The case of the big AD LDS database

Recently we were working with customers who ran into issues where the AD LDS database grew very large and they ended up with a full disk on the system drive. The AD LDS database files can be found in %windir%\ADAM. The file that grew quite big is adamntds.dit. The AD LDS on TMG…


TMG SP2 Rollup 4 available

We are happy to announce the availability of Rollup 4 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (SP2). TMG SP2 Rollup 4 is available for download here: Rollup 4 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2. Please see KB Article ID 2870877 for details of the fixes included…


ISA 2006 / TMG 2010: Disable Client-Initiated SSL Renegotiation, Protecting Against DoS Attacks and Malicious Data Injection

Recently we received a considerable number of support requests asking for more information about SSL/TLS renegotiation and the risk it introduces of exposure to DoS attacks and malicious code injection. The requests in question were focused on ISA/TMG products, considering they are used as reverse proxies for web publishing purposes, but the…


TMG Service recovery actions

If the Firewall service crashes a number of times within a short time period, it does not automatically restart after the fourth crash. If you review the Service Control Manager settings, the Firewall service appears to be configured to restart after all failures. After each of the first three failures, you will see this…


TMG stopped processing web proxy requests

This post is about an issue I worked on several days ago. Symptom: My customer had a TMG array with two nodes running with NLB. The problem they faced was that from time to time some TMG node couldn't process traffic anymore: requests to the virtual IP (VIP) failed and only rebooting the TMG…


How to configure the TMG Service Account to avoid problem with logging on SQL Server

One of the features introduced with TMG Service Pack 2 is the ability to run the Firewall Service under a domain account, which allows users to authenticate with Kerberos when using NLB. Find more information about this feature here: http://technet.microsoft.com/en-us/library/hh454304.aspx However, you should pay attention when specifying the account name to avoid problems with logging to SQL…


Clients Are Not Prompted to Choose a Certificate When Authenticating to ISA/TMG

Recently I have been seeing an increasing number of cases with the same symptom, especially in the military and government sectors and even among government contractors. In these highly secure environments, clients largely rely on the use of a "smart" card known as a Common Access Card (CAC) for authentication to their…