_/tm.htm
    http://forums.fedoraforum.org/showthread.php?t=281553
    Do you only need internet access from the VM for pacman ?
    If so, a local mirror setup on the host would be  a workaround.
    Edit :
    pacman can use wget as transfer command, and wget can be configured to work with  a proxy.
    check the wiki on wget.
    end of edit
    Getting full internet access for the VM will be much trickier.
    An approach that might work is to configure the VM to use the TMG proxy on your host pc as gateway for the VM.
    The TMG proxy on the host would then take care of the authentication.
    Last edited by Lone_Wolf (2013-03-05 12:02:53)

  • HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )

    17:06:13 Synchronizer Version 14.0.6123
    17:06:13 Synchronizing Mailbox '[email protected]'
    17:06:13 Synchronizing Hierarchy
    17:06:13   4 folder(s) added to online store
    17:06:13   1 folder(s) updated in online store
    17:06:13 Synchronizing local changes in folder 'Inbox'
    17:06:13 Error synchronizing folder
    17:06:13 [80041004-0-0-430]
    17:06:13 Error with Send/Receive.
    17:06:13 There was an error synchronizing your folder hierarchy. Error : 80041004.
    17:06:13 Synchronizing server changes in folder 'Calendar'
    17:06:13 Synchronizing server changes in folder 'Contacts'
    17:06:13 
    17:06:13 
    *Request*       
    17:06:13 17:06:13:0590
    17:06:13 POST
    17:06:13  http://
    17:06:13 contacts.msn.com
    17:06:13 /ABService/ABService.asmx
    17:06:13 
    17:06:13 <ABFindAll xmlns="http://www.msn.com/webservices/AddressBook"> <abId>00000000-0000-0000-0000-000000000000</abId><abView>Full</abView><deltasOnly>false</deltasOnly></ABFindAll>
    17:06:13 
    *Response*  
    17:06:13 17:06:13:0870
    17:06:13 HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  )
    Via: 1.1 TMG
    Proxy-Authenticate: Negotiate
    Proxy-Authenticate: Kerberos
    Proxy-Authenticate: NTLM
    Connection: close
    Proxy-Connection: close
    Pragma: no-cache
    Cache-Control: no-cache
    Content-Type: text/html
    Content-Length: 707
    17:06:13 
    17:06:13 
    17:06:13 
    17:06:13 Error with Send/Receive.
    17:06:13 There was an error synchronizing a contacts folder. Error : 80004005.
    17:06:13 Synchronizing server changes in folder 'Drafts'
    17:06:13 Synchronizing local changes in folder 'Inbox'
    17:06:13 Error synchronizing folder
    17:06:13 [80041004-0-0-430]
    17:06:13 Synchronizing server changes in folder 'Sent Items'
    17:06:13 Synchronizing server changes in folder 'Deleted Items'
    17:06:13 Synchronizing server changes in folder 'Junk E-mail'
    17:06:13 Done
    17:06:13 
    17:06:13 
    *Request*       
    17:06:13 17:06:13:0870
    17:06:13 POST
    17:06:13  http://
    17:06:13 mail.services.live.com
    17:06:13 /DeltaSync_v2.0.0/Settings.aspx
    17:06:13 
    17:06:13 <?xml version="1.0" encoding="utf-8"?><Settings xmlns="HMSETTINGS:"><ServiceSettings><SafetySchemaVersion>1</SafetySchemaVersion><SafetyLevelRules><GetVersion/></SafetyLevelRules><SafetyActions><GetVersion/></SafetyActions><Properties><Get/></Properties></ServiceSettings><AccountSettings><Get><Options/><Properties/></Get></AccountSettings></Settings>
    17:06:13 
    *Response*  
    17:06:13 17:06:13:0870
    17:06:13 HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  )
    Via: 1.1 TMG
    Proxy-Authenticate: Negotiate
    Proxy-Authenticate: Kerberos
    Proxy-Authenticate: NTLM
    Connection: close
    Proxy-Connection: close
    Pragma: no-cache
    Cache-Control: no-cache
    Content-Type: text/html
    Content-Length: 707
    17:06:13 
    17:06:13 

    Hi,
    According to the log, it seems that the TMG firewall denied the request and replied with an HTTP 407 response, indicating that proxy authentication was required. This was done because the Forefront TMG firewall did not have any access rules which would allow the anonymous request. Please check if you have configured related access rules.
    When did you receive this log? Is there anything wrong? Which authentication method have you used, Kerberos, NTLM or other?
    It seems that each time a web proxy client requests a resource through a Forefront TMG firewall that requires NTLM authentication the client is actually denied twice during the transaction before being successfully authenticated and allowed access. When the Forefront TMG firewall is configured to use Kerberos there is only a single denied request and HTTP 407 response and then contact a domain controller and obtain a Kerberos ticket to present to the TMG firewall to gain access to the resource.
    If you configured the TMG clients with a certain proxy name, please make sure you typed the TMG's domain computer name only (not IP address nor alias).
    Best regards,
    Susie
