Route in TMG

Hi,
If I route traffic from External to Internal, why is TMG automatically routing traffic from Internal to External?
Is this due to some issue with the configuration?

Hi,
Route - a network rule of type Route establishes a bidirectional network connection between two networks, which routes the original IP addresses between these networks.
If you route from Internal to External, it will automatically route from External to Internal, as it is bidirectional.
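
Added example (not code from the original thread): a small Python model of how a TMG-style network rule table decides the relationship between two addresses, showing why a Route relationship matches in both directions while the default Internal-to-External NAT relationship is one-way only. The network names, address ranges and rule names are constructed for illustration and are not taken from any real TMG configuration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Network:
    """A TMG-style network object: a name plus the address ranges it covers."""
    name: str
    ranges: List[IPv4Network]

    def contains(self, addr: IPv4Address) -> bool:
        return any(addr in r for r in self.ranges)


@dataclass
class NetworkRule:
    """A TMG-style network rule: Route (bidirectional) or NAT (one-way)."""
    name: str
    relationship: str        # "Route" or "NAT"
    sources: List[str]       # names of source networks
    destinations: List[str]  # names of destination networks


class NetworkRuleTable:
    def __init__(self, networks: List[Network], rules: List[NetworkRule]):
        # Order matters: the first network whose range contains an address wins,
        # so the catch-all External network must be listed last.
        self.networks = networks
        # Rules are evaluated top to bottom; the first match decides.
        self.rules = rules

    def network_of(self, addr: str) -> Optional[str]:
        ip = ip_address(addr)
        for net in self.networks:
            if net.contains(ip):
                return net.name
        return None

    def relationship(self, src: str, dst: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (relationship, rule name) for traffic from src to dst.

        (None, None) means no network rule relates the two networks, so TMG
        has no path for the traffic, whatever the access rules say.
        """
        s, d = self.network_of(src), self.network_of(dst)
        if s is None or d is None:
            return None, None
        for rule in self.rules:
            forward = s in rule.sources and d in rule.destinations
            # A Route rule is bidirectional: the reverse direction matches too.
            # A NAT rule is not: External -> Internal never matches the NAT rule.
            reverse = (rule.relationship == "Route"
                       and d in rule.sources and s in rule.destinations)
            if forward or reverse:
                return rule.relationship, rule.name
        return None, None

    def source_seen_by_destination(self, src: str, dst: str,
                                   nat_address: str) -> Optional[str]:
        """Address the destination sees as the sender: the original address for
        Route, the TMG address on the destination side (nat_address) for NAT."""
        rel, _ = self.relationship(src, dst)
        if rel == "Route":
            return src
        if rel == "NAT":
            return nat_address
        return None


def build_example_table() -> NetworkRuleTable:
    """Constructed example: an Internal LAN, a hypothetical PPTP client range,
    and a catch-all External network, with one NAT rule and one Route rule."""
    networks = [
        Network("Internal", [ip_network("192.168.1.0/24")]),
        Network("PPTP Clients", [ip_network("172.16.1.96/29")]),  # hypothetical range
        Network("External", [ip_network("0.0.0.0/0")]),            # everything else
    ]
    rules = [
        # Internal -> External relationship is NAT: one-way only.
        NetworkRule("Internet Access", "NAT", ["Internal"], ["External"]),
        # Route between the PPTP range and Internal: one rule covers both directions.
        NetworkRule("PPTP to Internal", "Route", ["PPTP Clients"], ["Internal"]),
    ]
    return NetworkRuleTable(networks, rules)


if __name__ == "__main__":
    table = build_example_table()
    pairs = [("192.168.1.10", "203.0.113.5"), ("203.0.113.5", "192.168.1.10"),
             ("172.16.1.100", "192.168.1.10"), ("192.168.1.10", "172.16.1.100")]
    for src, dst in pairs:
        print(f"{src} -> {dst}: {table.relationship(src, dst)}")
```

Running it shows the NAT pair matching only Internal-to-External, while the Route pair matches in both directions with a single rule.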

Similar Messages

  • TMG vs Router

    Hi, guys
    I would like to know about TMG and routers. Without the firewall service, does TMG work like a router? Or could TMG replace the router in our environment?
    Nice day
    Timmoon

    Hi,
    TMG is a firewall, web proxy, reverse and forward proxy, VPN server and application layer gateway firewall; Forefront TMG is also able to act as a router, but TMG is not a product to replace a router.
    And you cannot disable the firewall services on the TMG server. You must create firewall policy rules which allow / deny traffic.
    Regards, Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3276?GPP=MarcGrote

  • TMG 2010 to connect Branch Office

    We have TMG 2010 installed as our proxy solution. Recently we opened a new branch office, but they are unable to reach the internet through the proxy. I have added the route add commands on the TMG server:
    route add 10.24.84.0 mask 255.255.255.224 10.24.30.20 -p    - Branch 1
    route add 10.24.86.0 mask 255.255.255.224 10.24.30.20 -p    - Branch 2
    10.24.30.20 is our core router IP...
    Is there any configuration required in the core router and branch office router? Branch office users can access all server services except the proxy solution. Please advise.

    Hi
    In your branch office, you need to ensure that the internal branch office subnet is able to reach the TMG server. You need a route to the TMG network from the branch office on the branch office router,
    and TMG should have a route to reach the branch office network.
    Add the branch office subnet as Internal in the TMG network range.

  • RV042 behind Forefront TMG 2010 (SOLVED)

    Currently I have a scenario where I have set up an RV042 which is connected to Microsoft Forefront TMG 2010. PPTP works fine only on the RV042 subnet, but I am not able to access the "internal" network of TMG.
    RV042 (172.16.1.1) ---> TMG [external] (172.16.1.2) ---> TMG [internal] (192.168.1.1)
    Is there any way, through a static route, to access the TMG internal network through the RV042 PPTP server?

    Well, after waiting so long for experts' views, I took help from one of my seniors, where I had to make changes in the NETWORK RULES of TMG by creating Internal to External & External to Internal rules for 5 PPTP IP addresses, and it started working. This is how it helped.
    Common troubleshooting steps:
    1. Check whether the IP address of TMG is pingable from the RV042 firmware.
    2. If not pinging, then create a policy to allow PING into the internal network.
    3. Do the STATIC ROUTING in the RV042, keeping the IP address as the TMG internal IP & the gateway as the TMG WAN static IP.
    4. Ping to confirm that you have access through the router to TMG using the PING utility of the RV042.
    5. Once you are able to PING, enable PPTP, connect from the remote side and PING the WAN static IP of TMG and any of the INTERNAL IPs of the TMG network.
    6. If you are not able to ping the TMG internal network by just STATIC ROUTING from the RV042,
    7. then you need to create two rules under NETWORK RULES of FOREFRONT (check this option in the FOREFRONT management window): first you need to create a range of PPTP IP addresses in the SUBNET category of TMG and use this range of IP addresses in the rules we are going to create.
    8. Create SOURCE (PPTP IP ADDRESS RANGE) to INTERNAL and INTERNAL to (PPTP IP ADDRESS RANGE).
    9. That's it, I am sure you will be able to ping it from the remote side and so access the resources of the TMG network.
    Please, if anyone has any doubts, post them here. I'll be really glad to help. Thank you.

  • TMG Standalone Array simple question

    Hi everyone, I have what I think is a simple question, but I don't know if I'm missing something in all the tutorials about standalone arrays I've read.
    I'm working with 2 TMG Enterprise editions on 2008 R2 in a test environment. Both are on SP2, fully updated, with a single 20 Mbit connection. I would like these two TMGs to work for high availability using that connection only, and I was able to join both in
    a standalone array. Here's how they're configured:
    tmg01
    internal NIC IP range: 192.168.1.1/24
    second internal NIC: not connected at the moment, considering it for an intra-array network if needed later on (if anyone suggests it is absolutely necessary)
    external NIC IP: DHCP supplied by ISP.
    tmg02
    internal NIC IP range: 192.168.1.2/24
    second internal NIC: not connected at the moment.
    external NIC: not connected. (where do I connect this one if I only have one modem for that 20 Mbit connection??)
    I have read that the intra-array network is not absolutely necessary, so I'm leaving those unplugged.
    Now, here's my question: since they're both already in an array, if tmg01 fails to deliver (let's assume it has a hardware malfunction), how is tmg02 going to take over and connect to the external network if by definition my modem only accepts one cable? Will
    I have to be near the server and change the cable to the other NIC in tmg02 for it to work, or do I have to add something in between the modem and the two TMGs?
    Is there something I'm missing? Will I be needing 2 connections? Maybe it's too obvious or stupid and it just went past me. I'm open to criticism and opinions.
    Thanks

    Hi
    Let's follow the best practice.
    In production, the normal setup for a fully redundant architecture needs three servers: one for the array and the other two as TMG servers for HA.
    1. TMG Array Server – subnet routable with the internal TMG subnet (you can also have this on any one TMG, but best practice is to separate it)
    2. TMG – 1 – two NICs, Internal / External
    3. TMG – 2 – two NICs, Internal / External
    A second internal NIC is not required in your setup, so you can go with two NICs, External and Internal, on both TMGs.
    Join TMG 1 and TMG 2 to a single array, which is server 1. By this, all the configuration you make on one TMG will sync with the other TMG.
    How TMG will handle a server failure
    You need to create two NLBs in TMG:
    one for Internal and one for External.
    Internal NLB
    You need to create an Internal NLB. Since you are using the 192.168.1.0/24 network for Internal, assign an internal NLB address of 192.168.1.3.
    If you want to use TMG as the gateway for all internet connections, then you need to have a default route from the internal network pointing to 192.168.1.3, which is the TMG NLB internal IP address.
    External NLB
    Since you have not mentioned the external network, let's assume you are using 10.10.10.0/24 and the external interface of TMG 1 is 10.10.10.1 and TMG 2 is 10.10.10.2. Then create
    an External NLB and assign it the IP address 10.10.10.3.
    You need to have a switch in between your router and the TMG servers:
    connect the TMG 1 and TMG 2 external interface NICs to the switch;
    on the external NIC, set the gateway as the modem IP address on both TMGs;
    connect an internet cable from the modem to the same switch.
    Ensure that you have a route to 10.10.10.0/24
    from the modem to the External NLB IP address, i.e. 10.10.10.3.
    Now you don't have to switch cables to the modem.
    Good Luck !!

  • TMG Traffic For a Specific IP isn't leaving the server despite valid routes and no firewall

    Hi,
    I'm struggling to troubleshoot a TMG networking issue:
    I have a TMG server set up in my DMZ. Inbound traffic hits a 3rd party firewall router, goes to the TMG server and is then routed back through the 3rd party firewall router to my internal network. I've set up web publishing rules and listeners for IIS
    sites and SMTP traffic, using a different IP to listen for 2 different websites and another IP for SMTP.
    The issue I have is that my TMG server can't ping a server on the internal network on a specific IP:
    TMG can ping 192.168.11.190
    TMG cannot ping 192.168.11.191
    Firewall rules are configured to permit traffic (no denied connections are shown in the monitor).
    tracert and pings to 192.168.11.190 hit the internal IP of the 3rd party router
    tracert to 192.168.11.191 simply responds with * * * * before timing out
    Monitoring from within TMG shows the correct IP is being used in both cases (internal NIC 192.168.10.10).
    A route print from TMG has a valid route to the internal network:
    (network) 192.168.11.128 (mask) 255.255.255.128 (gateway) 192.168.10.126
    In summary:
    - TMG can ping 192.168.11.190, but not 192.168.11.191
    - Valid routes exist
    - No firewall rules are blocking communication
    - Traffic to 192.168.11.191 doesn't seem to be leaving the TMG server
    Any advice on solving this would be appreciated.
    Cheers

    It can have many reasons, but it appears to me you are having a routing issue. I can't say for sure, because I don't have the entire IP addressing scheme. I assume you have used separate subnets for the External DMZ and Internal DMZ.
    Have you configured the 192.168.11.128/25 subnet as a correct 'Address' range 192.168.11.128 - 192.168.11.255 on the 'Internal' interface within TMG?
    Boudewijn Plomp | BPMi Infrastructure & Security
    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember, if you see a post that helped you please click "Vote as Helpful", and if it answered your question, please click "Mark as Answer".

  • Don't reach a network , even when I add a route to the TMG machine

    Hello,
    I attach the image so it is easier to understand.
    Basically, as the drawing shows, I am trying to reach DC1 from TMG2, but I am unable to. To achieve it I just added a route (red-coloured in the image) to the TMG2 machine, but the log keeps telling me "Packet dropped because the ip is unreachable."
    I really don't know why the machine can't get to DC1; the firewall is off.
    Also, TMG1 allows all the ICMP traffic from the Perimeter to the LAN.
    I have a question: TMG2 sees 192.168.2.0/24 as External; I don't have a definition for such a network on the TMG2 machine. There is a NAT relationship between the Perimeter network and the External network, and I am wondering if this is what is causing the whole issue.
    I edited the post to ask another question:
    I have a Route relationship between the LAN and the Perimeter network in TMG1; I wonder if that should be a NAT relationship between those two networks.
    Thanks in advance!
    Luis Olías, Systems Technician/Administrator. Sevilla (España - Spain)

    Thanks again Anders.
    Answering you:
    1. Yes, it is the DC and it needs to be accessed from the machines in other branches, because I have set up a site-to-site VPN between a branch office and the main office. (Lab for now, not a working environment)
    2. The TMG2 logs say that any traffic going to DC1 is dropped because "Packet dropped because the ip is unreachable." All are packets coming from the DC in the branch office, asking for DNS traffic 53 UDP, LDAP, Kerberos, and so forth, in order to
    get in touch with DC1.
    3. Since the traffic is dropped by TMG2, TMG1 doesn't receive any traffic. But the rules to pass through it are well set (in my view; I have set up many rules in ISA Server 2006).
    4. TMG1 sees TMG2 as belonging to the Perimeter network (you can see it in the picture, if I drew it well, I mean).
    5. There is a Route relationship between Perimeter and LAN, which is just where I think the problem could be, but I really don't get the difference between NAT and Route. I know the difference, NAT hides the private IPs, but I still don't see how
    that affects things here.
    Again: Thanks!
    Luis Olías, Systems Technician/Administrator. Sevilla (España - Spain)

  • Internet Access through TMG for all HO & Branch office

    Dear Experts!
    I am new to Forefront TMG 2010. I have a requirement to implement internet access.
    Head office: 192.168.11.x/24 (192.168.11.1 is the TMG server)
    Branch Office 1: 192.168.12.x/24
    Branch Office 2: 192.168.14.x/24
    Branch Office 2: 192.168.16.x/24
    Forefront TMG 2010 Standard Edition.
    It has 3 NICs: two have different ISP network addresses and one has 192.168.11.1.
    Branch offices are connected using an MPLS network. The requirement is that all branch site internet must be accessed through the TMG 2010 server, which is homed in the head office. How do I achieve this?
    What needs to be done in the external firewall and in TMG for enabling internet access?
    Thanks!
    Regards, Ganesh, MCTS, MCP, ITILV2 This posting is provided with no warranties and confers no rights. Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread.

    Hi Ganesh,
    Hope this helps.
    1 - If you wish to give internet access to users via the proxy:
    Ensure the subnets below are able to reach the TMG internal interface, that is 192.168.11.1.
    Subnets
    Branch Office 1: 192.168.12.x/24
    Branch Office 2: 192.168.14.x/24
    Branch Office 2: 192.168.16.x/24
    Configuration
    Enable the proxy in TMG and configure the proper ports as per your requirements.
    On the client IE, ensure you set the proxy IP as TMG and the port as configured in the TMG configuration.
    Enable a rule:
    Access Rule
    Source: Internal
    Destination: External
    Ports: HTTP / HTTPS
    Users: Authenticated Users
    2 - Normal internet access with TMG as the gateway for users:
    You need to request your MPLS provider to change the default route of the subnets below to 192.168.11.1. By doing this, all the internet requests from the subnets below will hit TMG.
    Subnets
    Branch Office 1: 192.168.12.x/24 Default Route 192.168.11.1
    Branch Office 2: 192.168.14.x/24 Default Route 192.168.11.1
    Branch Office 2: 192.168.16.x/24 Default Route 192.168.11.1
    If you have an L3 switch, then you can also make the L3 switch the default gateway for all the subnets and point it from the L3 device to TMG.
    Enable a rule:
    Access Rule
    Source: Internal
    Destination: External
    Ports: HTTP / HTTPS
    Users: All Users (Important)
    Two ISPs
    In network rules: you need to use NAT.
    You will have a rule which NATs Internal to External.
    On External, choose which ISP interface should be used and apply the NAT rule.

  • How to use time capsule as hard drive and connect with existing net gear router

    I have a Netgear D6300 router, which I use to connect to the internet; it is excellent so far for my downloads and games etc. for my PS4 and hence I am keen to continue using it. I bought the AirPort Time Capsule for wireless storage, and when I set it up, I was advised on setup to connect the TC to my router, and it did what it needed to do.
    Now, in order to connect to the internet, I need to connect wifi to the Netgear router, but to access the Time Capsule, I need to change the wifi connection to my newly created wifi network with the TC.
    I want to use the TC as backup storage for my Mac (it's a 3TB TC), but also, my laptop has only a 500GB hard drive which is now half full from downloads, so I want to transfer all my downloads to my TC and use it as an external hard drive, with future downloads going to the TC. But when I connect to the wifi of the TC, I can copy my folder on my Mac, but not paste it to the TC in Finder. (The only thing in the TC is an image of tmg of my MacBook from the first backup.)
    How do I use the TC as an external HD? There wasn't much difference in price between a non-TC and TC external wifi/wireless HD at 3gb, so I just thought I'd go for the AirPort TC option.
    And is it possible to stay connected to wifi internet via the Netgear router AND the wifi TC? The whole point I bought it (from the US, shipped to Australia via eBay, therefore not able to send it back) was to use the TC as a large external HD via wifi, but keep my Netgear router going.
    Surely there is a way to avoid having to flick between the wifi connections of the TC and Netgear internet.
    When I'm connected to the TC, I can't access the internet, only the TC.
    And I don't really want to connect the TC to my router via an ethernet cable, as there are too many cables.
    This can't be a difficult situation to manage, but I'm not sure how to do it.
    Thanks

    And I don't really want to connect TC to my router via ethernet cable, as too many cables.
    Sorry, but you have very little choice.
    The TC can join a wireless network.. but it is flaky, poor, slow and a highly NOT recommended way to do things.
    Nevertheless, if you want to give it a try.. here is the method.
    How do I setup my time capsule with wireless internet?
    You SHOULD plug the TC into the Netgear and run it in bridge mode.. you set the wireless to create a wireless network.. then when you connect to the TC it will also be connected to the internet, and fast.
    (If you don't do that you may as well have used a USB drive plugged into the Netgear, as it would be just as good.)
    The TC is not actually designed for mixing Time Machine backups and files.. but if you are just storing downloads that is OK.. but I strongly recommend you use a DMG or sparsebundle to prevent the TM and the data from messing each other up.
    See Pondini's instructions here.
    http://pondini.org/TM/Time_Capsule.html

  • How to stop windows ipv6 route table auto-update

    In IPv6, Windows XP can get one global IPv6 address. How do I delete the address and delete the route in the route table persistently? And stop the route table auto-updating?

    The WsusContent folder is filled with 256 folders whose names are two characters long (e.g. 00, 0A, 0B, etc.), and each of those folders is filled with exe and cab files, all with what appears to be a GUID as a filename.
    Currently the C:\Program Files\Update Services\WsusContent folder is 27.5GB in size with 256 folders and 15,361 files.
    Classifications are confirmed matching exactly when viewed from either the WSUS console or the Software Update Point Component Properties on the CAS server:
    Critical Updates
    Definition Updates
    Security Updates
    Service Packs
    Update Rollups
    Updates
    Product selection is confirmed matching exactly when viewed from either the WSUS console or the Software Update Point Component Properties on the CAS server:
    Developer Tools (VS 2005 - 2013, etc)
    Exchange 2007, 2010, 2013
    Forefront Endpoint Protection 2010, TMG Definition Updates for HTTP Malware and NIS, TMG, TMG Firewall Client
    BitLocker Admin
    Lync 2010, Lync Server 2010 and 2013
    System Center DPM 2006 and 2010
    Office Dictionary updates, new dictionaries, XP, 2003, 2007, 2010, 2013
    Silverlight
    SQL Server 2012, 2000, 2005, 2008, 2008 R2, 2012, feature pack
    System Center 2012 (all), 2012 R2 (all), 2012 SP1 (all)
    Windows (all except EU browser choice and graphics drivers for 8.1 upgrade)
    Admittedly we could update that list a bit, but it sounds like you don't think there should be any content downloading to the WsusContent folder at all?

  • Issue with UAG/TMG communication to published SharePoint application is blocked by access policy settings

    We have a UAG/TMG server set up with SharePoint published. The UAG is also doing load balancing for the SharePoint farm. We have an MDM application that is trying to connect to our SharePoint, but our SharePoint is routed through the UAG. The MDM application
    does not need to be published, nor is there any component that can be accessed directly by end users. It is more of a proxy to relay content to mobile devices. It is using 443 and two other secondary ports.
    On the TMG logs, we can see requests hitting the TMG over port 443 from the MDM application server. We can also see that it is trying to be routed to our SharePoint, but we get the following error in the TMG log:
    “Filter information: A request from source IP address xx.xx.xx.xx, user to trunk portal; Secure=1 for application SharePoint of type SharePoint15 failed. The endpoint device does not comply with access policy settings ([%PolicyId%]) for session [%SessionId]”
    The source IP is the internal IP of the host running the MDM application. On the UAG side, under the SharePoint publishing rule, for Access Policy Settings we have tried selecting the 'Always' option, but that had no effect. It appears that there is a policy
    blocking communication to SharePoint. Does anyone have a suggestion on which policy, or where the policy that is controlling this is located, so that we can try to resolve this issue? Thanks.

    Looking at the UAG Web Monitor, it says that the access policy is 'Hybrid_Default_Session_Access' and the URL is /_vti_bin/Webs.asmx. 
    We can't find a 'Hybrid Default Session Access' policy. In the Endpoint Policy Settings tab, we tried using 'Always' for the Access Policy for the published SharePoint application but that did not make any difference. 

  • Publishing Exchange coexistance in 2010/2013 in TMG

    I already asked this in the TMG forums and didn't really get the answers there, so I'm hoping I get better luck
    here, so slightly rephrased:
    Environment:
    Two Windows 2008 R2, Exchange 2010 SP3 servers, currently holding all mailboxes
    Two Windows 2012 R2, Exchange 2013 SP1 servers, setup in progress
    Two Windows 2008 R2, TMG 2010, V7.0.9193.540, publishing both Exchange 2010 servers.
    Scenario:
    I need to allow incoming and outgoing emails through TMG to both Exchange 2010 and 2013, as it will take me weeks, if not months, before all mailboxes are in 2013.
    Question:
    1. How do I need to configure TMG to allow both Exchange 2010 and 2013 simultaneously?
    2. Do I just redirect all SMTP for Exchange 2010 mailboxes to Exchange 2013 in TMG, and 2013 just passes on the traffic to 2010 if it doesn't have the mailbox?
    Hoping to hear from someone who's actually had 2010/2013 in coexistence with TMG doing the publishing and firewalling for Exchange. Thanks.

    These answers assume that all servers are in the same Exchange organization.
    1. Exchange 2013 will proxy all Exchange 2010 traffic, so you should route all traffic through and publish the Exchange 2013 servers rather than trying to publish both. Unfortunately, TMG hasn't been updated with a wizard for Exchange 2013.
    I've seen this article that explains how to publish Exchange 2013, but I haven't tried it myself since none of my Exchange 2013 customers have deployed TMG with it. It does come from a source I would trust.
    http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx
    2. Generally I don't recommend routing SMTP through TMG as it doesn't offer much value for that, but there's no reason you can't do it. You should not have to worry about the server to which you route SMTP, since SMTP mail will find
    its way to the correct destination regardless of where you submit it. It is my preference to change your routing so that all mail goes through the Exchange 2013 servers early in the project rather than late.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • TMG SSO issue with Windows 7 clients

    I have a very strange problem with the Forefront TMG 2010 Single Sign On feature.
    SSO settings:
    I'm publishing two websites (https://site1.domain.com and https://site2.domain.com) by using the same web listener with SSO enabled for *.domain.com
    SSO is working like a charm for Windows 8.1 clients.
    The issue when accessing sites from Windows 7 clients:
    On the first access to any of the sites (i.e. site1), I'm getting the TMG forms login form - as expected.
    I log in, then visit a few pages of the same site (i.e. site1), and everything works as expected. I'm logged in, and I can surf.
    The problem arises when I try to open the other site (i.e. site2). I'm getting the TMG forms login form again! And even worse - as soon as the new TMG login form opens -
    I'm logged off from the first site also. So not only must I log in separately for both sites - I can't be logged in to both sites at the same time, because as soon as I log in to one site, the session with the other site is terminated!
    The interesting thing is that the behavior is the same in any browser. I've tried with IE, Chrome and Mozilla - the problem is the same.
    When an external client tries to open the second site, TMG logs one interesting message:
    Req ID: 0ae9f57b; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ;
    FBA cookie: exists=yes, valid=no, updated=no, logged off=no, client type=private, user activity=yes
    It looks like TMG finds that the cookie is not valid and deletes it, terminating this way the existing session with all sites.
    My setup:
    Array of two TMG 2010 SP2 RU4 servers, on Windows Server 2008 R2, all updates installed.
    The published websites (site1.domain.com and site2.domain.com) reside on two different servers (srv1 and srv2).
    Websites are published over HTTPS using an SSL certificate obtained from the local PKI. All clients and servers have the PKI CA in their "Trusted Root Certificates" store. No client or server reports any certificate issue. Websites are "green"
    in the address bar.
    I'm really confused by this behavior, especially due to the fact that the same third-party browser (Chrome) can be used with SSO without any problem when installed on Windows 8.1, but not when installed on Windows 7!?!?
    Any help would be appreciated...
    Thanks!
    Fat Dragon

    Hahah! Shame on me! The problem is not related to Windows 8.1 / Windows 7. The client OS coincides with the DNS server settings... To explain:
    My two-server TMG array has two public IPs (each server having one) - 1.1.1.1 and 1.1.1.2.
    In order to avoid setting the same IPs for all my websites, I've decided to create one common A record, and to define all websites as CNAME records pointing to this common A record. (This way I have just one place where I should change the IP if it changes.)
    My common A record is defined as follows:
    a.domain.com -> 1.1.1.1, 1.1.1.2
    And the websites as follows:
    site1.domain.com -> a.domain.com
    site2.domain.com -> a.domain.com
    When multiple IPs are bound to the same host, some DNS servers will round-robin them, and some will not. For example, when I do an nslookup on the PC with Google's public DNS server (8.8.8.8) I'm getting the following result:
    C:\Windows\System32>nslookup site1.domain.com
    Server: google-public-dns-a.google.com
    Address: 8.8.8.8
    Non-authoritative answer:
    Name: a.domain.com
    Addresses: 1.1.1.1
    1.1.1.2
    Aliases: site1.domain.com
    No matter how many times I execute nslookup, I'm getting the same answer, with the IP addresses in the same sequence. But when I do an nslookup on the PC that uses the local DNS service on the router, the sequence of IP addresses changes with each subsequent call:
    C:\Windows\System32>nslookup site1.domain.com
    Server: UnKnown
    Address: 192.168.1.1
    Non-authoritative answer:
    Name: a.domain.com
    Addresses: 1.1.1.1
    1.1.1.2
    Aliases: site1.domain.com
    C:\Windows\System32>nslookup site1.domain.com
    Server: UnKnown
    Address: 192.168.1.1
    Non-authoritative answer:
    Name: a.domain.com
    Addresses: 1.1.1.2
    1.1.1.1
    Aliases: site1.domain.com
    In my case the Windows 8.1 machines were using Google's public DNS server, so all of them were resolving both websites in the same way, always using the first IP obtained - 1.1.1.1. In other words, both websites were pointing to the same TMG array member, 1.1.1.1.
    And SSO was working as expected.
    On the other side, my Windows 7 machines were set up to get network settings dynamically from the DHCP service (the router), and they were using its DNS service (second example). So when the browser opens site1.domain.com it queries DNS for site1.domain.com,
    gets two IPs, as always selects the first one (1.1.1.1), makes a request to the first member of my TMG array and successfully creates a session. The browser caches site1.domain.com -> 1.1.1.1, so each subsequent call goes to the same address without querying the DNS
    server. But when the browser opens site2.domain.com it queries the DNS server again, this time getting the same IP addresses, but reordered. As always it selects the first one (1.1.1.2), and sends the request (with the authentication cookie) to
    the second TMG array member. The second TMG validates the cookie and doesn't recognize it, so it
    rejects it and deletes it, and redirects the browser to the login form. Since the cookie is deleted, the browser cannot access site1.domain.com (through 1.1.1.1) anymore.
    Huuuhhh.
    The new question: can SSO be set up with TMG arrays and DNS round robin? Is there any way to "force" array members to accept cookies distributed by other members?
    I guess that I must open a new question...
    Sorry for my stupidity!
    Fat Dragon

  • IPad 2 looses username and password with Microsoft Forefront TMG

    My company uses Microsoft Forefront TMG as a proxy on our guest wireless access. We have a guest username and password that changes every few weeks that iPads can use to access the internet at work - we are not allowed into the company network! Although I can put the guest username and password into the authentication dialog, the username and password are lost after the iPad has been off for several minutes and I have to re-enter them. In the pre-iOS 5.0 versions I was able to set the wireless to automatically remember the password and to auto-fill the username and password each time. Now, the username and password that come up are from the pre-iOS 5.0 settings - it doesn't remember the new username and password from the last time that I logged in. This occurs with any app that attempts to log in after I turn the iPad on. The same issue comes up with other iPads here as well. Settings are: Auto-Join and Auto-Login set, HTTP Proxy Off. IP address received from DHCP.
    Is there any setting that I can use to get around this problem?
    LW

    The apps worked when I originally got it (several days ago), and I could also log on to the websites.
    Could it be my wireless router? I did notice that when my MacBook Pro is asleep and I open it up to wake it, it sometimes disconnects my wifi signal (everything connected to my signal will lose it) for about 20 seconds, and then it will come back.
    Not sure if that is connected to my problem with logging into websites and apps, but I'll just put that info out there.

  • AD authentication for routed local subnet

    Good day,
    I'm testing the addition of a routed local subnet to an existing network and seem to be experiencing trouble with AD authentication.
    Primary network:
    Subnet: 192.168.0.0/24
    Default GW: 192.168.0.1
    PDC/DHCP/DNS1: 192.168.0.2
    BDC/DNS2: 192.168.0.3
    Routed network:
    Subnet: 192.168.17.0/24
    Default GW: 192.168.17.1
    DNS1/2: 192.168.0.2/192.168.0.3
    DHCP relay is configured and functioning.
    Primary network gateway has persistent route for subnet 192.168.17.0/24 hopping via router IP 192.168.0.122.
    Ping tests OK both ways and internet is browsable from clients in routed network.
    The problem occurs when clients in the routed network attempt to access domain resources in the primary network. Using
    net view //test-host results in a 5 minute pause and then "Access Denied". Unable to view //test-domain/netlogon.
    I have added the routed subnet to the existing Default-First-Site in AD Sites and Services.
    I'm certain I'm missing something simple here and will appreciate any advice.

    Hi Christoffer, thanks for your reply.
    There are no firewall rules active between the two subnets; however, our primary network gateway is a Forefront TMG MBE firewall. To my knowledge this should not interfere with the inter-subnet routing; however, there could be access/policy rules that determine
    how TMG (localhost) responds to traffic from the routed subnet. I will need to look closely at this if AD authentication is not at fault.
    The nltest queries also seem to return successful responses:
    nltest /dsgetdc:[DOMAIN]
    DC: \\[PDC]
    Address: \\192.168.0.2
    Dom Guid: [GUID]
    Dom Name: [DOMAIN]
    Forest Name: [FOREST]
    Dc Site Name: Default-First-Site-Name
    Our Site Name: Default-First-Site-Name
    Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET
    nltest /dsgetsite
    Default-First-Site-Name
