Forefront TMG 2010 SP1 and Update1

  • Question

  • After installing SP1 the reporting stopped working. I have upgraded with Update1 for TMG 2010 SP1

    Getting errors in the TMG Monitoring Dashboard and Windows Event Application logs

    1 - Level Date and Time Source Event ID Task Category
    Warning 7/6/2011 5:41:28 PM SmtpEvt 31196 None The SMTP filter detected an invalid DATA terminator or invalid character combination in the DATA section. This may indicate an attack in progress, or be the result of an incompliant mail agent.
    2 -Level Date and Time Source Event ID Task Category
    Warning 7/7/2011 11:16:11 AM Microsoft Forefront TMG Web Proxy 31172 None "Forefront TMG was unable to decompress a response body from www.nzpost.co.nz because the following error occurred: The data is invalid.
    . This error may occur when the available memory is insufficient, the response is corrupted due to a network problem, or the server returns an illegal response. "


    Muhammad Mehdi
    Thursday, July 7, 2011 4:24 AM

All replies

  • Hi,

    1) Check the SMTP filter setting in the TMG MMC - System - Application Filter - SMTP Filter - properties - SMTP command tab - Default command is data with 6 bytes length
    2) Forefront TMG tries to compress / decompress content. It is possible to disable the compression globally or it is possible to create exceptions for some websites:
    http://technet.microsoft.com/en-us/library/bb794746.aspx
    http://support.microsoft.com/kb/838365


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
    Thursday, July 7, 2011 4:32 AM
  • Hi Marc

    Issue 1: I have checked, it is 6 bytes maximum length.


    Muhammad Mehdi
    Thursday, July 7, 2011 4:39 AM
  • Hi,

    1) So I think you can ignore this message. It is only a message which tells you that a possible intruder tried to compromise your server through SMTP commands or an SMTP client executes wrong / malformed SMTP commands. If this message doesn't repeat permanently you should ignore the message.


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
    Thursday, July 7, 2011 4:47 AM
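One way to check whether a warning such as event 31196 keeps repeating, as an added example that is not part of the original thread. It assumes the events were exported as tab-separated rows in the column layout quoted in the question; the sample rows are constructed and the three-day threshold is an arbitrary assumption.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the rows quoted in the question.
# Assumption: columns are tab-separated, as in an Event Viewer text export.
SAMPLE = (
    "Level\tDate and Time\tSource\tEvent ID\tTask Category\n"
    "Warning\t7/6/2011 5:41:28 PM\tSmtpEvt\t31196\tNone\tinvalid DATA terminator\n"
    "Warning\t7/6/2011 5:43:02 PM\tSmtpEvt\t31196\tNone\tinvalid DATA terminator\n"
    "Warning\t7/7/2011 9:02:10 AM\tSmtpEvt\t31196\tNone\tinvalid DATA terminator\n"
    "Warning\t7/8/2011 8:15:40 AM\tSmtpEvt\t31196\tNone\tinvalid DATA terminator\n"
    "Warning\t7/7/2011 11:16:11 AM\tMicrosoft Forefront TMG Web Proxy\t31172\tNone\t"
    "\"unable to decompress\na response body\"\n"  # quoted multi-line message
)

def summarize(text):
    """Return {(source, event_id): {"count": n, "days": set of dates}}."""
    stats = defaultdict(lambda: {"count": 0, "days": set()})
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) < 5:
            continue  # blank or truncated line
        try:
            when = datetime.strptime(row[1], "%m/%d/%Y %I:%M:%S %p")
            event_id = int(row[3])
        except ValueError:
            continue  # header row or anything that is not an event row
        entry = stats[(row[2], event_id)]
        entry["count"] += 1
        entry["days"].add(when.date())
    return dict(stats)

def recurring(text, min_days=3):
    """Event keys seen on at least min_days distinct days (assumed threshold)."""
    return sorted(k for k, v in summarize(text).items() if len(v["days"]) >= min_days)

if __name__ == "__main__":
    for key, v in sorted(summarize(SAMPLE).items()):
        print(key, v["count"], "event(s) on", len(v["days"]), "day(s)")
    print("recurring:", recurring(SAMPLE))
```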
  • 2) Could you please assist me to create exceptions for some websites?

    3) Here is the IP address from one of the users on the network. I have checked his PC; it is all up to date and does not seem infected.

    Description: The number of HTTP requests per minute from the source IP address 10.15.16.186 exceeded the configured limit. Forefront TMG will block new HTTP requests sent from this IP address.

    This event indicates that this IP address probably belongs to an infected host.

    See the product documentation for more information about Forefront TMG flood mitigation.


    Muhammad Mehdi
    Thursday, July 7, 2011 4:51 AM
  • Hi,

    2) TMG MMC - Web Access Policy - task Pane - Configure HTTP compression - It is possible to create exceptions for networks, computers, subnets and more
    3) IMHO this is a "normal" message. If you are sure that the client/server is not infected, you can add the server/client to the flood mitigation exceptions:
    http://www.isaserver.org/tutorials/microsoft-forefront-tmg-behavioral-intrusion-detection.html


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
    • Marked as answer by MM from AUS Thursday, July 7, 2011 11:47 PM
    Thursday, July 7, 2011 5:19 AM
  • Thanks Marc
    Muhammad Mehdi
    Thursday, July 7, 2011 11:47 PM