Welcome back. In our last post we began our install of TMG 2010. We’ll pick right up with that in just a moment, but in case you didn’t read that one, or just want a summary, here is where we stand. We’ve just completed the install of TMG 2010 Enterprise on a Server 2008 R2 machine with two NICs. The server was configured with one NIC on the Internet, and one on the internal network. Following the install, we launched the Management console, and here we are for part two, all caught up and ready to rock and roll.
When we launch the management console, the first thing we’ll see is that our install is not really done. Despite the fact that we configured our internal network during the initial setup (à la ISA 2006,) we need to configure network settings. Until we finish this process, not even our TMG server has full Internet access, so you’
Click the first step to launch the Network Setup Wizard. Clicking next presents you with a choice of network setup options, and if you have used ISA 2006 before, you’ll recognise those as the network templates.
If you remember what we discussed in part one of this post, we are deploying TMG as an Edge firewall, so we’ll just click next. The next step is to identify the network adapter connected to our LAN. We’ll pick the internal NIC from the dropdown box and see the settings populate like this.
You may recall that our network is a simple, single subnet. If we had other internal subnets, and did not get our routing table squared away before we began the install, we could add them here. Note though that adding them here does not carry them through to the operating system’s routing table. You will still need to do the old route add –p routine. With nothing needing adjustment here, we’ll click Next again, and select/configure our Internet settings.
Since our ISP (TWC) assigns an ip.addr through DHCP, we’ll use that option. They want $20 a month for a static, but in a future post, we’ll discuss ways around that. It is just DHCP after all. </wink> Click next again, and accept the prompt about system policy allowing DHCP replies on the external interface. Read the summary and click Finish. You’ll be warned that you might be disconnected (if you are using RDP) but I haven’t seen that happen. If it does, just reconnect.
The next step is to configure system settings. Click the option to begin.
This step is really more of a confirmation than anything else. We belong to the domain, so this just has us confirm those settings and move along.
Click Define deployment options to proceed. In the following screens, we are going to set the basis for TMG’s protection/control of the internal network, more than any ingress firewall or application publishing. We’ll leave the defaults in place, and then make a couple of tweaks to permit outbound traffic. After starting the wizard, our first choice is to use the Microsoft Update service or not.
You may have WSUS installed internally, but many more updates come from this, including malware site lists, definition files, etc., so our best bet is to leave the default and click next.
TMG comes with two add-ons. The Network Inspection Service is free, and Web Protection comes with a 120-day evaluation license. NIS helps to secure your VPN connections, and Web Protection screens your clients from web based threats while they are surfing, so we want both. Future posts should cover both of these in more detail (wow, I am setting myself up for a LOT of writing!)
Clicking Next takes us to settings for updates, customer feedback, and the level of participation. Leave all at the default for now, or change them if you wish to what you are comfortable with. Click through to the end, and notice we have a new option checked; Run the Web Access wizard.
Click close, and off we go. Allons ‘zee!
Again, we’re most interested in getting up and running (and preserving default settings for future posts) so we’re just going to click through the next several screens. You’ll see that they set up a block for minimum URL categories, including anonymizers, bot nets, pr0n, etc. Then you can configure unrestricted users if so required. It’s when we get to Malware Inspection Settings that things get interesting.
Defaults include blocking encrypted zips. This is good in that it prevents infected files that cannot be scanned from being accessed, but it may also cause problems if encrypted zips are a normal part of your business process. We’re going to leave it be and keep going…decide for yourself how critical this is for your company.
The next two screens are both wicked cool, and kind of scary. TMG can do inspection of HTTPS delivered content. It does this by basically pulling off a man-in-the-middle attack. Your clients encrypt between themselves and TMG, and TMG encrypts between itself and the destination server. The first screen is enabling this; the second determines whether or not your users are informed.
I seriously doubt you want to block HTTPS traffic, but you better make sure that your AUP covers everything, including notification of monitoring.
Now, you might be asking yourself how this little bit of eldritch magick is accomplished. The next screen holds the secret sauce.
The TMG server will generate certificates dynamically for any https site your users visit. In order to trust those certs, the TMG CA must be installed as a trusted root. By providing the credentials above, TMG can install the root CA through group policy. There are some critical points about this, though.
- Only Internet Explorer and Chrome on domain members will automatically trust these certificates.
- Firefox, Opera, and any browser on non-domain members will require that you install the root certificate manually.
- The default GPO refresh interval will mean that you may have some clients pop warnings anyway. Just do a gpupdate /force to get past that.
The next screen is where you set aside some disk space for caching web content. On a production box, you will want to use a separate physical disk (or array) for best performance. For our little lab box, I am just going to set aside 100MB.
Clicking Next this time takes us to finishing the wizard. If you used domain admin creds, the root certificate will be added to your GPO and you will see this.
I’m really quite sorry, but we are not done. Almost, but not quite. You should now see the actual TMG management console. Notice up top?
You need to click apply, click the radio button to save the changes and restart the services, and then provide the reason (think configuration change management and documentation) before those settings take effect. Do so, give it a few seconds, and then check your system tray.

So now we have Internet connectivity for our internal network, right? Uhm, yeah, not so much. Our TMG server has connectivity, but we still must permit our internal clients to access the tubes. In the management console, go up and select Firewall Policy, then edit rule number two.
At the very least, add DNS so that your internal DNS server can resolve external names.
Apply the change, give it a few moments, and you should be able to hit the web. However…
- Most of your internal clients won’t have updated group policy yet, so any https sites they try to visit will throw an error about an untrusted certificate. Remember, GPUPDATE /FORCE will fix this, but only after GP has replicated throughout the domain, and only for domain members running IE and Chrome.
- Remember that if you’re using your TMG as your gateway, you need to configure all your internal hosts to use the TMG’s internal ip.addr as their default gateway.
- You are only permitting HTTP, HTTPS, and DNS traffic to pass right now. FTP, IM, and other business-critical traffic is blocked. If you need to permit any other outbound traffic, and you don’t feel like tackling this on your own, don’t start your deployment until you read this upcoming post on configuring access rules.
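As an added example (not from the original post), here is a small Python script that checks a pasted `route print` table for the routing mistakes this post and its comments keep running into: a default gateway on the internal NIC, more than one default route, a default route that points back at the host itself, and an internal subnet added with plain route add instead of route add -p. The sample table and the addresses 192.168.1.10, 203.0.113.25 and 10.10.0.0/16 are constructed.

```python
"""Check a TMG box's IPv4 routing table (pasted `route print` output) for the mistakes
this post and its comments keep running into.  Added example; the sample table below
is constructed, not captured from a real server."""
import ipaddress
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_route_print(text):
    """Return (active, persistent) IPv4 routes from `route print` text as dicts."""
    active, persistent, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("IPv6 Route Table"):
            break                       # the IPv6 table repeats the headers; stop here
        if line.startswith("Active Routes:"):
            section = "active"
            continue
        if line.startswith("Persistent Routes:"):
            section = "persistent"
            continue
        parts = line.split()
        if section is None or not parts or not IPV4.match(parts[0]):
            continue                    # column headers, separators, "None"
        if section == "active" and len(parts) == 5:
            active.append(dict(dest=parts[0], mask=parts[1], gateway=parts[2],
                               iface=parts[3], metric=parts[4]))
        elif section == "persistent" and len(parts) == 4:
            persistent.append(dict(dest=parts[0], mask=parts[1], gateway=parts[2],
                                   metric=parts[3]))
    return active, persistent

def default_routes(active):
    return [r for r in active if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]

def self_pointing_defaults(active, local_ips):
    """Default routes whose next hop is one of the host's own addresses, i.e. the
    loop the DC in the comments had (0.0.0.0 -> 192.168.189.1 on 192.168.189.1)."""
    return [r for r in default_routes(active) if r["gateway"] in set(local_ips)]

def check_tmg_routes(text, internal_ip, external_ip, remote_internal_subnets=()):
    """Return findings as strings; an empty list means the table matches the post's advice."""
    active, persistent = parse_route_print(text)
    findings = []
    defaults = default_routes(active)
    if not defaults:
        findings.append("no default route: the external NIC needs a default gateway")
    elif len(defaults) > 1:
        findings.append("%d default routes: only the external NIC may have a default gateway"
                        % len(defaults))
    for r in defaults:
        if r["iface"] == internal_ip:
            findings.append("default route via internal NIC %s (gateway %s): remove it"
                            % (internal_ip, r["gateway"]))
    for r in self_pointing_defaults(active, (internal_ip, external_ip)):
        findings.append("default route points at this host's own address %s" % r["gateway"])
    persisted = {(r["dest"], r["mask"]) for r in persistent}
    for subnet in remote_internal_subnets:      # subnets beyond the internal NIC's own
        net = ipaddress.ip_network(subnet, strict=False)
        key = (str(net.network_address), str(net.netmask))
        via_internal = [r for r in active if (r["dest"], r["mask"]) == key
                        and r["iface"] == internal_ip and r["gateway"] != "On-link"]
        if not via_internal:
            findings.append("no route to internal subnet %s via %s: add it with route add -p"
                            % (subnet, internal_ip))
        elif key not in persisted:
            findings.append("route to %s is not persistent and will vanish on reboot: "
                            "re-add it with route add -p" % subnet)
    return findings

def sample_route_print(internal_default_gw=False, persisted=False):
    """Constructed `route print` excerpt for a TMG with INTERNAL 192.168.1.10, EXTERNAL
    203.0.113.25 (DHCP) and a second LAN 10.10.0.0/16 behind an internal router."""
    rows = ["IPv4 Route Table",
            "===========================================================================",
            "Active Routes:",
            "Network Destination        Netmask          Gateway       Interface  Metric",
            "          0.0.0.0          0.0.0.0      203.0.113.1     203.0.113.25     10"]
    if internal_default_gw:   # the mistake: a default gateway on the internal NIC as well
        rows.append("          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.10     20")
    rows += ["       10.10.0.0      255.255.0.0    192.168.1.254     192.168.1.10     11",
             "        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306",
             "      192.168.1.0    255.255.255.0         On-link      192.168.1.10    266",
             "      203.0.113.0    255.255.255.0         On-link      203.0.113.25    266",
             "===========================================================================",
             "Persistent Routes:"]
    if persisted:             # what `route add -p 10.10.0.0 mask 255.255.0.0 192.168.1.254` leaves
        rows += ["  Network Address          Netmask  Gateway Address  Metric",
                 "        10.10.0.0      255.255.0.0    192.168.1.254       1"]
    else:
        rows.append("  None")
    rows += ["", "IPv6 Route Table", "Active Routes:",
             " If Metric Network Destination      Gateway", "  1    306 ::1/128   On-link"]
    return "\n".join(rows)

if __name__ == "__main__":
    table = sample_route_print(internal_default_gw=True, persisted=False)
    for finding in check_tmg_routes(table, "192.168.1.10", "203.0.113.25", ["10.10.0.0/16"]):
        print("-", finding)
```

Run it against your own `route print` output (pass the text to `check_tmg_routes` with your two NIC addresses) before you start the TMG install, since the install wizard only reads what is already in the table.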
Sound off! If you liked what you just read, have any difficulties following the instructions, or have tips for streamlining the process, leave a comment!
Do all of the user computers have to be a member of the domain to use Forefront CLient?
Hi Brad,
No they do not, though it will be easier to manage them if they are since you can use Group Policy. Manually setting up the clients presents more administrative overhead, and if the network changes you will have to go back and touch those workgroup clients again, but they will still work. Just keep in mind that any rules you set up for ‘authenticated users’ will prompt those workgroup computer users for their credentials, while users of domain-joined computers will enjoy pass-through authentication in the background.
Hope that helps.
Ed
Ed,
I have followed both of these installs about Microsoft forefront but can’t seem to get it to work.
I have 4 servers pretty high end that I am testing 2008 R2 on.
The network that I have is a fresh install of M$ 2008 R2 Enterprise on each computer.
Each computer has 2 nics in them. I setup a DC on one computer and got the network portion on it
On the computer that I have set up TMG on, it has 2 cards. The internal network card is 172.16.1.xx and the external card is 10.0.0.x pointing to a Netgear wireless router, with the cables plugged into one of the router ports. The other end of the Netgear router is connected to a DSL connection.
I added address reservation to the netgear and actually used a static address on the server.
Nothing is going out except the server that has tmg installed.
Ron,
I don’t quite have enough information in your comment to paint a good picture, but on what I think is your current situation…
1. Is the TMG’s internal interface (172.16.1.x) being used as the default gateway address on the other servers?
2. How are you doing DNS? I presume the DC is running DNS and is configured with root hints, or a forwarder to your ISP, but what happens at a cmd prompt when you try to resolve an external name? Can you?
3. You might want to review the next post I have on TMG, http://retrohack.com/let-me-out-configuring-outbound-access-rules-in-tmg-2010/ which I titled “Let me out!” specifically because, until you permit outbound traffic, only your TMG will be able to access teh tubes.
Please feel free to post another comment that this helps, or ask more questions if you need the assist. More detail is better than less.
HTH.
Ed
Ed,
I was struggling with this. Your comment about the default gateway was the hint. The idea came to me the instant I hit the enter button.
It would be helpful if you mention that the default gateway of the internal network cards need to point to the TMG address.
I was also reading the Let me out post.
DNS is being hosted in the DC. I have a forwarder point to the router. I probably need to point one to the same location as my real network.
Thanks for the information. Now I can move on with my test lab. I am setting up a complete new domain running windows 2008 and DFS and etc. This was a big hassle for me to overcome. Now I have network access I will install WSUS and etc.
Ron
Good idea…and done. Glad things are working for you now.
Cheers,
Ed
Hi Ed,
I have one scenario; hope you can help me on this. I have one EMS server. On that EMS server I have created three arrays; each array is joined by two TMG servers respectively. Before installing the TMG server I was able to ping the two servers which are joined to one another, but after installing TMG I am not able to ping them, and my Windows-based NLB which I created between the two servers is also disconnected. Can you please help me on this?
please reply me on xxxxxxxxxxxxxxxx@hotmail.com (I removed Arsalan’s email addr. as I’m sure he wouldn’t want it to be picked up by bots or spammers)
Arsalan,
I hope you check back on this post, or subscribed to comments. Sorry, but I don’t give personal replies unless you want to compensate me for private consulting. Assuming you see this response…
You’re going to have to edit system policy on each of the servers to allow management. Make sure your EMS server is in the “Enterprise Remote Management Servers” group, and that you allow all appropriate protocols from that group to all TMG servers (everything from remote management through configuration storage) and that all seven servers are members of the array servers group.
And I suggest you add a second EMS server, or if it is virtual, make sure you take a snapshot frequently. That’s a lot of TMG servers to lose management of if your only EMS server goes down.
HTH
Ed
How do I add the EMS server as a part of the Enterprise Remote Management Servers group, and how can I edit system policy on each server to allow management?
Click the link in the action pane called Edit System Policy, and go through that. There are many options there beyond what I suggested in the last response.
You can also go into the toolbox, and edit the Enterprise Remote Management Servers group and the Array Servers group directly, adding your servers as appropriate.
Hello, excuse me for my English.
I’m Gianmarco from Italy.
I’ve a problem.
Yesterday night I installed TMG and everything is ok.
I’ve only one problem.
I’ve an Exchange Server 2007 on another server.
I receive the mail but the mail doesn’t go out. In fact the mails remain in the queue.
If I use my old hardware firewall it is ok, but if I use the TMG server I have this problem.
I set up a rule where all traffic is allowed from internal to external.
Can you help me?
Ciao Gianmarco,
Your English is much better than my Italian…you’ve got nothing to apologise for. As to your server…
Check the logs on the TMG to see if it is reporting anything. If you created an outbound access rule that permits all, you should be okay. You can also test that by trying to telnet to port 25 on any external mail server. If that doesn’t get out, then you can either create a rule to let everything out, like I covered in this post or just permit outbound 25 for your email server. Since you are commenting on the part 2 of the install post, I think that maybe you published your server to allow inbound mail, but still need to permit outbound.
Please let me know if this helps, and if not, how much further you get and we will go forward from there.
Cheers,
Ed
Hello, excuse me for my english.
I’m Sean from the United States …
When I reboot my TMG system — wow, it takes FOREVER (at least feels like it) to completely come up with both NICS up and running.
In the taskbar the Network notifier just spins and spins. Is this normal? I mean, we are seriously talking about 8+ mins to be fully ready for action.
No Internet access via the local system through Internet Explorer. Checked the system resources .. CPU utilization is low (5-10%), memory sits at 979MB of a 2GB system.
As Charlie Brown would say … Good Grief!
btw: Love the site. You are my new Favorite!!
Hi Sean,
It reads like you need to do a couple of things. Since you are commenting at the end of part 2 of the install, you should be able to access the Internet from the TMG itself if it could do so before you began the install. Check your routing to make sure only the Internet connected NIC has a default gateway, and that you enabled the system rules for http, dns, etc. Speaking of DNS; if your TMG server uses an internal host for DNS…that host cannot resolve out yet. Go through this post to make sure your internal network can get out, and post another comment to let me know how you made out.
If you still have a boggle, I will have some more suggestions for you.
Cheers,
Ed
Can anybody share your backup definition with me? I am just a starter. I want to learn how to configure it and the concepts. Please send it to me at kolinn1 AT mail DOT com. Thanks
Hi Kolinn,
Have a look at this. http://retrohack.com/automatically-backing-up-an-isa-servers-configuration/
That is for ISA, but it works essentially the same in TMG.
Ed
My certificate generation failed during the install. Where do I go to make a new certificate for HTTPS inspection?
See this post…it should work for you. http://www.microsoftnow.com/2010/06/demystifying-outbound-https-inspection-in-forefront-tmg.html
Sorry, I have not run into this problem, and cannot test it now. Please post another comment as to whether or not this works for you.
Ed
I have successfully installed TMG thanks to your posts. But I am unable to access websites although I can ping them. The same websites work if I use https in the URL. Can you throw some light?
Hi Anton,
If HTTP does not get out, but HTTPS does, I am assuming that you did install the HTTPS inspection which is how this is working, but something is blocking HTTP on the TMG. Check this post out and let me know if that helps.
Ed
Hi Ed
Thanks for your reply. I had already gone through the post and the TMG is open to all access.. Also, the HTTPS inspection is also disabled. The thing I forgot to mention is, the TMG worked fine in the test network. I was able to access both HTTP and HTTPS and was able to allow or block at will. I then changed the network connection settings for my other network where I really wanted to install the TMG. Is this how i do it or should i change some settings in the TMG also. Or should I reinstall the TMG with the correct network settings in place. Also , it is the 10060 connection timed out error I am getting while accessing the websites while the same websites are working when i use https only with some certificate errors. It works fine with ISA 2004. Hope I have made the things clear.
Anton, when you set it up on your test network, you configured the definitions for internal and external. Moving to another network, even though you reconfigure the NICs, does not automatically reconfigure the network definitions in TMG. Redefine your ranges and you should be all set.
Also, you say that HTTPS inspection is disabled, but that is working with certificate warning…that sounds like it IS enabled, and the enrollment of the root certificate into AD failed, or you are using either a machine that is not a part of the domain, or a browser other than IE or Chrome.
Ed
Sorry I couldn’t reply sooner. I will redefine the ranges over the weekend and get back to you. Will check the HTTPS inspection also. The machine is not part of the domain. Thanks.
Hello, trying to install TMG 2010. After giving the installation path and selecting the internal IP address range or network adapter it is not taking the route automatically as it should, and when I enter the route manually and click Next it shows: “None of the IP addresses of this Forefront TMG computer are included in the internal network. At least one IP address for this computer must be in the internal network definition.” It’s not going beyond this step. Kindly help.
That sounds like the range of addresses you set on the external interface includes your internal network range. Make sure that the external interface includes a default gateway, and the internal network range does NOT. Add any routing to your internal interface (but do NOT include any external ranges) before you begin, and picking interfaces during the TMG install should work for you without issue.
If that doesn’t cut it, do an ipconfig, and then a route print, and paste it into a reply and I will take a look. I suggest you rename your interfaces to INTERNAL and EXTERNAL first. It makes things much easier going forward.
Ed
Hello sir
Thanks you very much for replying me.
I could successfully overcome the problem, as I was ignoring the IP ADDRESS CONFLICT error message. Now it’s ok and I moved ahead; now I am stuck at one more problem.
I have two lan card installed one with internal
ip address 192.168.1.1
(no default gateway) only
dns 202.54.15.30
external lan card
115.113.X.Y
sm =255.255.255.248
default gateway=115.113.X.Y-1
no dns
The problem is we have a leased line of 4mbps which is coming through POE (AC adapter).
When I plug the cable from this POE into the external NIC (of the TMG server) it shows network cable unplugged with a red cross. However, when the same cable is plugged into another PC (internet server) (where we are simply doing NAT) and distributing the internet through it, it is working fine without any problem, not showing the red cross and unplugged.
And when I try to plug in the same external NIC with a cable and the other end into the switch it does not show any problem and gives a link speed of 100Mbps. That means the LAN card is ok (I think so).
Even last time when we had the TMG server installed, when we used to turn on the server it used to take time to work; we used to right click the network connection and it used to take somewhere around 15 min to work (it used to show the link with the red cross and unplugged).
Then we used to disable and enable it and then it used to work.
So this is a problem which is bothering me a lot and I am not finding a solution for it. Kindly help.
my server is hp compaq 6000 pro only one inbuilt LAN CARD. which is of gbps configuration.
Rohan
First, check to make sure your link speed and duplex all match on the switch and the NIC. Then, check to make sure that your switch doesn’t have something like port security enabled, which would prevent you from ‘quickly’ swapping between your two servers using the same external ip.addr, since the MAC changing would make the switch think there is a problem. You can either disable that port security, or clear the ARP cache. If you don’t have access to the switch console, you could reboot it unless whoever set it up hard coded a MAC address in the name of SEKURITAH.
Of course the other issue might be that your POE (which I read as Power Over Ethernet) is really PPPoE (Point to Point Protocol over Ethernet) and it is just that your connection is not authenticating to your carrier properly. I have never had to create a PPPoE connection with TMG or ISA 2006 but I believe you need to create a “dial up” connection to provide creds to your carrier.
Sorry I could not be of more help with this, but let me know how you make out.
Ed
Hi,
I have installed a wk8r2 server with Hyper-V with two NIC’s, one dedicated to host and the other one dedicated to VM’s.
The Host’s network parameters:
IP: 192.168.1.50
Mask: 255.255.255.0
Gateway: 192.168.1.1
DNS: 192.168.1.1
I have installed a w2k8r2 as DC, with AD, DHCP and DNS as a VM with a hyper-v internal network.
IP: 192.168.189.1
Mask: 255.255.255.0
Gateway: 192.168.189.2 (The TMG server described below)
DNS: 127.0.0.1
DNS forwarders: 8.8.8.8 and 8.8.4.4
I have installed an other w2k8 as EDGE TMG, with 2 NIC’s, one for VM internal network and one for internet connection.
The Internal NIC settings are:
IP: 192.168.189.2
Mask: 255.255.255.0
Gateway: Not specified.
DNS: 192.168.189.1 (The DC)
The external network:
IP: 192.168.1.49
Mask: 255.255.255.0
Gateway: 192.168.1.1
DNS: not specified
The NIC’s bind order is internal and after it the external.
So, the problem is, that the TMG and the DC can’t communicate to the Internet.
Have you any idea about it?
Hi Ver,
The TMG has two NICs, but is the .49 NIC bound to the same card that you said is dedicated to VMs? If so, how is it getting to your ‘real’ network (192.168.1.0/24) ? I cannot tell from the information you provided, but I think your TMG’s external NIC doesn’t live on the same layer 2 as your router. Can you ping your router from your TMG? Can you ARP it and get the same MAC back as when you try from your Hyper-V host?
If you can, then follow http://retrohack.com/let-me-out-configuring-outbound-access-rules-in-tmg-2010/ to configure outbound rules to allow you to access the Internet.
Comment back if you have any other questions, or if this doesn’t get things working for you.
Ed
Ed,
dedicated means that in Hyper-V host I have 2 NIC’s, one for the host itself and the other for the VM’s, namely External in Hyper-V and is separated from the host communication which is allowed in Hyper-V R2.
In Hyper-V I have defined 2 networks. One Internal only (whis is used by my test domain and contains the DC and the TMG internal NIC), and the Extended (mentioned above), which belongs to the TMG’s External NIC.
In other words from the test domain aspect I have an outside network (192.168.1.0/24, the HV host and the TMG and the router and my Win7 laptop) and the inside network, which contains the DC and the TMG internal NIC.
In case I disable the internal NIC in TMG and set the DNS and gateway in TMG’ external NIC, it reaches the internet.
Ver
Ah, so your TMG server uses the DC for DNS, but if you haven’t configured TMG to allow your DC to forward DNS queries out to the Internet, it cannot resolve anything. You are going to have to configure at least an access rule so that your domain controller can forward DNS queries to the Internet (or at least the Google servers you mentioned earlier.) See http://retrohack.com/let-me-out-configuring-outbound-access-rules-in-tmg-2010/ for a quick ruleset that will permit everything inside to get out, or craft specific rules to be a little more secure. You definitely have to let DNS queries out to start.
Ed
Ed,
yes, I have tried, but no success.
So, I have some questions:
- is the TMG’s NIC binding order relevant? If yes, which is the correct from top to down? internal-external or external-internal? (IMHO internal-external is the correct.)
- I have made some tests. So, the TMG can’t resolve the names (it is normal if the DNS is not functioning properly), but it can reach the IPs of the outside world, for example “tracert 156.154.70.22”, which is a Comodo Secure DNS server. (The network connection in the status bar has a yellow exclamation mark, but it is maybe signaling the name resolution problem.)
But, the DC can’t tracert the same machine. It can tracert the TMG itself, but when I try to tracert 157.154.70.22, the first step result is the following:
1 verybyte-dc.test.verybyte.hu [192.168.189.1] The destination not reachable.
So, at this moment I have no idea what can I do.
It looks good everything.
I have the access rule you have mentioned.
Ver
- is the TMG’s NIC binding order relevant? If yes, which is the correct from top to down? internal-external or external-internal? (IMHO internal-external is the correct.)
I would go a step further and disable the client and server services from the external.
- I have made some tests. So, the TMG can’t resolve the names (it is normal if the DNS is not functioning properly), but it can reach the IPs of the outside world, for example “tracert 156.154.70.22”, which is a Comodo Secure DNS server. (The network connection in the status bar has a yellow exclamation mark, but it is maybe signaling the name resolution problem.)
That validates that you have connectivity and routing correct.
But, the DC can’t tracert the same machine. It can tracert the TMG itself, but when I try to tracert 157.154.70.22, the first step result is the following:
1 verybyte-dc.test.verybyte.hu [192.168.189.1] The destination not reachable.
That screams that the permit rule I told you to set up is NOT correct. So does the fact that your TMG is set to use your internal DC for DNS, but cannot resolve anything. First, change your TMG temporarily to use only 8.8.8.8 for DNS, and see if you can access web pages. I bet you will be able to. Then, re-read my post on outbound access rules, and verify that your rule allows all outbound for the protected networks. If that still doesn’t work, use the monitoring in TMG to see if DNS queries from your DC are still blocked, to find out why…
Ed,
finally I have found the problem and the simple solution.
The problem was that the DC routing table contained a 0.0.0.0/0.0.0.0/192.168.189.1 route, which routes to itself.
Maybe this came from an earlier configuration or so on.
I have deleted this, so only the 0.0.0.0/0.0.0.0/192.168.189.2 (route to TMG) remained, and everything is working.
So i have learned again to check the routing table on DC.
Regards,
Ver
Excellent, glad you got things working!
Ed,
We are currently setting up a TMG 2010 server and have a few questions about the configuration of the NIC cards. We have 2 NIC cards, one is currently configured for the internal LAN. The 2nd NIC card needs to represent the external network but I am unsure of what the appropriate way to set this up is. We are looking to find out where to physically connect the 2nd NIC card to and what IP address information we should use. We currently have an ASA 5510 firewall on our outside network. The main goal is have the use the TMG client setup so that it supplies credentials to the URL filtering portion of the software. Let me know what information would be helpful.
Thanks
Hi Joe,
If you’d like some consulting services, use the contact form (linked at the top of the page) to get in touch directly. If you’re just looking for pointers…
Assuming you have a DMZ network hanging off your ASA, then your TMG’s external network card needs an ip.addr/mask for your DMZ network, and should use the DMZ ip.addr of the ASA as its default gateway. Unbind all services except IP from that NIC, and configure it to use your internal DNS servers but not to register. Disable NetBIOS on that NIC too.
On your TMG’s internal nic, use the appropriate ip.addr/mask for that subnet but do not configure a default gateway. Use the route add with the -p to set up any required internal routing. Set it up as well to use your internal DNS and WINS servers and let it register.
For having the ASA handle authentication for users, you’ll need to actually publish a site. I went to get a link for you from my site only to realise I never got around to doing a post on publishing sites that require authentication. Stay tuned and I will try to fix that by next week, or see this post which should have enough to get you started.
Ed
Hello sir
I am planning to configure Remote Access VPN on TMG 2010, I am installing (ERP)client setup of particular software on vpn client and server(ERP) on one machine where we want to make the entry remotely, Could you please tell me how shall I take care of viruses so that we dont have viuses entering into our ERP server. kindly suggest me measure to avoid any catastrophe.
Rohan Gaur
System Admin
Hi Rohan,
I would recommend doing the following;
1. ensure antivirus software is installed on all clients and servers.
2. configure the access rules on the TMG such that the only traffic from VPN clients that can connect to the ERP server is traffic necessary for the software package. Unless there is a need to move files between client and server using CIFS/SMB, that will be a very effective defense against an infected client being able to pass malware over to the server.
3. Consider implementing network access protection to ensure only fully patched clients with approved and up to date antivirus are allowed to connect to the internal network. Until I get the time to write my own post on how to do this, check out this one.
HTH
Ed
Hello Ed,
Nice article, was reassuring to see I am not the only one who experienced the slow Additional Components portion of the install.
However, following this I looked at the event logs to see why that was and saw an long list of SQL related errors. When I try to run a report, after waiting a few days to give population ample time, there is no data. The report is otherwise ok, just devoid of any traffic data.
Everything else seems to be functioning OK. I have yet to apply the SP, updates and rollups until I find out more about the report problem.
I installed it on a fresh 2008 R2 which had already joined the domain and used the default domain admin account (yes, I know.. I will disable it eventually)
Any ideas would be very much appreciated.
Lee
Hi Lee,
I haven’t seen this myself so I need to know what error or errors you are getting to give any hints.
Let me know,
Ed
Hi, thanks for replying.
There are series of 15151 errors, eg:
Cannot find the object ‘fulltext_stopwords’, because it does not exist or you do not have permission.
I get a load of these (with different objects) for both MSFW and ISARS.
The SQL services do work.
If it makes any difference, I am using a hyper-v guest.
Thanks again,
Lee
Update:
Upgrading to SP1 as directed by the article failed:
Setup failed to upgrade ADAM
Which article, this one?
Well 15151 errors are generic permissions errors, and the error text does indicate perms are the problem. As it cannot find an object, and because this is a Hyper-V guest (which is just fine, my TMG server is too,) my first thought is to flatten and reinstall. It being a Hyper-V guest, I am assuming you can flatten and rebuild quickly and easily. If that is not an option, I will get on another server that has SQL Management studio installed this evening, connect to the default instance of SQL Express running on my TMG server, and check perms. I’m assuming this box of yours was a fresh install, and you didn’t already have SQL (any version) installed. Make sure you let me know if that is not the case. The TMG install puts SQL on the management server, and sets everything up. There is nothing for you to do, but if SQL was already there, you might be bumping into something from a previous app.
Ed
Hi Ed,
I used the MS article (copy as path etc). Although I installed TMG with the domain admin account, I was unable to install SP1 ("setup failed to upgrade ADAM") until I used the local admin account. Once that installation finished, I am unable to connect to TMG with any account other than the local admin.
Moreover, installing SP1, update 1, RU1, RU2 and RU3 has not alleviated the impossibly slow upload speed.
I have two NICs (internal with IP & DNS, external with IP and gateway), all the same settings as I have used for years with ISA 2006 and recommended by Jason Jones. The external line comes in from the ISP device, so I am unable to set speed and duplex for both ends of the connection, as he recommends.
Other than that, I disabled large send offloads on the host NICs used for virtualisation due to general Hyper-V communication issues.
At this point, I'm looking at either going back to ISA 2006 (which I was always very happy with, although it lacks a lot of the better features of TMG) or a Cisco device. Very disappointed with TMG.
Hello Ed
Once again I am popping up with a problem. We have TMG installed in our University campus, and we have one more college which we need to connect to the University campus by SITE 2 SITE VPN. We are going to install another TMG 2010 at the college also. I have heard about ARRAYS in TMG; is there any way we can manage both firewalls in one place (through a centrally managed console)? I installed the CONFIGURATION STORAGE SERVER on the same machine on which I have installed TMG 2010. What are the pros and cons of installing the configuration storage server on a separate machine?
Kindly reply
Rohan Gaur
System Admin
Hi Rohan,
To manage multiple TMG servers in an array, they both need to have connectivity to the configuration storage server (CSS). Since you are using these to establish a site to site VPN, you have a problem in that they must establish the VPN before they both will have connectivity to the CSS (unless you have a lower bandwidth management network they are both already on, or are crazy enough to put your CSS on the Internet). The way I would do it? Since these are separate locations, keep the CSS role separate too.
As far as where to install a CSS…I usually install the CSS role on the first TMG server, and also on the second when they are going to function in an NLB pair (enterprise licensing). I replicate the CSS data between the two so that I have redundancy for both the TMG functions and the CSS role.
Hope that helps,
Ed
Hello Ed
Internet users in our workplace are trying to access the particular website http://kundlubluez.blogspot.com/. However, our firewall is giving an error page with the following information.
Error Code 64: Host not available
Background: The gateway or proxy server lost connection to the Web server.
Date: 6/15/2011 4:20:23 AM [GMT]
Server: NETGUARD.
Source: Remote server
Why is it that our users are not able to access this website even though I have not blocked it? (When we have TMG 2010 disabled and distribute the Internet through NAT, this website opens.) And what is the solution for it?
Regards
Rohan Gaur
System Admin
Hi Rohan,
Unfortunately, 64 is a generic error with multiple possible causes. In my TMG2010 setup, I can browse that site without issue, though it is apparently not a valid site anymore, as Blogger says it is available. You can see this post by Yuri Diogenes at MSFT about some steps to take in troubleshooting, or you can take a look at more specifics in the logging based on the entire client session trying to hit that site. Since there is nothing in the URL you provided beyond the FQDN, I doubt it is a truncation issue, but again, since the site is now not online, I cannot really tell much else.
HTH
Ed
Hello Ed
I am trying to resolve this issue. However, when our users try to download something from http://WWW.TORRENTZ.COM it does not get downloaded. I tried to check the TMG logging; it shows
Destination IP 209.44.113.116 (for torrentz.com) Destination port - 80 Protocol - HTTP Action - Initiated Connection Result Code - 0x0 success
Destination IP 209.44.113.116 Destination port - 80 Protocol - DNS Action - Closed connection Result Code - 0x80074e32 FWX_E_CONCURRENT_CONNECTION. Just for testing purposes I have disabled any web restriction; it's like an allow all to all rule. Kindly suggest me some solution.
Rohan Gaur
System Admin
Rohan,
At a guess, whatever your users are trying to download might be blocked due to a malware rule. I don’t use that site myself, but from the name and homepage, it doesn’t strike me as business appropriate; at least not where I work.
Set up a filter for a specific client ip.addr and try to download from that site again. Then check ALL the results in the log for that specific client. My bet is the actual reason will show up in the logs.
Ed
Hello Ed
Thanks for replying. I have not configured a malware rule; however, I'll try your solution.
Though I am trying to install a site to site VPN between two of our university campuses, could you tell me which of these it is going to be?
Like
1) HQ in a domain environment and BRANCH OFFICE in a workgroup (where users for authentication need to be made on the TMG server that is in the workgroup environment).
2) Both Headquarter and BRANCH OFFICE in a workgroup (I think it is not feasible).
3) Both headquarter and branch office in a domain environment (if it is so, do the two domains need to be parent-child, or different domains with a trust configured between them?).
I need your comment on it. My requirement is fulfilled with the first configuration, one in a domain and the other in a workgroup; kindly suggest me something more on it.
Thanks
Rohan Gaur
System Admin
Hello Ed
Kindly ignore my previous query, as I am trying to set up a site to site VPN across two of our University campuses. In our headquarter we have the 172.16.1.0/21 range used for Internet purposes and the 192.168.1.0/24 range used for our database application (SIM). I have just installed TMG 2010 in our headquarter, and prior to this we had another firewall. Now I am configuring the VPN between headquarter and branch office. The problem that arises is: if I configure the site to site VPN, the remote site clients get an IP in the 172.16.1.0 range, whereas we want them to get an IP in the 192.168.1.0 range so that entry into the database application (SIM) is made from the remote location. Is there any way we can configure it so that the INTERNET clients use the 172.16.1.0 IPs and the SIM clients use the 192.168.1.0 IPs, so that the entry is made?
Kindly suggest me something. I apologise for asking you so off and on.
Thanks
Rohan Gaur
System Admin
Rohan,
It sounds like you are wanting a LAN to LAN VPN tunnel, but are configuring client VPN access. In a tunnel, you are using the VPN configuration and routing to connect the two sites. The clients on the far side should never know or care how the connection between sites is set up, as long as the tunnel is up, they are just sending traffic to their gateway and letting it go.
Marc Grote wrote a great article on setting this up. Take a look and let me know how you make out.
Ed
Hello Ed
I found the solution of the problem (not able to download from utorrent).
Here it is-
Assuming that you’ll use port 64000 – 64100 for multiple clients
1) Set up the following new Protocols:
Name: BitTorrent (Inbound)
Ports: TCP – 64000 to 64100 Inbound
Secondary connection: TCP 64000 – 64100 Outbound
Name: BitTorrent (Outbound)
Ports: TCP – 64000 to 64100 Outbound
Secondary connection: TCP 64000 – 64100 Inbound
Name BitTorrent (UDP)
Ports: 64000 to 64100 Send Receive
Secondary connection: 64100 to 64100 Send Receive
You can add each of these to the same Access Rule.
Create another new Protocol on a per-client basis:
Name: BitTorrent (Server – )
Ports: Create a TCP Inbound port range somewhere between 64000 and 64100 (e.g. 64000 to 64010)
Create a Non-Web Server Protocol Publishing Rule per BitTorrent client (client machines must have static IP or have DHCP reservations). These rules are the same thing as SOHO router’s “port forwarding”:
Name: Whatever you want; be descriptive as to what the client using this rule is
Server IP: The client running BitTorrent
Listen from: External (aka The Internet)
Edit the above Server Publishing rule and go to the To tab. Make sure the radio box “Requests appear to come from the original client” is ticked.
Go to Configuration -> General -> Define Firewall Client Settings -> Application Settings tab
Create two New Applications:
Application: [Executable name without file extension, e.g. utorrent]
Key: RemoteBindUdpPorts
Value: 64000-64100
Application: [Executable name without file extension, e.g. utorrent]
Key: ServerBindTcpPorts
Value: 64000-64100
Save all of the above changes and commit them to the ISA Server.
Open utorrent, go to Options -> Preferences -> Connection, set the/a port that your Server Publishing Rule is using.
Under Advanced, go to net.outgoing_port and set it between 64000 and 64100.
I’ve also set the IP/host name to report to tracker to a Dyndns hostname, though you can also use the ISA Server’s external IP (if you’re running ISA in Edge firewall mode).
Note: I have not gotten DHT to function in my limited tests (sits at Waiting to log in or login with 0 nodes), but uTorrent reports that NAT is functioning correctly. Download speeds are excellent and upload also works.
Also note that these same steps should be applicable to ISA 2004, but NOT ISA 2000.
Regards
Rohan Gaur
System Admin
Nice, thanks for the write up, and I’m sorry I didn’t understand it was the actual Torrent you couldn’t start. If I had realised that I might have had a better suggestion. I thought you were unable to even download the .torrent file.
Ed
Hello Ed
Kindly post the better option of starting the torrent you have
Regards
Rohan Gaur
System Admin
I have no better option; I simply meant I thought you were failing to d/l the .torrent file over the HTTP connection you made to the website.
Hi Ed, I hope you can help me with our objective. Our objective seems to be weird, but just like the saying says, in every rule there is an exception.
OK, here it goes. We want Yahoo Messenger enabled for a specific user group in our network. We have TMG 2010 in our network and we were able to deploy the TMG client on each computer in our domain.
It seems that Gmail chat is working based on what we want, but YM (web messenger) is not working. Is there any special configuration in TMG to allow YM in our network? Please help. Thank you.
Roger,
First, I have to point out what you no doubt already know…public IM services are not really the best choice for business communications. If you want some (but not all) users to have IM access, you should block technically and prohibit through policy all IM other than corporate controlled systems like Jabber/XMPP or OCS. Okay, that should satisfy the lawyers.
Blocking YIM is a PITA because the client can connect over 5050, 80, and other ports. You will find it easier to create a network group of ip.addrs associated with the YIM servers, and only allow your privileged group access to those servers, blocking all others.
To get those servers may take a little work. I use Pidgin, which attempts to resolve vcs1.msg.yahoo.com and address.yahoo.com when it makes a connection to YIM. Both of those are CNAMEs to several other A records. DO NOT succumb to the temptation of just creating a bogus yahoo.com zone in your internal DNS. Using fake DNS entries to control access might be a reasonable temporary response to malware infections, but should never be used to control Internet access. Trust me on that one…you will create way more problems than you solve if you go down that road.
I know this wasn’t the answer you were looking for, but I hope it helps anyway.
Ed
Hello Ed
I am trying to configure a rule so that when we ping our firewall server with a packet size of less than 100 bytes it replies to the ping successfully, and when it is more than 100 bytes it denies it, to avoid a denial of service attack.
Thanks
Rohan Gaur
Rohan,
a) I do not believe there is any configurable ruleset on ICMP echo in TMG. I have not seen this, and cannot find it.
b) I do not believe you need to do this. The TCP/IP stack in Windows has not had issues with large ICMP since the 90s, and if you really want to lock down pings, you can just adjust the system rule to only allow ping from trusted systems, or the internal network.
HTH
Ed
Hi Ed,
Can you help me with my problem?
I have installed TMG with a single network adapter.
The TMG is placed between the internal network and another firewall device.
TMG's gateway is the firewall device.
The clients' gateway is the TMG.
I have created the web access rights with all the needed configuration (firewall policy = from local host and internal to external) but it still doesn't work.
When I try to ping an external address (from the TMG server and clients), it can be resolved but I am getting RTO.
I cannot access the Internet from the TMG server and clients.
We have the same configuration with ISA Server 2006 and it is working.
The TMG address has been allowed in the other firewall and it was set up just like the access of the working ISA Server 2006.
I want to make this successful so that I can remove the existing ISA server and replace it with the new TMG.
Please advise.
Hi Mak,
For starters, I can’t speak to the ISA 2006, since I don’t know how you had it configured, but if it has only one NIC, I’m not sure how you are getting it to do what you want. I never set up a single NIC ISA2006 box.
However, on TMG I wouldn’t do my setup like you did.
A TMG with a single NIC can be a proxy, but not a gateway, since to be a gateway you need two network cards and to route traffic from one NIC to the other. Configuring clients to use the TMG as their default gateway (and with the rule you created allowing internal to external) implies that the TMG needs to live on both networks, and route traffic from its internal NIC to its external.
My suggestion is that you either
1) add a second NIC and route all client traffic through the TMG, configuring appropriate rules, or
2) use the TMG as a web proxy. Configure all clients default gateway to be the firewall, only allow web traffic from the TMG through the firewall, and configure the clients to use the TMG as a proxy.
Might not be the answer you were looking for, but I hope it helps.
Ed
Hi Ed,
Our ISA server is set up just to be a web proxy and that’s what I want with our TMG.
I am trying to access the Internet from our TMG first before I it with the clients but unfortunately I am unable to do so.
Web traffic from TMG to firewall has been allowed but I still can’t access internet from TMG server.
Any more pointers or things that I should check?
Hi again Ed,
I got it working already.
Previously I had imported the settings from our ISA Server 2006 to TMG after installation without testing it first (sorry, my bad..).
I was thinking that nothing would go wrong since our ISA has been working for some time, but it turned out that it did not work.
So what I did was to start from scratch and set it up working first before importing our ISA config.
Alas! It worked.
I think that there were addresses that were not added correctly after importing the ISA server 2006.
Thanks for your help though.
I’m glad you got it going, and bet that your hunch is correct. Thanks for letting me know!
Ed
Hello Ed
can you help me with my problem
We have a TMG 2010 server configured as an EDGE configuration in our network. We have given access to our students on facebook.com as well for some time, but we are facing a bit of a problem: a few of the photos on the wall are not showing up on the wall, and it's not uploading photos on Facebook. Then, just for testing, I shut down the TMG server and ran simple NAT to see whether there was something wrong with Facebook or our bandwidth, and got to know that it's uploading when we did it through simple NAT.
Kindly suggest something.
Rohan
system admin
Hi Ed
Just an addition to the above note: when we look at the photos in Facebook, a few of them don't show up; however, something the size of a grain shows up, and when we click on it, the photo then shows up.
kindly help
Rohan
Hi Rohan, it’s nice to hear from you again.
I don’t use Facebook so I have never seen this before, but since you stated that you gave students access, I believe you are using a rule that permits access only to explicitly listed websites. My first thought is that the photos use a different URL from the rest of the content, and that URL is not included in your rule. Create a monitor in TMG that looks at only your client’s traffic, reproduce the problem, and then check the denied URLs to see if any need to be added to your permit rule.
HTH
Ed
Hello Ed
Once again I come up with a problem, this time event id 14057: "The firewall service stopped because an application filter module c:\program files\microsoft\forefront threat gateway management gateway\webmonplg.dll generated an exception code c00000c"
It was showing up a urlcache error too.
The Firewall service remains stopped; it starts for a minute then stops again.
Kindly suggest something
Rohan Gaur
System Admin
Best guess is http://support.microsoft.com/kb/973516 unless you are running something like VNC or GoToMyPC or any other remote access software except for RDP, in which case DON'T DO THAT and see http://support.microsoft.com/kb/2497959. That, or stop doing HTTPS inspection if you have to use one of those remote products.
BTW I think you meant c0000005 and not c000000c…if it really was c000000c that usually indicates a buffer overrun in USBD or an orphaned thread, and therefore
a) disregard the above, and
b) I have no idea.
Good luck,
Ed
I am new to this site but I am already hooked. I have set up ISA2006 in the past and now am getting ready to install TMG. I am excited that you have chosen to share your knowledge and assistance with us. I will be viewing for the most part and if the need should arise I will post.
Thanks again.
You’re welcome, and good hunting!
Hi ED,
I have installed TMG Enterprise 2010 in a live environment and I can access all HTTP sites successfully.
But HTTPS sites are not working. Also I have issues resolving names for my intranet sites. I can access these sites without issues by IP address. But the same issue occurs if it's an HTTPS site. Need your advice, Ed.. please help.
Sri,
Did you install TMG with the option to do HTTPS inspection? And if so, are you getting a certificate warning, or a 500 error, or what? What happens when you try to reach an HTTPS site?
As for DNS, I assume you mean using the TMG you cannot resolve names for intranet sites, and not your client. The TMG server needs to be configured to use the internal DNS servers for DNS, and system policy has to permit that.
HTH
Ed
Hi Ed,
Thanks for this very useful article. It helped me setting up my TMG, EDGE & FPE.
Now I have my setup working perfectly fine, but the only thing I am searching for is this: my Content Filter definitions are not updating, nor are the Malware Inspection definitions. In the Dashboard of FPE I am getting the following alerts.
1. Content filter is enabled and the last definition update was over 12 hours ago.
2. Not all of the antimalware engines enabled for updates successfully updated at the last attempt.
3. At least one of the antimalware engines enabled for updates has not been updated in the last five days.
When I look at Update Center in the TMG console, all antivirus engines except the Kaspersky & Cloudmark Antispam engines are up to date; these 2 failed to update & the version shows 0.0.0.
To give you brief details: I have created a TMG firewall rule to allow HTTP & HTTPS from Local Host (my TMG, EDGE, FPE server) to External.
I have a Cisco ASA 5505 where I have also created an access list allowing the TMG server's External NIC IP address all HTTP & HTTPS traffic, as per the article I read on the Microsoft social network sites.
Your help in this regard is highly appreciated.
Regards,
Harshal
hi ed,
I have successfully installed TMG 2010 in Hyper-V on 2008 R2. I just need to know what I should do to allow Internet access in the internal network without using any proxy. I am able to browse the Internet with the proxy and using the TMG client, but my network icon shows no Internet access. I want clear Internet access in the internal network. Please help.
Parth, did you read the next article yet?
Hit that for the answers to your boggle, and post any follow up questions on that post.
Ed
Hi,
Not sure if I should reply on part 1 or 2, but I have a little problem with my TMG server:
internal network is at 192.168.1.*
external network is at 192.168.2.*
the server is on 192.168.1.254 (internal NIC), and 192.168.2.252 (external NIC)
router (gateway to the Internet) is on 192.168.2.254
The server itself can access the Internet, as can computers on the external network, but the internal network can't.
configuration is done as described in your guides.
and how can i enable computers to access shared folders on the TMG server(both internal as external network computers)
Kind regards,
Frank
Cheers Frank,
First, is the TMG internal (192.16.1.254) the default gateway for the internal users? If so, they should be able to do HTTP to the Internet now, HTTPS unless you did inspection but haven’t injected your root cert. Anything else, you need to read http://retrohack.com/let-me-out-configuring-outbound-access-rules-in-tmg-2010/. If the TMG is not the default gateway, you need to configure your clients to use the TMG as their web proxy.
To let your internal users access shares on the TMG can be done, but isn't the best idea you've had…remember this is a SECURITY APPLIANCE, not a file server. To let external machines (I'm assuming your DMZ server on 192.168.2.0/24, and not Internet) is a phenomenally BAD IDEA. The DMZ is the untrusted network, and to try to leverage the fact that the TMG spans the internal and external so you can get to file shares presents a potential for bad guys who take down a lesser box in the DMZ to then have a path into the TMG which then has an open door to the internal network.
If you still want to have internal users access shares on the TMG (don’t be that guy) reply back and I will give you some pointers.
I know it's a risk, although I am a home user (experimenting with it for school and such things).
I NEED access to the shares on my TMG server; this system also holds my back-ups, and 3 computers need to write away back-ups every Saturday.
currently writing from an external location without access to the server, so I will let you know how it worked out
thanks for the fast response,
Kind regards,
Frank
Just checked..
The Windows 7 client shows a yellow triangle with a !
It has no network or Internet access..
I definitely did something wrong?
I configured it as you described, but as a back firewall, not an edge, since there is still a router between the server and the Internet.
Is the client configured to use the TMG’s internal ip.addr as the default gateway?
When you ping an external FQDN, does it resolve? If not, ping an external ip.addr (8.8.8.8 will answer) and what do you get for a response?
Can the TMG server access the Internet using a browser?
Is the network relationship from the internal to external set up as NAT?
client 1 has been configured like this:
IP address: 192.168.1.1
gateway: 192.168.1.1
DNS: 192.168.1.1
DNS seems to work now(properly forwarded to ISP), but there is no network connection between internal and local host,
a computer at the external can see the server in the explorer, but not access the shares.
computers on the internal network can’t even see the server
TMG can access everything on the internet,
and I am using the back-firewall topology, so there is still a perimeter between me and the Internet, so I set it up like:
internal to perimeter is NAT
perimeter to external is routed
thanks for the time you spent helping me so far
Frank
Please recheck what you just commented. A host cannot use itself for the default gateway, and unless it is running the DNS server service, it cannot use itself for DNS. I was expecting to see something like
ip.address 192.168.1.1
gateway 192.168.1.254
dns (some internal server running DNS)
It does sound like you have DNS resolution working, but can you confirm that you are using an internal server for DNS and it forwards to your ISP, or are you using your ISP’s DNS servers directly from the internal client?
Can you also provide names, or simply use more descriptive terms for each node? I can’t follow which is localhost and “the server” etc.
Call an internal client a workstation, the TMG server TMG, a DMZ server “DMZserver” etc. It’s pretty hard to follow along with out a picture, or really clear naming.
I do want to help, but I need more and clearer info to make sense of it all.
Confirmed everything,
rechecked..
Computer names are as follows:
client 1: W7-Frank
client 2: W7LT-Frank
server: TMG-SVR-Frank
I fixed the gateway thingy, and all my problems were solved.
Thanks for helping me out, this case is closed.
Keep up the good work!
Excellent news. Merry Christmas!
This is my first time playing around with TMG. I have it working well enough for the moment, however, on my webserver (port 80) I am running a personal PHP based torrent tracker. I can successfully navigate to the actual PHP front end of the tracker, but, when a torrent tries to communicate with the tracker (through port 80 I assume) it is receiving a 500 error. I’m sure this has to do with non HTTP traffic flowing on port 80, but I’m not sure how to specifically allow this type of traffic. Any help would be appreciated.
Matthew,
Logging will be your friend here. Look at the live logging while you try to start a torrent to see what is throwing the error, and what the specific error is from the TMG’s perspective.
You might need to adjust the HTTP filtering, or set up an explicit permit rule, and the logging results should tell you more about it.
HTH
Ed
Funny enough, in uTorrent I added :8080 to the proxy setting and that works just fine internally. As I said before, but now with a bit more information, I can access the actual web interface for the tracker, but ONLY from inside my local network. I tried to access the page externally and Firefox said “The page isn’t redirecting properly. Firefox has detected that the server is redirecting the request for this address in a way that will never complete.” The tracker files are located at /tracker, there is nothing special about that directory so I’m not sure why it’s redirecting it. Here is what the log on the TMG says:
Log type: Web Proxy (Reverse)
Status: 302 Moved Temporarily
Rule: http://www..net
Source: External (:51783)
Destination: Local Host (BACKUP 10.1.0.106:80)
Request: GET http://backup..net/tracker/
Filter information: Req ID: 0e3174d7
Protocol: http
User: anonymous
Additional information
Client agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x411c0000 (Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header. Response includes the CACHE-CONTROL: NO-STORE header. Response includes either the CACHE-CONTROL: MUST-REVALIDATE or CACHE-CONTROL: PROXY-REVALIDATE header. Response includes the EXPIRES header. Response should not be cached.)
Processing time: 1063 MIME type: text/html; charset=UTF-8
Any idea why it would attempt to redirect access to this directory on the web server but not any of the others? I have one directory set up to allow directory browsing, that one is accessible just fine from the outside.
Just a quick comment, In the log paste I edited out identifying information… that is why it says Rule: http://www..net & Request: GET http://backup..net/tracker/. Your site did not like me using ‘s.
Ok, it’s like the gateway knew I was talking about it… It just randomly started working.
And.. chalk one up to automatically switching wireless networks. It indeed still does NOT work externally.
Here is a new error TMG is showing:
Failed Connection Attempt TMG 12/16/2011 4:22:49 PM
Log type: Web Proxy (Reverse)
Status: 64 The specified network name is no longer available.
Rule: http://www.redacted.net
Source: External (redacted:52477)
Destination: Local Host (BACKUP 10.1.0.106:80)
Request: GET http://backup.redacted.net/tracker/
Filter information: Req ID: 0e318c68
Protocol: http
User: anonymous
Additional information
Client agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x411c0000 (Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header. Response includes the CACHE-CONTROL: NO-STORE header. Response includes either the CACHE-CONTROL: MUST-REVALIDATE or CACHE-CONTROL: PROXY-REVALIDATE header. Response includes the EXPIRES header. Response should not be cached.)
Processing time: 1297 MIME type: text/html; charset=UTF-8
Status: 64 The specified network name is no longer available.
Your TMG cannot find whatever it is you are trying to publish. If you created your rule and used an internal FQDN, and your TMG is using only external DNS, this is what can happen. If your rule uses a NetBIOS name and TMG is not configured to do NetBIOS name resolution internally or does not have the appropriate DNS search suffixes configured for internal, this is what can happen.
Check your name resolution, and only if you have no other choice, edit the rule to include the ip.addr when the name cannot be resolved.
Ed’s tips…
1) ALWAYS ALWAYS ALWAYS fix name resolution. When it doesn’t work it’s a symptom of something worse and any workarounds are just bandaids, not fixes.
2) If you really really really cannot do #1, edit your TMG rule to use the ip.addr.
3) Yes, I know, HOSTS is a tempting fix, but don’t be that guy. NOBODY remembers to check the HOSTS file until they first spend hours troubleshooting other drek. If you must use HOSTS, use BGINFO to plaster on the machines wallpaper that you are using HOSTS.
HTH
Ed
Matthew are you trying to publish this torrent tracker to the outside world? I think that is it, but I started with thinking you were trying to access an external site from the inside.
See this post and the second part after it on publishing a site to the outside world, and follow up with any questions on that post’s second part.
I finally found the problem. In this case the tracker PHP code itself is partly to blame. One of the settings is the URL to the actual tracker, which for this case we'll say was http://www.redacted.net. The web server that hosts it is named backup.redacted.net but is bound to listen on http://www.redacted.net. I had mistakenly told my publishing rule NOT to forward the original host header, which was causing TMG to request backup.redacted.net/tracker instead of http://www.redacted.net/tracker. The PHP code was then trying to forward back to http://www.redacted.net in an eternal loop. Once I changed the option back to forward the original header, the problem fixed itself. Using the logs I also discovered another possible problem where the web filter was blocking high bit characters in the URL, which I needed to disable since the tracker generates IDs with high bit characters.
Do you happen to have an article explaining the TMG client? When I use the client different protocols seem to grind to a halt. Mainly I cannot connect to any IRC servers when it is running, but I also notice that I can’t stream to any icecast servers either. When I disable the client, all is fine.
I don’t use the client, nor do I use IRC or Icecast, so I got nuthin’, but I would start out by setting up a log to monitor a client, and then run the apps with the TMG client enabled to see what it complains about. Not much help I know, but it might be a start.
Good luck,
Ed
That would do it. Thanks for the update!
Hello Ed,
I am trying to access a link http://202.141.40.215:8080/brihaspati/servlet/brihaspati
and I am not able to access this link. I work in a university and this link leads to an educational site.
In the logs I can see:
Log type: denied connection
Status: The policy rule doesn’t allow the user request.
Rule: Default Rule
Source: Internal (192.168.1.4:137)
Destination: External (202.141.40.215:8080)
Protocol: HTTP proxy
After that I created a URL set http://202.141.40.215/brihaspati/* and moved it up the policy rule.
Even then it’s not opening the page, though when I open http://202.141.40.215 it gives the webpage,
but again when I select brihaspati it doesn’t work.
Hi Rohan,
I’m very pleased that you looked in the logs, and pasted the result, and tried to create a permit rule…and moving it up higher was just the ticket.
However, look at the log error, and then look at your URL set…what port does HTTP use by default? That’s right, 80. What port is that URL trying to use? Right again, 8080.
Your URL set won’t work, since it specified HTTP but not on TCP port 8080.
You will need to either modify your URL set to specify the correct URL ( http://202.141.40.215:8080/brihaspati/*), or create a permit rule to allow outbound to TCP port 8080. I don’t know if modifying the URL set will work…I don’t use those. Once more I point to my article on “Let me out!” (link above) because, until you create rules that let your users out, you will run into these things, and while I am very much in favour of protecting users from malicious sites, and will go along with blocking access to sites that sit in certain categories, I do not advocate an approach of explicitly permitting access to the Internet. Making sure users are not wasting time on the Internet (or anything else) is their managers’ responsibility, not mine. That’s the way I see it. That’s the way I recommend it. That’s the way I roll.
HTH,
Ed
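To make Ed’s point about the port concrete, here is an added example (not code from this blog or from TMG) that models a URL-set entry as scheme + host + port + path-with-trailing-wildcard and reports which part of Rohan’s entry fails to match the request. The matching logic is a simplified assumption for illustration, not TMG’s actual URL-set engine.

```python
from urllib.parse import urlsplit

# Default ports applied when a URL omits an explicit one.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(url):
    """Split a URL into (scheme, host, effective port, path)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    path = parts.path or "/"
    return scheme, host, port, path


def path_matches(pattern, path):
    """A pattern ending in '*' matches any path with that prefix."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def explain_mismatch(entry, url):
    """Return a list of human-readable reasons the entry does not match.

    An empty list means the URL-set entry matches the request.
    """
    e_scheme, e_host, e_port, e_path = normalize(entry)
    u_scheme, u_host, u_port, u_path = normalize(url)
    reasons = []
    if e_scheme != u_scheme:
        reasons.append(f"scheme: rule {e_scheme}, request {u_scheme}")
    if e_host != u_host:
        reasons.append(f"host: rule {e_host}, request {u_host}")
    if e_port != u_port:
        reasons.append(f"port: rule {e_port}, request {u_port}")
    if not path_matches(e_path, u_path):
        reasons.append(f"path: rule {e_path}, request {u_path}")
    return reasons


def entry_matches(entry, url):
    """True when the URL-set entry covers the requested URL."""
    return not explain_mismatch(entry, url)


if __name__ == "__main__":
    # Values taken from the comment thread above.
    request = "http://202.141.40.215:8080/brihaspati/servlet/brihaspati"
    for entry in ("http://202.141.40.215/brihaspati/*",
                  "http://202.141.40.215:8080/brihaspati/*"):
        print(entry, "->", explain_mismatch(entry, request) or "match")
```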
Hello Ed,
Thanks for replying to my query. The solution that you told me did work for me, but when I configure them as WEBPROXY CLIENT, making changes to the proxy in Internet Explorer, how can I do that when we have configured SECURE-NAT CLIENT only?
2) I am facing some problems with TMG logging:
1) SQL Server Express service is showing stopped. Because of this I am not able to generate the report (daily).
And the log status tab in logging is showing the status as disconnected (no connection to database). Log queue 1598941 KB.
I have installed the TMG 2010 SP1 update only.
Alerts showing – SQL Server Reporting Service could not be configured for Forefront TMG; restarting the job scheduler service may resolve this issue. Reporting services error info: connection failure.
2) The SQL Server Express (MSFW) service could not open an ActiveX Data Objects connection for accessing the SQL Server Express database for Microsoft Forefront TMG firewall logging. SQL Server Express service error description: Invalid connection string attribute, (DBNETLIB) [ConnectionOpen (Connect())]. SQL Server does not exist or access denied.
Connection to the SQL Server Express database will be retried periodically until a connection is established. Log records will be saved in a log queue on the disk; Forefront TMG will continue to operate normally, but the log records in the log queue will not be available in the Forefront TMG log viewer. After a connection to the SQL Server Express database is established, the log records in the log queue will be moved to the SQL Server Express database and will be available in the log viewer.
Even caching is not working, showing an error as cache log failure: failed to connect to database CachePerfCounters; this may interfere with cache utilization monitoring. The failure is due to error: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (Provider: Shared Memory Provider, error: 40 – Could not open a connection to SQL Server).
Kindly give some tips.
Rohan Gaur
Rohan,
I don’t use the secure NAT client, so have no tips for you. An earlier comment of yours indicated you are using TMG as an Edge, and I think you NAT’d through it, but to be clear, the secure NAT client is not supported when TMG is configured with only one NIC…I think you have two, but I can’t find anything else you commented to confirm that.
If SQL is not running, you’re pretty much toast. I would do the usual reboot, checking the account SQL runs under to be sure it is not locked, see what the system log tells you when you try to start SQL by hand, etc. It should be running as Local System, but maybe something changed.
I think this is a SQL issue, not a TMG issue, but TMG depends on SQL. Focus your troubleshooting on SQL.
Good luck,
Ed
First off, thanks for all the help, I don’t believe I thanked you last time. Now… HELP! Something has gone completely haywire with my TMG. After running without issue since my last posts on here, starting yesterday (the 30th) my TMG appears to randomly lose its ability to speak with my domain controller (Exchange & DNS also run on the DC due to server constraints); as such, all computers on the internal network cannot access websites, as DNS completely stops on external domains. I cannot ping the TMG from the DC. If I restart the firewall service on the TMG I can ping the DC for a random time frame (sometimes lasting 10 or so minutes, sometimes much shorter); out of nowhere I will suddenly lose the ability to communicate with the DC. Other computers on my network can successfully ping the DC. I have a connectivity verifier on the TMG that checks the AD link to the DC and that is reporting a “Good” “<1 msec” in its status. When all the problems started, I immediately suspected DNS and have been troubleshooting that all night. When I restart the firewall service on the TMG I can log all of the DNS requests being forwarded to my ISP’s router and to the OpenDNS servers; however, just like the ability to ping the DC from TMG, this grinds to a sudden halt. I also suspected that the DNS (DC) server was triggering the flood mitigation on TMG, so for testing purposes I have disabled that. I have also disabled the DNS filter on the TMG located in System/Application Filters. I’m at a loss to figure out why this started so suddenly after working for so long.
I’m assuming you have a small home network, so everything internally is on the same subnet. If that is wrong, stop reading and correct my assumptions.
1. When you try to ping from the DC to the TMG and it fails, do you get request timed out, or destination unreachable?
2. When you try to ping from the TMG to the DC and it fails, do you get request timed out, or destination unreachable?
3. Did you ever modify the system policy rule in TMG to allow PING from internal, or did you ever add the DC to the Enterprise Remote Management servers?
4. Does your connectivity verifier still say connection from TMG to DC is good even when ping fails? And what is that verifier testing?
Will look for your answers later today.
Ed
Your assumption is correct, everything is on the same subnet.
1) I’m not 100% sure as I have since restarted the firewall service on TMG in order to once again temporarily restore the connection.
2) See above.
3) I had not, but I have added it now. I assume this will allow the TMG to manage certain aspects of the DC? I’m not sure on the specifics of what this does.
4) As far as the verifier, it did continue to say the connection was good. It is testing Active Directory TCP on port 389.
On another note, since I added the DC to the Enterprise Remote Management computers, I have been able to continue pinging TMG from the DC and vice versa.
I was snooping around the computer sets on TMG and tried to open one of them up (Managed Server Computers) and that seems to have hung the TMG interface. As soon as that hung, I was immediately unable to ping the DC or for the DC to ping TMG. They are both giving “Request timed out.”
I think I may have found the problem… http://blogs.technet.com/b/isablog/archive/2009/01/12/isa-server-2006-stops-answering-requests.aspx
I had rule #1 set to block access to certain sites in a very similar fashion to this. “All protocols” was selected. This seems like the best explanation I’ve seen so far. The firewall service was consuming a massive amount of memory and if what that article says is true, and I have no doubt it is, then every single connection was being watched and eventually it ground to a halt. I have since changed the protocol to HTTP and am awaiting results.
Excellent news! Keep me posted, but yes a deny that has to do all those DNS lookups could definitely cause this to happen on the semi-random interval you were seeing. I’ll assume you’re good to go now, but hit me again if you still get weird issues over the weekend.
Ed
All is well now with the DNS problems since removing that rule. However, now something has gone wrong with the VPN settings. Everything was working fine before, but now VPN clients cannot connect to any internal resources or even access external websites. It looks like DNS may be playing a role again in the problems, as nslookup just times out on both internal and external domains. The logs look like everything is completing successfully… Here is the log of my attempt to access google.com:
Initiated Connection TMG 1/1/2012 2:27:09 PM
Log type: Firewall service
Status: The operation completed successfully.
Rule: VPN Clients to External
Source: VPN Clients (172.16.1.7:49441)
Destination: External (dfw06s06-in-f20.1e100.net 74.125.227.52:80)
Protocol: HTTP
User: ***\Matthew Lindstrom
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 172.16.1.7
And here is a DNS request:
Closed Connection TMG 1/1/2012 2:27:16 PM
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Rule: VPN Clients to Internal
Source: VPN Clients (172.16.1.7:62879)
Destination: Internal (10.1.0.106:53)
Protocol: DNS
User: ***\Matthew Lindstrom
Additional information
Number of bytes sent: 81 Number of bytes received: 135
Processing time: 55922ms Original Client IP: 172.16.1.7
Internal network is 10.1.0.0-10.1.255.255
VPNs are assigned 172.16.1.1-254
DNS server is 10.1.0.106
On a side note, it looks like the connections are being established, but a lot of times they are timing out:
Closed Connection TMG 1/1/2012 2:31:09 PM
Log type: Firewall service
Status: A connection was terminated because it was idle for more than the time-out period, or the time-out on an incompleted action expired.
Rule: VPN Clients to External
Source: VPN Clients (172.16.1.3:51727)
Destination: External (dfw06s07-in-f3.1e100.net 74.125.227.67:80)
Protocol: HTTP
User: ***\***
Additional information
Number of bytes sent: 152 Number of bytes received: 192
Processing time: 65046ms Original Client IP: 172.16.1.3
Matt,
VPN clients are on a different network than your internal hosts, and as such, need a rule that explicitly permits them to access internal and external resources once they are connected to VPN. See one of my posts on VPN on what needs to be done for that, and ping me with any follow up questions regarding VPN by leaving a comment on the appropriate post dealing with VPN setup.
Ed
Hi,
I have set up a test environment with 3 servers, private IP address range 192.168.0.0:
1) DC, DNS, DHCP – IP 192.168.0.1
2) Exchange Server – IP 192.168.0.2
3) TMG 2010
I have configured TMG 2010 with 2 NICs: one is on 192.168.0.0 and the other one is on our PRD domain network 10.X.X.X, but this server is joined to the test domain.
Issue: I can’t get Internet access. How do we need to NAT these two networks to get Internet access? Also, on the PRD domain network we have a proxy server.
I don’t fully understand your setup, but here’s some general guidance.
1) don’t NAT between the 192.168.0.0 and the 10.x.x.x networks; route. These are both internal networks, and NAT’ing can break a lot of stuff you might need to do between them, like set up a trust.
2) Are you saying you have a separate proxy server? If so, either route all Internet bound traffic through that, or configure your clients to use that as a web proxy.
HTH
Ed
Hello Ed,
How are you? I have got a query. I have configured TMG 2010 as an edge firewall with two NICs, internal and external (public).
We have an internal DNS server (192.168.1.100), and now we are trying to host a website and publish it over TMG 2010. How shall I go about it? Do I need split DNS, or can it be done with two NICs also, without a DMZ? Or do I need to create a DNS server for external clients? There is a bit of confusion: how does someone trying to access my website http://www.abc.com (example) get to know about my web server, which is hosted internally, and how will the external public DNS server get to know that http://www.abc.com is the external public IP address of TMG 2010?
Or would the external DNS part be taken care of by our ISP?
2) My internal DNS server is the DC and the domain is geu.com. I want to host a website with a URL like http://www.gedu.com; how would that be done?
Kindly give some solution.
Rohan Gaur
System Admin
See this and then this. That should fix you right up. Obviously if you don’t have a farm it will vary a little bit, but you should be able to follow along without issue.
HTH
Ed
Hi Ed,
I am installing Forefront TMG 2010 Medium Business Edition software on a server and encountered “Setup failed to install ADAM (0x80070002)”.
This occurs when the setup tries to install the Configuration Storage server. With this error, the entire setup is getting rolled back.
The server is on the domain and I have full rights to install the software, and connectivity to the DCs was also fine. Please advise.
Thank you.
Sri…
Got more than one NIC? Check your binding order. If correct, check your domain membership trust and GPO.
HTH
Ed