Comments on: howto://Installing Microsoft Forefront TMG 2010, part one

By: Will

Will — Wed, 18 Jan 2012 15:29:59 +0000

Good info, cheers mate.

Problem being is that our LAN is part of a Local Authority WAN and they have the public IPs on their routers. We just connect to their network from our router and they manage our connectivity to the outside world.

Thanks for your help, it’s much appreciated

By: Ed Fisher

Ed Fisher — Wed, 18 Jan 2012 15:11:15 +0000

Okay, so you do need to have an interface of the TMG on the “outside” and one on the “inside” to do reverse proxy (secure web publishing.)

If your existing router only gives you one publicly routable IP you may have to redo your network so that your TMG is the default gateway on the inside, and has the one public ip.addr on the outside, but from traceroutes to you, it looks like you are on a small subnet, therefore…

Router->TMG external in DMZ->TMG internal in Internal->inside Parental Gateway

Router will forward all necessary traffic (assume TCP 80 and 443) to the ip.addr on the TMG external.
You’ll publish using a listener on the TMG, and make all requests appear to come from the TMG so responses from the Parental Gateway route back properly.

By: Will

Will — Wed, 18 Jan 2012 14:57:39 +0000

Hi Ed,
Thanks for the reply.
We want to setup TMG more for incoming traffic. We host our own Parental Gateway for access to their child’s data/reports etc. According to the developers of the Parent Gateway (Capita), in order to setup a password challenge and ‘reset via email’ procedure we need to have a ISA or TMG server in place.
Hope that makes sense.

By: Ed Fisher

Ed Fisher — Wed, 18 Jan 2012 13:17:06 +0000

Will,
What is it you want to do? Define that, and I can answer your questions better, but in short…
Internet-Router-TMGexternal-TMGinternal-internal clients would be one way to do it, but really depends on whether you want to use TMG to reverse proxy (publish) internal resources, or use TMG as a proxy for your clients. If you want to use it as a client proxy, one NIC is fine and configure your clients to use it as a proxy, no need to use as a default gateway.
Two NICs are required for the best security components of TMG, but they must be on different networks so the TMG routes traffic through…on the same subnet there will be no routing.
Of course, if you don’t have admin access to the router/squid, you may be faced with a very difficult task..again, depends on what you are hoping to accomplish.
HTH
Ed

By: Will

Will — Wed, 18 Jan 2012 11:29:55 +0000

I work in a school, so have an LA provided Router and Squid Proxy that sits on our LAN and provides us with external connection.

How would TMG integrate into a setup like this? Referring particularly to the 2x NICs. Would we need to configure the TMG “external” card to point at the router. Would our clients then need to have their default gateway address pointing at the “internal” card of the TMG? Will there be any issue with the 2 NICs being on the same subnet?

By: Ed Fisher

Ed Fisher — Thu, 17 Nov 2011 18:02:49 +0000

Bengt
Have you published the mail server protocols (SMTP) yet? Use the firewall console, right click, publish a new mailserver to permit inbound email.
Ed

By: Bengt Olsson

Bengt Olsson — Wed, 16 Nov 2011 21:03:23 +0000

Hey!
like your guides you have done about tmg 2010
my problem is i can send out not receive.
i have checked both server there have exchange 2010 hub, cas, mailbox no problem but are something with receive connectors what i can see but how can seeking was is wrong
not sure what is wrong here

Best regards
Bengt Olsson

By: Ed Fisher

Ed Fisher — Sat, 10 Sep 2011 11:46:48 +0000

Open an administrative cmd prompt.
Enter this command
netstat -ano | findstr 2171
That will tell you what the PID is for the process listening on port 2171.
Launch task manager, add the column for PID and sort on it. Find the PID that you got in the netstat command, and then either uninstall or reconfigure that to use an alternate port.
HTH
Ed

By: Albert

Albert — Sat, 10 Sep 2011 10:20:30 +0000

Need help.. how can I go ith this to fix this error

Configuration storage server cannot be installed because port required for installation is currently being used by another service port :2171

By: Ed Fisher

Ed Fisher — Thu, 09 Jun 2011 16:37:45 +0000

Thanks for the update! Glad you got it all sorted.
Ed

By: nick

nick — Thu, 09 Jun 2011 16:21:58 +0000

Hi Ed,
Ok solved the problem, somehow during the move to a new subnet the default gateway on the external NIC was removed… do not know how that happened, but re-adding and everything worked as expected. Arghhhhh!
With regards to changing the internal NIC IP address, I had some vague errors relating to SQL and as my TMG implementation was using locally installed SQL reporting and DB instance, it made sense to check, and if necessary, change the IP address property of the SQL Server Network Comms. It also really helped that I found the following articles which helped validate this approach.
http://social.technet.microsoft.com/Forums/pl-PL/Forefrontedgegeneral/thread/d1d2df7d-d1d6-4249-91fe-c8136d8487ad
http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Storage-101.html
Thanks for your help
Nick

By: Ed Fisher

Ed Fisher — Tue, 07 Jun 2011 19:58:29 +0000

Nick,
If you cannot see any traffic in the logs, my first concern is that the traffic is either not getting to the TMG, or that the network relationships may not be correct. Can you ping the TMG from any internal host? If you haven’t enabled ping, either do so, or stop the firewall service long enough to confirm you have basic layer 3 connectivity to the TMG’s internal interface from your other clients. If you are not configuring clients to use TMG as the proxy, is it a next hop router to the Internet for them? From your route add, you have something at 192.168.2.0/24 and 192.168.0.0/24 that you had to add to TMG’s routing table. But what did you put into the routing table for 192.168.0.1 to identify TMG as the path to the Internet (assuming NAT, not proxy) ?
If you are proxying, and you can ping the TMG, then ensure that the hosts are properly configured to use the TMG as a proxy. If you aren’t my bet is the fix lies in routing properly on 192.168.0.1, whatever that is.
Also, I was good with you on steps 1, 2, 3, 4 and 8, but I have not run into a need to do 5-7. Did you find another post or KB that directed you to do this?
Let me know about that, and whether your clients are supposed to be using the TMG as a proxy, or just as their gateway to the Internet. Also, have you added anything to the TMG, like Web Monitor or other third party plugin?
Ed

By: nick

nick — Mon, 06 Jun 2011 15:11:36 +0000

Hi,
I need to change my TMG2010 Server to a different IP address\ Subnet and support additional subnets being added to the scope of the internal network.
Since changing the address of the internal interface (twice) I have lost the ability to web browse from any subnet or on the TMG and Messaging publishing is not occurring inbound. However I can still can RA to the tmg through both internal \external interfaces. I cannot see any traffic being captured in the log traces.
I used the following approach to change IP addressing and although I no longer get messages reference invalid ranges or IP Spoofing I still cannot operate as expected.
1) Changed internal Interface Address
2) In FW Network objects\computer sets\Array Members\ – changed IP
3) Changed System policies where necessary
4) Added additional Subnets to Network Internal definition
5) Opened up SQL Server Config Manager\ SQL Server Network Config\Protocols for MSFW \ TCPIP\ – properties and change the IP address in IP Address Tab.
6) Did the same as above for ‘Protocols of ISARS’
7) Editing the registry to modify any instance of the following entries associated with the TMG internal interface address – msFPCIPAddress, msFPCName and msFPCIntraArrayAddress
Route added the additional subnets i.e
Route –4 – p 192.168.2.0 mask 255.255.255.0 192.168.0.1 Metric 266 IF 10
Any assistance would be most appreciated as I really do not want to have to rebuild it..

Nick