TMG: Accessing the Performance Monitor remotely doesn't work


  • Wednesday, 14 March 2012 22:51

    Hi there, I'm having trouble connecting remotely to Performance Monitoring on our TMG server from my local machine. The version of Forefront TMG is 7.0.9193.500. I've added my computer to the Remote Management Computers group in TMG. I've made sure "Enable this configuration group" under System Policy > Remote Management > Microsoft Management Console (MMC), System Policy > Remote Monitoring > Remote Performance, and System Policy > Configuration Storage Service > Local Configuration Storage Server Access and NetBIOS is enabled on the IP address.

    There are no other security appliances (other firewalls, etc.) between my local computer and the TMG server. I cannot explain why I cannot connect... when I watch the firewall logs, I see the IP come across but I don't see anything blocked.

    Any ideas?

All replies

  • Thursday, 15 March 2012 6:10

    Hi,

    You must disable "Enforce strict RPC compliance" in the System Policy rule set:
    http://blogs.technet.com/b/isablog/archive/2007/05/16/rpc-filter-and-enable-strict-rpc-compliance.aspx


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

  • Thursday, 15 March 2012 6:54

    Hi Marc, thanks for your response. I read the blog and followed the directions, but it didn't work.

    In the blog, I followed this set of instructions:

    • Problem: You cannot use DCOM between a computer in the Remote Management Computers sets and the ISA Server computer
    • Workaround: In the system policy rule, there is no option to configure remote management to allow non-strict RPC traffic, so all DCOM traffic between the Remote Management Computers set and the Local Host network (the ISA Server) is dropped. As a workaround, remove the computer from the set, and create an additional access rule for the same traffic. Then clear the "Enforce strict RPC compliance setting" on the rule.

    So, I jumped on the TMG server and did the following:

    (1) Remove my computer from the Remote Computers group (that way it won't be picked up by System Policy)

    (2) Create an Access Rule with protocols NetBIOS Datagram, NetBIOS Name Service, NetBIOS Session, RPC Server (all interfaces); From: my machine; To: Local Host; Condition: all users

    (3) On the rule itself, clear the checkbox "Enforce strict RPC compliance"

    (4) Publish the change

  • Thursday, 15 March 2012 7:03

    Hi,

    This may also be a WMI/DCOM/RPC issue. The client tries to establish an RPC/WMI connection to the TMG Server, and this technique uses dynamic TCP/IP high ports. If you do not want to restrict DCOM/RPC to specific ports via Registry changes, you must extend your firewall rule with a custom WMI protocol definition which allows access to the port range x to y. You can see the blocked ports in the Live Logging on the TMG Server when the client tries to connect to the TMG Server.


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
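    The registry-based alternative mentioned above, as an added example (not from this thread or from Marc's blog): pinning the RPC/DCOM dynamic port range on the TMG host via the documented HKLM\SOFTWARE\Microsoft\Rpc\Internet values (KB154596), so the access rule only needs to allow that narrow range instead of 1024-65524. The 5000-5100 range and the function names are assumptions for illustration.

```powershell
# Added example: pin the RPC/DCOM dynamic port range on the TMG host so the
# firewall rule can allow a narrow range instead of nearly every high port.
# Uses the documented HKLM\SOFTWARE\Microsoft\Rpc\Internet values (KB154596).
# The 5000-5100 range below is an assumption; choose one that fits your environment.

$RpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Get-RpcPortRange {
    # Returns the current RPC port restriction, or $null if none is configured.
    if (-not (Test-Path $RpcKey)) { return $null }
    Get-ItemProperty -Path $RpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
}

function Set-RpcPortRange {
    param(
        [Parameter(Mandatory)][ValidateRange(1025, 65535)][int]$Start,
        [Parameter(Mandatory)][ValidateRange(1025, 65535)][int]$End
    )
    if ($End -le $Start) { throw "End port must be greater than start port." }
    # A very small range can starve DCOM/WMI callers on a busy server; warn, don't block.
    if (($End - $Start + 1) -lt 100) {
        Write-Warning "Range is very small; RPC endpoint allocation may fail under load."
    }

    if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
    # Ports is REG_MULTI_SZ; a single "start-end" entry is accepted.
    New-ItemProperty -Path $RpcKey -Name Ports -PropertyType MultiString `
        -Value @("$Start-$End") -Force | Out-Null
    # 'Y' marks the listed ports as the ones RPC hands out to remote callers.
    New-ItemProperty -Path $RpcKey -Name PortsInternetAvailable -PropertyType String `
        -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $RpcKey -Name UseInternetPorts -PropertyType String `
        -Value 'Y' -Force | Out-Null
    Write-Host "RPC dynamic ports pinned to $Start-$End. Reboot the TMG host to apply."
}

# Usage (run elevated on the TMG server, then reboot):
Set-RpcPortRange -Start 5000 -End 5100
Get-RpcPortRange
```

    After the reboot, the custom protocol definition in the TMG access rule only needs TCP 5000-5100 (plus the RPC endpoint mapper on TCP 135), and Live Logging will show any allocation that falls outside it.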

  • Thursday, 15 March 2012 18:41

    I went ahead and created a port range. I'm not seeing blocked ports (when running Live Logging on the firewall). If I try to connect to TMG perfmon by FQDN, perfmon reports "The RPC server is unavailable". If I try to connect to TMG perfmon by IP address, I get "The parameter is incorrect". In the Live Logging, I'm not seeing anything blocked. (This is becoming quite an effort!)

  • Thursday, 15 March 2012 18:50

    My port range is 1024-65524 (almost all the ports).

  • Friday, 16 March 2012 6:20
    Moderator
    Proposed answer

    Hi,

    Thank you for the post.

    Please refer to this blog: http://tmgblog.richardhicks.com/2010/01/21/remote-performance-monitoring-and-forefront-threat-management-gateway/.

    Regards,


    Nick Gu - MSFT

  • Friday, 16 March 2012 21:09

    Thanks Nick. Still no luck... It is OK, this isn't that important. It may be something outside of TMG that is causing the issue...

  • Thursday, 22 March 2012 20:46

    I've got the same issue - it just doesn't seem to work.

    • Proposed as answer by Dave Onex, Monday, 09 April 2012 6:52
    • Voted as helpful by Dave Onex, Monday, 09 April 2012 7:03

  • Monday, 09 April 2012 6:53
    Proposed answer

    Q: Marking a question as answered when it's not - is this something new?

    A: Not at all, it's standard Nick Gu!

    • Edited by Dave Onex, Monday, 09 April 2012 7:03
    • Proposed as answer by Dave Onex, Monday, 09 April 2012 7:03