TMG 2010 EMS Unable to retrieve data from :tmgnode1 and tmgnode2

    Question

  • I am running TMG 2010 Enterprise on Windows 2008 R2.  I have one EMS server and 2 TMG array nodes.  The nodes report that they are connecting fine to the EMS (green checks on configuration and system).  The EMS says that it is unable to retrieve data from the nodes (red x's on the system tab).  It does seem to process firewall policy and pass it on to the nodes though.  What are some things to look at?

    Thanks in advance. 

    EDIT . . .

    I also wanted to add that I believe this was working correctly, but no changes (that I know of) have been made.

    Also I am not using NLB currently.  


    • Edited by drkleeman Tuesday, January 31, 2012 8:45 PM
    Tuesday, January 31, 2012 8:23 PM

All replies

  • Hi,

    Thank you for the post.

    Please make sure all the array members and EMS servers have the same rollup installed; the latest is TMG SP2 rollup 1. Based on the error message, it means the source TMG console failed to get information from the target TMG service. It may be caused by an RPC/DCOM communication failure between the TMG console and the service. You may try to close and reopen the TMG console and see if that resolves the issue. If the issue still remains, you should verify the network connectivity from the EMS to these TMG nodes (use ping with FQDN/IP/hostname etc.).

    Regards,


    Nick Gu - MSFT
    Wednesday, February 01, 2012 6:27 AM
  • The same is being faced by me too... ping and FQDN are working perfectly. Even the rollups are the same too...

    The actual problem is that this happens often but not all the time... there's no clue why TMG is behaving like that...

     

    Wednesday, February 01, 2012 8:17 AM
  • Are these servers domain members?

    If they are domain members, then have you added the relevant computers to

    -Remote Management Computers

    (-Enterprise Remote Management Computers)

    -Managed Server Computers


    Hth, Anders Janson Enfo Zipper
    Wednesday, February 01, 2012 9:48 AM
  • All servers are at SP2 rollup1.  It is definitely odd, because I can ping and resolve DNS from either the TMG array node to the EMS and the other way around.  
    Wednesday, February 01, 2012 12:14 PM
  • So for you, the problem is intermittent?  I thought so too.  I was pretty sure everything was working.
    Wednesday, February 01, 2012 12:14 PM
  • All servers are domain members and all servers are in those groups (Enterprise Remote Management, Managed Server . . .). Thanks.
    Wednesday, February 01, 2012 12:21 PM
  • Issue is still outstanding... many of my organizational colleagues have reported the same...

    Thursday, February 02, 2012 7:05 AM
  • Run TMG Best Practices Analyzer (TMGBPA, available at http://isabpa.com) on all nodes (incl. EMS) and see if anything stands out.

    If you run live logging on the array members you are trying to manage from EMS, do you see any access denied? If so, what rule denies them?

    Hth, Anders Janson Enfo Zipper
    Thursday, February 02, 2012 9:41 AM
  • Nothing out of the ordinary.  Could this be a possible server certificate issue?
    Thursday, February 02, 2012 12:37 PM
  • You state that all servers are domain members - then no certificate is necessary, as the machines authenticate against each other with their computer accounts.

    I would've expected to - at least - have seen something in the live logging indicating why this is not working.

    As you have TMGBPA installed now, try using the TMG Data Packager and run a repro for TMG Administration. Run the repro on all machines. Examine the resulting data. Start by looking at netmons and firewall logs.


    Hth, Anders Janson Enfo Zipper
    Thursday, February 02, 2012 1:18 PM
  • I installed the Data Packager and didn't see anything out of the ordinary.  I do see traffic from the array nodes to the EMS (and from the EMS to the nodes) over ports 2171 and 2172... I can update rules from the EMS and they do get pushed to the TMG nodes.  That said, the EMS still says that it is unable to retrieve data from the nodes.
    Thursday, February 02, 2012 7:30 PM
  • Just an update to this issue . . . this appears to have been caused by an overly restrictive GPO. The following settings:

    computer configuration\policies\Administrative Templates\System\Remote Procedure Call\

    RPC Endpoint Mapper Client Authentication

    Restrictions for Unauthenticated RPC Clients

    Both of the above settings were set to Enabled (as required by my policy).

    I disabled those, and the EMS was able to connect to the Nodes.

    Here is an interesting MS blog that led me to this. . . .

    http://blogs.technet.com/b/askds/archive/2011/04/08/restrictions-for-unauthenticated-rpc-clients-the-group-policy-that-punches-your-domain-in-the-face.aspx


    Friday, February 03, 2012 1:49 PM
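As an added example (not from this thread or from any poster), the PowerShell audit below reads the registry values that the two Group Policy settings named in the last post enforce, on the EMS and each array member, and TCP-probes the 2171/2172 array ports the Data Packager trace showed. The host names are placeholders; the registry value names are the ones those two policies write.

```powershell
# Added example, not from the thread: audit the two RPC policy settings the final
# post identified on each EMS/array host, and TCP-probe the array ports seen in the trace.
# Policy-enforced values live under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc:
#   EnableAuthEpResolution -> "RPC Endpoint Mapper Client Authentication" (1 = Enabled)
#   RestrictRemoteClients  -> "Restrictions for Unauthenticated RPC Clients"
#                             (0 = None, 1 = Authenticated, 2 = Authenticated without exceptions)
# Host names are placeholders (assumption); replace with your own EMS and array members.
$computers = @('tmgems', 'tmgnode1', 'tmgnode2')
$rpcKey    = 'SOFTWARE\Policies\Microsoft\Windows NT\Rpc'

function Get-RpcPolicy {
    param([string]$ComputerName)
    # Remote registry read: needs the Remote Registry service running and admin rights on the target.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hive.OpenSubKey($rpcKey)          # $null when no policy has ever written the key
    $epAuth   = if ($key) { $key.GetValue('EnableAuthEpResolution') } else { $null }
    $restrict = if ($key) { $key.GetValue('RestrictRemoteClients') }  else { $null }
    $restrictText = if ($null -eq $restrict) { 'Not configured' } else {
        switch ([int]$restrict) {
            0       { 'None (0)' }
            1       { 'Authenticated (1)' }
            2       { 'Authenticated without exceptions (2)' }
            default { "$restrict" }
        }
    }
    [pscustomobject]@{
        Computer               = $ComputerName
        EnableAuthEpResolution = if ($null -eq $epAuth) { 'Not configured' } else { $epAuth }
        RestrictRemoteClients  = $restrictText
        # True when either policy is enforced, i.e. the state the thread found on its servers.
        MatchesThreadCause     = ($epAuth -eq 1) -or ($restrict -ge 1)
    }
}

function Test-TmgPort {
    param([string]$ComputerName, [int]$Port)
    # Plain TCP connect with a 2 s timeout; works on 2008 R2, where Test-NetConnection is absent.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        $open  = $async.AsyncWaitHandle.WaitOne(2000) -and $client.Connected
    } catch { $open = $false } finally { $client.Close() }
    [pscustomobject]@{ Computer = $ComputerName; Port = $Port; TcpOpen = [bool]$open }
}

$computers | ForEach-Object { Get-RpcPolicy -ComputerName $_ } | Format-Table -AutoSize
$computers | ForEach-Object { $c = $_; 2171, 2172 | ForEach-Object { Test-TmgPort $c $_ } } | Format-Table -AutoSize
```

A host showing MatchesThreadCause = True while its ports report TcpOpen = True is the pattern this thread describes: the transport is reachable, but the policy-level RPC authentication requirement is what the EMS console trips over.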