Microsoft Forefront ISA Server
Microsoft Forefront, formerly known as Internet Security and Acceleration Server (ISA Server), is a network router, firewall, antivirus program, VPN server and web cache that runs on Windows servers. It includes identity management and protection systems, and discontinued systems for threat management and network protection, along with protection for SharePoint and Exchange. The scope of discussions includes forward and reverse proxy, application and service publishing, virtual private networks (VPNs), outbound access rules, SSL certificates and network routing within either a single node or a highly-available array pairing.

TMG 2010 is blocking some websites. When I try to create a rule to bypass the proxy setting of the TMG, I am again not able to access the sites. Should we say that the TMG now does not accept creating rules, or why is it like that? Help me, team.
Yesterday we had an inbound email problem where nothing was being delivered and our scanners would not send email to our inboxes, but internal email to internal email worked just fine. I didn't spend much time diagnosing this; I saw an event in the logs on one of the CAS servers.

Failed to connect to the Edge Transport server ADAM instance with exception The LDAP server is unavailable..  This could be caused by a failure to resolve the Edge Transport server name CTEDGE in DNS, a failure trying to connect to port 50636 on CTEDGE, network connectivity issues, an invalid certificate, or an expired subscription.  Verify your network and server configuration.

CTEDGE is our Forefront server. After I saw this I rebooted the Forefront server without any further thought (which was a mistake), and inbound email and scanners started working again. My boss seems to think that Forefront has absolutely nothing to do with the problem.

If CTEDGE is our edge subscription does this mean ALL email in and out is going through that server before it hits the mailboxes on the cas servers despite the fact we have send connectors that are going directly to our mimecast (external) email filter?

We've a TMG 2010 running in our domain and acting as a proxy server. I'm not aware of any changes being made, but users are now being blocked from accessing numerous legit websites and an internal extranet running on IIS. I'm not at all familiar with Forefront, so any suggestions re rule changes would be much appreciated. Thanks

I am getting the following error when accessing a website.

Denied Connection SERVERNAME 11/8/2016 7:34:02 AM
Log type: Web Proxy (Reverse)
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).  
Rule: Default rule
Source: External (
Destination: Local Host (
Request: GET 
Filter information: Req ID: 0a7527f6; Compression: client=Yes, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
Additional information
Client agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 MIME type:

The issue is that the error is intermittent. You can get to the site with no issues one minute, and then the next you get the error. Whenever I test the rule from inside TMG, it all works fine.

I have read a lot of stuff on the web but have not found a solution so any help would be appreciated.

My company plans to migrate Exchange Server 2010 to 2016, and currently I am using TMG 2010 on an Edge server as a proxy. Unfortunately, TMG 2010 isn't supported on Windows 2012, so I am looking for alternative firewall software to replace it. Does anyone have experience replacing TMG? Thanks for your advice!

I have Forefront configured on a machine with a single network card. All the users must configure proxy settings in their browsers.
Now I want a specific range of IP addresses to be bypassed from the proxy. I mean I want to provide internet to certain users with a specific network ID, without proxy settings. I want to provide them direct access to the internet.

There are certain medical devices in the network which don't work behind a proxy, but they need internet to be configured.

Please provide me a step-by-step procedure for the same.
I want to use the network for such devices.

Thanks in advance.

Dear Experts,

What is the best option to publish SharePoint 2013 in the DMZ? Please advise.

For some reason I cannot ping any device on the internal network, but I can ping the host name.
DHCP and DNS are running off the server.
It's a 2008 R2 server.
We have a router attached to a switch which all the devices and the server are attached to.
DHCP is not running on the router.

I am a Sys Admin but email is not my specialty. We had an email admin who left the company, so I am just managing what I can in the interim. We have a request to whitelist a few domains in Office 365. Our Info Sec is using a Security Awareness cloud solution product called Wombat. See the PDF attached for the whitelisting requirement (make reference to North America) from Wombat. If we configure this appropriately, legit phishing email will be sent to our users' inboxes, and not land in the spam list or junk email folder.

I need to know if I am taking the right steps. Please use the PDF as a guide to confirm if I am taking the appropriate steps:

1. From EAC, do I go to Protection > Spam filter > and double-click Default?
2. In the PDF, where it outlines Phishing Domains, do I include all the North America Phishing Domains under Allowed Sender or Allowed Domain? Also, if I do need to add it to Allowed Sender, should it be entered as (e.g. * or just simply
3. If I should create a new spam filter policy, instead of the default, what should the setting in the drop-down be for Spam?
What would the setting be for the High confidence spam drop-down?
4. What would I need to include in the yellow highlighted area?
5. Would I need to adjust anything in the below?
6. Viewing the PDF attached, where in EAC would I include the Platform Assignment Notifications Mail Servers?

After building a new Web Application (a simple one-pager actually) with VS 2015 Rev 3, then publishing to WS 2012 R2 IIS 8.5, and creating the simple rule in Forefront TMG to allow the site to be visible to the public internet, the site does not respond / times out.

Fiddler on the gateway machine where TMG is based states that all 200s are being returned for the page, and there is no access issue. When browsed from inside the private network, the URL is obviously going through TMG (port 80 is returned, not port 99, which is how the web application is set up internally).

I've been working on this for a day-and-a-half, and have pretty much had it. Other existing websites are responding without issue, even on the same web server.

I can only think this has something to do with the publishing process for IIS 8.5, or something to do with VS2015 Rev3, but I am hoping that someone out there has had an identical issue and resolved it.

Thank you.
For the past few months I have received multiple complaints from users who cannot access the internet, or applications such as Outlook don't send emails, etc... the typical things that all point back to internet/proxy.

I have about 500 clients and they are all using DHCP. In the DHCP scope options a wpad.dat field is configured for all clients. I assume this is to avoid having to configure the IP of the proxy on all PCs and take advantage of the 'auto detect' configuration the clients usually come with by default. It's been like this since long before I entered the company.

Anyhow, my support team continues to call me periodically telling me that they've had to work around the 'proxy' issue by creating a static proxy entry directly in the 'Internet options' field in IE.

I can't come to a conclusion as to why sometimes some clients face proxy issues which cause them to not hit the internet, and when the issue happens again (after setting a static proxy on the client), removing it (setting back to auto detect) fixes their 'internet' problem?

When I look at the health of the ISA proxy server, it seems OK in general. No low disk space, memory leaks or CPU over-utilization. The only issue here is that ISA is sitting on a 2003 server, yet no configurations have changed.

Thanks in advance

Can I get guideline documentation for a step-by-step migration from FIM 2010 to MIM 2016?

We have to migrate our FIM 2010 to MIM 2016.

Thank you

Dear Experts,
I need to deploy TMG 2010 in my LAN for giving and controlling Internet access to all Users/Workstations. We have a DMZ zone and a LAN. Kindly help me out with where to place the TMG server so that I can provide internet access to all my client machines.

Hi Experts,

I'm looking to deploy IAM and was wondering if anyone knows a good IAM system that could accomplish the following tasks?

We would want to be able to control and automate access to various applications including:

- Automatic provisioning and de-provisioning of application access (automatically creating and removing user accounts within apps)
- Single sign-on to applications – users to be able to log in to applications automatically based on their AD login
- Password management within applications – system able to automatically manage password expiry and password changes within applications
- Self-service password reset (AD) – system to have a mechanism for staff to reset and manage their AD passwords themselves

The scope of applications has not been specifically defined, but the focus would be the majority of the applications that we use which currently have a separate login and manual user account setup. Let me know if you need further clarification.

I would also be interested in other features of IAM that we can make use of.

Hi Guys,

We've been using TMG for the last couple of years and still have no issues; however, the product has been discontinued and as time goes on the risk of attack will increase.

1. Are hardware firewalls better than software? Or is this at the administrator's discretion?

2. Any recommendation for a new firewall to replace TMG?

3. Must be compatible with MS Exchange rules, SSL, etc.

I would appreciate some ideas / input.

I'm new to IRM and its setup. Also, is IRM installed on Office 2016 Pro by default?

For a few days now, we've been receiving SPAM with our own internal email addresses;
I guess the spammers are using an Exchange configuration which allows sending mail as internal users without authentication (MAIL FROM :

My question is quite simple: is there a way to prevent this?

Do we have to configure that on the receive connector properties?
(We actually have 2: one on port 25, another one on port 465.)

Hi Experts,

We need to set up a RADIUS server for wireless auth. Is it a best practice to set up RADIUS on a separate server or on a domain controller? I was told to install it on its own server but want to get other opinions.

RADIUS using WPA2 Enterprise is the most secure deployment of wireless networking currently, correct?

If it should be installed on its own server, would I still install certificate services on it?

Is there a best practice guide for setting RADIUS up, or is there a guide at all (step-by-step)?

Domain-joined network
Server 2012 R2

Either with one or more than one Kemp LoadMaster VM?

Which templates would I use?

I have the Lync 2013 templates from here already, just not sure which to use:

I need to use another IP address in my address block. What I have done is to place a dedicated (meaning only being used for this specific purpose) enterprise switch between my router and my Microsoft TMG proxy/firewall. While this solution does work, and I can point traffic through either external IP address and everything works, the downside is that my internet speed has dropped from a tested speed of around 98 Mbps to 5 Mbps (upload speed equally bad). I can hear the first thought... what kind of garbage switch are you running. It's a new Dell Enterprise-level switch with a gigabit backbone. I have even tried another equally new switch of similar spec.
I am seeing the forest but not the trees on this one. Consider that all I have to do is place this switch between the ISP Cisco router and my proxy server running Microsoft TMG, and my internet speed drops like a rock. I know there is a simple answer... I just don't see it.

Hi All
We have subscribed to Office 365 and employed a 3rd party to set up synchronisation of our AD (selected OUs) using 'Forefront Identity Manager 2010'. Whilst this seems to work OK, it only synchronises in one direction (AD to O365), so if people change their PW in O365 they are then out of sync.

What is the best tool to use for O365 2-way synchronisation: DirSync, Azure, FIM, something else? There does seem to be a lot of options and I am not sure how to tell which is the correct path.

Any thoughts appreciated.

ISA 2006 on Server 2003 (please do not ask; currently in the process of getting them to update to a newer firewall).
RRAS on the same server.
Currently have VPN working for employees to log in, but trying to create a site2site for Azure.
Azure Site to Site is requiring me to use Server 2012 to host RRAS for their VPN to work.

Is there a way to tell ISA to use RRAS on the server 2012 box, or does it require it to be on the same machine?

The end result (for what it matters) is to have a single Server 2012 R2 (on-prem) that is running Veeam Replication to be able to see and connect to the Azure server to back up to.

I have a website policy in Forefront TMG. Is there a way to copy all the settings and rename the policy website, or does this have to be done manually? Basically I need the same settings for another site.

I am working to upgrade our Threat Management Gateway 2010 servers to Rollup 5. I am fairly new to the TMGs, taking on responsibilities from another admin. I am hoping to get some insight into the upgrade process, but online info is kind of scarce. Right now all my servers are running TMG 2010 SP2 base. There have been 5 rollups released. Do I need to do each of them consecutively, or do I just need to do #5 to get all the changes/fixes? I have 2 TMGs at each site that are paired together. My plan is to shut them down one by one and snapshot the server, and also to do a configuration XML backup prior to doing the rollups. Are there any gotchas I need to account for that I may be missing? The TMGs are in the DMZ. I am not planning any special Exchange backups; they are backed up as part of the nightly backup process. As far as I can tell this upgrade really doesn't touch Exchange itself, right? Any help from anyone who's performed these upgrades will help greatly! Thanks!

I'm trying to work out the best web filtering solution for about 100 small to medium sized MPLS-connected sites. They are all connected back to a central point.

The difficulty I have is that the remote sites are not domain joined. If I run with a proxy web filtering solution then I need to deploy proxy settings to all. This is difficult but not a major issue, but what about devices like iPhones whose apps are not proxy aware? Also the admin/support would be a headache, getting users to change proxy settings each time, and some are BYOD so can't use MDM. Sounds like I need a proxy and gateway solution. It would be great to hear from someone in a similar setup.