Further details and guidance regarding discontinuation of TMG Web Protection Services

As discussed in the following blog post, the Forefront Threat Management Gateway (TMG) Web Protection Services will be discontinued on December 31st, 2015: http://blogs.technet.com/b/applicationproxyblog/archive/2015/11/02/important-reminder-for-forefront-threat-management-gateway-tmg-web-protection-services-customers.aspx We wanted to provide some additional details on what this will affect and recommendations on the actions you should be taking. The services that will be affected by this are: – URL Categorization-…


Missing BDA hook rules – impact and potential root cause

Some of you may already know what NLB is and how it works, as described in the general Network Load Balancing Overview [http://technet.microsoft.com/en-us/library/cc725946.aspx]. An integral part of a TMG NLB solution is bi-directional affinity, which is well described at the following link: Bi-Directional Affinity in ISA Server [http://blogs.technet.com/b/isablog/archive/2008/03/12/bi-directional-affinity-in-isa-server.aspx]. Bi-directional affinity creates multiple…


TMG SP2 Rollup 5 now available

We are happy to announce the availability of Rollup 5 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (SP2). TMG SP2 Rollup 5 is available for download here: Rollup 5 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2. Please see KB Article ID: 2954173 for details of the fixes included in…


TMG 2010 – YOU CANNOT REMOTELY CONNECT TO TMG SERVER WHEN IT’S PUBLISHING RDP PROTOCOL

If you recently published the RDP protocol through a TMG server and suddenly lost the ability to make Terminal Services (TS) connections to the TMG server itself, you may find this post useful. In TMG 2010, a System Policy rule exists that allows RDP traffic from a white-list of workstations to the TMG server itself. Thanks to…


TMG Service recovery actions

If the Firewall service crashes a number of times within a short time period, it does not automatically restart after the 4th crash. If you review the Service Control Manager settings, the Firewall service appears to be configured to restart after all failures. After each of the first three failures, you will see this…


TMG stopped processing web proxy requests

This post is about an issue I worked on several days ago. Symptom: My customer had a TMG array with two nodes running with NLB. The problem they faced was that from time to time some TMG node couldn’t process traffic anymore: requests to the virtual IP (VIP) failed and only rebooting the TMG…


How to configure the TMG Service Account to avoid problem with logging on SQL Server

One of the features introduced with TMG Service Pack 2 is the ability to run the Firewall Service with a domain account, which allows users to authenticate with Kerberos when using NLB. Find more information about this feature here: http://technet.microsoft.com/en-us/library/hh454304.aspx However, you should pay attention when specifying the account name to avoid problems with logging to SQL…


How to implement PEAP-MSCHAPv2 as authentication method for VPN connections in TMG 2010

As you may know, there is a known security vulnerability in the MS-CHAPv2 authentication method. The following TechNet article provides detailed information about it: Microsoft Security Advisory (2743314), "Unencapsulated MS-CHAP v2 Authentication Could Allow Information Disclosure", http://technet.microsoft.com/en-us/security/advisory/2743314 You may consider moving away from PPTP VPN connections which are configured to use this authentication method…


TMG 2010 – Error “setup failed while registering Forefront TMG managed performance monitor” prompted while installing or repairing the TMG installation

It can happen while installing Forefront TMG 2010, or during a repair, that we hit the following error: This error is normally also linked to the ISA managed control service not starting correctly, with errors like the following in the Application event log: On the other hand, it is also possible to hit the…