Windows Update fails for some workstations behind TMG when using WPAD

Introduction: This post is about a recent scenario where a TMG administrator was receiving complaints that some workstations using TMG as a proxy were failing to run Windows Update. The interesting part of this issue was that only some workstations had the problem, and only when they were using “Automatic Detection” settings (which use…


Support for NLB on VLAN Tagged or Teamed Network Adapters

One of the most common questions we get is about TMG’s support for NIC Teaming and VLAN tagging with NLB enabled. We have recently released Software Update 2 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1. This is a regular rollup of hotfixes which is available through Microsoft Customer Service and Support. One…


NIS Signature Types (or why some signatures are disabled by default)

The NIS signature set released last month (8.32) contained 4 signatures that were disabled by default: Plcy:Win/Sharepoint.SafeHTML1.XSS!2010-3243, Plcy:Win/Sharepoint.SafeHTML2.XSS!2010-3243, Plcy:Win/HTTP.SafeHTML1.XSS!2010-3324 and Plcy:Win/HTTP.SafeHTML2.XSS!2010-3324. We’ve received a number of questions about why these signatures were off by default and thought it may be worthwhile to write about the NIS signature types again. As explained in the NIS in TMG whitepaper,…


When accessing TMG report hosted on IIS, images are not displayed

Consider the following scenario: You have configured reporting with TMG, and you have published the generated report content on an IIS 7.5 server (Windows 2008 R2) so that TMG administrators in your organization can access these reports from their workstations using a standard browser like Internet Explorer. Problem: The reports are not displayed correctly in…


“No network adapters could be identified” error when choosing a network template in TMG

Introduction: Some of our customers have experienced the problem described below when doing the initial network configuration of a fresh TMG installation. I wanted to share here the cause and solution to this issue. Consider the following scenario: You have installed Forefront TMG 2010, but when running the Getting Started wizard, you get the error…


Unable to join to TMG EMS Array with error: 0xC0040431

Introduction: Consider a scenario where a TMG admin reinstalled TMG Enterprise Edition after a hardware failure and decided to rejoin the array member to the EMS. However, when the TMG admin tried to rejoin it, the following error occurred: Troubleshooting: The first basic step in this type of scenario is to review the Event Viewer, since it…


Common Q&A about TMG URL Filtering database

URL filtering is one of Forefront TMG’s most popular features. The feature makes use of a cloud service, also known as Microsoft Reputation Services (MRS), for URL categorization purposes. In this post we’d like to address some of the more frequent questions we’ve received regarding the URL filtering database and the cloud service. What is…


Case sensitivity of ISA/TMG generated proxy auto configuration (pac) files

Scenario: From time to time we come across cases where customers complain that the proxy exception list does not work for certain URLs and (WinHTTP) clients still try to connect to the destination server using the proxy instead of going directly. Affected applications vary; we have seen issues with Outlook 2007, SCCM, but the list…


Unable to Fail Over from one TMG node to another when using NLB in a Virtual Environment

Introduction: This post is about a scenario where a TMG administrator was trying to simulate a failover before putting the environment into production. TMG nodes were installed in a third-party virtual environment. TMG was using integrated NLB with Unicast, and the External TMG adapter was connected to a layer 2 switch. To attempt to simulate failover,…


Outlook Anywhere and ActiveSync Http Filter Configuration

Here are the ISA Server/Forefront TMG HTTP Policy settings I use for ECP, OAB and Autodiscover. These settings were tested with Outlook 2007/2010 and Exchange 2007.

Setting and rule | *Exchange ActiveSync | *RPC over http (Outlook 2003/2007)
General tab
Maximum headers length | 32768 | 32768
Maximum payload length | 10485760 (10 MB) | Any
Maximum URL…