Skype TMG 2010 problem

Dear Sir,
I have a problem configuring my TMG 2010 proxy to allow Skype to go through while HTTPS inspection is on.
I exclude *.skype.com and *.skype.net from the inspection process, but I still couldn't connect; moreover, when I disable the HTTPS inspection feature it works just fine.
Regards,

Guys, does anyone have the same problem?!

Similar Messages

  • Problem with blocking upload file TMG 2010

    I'm using TMG 2010. I have 3 rules:
    1/ Allow Internet Access:
    protocols: dns, http, https
    from: localhost, internal to: External
    2/ Allow Protocols:
    protocols: all traffic
    from: localhost, internal to: localhost, internal
    3/ Default Rule: Block all.
    The problem is: I want to block file uploads from internal to external, so I've made an HTTP filter in Allow Internet Access like this: Config HTTP --> Signature: Search in: Request Header
     Http header: Content-Type:
     Signature: mutipart/form-data
    Methods: Block method POST
    Unfortunately, it doesn't work and I don't know why. If I create a rule to block web, it works. Please help me. Thanks!

    Hi,
    You could check the following blog to see whether you missed anything.
    How to block Attachment Uploads using Microsoft TMG
    http://www.kuwaitgeekz.com/?p=2248
    (Note: Microsoft provides third-party contact information to help you find technical support. This contact
    information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.)
    Best Regards,
    Joyce
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • TMG 2010 report problem Operation has timed out

    Hello.
    I'm stuck and I really need assistance.
    We had a TMG 2010 RTM version and I decided to update it to the latest rollup and SP (dumb head).
    So now we have TMG 2010 SP2 Rollup 4.
    Before I updated TMG, reports worked fine, but now reports are not working at all.
    When I try to execute a report (or schedule a daily or weekly report) I get the same issue:
    Error 31289:
    The report "Daily" could not be generated. Report Server error information: The report Daily could not be generated. Report Server error information: The operation has timed out.
    The error occurred on object 'Reports' of class 'Reports Configuration' in the scope of array 'TMG`
    I read all the guidelines (including this one: http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-How-to-use-SQL-Server-2008-Express-Reporting-Services.html) and did not find anything useful.
    The settings are correct, and I have not changed any settings.
    Now I have run out of ideas, so I ask for your help.

    That would be expected as the RAT key does not exist by default on a TMG system. You will need to create it and the subkeys referenced along with the values.
    Create as described in the article. 
    Hth, Anders Janson Enfo Zipper

  • Forefront TMG 2010 Error from management console

    Hi,
    I am having a problem connecting to a TMG 2010 array from an installation of the TMG management console; we are receiving the error 'Refresh Failed' 'Error 0x80070057' 'The Parameter is incorrect'.
    The only article I can find on this error is this: http://support.microsoft.com/kb/2591719, which doesn't seem to apply to our setup or this problem, but I have applied Service Pack 2 anyway and still get the same error. The only other thing I can find is a few people saying the management console needs to be at the same version as the TMG servers you are trying to connect to, but I cannot see how this can be done, as when I try to run the service pack on the machine with only the management console I get an error because the full installation is not there.

    Hi,
    Firstly, have you found any related information in the event logs?
    Next, you can check the version of the TMG server from the TMG help menu, TMG system node or using Control Panel. For more detailed information, please refer to the link below:
    How to Determine Which Version of TMG Server 2010 Is Installed
    In addition, what hotfix rollup or Service Pack have you installed? Please refer to the recommended order below:
    Forefront TMG 2010 Service Pack, Rollup, and Version Number Reference
    Best regards,
    Susie

  • TMG 2010 publishing Exchange 2010 OWA cannot change password if user must change password at first logon is set

    Hi,
     I have an odd issue whereby if I set "user must change password" on an AD account, the end user cannot log on; they're simply taken back to the OWA login page as if their password is incorrect.
    My setup is as follows:
    outer TMG -- uses a listener for email.contoso.com and is configured for no authentication. This uses a publishing rule to publish the inner TMG server. This server is not a domain member.
    inner TMG - uses a listener for email.contoso.com and is configured for NTLM\Kerberos negotiation with forms authentication (Windows Active Directory). This server is a domain member and uses a publishing rule to publish the internal CAS. Allow users to change password is selected in the publishing rules.
    Exchange 2010 SP1 - uses integrated Windows and basic authentication. Has the appropriate registry key configured to allow users to change their AD password on first logon.
    I've registered an SPN for "http/email.contoso.com mailserver-dc1"; all SSL certificates being used are valid, and my configuration used to allow users to log in and change their password with "user must change password on first login" set in AD.
    If I launch a web browser on an internal server and point it to email.contoso.com I'm immediately presented with a generic Windows authentication request (similar to what's seen in ADFS) rather than the standard OWA page. No matter what I do, I cannot log in and change my password using the correct URL. However, if I point my browser at http://192.168.4.10/owa I'm prompted to log in and I can change my password using the same credentials.
    The only recent changes made are:
    - Disabling SSL 3.0 and enabling TLS  (http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html)
    - Replacing the TMG listener certificates so that they now use SHA2 rather than SHA2 (certificates are trusted on each TMG server)
    Looking on the outer TMG and the DC logs I can see schannel errors which I believe are related to the problem. TMG monitoring also shows "Failed connection attempt: 1907 The user'spassword must be changed before logging on for the first time"
    I've checked that my inner TMG and DC are using the same certificate for server authentication and gone through this guide:
    http://blogs.technet.com/b/keithab/archive/2012/02/29/setting-up-and-troubleshooting-ldaps-authentication-in-forefront-tmg-2010.aspx
    If I try to use ldp.exe on the inner TMG, I get the error in the pic below
    Thanks
    IT Support/Everything

    Hi,
    You could try to analyze the TMG tracing and try the troubleshoot steps in the blog below.
    TMG 2010 – FBA, troubleshooting the change password feature 
    http://blogs.technet.com/b/isablog/archive/2012/05/07/tmg-2010-fba-troubleshooting-the-change-password-feature.aspx
    Best Regards,
    Joyce

  • Can't open ports on TMG 2010

    The main issue is that the external Lync clients can't connect to the Lync server. The reason this happens is blocked ports on TMG.
    There are non-web server publishing rules set up allowing inbound connections from the public IP to the Lync Edge server's external IP using TCP ports: 443, 444, 445, 5061, 50000-59999 (inbound).
    All the rules used to work fine and the external Lync clients were connecting fine, but now when I test the ports on the public IP using web tools (like checkmyports.net) I am getting "Port is Closed" for all of them.
    What is not allowing the ports to be open?
    Nothing has been changed on the TMG server. The other rules (ActiveSync and OWA access) on the TMG work with no problem.
    Any help would be greatly appreciated!

    Hi,
    Thank you for your post here.
    Please double check your configuration via the article below:
    http://ucbeacon.blogspot.com/2013/03/configure-forefront-tmg-2010-as-reverse.html
    Please also check the TMG live logging.
    Best Regards
    Quan Gu

  • Unable to install Forefront TMG 2010 on Server 2008 R2 with SP1

    Hi, I am installing TMG 2010 on Server 2008 R2 with Service Pack 1... then I am getting the error as in the snapshot below... kindly help me out.

    Hi Deepak
    Thanks a lot for your quick response. Please find below the logs which I found in C:\Windows\Temp. There are three text files in this folder. I have pasted the content of the three files below.
    14:14:02 INFO:    Installer activated, command-line=''
    14:14:02 INFO:    Expanded full extraction path of SQL Express 2008 SP1 Package is 'C:\Windows\temp\{196A1AC7-AE04-46AA-8CB3-196D6F4760C0}'.
    14:14:02 INFO:    Install scenario
    14:14:02 INFO:    CMsiAttendantInstaller::Prepare: Upgrade code is not set
    14:14:02 INFO:    CMsiAttendantInstaller::Prepare: There is no any product code for upgrade code
    14:14:02 INFO:    CMsiAttendantInstaller::Prepare: Upgrade code is not set
    14:14:02 INFO:    CMsiAttendantInstaller::Prepare: There is no any product code for upgrade code
    14:14:02 ERROR:    CSSEInstaller::GetInstanceId failed to open reg key 'SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    14:14:02 INFO:    CSSEInstaller::Prepare: Failed to get the instace id of MSFW
    14:14:02 ERROR:    CSSEInstaller::GetInstanceId failed to open reg key 'SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    14:14:02 INFO:    CSSEInstaller::Prepare: Failed to get the instace id of ISARS
    14:14:02 INFO:    CMsiAttendantInstaller::Prepare: Upgrade code is not set
    14:14:02 INFO:    CMsiAttendantInstaller::Prepare: There is no any product code for upgrade code
    14:14:02 INFO:    Installing ISA (Core components)...
    14:14:02 INFO:    CFirewallInstaller: Activating installation, command line args = '-I "F:\FPC\MS_FPC_Server.msi "WRAPPER=1 ARPSYSTEMCOMPONENT=1 MEDIAPACKAGEPATH=\FPC\ REBOOT=ReallySuppress'
    14:14:16 ERROR:    Setup failed. Error returned: 0x643
    14:14:16 ERROR:    CBasicInstaller: Install failed, hr=0x80070643
    14:14:16 ERROR:    Installation failed. hr = 0x80070643
    14:14:16 ERROR:    Installation failed, hr=0x80070643
    14:14:16 ERROR:    InstallProducts: Install ISA (Core components) failed, hr=0x80070643
    14:14:26 ERROR:    Wrapper: Install failed, hr = 0x80070643
    14:14:26 ERROR:    Wrapper: DoSetup failed, hr = 0x80070643
    14:14:26 ERROR:    Wrapper: DoSetup failed, hr = 80070643
    14:14:26 ERROR:    Setup of ISA failed. Return value: SETUP_ERROR_ISA
    IInd File
    14:14:10 ISA setup CA INFO   : ENTRY: ValidateSKU, PID 2220 (0x8AC), Current user is WIN-BTIIPGG01E6\Administrator
    14:14:10 ISA setup CA INFO   : OriginalDatabase = F:\FPC\MS_FPC_Server.msi
    14:14:10 ISA setup CA INFO   : This is EE installation
    14:14:10 ISA setup CA INFO   : EXIT: ValidateSKU, Custom Action succeeded
    14:14:10 ISA setup CA INFO   : ENTRY: SetServerServiceRunning, PID 2220 (0x8AC), Current user is WIN-BTIIPGG01E6\Administrator
    14:14:10 ISA setup CA INFO   : Service lanmanserver is running
    14:14:10 ISA setup CA INFO   : EXIT: SetServerServiceRunning, Custom Action succeeded
    14:14:11 ISA setup CA INFO   : ENTRY: PropertyAssign, PID 2220 (0x8AC), Current user is WIN-BTIIPGG01E6\Administrator
    14:14:11 ISA setup CA INFO   : FW Services feature state: -1
    14:14:11 ISA setup CA INFO   : EXIT: PropertyAssign, Custom Action succeeded
    14:14:11 ISA setup CA INFO   : ENTRY: SetDotNetInstalledProperty, PID 2220 (0x8AC), Current user is WIN-BTIIPGG01E6\Administrator
    14:14:11 ISA setup CA INFO   : EXIT: SetDotNetInstalledProperty, Custom Action succeeded
    14:14:11 ISA setup CA INFO   : ENTRY: SetRebootRequiredBeforeInstallationProperty, PID 2220 (0x8AC), Current user is WIN-BTIIPGG01E6\Administrator
    14:14:11 ISA setup CA INFO   : CheckExistValue failed. key = PendingFileRenameOperations.
    14:14:11 ISA setup CA INFO   : FOpenKey failed. key = SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired.
    14:14:11 ISA setup CA INFO   : FOpenKey failed. key = SOFTWARE\Microsoft\Updates.
    14:14:11 ISA setup CA INFO   : EXIT: SetRebootRequiredBeforeInstallationProperty, Custom Action succeeded
    14:14:11 ISA setup CA INFO   : ENTRY: SetISARegistrySettingsForCOM, PID 2220 (0x8AC), Current user is WIN-BTIIPGG01E6\Administrator
    14:14:11 ISA setup CA INFO   : VerifyPropertyEqualValue: Property Sku =
    14:14:11 ISA setup CA INFO   : EXIT: SetISARegistrySettingsForCOM, Custom Action succeeded
    14:14:11 ISA setup CA INFO   : ENTRY: Set_RrasIsVpn, PID 2220 (0x8AC), Current user is WIN-BTIIPGG01E6\Administrator
    14:14:11 ISA setup CA INFO   : RRAS is configured as VPN.
    14:14:11 ISA setup CA INFO   : EXIT: Set_RrasIsVpn, Custom Action succeeded
    14:14:11 ISA setup CA INFO   : ENTRY: EE_ValidatePropertiesSyntax, PID 2220 (0x8AC), Current user is WIN-BTIIPGG01E6\Administrator
    14:14:11 ISA setup CA INFO   : Checking the length of properties
    14:14:11 ISA setup CA INFO   : VerifyPropertyLength: Property ENTERPRISE_NAME length < 300
    14:14:11 ISA setup CA INFO   : VerifyPropertyLength: Property ENTERPRISE_DESCR length < 300
    14:14:11 ISA setup CA INFO   : VerifyPropertyLength: Property STORAGESERVICE_ACCOUNT length < 300
    14:14:11 ISA setup CA INFO   : VerifyPropertyLength: Property STORAGESERVICE_PWD length < 300
    14:14:11 ISA setup CA INFO   : VerifyPropertyLength: Property STORAGESERVER_CONNECT_ACCOUNT length < 300
    14:14:11 ISA setup CA INFO   : VerifyPropertyLength: Property STORAGESERVER_CONNECT_PWD length < 300
    14:14:11 ISA setup CA INFO   : VerifyPropertyLength: Property ARRAY_NAME length < 300
    14:14:11 ISA setup CA INFO   : VerifyPropertyLength: Property ARRAY_DESCR length < 300
    14:14:11 ISA setup CA INFO   : VerifyPropertyLength: Property ARRAY_DNS_NAME length < 300
    14:14:11 ISA setup CA INFO   : VerifyPropertyLength: Property REPLICATION_SOURCE_PATH length < 260
    14:14:11 ISA setup CA INFO   : VerifyPropertyLength: Property ARRAY_ENTERPRISEPOLICY length < 300
    14:14:11 ISA setup CA INFO   : VerifyPropertyLength: Property CLIENT_CERTIFICATE_FULLPATH length < 260
    14:14:11 ISA setup CA INFO   : VerifyPropertyLength: Property SERVER_CERTIFICATE_FULLPATH length < 260
    14:14:11 ISA setup CA INFO   : VerifyPropertyLength: Property SERVER_CERTIFICATE_PASSWORD length < 32
    14:14:11 ISA setup CA INFO   : VerifyPropertyLength: Property FULLPATHANSWERFILE length < 260
    14:14:11 ISA setup CA INFO   : Length of all properties is correct
    14:14:11 ISA setup CA INFO   : Checking the syntax of some properties
    14:14:11 ISA setup CA INFO   : Syntax condition of all properties is correct
    14:14:11 ISA setup CA INFO   : Checking the syntax of the MSIPROP_ARRAY_INTERNALNET properties
    14:14:11 ISA setup CA INFO   : Syntax of the properties internal range property is correct
    14:14:11 ISA setup CA INFO   : Checking the syntax of the property ARRAY_INTERNALNET_ENT_NETS
    14:14:11 ISA setup CA INFO   : Syntax of the property ARRAY_INTERNALNET_ENT_NETS is correct
    14:14:11 ISA setup CA INFO   : Checking the syntax of the property INTRA_ARRAY_ADDRESS_IP
    14:14:11 ISA setup CA INFO   : Checking the syntax of the property HOST_ID
    14:14:11 ISA setup CA INFO   : Checking the existance of files in properties
    14:14:11 ISA setup CA INFO   : All properties that contain files exist
    14:14:11 ISA setup CA INFO   : EXIT: EE_ValidatePropertiesSyntax, Custom Action succeeded
    14:14:11 ISA setup CA INFO   : ENTRY: ValidateRDPAddressType, PID 2220 (0x8AC), Current user is WIN-BTIIPGG01E6\Administrator
    14:14:11 ISA setup CA INFO   : TMG remote installation uses IPV4 connection
    14:14:11 ISA setup CA INFO   : EXIT: ValidateRDPAddressType, Custom Action succeeded
    14:14:11 ISA setup CA INFO   : ENTRY: GetEnvParams, PID 2220 (0x8AC), Current user is WIN-BTIIPGG01E6\Administrator
    14:14:11 ISA setup CA INFO   : The machine does not belong to any domain
    14:14:11 ISA setup CA INFO   : EXIT: GetEnvParams, Custom Action succeeded
    14:14:11 ISA setup CA INFO   : ENTRY: CalculateFirstDialog, PID 2220 (0x8AC), Current user is WIN-BTIIPGG01E6\Administrator
    14:14:11 ISA setup CA INFO   : Current dialog Flow is: /Dialogs/Dialog[@name='Flows']
    14:14:11 ISA setup CA INFO   : Updated flow CurrentDialogFlow = /Dialogs/Dialog[@name='Flows']/Dialog[@name='EE']
    14:14:11 ISA setup CA INFO   : Current dialog Flow is: /Dialogs/Dialog[@name='Flows']/Dialog[@name='EE']
    14:14:11 ISA setup CA INFO   : Updated flow CurrentDialogFlow = /Dialogs/Dialog[@name='Flows']/Dialog[@name='EE']/Dialog[@name='InstallWelcome']
    14:14:11 ISA setup CA INFO   : First Dialog in the flow: FirstDialog = InstallWelcome
    14:14:11 ISA setup CA INFO   : EXIT: CalculateFirstDialog, Custom Action succeeded
    14:14:13 ISA setup CA INFO   : ENTRY: CalculateNextDialog, PID 2220 (0x8AC), Current user is WIN-BTIIPGG01E6\Administrator
    14:14:13 ISA setup CA INFO   : Current dialog Flow is: /Dialogs/Dialog[@name='Flows']/Dialog[@name='EE']/Dialog[@name='InstallWelcome']
    14:14:13 ISA setup CA INFO   : Updated flow CurrentDialogFlow = /Dialogs/Dialog[@name='Flows']/Dialog[@name='EE']/Dialog[@name='InstallWelcome']/Dialog[@name='LicenseAgreement']
    14:14:13 ISA setup CA INFO   : Next dialog in the flow is: NextDialog = LicenseAgreement
    14:14:13 ISA setup CA INFO   : EXIT: CalculateNextDialog, Custom Action succeeded
    14:14:15 ISA setup CA INFO   : ENTRY: CalculateNextDialog, PID 2220 (0x8AC), Current user is WIN-BTIIPGG01E6\Administrator
    14:14:15 ISA setup CA INFO   : Current dialog Flow is: /Dialogs/Dialog[@name='Flows']/Dialog[@name='EE']/Dialog[@name='InstallWelcome']/Dialog[@name='LicenseAgreement']
    14:14:15 ISA setup CA INFO   : Updated flow CurrentDialogFlow = /Dialogs/Dialog[@name='Flows']/Dialog[@name='EE']/Dialog[@name='InstallWelcome']/Dialog[@name='LicenseAgreement']/Dialog[@name='CustomerInformation']
    14:14:15 ISA setup CA INFO   : Next dialog in the flow is: NextDialog = CustomerInformation
    14:14:15 ISA setup CA INFO   : EXIT: CalculateNextDialog, Custom Action succeeded
    14:14:16 ISA setup CA INFO   : ENTRY: ValidatePIDGenX, PID 2220 (0x8AC), Current user is WIN-BTIIPGG01E6\Administrator
    14:14:16 ISA setup CA INFO   : OriginalDatabase = F:\FPC\MS_FPC_Server.msi
    14:14:16 ISA setup CA ERROR  : LoadLibrary(F:\FPC\Program Files\Microsoft ISA Server\msfpcPidGenX.dll) failed, ec=193
    14:14:16 ISA setup CA ERROR  : Setup failed while validating Product ID.
    14:14:16 ISA setup CA ERROR  : (Error 28021) Setup failed while validating Product ID.
    14:14:16 ISA setup CA ERROR  : EXIT: ValidatePIDGenX, Custom Action failed (0x643)
    IIIrd File
    Logging stopped: 4/7/2014  14:14:16 ===
    MSI (c) (E4:34) [14:14:16:224]: Note: 1: 1708
    MSI (c) (E4:34) [14:14:16:224]: Product: Microsoft Forefront Threat Management Gateway EE  -- Installation operation failed.
    MSI (c) (E4:34) [14:14:16:224]: Windows Installer installed the product. Product Name: Microsoft Forefront Threat Management Gateway EE . Product Version: 7.0.7734. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.
    MSI (c) (E4:34) [14:14:16:224]: Grabbed execution mutex.
    MSI (c) (E4:34) [14:14:16:224]: Cleaning up uninstalled install packages, if any exist
    MSI (c) (E4:34) [14:14:16:224]: MainEngineThread is returning 1603
    === Verbose logging stopped: 4/7/2014  14:14:16 ===
    Below error Code I got from Application Event
    Product: Microsoft Forefront Threat Management Gateway EE  -- Setup failed while validating Product ID.
    Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

  • Publish a monitoring camera through TMG 2010

    Hi, I have a monitoring IP camera inside my LAN that I want to publish through TMG 2010 to access from outside. The camera has a built-in web server running (currently) on port 80. Inside the LAN (no restrictions) everybody who has a login to the cam can watch. So the cam is working pretty well. Now I created a web publishing rule in TMG 2010 for the cam but it seems not to be enough. I can easily connect to the log-on screen of the cam, I can log in, but then I get an empty (black) picture (the cam healthy light on the screen is yellow instead of green, which means the video is not working)! No stream is visible. The cam should not use any other (additional) ports; I checked that by using Wireshark. What can be the problem that TMG blocks the stream?

    Hi,
    As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
    Best regards,
    Susie

  • TMG 2010 SP2 Rollup 5 - None Available Worker threads

    Hi Guys,
    We're experiencing some problems with our TMG 2010 Array (SP2 Rollup 5), and the first thing I can see is that the "Available Worker Threads" are 0 many times during the day. How can I debug this issue further to know the root cause?
    Best Regards
    Federico Giampietri Latamsupport IT Infrastructure Services

    Hi,
    >>"Available Worker Threads" are 0 many times during the day.
    Could you see any other abnormal symptom in TMG?
    The issue in the KB below has a symptom that "The Available Worker Threads counter in the Forefront TMG Firewall Service may suddenly decrease to zero". But this has been fixed in Rollup 5. If you still have the same issue after installing Rollup 5, you may need to open a case with Microsoft.
    FIX: Server that's running Forefront Threat Management Gateway 2010 stops accepting all new connections and becomes unresponsive
    Best Regards,
    Joyce

  • TMG 2010 anonymous access

    Hi all,
    I upgraded from ISA Server 2006 to TMG 2010. In ISA Server we were using the forward proxy for authenticated and non-authenticated users. But after I upgraded to TMG 2010, non-authenticated users who try to use the proxy get access denied from the proxy... The proxy is set to all users... How do I set it up for non-authenticated users?
    Thanks
    Falcon

    Hi,
    Proxy traffic always needs the session to be authenticated. Only secure NAT clients can work as unauthenticated sessions.
    For your problem, change the gateway of all the clients to TMG and add an anonymous access rule.

  • TMG 2010 Array Brings down the entire internal network

    Ok, so this is as weird as it sounds.
    We've been working with ISA and TMG since 2004, this is the first time I've seen this kind of behavior. Let me explain the details.
    We implemented 3 TMG 2010 Servers in an Array and 2 EMS Servers on Windows Server 2008 R2. Each TMG Server has 4 NICs (Internal, External, DMZ-Intra-array). At first we wanted to enable them with an F5 Hardware Load Balancer but after weeks of trying to make them work together we couldn't (SNAT and routing issues related), so we tried using Windows NLB but had problems with the Multicast configuration using VMware and after some other battles we decided to first try out just using one TMG Server as the main one to try to make it work. The customer we are implementing this for is currently using ISA 2006 and they wanted to upgrade to TMG 2010 using basically the same stuff as their ISA had, so we backed up that configuration and imported it into TMG without problems.
    We added the TMG Servers on the EMS configuration and everything replicated just fine.
    Since they already had IPS, Cisco ASAs and Ironports as Proxy they decided to disable NIS, Malware inspection, Flood Mitigation and all those things TMG has for better securing Internet traffic.
    The firewall policy rules are about 100 and they have 3 publishing rules to HTTPS Services. 
    So after making the necessary configuration changes to the TMG infrastructure, we then decided to unplug the ISA Servers, change the TMG servers IP Address to the ISA Server ones and test to see if everything worked just as ISA Server did. However it didn't.
    At first we had issues related to slow internet traffic; after troubleshooting for some time we ended up finding out that the source IP used by TMG was different than the one ISA was using, even if the same IP was configured on the NIC and the other IPs were configured as alternates. We found out after some searching that Windows Server 2008 R2 uses some RFC and manipulates the IP address on a NIC in a way that 2003 didn't. We found out that we needed to add the other IPs via Netsh int ipv4 add address <Interface Name> <ip address> skipassource=true
    After that configuration we got things working fine... for a while. Several hours later, servers started losing connectivity, switches stopped responding and the entire network collapsed! After unplugging the TMG Servers, everything returned back to normal. We thought this was an issue related to drivers or something to do with the VMware platform, so it was decided to reinstall everything on physical servers.
    After some days of reconfiguring again TMG Servers, we made the switch again, unplugged the ISA Servers, configured the TMG with the ISA IP Addresses, did the NETSH thing and then tested out everything and everything worked.
    But again hours later the same behavior appeared once more! Servers and switches stopped responding and the entire network went down once more! Again we unplugged the TMG Servers and everything returned back to normal!
    So here we are, back to square one with no clue on what is causing this behavior on the network. The current physical servers are running HP 3666i 4 multiport 10Gb NICs; we don't know if that has something to do with this, or the fact that the switch core to which the TMG servers are directly connected is a Nexus 7000 and there are some configuration issues with it against the TMG or something. The TMGs are patched with Service Pack 2 Update Rollup 5.
    We are probably going to open a support case with Microsoft with this issue, but we first wanted to see if anyone else may have had, seen or heard something related to this and has an explanation or ideas on why is this happening.
    I appreciate any replies.
    Thank you all.
    Eduardo Rojas

    Hi, I believe your TMG is virtual and NLB is set up. If so, you need to bind the physical switch port with the NLB MAC address in multicast mode. Let's take an example: if your internal NLB physical NIC is connected to switch ports 1 and 2, then you need to manually bind the NLB MAC to ports 1 and 2, and likewise for every NLB-enabled zone. Read the VMware NLB documentation, as they support multicast in virtual environments. So do not use unicast in NLB if it's virtual. All should be okay with the above configuration.

  • Lync 2013 clients behind TMG 2010

    Hi
    My scenario is as follows:
    Lync Client 2013 --> TMG 2010 --> ISP Router (without filter ports)
    I have a problem with this scenario because TMG drops my voice calls and suddenly drops my connection with the server. In TMG I created the following rule:
    From internal to external, and URL Set (*.microsoftonline.com, *.microsoftonline-p.com, *.onmicrosoft.com, sharepoint.com, *.outlook.com)
    Protocols: http, https, RTP, SIP, Sip Server, Sips, Sips Server,
    50040-50059 TCP Outbound
    50000-50019 UDP Send Receive
    3478 UDP Send Receive
    59999 UDP Send Receive
    50020-50039 UDP Send Receive
    So what is the problem with this TMG 2010 (with all updates, SPs and rollouts)?
    Thanks

    Hi,
    The following blog might help.
    http://www.jaapwesselius.com/2012/12/21/publish-lync-2013-services-in-tmg-2010/
    (Note: Microsoft provides third-party contact information to help you find technical support. This contact
    information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.)
    Best Regards,
    Joyce

  • Hyper link of public image(hyperlink or image) can not be saved on windows server 2012 and sharepoint 2010 problem

    hyper link of public image(hyperlink or image) can not be saved on windows server 2012 and sharepoint 2010 problem, is this a bug?
    thanks for any reply.
    Rosone

    It is not a bug; you might be using IE on Windows Server 2012, and the browser might be restricting your site actions from responding properly.
    Check this in a different browser or access the site from a different OS.
    Adnan Amin MCT, SharePoint Architect | If you find this post useful kindly please mark it as an answer.

  • Error the service FWSRV of TMG 2010 on Windows server 2008 R2 Enterprise

    Please help me with an issue with TMG 2010:
    My company installed TMG 2010 on Windows Server 2008 R2 Enterprise, but this error occurs: "Due to an unexpected error, the service fwsrv stopped responding to all requests. Stop the service or the corresponding process if it does not respond, and then start it again. Check for related error messages."
    and "The Firewall service stopped because an application filter module C:\Windows\SYSTEM32\ntdll.dll generated an exception code C0000005 in address 0000000077A72F86 when function CompleteAsyncIO was called. To resolve this error, remove recently installed application filters and restart the service."
    I have reinstalled, but the error appears again. My company has about 2000 clients accessing through TMG 2010.
    I have tried updating Windows and TMG to the latest, but could not solve this issue.
    I hope everyone can help me as soon as possible. Thank you so much.

     
    Hi Luis,
    Not sure whether this will fix your issues; however, give it a try and let us know so that others can also provide suggestions.
    Disable:
    - Antivirus
    - Monitoring tools / hardware diagnostics tools which come with the server vendor
    Try:
    - http://support.microsoft.com/kb/2649961
    - http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=2649961&kbln=en-us
    Ensure you have enough space for logs to be stored.

  • How to add HTTP Header Response X-Frame-Options:SAMEORIGIN from OWA published via Forefront TMG 2010 to stop Clickjacking

    How to add HTTP Header Response X-Frame-Options:SAMEORIGIN from OWA published via Forefront TMG 2010 to stop Clickjacking. I have put the IIS setting X-Frame-Options:SAMEORIGIN on my Internal CAS Server. However, as the OWA page is published through Forefront TMG 2010, the iFrame tag is not blocked when the page is first opened. Only when you log in with your credentials to the OWA page inside the frame and the page reaches IIS on the Internal CAS does it get blocked. I want to block it in the first instance when it is opened from TMG.

    Hi,
    Thank you for the post.
    To modify the http header, please refer to this blog:
    http://tmgblog.richardhicks.com/2009/03/27/using-the-isa-http-filter-to-modify-via-headers-and-prevent-information-disclosure/
    Regards,
    Nick Gu - MSFT
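
The gap described in this thread is that the logon page served by TMG carries no anti-framing header while the response from the internal CAS does. As an added example (not part of the original posts; the response text and labels are constructed), this Python check classifies captured responses by their X-Frame-Options and Content-Security-Policy frame-ancestors headers, so the pre-login and post-login pages can both be verified after a header change. The frame-ancestors check goes beyond the single header named in the thread.

```python
# Added example, not from the thread. All response text is constructed sample data.

VALID_XFO = {"deny", "sameorigin"}


def parse_response(raw):
    """Split a raw HTTP response into (status line, {lowercased name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines that have no colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def frame_ancestors(headers):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.lower() for p in parts[1:]]
    return None


def framing_verdict(raw):
    """Classify one response as 'protected', 'unprotected' or 'review'."""
    _, headers = parse_response(raw)
    ancestors = frame_ancestors(headers)
    if ancestors is not None:
        # Browsers that enforce frame-ancestors use it in place of X-Frame-Options.
        return "unprotected" if "*" in ancestors else "protected"
    # The header may be repeated or comma-joined, so collect every distinct value.
    values = {v.strip().lower()
              for field in headers.get("x-frame-options", [])
              for v in field.split(",") if v.strip()}
    if not values:
        return "unprotected"
    if len(values) == 1 and values <= VALID_XFO:
        return "protected"
    return "review"  # conflicting values, or one that is not DENY/SAMEORIGIN


def audit(responses):
    """Map each labelled response to its verdict."""
    return {name: framing_verdict(raw) for name, raw in responses.items()}


# Constructed samples: the logon form from the publishing proxy, the page from
# the backend after login, a header set at two layers, and a CSP-only response.
SAMPLES = {
    "proxy_logon_form": (
        "HTTP/1.1 200 OK\r\nCache-Control: no-cache\r\n"
        "Content-Type: text/html\r\n\r\n<html>logon form</html>"
    ),
    "backend_after_login": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>mailbox</html>"
    ),
    "header_added_twice": (
        "HTTP/1.1 200 OK\r\nx-frame-options: SAMEORIGIN\r\n"
        "X-Frame-Options: DENY\r\n\r\n"
    ),
    "csp_only": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for label, verdict in audit(SAMPLES).items():
        print(f"{label:22} {verdict}")
```

A 'review' verdict marks a response worth inspecting by hand, for example when the header is set both on the proxy and on IIS with different values.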
