I’ll try to elaborate on the issue using as many illustrations and snapshots as possible. When I came across this issue, it was quite surprising. 32-bit Remote Management Client: In the TMG environment, we are using a single EMS (Enterprise Management Server) with a single Array. There are two TMG nodes joined to this…
TMG SP2 Rollup 3 available
We are happy to announce the availability of Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (SP2). TMG SP2 Rollup 3 is available for download here: Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2. Please see KB Article ID: 2735208 for details of the fixes included in…
TMG services hang at startup due to third party service
This post is, once again, about an issue I worked on a few days back. Before I start discussing the issue, and how I resolved it, I would like to outline the objective of this post. The objective of this post is to make TMG administrators aware of issues like this, and what can be…
TMG sources outgoing packets with Secondary IP addresses
Hello Everyone! We’ve seen a few cases lately dealing with TMG servers sourcing outgoing packets with secondary IP addresses that have been added to the NICs. This could cause issues in communications between nodes or possibly other issues. One such example that I have come across is where a customer had a TMG…
How to delegate credentials sending only the username to an internal webserver using TMG 2010
Sergio Medina here, and today I want to talk about a question we receive every now and then and explain what the solution is just in case some of you run into a similar issue. You could hit this issue when publishing an internal webserver that accepts only the username as a valid format. For…
How to implement PEAP-MSCHAPv2 as authentication method for VPN connections in TMG 2010
As you may know, there is a known security vulnerability for the authentication method MS-CHAPv2. The following TechNet article provides some detailed information about it: Microsoft Security Advisory (2743314): Unencapsulated MS-CHAP v2 Authentication Could Allow Information Disclosure, http://technet.microsoft.com/en-us/security/advisory/2743314. You may consider moving away from PPTP VPN connections which are configured to use this authentication method…
How to determine if a client request contains a Multi-Line Header
This post is about an issue that I came across while working on a case recently. SCENARIO: The scenario was a simple website publishing through ISA Server 2006. While accessing the HTTPS website from a client, we were seeing a Failed Connection attempt in the ISA logs. More specifically, the error message was pointing…
Setting up TMG 2010 Where EMS is a Domain Member and Array Servers are in a Workgroup
Introduction: I have seen a number of cases where customers were installing TMG 2010 in a “hybrid” scenario. What I mean by this is that the EMS was part of the Domain but the Array Servers were in a workgroup. There are a couple of “gotchas” that I wanted to talk about today. Assumptions…
Using the Account Lockout Feature in TMG 2010
Introduction: A much-needed feature was added in Service Pack 2 for Forefront TMG 2010. This great new feature gives you the ability to lock accounts on TMG at the local level before accounts are actually locked out in the domain. The account lockout feature, when used properly, will prevent TMG from trying to authenticate…
TMG 2010 – Error “setup failed while registering Forefront TMG managed performance monitor” prompted while installing or repairing the TMG installation
It can happen while installing Forefront TMG 2010 or during a repair that we hit the following error: This error is also normally linked to the ISA managed control service not starting correctly and to errors such as the following in the application event viewer: On the other hand it is also possible to hit the…