Back in May 2009, when TMG 2010 was still on Beta 2, I wrote this post about a new TMG 2010 feature that lets you customize the error page a user gets when a deny rule is hit. Since then I have received many questions about how to customize that page itself. After testing it and doing it myself, I wrote a post for the TMG Team Blog that was reviewed by two developers from the TMG team in Haifa and one of our Escalation Engineers in France. The post explains how to make this customization; see the complete article at: http://blogs.technet.com/isablog/archive/2009/11/26/deny-page-customization-on-forefront-tmg-2010.aspx
I hope you enjoy it.
Last Friday Microsoft Press published an overview of the Forefront TMG 2010 Administrator’s Companion book, including a brief explanation of the table of contents and what we cover across the 33 chapters and 4 appendices. Read the complete post at http://blogs.msdn.com/microsoft_press/archive/2009/11/20/forefront-tmg-2010-administrator-s-companion-available-for-pre-order.aspx
What you have been waiting for so many months is finally ready and available for public download: Microsoft Forefront Threat Management Gateway 2010 is now RTM. I am particularly excited about this product because I have worked with this product line from Microsoft since Proxy 2.0 (back in 1997), and this time I had the chance to see TMG grow from the ground up.
My engagement with TMG started in February 2008, first with the MBE version and then with the 2010 version. Since then I have delivered several presentations about TMG (TechReady, TechEd and MS Community Day were the main ones), and there is one slide in particular from my TMG presentation that I like to pause on and discuss, because it answers a question many people will ask at some point:
Looking at the spectrum of features listed on this slide, you see not just a random set of features but how they fit together in an edge scenario. This reflects what TMG does to answer that question: it takes the edge to another level of integration and control. Recently, at TechEd EMEA 2009, David Cross (Product Unit Manager for TMG) was interviewed by David Tesar and highlighted some of those features. Watch the complete interview at
http://edge.technet.com/Media/Forefront-TMG-RTM-Overview-Interview/
TMG 2010 is not a dream anymore; it is a reality, and you will probably start playing with it soon. You will want resources to read up on it before you deploy. Here are some useful links:
TMG 2010 Deployment Guide
http://technet.microsoft.com/en-us/library/cc441445.aspx
TMG 2010 Operations Guide
http://technet.microsoft.com/en-us/library/cc441590.aspx
TMG 2010 Troubleshooting Guide
http://technet.microsoft.com/en-us/library/dd897100.aspx
Microsoft Press Book – Forefront TMG 2010 Administrator’s Companion
Written by Jim Harrison, Yuri Diogenes and Mohit Saxena
Technical Reviewed by Tom Shinder
Foreword by David Cross
Pre Order at Amazon.com.
1. Introduction
When you install ISA Server 2006, the Advanced Logging feature is installed by default, and it installs Microsoft SQL Server Desktop Engine (MSDE), shown below in Add or Remove Programs:
What if you want to uninstall this feature? Why would you? There are several reasons you might not want this service running: ISA is logging to text files, your database team does not want an unmanaged SQL instance running on a server, you want to get rid of a service that consumes memory for no reason since ISA is logging to text, and so on. The fact of the matter is that you want to remove it (or someone wants you to remove it and you have to comply). How do you do that the correct way?
Notes: before following the steps below, review your ISA logging configuration to make sure you are not logging to the MSDE/SQL database. Review KB838241 for more information. Also make sure that no other application (there shouldn’t be one by default) is using the local SQL Server Desktop Engine instance.
2. Performing the Operation
Here are the steps on how to do that:
1. Run the ISA Server 2006 Setup.
2. Choose the option to Install ISA Server 2006.
3. Click Next to Continue and then choose Modify as shown below:
4. Expand ISA Server and highlight Advanced Logging.
5. Click the arrow beside Advanced Logging and choose the option “This feature will not be available”, as shown below:
6. Click Next to continue and Install to proceed with this change.
7. After the setup completes click Finish.
Notes:
· This process “may” restart the Firewall Service (it did not in my repro lab, but I have had cases where it did), so schedule this procedure outside production hours.
· In the case of multiple servers in an array, repeat this operation on each array member from which you want to remove this feature.
3. Confirming
At this point you should no longer see Microsoft SQL Server Desktop Engine (Microsoft ISA Server 2006 instance) in Add or Remove Programs. The SQL Service Manager icon should also be gone from the taskbar. You can also review the setup log files located in %windir%\temp; there are two main logs where you can see that this feature was successfully removed:
ISAWRAP_XXX.log
20:08:08 INFO: Add/Remove entry was created
20:08:08 INFO: Attempting to uninstall MSDE
20:08:08 INFO: Removing MSDE package {E09B48B5-E141-427A-AB0C-D3605127224A} (C:\Program Files\Microsoft SQL Server\MSSQL$MSFW)
20:08:08 INFO: Activating Uninstall with cmdline='REBOOT=ReallySuppress'
20:08:08 INFO: Activating setup cmdline='C:\WINDOWS\system32\msiexec.exe /qn /x {E09B48B5-E141-427A-AB0C-D3605127224A} REBOOT=ReallySuppress /Lvoicewarmup C:\WINDOWS\TEMP\ISAMSDE_235.log LOGSESSIONNUM=235 FWUILOGFILE=C:\WINDOWS\TEMP\ISAFWUI_235.log '
20:10:01 INFO: Process completed successfully
20:10:01 INFO: Starting services.
20:10:25 INFO: Installation completed successfully
ISAMSDE_XXX.log
MSI (s) (1C:C4) [20:10:01:533]: Product: Microsoft SQL Server Desktop Engine -- Removal completed successfully.
MSI (s) (1C:C4) [20:10:01:543]: Cleaning up uninstalled install packages, if any exist
MSI (s) (1C:C4) [20:10:01:543]: Post-install cleanup: removing installer file 'C:\WINDOWS\Installer\88a24.msi'
MSI (s) (1C:C4) [20:10:01:543]: Post-install cleanup: removing installer file
If you later want to put this feature back, run Setup again, choose Modify and select Advanced Logging.
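The two log excerpts above are the evidence that the removal worked; on an array you have to repeat the check on every member. The following is an added example, not part of the original post, that reads the two setup logs and reports whether both agree the MSDE removal completed. The log text embedded in it is constructed from the lines quoted above; the file names, product code and install path come from that excerpt and are assumptions, not data from a real server.

```python
# Added example (not from the original post): check the two ISA Server 2006 setup
# logs (ISAWRAP_XXX.log and ISAMSDE_XXX.log) for the markers of a successful MSDE
# removal. The excerpts below are constructed from the lines quoted in the post;
# the product code and path are assumptions taken from that excerpt.
import re
from datetime import datetime

ISAWRAP_LOG = """\
20:08:08 INFO: Add/Remove entry was created
20:08:08 INFO: Attempting to uninstall MSDE
20:08:08 INFO: Removing MSDE package {E09B48B5-E141-427A-AB0C-D3605127224A} (C:\\Program Files\\Microsoft SQL Server\\MSSQL$MSFW)
20:08:08 INFO: Activating Uninstall with cmdline='REBOOT=ReallySuppress'
20:10:01 INFO: Process completed successfully
20:10:01 INFO: Starting services.
20:10:25 INFO: Installation completed successfully
"""

ISAMSDE_LOG = """\
MSI (s) (1C:C4) [20:10:01:533]: Product: Microsoft SQL Server Desktop Engine -- Removal completed successfully.
MSI (s) (1C:C4) [20:10:01:543]: Cleaning up uninstalled install packages, if any exist
"""

WRAP_LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\w+): (.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_wrapper(text):
    """Summarise ISAWRAP_XXX.log: which package was removed, whether the msiexec
    step and the overall setup succeeded, whether setup (re)started services,
    and how long the msiexec step took."""
    r = {"product_code": None, "uninstall_ok": False, "setup_ok": False,
         "services_started": False, "errors": [], "msiexec_seconds": None}
    started = finished = None
    for line in text.splitlines():
        m = WRAP_LINE.match(line)
        if not m:
            continue
        stamp, level, msg = m.groups()
        if level != "INFO":
            r["errors"].append(msg)                  # anything not INFO is suspicious
        elif msg.startswith("Removing MSDE package"):
            found = GUID_RE.search(msg)
            r["product_code"] = found.group(0).upper() if found else None
            started = stamp
        elif msg == "Process completed successfully" and started and not finished:
            r["uninstall_ok"], finished = True, stamp
        elif msg.startswith("Starting services"):
            r["services_started"] = True             # services were restarted by setup
        elif msg == "Installation completed successfully":
            r["setup_ok"] = True
    if started and finished:
        fmt = "%H:%M:%S"
        r["msiexec_seconds"] = (datetime.strptime(finished, fmt)
                                - datetime.strptime(started, fmt)).seconds
    return r


def msde_removed(msi_text):
    """True if ISAMSDE_XXX.log records the MSI removal of the MSDE product."""
    marker = "Microsoft SQL Server Desktop Engine -- Removal completed successfully"
    return any(marker in line for line in msi_text.splitlines())


def verify(wrap_text, msi_text):
    """Return (ok, summary): ok only when both logs agree the removal completed."""
    summary = parse_wrapper(wrap_text)
    ok = (summary["uninstall_ok"] and summary["setup_ok"]
          and not summary["errors"] and msde_removed(msi_text))
    return ok, summary


if __name__ == "__main__":
    ok, summary = verify(ISAWRAP_LOG, ISAMSDE_LOG)
    print("MSDE removed:", ok)
    for key, value in summary.items():
        print("  %s: %s" % (key, value))
```

On a real server read the two files from %windir%\temp and pass their contents to verify(); the services_started flag is the hint that setup restarted services, which is why the procedure belongs outside production hours.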
Introduction
I was recently working a case where a customer was trying to implement the approach explained by my friend Tom Shinder in his post “Clever Way to Redirect OWA Users Who Can’t Remember to Include /Exchange in the Path”, and it was not working. The approach Tom explains is valid and works, but there is a catch, and that is what I will explain in this post.
Problem
In this particular case the Exchange OWA publishing rule was working, but only when we typed the full path, https://mail.contoso.com/owa. The goal was to be able to type only https://mail.contoso.com and get to the OWA logon form. To do that, the deny rule with the redirect was created as described in Tom’s post “Clever Way to Redirect OWA Users Who Can’t Remember to Include /Exchange in the Path”, but after typing the short URL we got an endless attempt to access the page until it timed out.
Since the traffic from the outside was encrypted, we used HTTP Watch on the client to understand why this was happening. Here is the result:
Notice the long run of HTTP 302 redirects; this list goes on and on until the request times out. In other words, we have a loop.
Resolution
The catch that caused this loop is that the deny/redirect rule had one extra character in its path, as shown below: the path was /* rather than /.
The flowchart below explains why this loop was happening and why the asterisk (*) is the problem in this case:
With the asterisk, the path /* matches every request for the published host, including the redirected request for /owa, so the real OWA publishing rule never had a chance to be processed and the deny rule kept redirecting to itself. To resolve the problem we changed the path and removed the asterisk, leaving just /, which matches only the root of the site:
As you see, a simple detail that made a huge difference.
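To make the flowchart concrete, here is an added example (not from the original post, and not ISA code) that models an ordered rule set the way ISA/TMG evaluates it, first match wins, and follows the redirects the way the browser did. The path semantics are an assumption stated in the code: a path without an asterisk matches exactly that path, and a path ending in /* matches everything under that prefix. The host name, rule names and the publishing rule paths /owa and /owa/* are stand-ins chosen for the example.

```python
# Added example (not from the original post): a toy model of ordered ISA/TMG web
# publishing rules showing why a deny-and-redirect rule with path "/*" loops while
# the same rule with path "/" redirects exactly once. Assumed path semantics:
# no asterisk = exact match; "/prefix/*" or "/*" = everything under the prefix.
from urllib.parse import urlsplit

MAX_HOPS = 10                      # stop following redirects here and call it a loop


def path_matches(pattern, path):
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def first_match(rules, host, path):
    """Rules are evaluated top-down; the first one whose host and path match wins."""
    for rule in rules:
        if rule["host"] == host and any(path_matches(p, path) for p in rule["paths"]):
            return rule
    return {"name": "Default rule", "action": "deny"}


def browse(rules, url):
    """Follow redirects like a browser; return (outcome, list of URLs visited)."""
    hops = [url]
    for _ in range(MAX_HOPS):
        u = urlsplit(url)
        rule = first_match(rules, u.hostname, u.path or "/")
        if rule["action"] == "allow":
            return "allowed by " + rule["name"], hops
        if rule.get("redirect"):           # deny rule configured to redirect (HTTP 302)
            url = rule["redirect"]
            hops.append(url)
            continue
        return "denied by " + rule["name"], hops
    return "redirect loop", hops


def policy(redirect_rule_paths):
    """Deny-with-redirect rule placed above the OWA publishing rule, as in the post.
    Host, rule names and publishing paths are assumptions for the example."""
    return [
        {"name": "Redirect to /owa", "action": "deny", "host": "mail.contoso.com",
         "paths": redirect_rule_paths, "redirect": "https://mail.contoso.com/owa"},
        {"name": "OWA publishing", "action": "allow", "host": "mail.contoso.com",
         "paths": ["/owa", "/owa/*"]},
    ]


if __name__ == "__main__":
    for paths in (["/*"], ["/"]):
        outcome, hops = browse(policy(paths), "https://mail.contoso.com/")
        print("redirect rule path %-4s -> %s after %d request(s)" % (paths[0], outcome, len(hops)))
```

With /* the redirected request for /owa is caught by the same deny rule again, so the browser never reaches the publishing rule; with / only the bare root is redirected and the second request falls through to the OWA rule.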
Recently Tom Shinder published two very useful and well-explained (as usual) articles about TMG ISP Redundancy. This is a new TMG feature that ISA administrators have been asking for for years, and I am sure you will be very happy with the results. But before implementing it, read through the articles to understand how it works. Visit the links below for Tom’s articles:
http://www.isaserver.org/tutorials/Kicking-Tires-TMG-2010-RC-ISP-Redundancy-Part1.html
http://www.isaserver.org/tutorials/Kicking-Tires-TMG-2010-RC-ISP-Redundancy-Part2.html
1. Introduction
This post is about a specific condition that can trigger a 502 error while browsing some web sites through TMG 2010 RC. The error message the end user receives is similar to the one shown below:
The TMG log does not say much beyond what is shown below:
This scenario was interesting because it worked sometimes but failed most of the time. Looking closely at the data, I noticed that it worked when the request hit one specific server in the destination web farm and failed when it hit another.
2. Understanding the Behavior
Using Network Monitor it was possible to better understand why this happens:
1) The HTTP header when it works:
- Http: Response, HTTP/1.1, Status Code = 200, URL: /
ProtocolVersion: HTTP/1.1
StatusCode: 200, Ok
Reason: OK
Date: Tue, 13 Oct 2009 15:57:06 GMT
Server: WEBSRV
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="SRV"
Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.fabrikam.com%2F; path=/; domain=.fabrikam.com
Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.fabrikam.com%2F; path=/; domain=.fabrikam.com
Set-Cookie: test_cookie=1; path=/; domain=.fabrikam.com
Set-Cookie: lsd=zCI0G; path=/; domain=.fabrikam.com
Connection: close
TransferEncoding: chunked
+ ContentType: text/html; charset=utf-8
ContentEncoding: gzip
HeaderEnd: CRLF
+ chunkSize: 10
- ChunkPayload: HttpContentType = text/html; charset=utf-8
HtmlElement: ヒ
FooterEnd: CRLF
+ chunkSize: 8192
We can see that the HTTP response says the content that follows is chunked (Transfer-Encoding: chunked), and after that response the destination server sends the remaining HTTP chunks:
WEBSRV TMG HTTP HTTP:HTTP Payload, URL: /
2) The HTTP header when it doesn’t work:
P3P: CP="WEBSRV2"
Set-Cookie: lsd=PQ6kd; path=/; domain=.fabrikam.com
X-Cnection: close
Date: Tue, 13 Oct 2009 15:38:13 GMT
ContentLength: 9970
+ payload: HttpContentType = text/html; charset=utf-8
Notice that the failing server does not say the content is chunked (it sends a Content-Length instead), yet it still sends more chunks after that:
WEBSRV2 TMG HTTP HTTP:HTTP Payload, URL: /
Chunked transfer encoding is a mechanism that allows an HTTP message body to be sent in several pieces, and the first server is using it correctly while the second is not. According to RFC 2616, a server that sends a chunked body must set the Transfer-Encoding header to "chunked"; the receiver relies on that header (or, failing that, on Content-Length) to know where the message ends. To compress the content, TMG has to accumulate all the chunks and only then compress. When it works, TMG knows from the response header that all that content belongs to the same HTTP response, so it waits for the entire body, compresses it and sends it back to the client. On the failing server the first answer does not say the content is chunked, and right after it more chunks arrive; because HTTP compression is enabled and TMG has no way to tell that those extra bytes belong to the same response, it cannot reassemble the content, and the client gets the 502.
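To see the framing rule at work, here is an added example (not from the original post and not TMG code) that delimits two constructed responses the way any proxy must, by what the headers advertise: Transfer-Encoding: chunked first, then Content-Length, then read-until-close (RFC 2616 section 4.4). The well-behaved response is a chunked body; the failing one is our model of the second capture, a Content-Length that covers only the first piece followed by further chunks on the same connection. Plain text stands in for the gzip payloads, and the server names WEBSRV and WEBSRV2 are the page’s stand-ins.

```python
# Added example (not from the original post): delimit HTTP/1.1 responses by the
# framing the headers promise, and show what is left over when a server sends
# more than its Content-Length. Sample traffic is constructed inline.

def chunked(parts):
    """Encode byte strings as HTTP chunks, ending with the zero-size chunk."""
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"


def decode_chunked(data):
    """Return (body, leftover) from a chunked body; leftover follows the last chunk."""
    body, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)     # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            while True:                                  # optional trailers end with an empty line
                eol = data.index(b"\r\n", pos)
                line, pos = data[pos:eol], eol + 2
                if not line:
                    return body, data[pos:]
        body += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def parse_headers(head):
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers


def framing(headers):
    """Which body delimiter the response header block promises."""
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return "chunked"
    if "content-length" in headers:
        return "content-length"
    return "close"


def frame_response(raw):
    """Split raw server bytes into (status, headers, body, leftover). leftover is
    everything after the message as the headers define it; a proxy that has already
    delimited the body has no way to attach those bytes to it."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    status, headers = parse_headers(head)
    mode = framing(headers)
    if mode == "chunked":
        body, leftover = decode_chunked(rest)
    elif mode == "content-length":
        n = int(headers["content-length"])
        if len(rest) < n:
            raise ValueError("short read: Content-Length %d, got %d bytes" % (n, len(rest)))
        body, leftover = rest[:n], rest[n:]
    else:
        body, leftover = rest, b""                       # Connection: close, read to EOF
    return status, headers, body, leftover


# Constructed sample traffic (plain text in place of the gzip payloads in the capture).
PARTS = [b"<html><body>", b"hello from ", b"fabrikam</body></html>"]
FULL = b"".join(PARTS)

GOOD = (b"HTTP/1.1 200 OK\r\nServer: WEBSRV\r\nConnection: close\r\n"
        b"Transfer-Encoding: chunked\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
        + chunked(PARTS))

# Failing server as modelled here: Content-Length covers only the first piece, and the
# remaining pieces are still sent as chunks afterwards on the same connection.
BAD = (b"HTTP/1.1 200 OK\r\nServer: WEBSRV2\r\nX-Cnection: close\r\n"
       b"Content-Length: %d\r\nContent-Type: text/html; charset=utf-8\r\n\r\n" % len(PARTS[0])
       + PARTS[0] + chunked(PARTS[1:]))

if __name__ == "__main__":
    for name, raw in (("WEBSRV", GOOD), ("WEBSRV2", BAD)):
        status, headers, body, leftover = frame_response(raw)
        print("%-8s framing=%-14s body=%d bytes  leftover=%d bytes"
              % (name, framing(headers), len(body), len(leftover)))
```

For WEBSRV the body comes out whole and nothing is left over, so a compressing proxy can buffer it and go on. For WEBSRV2 the parser stops at the declared Content-Length and the extra chunks are left on the connection as bytes that do not begin a new HTTP message, which is the state in which the proxy can only give up.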
3. What can I do to fix it?
The best and most correct thing to do is to contact the administrator of the destination web server and report the problem; they should fix it, since TMG is behaving correctly. If you need a workaround, disabling the HTTP Compression Filter will do it, but keep in mind that this is a web filter that applies to all web traffic through the array, so you lose compression for every site, not just the broken one.