Forefront TMG Malware and NIS inspection updates aren't working.

I'm new to TMG, and have just set up a new TMG server. I can't get the updates to work. I thought it was the firewall blocking the requests, but I tried making a very open firewall rule and also shut off the Microsoft Forefront TMG Firewall service. Shutting off the firewall seemed to disable the checks. I've also set the proxy using "netsh winhttp set proxy", using the NetBIOS name and FQDN of the proxy. Any help would be appreciated.

Here's one of the events that may have something to do with it:
-----------------  
Failed Connection Attempt
Log type: Web Proxy (Forward)
Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  
Rule: [System] Allow HTTP/HTTPS requests from Forefront TMG to specified sites
Source: Local Host (127.0.0.1:25309)
Destination: External (65.55.74.114:443)
Request: 10.ds.mrs.microsoft.com:443
Filter information: Req ID: 100caf94; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel
User: anonymous
 Additional information
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 0 MIME type:  
 -----------------  

Thanks,
Matt  

Keith Alabaster, Enterprise Architect
Top Expert 2008

Commented:
Shutting off the services stops everything.
Set the proxy properly as per the setup guides by pointing the FTMG's web browser to its internal IP address and port 8080 (or other port if you have changed the default).

Do you have an allow rule from localhost to external?
Are you enabling or disabling HTTPS inspection? HTTPS inspection MUST be disabled for Windows updates, including the sites that provide the FTMG updates.
Keith
MS Forefront MVP

Author

Commented:
I've set IE as you suggest. It now times out on external sites. It was getting out with our normal proxy settings before. I chose to not do HTTPS inspection on setup, but can't find that setting now. I put a rule in to allow all outbound traffic from all networks to all networks for All Users, while troubleshooting this.
Keith Alabaster, Enterprise Architect
Top Expert 2008

Commented:
Post the output from an ipconfig /all on the ftmg box

Author

Commented:
Windows IP Configuration

   Host Name . . . . . . . . . . . . : TMG1
   Primary Dns Suffix  . . . . . . . : domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.com

Ethernet adapter DMZ Team:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : BASP Virtual Adapter #2
   Physical Address. . . . . . . . . : 00-10-55-66-4T-41
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.107.234.11(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   Default Gateway . . . . . . . . . : 10.107.234.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Internal Team:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : BASP Virtual Adapter
   Physical Address. . . . . . . . . : 00-10-55-66-4T-40
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.107.240.11(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.107.234.21
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Commented:
It turns out that our firewall was blocking HTTP/S traffic, and a proxy was necessary. I knew that, but I thought the updates would work using the proxy. After allowing the server to go directly out to the Internet, the updates came down without a problem.
Keith Alabaster, Enterprise Architect
Top Expert 2008

Commented:
You haven't resolved it, you have simply bypassed the protection FTMG provides.
It's your company so it's your call.
Keith - MS Forefront MVP

Author

Commented:
TMG is technically in the DMZ, but theoretically on the Edge. The issue of TMG getting updates was inhibited because of our actual edge firewall prohibiting HTTP/S, and trouble configuring it to use our in-place proxy. We've allowed HTTP/S from TMG through the firewall, and the updates are working. The TMG server browser has the proxy set to localhost port 8080, and so is going through TMG. What part of this is a workaround? Are you suggesting we keep the edge blocking and somehow configure TMG to use the proxy?
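
Added example, not part of the original thread: a PowerShell check for the TMG server that shows which proxy WinHTTP is configured to use and whether a direct TCP connection to the update endpoint from the posted log entry completes. The function name `Test-TcpPort` and the 5-second timeout are assumptions made for illustration; the host name, address and port are the ones in the log entry above.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the TMG server. Written to work on PowerShell 2.0.

# Endpoint taken from the "Failed Connection Attempt" event posted above.
$targets = @(
    @{ Name = '10.ds.mrs.microsoft.com'; Port = 443 },
    @{ Name = '65.55.74.114';            Port = 443 }
)

# Hypothetical helper: attempt a TCP connect and report OPEN, TIMEOUT or FAILED.
function Test-TcpPort {
    param([string]$Name, [int]$Port, [int]$TimeoutMs = 5000)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Name, $Port, $null, $null)
        # No answer within the timeout is the same condition the log
        # reports as status 10060 (connection attempt timed out).
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'TIMEOUT'
        }
        $client.EndConnect($async)   # throws on refusal or DNS failure
        return 'OPEN'
    } catch {
        return 'FAILED: ' + $_.Exception.Message
    } finally {
        $client.Close()
    }
}

# 1. Proxy that WinHTTP-based services on this server are set to use
#    (the setting changed with "netsh winhttp set proxy").
netsh winhttp show proxy

# 2. Direct reachability of the update endpoint on 443.
foreach ($t in $targets) {
    $result = Test-TcpPort -Name $t.Name -Port $t.Port
    '{0}:{1} -> {2}' -f $t.Name, $t.Port, $result
}
```

A `TIMEOUT` here while the TMG log names an allow rule for the same request means the connection was permitted by TMG and went unanswered further along the path, which is what a blocking edge firewall produces.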