Microsoft Forefront ISA Server

9K Solutions, 10K Contributors

Microsoft Forefront, formerly known as Internet Security and Acceleration Server (ISA Server), is a network router, firewall, antivirus program, VPN server and web cache that runs on Windows servers. It includes identity management and protection systems, and discontinued systems for threat management and network protection, along with protection for SharePoint and Exchange. The scope of discussions includes forward and reverse proxy, application and service publishing, virtual private networks (VPNs), outbound access rules, SSL certificates and network routing within either a single node or a highly-available array pairing.


One of our customers is having an issue with Threat Management Gateway 2010. I realise this is now out of support and appears completely forgotten by MS.

I have yet to find out the build version, or whether Service Pack 1 or 2 is installed.

In the Web Proxy (Reverse) logs we are getting:

12202 Forefront TMG denied the specified URL

It gives the source and destination address.

There's an issue with Exchange EWS clients connecting from a MacBook Air.

It looks to be a request which mentions the autodiscover.xml of the client.

Any good background on this and the best way to troubleshoot would be appreciated.
0

We have migrated all the servers to a new domain. TMG Server 2010 stopped responding after joining the new domain. In the event log the following errors are logged:

Old domain was abc.gov.ca

New domain is xyz.gov.ca

1. The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server dm-tmg01$. The target server name used was ldap/dm-tmg01.abc.gov.ca:2171. This indicates that the target server failed to decrypt the ticket provided by the client.

2. Windows could not start the Microsoft Forefront TMG Managed Control Service on Local Computer. Error: 1068

3. Windows could not start the Microsoft Forefront TMG Job Scheduler Service on Local Computer. Error: 1068

4. Windows could not start the Microsoft Forefront TMG Firewall Service on Local Computer. Error: 1068
0
I've been using ISA 2006 fine with a T1 line. I was trying to change to an Optimum Cable line with 5 static IPs instead of the T1, but traffic was denied by the default rule and the web rule can't get through, as shown in the attached files. I have changed only the IP address on the external network adapter.
Do you have any comments?
isaT1log.jpg
isaOptimumlog.JPG
web-rule1.jpg
web-rule2.jpg
web-rule3.jpg
0
I had this question after viewing TMG Blocking Access to Some External sites on port 8080.

An external provider site is on port 8080 and TMG is blocking traffic to that site. Any ideas on how to allow the traffic to pass through TMG?
0
Cannot access FTP Server (Win2016Std) from Internal (or from outside, when used with WordPress as a client).

FTP Server (10.0.5.15) and IIS are on the same server behind the firewall (TMG 2010). I configured a publishing rule to forward the External IP (X.X.X.X) to Internal (10.0.5.15).

All firewall rules are configured. I can connect from outside with an FTP client (PASV) with no problems. I do not really need to connect from the LAN, but

THE PROBLEM IS:

The WordPress site requires the FTP server set up on the web server to upload updates from the website.

When I try to FTP from WordPress it sends the internal IP of the website (10.0.5.15) as the client IP, not the client IP of the browser machine.
So, TMG does not allow internal to external loopback...

Any solution?
0
How do I set up a LAN-to-LAN VPN between TMG 2010 and a DrayTek 2925n? Please help me! Thanks
0
Last week our Hyper-V server crashed and forced us to rebuild most of our network. While the network has been rebuilt, we are having a major problem. We use Forefront TMG to route our web traffic using Web Listeners. We have a rule in place to take the external IP address coming in and translate that to the private website behind the Forefront firewall. Our TMG server has 2 NICs: the external one is set up without DNS and the internal one is set up without a default gateway. Our normal default gateway is our Cisco ASA VPN.

My issue is that if I don't use our TMG server as the default gateway for the web server and our external DNS, I can't get to the site. As soon as I change it to our ASA the sites don't connect. If I use the TMG as our default gateway I can't get to a large part of the internet. I would like to use our ASA as the default gateway but I don't know what to do at this point.
0
I am using Forefront TMG 2010. Please help me block Facebook for one specific domain user.
0
Hi, I am using UAG 2010 and I have published one internal site for access from the public internet. While uploading large files (30 MB) to the site I get the error "Server error 404 - File or Directory not found". Any suggestions would be appreciated. I have set the upload limit to 50MB in the UAG trunk.
Upload-error.JPG
0
We have a corporate wide area network. The main site is using TMG 2010 and uses 192.168.0.0/22. We also have two more sites connected to the main site via a VPN tunnel provided by the ISP. The external sites are 172.16.32.0/24 and 172.16.64.0/24.

Traffic between the nodes worked just fine until we implemented TMG 2010 at the main site. We connect to the ISP via a public IP. The ISP also delivers the traffic coming from the other sites, but we have not yet been able to configure the TMG properly to allow the incoming traffic from those external sites.

Any suggestions?

Here is the network topology.

WIN_20170622_12_16_26_Pro--2-.jpg
0

Our company TMG 2010 firewall is filtering some websites.
Websites are being filtered even though there are no rules to filter them; Facebook, YouTube and porn sites are the only ones that have rules to filter them. Some of those sites can be opened if you remove https.
Please help
0
Dear Experts!
Websites that the browser shows as "Not secure" are not opening on ISA 2000, 2006 or TMG 2010, for example:
www.badarruddin.net. I have allowed all traffic, but only this type of site is not opening. When I use this site without the ISA server (directly to the internet) it works, showing "Not secure" in the address bar but opening properly. With any ISA server it does not open, while all other sites work properly. Please advise regarding this issue.
Thanks
0
Hi all, thanks for your time in advance.

The issue I've got at the moment is:

We host websites for clients, and are using TMG 2010 SP2 RU5 to perform link translation/reverse proxying to internal systems via a VPN connection to a 3rd party, to access products hosted at another company. e.g.

Client > Our Product > TMG > 3rd Party via VPN > Vendor > HTTP/HTTPS response

HTTP/HTTPS response > Vendor > 3rd Party via VPN > TMG > Our Product > Client

The issue is that some of the products that provide an HTTP/HTTPS response don't use modern web compatibility. e.g. we have to inject <head><meta http-equiv="X-UA-Compatible" content="IE=5" /> into the head of the HTML page using TMG, on a page using SSL certs.

We have a number of domains that we can potentially use.

e.g. our current solution is hosted on https://test.ourdomain.com.au, which is where the TMG link translation occurs.

We either need to do a double redirect for the HTTP requests or redirect them to another SSL domain which we own, which I'm not sure is even possible:

https://test.ourotherdomain.com.au

(Note: actual names and domains changed for security)
0
Hi all,

We configured an alarm system (IP module) connected to the intranet network protected by an ISA Server 2006.
The idea is to create a rule inside the ISA server to permit a connection from outside and activate/deactivate the alarm system remotely. They (the alarm company) explained to me that the system uses port 2200 (TCP & UDP).
I then configured two non-web server protocol publishing rules as below:

- server rule name: Alarm external access (TCP)
- server IP to publish (module IP: 172.28.20.13)
- selected protocol: port 2200 TCP Inbound
- listener IP addresses: External

- server rule name: Alarm external access (UDP)
- server IP to publish (module IP: 172.28.20.13)
- selected protocol: port 2200 UDP Inbound
- listener IP addresses: External

When I applied these rules, the result is that my connection arrives at the ISA server on the external interface (initiated connection) and is directly closed (closed connection). But it is impossible to reach the system module...

Do you have any suggestions or ideas?
Thanks guys!

Javier
0
I am trying to create a site-to-site VPN with TMG and a SonicWALL. The tunnel comes up but I can't pass traffic through it. The error in the SonicWALL log is INVALID_ID_INFO and "IKE Responder: Peer's local network does not match VPN Policy's [Destination]".

The TMG network is 192.168.145.x and the SonicWALL is 192.168.150.x. I have created an address object on the SonicWALL for the 192.168.145.x network and it is bound to the VPN rule. I imagine this is something silly that I am missing, but I am currently at a loss.
0
Hi,

I noticed HTTP traffic coming from my TMG 2010 to the internet. Log analysis shows that this traffic does not match any rule. Part of the destination addresses for the last few days are attached. This traffic generates up to 8GB of data each day, so this is quite a lot.
It is somehow generated by TMG itself, because network monitoring shows a traffic increase only on the external card, not the internal one, when this traffic appears.

The server downloads Windows updates from the LAN, so there shouldn't be any updates downloaded by the server itself.

Here are two log entries showing what these connections look like:

Closed Connection  
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
Source: Local Host (10.3.30.2:47311)
Destination: External (syd09s12-in-f3.1e100.net 216.58.199.35:80)
Protocol: HTTP
 Additional information
Number of bytes sent: 119212 Number of bytes received: 5380704
Processing time: 0ms Original Client IP: 10.3.30.2
 
Closed Connection
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
Source: Local Host (10.3.30.2:47692)
Destination: External (a72-247-223-147.deploy.akamaitechnologies.com 72.247.223.147:80)
Protocol: HTTP
 Additional information
Number of bytes sent: 1688 Number of bytes received: 1200
Processing time: 0ms Original Client IP: 10.3.30.2

Maybe anyone has some …
0
EE,

The error in the subject line really says it all. This happens when a client using two-factor authentication (like a CAC/token) from home tries to use OWA on the internal network via the TMG Forefront server, which returns error 12302: the server denied the specified uniform resource locator (guessing due to the cert issue).

So from the little searching I did, this simply means that the certificate name (webmail.com) doesn't match what the client types into the browser (which is https://webmail.com), or possibly a hash mismatch, which I have yet to look at. The rule on the ISA hadn't changed before it stopped working, so we are at a loss for things to check here.
0
I just want to change SMTP port 24 to 2525 in ISA Server 2006. How can I do that?
0
To the Experts,

ISA 2006 shows Client User Name = Anonymous when I click Start Logging.
How do I configure ISA 2006 Standard Edition to show the Active Directory user account name in the Client User Name field?

Reference information is attached.

Best regards

Thank you
Anonemus.png
0
I am trying to make a website on our inside network available to external users. I have set up the WAP server and have tested this website using pass-through authentication, and it works successfully. Unfortunately, I want the external users to authenticate using AD credentials and then, after successful authentication, be passed to the website. This internal IIS website is on a server that is not part of the domain. I have tried to set up non-claims-aware preauthentication on the ADFS server, but during the publishing of the site on the WAP server it asked for the backend server SPN. Well, the backend server is not in Active Directory. What can I use in this option if the backend website is not part of the domain?
0
Hello,

I currently have a two-server TMG array setup that ran into some problems over the past holiday week. A co-worker rebooted one of the servers in the array and it did not come back up. After troubleshooting it was determined to just rebuild the server. After we got the array up and running we took a chance and rebooted the other server, and it ended up doing the same thing. So in a nutshell we had to rebuild both servers in the array. Now we have both servers back and running, and basically we have two inside interfaces. One is the inside and one is a wireless interface. The inside interface is basically for all desktops to use as a proxy server that filters the employees' Internet connection. The wireless interface is basically used for people who connect to the wireless; they get a captive portal page and once they agree their traffic is then filtered via Websense. Now the internal clients are filtering just fine with no problems. The wireless, on the other hand, is just getting the captive page without filtered Internet.

It is important to mention that the captive portal and Websense products both use different TMG web filters. My problem almost seems like the Websense filter is not being applied to the wireless interface, but I can't seem to find anywhere in TMG to apply this. The captive filter is applied using a web access rule and the plugin simply adds a tab/checkbox to enable the portal on a given web rule.

I spoke to Websense today and the tech was …
0