

Microsoft Forefront ISA Server





Microsoft Forefront, formerly known as Internet Security and Acceleration Server (ISA Server), is a network router, firewall, antivirus program, VPN server and web cache that runs on Windows servers. It includes identity management and protection systems, and discontinued systems for threat management and network protection, along with protection for SharePoint and Exchange. The scope of discussions includes forward and reverse proxy, application and service publishing, virtual private networks (VPNs), outbound access rules, SSL certificates and network routing within either a single node or a highly available array pairing.


We have a TMG 2010 in our branch office. It has a direct connection to the internet with a single network card. The company wants to route the traffic through the HQ and we installed a new TMG 2010. We configured web chaining by defining the upstream server in our branch proxy. We get a DNS error. Web chaining does not work.

any help is appreciated

We have migrated all the servers to a new domain. TMG Server 2010 stopped responding after joining the new domain. In the event log the following errors are logged:

old domain was abc.gov.ca

new domain is xyz.gov.ca

1-The Kerberos client received a krb_ap_err_modified error from the server dm-tmg01$. The target server name used was ldap/dm-tmg01.abc.gov.ca:2171. This indicates that the target server failed to decrypt the ticket provided by the client.

2-Windows Could not start the microsoft Forefront TMG Managed control Service On local Computer Error:1068

3-Windows Could not start the microsoft Forefront TMG job scheduler Service On local Computer Error:1068

4-Windows Could not start the microsoft Forefront TMG Firewall Service On local Computer Error:1068
I've been using ISA 2006 well with T1 line. I was trying to change Optimum Cable line with 5 static IP instead of T1 but it was denied by the default rule and web rule can't go through as attached files. I have changed only IP address on the external network adapter.
Do you have any comment?
I had this question after viewing TMG Blocking Access to Some External sites on port 8080.

An external provider site is on port 8080 and TMG is blocking traffic to that site.  Any ideas on how to allow the traffic to pass thru TMG?
MS Exchange Transport will not start after removing MS Forefront from SBS 2011 server

Hi I am running MS SBS 2011 Standard SP 1 server which Exchange will not send or receive emails.  

I recently noted that I still had the MS Forefront software trial version installed and, as it was not being used, I tried to uninstall it via Control Panel / Programs / Add-Remove software etc. Since then Exchange has not worked.
At first this looked like an IPv6 issue but I soon realised that Forefront had not been properly uninstalled. I have the article https://www.experts-exchange.com/questions/24582063/SBS-2008-Exchange-Transport-service-Stops.html which I have followed and managed to correct some of the EVENT errors, but I still can't get the MS Exchange Transport to run and there seem to be a number of errors also happening with SharePoint (this might not have anything to do with Exchange not working).

I am not technical so need as much help as possible
Cannot access FTP Server (Win2016Std) from Internal.  (or from outside, when used with WordPress as a client)

FTP Server ( and IIS on same server behind firewall (TMG 2010). Configured publishing rule to forward External IP (X.X,X,X) to Internal (

All firewall rules are configured. Can connect from outside by FTP client (PASV) - no problems! Do not really need to connect from LAN, but


WORDPRESS SITE requires FTP Server setup on WEB Server to upload Updates from WEB Site.

When I try to ftp from WordPress it sends internal IP of the WEB Site as a client IP ( not the Client IP of the Browser machine.
So, TMG does not allow internal to external loopback...

Any solution?
We need to enable ports 8443 and 8445 on our ISA server. We can't see where to do this and, because we have very basic knowledge, are worried about making changes or using tools that might screw up our configuration. Can anyone help?
Hi experts,
I have a TMG server running windows 2k8, after installing some security patch from Microsoft this week, TMG has not worked anymore.
Currently, I cannot ping this server, cannot remote this server, all TMG Services are stopped and cannot start again. We are using .pac file to access Internet, and now we must change to another backup TMG. Please advise, it is urgent. Thanks for any assistance.
How to VPN LAN to LAN in TMG 2010 and DrayTek 2925n. Please help me! Thanks
Last week our Hyper-V server crashed and forced us to rebuild most of our network. While the network has been rebuilt we are having a major problem. We use Forefront TMG to route our web traffic using Web Listeners. We have a rule in place to take the external ip address coming in and translate that to the private website behind the Forefront firewall. Our TMG server has 2 NIC cards, an external one is setup without DNS and the internal one is setup without the default gateway. Our normal default gateway is our CISCO ASA VPN.

My issue is if I don't use our TMG server as the default gate for the webserver and our external DNS then I can't get to the site. As soon as I change it to our ASA the sites don't connect. If I use the TMG as our default gateway I can't get to a large part of the internet. I would like to use our ASA as the default gateway but I don't know what to do at this point.

I am using Forefront TMG 2010, please help me to block Facebook for one specific domain user.

We have migrated our Microsoft TMG Server to a new server with same name and same ip address configuration. When we restart our server it is working fine until Microsoft TMG server loads properly it blocks the gateway access for us. We get no gateway message on our DMZ network card.

We have migrated all of our configurations, and certificate. What could we be missing here?
Hi, I am using UAG 2010 and I have hosted one Internal site to access from Public. While uploading large files (30 MB) to the site I am getting the error: Server error 404 - File or Directory not found. Appreciated if any suggestions. I have set the upload limit to 50MB in UAG Trunk
TMG 2010 is blocking some websites, when I try to create a rule to bypass the proxy setting of the TMG again I am not able to access the sites, should we say that the status of the TMG now does not accept creating rules or why is it like that? Help me team.
I am having issues with TMG 2010 trying to install SQL server 2008. TMG 2010 server is associated with SQL Express. How do I unlink the SQL Express and link the new SQL server 2008? How do I keep a copy of the ISA logs on TMG 2010 and SQL server 2008? I have read most of the Microsoft TechNet files on the TMG 2010.
We have a corporate wide area network. The main site is using tmg 2010, and uses Also we have two more site connected to the main site via a vpn tunnel provided by the ISP. The external sites are and

Traffic between the nodes worked just fine until we implemented the tmg 2010 at the main site. We connect to the ISP via a public IP. Also the ISP provides the traffic coming from the other sites, but we have not been able yet to configure the tmg properly  to allow the incoming traffic from those external sites.

Any suggestions?

Here is the network topology.

Our company TMG 2010 Firewall is filtering some websites.
The websites are being filtered without the rules to filter them except facebook, youtube and porn sites are the only ones being filtered. But for some of those sites if you remove https they are able to be opened.
Please help
Yesterday we had an inbound email problem where nothing was being delivered and our scanners would not send email to our inboxes, but internal email to internal email worked just fine. I didn't spend much time on diagnosing this. I saw an event in the logs on one of the CAS servers.

Failed to connect to the Edge Transport server ADAM instance with exception The LDAP server is unavailable..  This could be caused by a failure to resolve the Edge Transport server name CTEDGE in DNS, a failure trying to connect to port 50636 on CTEDGE, network connectivity issues, an invalid certificate, or an expired subscription.  Verify your network and server configuration.

CTEDGE is our Forefront server. After I saw this I rebooted the Forefront server without any further thought (which was a mistake) and inbound email and scanners started working again. My boss seems to think that Forefront has absolutely nothing to do with the problem.

If CTEDGE is our edge subscription does this mean ALL email in and out is going through that server before it hits the mailboxes on the cas servers despite the fact we have send connectors that are going directly to our mimecast (external) email filter?
Dear Experts.....!
Not secure secure websites are not opening on ISA 2000, 2006 or TMG 2010, websites like:
www.badarruddin.net. I have allowed all traffic but only these types of sites are not opening. When I'm using this site without ISA server, directly to the internet, it's working, showing "not secure" in the address bar but opening properly. And with any ISA server it's not opening; all other sites are working properly except it. Please advise regarding this issue.

Hi all, thanks for your time in advance.

The issue I've got at the moment is:

We host websites for clients, and are using TMG 2010 SP2 RU5 to perform link translation/reverse proxying to internal systems via VPN connection to a 3rd party to access products hosted on another company. e.g.

Client > Our Product > TMG > 3rd Party via VPN > Vendor > HTTP/HTTPS response

HTTP/HTTPS response > Vendor > 3rd Party via VPN > TMG > Our Product > Client

The issue is some of the products that provide an http/https response don't use modern web compatibility. e.g. we have to inject <head><meta http-equiv="X-UA-Compatible" content="IE=5" /> into the header of the html page using TMG. on a page using SSL certs.

we have a number of domains that we can use potentially

e.g. our current solution is hosted on https://test.ourdomain.com.au which is where the TMG link translation occurs.

We either need to do a double redirect for the HTTP requests or redirect it to another SSL domain which we own, which I'm not sure is even possible.


(Note actual names and domains changed for security)
We've a TMG 2010 running in our domain and acting as a proxy server - I'm not aware of any changes being made but users are now being blocked from accessing numerous legit websites and an internal extranet running on IIS.  I'm not at all familiar with Forefront so any suggestions re rule changes would be much appreciated.  Thanks
I am getting the following error when accessing a website.

Denied Connection SERVERNAME 11/8/2016 7:34:02 AM
Log type: Web Proxy (Reverse)
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).  
Rule: Default rule
Source: External (
Destination: Local Host (
Request: GET http://candelalandscaping.com/ 
Filter information: Req ID: 0a7527f6; Compression: client=Yes, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
 Additional information
Client agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 MIME type:

The issue is that the error is intermittent. You can get to the site with no issues one minute and then the next you get the error. Whenever I test the rule from inside TMG it all works fine.

I have read a lot of stuff on the web but have not found a solution so any help would be appreciated.
My company plans to migrate Exchange Server 2010 to 2016, and currently I am using TMG 2010 on the Edge server as a proxy. Unfortunately, TMG 2010 isn't supported on Windows 2012, so I am looking for alternative firewall software to replace it. Does anyone have experience with replacing TMG? Thanks for your advice!

I am having forefront configured on a machine with a single network card. All the user must configure proxy settings into their browsers.
Now I want a specific range of IP addresses to be bypassed from proxy. Mean I want to provide internet to the certain users with specific network ID, which will not proxy settings. I want them to provide them direct access to the internet.

There are certain medical devices in the network which doesn't work behind proxy, but they need internet to be configured.

Please provide me step-by-step procedure for the same.
I want to use network for such device.

Thanks in advance.
Dear Experts,

What is the best option to publish SharePoint 2013 in the DMZ? Please advise

