mbromb
asked on
Forefront TMG Malware and NIS inspection updates aren't working.
I'm new to TMG, and have just set up a new TMG server. I can't get the updates to work. I thought it was the firewall blocking the requests, but I tried making a very open firewall rule and also shut off the Microsoft Forefront TMG Firewall service. Shutting off the firewall seemed to disable the checks. I've also set the proxy using "netsh winhttp set proxy", using the NetBIOS name and FQDN of the proxy. Any help would be appreciated.
Here's one of the events that may have something to do with it:
-----------------
Failed Connection Attempt
Log type: Web Proxy (Forward)
Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Rule: [System] Allow HTTP/HTTPS requests from Forefront TMG to specified sites
Source: Local Host (127.0.0.1:25309)
Destination: External (65.55.74.114:443)
Request: 10.ds.mrs.microsoft.com:443
Filter information: Req ID: 100caf94; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel
User: anonymous
Additional information
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 0 MIME type:
-----------------
Thanks,
Matt
ASKER
I've set IE as you suggest. It now times out on external sites. It was getting out with our normal proxy settings before. I chose to not do HTTPS inspection on setup, but can't find that setting now. I put a rule in to allow all outbound traffic from all networks to all networks for All Users, while troubleshooting this.
Post the output from an ipconfig /all on the ftmg box
ASKER
Windows IP Configuration
Host Name . . . . . . . . . . . . : TMG1
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com
Ethernet adapter DMZ Team:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BASP Virtual Adapter #2
Physical Address. . . . . . . . . : 00-10-55-66-4T-41
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.107.234.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 10.107.234.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Internal Team:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-10-55-66-4T-40
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.107.240.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.107.234.21
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
ASKER CERTIFIED SOLUTION
You haven't resolved it, you have simply bypassed the protection FTMG provides.
It's your company so it's your call.
Keith - MS Forefront MVP
ASKER
TMG is technically in the DMZ, but theoretically on the Edge. The issue of TMG getting updates was inhibited because of our actual edge firewall prohibiting HTTP/S, and trouble configuring it to use our in-place proxy. We've allowed HTTP/S from TMG through the firewall, and the updates are working. The TMG server browser has the proxy set to localhost port 8080, and so is going through TMG. What part of this is a work-around? Are you suggesting we keep the edge blocking and somehow configure TMG to use the proxy?
Set the proxy properly as per the setup guides by pointing the FTMG's web browser to its internal IP address and port 8080 (or other port if you have changed the default).
Do you have an allow rule from localhost to external?
Are you enabling or disabling https inspection? Https inspection MUST be disabled for windows updates including the sites that provide the FTMG updates.
Keith
MS Forefront MVP
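The steps Keith lists (point the TMG host's own proxy setting at the internal listener on port 8080, then confirm Local Host can get out through an allow rule) can be checked from the TMG console host in one go. The script below is an added example written for this thread, not code from either poster or from Microsoft. It assumes the internal address 10.107.240.11 from the ipconfig output, the default web listener port 8080, and the update host 10.ds.mrs.microsoft.com:443 that appears in the 10060 log entry; change the parameters if yours differ. It does not touch HTTPS inspection exclusions, which still have to be set in the TMG console as Keith says.

```powershell
# Added example (not from the thread): set the machine-wide WinHTTP proxy the way the
# setup guides describe (TMG's own internal IP and web listener port), then test the
# update host from the 10060 log entry THROUGH that proxy so the failure can be
# classified as "TMG rule denied it" versus "TMG itself cannot reach the Internet".
# Assumed values (from the thread, change as needed): internal IP 10.107.240.11,
# listener port 8080, update host 10.ds.mrs.microsoft.com on 443.
param(
    [string]$TmgInternalIp = '10.107.240.11',
    [int]$ProxyPort        = 8080,
    [string]$UpdateHost    = '10.ds.mrs.microsoft.com',
    [int]$TimeoutSec       = 15
)

$proxy = "${TmgInternalIp}:${ProxyPort}"

# 1. WinHTTP is what the update agents on the TMG box use, not IE's per-user setting.
#    Point it at TMG's own listener; <local> keeps loopback/intranet names direct.
netsh winhttp set proxy proxy-server="$proxy" bypass-list="<local>" | Out-Null
netsh winhttp show proxy

# 2. Is the web listener actually answering on the internal IP? If not, the proxy
#    setting is irrelevant and the Web Proxy filter / listener is the thing to fix.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $iar = $tcp.BeginConnect($TmgInternalIp, $ProxyPort, $null, $null)
    if (-not $iar.AsyncWaitHandle.WaitOne(5000)) { throw "no answer within 5 s" }
    $tcp.EndConnect($iar)
    Write-Host "OK   TMG web listener reachable on $proxy"
} catch {
    Write-Host "FAIL TMG web listener not reachable on $proxy ($_)"
    return
} finally {
    $tcp.Close()
}

# 3. HTTPS through the proxy makes the client send CONNECT host:443, which is the
#    "SSL-tunnel" line in the TMG log. Whatever comes back tells you who failed:
#      - any status from the real server (200, 404, ...): tunnel worked end to end
#      - 403 / 407 from the proxy: a TMG rule or proxy authentication denied Local Host
#      - 502 from the proxy, or a client-side timeout: TMG accepted the request but
#        could not reach the destination itself, i.e. the 10060 in the log, so look
#        at whatever sits in front of TMG (the edge firewall or an upstream proxy)
$req = [System.Net.HttpWebRequest]::Create("https://$UpdateHost/")
$req.Proxy   = New-Object System.Net.WebProxy("http://$proxy")
$req.Timeout = $TimeoutSec * 1000
$req.Method  = 'HEAD'
try {
    $resp = $req.GetResponse()
    Write-Host ("OK   tunnel via TMG to {0}:443 established (HTTP {1})" -f $UpdateHost, [int]$resp.StatusCode)
    $resp.Close()
} catch [System.Net.WebException] {
    $we = $_.Exception
    if ($we.Response) {
        $code = [int]$we.Response.StatusCode
        switch ($code) {
            403     { Write-Host "DENY HTTP 403: a TMG rule blocks Local Host -> External for $UpdateHost" }
            407     { Write-Host "DENY HTTP 407: proxy authentication required; update traffic is anonymous" }
            502     { Write-Host "FAIL HTTP 502: TMG could not reach ${UpdateHost}:443 itself (matches the 10060 log entry)" }
            default { Write-Host "INFO HTTP $code returned through the tunnel; TMG reached the destination" }
        }
        $we.Response.Close()
    } else {
        Write-Host ("FAIL {0}: {1}. TMG (or the path in front of it) is not answering; check the edge firewall" -f $we.Status, $we.Message)
    }
}
```

Run it in an elevated PowerShell on the TMG server itself, since both the WinHTTP proxy setting and the Local Host network only mean something there. The 403/407/502 mapping is the usual behaviour of the TMG web proxy for a CONNECT it refuses or cannot complete; confirm against the matching line in the TMG log before acting on it.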