On Forefront TMG (Threat Management Gateway) 2010 server, reports are being generated, but the email is not sent

 

Introduction:

When configuring TMG Reports to run at a Scheduled time, you can also configure it to send an email once the Report is generated. This can be useful for administrators to know that the reports have run and to let other people know that the reports are available. In this case the Reports were being generated but the emails were not being sent for some reason.

Scenario:

The TMG server was configured to generate Daily Reports at a scheduled time and to use the ISP’s SMTP server. When it failed we could see the following error on the Alerts tab:

Description: The report "DailyActivityReport" could not be generated. Report Server error information: The e-mail signaling that the report DailyActivityReport was generated could not be sent. Error information:

The error occurred on object 'Reports' of class 'Reports Configuration' in the scope of array 'TMG2010'.

This TMG alert tells us that the email could not be sent. Let us determine why it failed.

Troubleshooting:

We collected a TMG Data Packager package. Looking at the TMG Firewall logs and filtering on port 25, we could see that there was an issue with SMTP server connectivity. Here we found a Log Record that DENIED access to the SMTP server:

[Screenshot: TMG Firewall log record for the denied SMTP connection]

The log record shows that SMTP traffic to this address is getting DENIED by the [Enterprise] Default rule. It also shows that the SMTP server's destination IP address is in the External Network (in an ideal scenario, the SMTP server will be in the Internal Network).

We verified the name resolution from the TMG server for smtp.contoso.com. We did this by reviewing the TMG internal network trace and filtering the trace for DNS lookups to this record.

Filter:

(dns) && (dns.qry.name == "smtp.contoso.com")

Here we could see the response: the FQDN resolves to the IP address that is DENIED in the TMG logs above.

smtp.contoso.com: type A, class IN, addr 2.2.2.2

So it’s pretty clear that the System Policy for SMTP from the TMG server does not allow this traffic. By default we allow SMTP traffic from Localhost to Internal, and in this case the SMTP server was in the External Network of TMG.

We then checked the TMG configuration using ISAInfo and we could see the System Policy for SMTP was not modified.

[Screenshot: ISAInfo view of the System Policy for SMTP]

So, to make this work we had to modify this System Policy rule and add a computer set with the SMTP server in it.

We then added the SMTP server's Computer Set in the System Policy Rule and that solved the issue.
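The triage above can be repeated offline against exported data. The following is an added example, not code from the original post: it ties the DNS answer for the SMTP host to the denied port 25 records and checks whether that address lies in the Internal network. The CSV column names, the Internal address range and all rule names except the [Enterprise] Default rule are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample: a simplified CSV export of firewall log records.
# Column names are assumptions, not the real TMG log schema.
SAMPLE_LOG = """\
dest_ip,dest_port,action,rule
192.168.1.10,53,Allowed,Constructed DNS rule
2.2.2.2,25,Denied,[Enterprise] Default rule
2.2.2.2,25,Denied,[Enterprise] Default rule
192.168.1.20,25,Allowed,Constructed SMTP rule
"""

# Assumed address ranges of the TMG Internal network, as (start, end) pairs.
INTERNAL_RANGES = [("192.168.1.0", "192.168.1.255")]

def in_internal(ip, ranges=INTERNAL_RANGES):
    """True if ip falls inside any Internal network address range."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ranges)

def denied_smtp(log_text):
    """Return unique (dest_ip, rule) pairs for denied port 25 records, in order."""
    seen, out = set(), []
    for row in csv.DictReader(io.StringIO(log_text)):
        key = (row["dest_ip"], row["rule"])
        if row["dest_port"] == "25" and row["action"] == "Denied" and key not in seen:
            seen.add(key)
            out.append(key)
    return out

def diagnose(log_text, smtp_ip):
    """Relate the address from the DNS answer to the denied log records."""
    rules = [rule for ip, rule in denied_smtp(log_text) if ip == smtp_ip]
    if not rules:
        return "no denied SMTP record for %s" % smtp_ip
    if in_internal(smtp_ip):
        return "%s is Internal yet denied by %s; review the SMTP System Policy" % (
            smtp_ip, rules[0])
    return "%s is outside Internal, denied by %s; add it to the SMTP System Policy" % (
        smtp_ip, rules[0])

if __name__ == "__main__":
    # 2.2.2.2 is the address smtp.contoso.com resolved to in the network trace.
    print(diagnose(SAMPLE_LOG, "2.2.2.2"))
```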

Conclusion:

If you are doing something different from the default scenarios, then please make sure that you configure the TMG server accordingly so it matches the new requirements. Otherwise things may not work as expected, as in the case described above.

Author:

Nitin Singh

Security Support Escalation Engineer

Microsoft CSS Forefront Security Edge Team

Technical Reviewers:

Lars Bentzen

Security Sr. Escalation Engineer

Microsoft CSS Forefront Security Edge Team

Billy Price

Security Sr. Support Escalation Engineer

Microsoft CSS Forefront Security Edge Team