Forefront TMG Service Pack 2 Now Available

We are happy to announce the availability of Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (SP2). The service pack is available for download from the Microsoft Download Center. Here are some of the improvements we are introducing in Forefront TMG SP2: Site activity report – Forefront TMG SP2 includes a new site activity…


Use the Power of Excel Pivot Tables to analyze attacks and session distribution

Usually we’re using tools like Network Monitor, various text file parser, Procmon, Windbg… to solve ISA/TMG cases every day in and out in Microsoft Customer Service & Support. Sometimes we also use Excel to be able to filter the exported Firewall or Web Proxy Logs our customers send to us, e.g. only display traffic for…


How to generate a certificate with subject alternative names (SAN)

When publishing services like Outlook Anywhere, OWA and Active Sync for exchange in ISA/TMG, we sometimes need certificates with subject alternative names (SAN). This enables us to publish multiple DNS names using one SSL Web Listener. Requesting SAN certificates is something we can perform directly through a Microsoft internal CA. However there are some steps…


How to patch a TMG array– some thoughts on NLB high availability

One of the reasons for using an array is the availability of NLB, which is known to provide fault tolerance and load balancing. NLB relies on heartbeats to determine whether the cluster nodes are alive. The nodes divide the potential client IP addresses among each other (in fact actually the hashes of the IPs) and…


“Slow Performance” accessing CRM IFD published with ISA/TMG

In this article I want to provide a detailed view on a possible performance issue you might face, when you’re publishing CRM 2011 IFD using ISA Server or TMG. Please note that the screenshots provided in this article are based on TMG, however the configuration in ISA is very similar to the configuration described in…


Understand ISA/TMG updates

The purpose of this blog post is to provide you with some interesting information about the different kind of product updates the ISA/TMG Sustained Engineering (SE) team can release during the lifecycle of ISA Server or Forefront Threat Management Gateway. First of all, we will make the distinction between a bug and a design change…


Publishing SharePoint mobile for Windows Phone 7

Preface Publishing SharePoint mobile for Windows Phone 7 with UAG is easy. However, it is possible to achieve similar results using TMG (or even other 3rd party reverse proxies) In this post we will provide the high-level topology architecture used in order to access published SharePoint sites from WP7. This post also provides a step-by…


Exchange Content Filter settings are ignored

Symptom Consider that you have deployed Forefront TMG 2010 along with Exchange Edge and Forefront Protection for Exchange 2010 (FPE), and you have also enabled the E-Mail Policy feature in TMG. In addition, you have configured from the TMG Management console some Content Filtering settings related to Exchange Edge. The problem is that you notice…


Microsoft Forefront TMG 2010 (Standard Edition and Enterprise Edition) has passed Common Criteria Evaluation Assurance Level 4+ (EAL 4+)

I’m happy to announce that Microsoft Forefront TMG 2010 (Standard Edition and Enterprise Edition) has passed Common Criteria Evaluation Assurance Level 4+ (EAL 4+). The certification work has been performed by the Federal Office for Information Security (BSI), the Common Criteria certification body of the German government and TÜViT Evaluation Body for IT security which…


Requiring Strong Authentication Only for Specific Published Paths or Sites

Introduction Recently we’ve encountered a number of cases where customers wanted to use TMG to require strong authentication for some parts of a published web site (e.g. Outlook Web Access, OWA) but not for others (e.g. Exchange Active Sync, EAS). This post will describe how to configure TMG for similar scenarios. Background The TMG authentication…