Remove internal network. TMG 2010 SP2

Hello,
I used to have a TMG with three networks: Internal, Perimeter, External.
Now, due to a change in the design, I would like to remove the internal network, but I cannot.
I thought it was harmless if I just removed the NIC (VMware), but I am having some issues and I think it is best practice to remove such network (the network card is removed).
I can't figure this out.
Thanks in advance!
Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)

Hi,
Would you please elaborate on the issues that you have encountered?
According to your description, it seems that you have configured the network template as a 3-leg perimeter and now you want to change it to a back firewall template.
Personally, I don’t think it is appropriate to just remove the internal network adapter and network range.
It is possible to change the network design after the initial installation by launching the Getting Started Wizard. However, I am not sure if it is possible to launch the Getting Started Wizard in the TMG Management console for you now. If not, in this scenario, maybe you need to reinstall TMG and reconfigure the network template.
Best regards,
Susie

Similar Messages

  • Domain functional level 2003 -- 2008 and TMG 2010 (sp2 rollup 2)

    Hi,
    We want to raise our domain and forest functional level from 2003 to 2008. All DC's have been on 2008 or 2008R2 for about two years.
    I cannot find if there is any impact on TMG 2010 sp2 rollup 2. Does anyone know if this will bring any issues?
    Thanks!

    No impact. From a TMG perspective, go ahead.
    Hth, Anders Janson Enfo Zipper

  • TMG 2010 SP2 Rollup 5 - None Available Worker threads

    Hi Guys,
    We're experiencing some problems with our TMG 2010 Array (SP2 Rollup 5), and the first thing I can see is that the "Available Worker Threads" are 0 many times during the day. How can I debug this issue further to know the root cause?
    Best Regards
    Federico Giampietri Latamsupport IT Infrastructure Services

    Hi,
    >>"Available Worker Threads" are 0 many times during the day.
    Could you see any other abnormal symptom in TMG?
    The issue in the KB below has a symptom that "The Available Worker Threads counter in the Forefront TMG Firewall Service may suddenly decrease to zero". But this has been fixed in Rollup 5. If you still have the same issue after installing Rollup 5, you may need to open a case with Microsoft.
    FIX: Server that's running Forefront Threat Management Gateway 2010 stops accepting all new connections and becomes unresponsive
    Best Regards,
    Joyce

  • Hyper-V 2012 and TMG 2010/NLB

    Hi there,
    I have an issue with TMG 2010 on Hyper-V 2012 - the Setup:
    - Windows 2012 Hyper-V
    - TMG 2010 SP2 Rollup 4 running on W2K8 R2
    TMG 2010 (Array Node1) Network
    Internal Interface: 10.0.0.10/24 (Route to 192.168.11.0/24 over 10.0.0.1)
    IntraArray: 192.168.10.10/24
    Perimeter: 10.0.60.10/24 GW 10.0.60.100
    TMG 2010 (Array Node2) Network
    Internal Interface: 10.0.0.11/24 (Route to 192.168.11.0/24 over 10.0.0.1)
    IntraArray: 192.168.10.11/24
    Perimeter: 10.0.60.11/24 GW 10.0.60.100
    Domain Controllers:
    192.168.11.10
    192.168.11.11
    The NICs of the TMG VMs are configured with the correct VLANs and on the Perimeter Interface as well as on the Internal Interface I activate MAC Address Spoofing.
    Once I activate NLB on the Perimeter Interface all works fine. But NLB on the internal Interface does not work - I see that NLB got configured on Array Node 1 but the second one does not get the config nor is able to sync its configuration with Array Node 1. Also the Servers are not able to communicate with the Domain Controllers anymore. Once I deactivate MAC Address Spoofing on the internal Interface and remove NLB the Servers are able to speak to the Domain Controllers...
    Any suggestions?

    Hi,
    Can I just confirm you are using TMG console to enable NLB?
    Also did you set this reg key on both your TMG servers? You need to make sure MAC Spoofing is enabled too.
    HKLM\System\CurrentControlSet\Services\TCPIP\Parameters
    IPEnableRouter RegDword 1
    after enabling the key you may need to reboot both nodes.
    Regards,
    Denis Cooper
    MCITP EA - MCT
    Blog: http://www.windows-support.co.uk 

  • Supporting of Broadcast and Multicast in TMG 2010 !

    I have installed TMG 2010 SP2 at Windows 2008 R2.
    So, as I read TMG blocks as broadcast as multicast.
    And such built-in only one way default behaviour is not right.
    I want in my own (as user/admin) define whether it is necessary to me or not as following there have to be ability to switch it on/off such option, for example as checkboxes for each network (address range) defined by default/user - one for broadcast and one for multicast.
    So, please add such functionality to kernel mode driver and to service in the next nearest SP or rollup.
    And/or tell how is it possible to switch it on at Tmg 2010 SP2 and later.
    There are some important services relying on broadcast: NetBios, Dhcp, some Aladdin hardkey protection, some special soft.
    If somebody of MS technicians will send registry parameter for this or specially designed driver, all will be under my responsibility only.

    I didn't find a Threat Management Gateway topic at https://connect.microsoft.com/directory
    Please open such a topic at https://connect.microsoft.com/directory.
    I will post suggestion or you can do so in your own.
    I see this as following: next roll up adding two checkboxes and also two array input fields for Each Rule: multicast traffic checkbox and array where some (one or more) IP addresses can be put and broadcast traffic checkbox with also array input (for example 192.168.0.255 and 255.255.255.255 - both IP, not mask).
    For example, I want to allow out/in (from LocalHost/to LocalHost) for NetBios 137, 138 port services broadcast, but drop out/in Dhcp Broadcast and allow out only
    Sentinel HASP License Manager uses port 1947 broadcast. Of course, this example is for/from internal net only
    So, and admins/users uses of Tmg only may define in their own or decide whether it is necessary at all and what rule/rules is/are necessary for.
    Warning message can be appeared if admin set multicast and/or broadcast checkbox for external net (differs from lan and localhost) but if it is necessary admin can continue anyway to do so.
    Or may be make global settings (also 2 checkboxes and 2 array input control) but if it set to on, multicast/broadcast will allow if allowing appropriate rule (for example for NetBios) exist if drop Dhcp rule exist additionally to NetBios allowing rule, so multicast/broadcast will be allowed to NetBios and will not be dropped for Dhcp.
    And some changes are necessary to make in kernel mode driver as I suppose.
    I can become a first tester. :))))))))
    P. S.: At the moment even outgoing traffic with sender IP of LocalHost (for example 192.168.0.100) and destination IP of broadcast (192.168.0.255) is blocked also.

  • TMG 2010 report problem Operation has timed out

    Hello.
    I am stuck and I really need assistance.
    We have a TMG 2010 RTM version and I decided to update it to the latest rollup and SP (dumb head).
    So now we have TMG 2010 SP2 rollup 4.
    Before I updated TMG, reports worked fine, but now reports are not working at all.
    When I try to execute a report (or schedule a daily or weekly report) I get the same issue:
    Error 31289:
    The report "Daily" could not be generated. Report Server error information: The report Daily could not be generated. Report Server error information: The operation has timed out.
    The error occurred on object 'Reports' of class 'Reports Configuration' in the scope of array 'TMG`
    I read all the guidelines (including this http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-How-to-use-SQL-Server-2008-Express-Reporting-Services.html) and did not find anything useful.
    Settings are correct, and I have not changed any settings.
    Now I am out of ideas and I ask for your help.

    That would be expected as the RAT key does not exist by default on a TMG system. You will need to create it and the subkeys referenced along with the values.
    Create as described in the article. 
    Hth, Anders Janson Enfo Zipper

  • TMG 2010 Array Brings down the entire internal network

    Ok, so this is as weird as it sounds.
    We've been working with ISA and TMG since 2004, this is the first time I've seen this kind of behavior. Let me explain the details.
    We implemented 3 TMG 2010 Servers in an Array and 2 EMS Servers on Windows Server 2008 R2. Each TMG Server has 4 NICs (Internal, External, DMZ-Intra-array). At first we wanted to enable them with an F5 Hardware Load Balancer but after weeks of trying to make them work together we couldn't (SNAT and routing issues related), so we tried using Windows NLB but had problems with the Multicast configuration using VMWare and after some other battles we decided to first try out just using one TMG Server as the main one to try to make it work. The customer we are implementing this is currently using ISA 2006 and they wanted to upgrade to TMG 2010 using basically the same stuff as their ISA had, so we backed up that configuration and imported it into TMG without problems.
    We added the TMG Servers on the EMS configuration and everything replicated just fine.
    Since they already had IPS, Cisco ASAs and Ironports as Proxy they decided to disable NIS, Malware inspection, Flood Mitigation and all those things TMG has for better securing Internet traffic.
    The firewall policy rules are about 100 and they have 3 publishing rules to HTTPS Services. 
    So after making the necessary configuration changes to the TMG infrastructure, we then decided to unplug the ISA Servers, change the TMG servers IP Address to the ISA Server ones and test to see if everything worked just as ISA Server did. However it didn't.
    At first we had issues related to slow internet traffic. After troubleshooting for some time we ended up finding out that the Source IP used by TMG was different than the one ISA was using, even if the same IP was configured in the NIC and the other IPs were configured as alternate. We found out after some searching that Windows Server 2008 R2 uses some RFC and manipulates the IP Address on a NIC in a way that 2003 didn't. We found out that we needed to add the other IPs via Netsh int ipv4 add address <Interface Name> <ip address> skipassource=true
    After that configuration we got things working fine... for a while. Several hours later, servers started losing connectivity, switches stopped responding and the entire network collapsed! After unplugging the TMG Servers, everything returned back to normal. We thought this was an issue related to drivers or something to do with the VMWare platform, so it was decided to reinstall everything on physical servers.
    After some days of reconfiguring the TMG Servers again, we made the switch again, unplugged the ISA Servers, configured the TMG with the ISA IP Addresses, did the NETSH thing and then tested out everything and everything worked.
    But again hours later the same behavior appeared once more! Servers and switches stopped responding and the entire network went down once more! Again we unplugged the TMG Servers and everything returned back to normal!
    So here we are, back to square one with no clue on what is causing this behavior on the network. The current physical servers are running HP 3666i 4 multiport 10Gb NICs, we don't know if that has something to do with this. Or the fact that the switch core to which the TMG servers are directly connected is a Nexus 7000 and there are some configuration issues with it against the TMG or something. The TMGs are patched with Service Pack 2 Update Rollup 5.
    We are probably going to open a support case with Microsoft with this issue, but we first wanted to see if anyone else may have had, seen or heard something related to this and has an explanation or ideas on why is this happening.
    I appreciate any replies.
    Thank you all.
    Eduardo Rojas

    Hi, I believe your TMG is virtual and NLB is set up. If so you need to bind the physical switch port with the NLB MAC address in multicast mode. Let's take an example: if your internal NLB physical NIC is connected to switch ports 1 and 2 then you need to manually bind the NLB MAC to ports 1 and 2, likewise for all NLB enabled zones. Read VMware NLB as they support multicast in virtual. So do not use unicast in NLB if it's virtual. All should be okay with the above configuration.

  • Deploy Default Font Settings with Outlook 2010 SP2

    Hi team
    Until Office 2010 SP1 it was possible to deploy a registry key to set the default fonts in Outlook. This was the following key:
    HKCU\Software\Microsoft\Office\14.0\Common\MailSettings\...
    These keys remained after a user logged in the first time to a computer resp. after the user started Outlook the first time.
    Now with SP2 installed, these keys are deleted after the first start of Outlook and a REG_EXPAND_SZ string called "Template" is created.
    Is this issue known and what's the solution to deploy default fonts in Outlook 2010 SP2?
    Regards,
    Stephen

    Hi,
    Please add the registry key manually after the user logged in the first time, does this registry key still takes effect then? If yes, try to deploy this registry key via OCT to check the result.
    For this kind of issue, one method I suggest is to deploy a NormalEmail.dotm template to users, in which the default font has been configured. For example, put it on a network shared location, use a startup script to remove the existing template on the user's client, then copy the shared template to each user's local path. The location should be: C:\Users\<username>\AppData\Roaming\Microsoft\Templates.
    Regards,
    Melon Chen
    Forum Support

  • TMG 2010 to connect Branch Office

    We have TMG 2010 installed for proxy solution. Recently we opened a new branch office but they are unable to access the Internet through the proxy. I have added the route add commands on the TMG Server.
    route add 10.24.84.0 mask 255.255.255.224 10.24.30.20 -p    - Branch 1
    route add 10.24.86.0 mask 255.255.255.224 10.24.30.20 -p    - Branch 2
    10.24.30.20 is our core router IP...
    Is there any configuration required in core router and branch office router... Branch office users can access all server service except proxy solution. Please advise.

    Hi,
    In your branch office,
    you need to ensure that the internal branch office subnet is able to reach the TMG server. You need a route to the TMG network from the branch office on the branch office router.
    TMG should have a route to reach the branch office network.
    Add the branch office subnet as internal in the TMG network range.
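
The answer's last point can be checked offline before touching the TMG console. As an added example (not part of the original thread), this Python script parses the two `route add` lines from the question and reports any routed branch subnet that the Internal network's address ranges do not cover; `INTERNAL_RANGES` is a constructed sample, not the poster's configuration.

```python
"""Audit `route add` lines against TMG Internal network address ranges."""
import ipaddress
import re

# The two persistent routes quoted in the question above.
ROUTE_COMMANDS = """\
route add 10.24.84.0 mask 255.255.255.224 10.24.30.20 -p
route add 10.24.86.0 mask 255.255.255.224 10.24.30.20 -p
"""

# Constructed sample (assumption): address ranges as an admin would copy them
# from the Internal network's properties. Only the first branch was added.
INTERNAL_RANGES = [
    ("10.24.30.0", "10.24.30.255"),
    ("10.24.84.0", "10.24.84.31"),
]

ROUTE_RE = re.compile(r"^\s*route\s+add\s+(\S+)\s+mask\s+(\S+)\s+(\S+)", re.I)


def parse_routes(text):
    """Return (routes, errors); routes are (IPv4Network, gateway) tuples."""
    routes, errors = [], []
    for line in text.splitlines():
        match = ROUTE_RE.match(line)
        if not match:
            continue
        dest, mask, gateway = match.groups()
        try:
            # strict=True rejects a destination that has host bits set
            # for the given mask, so typos surface as errors.
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
            routes.append((net, ipaddress.ip_address(gateway)))
        except ValueError as exc:
            errors.append((line.strip(), str(exc)))
    return routes, errors


def to_int(addr):
    """Convert a dotted-quad string to its integer value."""
    return int(ipaddress.ip_address(addr))


def uncovered(net, ranges):
    """Return the (first, last) spans of `net` that no range covers."""
    lo, hi = int(net.network_address), int(net.broadcast_address)
    gaps, cursor = [], lo
    for start, end in sorted((to_int(a), to_int(b)) for a, b in ranges):
        if end < cursor or start > hi:
            continue  # range lies outside the part still being checked
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = end + 1
        if cursor > hi:
            break
    if cursor <= hi:
        gaps.append((cursor, hi))
    return [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b)))
            for a, b in gaps]


def audit(route_text, internal_ranges):
    """List routed subnets that are missing from the Internal ranges."""
    routes, errors = parse_routes(route_text)
    findings = []
    for net, _gateway in routes:
        gaps = uncovered(net, internal_ranges)
        if gaps:
            findings.append((str(net), gaps))
    return findings, errors


if __name__ == "__main__":
    findings, errors = audit(ROUTE_COMMANDS, INTERNAL_RANGES)
    for subnet, gaps in findings:
        for first, last in gaps:
            print(f"{subnet}: {first}-{last} is not in the Internal network")
    for line, reason in errors:
        print(f"unparsed route: {line} ({reason})")
```
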

  • TMG 2010 IP addresses change

    Hi All,
    We need to replace our TMG 2010 internal and public IP addresses due to a network segment change.
    Will I need to re-install the TMG software? Where will I need to change the IP addresses except in the NIC settings?
    Can you please advise what is the best way to do it?
    Thanks in advance,
    Elad Avital

    You don't mention what you have configured on your TMG but this is basically how you do it:
    Before doing anything, backup the server and export the TMG configuration. Do this while physically logged on to the server.
    Change the external IP first.
    - change IP address on ext nic through Getting Started Wizard, apply the settings
    - change any server publishing rules and web listeners that are using a specified IP address
    When done and all is verified to be working, move on to the internal ip address.
    - Change the IP address from within the Getting Started Wizard. Apply the settings
    - validate all network objects and update the ones that need to be updated with a correct IP address. Don't forget to look at the system policy as well.
    You may need to alter the SQL configuration as well:
    SQL Server Configuration Manager / SQL Server Network Configuration / Protocols for MSFW/ISARS / TCP/IP / IP Addresses (most likely only ISARS)
    Hth, Anders Janson Enfo Zipper

  • RV042 behind Forefront TMG 2010 (SOLVED)

    Currently I have a scenario where I have set up an RV042 which is connected to Microsoft Forefront 2010. PPTP works fine only on the RV042 subnet but I am not able to access the "internal" network of TMG.
    RV042 (172.16.1.1) ---> TMG [external] (172.16.1.2) ---> TMG [internal] (192.168.1.1)
    Is there any way through static route to access the TMG internal network through RV042 pptp server ?

    Well, after expecting experts' views for so long, I took help from one of my seniors, where I had to make changes in NETWORK RULES of TMG by creating Internal to External & External to Internal rules for 5 PPTP IP addresses, and it started working. This is how it helped.
    Common troubleshooting steps:
    1. Check the IP address of TMG if it is pinging through RV042 firmware.
    2. If not pinging, then create a policy to allow PING into the internal network.
    3. Do the STATIC ROUTING in RV042 by keeping the IP address as TMG internal IP & gateway as TMG WAN static IP.
    4. Ping to confirm if you are having access through the router to TMG using the PING utility of RV042.
    5. Once you are able to PING, then enable PPTP and connect from the remote side and PING the WAN static IP of TMG and any of the INTERNAL IPs of the TMG network.
    6. If you are not able to ping the TMG internal network by just STATIC ROUTING from RV042
    7. Then you need to create two rules under NETWORK RULES of FOREFRONT (check this option in the FOREFRONT management window). First you need to create a range of PPTP IP addresses in the SUBNET category of TMG and use this range of IP addresses in the rules we are going to create.
    8. Create SOURCE (PPTP IP ADDRESS RANGE) to INTERNAL and INTERNAL to (PPTP IP ADDRESS RANGE)
    9. That's it, I am sure you will be able to ping it from the remote side and also access the resources of the TMG network.
    Please, if anyone has any doubts, post them here. I'll be really glad to help. Thank you.

  • SharePoint 2010 SP2 hosted on Windows 2012 R2 NOT discovered by SCOM 2012 R2 + 2 SP MP's

    What is the process to get SharePoint 2010 Management Packs loaded in System Center 2012 R2 to discover/monitor SharePoint 2010 SP2 (14.0.7121.5000) loaded on Windows 2012 R2?
    View of installed system:
     System Center 2012 R2 loaded on Windows 2012 R2 (supported separately by SQL 2012 SP1 loaded on Windows 2012 R2)
    -Microsoft SharePoint 2010 Products Management Pack for System Center Operations Manager 2007
    -System Center 2012 Monitoring Pack for SharePoint 2010
     SharePoint 2010 SP2 (14.0.7121.5000) loaded on Windows 2012 R2 (supported separately by SQL 2012 SP1 loaded on Windows 2012 R2)
    The SharePoint 2010 Management Shell works fine!
    Result
    Event 0, Operations Manager - Cannot identify which SharePoint farm server is associated with. Check the management pack guide for troubleshooting information.
    Looked at these already:
    KB2690744, Configuring the SharePoint 2010 Management Pack for System Center Operations Manager. 
    http://om2012.wordpress.com/2013/05/24/sharepoint-2010-mp-on-scom-2012/
    Further, if the xml push does have the command get-farm instead of get-spfarm, that could be the issue. i.e.
    http://www.scom2k7.com/advanced-troubleshooting-of-the-sharepoint-2010-mp/
    Thanks,
    +Tony

    Peter,
    I recommend to remove the Windows 2012 R2 server out of the farm and redeploy on W2008 R2.
    This issue does not have an easy fix.
    Summarizing, this appears to be the issue:
    1. Windows Management Framework 3.0 is integrated with Windows 2012 R2, which installs .NET 4 and Powershell 4.0. Not uninstallable.
    2. The Add-PSSnapin Microsoft.SharePoint.PowerShell is not supported with Powershell 4.0.
    3. The SCOM SP2010 MP puts a package on the defined farm server and when the agent launches the package, it calls Powershell (v4 in this case) and errors out. The target W2012 server will have an Error 0 in the Operations Manager Event log. See below.
    Options:
    1. Work around maybe - Develop method for manual discovery (I'm working on that now).
    2. Rebuild SP2010 farm on Windows 2008 R2
    3. System Center Team - Write a new MP to down version Powershell (Powershell.exe -Version 2)
    4. Powershell Team - Write a SharePoint Snapin for Powershell 4

  • Crystal Reports Visual Studio 2010 SP2 Fixed issues

    Hi All,
    Here is the list with fixed issues in Crystal Reports Visual Studio 2010 SP2
    http://www.crystaladvice.com/crystalreports/crystal-reports-2010-sp2
    The following list with issues is fixed:
    1566763 - CRVS2010 WPF Viewer error; "System.NullReferenceException was unhandled" PageControl.OnMouseMove
    1540637 - Error: External component has thrown an exception. Launching the Database Expert in the embedded Crystal Reports designer in Visual Studio
    1544675 - Error; 'Object reference not set to an instance of an object' when using the CR WPF viewer in VS2010
    1578823 - CRVS2010; "Load Report Failed" error when Report is open in any full version of the CR Designer
    1638191 - Using RTL language (Arabic) the CR viewer Group Tree Panel does not display RTL
    1631283 - Error; 'Failed to load database information' when reporting off of file system data
    1553469 - How to enable Database logging in Crystal Reports for Visual Studio 2010
    1299185 - Error: Operation not yet implemented or Failed to Export, when exporting a Crystal Reports to Text format
    1451960 - Null or empty values are not surrounded with delimiter when exported to CSV format
    1659185 - The special Crystal Reports field, 'File Name and Path' shows temp path and temp name when viewing a report
    1452648 - Dynamic Cascading Parameter prompts two times when using the Crystal Reports in VS .NET
    1580338 - When refreshing a report that contains a linked subreport report takes long time to execute
    1659111 - GCHandle left in memory for each open and close of a Crystal Report in VS2010 application
    1356672 - Crystal Reports special field "File Path and Name" displays incorrect information in a Visual Studio .NET application
    1593658 - Impersonation of database Log On credentials failure in report generation when set at runtime in a .NET application
    1661239 - Summary fields are converted to String fields
    1661276 - Using the Crystal Reports SetTableLocation method in VS .NET causes long report processing delays
    1661200 - Not able to copy text from report objects using the Crystal Reports WinForm viewer for VS .NET
    1631722 - Date function in a Selection Formula is removed when running a report in a VS .NET application
    1525822 - Exception "Object reference not set to an instance of an object." thrown when clicking on Parameter Panel button in Crystal Report .NET Windows Form Viewer
    1603082 - Cross-tab background colors not retained when exporting a report to PDF format
    1603154 - Shared variable display the incorrect value in Crystal Reports
    1427747 - Why does a CR .NET SDK web app have problems running on IIS 7 in integrated pipeline mode?
    1545536 - Alignment set to Justify causes broken underline
    Source: Resolved Issues in Service Pack 2 for Crystal Reports for Visual Studio 2010
    With kind regards,
    Pieter Jong
    Crystal Advice
    http://www.crystaladvice.com

    Many thanks for the link Pieter.
    I recently created a wiki that lists all of the fixes, their tracking numbers, associated Kbase numbers, Kbase titles and links to the kbases:
    http://wiki.sdn.sap.com/wiki/x/tgK3Dw
    It's 90% complete. I think I have a few Kbases to do to complete it.
    Now that I think about it, I'll also add the link to the sticky thread "SP 2 for Crystal Reports for Visual Studio 2010 released!" re. SP2 release.
    - Ludek

  • Outlook 2010 SP2 error Office11ShipAssert

    Good Day,
    I originally placed this in the Office forum but did not get any help. 
    So I figured that perhaps I need to put this in the Office support forum. About a week ago, after I applied SP2 give or take, I started getting the following errors and the error repeats itself over and over again. I have repaired Office with no luck. I can't even find what Office11ShipAssert is so I am not sure what I am looking for. I have tried entering into safe mode which appears to work but when I remove add-ons one at a time nothing appears to work.
    I am not even sure if Safe mode even works as the results get confusing.
    I thought it may have been the VB add-on but as of today that is incorrect.
    When I start up Outlook, after a few minutes I get the errors that are below.
    I have also renamed my OST file and rebuilt it figuring that perhaps there may be some sort of corruption within the file.
    Now I understand that there is an issue with SP2 and 2010 when it comes to calendar errors which appears not to have been fixed. I do not know if these would be or are related to those errors but to troubleshoot I have removed all my PST files at this time.
    If anybody has any idea what is causing these errors or how to fix it, it would be greatly appreciated. I am at the point of uninstalling Office and doing a clean install back to Office 2010 SP1, as I did not have these errors when I was on that version.
    The system is fully patched and I am connected to a exchange 2010 SP2 server.  I do not appear to be having issues just these errors that keep coming back.
    Thank You
    Adam Raff
    Log Name:      Application
    Source:        Microsoft Office 14
    Date:          3/3/2014 12:36:18 PM
    Event ID:      5000
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      AdamR64.xxxxx.net
    Description:
    The description for Event ID 5000 from source Microsoft Office 14 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    If the event originated on another computer, the display information had to be saved with the event.
    The following information was included with the event:
    Office11ShipAssert
    6xk3
    14.0.7015.0
    the message resource is present but the message is not found in the string/message table
    then I would get the following error
    Log Name:      Application
    Source:        Windows Error Reporting
    Date:          3/3/2014 12:36:20 PM
    Event ID:      1001
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      AdamR64.xxxxx.net
    Description:
    Fault bucket 8096914, type 21
    Event Name: Office11ShipAssert
    Response: Not available
    Cab Id: 0
    Problem signature:
    P1: 6xk3
    P2: 14.0.7015.0
    P3:
    P4:
    P5:
    P6:
    P7:
    P8:
    P9:
    P10:
    Attached files:
    C:\Users\AdamR\AppData\Local\Microsoft\Office\ShipAsserts\outlook.exe.6xk3.dmp
    C:\Users\AdamR\AppData\Local\Microsoft\Office\ShipAsserts\outlook.exe.6xk3.cvr
    These files may be available here:
    C:\Users\AdamR\AppData\Local\Microsoft\Windows\WER\ReportArchive\NonCritical_6xk3_cae7bb3efd629b7aa754c7bce3d3e93e0a6fd93_1196ca6f
    Analysis symbol:
    Rechecking for solution: 0
    Report Id: 531db1d4-a2fa-11e3-9ef1-842b2b9a1d57
    Report Status: 0

    Hi,
    When did you get this error? Does it pop up when you launch Outlook?
    Please try to repair the net framework to check if it helps:
    http://support.microsoft.com/kb/2698555/en-us
    In addition, we can try to locate the following registry path:
    HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook
    and then rename the \Outlook part of this key to \Outlook-1, restart Outlook to check the result.
    Note:
    Serious problems might occur if you modify the registry incorrectly. For added protection,
    back up the registry before you modify it.
    Please let me know the result.
    Regards,
    Steve Fan
    Forum Support

  • PIX 501 config - access to internal network not working from remote VPN users - everything on the inside is OK

    One other thing - I had a problem with the key pairing so I rebuilt the rsa 1024 and the unit started working. Unfortunately I reloaded without the config in place and now I cannot get it to work again. Any help will be greatly appreciated although I did review a dozen other posts of people having similar problems and for some reason there is never any conclusion as to the solution and I am not sure why.
    Some other info from the client end:
    I just ran the stats on the client and packets are being encrypted BUT none are decrypted.
    Also Tunnel received 0 and sent 115119
    Encryption is 168-bit 3-DES
    Authentication is HMAC-SHA1
    also even though the allow LAN is selected in the Cisco VPN client it states the local LAN is disabled in the client stats
    also Transparent tunneling is selected but in the stats it states it is inactive
    I am connecting with the Cisco VPN Client Ver 5.0.07.0440
    This config works. It is on the internal net 192.168.40.x and all users obtain dhcp and surf the web. It has required ports opened. The problem is that you can connect remotely via the VPN and you receive an IP address from the remote-vpn pool but you cannot see any machines on the internal network. The pix is at 40.2 and you cannot ping the pix and the pix from the remote PC connecting via the VPN and you cannot ping the remote PC from the PIX console when the remote is connected and receives the first IP address in the VPN pool of 192.168.40.25
    I need to see the internal network and map network drives. I have another friend that is running the same config and it works but his computer is on a linksys wireless and has an IP of 192.168.1.x and the IP he receives from the VPN pool is 192.168.1.25 so I do not know if the same network is allowing this config to work even if there is an error in the config. In my present case I obtain the ip of 192.168.40.25 from the VPN pool and my connecting pc on 192.168.1.x. I really am not sure how the VPN virtual adapter works. I am assuming it routes all traffic from your connecting PC to and from the virtual adapter but I really do not know for sure.
    Other people have had similar issues with accessing the internal network from the VPN. One solution was the split-tunnel, another was the natting and another had to do with the encryption where there was an issue with the encrypt and decrypt which was stopping the communication via the VPN.
    I still cannot seem to find the issue with this config and any help will be greatly appreciated.
    This is the config
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password somepassword
    hostname hostname
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group network internal_trusted_net
      network-object 192.168.40.0 255.255.255.0
    object-group icmp-type icmp_outside
      icmp-object echo-reply
      icmp-object unreachable
      icmp-object time-exceeded
      icmp-object source-quench
    access-list OutToIn permit icmp any xxx.xxx.xxx.0 255.255.255.248 object-group icmp_outside
    access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
    access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
    access-list OutToIn permit ip any any
    access-list outbound permit ip any any
    (NOTE: I had many more entries in the access list but removed them. Even with the above two allowing everything it does not work)
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.xxx.xxx.xxx 255.255.255.248
    ip address inside 192.168.40.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    I had this statement missing from the previous posted config but even with the nat (inside) 0 access-list no_nat_inside  it still does not work.
    nat (inside) 0 access-list no_nat_inside
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group acl_outside_in in interface outside
    access-group outbound in interface inside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.40.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community $XXXXXX$
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set 3des_strong esp-3des esp-sha-hmac
    crypto dynamic-map clientmap 50 set transform-set 3des_strong
    crypto map vpn 50 ipsec-isakmp dynamic clientmap
    crypto map vpn client configuration address initiate
    crypto map vpn client configuration address respond
    crypto map vpn client authentication LOCAL
    crypto map vpn interface outside
    isakmp enable outside
    isakmp identity address
    isakmp client configuration address-pool local vpn_client_pool outside
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup remote-vpn split-tunnel split_tunnel
    vpngroup remote-vpn idle-time 10800
    vpngroup remote-vpn password ANOTHER PASSWORD
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 192.168.40.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 60
    dhcpd address 192.168.40.100-192.168.40.131 inside
    dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    username AUSER password PASSWORD privilege 15
    terminal width 80
    ****************** End of config
    I have been searching docs and other people's postings trying to obtain the info to make this work. It appears pretty much boiler plate but I believe my problem is in the natting. I am using a range in the internal network for the VPN pool and I have tried switching this to other networks but this has not helped. Unfortunately I have been unable to get the PDM to work and I believe this is a PC config thing and I did not want to waste the time on it. I read a post where a person using the PDM interface with the same problem (not being able to access the internal network) was able to go to a section in the VPN wizard and set the Address Exeption Translation. They said they originally set the VPN subnet when they did not have to. Many of the other blogs I read also stated that if the natting is not proper for the VPN pool, it will not work, but I am confused by the examples. They show as I do the complete range for an access-list called no_nat_inside but I believe it should only have the VPN pool IP range and not the entire network since the others do require natting - not sure if my thought process is correct here. Any help will be greatly appreciated. Also this morning I just tried a boiler plate example from CISCO and it also did not do what I need for it to do. And I also connect a PC to obtain an IP to see if I can see it - no good. The PC can ping the PIX and vice versa but no one can ping the remote PC that connects via the CISCO Remote VPN client even though it receives an address from the vpnpool. Also include LAN is checked off on the client. This was mentioned in another post.
    Thank you once again.

    Hi,
    PIX501 is a very very old Cisco firewall that has not been sold for a long time to my understanding. It also doesn't support even close to new software levels.
    If you wanted to replace the PIX501 the corresponding model nowadays would be ASA5505 which is the smallest Cisco ASA firewall with 8 switch port module. There is already a new ASA5500-X Series (while ASA5505 is of the original ASA 5500 Series) but they have not yet introduced a replacing model for this model nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.
    But if you wanted to replace your PIX firewall then I would probably suggest ASA5505. Naturally you could get some other models too but the cost naturally rises even more. I am not sure at what price these are sold as used.
    I used some PIX501 firewalls at the start of my career but have not used them in ages since ASA5505 is pretty much the firewall model we use when we need a firewall/vpn device for a smaller network/branch site.
    Here is a PDF of the original ASA5500 Series.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
    Here is a PDF of the new ASA5500-X Series
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
    I am afraid that it's very hard for me at least to troubleshoot this especially since I have not seen any outputs yet. Also the very old CLI and lack of GUI (?) make it harder to see what the problem is.
    Could you provide the requested outputs?
    From the PIX after connection test
    show crypto ipsec sa
    Screen captures of the VPN Client routing and statistics sections.
    - Jouni
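
Added example, not part of the thread and not Cisco's or either poster's code: a small Python check over a few lines constructed in the style of the posted PIX configuration. It reports three things that can be read directly off that configuration (an `access-group` naming an ACL that is never defined, the VPN pool lying inside the inside interface's subnet, and ACL entries whose source and destination networks are identical); `lint`, the check names and the 203.0.113.2 address are assumptions, and nothing here establishes which, if any, is the cause of the reported symptom.

```python
import ipaddress

# Constructed sample in the style of the posted PIX 6.x configuration; the
# masked outside address is replaced by a documentation address (203.0.113.2).
SAMPLE = """\
access-list OutToIn permit ip any any
access-list outbound permit ip any any
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.40.2 255.255.255.0
ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
nat (inside) 0 access-list no_nat_inside
access-group acl_outside_in in interface outside
access-group outbound in interface inside
vpngroup remote-vpn split-tunnel split_tunnel
"""

def lint(config):  # hypothetical helper; returns a list of (check, detail) tuples
    rows = [line.split() for line in config.splitlines() if line.strip()]
    acls, nets, findings = {}, {}, []
    for t in rows:  # pass 1: collect ACL definitions and interface subnets
        if t[0] == "access-list" and len(t) > 2:
            acls.setdefault(t[1], []).append(t[2:])
        elif t[:2] == ["ip", "address"] and len(t) == 5:
            try:
                nets[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}").network
            except ValueError:
                pass  # masked values such as xxx.xxx.xxx.xxx are skipped
    for t in rows:  # pass 2: check each ACL reference and each address pool
        ref = None
        for kw in ("access-group", "access-list", "split-tunnel"):
            if t[0] != "access-list" and kw in t[:-1]:
                ref = t[t.index(kw) + 1]  # the ACL name follows the keyword
        if ref and ref not in acls:
            findings.append(("undefined-acl", ref))
        if t[:3] == ["ip", "local", "pool"] and len(t) == 5:
            first, _, last = t[4].partition("-")
            ends = [ipaddress.ip_address(a) for a in (first, last or first)]
            for name, net in nets.items():
                if any(a in net for a in ends):
                    findings.append(("pool-overlaps-interface", f"{t[3]} in {name} {net}"))
    for name, entries in acls.items():  # pass 3: entries with identical src and dst
        for e in entries:
            if len(e) == 6 and e[2:4] == e[4:6]:
                findings.append(("same-src-dst", name))
    return findings

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```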

Maybe you are looking for