Internet Control by TMG 2010


I have some issues on TMG.
I am running DHCP Server on server 192.168.0.12 (win 2008r2).
Running TMG 2010 on another machine, 192.168.0.10 (win 2008r2).
Domain with Exchange Server 192.168.0.3 (win 2008r2).
Clients get their IP from the DHCP Server as follows:
192.168.0.101
255.255.255.0
Gateway 192.168.0.10 (TMG for Internet) win 2008r2
DNS 192.168.0.3 (Domain with Exchange Server) win 2008r2
The domain uses a different direct Internet connection for Exchange.
All clients get Internet via DHCP but controlled by TMG Auto Discovery.
My issue is that some clients cannot be controlled.
On some clients YouTube is blocked but Facebook can't be closed. I did all the settings to block it, but there is still a loophole:
1. Deny Local to External HTTP/HTTPS, all users, online community and URLs which are Facebook and prohibited sites
2. Allow Local to External, all users, excluding online community and URLs
but it is not controlled.

Hi,
According to your description, it seems that you have configured the TMG server as a WPAD server and let the clients use the WPAD protocol to obtain proxy information from the DHCP server. If I misunderstood anything, please feel free to let me know.
In this scenario, please make sure that you have added the 252 option for WPAD on the DHCP server. In addition, did you configure DHCP to support WPAD on a per-scope basis or on a per-server basis? If you want all clients to use the same TMG firewall regardless of the TMG Firewall Network on which the host is located, you need to make sure that you have configured the DHCP WPAD option as a server-level option. Besides, you can check for any related logs on the server side or client side, and you can also capture packets to compare the differences.
Best regards,
Susie
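The reply above turns on two things an administrator has to get right: option 252 must exist on the DHCP server, and it must be set at the level (server or scope) that matches where the clients are. The script below is an added example, not code from the thread or from Microsoft; it drives the Windows Server 2008 R2 DHCP service with `netsh dhcp`, which exists on that platform, and finishes with a client-side check that the WPAD URL actually serves a PAC script. The server name DHCP01, the scope 192.168.0.0 and the WPAD URL on the TMG host are placeholders.

```powershell
# Added example: publish the WPAD URL as DHCP option 252, server-wide or per scope,
# and verify that the URL returns a PAC script. Assumed placeholders: DHCP01,
# scope 192.168.0.0, http://tmg.contoso.local:80/wpad.dat (TMG's autodiscovery URL).

function Set-WpadDhcpOption {
    param(
        [Parameter(Mandatory = $true)][string]$DhcpServer,
        [Parameter(Mandatory = $true)][string]$WpadUrl,
        [string]$ScopeId    # leave empty for a server-level option (all scopes)
    )
    # Option 252 is not predefined on Windows DHCP; define it once as a STRING option.
    # netsh reports an error if the definition already exists, which is harmless here.
    netsh dhcp server "\\$DhcpServer" add optiondef 252 WPAD STRING 0 comment=WPAD_URL | Out-Null

    if ($ScopeId) {
        # Scope-level value: only clients in this scope receive it.
        netsh dhcp server "\\$DhcpServer" scope $ScopeId set optionvalue 252 STRING $WpadUrl
    } else {
        # Server-level value: every scope on the server hands out the same URL,
        # which is what the reply recommends when all clients should use one TMG.
        netsh dhcp server "\\$DhcpServer" set optionvalue 252 STRING $WpadUrl
    }
}

function Show-WpadDhcpOption {
    param([Parameter(Mandatory = $true)][string]$DhcpServer)
    # Lists configured option values so you can confirm 252 is present at the intended level.
    netsh dhcp server "\\$DhcpServer" show optionvalue all
}

function Test-WpadUrl {
    param([Parameter(Mandatory = $true)][string]$WpadUrl)
    # Download the script exactly as a client would and check it is a PAC file:
    # every PAC script, including the one TMG generates, defines FindProxyForURL.
    try {
        $pac = (New-Object System.Net.WebClient).DownloadString($WpadUrl)
        return ($pac -match 'FindProxyForURL')
    } catch {
        return $false
    }
}

# Usage (server-level, matching the reply's recommendation):
# Set-WpadDhcpOption -DhcpServer 'DHCP01' -WpadUrl 'http://tmg.contoso.local:80/wpad.dat'
# Show-WpadDhcpOption -DhcpServer 'DHCP01'
# Test-WpadUrl -WpadUrl 'http://tmg.contoso.local:80/wpad.dat'   # expected: True
```

Two caveats worth checking when "some clients are not controlled": a client only asks DHCP for option 252 when its browser has automatic proxy detection enabled, and Firefox does not use DHCP-based WPAD at all (it only tries the DNS `wpad` name), so clients on a browser other than Internet Explorer may never learn the proxy this way.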

Similar Messages

  • Internet Access through TMG for all HO & Branch office

    Dear Experts,
    I am new to Forefront TMG 2010. I have a requirement to implement Internet access.
    Head office: 192.168.11.x/24 (192.168.11.1 is the TMG server)
    Branch Office 1: 192.168.12.x/24
    Branch Office 2: 192.168.14.x/24
    Branch Office 2: 192.168.16.x/24
    Forefront TMG 2010 Standard Edition.
    It has 3 NICs: two have different ISP network addresses and one has 192.168.11.1.
    The branch offices are connected using an MPLS network. The requirement is that all branch site Internet must be accessed through the TMG 2010 server which is homed in the head office. How to achieve this?
    What needs to be done in the external firewall and in TMG for enabling Internet access?
    Thanks!
    Regards, Ganesh, MCTS, MCP, ITILV2 This posting is provided with no warranties and confers no rights. Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread.

    Hi Ganesh,
    Hope this helps.
    1 - If you wish to give Internet as a proxy to users:
    Ensure the subnets below are able to reach the TMG internal interface, 192.168.11.1.
    Subnets
    Branch Office 1: 192.168.12.x/24
    Branch Office 2: 192.168.14.x/24
    Branch Office 2: 192.168.16.x/24
    Configuration
    Enable the proxy in TMG and configure the proper ports as per your requirements.
    On the client IE, ensure you put the proxy IP as TMG and the port configured in the TMG configuration.
    Enable a rule:
    Access Rule
    Source: Internal
    Destination: External
    Ports: HTTP / HTTPS
    Users: Authenticated Users
    2 - Normal Internet as gateway to users:
    You need to request your MPLS provider to change the default route of the subnets below to 192.168.11.1. By doing this, all Internet requests from those subnets will hit TMG.
    Subnets
    Branch Office 1: 192.168.12.x/24, default route 192.168.11.1
    Branch Office 2: 192.168.14.x/24, default route 192.168.11.1
    Branch Office 2: 192.168.16.x/24, default route 192.168.11.1
    If you have an L3 switch then you can also make the L3 switch the default gateway for all the subnets and from the L3 device point it to TMG.
    Enable a rule:
    Access Rule
    Source: Internal
    Destination: External
    Ports: HTTP / HTTPS
    Users: All Users (important)
    Two ISPs
    In network rules you need to use NAT.
    You will have a rule which NATs Internal to External.
    On External, choose which ISP interface should be used and apply the NAT rule.

  • Problem with blocking upload file TMG 2010

    I'm using TMG 2010. I have 3 rules:
    1/ Allow Internet Access:
    protocols: DNS, HTTP, HTTPS
    from: localhost, internal to: External
    2/ Allow Protocols:
    protocols: all traffic
    from: localhost, internal to: localhost, internal
    3/ Default Rule: Block all.
    The problem is: I want to block file uploads from internal to external, so I've made an HTTP filter in Allow Internet Access like this: Config HTTP --> Signature: Search in: Request Header
     HTTP header: Content-Type:
     Signature: mutipart/form-data
    Methods: Block method POST
    Unfortunately, it does not work and I don't know why. If I create a rule to block web, it works. Please help me. Thanks!

    Hi,
    You could check the following blog to see whether you missed anything.
    How to block Attachment Uploads using Microsoft TMG
    http://www.kuwaitgeekz.com/?p=2248
    (Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.)
    Best Regards,
    Joyce
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Forefront TMG 2010 Error from management console

    Hi,
    I am having a problem connecting to a TMG 2010 array from an installation of the TMG management console; we are receiving the error 'Refresh Failed' 'Error 0x80070057' 'The parameter is incorrect'.
    The only article I can find on this error is this http://support.microsoft.com/kb/2591719 which doesn't seem to apply to our setup or this problem, but I have applied Service Pack 2 anyway and still get the same error. The only other thing I can find is a few people saying the management console needs to be at the same version as the TMG servers you are trying to connect to, but I cannot see how this can be done, as when I try to run the service pack on the machine with only the management console I get an error because the full installation is not there.

    Hi,
    Firstly, have you found any related information in the event logs?
    Next, you can check the version of the TMG server from the TMG help menu, the TMG system node or using Control Panel. For more detailed information, please refer to the link below:
    How to Determine Which Version of TMG Server 2010 Is Installed
    In addition, what hotfix rollup or Service Pack have you installed? Please refer to the recommended order below:
    Forefront TMG 2010 Service Pack, Rollup, and Version Number Reference
    Best regards,
    Susie

  • Login error when publishing OWA 2010 through TMG 2010

    My configuration publishes OWA 2010 with TMG 2010, but when logging in through the Internet I must enter the full name, domain.com\administrator, and password to log in.
    The login name administrator, or the login [email protected], does not log in. And all the other mailbox accounts do not log in.
    This is a picture of my configuration. If you know how to fix it, please help me. Thanks.

    Hi Xuan,
    It depends on your selected authentication method.
    I recommend you refer to the following article; it will give you some hints:
    http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/enabling-forms-based-authentication-external-internal-owa-2010-users-exchange-2010-published-using-forefront-tmg-2010-part2.html
    Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information. And the changes made in the above blog are not supported officially by Microsoft.
    Best regards,
    Niko Cheng
    TechNet Community Support

  • TMG 2010 to connect Branch Office

    We have TMG 2010 installed as our proxy solution. Recently we opened a new branch office, but they are unable to access the Internet through the proxy. I have added the route add commands on the TMG server:
    route add 10.24.84.0 mask 255.255.255.224 10.24.30.20 -p    - Branch 1
    route add 10.24.86.0 mask 255.255.255.224 10.24.30.20 -p    - Branch 2
    10.24.30.20 is our core router IP...
    Is there any configuration required in the core router and branch office router? Branch office users can access all server services except the proxy solution. Please advise.

    Hi
    In your branch office,
    you need to ensure that the internal branch office subnet is able to reach the TMG server. You need a route to the TMG network from the branch office on the branch office router,
    and TMG should have a route to reach the branch office network.
    Add the branch office subnet as Internal in the TMG network range.
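Both branch-office threads above (the MPLS head-office design and this routing question) come down to the same two checks: does the TMG host have a route back to each branch subnet via the core router, and can a branch client actually open the proxy port. The script below is an added example, not code from either thread; it evaluates the route table as a pure function (so it can be exercised offline against the constructed sample table) and can be pointed at the live table from `Win32_IP4RouteTable`, which exists on Windows Server 2008 R2. The subnets and next hop are the ones from the post; the proxy port 8080 is TMG's default web proxy listener port and the branch client host is a placeholder.

```powershell
# Added example: find branch subnets that the TMG host has no return route for,
# print the missing 'route add' commands, and test TCP reachability of the proxy port.
# Sample route table below is constructed for illustration (203.0.113.1 is a placeholder ISP gateway).

function Convert-IPv4ToUInt32 {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network order -> host order
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-RouteCovers {
    param($Route, [string]$Subnet, [string]$Mask)
    # A route covers the branch subnet only if it is no more specific than the subnet
    # and the subnet's network address lies inside the route's destination.
    $routeMask  = Convert-IPv4ToUInt32 $Route.Mask
    $subnetMask = Convert-IPv4ToUInt32 $Mask
    if ($routeMask -gt $subnetMask) { return $false }
    $subnetNet = (Convert-IPv4ToUInt32 $Subnet) -band $routeMask
    $routeNet  = (Convert-IPv4ToUInt32 $Route.Destination) -band $routeMask
    return ($subnetNet -eq $routeNet)
}

function Get-MissingBranchRoutes {
    param([object[]]$RouteTable, [object[]]$Branches, [string]$NextHop)
    $missing = @()
    foreach ($b in $Branches) {
        # The default route (mask 0.0.0.0) points at the ISP, so it does not count as a
        # return path to a branch; only explicit routes do.
        $covered = $RouteTable | Where-Object {
            $_.Mask -ne '0.0.0.0' -and (Test-RouteCovers $_ $b.Subnet $b.Mask)
        }
        if (-not $covered) {
            $missing += "route add $($b.Subnet) mask $($b.Mask) $NextHop -p    # $($b.Name)"
        }
    }
    return $missing
}

function Test-ProxyPort {
    # Run from a branch client: can it complete a TCP handshake with the TMG proxy listener?
    param([string]$ProxyHost, [int]$Port = 8080)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($ProxyHost, $Port); return $client.Connected }
    catch { return $false }
    finally { $client.Close() }
}

# Constructed sample: default route to the ISP, the TMG LAN, and Branch 1 present; Branch 2 missing.
$SampleRoutes = @(
    (New-Object PSObject -Property @{Destination = '0.0.0.0';    Mask = '0.0.0.0';         NextHop = '203.0.113.1'}),
    (New-Object PSObject -Property @{Destination = '10.24.30.0'; Mask = '255.255.255.0';   NextHop = '0.0.0.0'}),
    (New-Object PSObject -Property @{Destination = '10.24.84.0'; Mask = '255.255.255.224'; NextHop = '10.24.30.20'})
)
$Branches = @(
    (New-Object PSObject -Property @{Name = 'Branch 1'; Subnet = '10.24.84.0'; Mask = '255.255.255.224'}),
    (New-Object PSObject -Property @{Name = 'Branch 2'; Subnet = '10.24.86.0'; Mask = '255.255.255.224'})
)

Get-MissingBranchRoutes -RouteTable $SampleRoutes -Branches $Branches -NextHop '10.24.30.20'
# -> route add 10.24.86.0 mask 255.255.255.224 10.24.30.20 -p    # Branch 2

# Live check on the TMG server (same function, real route table):
# Get-MissingBranchRoutes -RouteTable (Get-WmiObject Win32_IP4RouteTable) -Branches $Branches -NextHop '10.24.30.20'
# From a branch client (placeholder host name):
# Test-ProxyPort -ProxyHost 'tmg.contoso.local' -Port 8080
```

A correct route table is necessary but not sufficient: as the reply says, the branch subnet must also be in TMG's Internal network address range, otherwise TMG treats packets from it as spoofed on the internal adapter and drops them before any access rule is evaluated.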

  • TMG 2010 - Webaccess becomes unresponsive

    Our TMG 2010 server is set up in a test situation and is currently only used for outbound Internet access; no inbound connections yet point to this route. We have been struggling with the issue that users using this outbound route will lose Internet connectivity and we cannot pinpoint the reason. Only restarting the server will fix it, temporarily.
    We have been struggling with this issue for a very long time now; we tried clean installs and an MS TMG specialized partner looked at the installation and deemed it best practice. The only thing he could think of was that HP's teaming software for the LAN connection could be the culprit. He changed it to Network Fault Tolerance instead of Transmit Load Balancing. That did not help either.
    The server doesn't show any errors we can work with, only users losing their Internet connectivity.
    Any ideas how to solve this situation? The other option is to pack in this TMG and go for an appliance.
    TIA,
    Fred

    Hi,
    NIC teaming is not recommended for TMG server:
    http://blogs.technet.com/b/keithab/archive/2012/02/15/top-troubleshooting-tips-to-try-before-calling-support-for-isa-tmg.aspx
    If you MUST use NIC teaming, try to install the latest drivers/firmware for the NICs and make sure all SNP settings like Chimney offload, RSS and more match the NIC and TMG configuration.
    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3276?GPP=MarcGrote

  • Tmg 2010 Block Any https web site

    TMG 2010 blocks any HTTPS site, and HTTPS inspection is disabled, when I make a rule and I make To exception URL sets.

    Hi Jesper
    Thanks for the reply.
    Yes, HTTPS sites are blocked even with HTTPS inspection disabled, and I have a firewall policy that is allowing HTTP and HTTPS.
    If I make a firewall policy allowing HTTP and HTTPS without exceptions, traffic will be allowed. If I make any URL set exceptions, traffic will be blocked.
    Regards,
    Ahmed Salama.
    Denied Connection
    Log type: Web Proxy (Forward)
    Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
    Rule: Default rule
    Source: Internal (10.6.29.199:65109)
    Destination: External (10.6.28.5:443)
    Request: twitter.com:443
    Filter information: Req ID: 0785b898; Compression: client=No, server=No, compress rate=0% decompress rate=0%
    Protocol: SSL-tunnel
    Client agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0
    Object source: Internet (Source is the Internet. Object was added to the cache.)
    Cache info: 0x0
    Processing time: 0
    MIME type:
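The denied-connection entry pasted above carries everything needed to reason about why the allow rule did not match, but the log viewer hands it over as label/value lines. The function below is an added example, not code from the thread: it parses such an entry into a lookup table and extracts the facts a triage checklist needs (which rule denied it, whether it was an SSL tunnel, and the host:port the proxy saw). The sample text is the entry from the post; the interpretation in the comments is mine, not something the thread states.

```powershell
# Added example: parse a TMG 'Denied Connection' entry (as copied from the log viewer)
# and summarise the fields that matter when an HTTPS request hits the Default rule.

# The entry from the post, reduced to the label/value lines used here.
$SampleEntry = @'
Log type: Web Proxy (Forward)
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: Internal (10.6.29.199:65109)
Destination: External (10.6.28.5:443)
Request: twitter.com:443
Protocol: SSL-tunnel
Client agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0
'@

function ConvertFrom-TmgLogEntry {
    param([Parameter(Mandatory = $true)][string]$Text)
    $fields = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # First colon separates label from value; values may themselves contain colons (host:port, URLs).
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $fields[$matches[1]] = $matches[2].Trim()
        }
    }
    return $fields
}

function Get-TmgDenialSummary {
    param([Parameter(Mandatory = $true)][hashtable]$Fields)
    $summary = @{}
    # 'Default rule' means no allow rule matched; the request fell through the whole policy.
    $summary.DeniedByDefaultRule = ($Fields['Rule'] -eq 'Default rule')
    # Without HTTPS inspection the proxy only sees the CONNECT target of an SSL tunnel,
    # so the logged Request is host:port with no scheme or path to match a URL against.
    $summary.IsSslTunnel = ($Fields['Protocol'] -eq 'SSL-tunnel')
    if ($Fields['Request'] -match '^([^/:\s]+):(\d+)$') {
        $summary.Host = $matches[1]
        $summary.Port = [int]$matches[2]
    }
    # Leading number of the Status line is the TMG result code (12202 here).
    $summary.StatusCode = [int](($Fields['Status'] -split ' ')[0])
    $summary.ClientIp = if ($Fields['Source'] -match '\((\d+\.\d+\.\d+\.\d+):\d+\)') { $matches[1] } else { $null }
    return $summary
}

$fields  = ConvertFrom-TmgLogEntry -Text $SampleEntry
$summary = Get-TmgDenialSummary -Fields $fields
$summary
# DeniedByDefaultRule : True
# IsSslTunnel         : True
# Host                : twitter.com
# Port                : 443
# StatusCode          : 12202
# ClientIp            : 10.6.29.199
```

When the summary shows an SSL tunnel denied by the Default rule, compare the allow rule's destination elements against the host as TMG saw it (`twitter.com` on port 443) rather than against a full URL. Domain name sets match on the host name alone and so apply to tunnelled HTTPS without inspection; an exception written as a URL set should be checked for whether its entries can match a bare `host:port` request.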

  • Open port on TMG 2010

    Dears,
    I need to open port 1521 for an Oracle listener on my TMG 2010, and have no idea about this.
    Can anyone help me please?
    Thanks in advance

    Hi,
    In general, access rules are used for controlling outbound access. You can create a custom protocol to define the port 1521. As there is only a single port, please enter the same port number in the From and To boxes in the New/Edit Protocol Connection dialog box. Then you can create an access rule and choose that protocol.
    More information:
    Creating an access rule
    TMG Back to Basics - Part 3: Protocol Definitions
    (Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.)
    Best regards,
    Susie
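The reply describes the two console steps (a protocol definition with the same From and To port, then an access rule that uses it). The same steps can be scripted through TMG's administration COM object model so they are repeatable and reviewable. The script below is an added example, not code from the thread or from Microsoft; it assumes the FPC.Root object model and the enumeration values as I recall them from the ISA/TMG SDK (fpcOutbound = 1, fpcPolicyRuleActionAllow = 0, fpcSpecifiedProtocols = 1, fpcInclude = 0), which should be confirmed against the SDK documentation before use. The rule and protocol names and the "Oracle clients" computer set are placeholders.

```powershell
# Added example: define a TCP protocol for port 1521 and an outbound access rule that
# uses it, via the TMG administration COM object model. Run in an elevated PowerShell
# session on the TMG server. Enumeration values below are SDK assumptions (see lead-in).

function New-TmgSinglePortProtocol {
    param(
        [Parameter(Mandatory = $true)]$TmgArray,
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][int]$Port
    )
    $definitions = $TmgArray.RuleElements.ProtocolDefinitions
    $proto = $definitions.Add($Name)
    # fpcOutbound = 1 (assumed); single port, so From and To are the same value,
    # exactly as the reply describes for the New/Edit Protocol Connection dialog.
    $proto.PrimaryConnections.AddTCP(1, $Port, $Port)
    $proto.Save()
    return $proto
}

function New-TmgOutboundRule {
    param(
        [Parameter(Mandatory = $true)]$TmgArray,
        [Parameter(Mandatory = $true)][string]$RuleName,
        [Parameter(Mandatory = $true)][string]$ProtocolName,
        [string]$SourceComputerSet     # optional: narrow the source instead of all of Internal
    )
    $rule = $TmgArray.ArrayPolicy.PolicyRules.AddAccessRule($RuleName)
    $rule.Action = 0                                               # fpcPolicyRuleActionAllow (assumed)
    $rule.AccessProperties.ProtocolSelectionMethod = 1             # fpcSpecifiedProtocols (assumed)
    $rule.AccessProperties.SpecifiedProtocols.Add($ProtocolName, 0) # fpcInclude (assumed)
    if ($SourceComputerSet) {
        # Least privilege: only the hosts that need the listener, not the whole internal network.
        $rule.SourceSelectionIPs.ComputerSets.Add($SourceComputerSet, 0)
    } else {
        $rule.SourceSelectionIPs.Networks.Add('Internal', 0)
    }
    $rule.AccessProperties.DestinationSelectionIPs.Networks.Add('External', 0)
    $rule.Save()
    return $rule
}

$fpc      = New-Object -ComObject FPC.Root
$tmgArray = $fpc.GetContainingArray()

New-TmgSinglePortProtocol -TmgArray $tmgArray -Name 'Oracle Listener 1521' -Port 1521 | Out-Null
New-TmgOutboundRule -TmgArray $tmgArray -RuleName 'Allow Oracle listener outbound' `
                    -ProtocolName 'Oracle Listener 1521' -SourceComputerSet 'Oracle clients' | Out-Null

# Read back what was created so the change can be reviewed before applying to clients.
$tmgArray.RuleElements.ProtocolDefinitions | Where-Object { $_.Name -eq 'Oracle Listener 1521' } |
    Select-Object Name
$tmgArray.ArrayPolicy.PolicyRules | Where-Object { $_.Name -eq 'Allow Oracle listener outbound' } |
    Select-Object Name, Action, Enabled
```

The access rule above is outbound (Internal to External), matching the reply's "controlling outbound access". If the Oracle listener is instead hosted on the inside and must be reached from outside, that is a server publishing rule with a different threat profile, and the source should be restricted as tightly as the listener's client population allows.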

  • Exchange 2010 URL and TMG 2010

    Hi All,
    I would like to know whether I can publish my Exchange OWA through TMG 2010 with the same URL on Internal and External (for example mail.contoso.com) and using a single NIC.

    Hi
    With a single-NIC deployment, you will only be able to use the web publishing feature of TMG for Exchange. This means being able to publish OWA, Outlook Anywhere and ActiveSync.
    Same URL for Internal and Public Internet
    100% you can have the same URL for both, and below are the DNS changes you may need to do.
    You need to create a split-brain DNS:
    Create a new primary DNS zone with the same name as your public domain.
    Add an A record and point it to the internal IP address of the Exchange server OWA.
    On the public Internet, add an A record pointing to the public IP address which is used on the web publishing.
    TMG - Link
    http://technet.microsoft.com/en-us/library/ee796231.aspx
    Other post -
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/c38035f8-b975-4c58-99b2-952f3de9db74/configuring-splitbrain-dns
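The split-brain DNS steps in the reply (internal primary zone named like the public domain, internal A record for OWA) can be done with `dnscmd`, which ships with the DNS Server role on Windows Server 2008 R2. The script below is an added example, not code from the thread; the zone contoso.com, the host name mail, the internal Exchange address 192.168.0.3 and the DNS server DNS01 are placeholders.

```powershell
# Added example: create the internal copy of the public zone and the OWA A record with
# dnscmd, then confirm what the name resolves to from an internal client.
# Placeholders: DNS01, contoso.com, mail, 192.168.0.3.

function New-SplitBrainZone {
    param(
        [Parameter(Mandatory = $true)][string]$DnsServer,
        [Parameter(Mandatory = $true)][string]$Zone,
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][string]$InternalIp
    )
    # File-backed primary zone on the internal DNS server. Use /DsPrimary instead of
    # /Primary /file to store the zone in Active Directory on a domain controller.
    dnscmd $DnsServer /ZoneAdd $Zone /Primary /file "$Zone.dns"
    # Internal clients resolving mail.contoso.com now get the Exchange CAS directly;
    # the public zone keeps pointing the same name at the TMG web listener's public IP.
    dnscmd $DnsServer /RecordAdd $Zone $HostName A $InternalIp
}

function Test-SplitBrainResolution {
    # Run from an internal client: does the shared name resolve to the internal address?
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,
        [Parameter(Mandatory = $true)][string]$ExpectedIp
    )
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }
        return ($addresses -contains $ExpectedIp)
    } catch {
        return $false
    }
}

# Usage:
# New-SplitBrainZone -DnsServer 'DNS01' -Zone 'contoso.com' -HostName 'mail' -InternalIp '192.168.0.3'
# Test-SplitBrainResolution -Fqdn 'mail.contoso.com' -ExpectedIp '192.168.0.3'   # expected: True
```

Because the internal server is now authoritative for the whole public domain name, every other public record internal clients rely on (www, autodiscover, MX and so on) has to be recreated in the internal zone, otherwise internal lookups for those names return NXDOMAIN instead of being forwarded to the public DNS.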

  • Publishing Exchange 2013 Outlook Web App with Forefront TMG 2010

    Hello guys,
    I have published Exchange 2013 via TMG 2010 with pre-authentication. Since this is the first time I am doing it, I want to ask the experts for explanations :).
    When I configure ActiveSync on a mobile, I just type the password and it starts syncing after 20 sec.
    When I use a browser and try to log in using the TMG logon screen, after I enter credentials (if they were not wrong), I get the Exchange 2013 logon screen (because my password was checked by the DCs).
    I have customized the TMG template to the Exchange 2013 template, but it did not help; I have two logon screens.
    Is it possible to configure TMG to show only one logon screen (without disabling pre-authentication)? Does it work this way?
    Did I miss something?

    Hi,
    Please try to enable FBA for external and internal OWA 2010 users by the methods in the blog below.
    There are several ways to accomplish this:
    Have internal users pointed to the internal interface of the Forefront TMG and utilize the forms-based authentication logon page offered by Forefront TMG.
    Deploy Forefront UAG instead of Forefront TMG. Forefront UAG allows you to have FBA enabled on both the Exchange 2010 Client Access Servers and on the Forefront UAG solution itself.
    Publish Exchange 2010 to the Internet using Forefront TMG but do not configure pre-authentication. This way the users need to go through the Forefront TMG solution, but will authenticate directly against the Exchange 2010 Client Access servers.
    Configure an additional OWA and ECP virtual directory on the Exchange 2010 Client Access Servers.
    Reference: http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/enabling-forms-based-authentication-external-internal-owa-2010-users-exchange-2010-published-using-forefront-tmg-2010-part1.html
    Then check the blog
    - Creating a custom Forefront TMG 2010 OWA FBA logon page
    Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
    Best Regards,
    Joyce
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • TMG 2010 Array Brings down the entire internal network

    OK, so this is as weird as it sounds.
    We've been working with ISA and TMG since 2004; this is the first time I've seen this kind of behavior. Let me explain the details.
    We implemented 3 TMG 2010 Servers in an array and 2 EMS Servers on Windows Server 2008 R2. Each TMG Server has 4 NICs (Internal, External, DMZ-Intra-array). At first we wanted to enable them with an F5 hardware load balancer, but after weeks of trying to make them work together we couldn't (SNAT and routing issues), so we tried using Windows NLB but had problems with the multicast configuration using VMware, and after some other battles we decided to first try out just using one TMG Server as the main one to try to make it work. The customer we are implementing this for is currently using ISA 2006 and they wanted to upgrade to TMG 2010 using basically the same stuff as their ISA had, so we backed up that configuration and imported it into TMG without problems.
    We added the TMG Servers to the EMS configuration and everything replicated just fine.
    Since they already had IPS, Cisco ASAs and IronPorts as proxy, they decided to disable NIS, malware inspection, flood mitigation and all those things TMG has for better securing Internet traffic.
    The firewall policy rules number about 100 and they have 3 publishing rules to HTTPS services.
    So after making the necessary configuration changes to the TMG infrastructure, we then decided to unplug the ISA Servers, change the TMG servers' IP addresses to the ISA Server ones and test to see if everything worked just as ISA Server did. However it didn't.
    At first we had issues related to slow Internet traffic; after troubleshooting for some time we ended up finding out that the source IP used by TMG was different than the one ISA was using, even if the same IP was configured on the NIC and the other IPs were configured as alternates. We found out after some searching that Windows Server 2008 R2 follows some RFC and manipulates the IP address on a NIC in a way that 2003 didn't. We found out that we needed to add the other IPs via netsh int ipv4 add address <Interface Name> <ip address> skipassource=true
    After that configuration we got things working fine... for a while. Several hours later, servers started losing connectivity, switches stopped responding and the entire network collapsed! After unplugging the TMG Servers, everything returned back to normal. We thought this was an issue related to drivers or something to do with the VMware platform, so it was decided to reinstall everything on physical servers.
    After some days of reconfiguring the TMG Servers again, we made the switch again, unplugged the ISA Servers, configured the TMG with the ISA IP addresses, did the netsh thing and then tested everything, and everything worked.
    But again hours later the same behavior appeared once more! Servers and switches stopped responding and the entire network went down once more! Again we unplugged the TMG Servers and everything returned back to normal!
    So here we are, back to square one with no clue what is causing this behavior on the network. The current physical servers are running HP 3666i 4 multiport 10Gb NICs; we don't know if that has something to do with this. Or the fact that the core switch to which the TMG servers are directly connected is a Nexus 7000 and there are some configuration issues with it against the TMG or something. The TMGs are patched with Service Pack 2 Update Rollup 5.
    We are probably going to open a support case with Microsoft on this issue, but we first wanted to see if anyone else may have had, seen or heard something related to this and has an explanation or ideas on why this is happening.
    I appreciate any replies.
    Thank you all.
    Eduardo Rojas

    Hi, I believe your TMG is virtual and NLB is set up. If so, you need to bind the physical switch port with the NLB MAC address in multicast mode. Let's take an example: if your internal NLB physical NIC is connected to switch ports 1 and 2, then you need to manually bind the NLB MAC to ports 1 and 2, and likewise for all NLB-enabled zones. Read up on VMware NLB, as they support multicast in virtual. So do not use unicast in NLB if it's virtual. All should be okay with the above configuration.

  • Supporting of Broadcast and Multicast in TMG 2010 !

    I have installed TMG 2010 SP2 on Windows 2008 R2.
    So, as I read, TMG blocks both broadcast and multicast.
    And such a built-in, one-way-only default behaviour is not right.
    I want to define on my own (as user/admin) whether it is necessary for me or not; as follows, there has to be an ability to switch such an option on/off, for example as checkboxes for each network (address range) defined by default/user: one for broadcast and one for multicast.
    So, please add such functionality to the kernel mode driver and to the service in the next nearest SP or rollup.
    And/or tell me how it is possible to switch it on in TMG 2010 SP2 and later.
    There are some important services relying on broadcast: NetBIOS, DHCP, some Aladdin hardkey protection, some special software.
    If somebody from the MS technicians will send a registry parameter for this or a specially designed driver, all will be under my responsibility only.

    I didn't find a Threat Management Gateway topic at https://connect.microsoft.com/directory.
    Please open such a topic at https://connect.microsoft.com/directory.
    I will post the suggestion, or you can do so on your own.
    I see this as follows: the next rollup adds two checkboxes and also two array input fields for each rule: a multicast traffic checkbox with an array where some (one or more) IP addresses can be put, and a broadcast traffic checkbox, also with an array input (for example 192.168.0.255 and 255.255.255.255, both IPs, not masks).
    For example, I want to allow out/in (from LocalHost/to LocalHost) broadcast for the NetBIOS 137, 138 port services, but drop out/in DHCP broadcast and allow out only.
    Sentinel HASP License Manager uses port 1947 broadcast. Of course, this example is for/from the internal net only.
    So admins/users of TMG may define on their own, or decide whether it is necessary at all and which rule/rules is/are necessary for it.
    A warning message can appear if the admin sets the multicast and/or broadcast checkbox for the external net (differs from LAN and localhost), but if it is necessary the admin can continue anyway.
    Or maybe make global settings (also 2 checkboxes and 2 array input controls), but if set to on, multicast/broadcast will be allowed if an appropriate allowing rule (for example for NetBIOS) exists; if a drop DHCP rule exists additionally to the NetBIOS allowing rule, then multicast/broadcast will be allowed for NetBIOS and will not be dropped for DHCP.
    And some changes are necessary in the kernel mode driver, as I suppose.
    I can become the first tester. :))))))))
    P. S.: At the moment even outgoing traffic with a sender IP of LocalHost (for example 192.168.0.100) and a destination IP of broadcast (192.168.0.255) is blocked as well.

  • Strange behavior from TMG 2010

    Hi all,
    I have a strange issue with accessing the Internet behind TMG 2010 from random users. Sometimes the Internet works fine and sometimes not. I have checked the monitoring section and I found this alert: "Global denied packets rate limit: The number of denied TCP and non-TCP packets per second exceeded the system limit. As a result, Forefront TMG reduced the number of records of denied packets that are written in the log."
    I did the following:
    Increased the number of TCP and non-TCP requests in the Flood Mitigation settings.
    Added the range of my subnet in the exception section to allow all users.
    Disabled mitigation of flood attacks and worm propagation.
    And the warning still exists, and it is not directed at a certain host.
    Thanks in advance.

    Hi,
    >>Sometimes internet works fine and sometimes not
    Is there any error in the TMG logging when the Internet does not work?
    Please try to increase the number of denied packets via "Specify how many denied packets trigger an alert" in the flood mitigation settings.
    Best Regards,
    Joyce
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Install FTP services on TMG 2010

    We need to securely publish an FTP server to the Internet. We already have a TMG 2010 server in place to securely publish Exchange 2010 ActiveSync and OWA. I know it can publish FTP sites. Is there any issue with the TMG 2010 server being the FTP server itself, installing the FTP role on the TMG 2010 server and then publishing it securely? Any security issues with this?
    J

    Hi,
    Forefront TMG is a firewall, and for security reasons (attack surface reduction) there should be no additional software installed on the TMG server. But if you have no other choice, it is possible to install an FTP server on the TMG server.
    best regards Marc Grote - www.it-training-grote.de
