Rollup 5 for Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (SP2).

Microsoft released Rollup 5 for Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (SP2).

Issues that are fixed in this rollup package:

2963805 FIX: Account lockout alerts are not logged after you install Rollup 4 for TMG 2010 SP2
2963811 FIX: The TMG Firewall service (wspsrv.exe) may crash when the DiffServ filter is enabled
2963823 FIX: “1413 Invalid Index” after you enable cookie sharing across array members
2963834 FIX: HTTPS traffic may not be inspected when a user accesses a site
2967726 FIX: New connections are not accepted on a specific web proxy or web listener in Threat Management Gateway 2010
2965004 FIX: EnableSharedCookie option doesn’t work if the Forefront TMG service runs under a specific account
2932469 FIX: An incorrect value is used for IPsec Main Mode key lifetime in Threat Management Gateway 2010
2966284 FIX: A zero value is always returned when an average counter of the “Forefront TMG Web Proxy” object is queried from the .NET Framework
2967763 FIX: The “Const SE_VPS_VALUE = 2” setting does not work for users if the UPN is not associated with a real domain
2973749 FIX: HTTP Connectivity verifiers return unexpected failures in TMG 2010

Download

Rollup 4 for Forefront Threat Management Gateway 2010 Service Pack 2

Issues that are fixed in this rollup package

2889345 FIX: Accounts are locked out beyond the AccountLockoutResetTime period in Forefront Threat Management Gateway 2010 SP2

2890549 FIX: Incorrect Performance Monitor values when queried from a .NET Framework app in Forefront Threat Management Gateway 2010

2890563 FIX: “URL” and “Destination Host Name” values are unreadable in the web proxy log of Forefront Threat Management Gateway 2010

2891026 FIX: Firewall Service leaks memory if Malware Inspection is enabled in Forefront Threat Management Gateway 2010

2888619 FIX: A password change is unsuccessful if a user’s DN attribute contains a forward slash and an Active Directory LDAP-defined special character in Forefront Threat Management Gateway 2010

2863383 FIX: “Query stopped because an error occurred while it was running” when you run a non-live query in Forefront Threat Management Gateway 2010 SP2

2899720 FIX: Threat Management Gateway 2010 incorrectly sends “Keep-Alive” headers when it replies to Media Player WPAD file requests

2899716 FIX: Firewall service (Wspsrv.exe) crashes when a web publishing request is handled in Forefront Threat Management Gateway 2010

2899713 FIX: Access to certain SSL websites may be unavailable when HTTPS Inspection is enabled in Forefront Threat Management Gateway 2010

Publish Exchange 2013 With Forefront Threat Management Gateway

 

TMG doest not support jet Exchange 2013. But with minor changes you get it working Smile

Change in the OWA Rule

In Exchange 2013 changed the published server logoff URL to /owa/logoff.owa

image

You need create a Extra Rule Exchange 2013 APPS Rule

image
You need the ExchangeGuid

Powershell:

Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like “OrganizationCapabilityClientExtensions”} | fl exchangeGUID, primarysmtpaddress
ExchangeGuid : 3eccca51-d996-49df-b6e0-302d644fdcaa

image

image

image

 

Totally:
image

Publish all Exchange roles on one TMG listener

I have only 1 public IP address in my testlab so I wanted also deploy Outlook Anywhere so dat I can reseice mail from every where I am.

Configure Outlook anywhere rule on TMG

  1. Open Forefront TMG
  2. Click on image_thumb5[1]
  3. In the Action Pane under Task click image_thumb6[1]
  4. Give the rule a Name ill name mine “2010 OA”
  5. image
  6. Next –> Next
  7. image_thumb8[1]
  8. Internal Site Name should be your CAS server FQDN (needs to be on the cert)
  9. image_thumb9[1]
  10. The external name is what you use to access OA (Also needs to be on the cert)
  11. image
  12. Click –> Next –> Finish –> Select the Listener. (Choose the OWA listener you created before)

  13. This step moves the auth from the TMG server and moves it to the Exchange
  14. image
  15. Modify the User set to include “all users” and remove “all authenticated users”.
  16. clip_image002
  17. You may get the following error you can click ok and ignore it. (Do not check require users to authenticate check box on the listener or this method will not work)
  18. clip_image002[5]
  19. Finish
  20. Now Outlook anywhere is published using the same listener as OWA! (Albeit without pre-auth)

Forefront TMG 2010 SP2 Rollup 3

Microsoft released Rollup 3 for Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2.

For Exchange, this Rollup fixes unexpected authentication prompts when using OWA published using Forefront Threat Management Gateway (TMG) 2010 in conjunction with RSA authentication and Forms-based Authentication (2783345)

 

2700248 A server that is running Forefront Threat Management Gateway 2010 may stop accepting all new connections and may become unresponsive

2761736 All servers in a load-balanced web farm may become unavailable in Forefront Threat Management Gateway 2010

2761895 The Firewall service (WSPSRV.EXE) may crash when the firewall policy rules are reevaluated in Forefront Threat Management Gateway 2010

2780562 PPTP connections through Forefront Threat Management Gateway (TMG) 2010 may be unsuccessful when internal clients try to access a VPN server on the external network

2780594 A non-web-proxy client in a Forefront Threat Management Gateway (TMG) 2010 environment cannot open certain load-balanced websites when TMG HTTPS inspection is enabled

2783332 You cannot log on when FQDN is used and Authentication delegation is set to “Kerberos constrained delegation” in a Forefront Threat Management Gateway 2010 environment

2783339 A closed connection to a domain controller is never reestablished when Authentication delegation is set to “Kerberos constrained delegation” in a Forefront Threat Management Gateway 2010 environment

2783345 Unexpected authentication prompts while you use an OWA website that is published by using Forefront Threat Management Gateway (TMG) 2010 when RSA authentication and FBA are used

2785800 A “DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)” Stop Error may occur on a server that is running Forefront Threat Management Gateway (TMG) 2010

2790765 A “Host Not Found (11001)” error message occurs when an SSL site is accessed by using a downstream Forefront Threat Management Gateway 2010 server that has HTTPS Inspection enabled

 

For TMG, support will end on April 14th, 2015 and extended support will end on April 14th, 2020. You have some time to look into alternatives.

You can request Forefront TMG SP2 RU3 directly from support here.

TMG2010: Server Configuration does not match the stored configuration

Issue: Not Synced Server Configuration does not match with stored configuration

image4

Cause: FF TMG 2010 Array certificates expired.

Solutions: The following steps will fix the issue. Please note that I am explaining the situation where my TMG 2010 enterprise Array is deployed in workgroup.

Step1: Run ISA BPA on TMG 2010 Array Member

image1

Step2: Verify certificate expiry date

1. From the Start menu, click Run. Type MMC, and then click OK.

2. In MMC, click File, and then click Add/Remove Snap-in.

3. Click Add to open the Add Standalone Snap-in dialog box.

4. From the list of snap-ins, select Certificates, and then click Add.

5. Select the service account and click Next.

6. Click Next.

7. Select ISASTGCTRL and click Finish.

8. Browse to ADAM_ISASTGCTRL\Personal > Certificates.

9. Open the certificate to see if it is expired.

Step3: Create a Request.inf file. Open notepad and copy the following and paste into notepad. modify CN and domain details as per your own requirement. rename the file as request.inf. An example of the inf file is:

[Version]

Signature=”$Windows NT$

[NewRequest]

Subject = “CN=myTMG.mydomain.com”

EncipherOnly = FALSE

Exportable = TRUE  

KeyLength = 1024

KeySpec = 1 ; Key Exchange

KeyUsage = 0xA0 ; Digital Signature, Key Encipherment

MachineKeySet = True

ProviderName = “Microsoft RSA SChannel Cryptographic Provider”

ProviderType = 12

RequestType = CMC

; Omit entire section if CA is an enterprise CA

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]

CertificateTemplate = WebServer

Step4: request Certificate to the Root/Subordinate CA

Open a elevated command prompt. At the command prompt, type the following command, and then press ENTER:

certreq -new –f request.inf certnew.req

Important! This command uses the information in the Request.inf file to create a request in the format that is specified by the RequestType value in the .inf file. When the request is created, the public and private key pair is automatically generated and then put in a request object in the enrollment requests store on the local computer.

Step5:Submit the request and obtain certificate

Open a elevated command prompt. At the command prompt, type the following command, and then press ENTER:

certreq -submit certnew.req certnew.cer

Important! certnew.req is generated in the previous command. certnew.cer is the certificate you are looking for.

An alternative way of submitting certificate to CA

  1. Open Certificate Authority
  2. Right Click on CA Server>All Task>Submit a New request
  3. Point to the location of certnew.req file
  4. Save Certificate As certnew.CER file into the preferred location

Step6:Convert certificate into .pfx format

Import the certificate certnew.cer into a server or an admin workstation

1. On the head node, click Start, click Run, and then type mmc to start the Microsoft Management Console.

2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.

3. In Available snap-ins, click Certificates, and then click Add.

4. Select Computer account, and then click Next.

5. Select Local computer, and then click Finish.

6. If you have no more snap-ins to add to the console, click OK.

7. In the Microsoft Management Console, in the console tree, expand Certificates, and then expand Personal.

8. In the details pane, click the certificate you want to manage.

9. On the Action menu, point to All Tasks, and then click Import. The Certificate Export Wizard appears. Click Next.

10. Browse to location of certnew.cer file

11. Import Certificate

To export a certificate in PFX format using the Certificates snap-in

1. On the head node, click Start, click Run, and then type mmc to start the Microsoft Management Console.

2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.

3. In Available snap-ins, click Certificates, and then click Add.

4. Select Computer account, and then click Next.

5. Select Local computer, and then click Finish.

6. If you have no more snap-ins to add to the console, click OK.

7. In the Microsoft Management Console, in the console tree, expand Certificates, and then expand Personal.

8. In the details pane, click the certificate you want to manage.

9. On the Action menu, point to All Tasks, and then click Export. The Certificate Export Wizard appears. Click Next.

10. On the Export Private Key page, click Yes, export the private key. Click Next.

11. On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX). Click Next.

12. On the Password page, type and confirm the password that is used to encrypt the private key. Click Next.

13. Follow the pages of the wizard to export the certificate in PFX format.

Step7: Import Certificate into TMG Array

Log on to the TMG Server

Open FF TMG 2010 Console

Click on System>Click Server that is one of the array member>Click Import Server Certificate from the task pan>Browse location of the certificate import certnew.PFX format certificate

Click Ok.

Click refresh on the systems

Step8: Repeat the entire steps into all array members

Step9: Refresh Array members and check system

image2

Check TMG related services.

image3

Special thanks to Raihan Al-Beruni

What is the best way to migrate PDA’s or Tablets from a legacy version of Exchange to Exchange 2010.

Microsoft released November 2010 a great document: Publishing Exchange Server 2010 with Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010.

One thing that I misted in that document: What is the best way to migrate PDA’s or Tablets from a legacy version of Exchange to Exchange 2010.

In most cases you wil use TMG als a firewall. Between the Internet and your internal Network.

Some weeks ago I did a Exchange 2010 migration en I don’t wanted a big bang scenario.

But I had the all the sort of phone’s that are on the marked today (Iphone, Android, Windows Phone 7.5 and some Windows Mobile phones and all so Ipad’s)

The First thing what is asked my self when design the new infrastructure.

Domain Joining Forefront TMG or Leaving in a Workgroup

In most organizations, the decision whether to domain join the server hosting Forefront TMG your production domain may be one of the most important parts of the deployment.

Forefront TMG deployments are more complex to discuss because Forefront TMG is considered a firewall and can protect the network edge. Domain joining Forefront TMG offers many advantages: it allows certificate based authentication to be used at Forefront TMG, using Kerberos Constrained Delegation to communicate to Exchange; it allows easy use of Active Directory groups and user objects in publishing rules to restrict access; and it provides other benefits. If your are not sure to domain join Forefront TMG, see Debunking the Myth that the ISA Firewall Should Not be a Domain Member.

I thinks that the best practice is to domain join TMG. Because is makes your live a lot easier.

First I created a Exchange 2010 group in the Active Directory.

Second you make the Exchange 2010 group available in TMG

Third you make four rules 2 for Exchange 2010 (OWA & ActiveSync) and 2 for your legacy server of servers (OWA & ActiveSync)

Fourth makes sure that the Exchange 2010 rules are above the legacy rules.

Fith: You change on the Exchange 2010 rules the all authenticated users to Exchange 2010. (After the migration you delete the legacy rules and change on the 2010 rules the Exchange 2010 back to all authenticated users).

pdasync2010pic2

Sixth: When you do a mailbox move you puth the user in de Exchange 2010 group.
Why you thing. When the user is in the Exchange 2010 group the PDA wil use the Exchange 2010 rule. When there user is not in the Exchange 2010 group the legacy rule will do the trick.

I migrated at this way about 300 users with random pda’s and tablets with no downtime at all Knipogende emoticon

Screenshot from the TMG rules.
 pdasync2010pic1

Rollup 1 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2

Microsoft released Rollup 1 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2.

Issues that are fixed in this rollup package:

2654016 A client may be unsuccessful in accessing a Java SSO application published to the web in a Threat Management Gateway 2010 environment

2653703 You receive an "Error: Subreport could not be shown" error message in the User Activity or Site Activity report in a Forefront Threat Management Gateway 2010 environment

2654585 UDP packets may become backlogged when you increase the "Maximum concurrent UDP sessions per IP address" setting in a Forefront Threat Management Gateway 2010 environment

2624178 Threat Management Gateway 2010 administrators may be unable to generate reports

2636183 Both sides of a TCP connection are closed when the client or remote application half-closes the TCP connection in a Forefront Threat Management Gateway 2010 environment

2653669 Summary information for the Top Overridden URLs table and for the Top Rule Override Users table display incorrect information in a Forefront Threat Management Gateway 2010 environment

2617060 Forefront TMG 2010 enables L2TP site-to-site connections in RRAS

2655951 Japanese characters in the subject line of an Alert email message are not readable in the Japanese version of Forefront Threat Management Gateway 2010

2654068 "The Web Listener is not configured to use SSL" warning message may occur when you configure a Web Listener to use a valid SSL certificate in a Forefront Threat Management Gateway 2010 environment

2654193 You receive a "Bad Request" error message when you try to access Outlook Web App in a Forefront Threat Management Gateway 2010 environment

2654074 String comparison may become case-sensitive when you publish a website by using Forefront Threat Management Gateway 2010

2658903 The Forefront Threat Management Gateway Firewall service (Wspsrv.exe) may crash frequently for a published website secured by SSL after you install Service Pack 2

Note that along the lines of products like Exchange, cumulative updates for ForeFront TMG are now also called Rollup instead of Software Update or Update.

You can request ForeFront TMG SP2 RU1 directly from support here.

Internet Explorer Stops Randomly when using TMG als proxy or Error 502 The number of HTTP requests per minute exceeded the configured limit.

Some users report that Internet stops Randomly. After investing i say the following error:

image

On the TMG Management server I saw also the The number of HTTP requests per minute exceeded the configured limit.

Solution:

1. Open TMG Management Console

clip_image001
2. Go Intrusion Prevention System

3. Flood Mitigation
clip_image002

4. Click on the Edit button: The number of HTTP requests per minute exceeded the configured limit
clip_image003
Default = 600 I configured = 3000

No tags for this post.

Running Windows Update on a TMG Firewall Fails with Result Code 80072EE2

Recently I have encountered a problem with the Windows Update client on a server with Forefront Threat Management Gateway (TMG) 2010 installed. The Error is: Windows could not search for new updates with error code: 80072EE2.

When this occurs, Malware Inspection and Network Inspection Systems signature updates are received without issue.

To resolve this issue, open an elevated command prompt and enter the following command:

netsh winhttp set proxy localhost:8080

If you need to configure Windows Update on the TMG firewall to work with WSUS, read this blog post on the Forefront TMG product team blog.