TMG URL Filtering fails

TMG URL Filtering fails

  • Comments 3
  • Likes

 

Introduction

Consider the scenario where we have URL Filtering enabled on TMG 2010 Server and it is not working.

Troubleshooting

A quick look at the Alerts section in TMG MMC shows:

The failure is due to error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Description: An error occurred while trying to communicate with the Microsoft Reputation Service server. If this Forefront TMG server is chained to an upstream server, verify that the WinHTTP proxy is set to localhost. If this issue persists, check that Internet connectivity is available.

In our case we were able to access the Internet properly and all other settings looked good.

As a troubleshooting step we accessed the MRS Websites https://10.ds.mrs.microsoft.com and https://10.ts.mrs.microsoft.com from TMG Server and we received an error that the certificate is not trusted.

We discovered that the root certificate from “GTE CyberTrust Global Root” was missing from the server.

In order for URL Filtering to work properly we need to have trusted root certificate installed on TMG Server.

After installing “Update for Root Certificates Update” the issue was resolved.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=25249786-2B8E-4C51-8F4B-727CE25CC2C5

Conclusion:

URL Filtering is a cloud based service and must be able to successfully establish an HTTPS connection to the either of the MRS (Microsoft Reputation Service) sites mentioned above.

http://technet.microsoft.com/en-us/library/ee869543.aspx

Authors

Junaid Ahmad Jan

Security Support Engineer,

Microsoft CSS Forefront Security Edge Team

Technical Reviewer

Richard Barker

Sr. Security Support Escalation Engineer,

Microsoft CSS Forefront Security Edge Team

Comments
  • thanks for post, but now i have problem with my tmg server

    if i try to conenct with 10.ts.mrs.microsoft.com , i recieve error, warning from my IE, adress missmatch, certificate is for portal.ts.mrs. microsoft.com  

    TMG  test conectivity failed connect to 10.ts.mrs.microsoft.com, certificate revoked,

    pls help

  • i have installed TMG 2010 and created url filtering rule for facebook.com but that problem is ever after five minutes i can see that the users can access facebook. and then i check in TMG MMC so i can see that the Category Query says me that facebook.com is unknown....but just after five minutes i can see facebook has been automatically blocked and i can also see in Category Query it says me facebook is in blog/wiki category...
    so why it is changing automatically every after 5 or 10 minutes :( ?
    where is the problem ???
    i need your help please !!

  • hello,
    thank you very much for your Email.
    yes i need your help because i just little bit searched about Fastvue and downloaded but not be able to use it.
    i need to make weekly report of my network.
    i'll be glade if you can help me, how to make a report in Fastvue?
    i'll be glade for you positive response.
    thank you very much for your time.

    Regards:
    Ashraf Ali

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment