Further details and guidance regarding discontinuation of TMG Web Protection Services

As discussed in the following blog, the Forefront Threat Management Gateway (TMG) Web Protection Services will be discontinued on December 31st, 2015:- http://blogs.technet.com/b/applicationproxyblog/archive/2015/11/02/important-reminder-for-forefront-threat-management-gateway-tmg-web-protection-services-customers.aspx We wanted to provide some additional details on what this will affect and recommendations on actions you should be taking. The services that will be affected by this are:- – URL Categorization–…


Important Reminder for Forefront Threat Management Gateway (TMG) Web Protection Services customers

Just a quick FYI in case you missed it. The information below was posted to the Microsoft Application Proxy blog on November 2nd, 2015. ===== Back in September 2012, we communicated broadly on Forefront product roadmap changes. At this time, we would like to remind you that Forefront Threat Management Gateway (TMG) Web Protection Services…

Modernizing Microsoft Application Access with Web Application Proxy and Azure Active Directory Application Proxy

As the trends toward bring-your-own-device (BYOD) and Internet Protocol version 6 (IPv6) security increase, Microsoft understands that remote/mobile access is a strategic area and continues to heavily invest in it. Our solutions for cloud and server technologies are an integral part of the Microsoft portfolio, with security continuing to play an important role in Microsoft’s…

KB: HTTPS inspection in Forefront Threat Management Gateway 2010 doesn't use the full URL path for URL categorization

When HTTPS inspection is enabled, Microsoft Forefront Threat Management Gateway 2010 (TMG 2010) uses only the host part of the URL for URL filtering. For example, consider the following scenario: – Assume that www.contoso.com belongs in the Education category. – You set a URL category override for www.contoso.com/poker to the Gambling category, and a deny…

Missing BDA hook rules – impact and potential root cause

Some of you may already know what NLB is and how it works, as described in the general Network Load Balancing Overview [http://technet.microsoft.com/en-us/library/cc725946.aspx]. An integral part of a TMG NLB solution is bi-directional affinity, which is well described at the following link: Bi-Directional Affinity in ISA Server [http://blogs.technet.com/b/isablog/archive/2008/03/12/bi-directional-affinity-in-isa-server.aspx]. Bi-directional affinity creates multiple…


How to create a CNG HTTPSi cert using a 2008r2 CA

In a previous article we explained how to create a self-signed CNG certificate, suitable for the HTTPS Inspection feature, which can be used to inspect sites using an SHA-256 certificate. In this article we will explain how to generate a similar certificate using your internal CA based on Windows 2008 R2. Using a certificate issued…


TMG SP2 Rollup 5 now available

We are happy to announce the availability of Rollup 5 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (SP2). TMG SP2 Rollup 5 is available for download here: Rollup 5 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2. Please see KB Article ID: 2954173 for details of the fixes included in…


TMG Web Listener Certificate "Private Key handle error" 0x80090016

You may face an issue where a certificate assigned to a listener suddenly becomes invalid, and incoming SSL connections are therefore dropped. Restarting the service produces the following error: Event Source: Microsoft Firewall Event ID: 14060 Description: Cannot load an application filter Web Proxy Filter ({4CB7513E-220E-4C20-815A-B67BAA295FF4}). FilterInit failed with code…


TMG 2010 – YOU CANNOT REMOTELY CONNECT TO TMG SERVER WHEN IT’S PUBLISHING RDP PROTOCOL

If you recently tried to publish the RDP protocol through a TMG server and suddenly lost the ability to make TS connections to the TMG server itself, you may find this post useful! In TMG 2010, a System Policy rule exists allowing RDP traffic from a white-list of workstations to the TMG server itself. Thanks to…