Forefront Threat Management Gateway Forum

Traffic Being Blocked

Tue, 01 Dec 2009 17:28:17 Z

I'm having some trouble getting Forefront TMG to work properly. I have created a rule to allow all traffic from the FTMG server to any network, and that rule works just fine. However traffic returned from such requests is denied.

For example, if I try to browse a website, I see that the request is sent out and allowed, but that the response back from the web server is being denied. It's like it's not tracking stateful information.

This is preventing the server from funcitoning at all, I can't even get my server to activate. I'm running Windos 2008 Server Standard, 32 bit. Any help would be gratly appreciated.

publishing POP3 Failed

Tue, 01 Dec 2009 15:09:23 Z

Hi,

we did setup an test enviorment with Exchange Exchange 2007 Hub Transport and Mailbox role on one server, Exchange Edge and ISA and FEP 2007 on othere server, now I would like to publish the standard POP3 (not secure), so I did first subscrrib the Edge with Hub (then went ok),then i used wizard for publish an mail server, then choose the standard POP3. after I did connect an PC to the same network rang of external NIC of ISA, then on this PC I did setup the outlook to point to the external IP of NIC for the POP3 Server,I also create an test user account and mailbox, but the problem is here, when I say to check configuration it find the POP server and I get an logging prompt I try the test username and password but I get the propmt back.I also did check the logs of ISa and it says connection on port 110 initiated
the outlook version is 2003
I want to also add that when I telnet the external NIC of ISA on port 110 I get:
+OK Microsoft Exchange Server 2007 POP3 service ready

I also in the property of the role did check the option request coming from ISA server

this is my configuration:

ISA has 2 nics,

intern: 10.0.0.1
Extern: 62.221.189.145

Exchange: 10.0.0.11

External Client: 62.221.189.150

Any idea why is this heppening?

ISA 06 & Windows 7 problem

Wed, 02 Dec 2009 00:45:21 Z

Hi,
I have a Server 2008 R2 domain that has a ISA 06 at the gateway with Firewall and Web Proxy enabled. I am using DNS and DHCP to hand out WPAD and auto config script. Most clients have the firewall client installed. I require authentication for internet access for all users therfore I do not hand out the gateway IP. there is no SecureNAT.
I have a mix of XP and Vista machines that have Outlook installed and therfore I have the firewall application setting for Outlook set to Disable 0. This enables outlook to poll for mail on the external mail servers without a gateway assignment, the firewall client does not ignore the mail request.
Since installing windows 7 machines and giving them the same setup as all the XP and Vista machines with Firewall Client I am unable to poll for mail with them without handing them a gateway. The windows 7 machines when set to autoconfig script assignment without the gateway can internet browse OK but no polling for mail. When I log the access on ISA there is nothing, no traffic when you send receive. The outlook message is " server cannot be contacted or is down" The outlook client does not know where to go to poll for mail. Again if you iniate a browser it can get onto the Net, but no mail. ISA logs show this traffic OK.
Give the client a gateway and instantly the Windows 7 Outlook client receives mail.
I don't understand why this is isolated to just the Windows 7 machines. For the time being I have to set either static IP's on windows 7 machines with a gateway who require outlook mail access or do a reservation with scope options again with a gateway.
All the Xp and vista machines work as they should, no gateway with firewall client and autoconfig + WPAD. Firewall client application settings for Outlook set to Disable 0. Message delivery is successful.
Same setup on windows 7 and it can't find the server as it has no gateway.
What am I doing wrong?
Can anybody assist?
Much appreciated...........

publish smtp

Tue, 01 Dec 2009 11:38:01 Z

I did install exchange 2010 (hub and mailbox roles) on a server, then install the Exchange 2010 edge role and FPE 2010 on a diffirent server and did install the TMG 2010 on the same server as edge and FPE.
now my question is do we have to still publish the smtp through TMG 2010? or this not neccecry? if we have to publish SMTP, does anyone has an toturial on how to do this?

Thanks,

Shahin

Shahin

Traffic shaping

Mon, 30 Nov 2009 09:23:16 Z

We look for software solution for traffic shaping (http://en.wikipedia.org/wiki/Traffic_shaping) with Forefront TMG.
Do you have any guess how to implement this?
If Forefront TMG have no built-in features due to traffic shaping, maybe third party and/or partner solutions can help?
I believe that traffic shaping and traffic policing for TMG/ISA exist.

Publishing CRL through TMG

Wed, 22 Jul 2009 20:26:03 Z

Trying to create a website publishing rule for my internal CRL list.

internal site is http://DC01/certenroll/
external is CRL.<domainname>.com
public IP for TMG is set to CRL.<domainname>.com
rule and listener is create for crl.<domainname>.com
but the rule keeps getting skipped and gets blocked by the default rule. testing the rule succeds. not sure what else i am missing

Preferred editions of Windows server 2008 for TMG 2010 deployment ?

Thu, 26 Nov 2009 16:13:43 Z

Hi,

    It seems that Forefront TMG 2010 (RTM version) only supports "Windows Server 2008 SP2" or "Windows Server 2008 R2"

What about TMG 2010 support for other 64-bit editions of Windows server 2008. ?

Is it possible to deploy TMG 2010 on other flavors of Windows 2008 like : Windows Server 2008 Datacenter , Windows Server 2008 R2 Datacenter,  Windows Server 2008 Standard and Windows Server 2008 R2 Standard?

Also, Can anyone please tell us, the preferred editions of Windows server 2008 widely used for TMG 2010 deployment in an organization?

Thanks,
LK

Howto protect TMG client for change configuration

Thu, 26 Nov 2009 10:39:05 Z

How I protect TMG client for change configuration ?

User without administrative rights is possible disable to TMG FWC - how block it ?
Via GPO ? - where is ADM/ADMX files ?

Thanks,
L.

Web protection

Tue, 24 Nov 2009 16:23:17 Z

Hi,

After installing the TMG RTM when configuring Define Deployment Option, it ask if we want to enable NIS and web protection, on NIS I though just live it enable but on web protection it says: start using the evaluation licence or use a licence (this is not possible becuse the licence is not available yet) or disabling it, I would like to know how long is the evaluation periode? and if this option is disabled what is the consequence of that? and last question: is it possible to change this settings, once it has been configured?

Thanks,

Shahin

Shahin

Forefront TMG 2010 support for Itanium-based Systems ?

Wed, 25 Nov 2009 11:17:37 Z

Does Forefront TMG 2010 supports “Windows Server 2008 for Itanium-based Systems” ?

We are able to run setup on Windows server 2008 (Itanium) system but not able to find any Microsoft link or references which claims support for Win 2008 (Itanium) system.

Any idea ?

Thanks,
Lk

FTMG 2010 Technet

Tue, 24 Nov 2009 11:34:07 Z

Good Morning.

FTMG 2010 isn't currently available via Technet.
Can anyone shed any light of when it may become available, if at all?

Regards,

Steve.

Monitoring or real-time reporting ???

Tue, 24 Nov 2009 10:05:35 Z

Does the new ISA brings some kind of monitoring or monitoring in real time?

I need a firewall that at any time can show me which computer in my company use the most of the network, which protocols are most used, which user most load on the network etc...

Does the TMG have the possibility of monitoring in real time?

TMG Control Service - Crash

Sat, 21 Nov 2009 00:26:00 Z

I have problem with TMG Control Service. When I connect to OWA(2007) published on TMG - Control Service crash and Firewall service stops working.
Sometimes it works but very occasionaly and after while Control Service crash.
My Configuration:
Hyper-V Server 2008 R2, 2 x Nic, 3 x Virtual Machines - W2k8 SP2,
1 - Virtual Machine = TMG 2010 + Exchange EDGE 2007 SP2
2 - VM = DC,
3 - VM = Exchange 2007 SP2 (Hub Transport, Client, Mailbox)

Event Log errors:
------------------------------------------------------
Log Name:      Application
Source:        Application Error
Date:          17. 11. 2009 22:50:29
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      edge.domain.sk
Description:
Faulting application mspadmin.exe, version 7.0.7734.100, time stamp 0x4ad4f893, faulting module ncrypt.dll, version 6.0.6002.18005, time stamp 0x49e0419b, exception code 0xc0000005, fault offset 0x000000000000310e, process id 0xb78, application start time 0x01ca67ce75f5f759.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
   <Provider Name="Application Error" />
   <EventID Qualifiers="0">1000</EventID>
   <Level>2</Level>
   <Task>100</Task>
   <Keywords>0x80000000000000</Keywords>
   <TimeCreated SystemTime="2009-11-17T21:50:29.000Z" />
   <EventRecordID>13150</EventRecordID>
   <Channel>Application</Channel>
   <Computer>edge.domain.sk</Computer>
   <Security />
</System>
<EventData>
   <Data>mspadmin.exe</Data>
   <Data>7.0.7734.100</Data>
   <Data>4ad4f893</Data>
   <Data>ncrypt.dll</Data>
   <Data>6.0.6002.18005</Data>
   <Data>49e0419b</Data>
   <Data>c0000005</Data>
   <Data>000000000000310e</Data>
   <Data>b78</Data>
   <Data>01ca67ce75f5f759</Data>
</EventData>
</Event>
---------------------------------------------
Log Name:      Application
Source:        Application Error
Date:          17. 11. 2009 22:50:30
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      edge.domain.sk
Description:
Faulting application mspadmin.exe, version 7.0.7734.100, time stamp 0x4ad4f893, faulting module mspadmin.exe, version 7.0.7734.100, time stamp 0x4ad4f893, exception code 0xc0000005, fault offset 0x00000000000f0ab0, process id 0xb78, application start time 0x01ca67ce75f5f759.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
   <Provider Name="Application Error" />
   <EventID Qualifiers="0">1000</EventID>
   <Level>2</Level>
   <Task>100</Task>
   <Keywords>0x80000000000000</Keywords>
   <TimeCreated SystemTime="2009-11-17T21:50:30.000Z" />
   <EventRecordID>13151</EventRecordID>
   <Channel>Application</Channel>
   <Computer>edge.domain.sk</Computer>
   <Security />
</System>
<EventData>
   <Data>mspadmin.exe</Data>
   <Data>7.0.7734.100</Data>
   <Data>4ad4f893</Data>
   <Data>mspadmin.exe</Data>
   <Data>7.0.7734.100</Data>
   <Data>4ad4f893</Data>
   <Data>c0000005</Data>
   <Data>00000000000f0ab0</Data>
   <Data>b78</Data>
   <Data>01ca67ce75f5f759</Data>
</EventData>
</Event>

FTMG 2010 Trial Expiration Date.

Tue, 24 Nov 2009 11:31:14 Z

Good Morning All.

Does anyone know when a trial installation of TMG 2010 will expire?

Regards,

Steve.

Terminal Services

Tue, 24 Nov 2009 15:30:17 Z

Hi,

Could someone direct me to some artical on how to configuer the TMG or ISA 2006 for Terminal services, our clients accessing some of our servers to use certine applications, now we want to implament ISA 2006 or TMG in our network, so clients most first make VPN connection and then start an RDP session to there servers
my question is,
what is the next step here? should we create access rules on ISA to access T.S servers? or that is not nececery?

Thanks,

Shahin

Shahin

SQL Reporting failed

Tue, 24 Nov 2009 15:40:04 Z

Hi,

I did download the TMG (the RTM version), but I have to say that before that we had on the dame server the TMG Candidate release and I did first remove this version to install the new version, now when I install the software at the end of installation syas:

Microsoft SQL server Express reporting couldnot be installed.

after clicking ok it says for more info go to C:\program files\SQL server\100\Bootstrp setp\logs for more info, but I could not find any logs here.

Any idea why is this heppening?

Shahin

Web filtering without proxy?

Wed, 18 Nov 2009 23:49:32 Z

Here is my setup, I run the network for a high school and I am testing out tmg, However It seems like in order to filter sites, you have to setup a proxy. For the schools computers that are on the domain, thats not a problem. However we allow students to join the wireless network and it seems like they could get around it by disabling the proxy. I dont want to have to make a rule that denys them interent if they are not joined to the proxy because some computers disable the obtaining proxy information from the DHCP.

So what are my options here? I would also like to add that these are high school students, they are not the most computer savy in the world, so we dont want to do anything to their computers for this to work.

Also when is TMG going to be posted on technet?

Moving from TMG RC to RTM

Tue, 24 Nov 2009 15:57:57 Z

When the RC was released, I installed it on 2008 R2 server in order to continue testing before it was RTM. According to:

http://blogs.technet.com/isablog/archive/2009/10/11/forefront-threat-management-gateway-2010-release-candidate-now-available.aspx

we should be able to move to RTM no problem from RC. Now that RC has been released, I would like to do this but have not seen any documentation as to how to do. I am a volume license customer and have the license key available. Do I enter this somewhere in the RC to license it or do an "in place upgrade" with the RTM version? Thanks.

Jeff

HTTP listener does don't redirect to internal site

Thu, 05 Nov 2009 19:39:06 Z

Hi all,
Have a little trouble with a HTTP listener i setup, setup a firewall rule for a site, created a listener that checks both HTTP and HTTPS, added the cert and tested the rule, was succesful in reaching the webpage from the TMG box.

the problem part now, when i try to connect externally from the http:// address, the connect is blocked by the default rule. but if i use the Https:// the listener succeds in redirecting me to the site. Not sure what i am missing on this one.

Error in the log state the connection was blocked by the default rule.

Status: 0x80072741 WSAEADDRNOTAVAIL What I can do ?

Tue, 10 Nov 2009 16:00:24 Z

When clint try to get e-mail connections failed with this error message:
Failed Connection Attempt R0002SRV 10/11/2009 13:00:04
Log type: Firewall service
Status: 0x80072741 WSAEADDRNOTAVAIL
Rule: Allow Web Access for All Users
Source: Internal (192.168.251.116:51130)
Destination: External (66.228.121.124:110)
Protocol: POP3

I try the sugested on
http://support.microsoft.com/default.aspx?scid=kb;EN-US;927695

AND disable "Receive Side Scaling" hardware options on all networks interface on my Dell server (one Broadcon and one Intel)

Can someone help me?

Standard Vs Enterprise !

Sat, 27 Jun 2009 07:38:52 Z

Hello.

Previously with TMG beta one and two, there was no standard and enterprise versions of TMG, why with TMG beta three this change ?

For example, in Tarek's article (http://www.elmajdal.net/ISAServer/Installing_Forefront_Threat_Management_Gateway_Beta_2.aspx) "As you may have noticed, the concept of Standard Edition or Enterprise Edition is no more available with Forefront TMG. There are new terms that we will have to get used to them , such as Standalone Server, Array Manager, Standalone Array, Enterprise Management Server (EMS). You might find it misleading at the current moment. Don't feel that, later on we will get used to these terms, and they will be covered in future articles. To give you a brief illustration, at the moment I'll be installing a Standalone Forefront TMG server. "

and i've seen this also on different forums and blogs as well, but now I feel myself lost why this was not illustrated before ! that there will be a standard and enterprise editions again !

and where can we find any difference between the two ?

Remote Desktop Connection to Forefront TMG Server

Mon, 16 Nov 2009 17:31:28 Z

I am trying to remotely manage the Forefront TMG server but I can't seem to get it to work. I have added my desktop's IP address to the Enterprise Remote Management Computers and have made sure the system policy is set to allow connections from the group. When I try to connect via RDP on my desktop, it just times out trying to connect.

The logs show the connection initiating but then it closes without connection. The log shows, "A connection closed becasue no SYN/ACK reply was received from the server."

You must restart this computer before installing Forefront TMG (final trial release)

Mon, 23 Nov 2009 14:55:22 Z

Hi,

I am very happy that Microsoft has released the final version of TMG Server 2010. At this moment and as far as I know you can only download the trial. I have downloaded the trial version. But I cannot install it because I get a warning message during the Installation Wizard and setup cannot continue.

1. Deployed a new and clean Virtual Machine with Windows Server 2008 R2 (x64); succesfully
2. Run Windows Update; succesfully
3. Run Preperation Tool; succesfully
4. Run Installation Wizard; warning meesage

Then, the Installation Wizard says "A computer restart is required. You must restart this computer before installing Forefront TMG". But... when you restart the server, it keeps coming with this error message. You can restart as often as you want, same result.

At isaserver.org I saw the same issue. http://forums.isaserver.org/m_2002095201/mpage_1/key_/tm.htm#2002095201

I know there is a status in the registery somewhere and you can clean it. But I don't know where anymore and if this will result in unwanted behaviors. Any suggestions?

Boudewijn

ForeFront TMG as Hyper-V guest

Wed, 06 Aug 2008 19:00:56 Z

I'm using TMG in a Win 2008 Hyper-V virtual environment using a physical server (Athlon 64 x2- 5600+/8GB Ram/Dual NIC) and setup a lab environment with the following configuration:

DNS server(also Domain PDC server): Win08 STD, One Virtual NIC (IP:192.168.3.1/255.255.255.0 GW:192.168.3.254)
TMG Server: Win 2008 STD (stand alone domain member), Dual virual NICs: Public nic (IP:192.168.2.254/255.255.255.0 GW:192.168.1.254 NO DNS IP) and Local NIC(IP:192.168.3.254/255.255.255.0 DNS:192.168.3.1 No GateWay IP)

As it's suggested by Microsoft, the TMG server is refering to internal DNS server on Local NIC and has just one Gateway on Public NIC.
What I'm experiencing is that I can not lookup DNS records on both (virtual) servers and because of that I don't have internet access on both TMG and DNS server.

I noticed when I'm doing a nslookup on DNS server (or TMG) the TMG logs show all the requests from DNS server denied by Default rule (that denies all traffics) Then I created an Allow policy to allow DNS requests (port 53) from Internal network to External networks. Now I see that the nslookup initiated requests comming from DNS server are getting allowed to the external DNS server (192.168.1.254) by the new policy but the closing response is not getting back from the external DNS and because of that the DNS lookup fails.

I thought TMG should allow DNS lookups by default using system policies (like what ISA 2006 was doing) and if not, then why it's still not working after creation of the allow DNS policy?

I thought maybe it's because I'm using TMG as virtual and did a reseach and followed on the direction to set EnableTCPA and EnableRSS to (DWord) 0 and disabled task offload for both NICs on TMG virtual but still no luck. I wonder if anybody have the solution and can help with this.

PPTP VPN / DNS issue

Tue, 17 Nov 2009 23:25:13 Z

Hi guys,

i recently set up a testbox with ForeFront TMG with VPN access using PPTP, DHCP address assignment from the internal network DHCP. The configuration was straight forward and most settings were kept by default.
I firewall rule is in place which allows VPN clients complete access (all protocolls) into the internal network.

The clients can connect via VPN will get a IP from the DHCP but do not register in DNS.
I already put in manually the option (on the client) to register in DNS but did not help.

I can ping and resolve FQDN of all clients and servers in the internal network but not vise versa.
The VPN clients cant ping or resolve there names neither.

// I think the TMG Server accquires the IP addresses from the DHCP so the VPN clients wont get any further configuration and do not register in DNS either.

Is that by design or can I get the VPN clients resolving each other and the internal servers to resolve external clients?

Another questions would be if the VPN clients can resolve additional configuration from the DHCP like WPAD.dat configuration etc.?

Thank you for help in advace!

Cheers,

Florian

Reporting Failure with RC

Sun, 18 Oct 2009 09:48:32 Z

I was running TMG Beta 3 on 2008 server without any problem. I upgraded to TMG RC and reporting now generates reports without any data.

I uninstalled & reinstalled and this made no difference. In the end I tried :-

Decomission old server and remove from domain
Build new 2008 R2 server with the same name and join to the domain
Install TMG and import old configuration

This still hasnt made any difference. I am getting the error :-

The daily summary for day "10/15/2009" was not created. This may cause the report for this period to be inaccurate. Verify that no prior reporting configuration alerts exist, and that the reporting services on the designated Forefront TMG report server are running and accessible from all the array members. Use the source location 1001.105.7.0.7733.100 to report the failure.
The failure is due to error: 0x80040e57

If I go to Monitoring\Services I can see that the following are running ok :-

SQL Server (ISARS)
SQL Server Reporting Services (ISARS)
SQl Server Express

Any guidance greatly appreciated!

Force HTTPS redirect for specific published webpath

Tue, 29 Sep 2009 20:44:44 Z

Is it possible to force HTTP to HTTPS redirection for a specific published public web path? For instance, given the following paths on www.contoso.com:

/
/images
/pages
/publicforms

I would want to allow public access to all paths, but ensure content to and from /publicforms is properly passed through HTTPS.

The web listener that I am currently using is configured for both HTTP and HTTPS connections, with no redirection configured. I have looked at using the "Notify HTTP users to use HTTPS instead" option within the web publishing rule, which ensures the content is delivered through the appropriate protocol but is not as customer/user friendly as a redirect.

If there are other options to support this type of deployment, I'd be happy to evaluate them as well.

RPC (DCOM) Behaviour on TMG RC

Mon, 16 Nov 2009 20:49:17 Z

Hello,

I'm using TMG RC version 7.0.7733.100.I have a W2008 R2 Ent DC in Internal Network which also has Enterprise CA installed.
When I try to use mmc console on TMG to request a certificate, I get an RPC error.Unchecking "Enforce strict RPC compliance" in System Policy's Active Directory section doesn't help either.I also tried creating a Firewall Access Rule which allows all traffic from "Local host" to "DC" and unchecking "Enforce strict RPC compliance" in that rule's options,but that also didn't work.What worked in the end was,I did both at the same time;I created the rule without the RPC compliance AND disabled RPC compliance in System policy. Funny thing is, after I get the certificate, if I remove the rule I created,it still works. Btw,I not only applied each time after I made a modification but also restarted MS FF TMG Control service just to make sure.

Am I missing something or is this a bug?
Thanks.

What TMG version can we deploy in production environment.

Mon, 09 Nov 2009 09:09:15 Z

What TMG version can we deploy in production environment and what are the OS prerequisites

NLB Setting on TMG

Mon, 16 Nov 2009 08:47:06 Z

I have set up a TMG array on Hyper V virtual machine , and am trying to configure Network Load Balancing between 2 TMG machines . We have configured NLB in the Multicast mode , and are using a Single NIC for config. We are unable to get the NLB working it . Can any one help as to what should be the correct settings for our setup.

TMG - PPTP VPN Connection

Thu, 24 Sep 2009 18:55:40 Z

I am trying to create a PPTP VPN Client to Server Connection using TMG.
I followed the setup instructions have have enabled vpn and added a firewall rule. When trying to connect from a Windows 7 client the client says connecting but after a while errors reporting a timeout.
The logs within TMG monitor show a successful connection.

Can anybody offer me any advise, would be much appreciated.

Differencing VPN access

Thu, 05 Nov 2009 10:24:31 Z

Hi

I have en TMG server i front of several networks and several AD's.
Can i difference what access I have when a user connects?

Currently I have setup vpn authentication to RADIUS (to the domaincontroller), so I can add more sources.

I have tried to apply one VPN access rule to only one user, but I can't seem to get i working.

Maybe it's something with the user I specify, even though I have tried both domain\user and user@domain, and of cause chose that its an RADIUS user.

/Lars

Status 64 Specified network name is no longer available.

Tue, 03 Nov 2009 19:15:04 Z

Seems to timeout at 3 min 20 Sec every time. While downloading a report.

Windows Server Standatd 2008 SP1

Forefront Threat Management Gateway Version 6.0.6417.100 MBE

Failed Connection Attempt	ISA-01V 9/15/2009 11:08:00 AM
Log type: Web Proxy (Forward)
Status: 64 The specified network name is no longer available.
Rule: Lee - Unrestricted PCs
Source: Internal (10.10.11.187)
Destination: External (wpmt.buildingtrustinc.com 63.171.212.39:80)
Request: POST http://63.171.212.39/wpCompCost.aspx
Filter information: Req ID: 0e140838; Compression: client=No, server=Yes, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous

Which one is suitable for me?

Tue, 03 Nov 2009 16:55:58 Z

Hai all,

I am planning to have a firewall product of ISA Server family to install within our office to secure internet communication betweek office and outside. We are using Windows Server 2008 -64/32 bit server only. Which one I have to select?

Manu

ManuPhilip

Major issues with a remotely located TMG server

Mon, 02 Nov 2009 20:03:29 Z

The scenario is that I have a server that is a member of a domain. It has TMG installed on it. I'm not trying to set up a site-to-site VPN between the main location and this server (for testing purposes). There is no domain controller local to the remote TMG server. The endpoints for the site-to-site VPN are both TMG RC.

Here are the issues I'm seeing:

1. The server gets stuck in an endless logical loop. It cannot apply the configuration with the site-to-site VPN tunnel because it can't contact the domain (event ID is 21257, the specified domain can't be contacted). Of course it can't be contacted, the site-to-site VPN tunnel isn't up but you can't apply the configuration with the tunnel in it because it can't contact the domain. The logic here fails my comprehension.

2, Once I get an L2TP site-to-site tunnel up (I created a manual tunnel to apply the configuraiton with the site-to-site tunnel!) then from the TMG gateway I can ping anything behind the other TMG gateway. Great! BUT anything behing the TMG gateway cannot ping anything on the remote network. I have allowed all traffic between the two networks, see it going out on one side and nothing on the other side.

Is this just flakey behavior in the "Release Candidate". It seems like basic site-to-site VPN behavior is severely broken.

Rob

FTP issue

Mon, 02 Nov 2009 15:10:32 Z

HI,

We having a problem with our clients PC and FTP, when clients that are behind the TMG try to open ftp://36.55.214.223 I get a loging box after entering the user name and passwords, we can see the content of the ftp folder, but when try to copy some file from client to FTP site I get this error:

200Type set to I
227 entering passive mode(36,55,214,223,12,167)
550 Access Denied.

But when I access the same FTP site (by the same user name and password) from othere clients that are not behind the TMG server,I can connect to FTP site and copy my file there.
I did create an access rule in TMG:

From: intertnal
TO: External
Protocol: FTP
Users: All users

SO any idea why is this heppening?

Thanks,
Shahin

Shahin

Redirect http to https

Fri, 30 Oct 2009 01:39:00 Z

I have asp.net page with the following code:

<%
Response.Redirect(https://mysite/default.aspx);
%>

By going through TMG RC, it does not redirect https, instead it just redirect http.

Does anyone else experience this?

Templates of the errors of malware inspection

Thu, 29 Oct 2009 23:53:29 Z

hi peoples!

somebody knows where is the archives of models of errors standards that are presented for the user through the malware inspection?

Regards!

Charles S. Tavares

TMG Setup Fails on: (Error 37020) Setup failed while creating the services configuration.

Fri, 11 Apr 2008 10:07:41 Z

Hello

i tried to install TMG but get always the failure: (Error 37020) Setup failed while creating the services configuration.

part of log: Setup failed while creating the services configuration.

Action 09:49:32: ConfigureFweng. Creating the services configuration...
09:49:33 ISA setup CA INFO   : ENTRY: ConfigureFweng, Current user is IGUS\Administrator
09:49:33 ISA setup CA INFO   : About to call InstallNetComponent(MS_Fweng,C:\Program Files (x86)\Microsoft ISA Server\fweng.inf)
09:49:33 ISA setup CA INFO   : InstallNetComponent: ComponentID MS_Fweng InfPath C:\Program Files (x86)\Microsoft ISA Server\fweng.inf
09:49:33 ISA setup CA INFO   : NCGetINetCfg: NetCfg 0035EF54
09:49:33 ISA setup CA INFO   : NCGetINetCfg: hResult 0x0, NetCfg 0035EF54
09:49:33 ISA setup CA INFO   : InstallNetComponent: Calling NCInstallNetComponent NetCfg 031707F8 ComponentID MS_Fweng GUID_DEVCLASS_NETSERVICE
09:49:33 ISA setup CA INFO   : NCInstallNetComponent: NetCfg 031707F8 ComponentId MS_Fweng ClassGuid 6FDA163C
09:49:36 ISA setup CA INFO   : NCInstallNetComponent: hResult 0x0 NetCfg 031707F8 ComponentId MS_Fweng ClassGuid 6FDA163C
09:49:36 ISA setup CA INFO   : NCReleaseINetCfg: NetCfg 031707F8
09:49:36 ISA setup CA INFO   : NCReleaseINetCfg: hResult 0x0 NetCfg 031707F8
09:49:36 ISA setup CA INFO   : InstallNetComponent Return 1
09:49:36 ISA setup CA INFO   : InstallNetComponent() completed
09:49:37 ISA setup CA INFO   : Fweng.sys was installed properly by InstallNetComponent()
09:49:37 ISA setup CA INFO   : EXIT: ConfigureFweng, Custom Action succeeded
Action 09:49:37: ConfigureServices_Rollback.
Action 09:49:37: ConfigureServices. Creating the services configuration...
09:49:37 ISA setup CA INFO   : ENTRY: ConfigureServices, Current user is IGUS\Administrator
09:49:37 ISA setup CA INFO   : ModifyServiceDepend(RemoteAccess, fwsrv, 1)
09:49:37 ISA setup CA INFO   : Found the service, add the dependency
09:49:38 ISA setup CA INFO   : spService->SetServiceSidType success for service fwsrv
09:49:38 ISA setup CA INFO   : Adding NT SERVICE\fwsrv Service-Sid permission...
09:49:38 ISA setup CA ERROR : the function AddSidToNetCfgOp failed with status = 80070057 at the function AddFwsrvPermissions.
09:49:38 ISA setup CA ERROR : the function AddFwsrvPermissions failed at the function ConfigureServices.
Setup failed while creating the services configuration.
MSI (s) (F8!94) [09:52:10:026]: Product: Microsoft Forefront Threat Management Gateway -- Setup failed while creating the services configuration.

09:52:10 ISA setup CA ERROR : Setup failed while creating the services configuration.
09:52:10 ISA setup CA ERROR : (Error 37020) Setup failed while creating the services configuration.
09:52:10 ISA setup CA ERROR : EXIT: ConfigureServices, Custom Action failed (0x643)
Action ended 09:52:10: InstallExecute. Return value 3.
Action 09:52:10: Rollback. Rolling back action:
Rollback: Creating the services configuration...
Rollback: ConfigureServices_Rollback
09:52:10 ISA setup CA INFO   : ENTRY: RestoreServicesConfiguration, Current user is IGUS\Administrator
09:52:10 ISA setup CA INFO   : ModifyServiceDepend(RemoteAccess, fwsrv, 0)
09:52:10 ISA setup CA INFO   : EXIT: RestoreServicesConfiguration, Custom Action succeeded
Rollback: Creating the services configuration...
Rollback: ConfigureFweng_Rollback
09:52:10 ISA setup CA INFO   : ENTRY: RemoveFweng, Current user is IGUS\Administrator
09:52:10 ISA setup CA INFO   : UnInstallNetComponent: ComponentID MS_Fweng
09:52:10 ISA setup CA INFO   : NCGetINetCfg: NetCfg 0276F974
09:52:10 ISA setup CA INFO   : NCGetINetCfg: hResult 0x0, NetCfg 0276F974
09:52:10 ISA setup CA INFO   : UnInstallNetComponent: Calling NCUninstallNetComponent NetCfg 02A856B8 ComponentID MS_Fweng
09:52:10 ISA setup CA INFO   : NCUninstallNetComponent: NetCfg 02A856B8 ComponentId MS_Fweng
09:52:11 ISA setup CA INFO   : NCUninstallNetComponent: hResult 0x0 NetCfg 02A856B8 ComponentId MS_Fweng
09:52:11 ISA setup CA INFO   : NCReleaseINetCfg: NetCfg 02A856B8
09:52:11 ISA setup CA INFO   : NCReleaseINetCfg: hResult 0x0 NetCfg 02A856B8
09:52:11 ISA setup CA INFO   : UnInstallNetComponent returned 1
09:52:11 ISA setup CA INFO   : EXIT: RemoveFweng, Custom Action succeeded
Rollback: PATCH_DisablePatchRemoveForSlipstream

Please help!

IT-Admin

Install Error

Sat, 26 Jul 2008 03:18:53 Z

I'm trying to install the Windows 2008 x64 TMG in the area where I xxx.local but he's wrong:
Setup failed while creating the services configuration

How do I install?