FF TMG 2010 on Server 2012

  • Question

  • Has anyone tried successfully installing Forefront TMG 2010 on Windows Server 2012?

    I tried but failed; it complained about being unable to add roles and features.


    Valuable skills are not learned, learned skills aren't valuable.


    • Edited by SingChung Saturday, July 7, 2012 6:29 AM
    Saturday, July 7, 2012 6:29 AM

Answers

  • Hi,

    Thank you for the post.

    As far as I know, TMG is not compatible with Windows Server 2012.

    Regards,


    Nick Gu - MSFT

    Tuesday, July 10, 2012 1:46 AM
    Moderator

All replies

  • At this point in time, it does not work and I would assume that it isn't supported.

    Maybe MS will provide an update/service pack for TMG that will resolve this. Otherwise we'll have to hope that a new version is in the works. For the latter, your guess is as good as mine.


    Hth, Anders Janson Enfo Zipper

    Monday, July 9, 2012 10:15 AM
  • Didn't you hear? Microsoft is stopping development of their best products and moving to the cloud. TMG is a dead product. I've started replacing my customers' deployments with Cisco endpoints. Unbelievable that such a product, with NO equal in the market, is being killed. No TMG but Windows Server 2012 has a Metro start menu! WTFH!!!!! Then there's the whole "Server 2012" thing while Exchange, Sharepoint, Lync and Office are all getting 2013 labels. Why not keep the brand consistent?

    Hey Ballmer, can I run the show for a couple years? I've no education and no experience. I couldn't possibly make things worse :)

    • Proposed as answer by Dave Onex Tuesday, May 14, 2013 6:00 AM
    Wednesday, September 5, 2012 1:01 AM
  • I second that.

    what clowns killed off tmg 2010 and is it going to work with 2012 server.

    man someone has lost their mind.. do we need a touch screen server.. maybe.. but at the end of the day we need solutions...

    Thursday, November 1, 2012 10:35 PM
  • TMG 2010 will not work on Server 2012.

    There's no successor to TMG.

    UAG product future is unsure although MS states it is being "actively developed". But where's the plan? Funnily enough as you all know UAG is based on TMG. DA has moved to Server 2012 so it remains a mystery if the reverse proxy functionality will be further developed in a "UAG" version that works on Server 2012 (without TMG presumably).

    One question I have is this:

    As MS is touting a move to the cloud (yeah, I am very aware of different flavours of clouds) and on-premise is so last year, how does MS suggest that - if you are interested in using MS products - clients will be securely able to reach the Internet and the cloud? In other words, the forward proxy functionality. Fortigate? Cisco?


    Hth, Anders Janson Enfo Zipper

    • Proposed as answer by Omar N Monday, May 13, 2013 8:04 AM
    • Unproposed as answer by Omar N Monday, May 13, 2013 8:04 AM
    Friday, November 23, 2012 8:55 AM
  • Hi all, I am Omar Naser,

    I tried to install TMG 2010 on Windows Server 2012 Datacenter. The problem in the Roles and Features appears, as you know, but I installed the roles only manually, and after I restarted the server, TMG installed successfully.

    Thank you to all


    • Edited by Omar N Monday, May 13, 2013 8:10 AM
    Monday, May 13, 2013 8:07 AM
  • Hey Ballmer, can I run the show for a couple years? I've no education and no experience. I couldn't possibly make things worse :)

    Priceless, and too true. Microsoft has made so many bad moves over the last 5 years it's just incredible. Very much a case of 'the emperor has no clothes'. But, they are also so large that they really can screw the pooch (and the customer) for a very long time before it ever really affects them.

    I've often said, if Bill Gates really wants to be a humanitarian his first endeavor should be a return to Microsoft...his customers are really hurting and it's a clear case of needing humanitarian intervention.

    But, and let's be clear, Microsoft has never operated from a sincere desire to serve their customers. Instead, they've always operated from a desire to obtain their customer's money.

    This is why you get arbitrary decisions such as killing off TMG. They don't even think about (or care about) their installed client base or how this will affect them. Loyalty never factors into the equation. Their decision making process is strictly governed by what's best for them - that's it. It's a wholly selfish pursuit.

    So if they 'see' another way forward that still enables them to get that loot (or more of it) they'll just arbitrarily change direction - without a thought to their customers.

    In a real business customer satisfaction is key. As a result of that philosophy people are inspired to buy the company's products and tend to trust the company because they see that philosophy in action. This is not Microsoft and almost never has been. Make no mistake, it's gotten worse over the years since Gates left. When Gates was there you could always motivate him by ridiculing him in the press. So if/when Microsoft screwed up, the press would write up an article about it and Gates would immediately address the issue lest he look like an idiot. So, at least there were some checks and balances there.

    I mean, to give you an example of just how screwed up Microsoft is, they can't even release a proper Service Pack for TMG 2010 that incorporates all their hotfixes and rollups. Why? They just don't care. They've also made it very hard to find any documentation on the proper install order etc. Why? They just don't care. They never updated the documentation for it, instead they routinely direct people to the ISA 2004 docs for TMG 2010. Why? They just don't care.

    What you, as a paying customer, think or desire is never a part of their decision making process. It does not factor in at all.

    It doesn't matter that you paid a gazillion dollars for TMG or that you implemented a major (and complex) large scale roll-out. Microsoft just woke up one morning and did what they always do, pulled the plug on it with no thought to their clients whatsoever.

    When NT Server 4 came out Microsoft wrote many articles mentioning how much better it was at Symmetric Multi-Processing than NT 3.51 was. I mean, entire 100 page white papers were written about it. People took them to task about it and the understanding was that it really wasn't much better. Still, Microsoft kept churning out white papers about how much better it was than 3.51. Why? To sell as many NT Server 4.0 licenses and upgrades as possible.

    Just to be clear, Microsoft did everything possible to promote the 'far superior' SMP functionality in NT Server 4.0 even though the entire world knew it was BS.

    What happened when Windows 2000 Advanced Server came out? Microsoft leaked a document showing how poor NT Server 4.0's SMP functionality was. Why? To get people to buy/upgrade to Windows 2000 Advanced Server. They shot their own product down and took a public stance in the exact opposite direction of what they publicly maintained all along. No shame whatsoever.

    It goes on and on. I still recall the whole mess of the service packs and feature upgrades that came out for NT Server 4.0 post RTM. It was such a mess that Gates himself issued a mandate that no new product functionality would ever be included in a service pack again and that every service pack, from here to eternity, would be cumulative. This was a smart thing to do, it was learned from the challenging programmatic experience of trying to support a hodgepodge of hotfixes, rollups etc.

    What do you have today? The exact same mess. Just try to figure out what order to install the Service Packs and hotfixes for TMG in. Even worse, Microsoft's own documentation for the hotfixes contradicts itself. On the one hand, they say no prerequisites and on the other, they list prerequisites. In the end, the only smart way to do a new TMG 2010 install is to install all the service packs and hotfixes as they were released - in that order.

    Why the mess when Microsoft could easily incorporate everything into a single service pack? Because they don't care. Get this through your head, Microsoft does not care about you, their customer. They never really have although it was better when Gates was there.

    The shame of it is that this dollars-first philosophy (and the customer be damned) has rewarded Gates financially. Unfortunately, his success in this manner has served to spread this philosophy to any/all businesses in general - to the detriment of business everywhere.

    It was Gates who really taught people how to break up a product and make more money by selling its individual components. It was Gates who met with Ballmer late one night and discussed how to drive the stock price down so that he could buy out Paul Allen. This is a fact, it's been broadcast on TV and Paul Allen has publicly spoken about this. Gates was an incredibly ruthless person - period. He killed many businesses on his rise to the top and he never lost sleep over any of it. That should tell you something about his character and the company.

    It was Gates who taught everyone about outsourcing to India. Let's be really clear on that one. What's the state of the world's economy? Pretty darn bad. Do you think all this outsourcing that Gates invented, and proudly promoted to everyone, has had a positive impact on the US? Not a chance. The US has never been in such a mess before in its life and a great deal of that mess has been created by the very same outsourcing that Gates so 'brilliantly' and aggressively promoted to everyone.

    Just so we're clear on that, whenever you call into any large company and get a poor connection to someone with poor English skills, who doesn't really know what they are talking about at all, you can thank Bill Gates for creating the perception that outsourcing is such a wonderful thing.

    It is for the company, it's not for the country.

    Just last night he was on 60 minutes explaining how he was going to eradicate several 3rd world diseases. Nice. Great stuff, but from my view, it very much seems to me to be a case of a man who beats and robs a person of all their money, on a recurring basis if at all possible, and then elects to spend it on something he deems valid. Should we thank him for that? That's a moral/ethical judgment that I can't make but I do wonder about it often.

    I mean, really, if I stole all the money from all the banks in the world and then decided to give it away does that make me a hero? Of course not. It came at the cost of an awful lot of people. It's worth noting that his wife assured everyone in last night's interview that he does actually have a heart. She wouldn't have married him if he didn't. That's good to know because if one really looks closely at Microsoft and its actions one begins to wonder!

    Microsoft's strategy has always been to own the entire market such that everyone is forced into buying their product. It really isn't by choice anymore. Yet Microsoft's defense against anti-trust regulation was that they needed to be 'free to innovate'. It really does remind one of Nazi Germany and Adolph Hitler's need for 'breathing room' :)

    Seriously, when you look at the big picture, what did Microsoft's pioneering work in outsourcing to India do for the US economy when you factor in all the other companies that followed suit and outsourced to China? It was Gates who really taught us these 'tricks' and showed us just how profitable they could be. But at what cost to our own countries? The US is effectively bankrupt. Nothing is being made in the USA anymore. Instead, everyone is pulling a 'gates' and squeezing the customer for every last dollar they have, preferably on a recurring annual basis.

    This truly gives new meaning to the words 'paying the Bill'.

    On the one hand you have this huge self-centered money sucking business (Microsoft) designed to lock in and suck as much money out of you as possible, and on the other, you have this huge money giving enterprise (the Bill & Melinda Gates foundation) where the lion's share of the money comes from what they could effectively steal from the general public.

    Maybe it's just me, but usually you have to vote for that level of authority. Should Gates go down in history as one of the great humanitarians of all time? I don't know. I really don't. But no analysis would be complete without a full understanding of how he got that money in the first place and much of that was through wholly unscrupulous business behavior. I mean, really, really ruthless stuff.

    One thing I know for certain, Microsoft, as a company, has always needed a heart. They just don't have one. When Gates was there, I would see traces of it. With him gone, it's much, much worse. But, like Gates said in his interview, I don't mow the lawn either. I really think that's how he views Microsoft. His vision is extraordinary. What you/they now call 'the cloud' is what he called Application Service Providing more than a decade ago. So he's probably very much in a place of having to wait for his vision to come to pass (it could not sooner for various technical reasons such as bandwidth) but make no mistake, what that ultimate vision is is this, you never buy a CD with the software on it, you just rent it per use and run it off the Internet. Thus, he has the ultimate efficient machine to continue that recurring revenue stream while at the same time reducing operational costs to the lowest and most efficient manner. ie. Maximize the income and minimize the outgo.

    What does this all mean? It's great for him but I can't help but wonder where the middle class went in America in this grand design? There's a lot to this issue and, as mentioned, it really comes back to the fact that normally you have to vote for someone to give them that power. On the other hand, we voted with our pocketbooks over the years although the Gates 'stranglehold' really has made it much less of a choice....



    • Edited by Dave Onex Tuesday, May 14, 2013 6:10 AM
    Tuesday, May 14, 2013 5:59 AM
  • I think the TMG team should do a buyout of the product and go it on their own. Then, someday in the future, Microsoft will see what a great product it is and buy the company out and this way the team can make their money back from the buy out. Wonder if the Schinder's would be interested......

    Best Regards, Morris Fury AFRIDATA.net

    Wednesday, May 22, 2013 8:35 AM
  • Hi all, I am Omar Naser,

    I tried to install TMG 2010 on Windows Server 2012 Datacenter. The problem in the Roles and Features appears, as you know, but I installed the roles only manually, and after I restarted the server, TMG installed successfully.

    Thank you to all


    Hi Omar

    I tried to manually install the roles and features, but still got the same problem. Could you please clarify which roles/features you have installed?

    -----------------

    I got one step further. 

    The TMG installation will call c:\windows\system32\servermanagercmd.exe to preinstall features/roles and even if you manually install it, because there is no such file in windows server 2012, it still failed.

    In windows 2012, it's renamed to servermanager.exe, so I copy this shortcut and rename to servermanagercmd.exe and it's working!

    • Edited by beanxyz Friday, June 14, 2013 12:48 AM find a solution
    • Proposed as answer by James Bradley Monday, July 22, 2013 4:34 PM
    Friday, June 14, 2013 12:10 AM
  • @beanxyz

    Is TMG 2010 fully functional now on Windows Server 2012?

    could you post some tutorial?

    • Proposed as answer by Asif Hassan Friday, August 28, 2015 2:59 PM
    • Unproposed as answer by Asif Hassan Friday, August 28, 2015 2:59 PM
    Friday, August 16, 2013 12:57 PM
  • Really.  Gates bashing?  That's so Y2K. 

    And tying in the American middle class into the conspiracy while you're at it.

    What a hoot.

    Friday, March 7, 2014 7:33 PM
  • Or just run the setup.exe from \FPC and not bother with doing the runaround, that fail check is just for the pre-requisites check.
    Thursday, April 10, 2014 1:22 AM
  • Running setup.exe from FPC still checks for prerequisites.

    anyone managed to put tmg on 2012 srv?


    bostjanc

    Tuesday, August 26, 2014 9:05 AM
  • It's working, thanks.
    Sunday, February 8, 2015 9:51 PM
  • hi

    Please help: how do I install TMG 2010 on Windows Server 2012?

    (please, step by step)

    Friday, February 27, 2015 4:06 PM
  • Please help me install TMG 2010 on Windows 2012.
    Wednesday, March 4, 2015 8:57 PM
  • TMG 2010 will not work on Server 2012.

    There's no successor to TMG.

    UAG product future is unsure although MS states it is being "actively developed". But where's the plan? Funnily enough as you all know UAG is based on TMG. DA has moved to Server 2012 so it remains a mystery if the reverse proxy functionality will be further developed in a "UAG" version that works on Server 2012 (without TMG presumably).

    Is there a web page that clearly compares the full feature set of TMG versus UAG?

    I have to say it is borderline incoherent that Microsoft would ever discontinue fundamental security firewall products for its network servers.   Microsoft can do those functions better than third party vendors because of the ability to closely integrate with application servers.   


    Will

    Wednesday, March 11, 2015 2:44 AM
  • Just so that you know, UAG is also discontinued.

    There's a very limited successor in Web Application Proxy 2012 R2 (or IIS ARR). WAP will get somewhat better in Windows Server vNext but that has been delayed to 2016.

    To answer your question:

    http://social.technet.microsoft.com/wiki/contents/articles/2929.choosing-between-forefront-tmg-or-forefront-uag-for-publishing-scenarios.aspx

    http://www.microsoft.com/windowsserversystem/solutions/specializedservers/product_guide/product_guide/chapters/07.htm


    Hth, Anders Janson Enfo Zipper

    Wednesday, March 11, 2015 9:46 AM
  • Hi all, I am Omar Naser,

    I tried to install TMG 2010 on Windows Server 2012 Datacenter. The problem in the Roles and Features appears, as you know, but I installed the roles only manually, and after I restarted the server, TMG installed successfully.

    Thank you to all


    Hi Omar

    I tried to manually install the roles and features, but still got the same problem. Could you please clarify which roles/features you have installed?

    -----------------

    I got one step further. 

    The TMG installation will call c:\windows\system32\servermanagercmd.exe to preinstall features/roles and even if you manually install it, because there is no such file in windows server 2012, it still failed.

    In windows 2012, it's renamed to servermanager.exe, so I copy this shortcut and rename to servermanagercmd.exe and it's working!

    Does not work in 2012 R2. Setup just opens ServerManager and that's all. Stuck at checking installed features/roles.

    Copying servermanagercmd.exe from 2008 R2 does not work either - it just crashes.

    Any ideas?

    Thursday, July 9, 2015 6:46 AM
  • AOA Omar,

    I hope you are fine. I am trying to install the roles and features manually but without success. Can you please tell me how to add the roles and features manually in Windows 2012 for TMG?

    Friday, August 28, 2015 2:59 PM
  • AOA Sir,

    I hope you are fine. Sir, can you please tell me how I install the roles and features manually for TMG on Windows 2012? I am trying but without success. Please reply as soon as possible.

    Friday, August 28, 2015 3:06 PM
  • Hello,

    Dear, I hope you are fine. After a very long time I have a question for you regarding your TMG 2010 practice on Windows Server 2012: can you please tell me how you successfully installed TMG manually on Server 2012? I have already replaced the (servermanagercmd.exe) file. Please reply as soon as possible.

    Saturday, August 29, 2015 7:52 AM
  • I finally managed to get TMG working on Server 2012.  Steps below:

    1. Create a Windows 2008 R2 server and install TMG in the usual way.  There is no need to configure TMG at this point.
    2. Insert your Windows Server 2012 R2 media (via vSphere in my case) and upgrade Windows to Server 2012 - retain all settings and applications.
    3. When the Windows 2012 upgrade has completed, run a repair on the TMG application from Programs and Features.  Ignore any errors.  The TMG services will not be able to start at this point.
    4. Reboot the server.
    5. Open Network and Sharing Center and click on Change adapter settings.
    6. Select Properties on one of your NICs and click on Install. 
    7. Select Service and click on Add.
    8. Select Microsoft Corporation and tick the Forefront TMG Packet Filter.  
    9. Click all the OKs.  This will add the TMG filter to the other NICs.  Double check then reboot the server. 
    10. The TMG services should now be started and you can now configure TMG.
    11. Check the Windows Services and enable any required services that were disabled during the Server 2012 upgrade; e.g. SQL Server.


    • Edited by WasDos Monday, March 12, 2018 7:48 PM
    • Proposed as answer by Hamza Zuberi Sunday, August 11, 2019 5:08 PM
    Monday, March 12, 2018 7:39 PM
  • And you have no problems with this configuration? Are you stopping with 2012 or going to try 2012 R2?
    Tuesday, March 13, 2018 12:40 PM
  • Hi WasDos,

    1. Did you install SP1 & SP2 and the rollups for TMG?

    2. It doesn't start the TMG Managed Control service after SP install, whether it's installed on 2008 R2 and then upgraded, or directly on 2012 (do you know something about that?)

    3. TMG does work with your solution but not with updates (SP, rollups), and so it becomes useless.

    3.a - One remark I have to make: from 2008 R2 you have to upgrade to 2012 ST and then to 2012 ST R2; it also works on 2016 ST.

    Thursday, May 10, 2018 1:43 PM
  • Hi, this isn't working now :(

    Copied over the servermanagercmd.exe from my Windows 2008 R2 working server to c:\windows\system32 and it crashes with an APPCrash window during checks. Did anyone get around this on a Windows 2012 R2 server? THANKS

    Problem event name:   APPCRASH

    Application Name : SERVERMANAGERCMD.exe

    Fault module name : KERNELBASE.DLL

    

    

    

    Friday, March 15, 2019 2:03 PM
  • Hello WasDos,

    Thanks for your workaround suggestion. We have TMG on a Windows 2008 R2 server and it will be toxic by the end of year, so we are trying to get TMG working on Windows 2012 server.

    Might need to try your suggestion - OS upgrade, then fix up TMG.

    Are you able to install Service packs after this method?

    thanks

    Gerard

    Friday, March 15, 2019 2:11 PM
  • Hello EmilFlorea,

    did you manage to get TMG working on a Windows 2012 r2 server with updates, etc?

    Friday, March 15, 2019 2:12 PM
  • Finally managed to crack it. The steps provided by WasDos are correct (thanks!), BUT they're out of sequence. I initially upgraded the OS to 2012 R2 and repaired the TMG installation. Internet services started working immediately during the final "initialization" stage. Then, as per the above steps, I rebooted (once again, clients were able to use the Internet after services started), then added the TMG Packet Filter service to the interface. At this point, all Internet services stopped working. Running TMG repair again did not help.

    (EDIT: After installing TMG 2010 Standard on 2008 R2, I configured it completely, tested all the rules I might need in a production environment, installed all updates for Windows 2008 R2 as well as for TMG 2010. At this point, I made a backup of my VM's VHDX file before upgrading it to 2012 R2 for testing.)

    I started from scratch again with my backup VHDX, upgraded the OS to 2012 R2 and this time round, added the packet filter service to the network adapter BEFORE repairing TMG, and then rebooted. Works like a charm. The only problems I saw were:

    1. "SQL Server (MSFW)" service was stopped and disabled. This is necessary for logging, so I simply enabled (set to Automatic startup) and started the service.

    2. "Microsoft Forefront TMG Firewall" service stopped without an error a few minutes after booting, due to which Internet services stopped working on the client end. I simply restarted the service which fixed the problem. The firewall service stops after a failed attempt to start the TMG Managed Control Service. If you reboot the server/VM, you'll need to restart the service once.

    3. "Microsoft Forefront TMG Managed Control" service is stopped and refuses to start. Nonetheless, all TMG services operate normally and clients are able to access the Internet. Any further changes to TMG rules and objects etc are saved and committed without any hiccups. In fact, applying changes is much faster in 2012 R2. From what I understand, unless you're running Email protection policies (spam filtering, IP blocking etc), this is really not needed.

    (EDIT2: The TMG Managed Control Service is set to stop the TMG Firewall service if it fails to start itself. To resolve this issue, open the Services snap-in and in properties for the "Microsoft Forefront TMG Managed Control" service, click on the "Recovery" tab and delete the entry for "net.exe" program and the command line parameters "stop /y fwsrv" and click OK to save.

    Alternate method (careful when editing the Registry!): Open Registry (Start -> Run -> Regedit), navigate to HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Services -> ISAManagedCtrl and change the data value ("net.exe stop /y fwsrv") for "FailureCommand" Value to blank.)

    (EDIT 3: Just noticed while troubleshooting the Managed Control issue: Even with the above modification to the service's recovery options, if you set the Log On account for the managed control service to anything other than SYSTEM, the firewall service will stop by itself approximately 3 minutes after starting, regardless of how many times you restart it. That's even if the Managed Control service is disabled and the "TAKE NO ACTION" option is selected from the droplists.)

    4. Logging works fine, but generating reports returns an error that the TMG Control service cannot be accessed. If you look up the error, it is a known one with a resolution (Rollup1 for TMG SP2), but when you go to download it, it has been discontinued. This is a serious issue for those who require detailed reporting, but personally, I have no reason to worry as most of my analysis is based on logging (using live or past option in the logging filter). The generated reports are pretty useless unless you need general stats, e.g. the top visited sites, active users, services, protocols etc. I have tried a few things (allowing the service to interact with the desktop, changing the log on account to administrator), these didn't help. I also checked to see if the recommended method of increasing the UIRpcTimeout value works, but couldn't find the parent key in either 2008 R2 or 2012 R2 (HKEY_LOCAL_MACHINE -> SOFTWARE -> MICROSOFT -> FPC -> LOGGING). FPC exists, but the sub-key "Logging" doesn't, before or after the OS upgrade. I will look into this further when I have free time and provide an update here.






    • Proposed as answer by Hamza Zuberi Sunday, August 11, 2019 5:20 PM
    • Edited by Hamza Zuberi Wednesday, August 14, 2019 3:15 AM
    Sunday, August 11, 2019 5:14 PM
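
A read-only check of the post-upgrade state described in the post above, as an added example that is not part of the original post or of any Microsoft tooling. The three service display names, the ISAManagedCtrl key, the FailureCommand value and the fwsrv service name are taken from the post; the function names are hypothetical and the script changes nothing.

```powershell
# Added example (not from the thread): audit a TMG 2010 server after the
# in-place OS upgrade. Read-only; run from an elevated PowerShell prompt.

# Display names exactly as quoted in the post.
$displayNames = @(
    'Microsoft Forefront TMG Firewall',
    'Microsoft Forefront TMG Managed Control',
    'SQL Server (MSFW)'
)

function Get-TmgServiceState {
    param([string[]]$DisplayName)
    foreach ($name in $DisplayName) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Warning "Service not found: $name"
            continue
        }
        # Win32_Service supplies the start mode and log-on account.
        $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
        [pscustomobject]@{
            DisplayName = $svc.DisplayName
            Name        = $svc.Name
            Status      = $svc.Status
            StartMode   = $cim.StartMode
            LogOnAs     = $cim.StartName
        }
    }
}

function Get-TmgFailureCommand {
    # Recovery "run a program" command of the Managed Control service.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\ISAManagedCtrl'
    if (-not (Test-Path -Path $key)) { return $null }
    (Get-ItemProperty -Path $key).FailureCommand
}

$states = @(Get-TmgServiceState -DisplayName $displayNames)
$states | Format-Table -AutoSize

# EDIT2 in the post: this command stops the firewall when Managed Control fails.
$failureCommand = Get-TmgFailureCommand
if ($failureCommand -match 'fwsrv') {
    Write-Warning "ISAManagedCtrl FailureCommand is '$failureCommand': a failed Managed Control start will stop the firewall service."
} else {
    Write-Output "ISAManagedCtrl FailureCommand: '$failureCommand'"
}

# EDIT 3 in the post: a log-on account other than SYSTEM stops the firewall service.
$managed = $states | Where-Object { $_.DisplayName -eq 'Microsoft Forefront TMG Managed Control' }
if ($managed -and $managed.LogOnAs -ne 'LocalSystem') {
    Write-Warning "Managed Control logs on as '$($managed.LogOnAs)'; the post reports the firewall service stopping about 3 minutes after start in that case."
}

# Firewall and logging database are expected to run; Managed Control is not.
$states |
    Where-Object { $_.Status -ne 'Running' -and $_.DisplayName -ne 'Microsoft Forefront TMG Managed Control' } |
    ForEach-Object { Write-Warning "$($_.DisplayName) is $($_.Status) (start mode: $($_.StartMode))" }
```
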
  • Even though WasDos's solution worked (with my above-mentioned modifications and limitations), we have to keep the following in mind:

    1) TMG is end of sale and end of support. Any vulnerabilities that arise in the future will not be patched by Microsoft.

    2) TMG does not support IPv6 filtering. Not a problem for most of us, but will pose an issue in the future.

    3) Just as a lot of current hardware does not support installation of Windows Server 2003, similarly, future hardware will stop supporting Server 2008/2008 R2. This means that if we wish to keep using TMG, we simply have to move to virtualization (Hyper-V or otherwise). For now, we have the option to install 2008 R2 on the hardware and upgrade it to 2012 R2, but in the future this will only be possible with VMs. Even now, in Hyper-V 2016/2019, we have to use Generation 1 VMs, as Gen2 does not support installing Windows Server 2008, or even booting from a pre-installed VHDX. If Gen1 type VMs are not supported in future Server operating systems, the only way to run TMG would be to stick to running 2008R2 (with or without upgrading to 2012 R2) type Gen1 VMs on OS's up to Windows Server 2019.

    (NOTE: There are tools that can convert a Gen1 VM to a Gen2 VM, which basically create a GPT partition and enable UEFI booting. However, I haven't tested this in our given scenario. Will provide an update here after testing.)








    • Edited by Hamza Zuberi Tuesday, August 13, 2019 8:26 AM
    • Proposed as answer by Hamza Zuberi Thursday, October 24, 2019 2:27 PM
    • Unproposed as answer by Hamza Zuberi Thursday, October 24, 2019 2:27 PM
    Sunday, August 11, 2019 5:41 PM
  • Hi,

    Are you able to get logging and reporting to work as well?

    Monday, August 12, 2019 4:06 PM
  • Hi,

    Are you able to get logging and reporting to work as well?

    Logging works perfectly fine, but reporting doesn't. Check my edited answer above. I will be looking into this issue when I have enough free time and will update you guys here.


    Tuesday, August 13, 2019 4:06 AM
  • Hi WasDos,

    1. Did you install SP1 & SP2 and the rollups for TMG?

    2. It doesn't start the TMG Managed Control service after SP install, whether it's installed on 2008 R2 and then upgraded, or directly on 2012 (do you know something about that?)

    3. TMG does work with your solution but not with updates (SP, rollups), and so it becomes useless.

    3.a - One remark I have to make: from 2008 R2 you have to upgrade to 2012 ST and then to 2012 ST R2; it also works on 2016 ST.

    1) You should install all TMG updates (SP1, Rollup 1 for SP1 and SP2) before the OS upgrade.

    2) Check my previous answer above for full details on stopped/disabled services and functionality

    What difference did you see when you upgraded to 2012 R2 via 2012? Does this resolve any of the mentioned issues?

    Tuesday, August 13, 2019 4:50 AM
  • Even though WasDos's solution worked (with my above-mentioned modifications and limitations), we have to keep the following in mind:

    1) TMG is end of sale and end of support. Any vulnerabilities that arise in the future will not be patched by Microsoft.

    2) TMG does not support IPv6. Not a problem for most of us, but will pose an issue in the future.

    3) Just as a lot of current hardware does not support installation of Windows Server 2003, similarly, future hardware will stop supporting Server 2008/2008 R2. This means that if we wish to keep using TMG, we simply have to move to virtualization (Hyper-V or otherwise). For now, we have the option to install 2008 R2 on the hardware and upgrade it to 2012 R2, but in the future this will only be possible with VMs. Even now, in Hyper-V 2016/2019, we have to use Generation 1 VMs in Hyper-V, as Gen2 does not support installing Windows Server 2008, or even booting from a pre-installed VHDX. If Gen1 type VMs are not supported in future Server operating systems, the only way to run TMG would be to stick to running 2008R2 (with or without upgrading to 2012 R2) type Gen1 VMs on OS's up to Windows Server 2019.

    (NOTE: There are tools that can convert a Gen1 VM to a Gen2 VM, which basically create a GPT partition and enable UEFI booting. However, I haven't personally tested this myself in our given scenario. Will provide an update here after testing.)





    Successfully converted the Gen1 TMG VM (Host OS: 2016, Guest OS: 2012 R2) to a Gen2 VM, all services checked, no changes in TMG functionality (TMG Managed Control service is still stopped, and Reporting is not working). Everything else is okay, as before converting. The only difference is that the newly generated VHDX is of type "dynamically expanding" whereas the original Gen1 VHDX was type "fixed".

    I used the following script for the conversion. IMPORTANT: Read the full notes (especially the warnings) on this page before attempting the conversion: -

    https://code.msdn.microsoft.com/ConvertVMGeneration

    To fully understand the differences between Gen1 & Gen2 VMs, and for details on the three stages involved in the above script, make sure to read the related blog by the author: -

    https://blogs.technet.microsoft.com/jhoward/2013/11/14/hyper-v-generation-2-virtual-machines-part-10/



    Tuesday, August 13, 2019 5:41 AM
  • Hi,

    Are you able to get logging and reporting to work as well?

    Logging works perfectly fine, but reporting doesn't. Check my edited answer above. I will be looking into this issue when I have enough free time and will update you guys here.


    For now, I'm using this on the TMG server to generate and view reports on Server 2012 R2:

    http://127.0.0.1:8008/Reports_ISARS/Pages/Folder.aspx

    Wednesday, August 14, 2019 4:49 AM
  • It didn't work for me, the service can't start the Forefront TMG Packet Filter

    Diego Riera | Linkedin | Twitter | diegoriera.wordpress.com

    Please remember to click "Mark as Answer" on the post that helps you, and click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members. This posting is provided with no warranties and no rights.

    Monday, March 23, 2020 2:28 PM