Although the VPN template screen (see figure below) doesn’t seem to have anything new in this area, the new TMG Data Packager introduces new logs that can assist you when troubleshooting VPN site-to-site issues.
The Oakley log file that TMG Data Packager creates contains the IKEEXT.ETL (IKE tracing) file and the WFP.TMF file (the format file used to parse the ETL). In order to parse the trace you will need to download the tools TRACEFMT.exe and TRACEPRT.dll from the Windows XP SP2 Support Tools. After installing those tools, extract the content of the TMG CAB file to a folder and run the command below to parse it:
C:\Program Files\Support Tools>tracefmt.exe Y:\temp\VPN\TmgPackage\IkeExt\ikeext.etl -tmf Y:\temp\VPN\TmgPackage\IkeExt\wfp.tmf -o Y:\temp\IKEOutput.txt
Setting log file to: Y:\temp\VPN\TmgPackage\IkeExt\ikeext.etl
Getting guids from Y:\temp\VPN\TmgPackage\IkeExt\wfp.tmf
Event traces dumped to Y:\temp\VPN\TmgPackage\IkeExt\IKEOutput.txt
Event Summary dumped to Y:\temp\VPN\TmgPackage\IkeExt\IKEOutput.txt.sum
Exit Status: 38
After converting it you can read the IKEOutput.txt file, where you will find the log in the following format:
The packet is received and processed according to the IPsec parameters, which must match on both endpoints:
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 0|192.168.0.10|Received packet
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 0|192.168.0.10|Local Address: 192.168.0.7.500 Protocol 0
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 0|192.168.0.10|Peer Address: 192.168.0.10.500 Protocol 0
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|iCookie 98b22fe79d9d675f rCookie 1610c0b30c6bbe60
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|Exchange type: IKE Quick Mode Length 300 NextPayload HASH Flags 1 Messid 0x3d6edc77
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|mmSa: 0x000000000265B9F0
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|Create QMSA: qmSA 000000000265ED60 messId 3d6edc77
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|Processing QM. MM 000000000265B9F0 QM 000000000265ED60
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|Process Payload HASH, SA 000000000265B9F0 QM 000000000265ED60
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|Process Payload ID, SA 000000000265B9F0 QM 000000000265ED60
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|Process Payload SA, SA 000000000265B9F0 QM 000000000265ED60
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|QM propNum 1, transformNum 0, peerSpi 3151228040
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|QM transNum 1
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|PROTO: ESP Algo 3
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|IPSEC_LIFE_TYPE: 1
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|IPSEC_LIFE_DUR: 3600
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|IPSEC_ENCAPSULATION_MODE: 1
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|IPSEC_HMAC_ALG: 2
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|IPSEC_GROUP_DESC: 2
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|IsRecvPolicyTunnelPolicy: TRUE
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|Looking up QM policy for IKE
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|QM localAddr : 10.10.10.0.0 Mask 255.255.255.0 Protocol 0
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|QM peerAddr : 10.40.40.0.0 Mask 255.255.255.0 Protocol 0
Policy identification and verification
[0]00F8.0B50::01/01/1601-05:01:53.387 [ikeext] 1|192.168.0.10|Policy
    GUID: {a167bf6c-78ff-4b3d-b619-1ea03d29664a}
    LUID: 0x8000000000000003
    Name: ISA VPN S2S tunnel to network STSTMG
    Description: (null)
    Flags: 0x00000000
    Provider: <unspecified>
    Provider data:
Verification of the Quick Mode parameters
    Type: IKE Quick Mode Tunnel
    Proposals: 1
    -- 0 --
        Lifetime:
            Seconds: 3600
            Kilobytes: 100000
            Packets: 2147483647
        PFS group: 2
        SA transforms: 1
            Type: ESP-Auth & Cipher
            Auth transform:
                Type: SHA1
                Config: HMAC-SHA1-96
                Crypto module: <unspecified>
            Cipher transform:
                Type: 3DES
                Config: CBC-3DES
        Flags: 0x00000080
            Dont negotiate 'byte' lifetime
    Local tunnelEndpoint: 192.168.0.7
    Remote tunnelEndpoint: 192.168.0.10
    Normal idle timeout (seconds): 300
    Idle timeout in case of failover (seconds): 60
... (log continues)
The log can be pretty extensive, and it is very important to know what you are looking for (which error you are chasing), mainly when the scenario involves a TMG site-to-site VPN with third-party vendors. Sometimes the IPsec parameters don’t match, and this is the most common cause of failures during the IPsec negotiation. This logging can be pretty handy in those scenarios, since it gives verbose information about what is happening behind the scenes.
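To make that mismatch check concrete, here is an added Python example (not part of the original post and not a TMG or Data Packager tool) that parses the received-proposal lines and the local policy dump from a tracefmt-converted ikeext trace and reports the Quick Mode parameters that differ between the peer’s proposal and the local policy. The sample text is constructed from the format shown above; the tables that turn the numeric codes ikeext logs (ESP Algo, IPSEC_HMAC_ALG, IPSEC_ENCAPSULATION_MODE, IPSEC_LIFE_TYPE) into names use the IPsec DOI code points from RFC 2407, and treating the logged numbers as those code points is an assumption, as is the second, deliberately mismatched proposal.

```python
"""Added example: compare the IPsec Quick Mode proposal a peer sent (as logged
by ikeext) against the local Quick Mode policy that tracefmt dumped from the
same ikeext.etl.  Sample inputs are constructed; the code-point tables are the
IPsec DOI values from RFC 2407 (assumed to be what ikeext logs as raw numbers)."""
import re

# One ikeext trace line as rendered by tracefmt:
#   [cpu]pid.tid::timestamp [ikeext] level|peer-address|message
TRACE_LINE = re.compile(
    r"^\[\d+\][0-9A-Fa-f]+\.[0-9A-Fa-f]+::\S+ \[ikeext\] \d+\|(?P<peer>[\d.]+)\|(?P<msg>.*)$"
)

# RFC 2407 IPsec DOI code points (assumption: ikeext logs these raw values).
ESP_TRANSFORM = {2: "DES", 3: "3DES", 11: "NULL", 12: "AES"}
HMAC_ALG = {1: "MD5", 2: "SHA1"}
ENCAP_MODE = {1: "Tunnel", 2: "Transport"}
LIFE_TYPE = {1: "seconds", 2: "kilobytes"}

# Parameters compared between the peer proposal and the local policy.
COMPARED = ("cipher", "auth", "mode", "pfs_group", "lifetime_seconds")

# Constructed sample: the proposal lines from the trace shown in the post.
PEER_PROPOSAL_LOG = """\
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|Exchange type: IKE Quick Mode Length 300 NextPayload HASH Flags 1 Messid 0x3d6edc77
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|PROTO: ESP Algo 3
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|IPSEC_LIFE_TYPE: 1
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|IPSEC_LIFE_DUR: 3600
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|IPSEC_ENCAPSULATION_MODE: 1
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|IPSEC_HMAC_ALG: 2
[0]00F8.0B50::01/01/1601-05:01:53.375 [ikeext] 1|192.168.0.10|IPSEC_GROUP_DESC: 2
"""

# Constructed sample: a peer that proposes DH group 5 and an 8-hour lifetime.
MISMATCHED_PEER_LOG = PEER_PROPOSAL_LOG.replace(
    "IPSEC_GROUP_DESC: 2", "IPSEC_GROUP_DESC: 5").replace(
    "IPSEC_LIFE_DUR: 3600", "IPSEC_LIFE_DUR: 28800")

# Constructed sample: the local 'Policy' block as tracefmt dumps it.
LOCAL_POLICY_DUMP = """\
Type: IKE Quick Mode Tunnel
Proposals: 1
-- 0 --
Lifetime:
Seconds: 3600
Kilobytes: 100000
PFS group: 2
SA transforms: 1
Type: ESP-Auth & Cipher
Auth transform:
Type: SHA1
Config: HMAC-SHA1-96
Crypto module: <unspecified>
Cipher transform:
Type: 3DES
Config: CBC-3DES
"""


def parse_peer_proposal(trace_text):
    """Extract the Quick Mode proposal the peer sent from ikeext trace lines."""
    proposal, life_type = {}, None
    for line in trace_text.splitlines():
        m = TRACE_LINE.match(line)
        if not m:
            continue  # not an ikeext line; ignore
        proposal.setdefault("peer", m.group("peer"))
        msg = m.group("msg")
        if msg.startswith("PROTO: ESP Algo "):
            code = int(msg.rsplit(" ", 1)[1])
            proposal["cipher"] = ESP_TRANSFORM.get(code, "ESP#%d" % code)
        elif msg.startswith("IPSEC_LIFE_TYPE: "):
            life_type = LIFE_TYPE.get(int(msg.split(": ")[1]))
        elif msg.startswith("IPSEC_LIFE_DUR: "):
            # The duration's unit is given by the preceding IPSEC_LIFE_TYPE line.
            proposal["lifetime_" + (life_type or "unknown")] = int(msg.split(": ")[1])
        elif msg.startswith("IPSEC_ENCAPSULATION_MODE: "):
            proposal["mode"] = ENCAP_MODE.get(int(msg.split(": ")[1]))
        elif msg.startswith("IPSEC_HMAC_ALG: "):
            proposal["auth"] = HMAC_ALG.get(int(msg.split(": ")[1]))
        elif msg.startswith("IPSEC_GROUP_DESC: "):
            proposal["pfs_group"] = int(msg.split(": ")[1])
    return proposal


def parse_local_policy(policy_text):
    """Extract the same parameters from the local 'Policy' block."""
    policy, section = {}, None  # section = last header such as 'Auth transform'
    for raw in policy_text.splitlines():
        line = raw.strip()
        if line.endswith(":"):
            section = line[:-1]
            continue
        if ": " not in line:
            continue  # e.g. '-- 0 --' or blank
        key, value = line.split(": ", 1)
        if key == "Type" and value.startswith("IKE Quick Mode"):
            policy["mode"] = "Tunnel" if "Tunnel" in value else "Transport"
        elif key == "Type" and section == "Auth transform":
            policy["auth"] = value
        elif key == "Type" and section == "Cipher transform":
            policy["cipher"] = value
        elif key == "Seconds" and section == "Lifetime":
            policy["lifetime_seconds"] = int(value)
        elif key == "PFS group":
            policy["pfs_group"] = int(value)
    return policy


def find_mismatches(trace_text, policy_text):
    """Return [(parameter, peer_value, local_value)] for every parameter that differs."""
    peer, local = parse_peer_proposal(trace_text), parse_local_policy(policy_text)
    return [(k, peer.get(k), local.get(k)) for k in COMPARED if peer.get(k) != local.get(k)]


if __name__ == "__main__":
    for label, log in (("matching peer", PEER_PROPOSAL_LOG), ("mismatched peer", MISMATCHED_PEER_LOG)):
        diffs = find_mismatches(log, LOCAL_POLICY_DUMP)
        print(label, "->", "OK, proposal matches local policy" if not diffs else diffs)
```

Run it against the IKEOutput.txt produced by tracefmt by feeding the received-proposal lines to parse_peer_proposal and the text between "Policy" and "Local tunnelEndpoint" to parse_local_policy; a non-empty result names the parameter to fix on one of the two endpoints before digging any further into the trace.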
Just want to drop a quick note about a new hotfix package that we just released for ISA Server 2006; for more information go to http://support.microsoft.com/kb/980067
Consider a scenario where you have a client workstation behind Forefront TMG 2010 and you are trying to download files from an FTP server. You are able to log on to the FTP server successfully, but after typing the command “dir” you get the error message below:
The message is pretty clear about what is going on, isn’t it? Well, it is, but where do I enable this option? I don’t remember having this on ISA!! To address this issue you just need to enable a new option that we have on TMG; this option is located in the FTP Filter properties, as shown below:
After enabling this option and applying the changes you should be able to list your files just fine. It is important to mention that this setting has nothing to do with the FTP Read Only option that you had in ISA 2004/2006 and still have on TMG. The FTP Filter, when running in read-only mode (see figure below), blocks all commands on the control channel except the following:
“ABOR, ACCT, CDUP, CWD /0, FEAT, HELP, LANG, LIST, MODE, NLST, NOOP, PASS, PASV, PORT, PWD /0, QUIT, REIN, REST, RETR, SITE, STRU, SYST, TYPE, USER, XDUP, XCWD, XPWD, SMNT”
You can customize this list by using the sample script below (from the Configuring Add-ins MSDN article); in this example the script configures the FTP Access Filter to allow only the USER and PASS commands:
Note: don’t change the default Read Only commands unless you have a real business need for that.
Many times we hear consultants, firewall administrators and others asking how to use TMG as a Secure Web Gateway, which is quite a fair question. But sometimes we also hear things like: where do I enable the Secure Web Gateway feature on Forefront TMG 2010? Although this is also a valid question, it shows that whoever is asking it possibly doesn’t know that Secure Web Gateway is not a feature; it is a combination of many features implemented as a single solution. Clearing up this confusion is critical to really understanding TMG’s value proposition in this area and how TMG fits into a SWG scenario. In order to close this gap that we see in the market, we (the MS Press TMG book authors) wrote an article for TechNet Magazine (March 2010 issue) that technically explains how to use Forefront TMG as a Secure Web Gateway; read more at: http://technet.microsoft.com/en-us/magazine/ff472472.aspx
A special thanks to Eric Detoc (Microsoft France) and Thomas Detzner (Microsoft Germany) for reviewing this article.
Just dropping a quick note about some updates at Tales from the Edge:
Enjoy !!
1. Introduction
TMG Data Packager is part of the new TMG BPA that is already available for download, and in this new release the Data Packager has some additions to cover new features of the product. What? You don’t know what the Data Packager does? Ok, so review the articles below before continuing to read this post:
Using ISABPA for Proactive and Reactive Work with ISA Server – Part 1 of 2
Using ISABPA for Proactive and Reactive Work with ISA Server – Part 2 of 2
2. New Additions
When you select a template, such as Web Proxy and Web Publishing, and click Next, you will notice that the new interface shows a comprehensive checklist of the options selected by this template, as shown below:
When you click Modify Options you will see the new additions, highlighted below:
The new options are:
· Collect GAPA Activity Logs: this option collects the files GapaActivityFirewall.etl, GapaActivityWebProxy.etl and GapaSigStub.log. Those files can help in troubleshooting NIS issues.
· Collect Update Center Logs: this option collects the files ISA_UpdateAgent.log, WindowsUpdate.log and MpSigStub.log. Those files can be used to troubleshoot issues related to Update Center, such as NIS or Malware Inspection updates.
· Collect Netstat Output: this option collects the netstat result and saves it to a file called NetStatOutput.txt. This file can be used in many scenarios, and here is an example of one.
3. Do I need more than that?
Usually the TMG Data Packager is enough for most scenarios; however, with the addition of new features in TMG there are some cases where you might need to collect more data in order to move forward in your analysis. One additional log that you can enable to troubleshoot some types of URL Filtering issues (such as updates from MRS) and Update Center in general is the WinHTTP trace. To enable this trace you can use the following command line:
netsh winhttp set tracing trace-file-prefix="C:\Temp\wlog" level=verbose format=ansi state=enabled max-trace-file-size=1073741824
After enabling this trace, restart the Firewall service, reproduce the problem, and disable the trace by using the command below:
netsh winhttp set tracing trace-file-prefix="C:\Temp\wlog" level=verbose format=ansi state=disabled max-trace-file-size=1073741824
Note: to run this command you need to open CMD with elevated privileges.
Another useful trace is WSTrace, which is available after downloading and installing the Windows SDK. WSTrace can be enabled by opening the Windows SDK Command Shell (under All Programs\Microsoft Windows SDK v7.0\CMD Shell) as an elevated prompt and running the commands below:
wstrace.bat create verbose
wstrace.bat on
wstrace.bat dump > C:\Temp\wwstraces.csv
After reproducing the problem, switch back to the Windows SDK Command Shell and type the commands below:
Press CTRL+C and press ENTER until the batch file terminates
wstrace.bat off
wstrace.bat delete
4. Conclusion
While troubleshooting TMG issues, keep your focus on the problem that you are trying to fix. Although it is good to have a variety of logs at hand to analyze, don’t use them all unless you really need to. Keep things simple: troubleshooting should start from the most obvious things and move on to the deeper analysis, never the opposite.
I’ve been so busy lately that I couldn’t really stop to write some posts that I have on hold, waiting for me to complete them. Tom Shinder and I are also very busy working on a tight schedule for a new MS Press book (details will be revealed soon), and writing here is getting very challenging, but I will come back soon. That being said, today I would like to highlight some of my friends’ posts in the Edge (ISA/TMG/IAG/UAG) community; here are some good new posts:
Richard Hicks explains in more detail how TMG Enterprise Arrays work and how to manage them:
http://www.isaserver.org/tutorials/TMG-Enterprise-Arrays-Explained.html
Jason Jones explains how to generate a certificate to be used in TMG HTTPS Inspection. Although this one is not new (it was published in January), it’s very good:
http://blog.msedge.org.uk/2010/01/generating-tmg-https-inspection.html
Deb Shinder goes over the E-Mail Protection configuration on TMG in this series of very good articles:
http://www.isaserver.org/tutorials/Installing-Configuring-Email-Hygiene-Solution-TMG-2010-Firewall-Part1.html
http://www.isaserver.org/tutorials/Installing-Configuring-Email-Hygiene-Solution-TMG-2010-Firewall-Part2.html
http://www.isaserver.org/tutorials/Installing-Configuring-Email-Hygiene-Solution-TMG-2010-Firewall-Part3.html
I don’t know if you noticed, but the TMG Best Practices Analyzer is already out there, and Marc Grote goes over the core features of the new TMG BPA:
http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Best-Practice-Analyzer.html
Last but not least, did you know that Microsoft released a hotfix update package for Forefront TMG 2010 last January? Yep, it did; review http://support.microsoft.com/kb/979578 for more information, and notice that this package contains 3 updates:
I would like to say a special thanks to Miha Pihler for discovering and bringing to our attention the bug that was fixed in 979250.