Forefront TMG (ISA Server) Product Team Blog

Compiling Forefront TMG 2010 SDK Samples

isablog — Mon, 08 Feb 2010 15:38:19 GMT

The Software Development Kit (SDK) for Forefront Threat Management Gateway (TMG) 2010 is available for download from the Microsoft download center here.

We have received a number of questions about issues compiling the SDK samples and wanted to share a few tips with you.

Preparing Your Environment

When compiling the SDK with Visual Studio 2008/2005, the MIDL compiler may fail with the following error:
midl : error MIDL2379 : the compiler reached a limit for a format string representation. See documentation for advice.

To solve this issue, do the following:

a. Verify that Visual Studio 2005/2008 SP1 is installed (you can download VS 2005 SP1 from here and VS 2008 SP1 from here ).

b. Install the updated Windows 7 SDK, which contains a newer version of the MIDL compiler, using the instructions provided in http://blogs.msdn.com/windowssdk/archive/2009/08/07/using-the-win-7-sdk-build-environment-with-vs-2008.aspx

To build the samples for a 64 bit environment, do the following:

1. Make sure you’ve implemented the steps above. Failing to complete these steps will result in a MIDL compiler error on a 64 bit platform.

2. Start Visual Studio 2008.

3. Open the requested sample solution.

4. Complete the conversion wizard (to convert a Visual Studio 6.0 solution to a Visual Studio 2005/2008 solution).

5. By default, the solution targets a 32 bit environment. For Forefront TMG to work with this project you will need to change the target platform to 64 bit. Please follow these steps:

Open the Visual Studio Configuration Manager by selecting Build->Configuration Manager.
Under “Active solution platform” select the “New…” option. A dialog box will open:
Select the new platform as x64. Verify that the other settings (‘Copy settings from’ and ‘Create new project platforms’) are selected the same as in the image above. Click OK, and close the Configuration Manager dialog box.
The solution now has the new x64 platform settings in place.
Save the solution to finalize this step.
Select Project -> Properties from the menu. In the dialog box, expand Configuration Properties, expand Linker and then select General. Make sure the output file settings are .\x64\Debug/WebResponseModifier.dll
Select Advanced. Make sure the Target Machine settings are set to Machine X64 (/Machine: X64)
Select Command Line. Make sure the Additional Option box is empty and does not include any directive (if you find the ‘/MACHINE:I386’ directive there – remove it).
Press OK to finalize changes.

6. You can now build the solution for the x64 bit platform.

Sample specific information

1. Web filters

WebExeBlock – When building the sample you may receive the following warning:
WebExeBlockFilterImpl.cpp
.\WebExeBlockFilterImpl.cpp(548) : warning C4068: unknown pragma
You may ignore the warning as it does not influence the code generation and the final outcome.
WebResponseModifier – when building the sample you may receive the following link error (for both debug and release configurations):
1>.\Debug\main.obj : fatal error LNK1112: module machine type 'x64' conflicts with target machine type 'X86'
This error happens due to conflicting linker directives. To solve this issue, right-click on the project and select Properties. Under Configuration Properties->Linker->Command Line you will find under Additional options the ‘/MACHINE:I386’ directive. This confuses the compiler because the directive appears twice – once with X64 and once with the I386 option.

Remove the ‘/MACHINE:I386’ directive, press OK and compile the project again.
Note: you must do it twice – once for each build configuration (debug or release)

2. Application filters

DataMonitor –
i. When converting the project to Visual Studio 2008 you will get an error in the conversion process. You may ignore it and remove the redundant project (see image below):

ii. When building the sample you may receive the following compiler error:

c:\program files (x86)\microsoft forefront tmg tools\sdk\samples\appfilters\datamonitor\admin\stdafx.h(42) : fatal error C1083: Cannot open include file: 'wspfwext.h': No such file or directory

To fix this issue, right-click on the “DataMonitorAdmin” project and select the Dependencies option. Make sure that the DataMonitor checkbox is checked:

Clean and rebuild the solution again.

iii. When building the sample you may receive the following compiler errors:

1>Performing Custom Build Step
1>mc : error : 0x2 trying to open file <EventMsgs>.
1>Project : error PRJ0019: A tool returned an error code from "Performing Custom Build Step"

This error (in both debug and release configurations) happens due to a missing file extension in a custom build process. To solve this issue, right-click on the file EventMsgs.mc and select the Properties option. The dialog box (shown below) will appear.

Under Custom Build Step, select Command Line and add the extension ‘.mc’, so it will show the following text: mc $(InputName).mc
Click OK to close the dialog box and then right-click on the project and select Properties. Under Configuration Properties->Build Events->Post-Build Event, remove the regsvr32 command.

Press OK and Compile the project.

Author:
Noam Ilovich, Program Manager

Reviewers:
Ori Yosefi, Senior Program Manager
Meir Feinberg, Technical Writer

Forefront TMG 2010 Email Protection Updates

isablog — Thu, 04 Feb 2010 12:19:00 GMT

First I would like to start this post by emphasizing a recently article that was published at Tales from the Edge, that explains how to configure Exchange Sync with Forefront TMG 2010, here it is the link for it: http://technet.microsoft.com/en-us/library/ee513174.aspx. Also I want to remind you about the supported scenarios with Forefront TMG 2010 and Exchange 2007 Edge role, mainly the support matrix below:

From: http://blogs.technet.com/isablog/archive/2009/11/10/email-protection-in-forefront-tmg-2010-release-candidate.aspx

The * on this table says:

Recently a blog post was published by the Exchange team saying that they reconsidered and are planning to support Windows Server 2008 (SP2). To read more about it please follow this link: http://msexchangeteam.com/archive/2009/11/04/453026.aspx

There is a newer update on that, which is the one below:

“…we will be adding support for Exchange 2007 on the Windows Server 2008 R2 platform. While we had hoped to add this application/operating system combination quickly, unfortunately adding this support requires code changes to setup in Exchange 2007. Therefore, our vehicle for adding this support will be via a third Service Pack for Exchange 2007 in the second half of calendar year 2010.”

From: http://msexchangeteam.com/archive/2009/11/30/453327.aspx

In other words: If you want to deploy Exchange 2007 Edge role on Forefront TMG 2010 you will need to:

Windows Server 2008 SP2
Exchange 2007 SP2

If you already installed Forefront TMG 2010 on Windows Server 2008 R2 and want to install Exchange Edge role to enable EMail Protection feature your current supported options are:

Install Exchange 2010 Edge Role
Wait for Exchange 2007 SP3 to come out so you can install Exchange 2007 Edge Role on Windows Server 2008 R2

Author

Yuri Diogenes

Sr Security Support Escalation Engineer

Microsoft CSS Forefront Edge Team

Technical Review

Noam Ilovich

Program Manager

Microsoft Forefront Edge Team

Forefront TMG 2010 Web Protection Services Licensing

isablog — Tue, 02 Feb 2010 15:14:00 GMT

Introduction

Forefront TMG 2010 adds two new subscription-based features, known collectively as Forefront TMG Web Protection Services (WPS). These features include URL Filtering (URLF) and Anti-Malware or Enhanced Malware Protection (AM or EMP). One thing that makes these features unique within Forefront TMG is that they are licensed separately from Forefront TMG itself. This blog will discuss the various licensing and purchasing options available for URLF and EMP subscriptions and guide you through managing the license details in Forefront TMG management.

WPS Purchasing and Pricing

The first thing most people want to know is “How do I get a Forefront TMG WPS license and how much does it cost?”

Forefront TMG WPS is subscription product licensed per user or per device. This subscription is only offered through Microsoft Volume Licensing programs, and must be purchased separately from Forefront TMG 2010. Forefront TMG WPS is included in Forefront Protection Suite and ECAL. You can find information on purchasing Forefront TMG WPS through Microsoft or a Microsoft partner at http://www.microsoft.com/forefront/threat-management-gateway/en/us/purchase.aspx.

The Forefront TMG WPS pricing structure is outlined in http://www.microsoft.com/forefront/threat-management-gateway/en/us/pricing-licensing.aspx.

Verifying the Evaluation License

You may want to take advantage of Forefront TMG WPS while you wait for your license to arrive; or perhaps you want to give WPS a test drive before you decide whether you want to purchase a license. Regardless, TMG provides a free 120-day trial subscription that goes into effect as soon as you deploy Forefront TMG 2010.

Using the Getting Started Wizard (GSW)

The Getting Started Wizard (GSW) provides one way to configure these options. During this process, you can choose to enable HTTPS Inspection, URLF and EMP as well as whether to use the evaluation license (selected by default). The following steps show you where you make these choices in the GSW.

Note: if the TMG computer is a member of an array, the GSW is not available. In this case, you must use the Without the GSW steps

Immediately after FOREFRONT TMG Installation

When the installation wizard completes successfully, you are offered the option to launch the Forefront TMG management console. Select Launch Forefront TMG Management when this wizard closes and click Finish as shown below:

Figure 1 - GSW TMG management startup

1. When the Forefront TMG management console opens, the GSW appears. Proceed through the Configure Network Settings and Configure System Settings wizards

2. When the Configure System Settings wizard completes, click on Define Deployment Options as shown below:

Figure 2 - GSW deployment options

3. In the Welcome to the Deployment Wizard page, click Next

4. In the Microsoft Update Setup page, select Use the Microsoft Update service to check for updates (recommended) and click Next

5. In the Forefront TMG Protection Features Settings page Web protection area, make the following selections as shown below and click Next:

Figure 3 - GSW Web protection license

Note: as shown above, Forefront TMG automatically enables the evaluation license and sets the expiration data for 120 days from the installation date, regardless whether you enabled Forefront TMG WSP. If you already have your Forefront TMG WPS subscription license, you should change the license options using your license key and expiration date according to your license specifics as shown below:

Figure 4 - Entering the license in GSW

6. Continue through the remaining Deployment Options Wizard pages using options appropriate to your environment

After Running The GSW

If the GSW has already been run, but Forefront TMG is not yet joined to an array, you can still use the GSW to perform these tasks.

1. Open the Forefront TMG management console

2. In the left pane, select <ArrayName>

3. In the right pane, click Launch Getting Started Wizard

4. When the Getting started Wizard appears, click on Define Deployment Options as shown below:

Figure 5 - Re-running the GSW

5. Continue with step (4) in Immediately After TMG Installation

Without the GSW

If you joined Forefront TMG to an array, the GSW isn’t available to configure Forefront TMG WSP licensing. In this case, you need to accomplish this task in a different way.

Note: because the same license information applies equally to URLF and EMP, this task only needs to be performed once; not once for each feature.

1. Open the Forefront TMG management console

2. In the left pane,

3. Expand

a. (Enterprise Edition) Arrays, then <ArrayName>

b. (Standard Edition) <ArrayName>

4. Select Web Access Policy

5. In the right pane, click Configure Malware Inspection

6. In the Malware Inspection page, click License Details.

7. In the License Details page, you will see that the license is “Evaluation” as shown below:

Figure 6 - License details in Malware Inspection controls

8. If you want to activate your license, enter the license number and expiration date in the fields provided as shown below:

Figure 7 - Entering license details in MI control

9. Click Apply, then OK

All done

In the center pane, click Apply to enforce your new policy. When prompted, enter a description for this change (hey - the URL for this blog could work) and click OK

Monitoring License State

Something the Forefront TMG product team foresaw is the need for the Forefront TMG administrator to get advance warning that the Forefront TMG WPS license is nearing expiration or that it has already expired. Thus, they created two new alerts specific to this feature set as shown below:

Figure 8 - License alerts

· License Expired this error alert is triggered when the Forefront TMG WPS license expiration date has passed. At this point, Forefront TMG is no longer receiving EMP updates nor is it issuing MRS queries.

· License Nearing Expiration this warning alert is triggered when the current date is within two weeks of the expiration date. Forefront TMG continues to obtain EMP updates and issue MRS queries until the license actually expires.

These two alerts are enabled by default and both are configured to write an event to the Windows Application event log when they are triggered. This makes it possible for any standard server monitoring system to be monitor for these alerts and thus make you aware when you need to take action regarding your license.

If your license has expired, and you attempt to initiate an update cycle from the Update Center in Forefront TMG management, this action will result in the warning message shown below:

Figure 9 - Update Center license expired warning

If you click Yes, Forefront TMG will attempt to perform an update cycle for NIS signatures only.

Summary

By default, Forefront TMG provides and enables an evaluation license for Forefront TMG WPS that expires 120 days after installing Forefront TMG; not 120 days after you enable EMP or URLF. Forefront TMG provides two alerts relevant to Forefront TMG WPS licensing that also write to the Windows Application event log. Finally, changing and verifying your Forefront TMG WPS license details is as simple as a few mouse clicks.

Author
Jim Harrison, Program Manager, Forefront TMG

Reviewers
Adwait Joshi, Senior Product Manager, Identity & Security BG
Brita Jenquin, Senior Product Manager, Identity & Security BG

Announcing the availability of TMG Best Practices Analyzer Version 8

isablog — Fri, 22 Jan 2010 16:24:00 GMT

I am happy to announce to the community that the next version of Forefront TMG Best Practices Analyzer Tool (TmgBPA version 8) has been released and is now publicly available.

TmgBPA is used by TMG administrators to verify proper configuration, and to help troubleshoot TMG-related issues. TmgBPA is also used for collecting all the relevant data when an administrator requires Microsoft Product Support services. In many cases collecting all the relevant data upfront helps shorten the resolution time quite drastically.

The focus of v8 is its adaptation to Forefront TMG 2010, released in late 2009. Compared to ISA Server 2006, TMG supports many new major scenarios, including URL Filtering, ISP Redundancy, HTTPS Inspection, Anti-Malware Protection, Enhanced VoIP support, and much, much more. These new components require new configuration checks, and they also generate new logs that BPA must collect. (A list of TMG features can be found here.)

Please note that we now support two separate tools: IsaBPA (v7), intended to run on ISA Server computers, and TmgBPA (v8), intended to run on TMG computers.

I feel obliged to mention the outstanding contribution of Alexey Doctorovich and Idan Plonsky to this release, together with a long list of contributors from the TMG product team and from the TMG Product Support Services team.

I encourage every TMG administrator to download the TmgBPA tool and give it a test-drive. The tool is available now online. Note: The tool will require .NET 2.0 framework and above to be installed first.. We are always excited to hear feedback and you can mail your comments, requests, information about bug reports, etc. to isabpafb@microsoft.com alias.

Neta Amit

Senior Program Manager

Tips and Tricks – ISA Data Packager Fails to Start

isablog — Mon, 18 Jan 2010 22:28:36 GMT

When troubleshooting ISA Server one of the most common procedures in order to understand what is happening behind the scenes is to use the ISA Data Packager tool, which is part of the ISA Best Practices Analyzer, also known as ISABPA. This tool collects data like network traces, configuration state, event logs and ISA configuration. For more information on how to use this tool review the articles below:

Using ISABPA For Proactive And Reactive Work On ISA Server - Part 1

Using ISABPA For Proactive And Reactive Work On ISA Server - Part 2

This post is about a scenario where ISA Data Packager doesn’t run as it should and triggers the following error: “The IsaBpaPack.exe process failed to start” as shown in Figure below:

As you can see this is not a very friendly error, hence we can’t really say why it happens just with that information. However it was noticed, that if we uncheck the option below (Performance Monitor Snapshot) the issue didn’t happen:

In this specific case, if you open the performance monitor you would find that all the counters would be empty. The quick solution for this is to rebuild them using the command Lodctr /R as shown below:

After this process ISA Data Packager was able to run successfully.

Author

Samuel Jacob

Support Engineer

Microsoft CSS Forefront (ISA/TMG) Team

Technical Reviewer

Yuri Diogenes

Sr Security Support Escalation Engineer

Microsoft CSS Forefront (ISA/TMG) Team

Forefront TMG Administrator's Companion Goes to the Printers

isablog — Fri, 15 Jan 2010 00:06:00 GMT

http://blogs.msdn.com/microsoft_press/archive/2010/01/13/forefront-tmg-2010-administrator-s-companion-sample-chapters.aspx

If you didn't know, Forefront TMG 2010 is the subject of a new Administrator's Companion from Microsoft Press.
This book has been sent to the printer and is expected to be found on the shelves in mid-February 2010.

If you haven't yet, go pre-order yours at Amazon.com.

Jim Harrison, PM, FF Edge CS

SCOM pack for Forefront Threat Management Gateway 2010 has been released

isablog — Thu, 14 Jan 2010 09:59:31 GMT

As we go through the final steps related to the release of Forefront Threat Management Gateway 2010 (TMG), it is our pleasure to announce the availability of the official (final) management pack (SCOM pack) for TMG. To read more about the content of this management pack, see our previous blog post here.

The released version, in 11 different languages, is available for download on the Microsoft download center from this link. You can also download the management pack guide from the same location.

The Management pack is also registered in the System Center Operations Manager 2007 Catalog for improved discoverability.

Author:
Ori Yosefi, Senior Program Manager

Reviewer:
Meir Feinberg, Technical Writer

Hardware recommendations for Forefront TMG 2010

isablog — Tue, 12 Jan 2010 13:23:53 GMT

In this post, we discuss the hardware recommendations for Forefront TMG, based on the number of users and deployment scenario. Enabling different features on Forefront TMG carries different costs. When considering the hardware required for your deployment, take into account the projected growth of your organization and the Internet’s increasing bandwidth demands. The recommendations that follow are based on an allocation of 100 kilobits per second (Kbps) per user during peak time.

In this post:

· Design server hardware generously

· CPU considerations

· Storage considerations

· Network adapter considerations

· Redundancy recommendations

· Typical configurations

Design server hardware generously

Design your server hardware according to current and future requirements to prepare for future growth. You might want to consider additional processors, additional memory, and a reliable storage subsystem that has a capacity of at least two or three times your estimated requirements. Note that hardware technology evolves at a rapid pace. Within a relatively short period of time, upgrade options might not be available for your server platform, which can pose a serious problem if future demands require you to increase system performance; for example, in the event that you need additional processors.

CPU considerations

Microsoft does not recommend one processor architecture over another. The configurations below simply show the results of our tests, which you can use to help you plan your deployment and configuration.

The Forefront TMG product team has tested TMG in a variety of scenarios with the following processors:

· Intel Xeon E5410—a mid-range processor.

· AMD Opteron 2387—a Quad-core processor, with 6 MB shared L3-cache.

· Intel Xeon L5520—a high-end processor, Intel’s Nehalem microarchitecture provides a significant performance boost over earlier Xeon processors.

Storage considerations

Forefront TMG has the following disk space requirements:

· System–Holds OS and program files, approximately 40 GB.

· Logging–You should store log records for 3 days in addition to the current day. When calculating the necessary storage space, estimate that each user creates about 25 MB of logs per day, which means that 1000 users create about 25 GB of logs per day. Hence, you will need 100 GB of space to store logs for this period of time.

· Web Caching–Some scenarios require separate physical drives for caching. It is recommended to limit the cache file to a maximum of 40 GB on any disk. See Caching considerations for details.

For deployments of 500 users or less

If you are deploying Forefront TMG for fewer than 500 users, in most cases a 250 GB hard drive is sufficient for system, logging and cache. You can install a single hard drive, or for redundancy, a small redundant array of independent disks (RAID).

For deployments of more than 500 users

If you are deploying Forefront TMG for more than 500 users, the hardware requirements begin to increase, and if you enable Web caching, you may need to add disk drives (see Caching considerations below). The following table shows the recommended hard disk size based on number of users.

Table 1: Recommended Space for System and Logging

Maximum Number of Users	Hard Disk Size
2000	250 GB
4000	500 GB
10000	1 TB
13000	2 TB

Caching considerations

If you enable Web caching in a deployment of more than 500 users, for performance reasons, you should have one or more separate, physical disks dedicated to Web caching. The recommended maximum size of a cache file is 40 GB per physical disk drive; allocating more disk space for caching will actually impair performance. If, according to your scenario, you need more disk space for caching, use separate physical drives for each 40 GB cache file. There are two possible configurations:

· Multiple physical disks (not RAID)—Use one hard disk for system and logging, and separate hard disks for caching. This option involves deploying more storage space than is actually consumed, as only 40 GB on each drive should be used for caching.

· RAID (preferably RAID-5, for redundancy)—RAID allows for more flexibility. You can allocate up to 40 GB per disk for caching, and use the remaining space on each disk for system and logging.

Use the following table to help you determine the number of additional disk drives you should have for your deployment.

Table 2: Recommended Number of Disk Drives for Web Caching

Maximum Number of Users	Number of disk drives
500	0
1500	1
2500	2
3500	3
4500	4
5500	5
6500	6
7500	7
8500	8
9500	9
10500	10
11500	11
12500	12
13500	13

Network adapter considerations

In testing, a 1 Gigabit Ethernet adapter was found to support throughput of approximately 600 megabits per second (Mbps). As we mentioned in the introduction, these hardware recommendations are based on an allocation of 100 Kbps per user during peak time. Dividing 600 Mbps by 100 Kbps yields support for 6000 users for every pair of internal/external network adapters. If your organization averages more or less bandwidth per user, adjust the number of adapters accordingly. The following table shows the recommended number of network adapters per 6000 users.

Table 3: Recommended Number of 1 Gigabit Network Adapters

Maximum Number of Users	Number of Adapters
6000	2 (1 internal, 1 external)
12000	4 (2 internal, 2 external)
12000+	6 (3 internal, 3 external)

Best Practice – Assign each network adapter a unique IP address, and load balance all adapters uniformly on the same subnet via DNS lookup or wpad configuration.

Redundancy recommendations

Deploy an array

It is recommended that you deploy an array of Forefront TMG computers for redundancy. Use the test results below to determine the number of computers your deployment requires, and then add at least one more computer for redundancy that will allow your deployment to continue functioning during a computer failure or other required maintenance.

Load balancing

Deploying a Forefront TMG array requires a load balancing mechanism – either Network Load Balancing (NLB), DNS round robin, or a hardware load balancer. Note that NLB has a maximum total bandwidth limit of 500 Mbps; if your traffic volume exceeds this limit, your deployment requires a different load balancing mechanism.

Typical configurations

The following section contains hardware recommendations based on test results of Forefront TMG in its principal deployment scenarios.

Secure Web gateway

Forefront TMG’s secure Web gateway, a solution designed to protect enterprise users from Web-based threats, incorporates the following features:

· URL filtering—Blocks user access to Web sites based on URL categorization service

· Malware inspection—Inspects Web content for viruses and spyware at the network edge

· HTTPS inspection—Inspects SSL-encrypted Web traffic for malware and validate secure Web site certificates

· Network Inspection System—Detects exploits of known vulnerabilities in operating systems and applications

· Web caching—Enhances user Web surfing experience and reduces bandwidth costs.

Special Forefront TMG Edge roles

You can deploy Forefront TMG as a secure Web gateway with the following features as well:

· Mail protection—Helps protects your network against spam and viruses that enter your organization via electronic mail.

· SIP/VoIP—Enables VoIP communications while protecting your network from malformed SIP traffic.

The table below shows the number of users supported in this scenario by a specific hardware configuration.

Table 4: Recommended Hardware for Secure Web Gateway, with Mail Protection & VoIP

Maximum Number of Users	# CPUs	CPU	RAM (GB)
500	1	Intel Xeon E5410	4
1000	1	Intel Xeon E5410	4
1000	1	AMD Opteron 2387	4
1500	2	Intel Xeon E5410	8
1500	1	Intel Xeon L5520	8
2000	2	AMD Opteron 2387	8
3000	2	Intel Xeon L5520	12

Proxy server (including URL filtering)

Forefront TMG’s proxy server solution includes the following features:

· Web caching— Enhances user Web surfing experience and reduces bandwidth costs.

· URL filtering—Blocks user access to Web sites based on URL categorization service

The table below shows the number of users supported in this scenario by a specific hardware configuration:

Table 5: Recommended Hardware for Proxy Server Scenario, with URL Filtering

Maximum Number of Users	# CPUs	CPU	RAM (GB)
4000	1	Xeon E5410	4
5000	1	Opteron 2387	4
6000	2	Xeon E5410	8
8000	1	Xeon L5520	8
8000	2	Opteron 2387	8
13000	2	Xeon L5520	12

Secure mail gateway

Forefront TMG’s secure mail gateway solution protects your network against spam and viruses that enter your organization via electronic mail. For more information about the secure mail gateway, see http://blogs.technet.com/isablog/archive/2009/11/10/email-protection-in-forefront-tmg-2010-release-candidate.aspx.

The table below shows the number of users supported in this scenario by a specific hardware configuration.

Table 6: Recommended Hardware for Secure Mail Gateway Scenario

Maximum Number of Users	# CPUs	CPU	RAM (GB)
1500	1	Xeon E5410	4
2000	1	Opteron 2387	4
3000	2	Xeon E5410	8
3500	1	Xeon L5520	8
4000	2	Opteron 2387	8
6000	2	Xeon L5520	12

Author
David Strausberg, Technical Writer – Forefront TMG

Reviewers
Ittai Gilat, Senior Development Engineer Test - Forefront TMG
Tom Shinder, Technical Writer – Forefront UAG
Vladimir Holostov, Senior Program Manager – Forefront TMG
Zakie Mashiah, Principal Group Manager – Forefront TMG

Scripting URL overrides in Forefront TMG

isablog — Thu, 07 Jan 2010 10:20:19 GMT

You can use Forefront TMG scripting capabilities to allow non-TMG administrators to locally override a URL (enabling advanced help-desk scenarios). Here’s a script snippet that demonstrates adding www.contoso.com/* to the Anonymizers category:

set fpc = CreateObject("FPC.Root")

set arr = fpc.GetContainingArray

set overrides = arr.ArrayPolicy.WebProxy.UrlFilteringSettings.OverridingUrlCategories

overrides.Add "www.contoso.com/*", 2

arr.save

As you can see, the Add method takes the Category ID (the number 2, representing Anonymizers) as a parameter. Here’s a list of the Category IDs:

1 Alcohol

2 Anonymizers

3 Art/Culture/Heritage

4 Blogs/Wiki

5 Botnet

6 Chat

7 Child Friendly Materials

8 Criminal Activities

9 Dating/Personals

10 Digital Postcards

11 Dubious

12 Edge Content Servers/Infrastructure

13 Education/Reference

14 Employment

15 Fashion/Beauty

16 Financial

17 Forum/Bulletin Boards

18 Free Hosting

19 Gambling

20 Games

21 General Business

22 General Entertainment

23 Government/Military

24 Hacking/Computer Crime

25 Hate/Discrimination

26 Health

27 Humor/Comics

28 Illegal Drugs

29 Internet Services

30 Legal Services & Reference

31 Lifestyle Choices

32 Malicious

33 Mature Content

34 Media Sharing

35 Motor Vehicles

36 News

37 Non-Profit/Advocacy/NGO

38 Nudity

39 Obscene/Tasteless

40 Online Communities

41 Online Trading/Brokerage

42 P2P/File Sharing

43 Parked Domain

44 Personal Network Storage

45 Phishing

46 Politics/Opinion

47 Pornography

48 Portal Sites

49 Public Information

50 Real Estate

51 Recreation/Hobbies

52 Religion/Ideology

53 Remote Access

54 Restaurants/Dining

55 School Cheating Information

56 Search Engines

57 Self Defense

58 Shareware/Freeware

59 Shopping

60 Social Opinion

61 Spam URLs

62 Sports

63 Spyware/Adware

64 Streaming Media

65 Technical Information

66 Tobacco

67 Travel

68 Usenet News

69 Violence

70 Weapons

71 Web Ads

72 Web E-mail

73 Web Phone

74 Web-based Productivity Applications

You can download the Forefront TMG SDK here.

Eric Detoc, ISA Escalation Engineer

Nathan Bigman, Content Publishing Manager

Localized versions of Forefront TMG 2010 documentation released to TechNet

isablog — Mon, 04 Jan 2010 09:09:57 GMT

Forefront TMG 2010 TechNet documentation is now available in 10 localized versions:

· Chinese-Simplified

· Chinese-Traditional

· French

· German

· Italian

· Japanese

· Korean

· Portuguese-Brazilian

· Russian

· Spanish

To access the localized content based on your browser’s language setting, click here. TechNet’s language auto-detection will take you directly to the site that is localized to the language of your browser.

About the content

This release of the documentation culminates a customer- and solutions-focused effort undertaken by the Forefront TMG User Assistance team since the release of ISA Server 2006, resulting in a new content structure, new content, and the streamlining of content that was previously available.

We are looking forward to receiving your feedback on this content.

The Forefront TMG User Assistance team

Author:
Rachel Aldam, Technical Writer

Reviewers:
Simon Farr, Content Project Manager
Bruno Lewin, Senior Program Manager

Categories for URL Filtering

isablog — Sun, 03 Jan 2010 14:53:30 GMT

URL Filtering allows you to control end-user access to Web sites, protecting the organization by denying access to known malicious sites and to sites displaying inappropriate or pornographic materials, based on predefined URL categories. Visit TechNet to read about Planning for URL Filtering and Managing URL Filtering.

The table below summarizes the URL categories available. Those marked with an asterisk are blocked by Forefront TMG when in the Web Access Policy Wizard you choose to create a rule blocking the minimum recommended URL categories.

Category Set	Category	Description
Liability		Aggregation of sites that may be in conflict with applicable legal and/or policy compliance obligations.
	Alcohol	Alcohol Web sites promote or offer for sale alcoholic beverages or the means to create them; supplies, recipes or paraphernalia; glorifies, touts, or otherwise encourages alcohol consumption or intoxication.
	Gambling*	Gambling Web sites are sites where a user can place a bet or participate in a betting pool (including lotteries) online; obtain information, assistance or recommendations for placing a bet; receive instructions, assistance or training on participating in games of chance
	Tobacco	Tobacco Web sites glorify, promote, offer for sale or otherwise encourage the consumption of tobacco.
	Obscene/Tasteless*	Obscene/Tasteless Web sites provide vulgar, crude, disgusting or otherwise offensive material, e.g., mutilation, murder, and defecation.
	Profanity	Profanity Web sites are sites that advocate or convey what may be interpreted as insulting, rude or vulgar behavior (through words, gestures, or other behavior); or otherwise show disrespect towards, or desecration of, something held sacred.
	Violence*	Violence Web sites are sites which advocate or provide instructions for causing physical harm to people or property through use of weapons, explosives, pranks, or other types of violence.
	Weapons	Weapons sites are sites which sell, review, or describe legal weapons such as: guns, knives, or martial arts devices; provide information on their use, accessories, or other modifications.
	Nudity	Nudity Web sites are sites containing images of human nudity, e.g., nude art, incidental nudity
	Pornography*	Pornographic Web sites are sites containing sexually explicit material for the purpose of arousing a sexual or prurient interest.
	Provocative Attire	Provocative attire Web sites are sites which sell, review, or describe alluring attire but do not involve nudity.
	Mature Content	Mature sexual content sites contain sexually explicit information that is not of a medical or scientific nature.
	Criminal Activities*	Criminal activities Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate illegal activities, or describe how to commit criminal activity.
	Dubious	Dubious Web sites are sites with questionable, suspicious, or ethically ambiguous content.
	Hacking/Computer Crime	Computer hacking/crime Web sites are sites which advocate or provide instructions for causing harm to people or property through use of unauthorized computer activity.
	Hate/Discrimination*	Hate Web sites are sites which advocate hostility or aggression toward an individual or group on the basis of race, religion, gender, nationality, ethnic origin, or other involuntary characteristics; a site which denigrates others on the basis of those characteristics or justifies inequality on the basis of those characteristics; a site which purports to use scientific or other commonly accredited methods to justify said aggression, hostility or denigration.
	Illegal Drugs*	Drug Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate the recreational or illegal use, cultivation, manufacture, or distribution of drugs, pharmaceuticals, intoxicating plants or chemicals and their related paraphernalia.
	Illegal Software	Illegal Software Web sites are sites which promote, offer, sells, supply, encourage or otherwise advocate the use, cultivation, manufacture, or distribution of software that is illegal in one or more major jurisdictions.
	School Cheating Information	School Cheating Information Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate information used to cheat in school.
Bandwidth		Bandwidth Web sites are sites which may result in large amounts of data being uploaded or downloaded, e.g., video download, file download, etc.
	Media Sharing	Media sharing Web sites are sites which promote, sell, offer, supply or allow sharing between users of media, e.g., video download, file download, etc.
	Streaming Media	Streaming media sites provide media for streaming consumption, e.g., on demand video, internet radio.
Business		Business Web sites are sites which promote, sell, offer, or supply business information, e.g., employment services, financial institutions, online trading and brokerages.
	General Business	Business Web sites are sites which promote, sell, offer, or supply business information, e.g., corporate Web site, business to business sites.
	Employment	Employment Web sites are sites which promote, sell, offer, or supply employment information including providing job seeking information.
	Financial	Financial Web sites are sites which promote, sell, offer, or supply financial information including financial account access.
	Online Trading/Brokerage	Online Trading/Brokerage Web sites are sites which promote, sell, offer, or supply trading information including online trading and brokerage account access.
Communication		Communication Web sites are sites which provide a means for digital communications. These sites may include access for adding, removing, and updating personal content, e.g., chat, forums, and blogs.
	Blogs/Wiki	Blog/Wiki Web sites are sites which provide dynamic content where users frequently add, remove, and update content.
	Chat	Web chat Web sites are sites which provide Web-based chat as the main feature or function of the site.
	Digital Postcards	Digital postcard Web sites are sites which enable users to send and receive digital postcards and greeting postcards.
	Forum/Bulletin Boards	Forum/Bulletin Board Web sites are sites which provide dynamic content where users frequently add content.
	Instant Messaging	Instant Messaging Web sites are sites which provide Web-based or downloadable chat-related applications as the main feature or function of the site.
	Online Communities	Online Community Web sites are sites which provide dynamic content for the purpose of social networking. These sites may include access for adding, removing, and updating personal content.
	Portal Sites	Portal Web sites are sites where the main purpose is to route users to Web content.
	Usenet News	Usenet news Web sites provide access to Usenet archives.
	Web E-mail	Web E-mail Web sites are sites that enable users to send and receive email.
	Web Meeting	Web Meeting Web sites are sites which provide online meeting services.
	Web Phone	Web Phone sites are site which provide online phone services.
	Web-based Productivity Applications	Web-based productivity application Web sites are sites which provide Web browser-based productivity application services, e.g., Web browser-based word processing.
Entertainment		Entertainment Web sites are sites that distributes, displays, discusses or promotes entertainment related content - e.g., games, humor, recreation or hobbies.
	Art/Culture/Heritage	An art/culture/heritage site is a site that distributes, displays, discusses or promotes art, culture, or heritage related content - e.g., books, literature, theater.
	General Entertainment	Entertainment Web sites are sites that distribute, display, discuss or promote entertainment related content, e.g., movies, television, and music.
	Games	Games Web sites are sites that distribute, display, discuss or promote game related content, e.g., board games, video games, etc.
	Humor/Comics	Humor/Comics Web sites are sites that distribute, display, discuss,. or promote humor related content, e.g., comics, cartoons, etc.
	Recreation/Hobbies	Recreation/Hobby Web sites are sites that distribute, display, discuss or promote recreation and hobby related content, e.g., model airplane building, knitting, sewing, etc.
General Productivity		General productivity Web sites are an aggregation of sites believed to engage users in time or resource-intensive activities that may be in conflict with expected use of computer and network resources.
	Education/Reference	Education/reference Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate educational or reference information.
	Child Friendly Materials	Child friendly materials Web sites are sites which promote, offer, sell, supplies, encourage or otherwise advocate child-friendly materials.
	Government/Military	Government/Military Web sites are sites created and maintained by an official government or military organization
	Health	Health Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate health information.
	History	History Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate historical information.
	Legal Services & Reference	Legal services and reference Web sites are sites which provide, promote, offer, sell, supply, encourage or otherwise advocate legal services and reference information.
	Non-Profit/Advocacy/NGO	Non-profit/Advocacy/NGO Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate non-profit, advocacy, or NGO information.
	Politics/Opinion	Politics/Opinion Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate politics or opinion information.
	Public Information	Public information Web sites are sites which provide general reference information for public consumption, e.g., listings, maps, weather, etc.
	Religion/Ideology	Religion/Ideology Web sites are site which promote, offer, sell, supply, encourage or otherwise advocate religion or ideology.
	Search Engines	Search engine Web sites are sites where the main purpose is to provide search Web content based on user-defined queries.
Information Technology		Information technology Web site are sites which promote, offer, sell, supply, encourage or otherwise advocate technology information, e.g., free hosting, Internet services, Web ads.
	Technical Information	Technical Information Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate technical information, e.g., tutorials for computer programming, reviews of computer software or hardware, technical forums, information security.
	Edge Content Servers/Infrastructure	Edge content servers/infrastructure Web sites are sites which hosts files for other Web sites usually for high-volume consumption.
	Free Hosting	Free hosting Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate free Web hosting information, e.g., Web sites that allow users to create personal homepages.
	Internet Services	Internet services Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate Internet services information, e.g., domain registration, ISPs.
	Web Ads	Web ads Web sites are sites from which advertising content originates. Advertising content includes but is not limited to banners, marketing trackers, and text ads.
Lifestyles		Lifestyle Web sites are sites that cater to or discuss personal or social interests and activities with content intended for a specific audience.
	Dating/Personals	Dating/Personals Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate dating or personal information.
	Special Interests	Sites that reflect a group or collection of persons that have a common interest or issue that is representative of who they are, their life situation, or is of closely held significance to them. This includes without limitation, cultural or ethnic identity, organization/club affiliations, or sexual orientation/identity.
	Restaurants/Dining	Restaurants/Dining sites are sites which promote, encourage or otherwise advocate information about restaurants or dining choices.
	Social Opinion	Social Opinion Web sites are sites that provide information related to variety of social topics, e.g., movie reviews, actor critiques.
	Self Defense	Self defense Web sites are site which promote, encourage or otherwise advocate information about self defense - e.g., karate, mace, stun guns.
	Travel	Travel web sites are sites which promote, encourage or otherwise advocate traveling.
News/Reports		News/Reports Web sites are sites that provide news or report information.
	News	News Web sites provide news media such as local weather, and other relevant regional, national and international information.
	Sports	Sports Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate professional athletics, e.g., professional or recreational baseball leagues.
Purchasing		Purchasing Web sites are sites which promote, offer, sell, supply, and encourage purchasing of products.
	Fashion/Beauty	Fashion/Beauty Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate the use, or distribution of fashion or beauty related products.
	Motor Vehicles	Motor Vehicles Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate the use, distribution or discussion of motor vehicle related products.
	Shopping	Shopping Web sites are sites which promote, offer or sell products or services online.
	Pharmacy	Pharmacy Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate the use, distribution or discussion of prescription drugs.
	Real Estate	Real estate Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate the buying, selling, managing or maintenance of real estate.
Security		Aggregation of sites which may either directly constitute a risk to IT resources, or are associated with activities suspected to increase risk of exposure to these dangers.
	Anonymizers*	Anonymizer Web sites are sites used to anonymize a user's originating IP address
	Anonymizing Utilities	Anonymizing utilities Web sites are sites which promote, offer, sell, supply, encourage or otherwise advocate the use, manufacture, or distribution of anonymizing utilities.
	P2P/File Sharing	P2P/File sharing Web sites are sites which offer, sell, supply, encourage or otherwise advocate the use, manufacture, or distribution of P2P/File sharing software.
	Parked Domain	Parked domain Web sites are sites that no longer contain content or are no longer registered.
	Personal Network Storage	Personal network storage Web sites provide Web-based storage for personal files, e.g., pictures, documents, etc.
	Remote Access	Remote access Web sites are sites which provide Web-based or downloadable remote access related applications as the main feature or function of the site, e.g., a Web site that allows a user to access a computer from a remote location.
	Resource Sharing	Resource sharing Web sites are sites that provide information about applications that utilize otherwise unused system resources, e.g., SETI@home.
	Shareware/Freeware	Shareware/Freeware Web sites are sites which provide Web-based or downloadable applications as the main feature or function of the site.
	Botnet*	Botnet sites are sites which covertly install applications onto targeted systems allowing unauthorized remote control for malicious activity.
	Malicious*	Malicious Web sites covertly install applications onto targeted systems with the intent of causing harm to people or property through use of unauthorized computer activity.
	Phishing*	Phishing sites are sites that masquerade as a trustworthy entity for the purpose of tricking users into disclosing personal information.
	Spam URLs	Spam Web sites are sites that contain unsolicited information from spam e-mails.
	Spyware/Adware*	Spyware/adware Web sites are sites which covertly install applications onto targeted systems with the intent of performing unsolicited activity, namely, transmitting personal information or providing unsolicited advertisements.

Vladimir Holostov, Senior Program Manager

Nathan Bigman, Content Publishing Manager

Forefront TMG 2010 documentation now available on TechNet

isablog — Tue, 29 Dec 2009 09:57:00 GMT

Forefront TMG 2010 TechNet documentation is now live with Forefront TMG Release to Web content. This release of the documentation culminates a customer- and solutions-focused effort undertaken by the Forefront TMG User Assistance team since the release of ISA Server 2006, resulting in a new content structure, new content, and the streamlining of previously-available content.

New structure

The new content structure focuses on Forefront TMG’s core value to your business: protecting IT environments from Internet-based threats, while providing both internal and remote users fast and secure access to the Internet and to internal applications and data. The Planning and Design, Deployment, and Operations guides are synched to guide the Forefront TMG administrator through system deployment in various topologies, enabling access through Forefront TMG, and setting up the protection of organizational resources from Internet-based threats.

Solution guides

We are proud to publish the first solution guides in a planned series of guides, aimed at walking Forefront TMG administrators through end-to-end Forefront TMG solutions:

· Secure Web Gateway solution guide—A secure Web gateway allows business employees to safely and productively use the Internet for business without worrying about malware and other threats. It provides multiple layers of continuously updated protections that are integrated into a unified, easy-to-manage gateway, reducing the cost and complexity of Web security. The secure Web gateway solution guide is intended to help administrators plan, deploy, and maintain a Forefront TMG secure Web gateway, according to the requirements of their organization and the specific design that they want to create.

· Interoperability with BranchCache solution guide—Addresses the interoperability of Forefront TMG and BranchCache, a feature of Windows 7 and Windows Server 2008 R2, that enables Web content on a wide area network (WAN) to be cached on computers at a local branch office, thus improving application response time and reducing WAN traffic.

New content

As with every major documentation release, the new content addresses the product’s new features:

· Network Inspection System (NIS)

· Enhanced Network Address Translation (NAT)

· Enhanced Voice over IP support

· Windows Server 2008 with 64-bit support

In addition, the content includes the following documents:

· Troubleshooting the installation

· Troubleshooting HTTPS inspection

· Unsupported configurations

· Customizing HTML forms

· Customizing HTML error messages in Forefront TMG

· Upgrading from Forefront TMG evaluation to Forefront TMG RTM

· Joining a standalone server to an array in a workgroup deployment

Streamlining of available content

ISA Server has been around for a long time, and its accompanying documentation has accumulated into a comprehensive yet somehow exhausting content-set. When faced with the challenge of updating the ISA Server content to Forefront TMG, we decided to take the long route and determine the scope of the content based on user needs, rather than simply update the existing ISA Server content. We started off by creating a completely new Table of Contents, based on extensive product group, customer support, and field feedback and requirements. Only then did we dive into the actual writing, leveraging valuable existing content and adding new content, as required. This process resulted in content that we believe is more easily discoverable and manageable by our target users. Be sure to tell us how you like this new experience!

We are looking forward to receiving your feedback on new content.

Enjoy the ride!

The Forefront TMG User Assistance team

Author:
Rachel Aldam, Technical Writer

Reviewers:
David Strausberg, Technical Writer
Meir Feinberg, Technical Writer
Michelle Friedmann, Technical Editor

Using Forefront TMG/ISA Server BPA for documenting your deployment

isablog — Thu, 24 Dec 2009 10:04:26 GMT

Introduction

An administrator of Forefront TMG or ISA Server may want to document their current configuration, so that they can:

Recreate the Forefront TMG/ISA Server setup from the documentation in the case of data loss/corruption.
Share the documentation with other people, so that they can understand what settings are used (e.g. in the case of a deployment handover).

This document describes how Best Practices Analyzer (BPA) can be used to automatically document the configuration.

Forefront TMG/ISA Server BPA

There are 2 separate tools, one works for Forefront TMG, the other for ISA Server:

The procedures below, and all the examples, reference Forefront TMG BPA. The same procedure is equally applicable to ISA Server BPA.

How to document a Forefront TMG Server

To create a new document:

Run the BPA application and click “Select options for a new scan”.
When scanning is finished click “View a report of this Best Practices scan” and then export the report to an XML file.
The output file can be used for configuration review and network visualization by the BPA2Visio tool (will be explained below).

How to review a pre-saved document for a Forefront TMG Server

If you still have BPA open after following the procedure above, you already have the report available. If not, the following steps will load the report:
a. Launch BPA and click “Select a Best Practices scan to view”.
b. Choose one of the available scans, or choose “Import scan” to load a different scan result from a file.
c. If you choose to use a report from the list, you’ll need to choose the “View a report of this scan” option to actually view the scan. The view will bring you to the “All Issues” tab, the same location within the UI where you ended up after completing the “How to document a Forefront TMG Server” procedure above.
Choose the “Tree Reports” radio button, and then click on the “Detailed View” tab, which will display the configuration data and the “TMG configuration” data node.
It is possible to copy specific node contents to the clipboard. To do that, right-click on the node and choose the “Copy to clipboard” option. The node will be copied to the clipboard and the resulting text will also preserve the existing data hierarchy. For example, you can copy the “Exception” node, and the text can be pasted into your favorite editor as shown below.
Now you can review the configuration and do the required work. The “TMG Configuration” node contents are designed to mimic the Forefront TMG Management MMC console hierarchy, making it simple to map the data to the appropriate place in the Forefront TMG UI. The Forefront TMG BPA application highlights the problematic nodes with “Error”, “Warning” and “Info” icons, as shown above.

How to visualize a pre-saved document for a Forefront TMG Server

As we have already said, we have a specially designed tool called BPA2Visio that can visualize the network deployment of your server based on the BPA report.

To visualize your network you should run BPA2Visio on a machine where the Microsoft Visio tool is installed (not necessarily the server machine). To do that you need to run the application. You can run it from the Start Menu as follows: “Start Menu” > “All Programs” > “Microsoft Forefront TMG Server” > “TMG Tools” > “BPA2Visio”. Another way to run the application is to invoke it from within the “Forefront TMG BPA” application directly. To do that, you should open the report for review – just like we did in the previous explanation, and then click the “Start BPA2Visio” button on the left pane.
After the BPA2Visio application has started, please “Load an existing report” from the location you have saved it, and then click “Generate Diagram”. This will generate a network diagram in the Visio tool.
Here is an example of a generated diagram:
And you are done! BPA2Visio will highlight the problematic elements, as detected by “Forefront TMG BPA”, at the same time that the report is generated.

Author:
Alexey Doctorovich, Software Development Engineer, Forefront TMG Team

Reviewers:
Neta Amit, Senior Program Manager, Forefront TMG Team
Adi Kurtz, Senior Test Lead, Forefront TMG Team
Ori Yosefi, Senior Program Manager, Forefront TMG Team
Meir Feinberg, Technical Writer, Forefront TMG Team

RRAS Service fails to start on ISA Server 2006 when enabling RADIUS Authentication for VPN Users

isablog — Wed, 23 Dec 2009 20:41:00 GMT

Introduction

Consider a scenario where the ISA Server administrator has dial-in VPN correctly configured and working through ISA Server 2006. Now he needs to use RADIUS as the credentials authority and he makes the appropriate changes to the RADIUS configuration on the VPN settings as shown in Figures 1, 2 and 3:

Figure 1 – RADIUS correctly enabled on ISA.

Figure 2 – RADIUS Server using the default authentication port.

Figure 3 – RADIUS Server with the shared secret set.

After applying the changes, the RRAS service stops and the following event appears in Event Viewer when RRAS tries to restart:

Event Type: Error

Event Source: Microsoft Firewall

Event Category: None

Event ID: 21098

Date: 12/15/2009

Time: 4:16:46 PM

User: N/A

Computer: ISACONTN1

Description:

The RADIUS server list is empty. As a result, the Remote Access Service may fail to start.

Understanding the Behavior

Clearly the RADIUS server list is not empty as you can see in Figure 2 and 3. However if you observe other events in the event viewer you will see that the RADIUS server failure event is almost immediately preceded by this one:

Event Type: Warning

Event Source: Microsoft Firewall

Event Category: None

Event ID: 21301

Date: 12/15/2009

Time: 4:16:43 PM

User: N/A

Computer: ISACONTN1

Description:

The server name dccont cannot be resolved by DNS to a valid IP address.

Using Network Monitor during the moment of the failure, you can see that the Windows OS (where ISA server is installed) sends the DNS query for this name:

10.20.20.1 dccont.contoso.com DNS DNS:QueryId = 0xDE85, QUERY (Standard query), Query for dccontn1.contoso.com of type Host Addr on class Internet

The DNS Server reply with the following answer:

dnsrv.contoso.com 10.20.20.1 DNS DNS:QueryId = 0xDE85, QUERY (Standard query), Response - Name Error

What happens is that if ISA Server is not able to resolve the name of the RADIUS Server it can’t really proceed with this configuration because it has no credentials authority for the VPN client connections.

Common errors that can cause this are:

1. “dccont” was specified as an unqualified name (as shown in Figures 2 & 3). This leaves the server having to rely on the domain suffix devolution to resolve the name to an IP address. If the ISA has no domain suffix or the domain where the “dccont” RADIUS server registers its name is unknown to the ISA server or its DNS servers, the ISA server won’t resolve that name. You should always use fully-qualified names to avoid this behavior.

2. dccont.contoso.com is not known to the DNS server used by the ISA server. This may be due to an incorrect DNS configuration at the ISA server or the RADIUS server is not properly registered in DNS

3. DNS forwarding or recursion is failing at the DNS server used by the ISA server.

There are no doubt many other reasons for name resolution to fail at the chosen DNS server; you’ll just have to put on your Sherlock Holmes hat and get sleuthing.

Author

Yuri Diogenes

Sr Security Support Escalation Engineer

Microsoft CSS Forefront Edge Team

Technical Reviewer

Jim Harrison

Program Manager

Microsoft CSS Forefront Edge CS Team

How to get NLB to work with Forefront TMG when running in Hyper-V.

isablog — Tue, 22 Dec 2009 11:47:00 GMT

If you are running your Forefront TMG servers as Windows 2008 Hyper-V guests and you have enabled NLB in Forefront TMG, you may have noticed that the NLB cluster nodes fail to converge.

There is a known issue with Unicast NLB and Hyper-V that affects ISA 2006 and Forefront TMG deployments.

Note: This blog post only applies when running TMG 2010 or ISA 2006 as a guest running on Hyper-V RTM. If you are running Hyper-V R2, checking “Enable spoofing of MAC addresses” on the network adapters settings achieves the same result as the steps below.

To enable NLB on a Hyper-V guests, perform the following steps:

1. For Forefront TMG deployments, you must install the update referenced in MSKB 953828. This update is not required or applicable to ISA Server deployments

2. From one of the Forefront TMG servers, run the following command to find out the
Unicast MAC address (write it down): nlb.exe ip2mac <clusterIP>

3. Enable Integrated NLB in the Forefront TMG management console as you would normally do.

4. Apply the changes. Wait for the policy to be properly applied before continuing (if you enabled NLB on the Internal network you will get an error that the management console cannot see the servers in the array; at this point you know the policy has been applied).

5. Shutdown the Forefront TMG servers in the array. Shut down is required as we need to change the properties of the network adapter setting in the Hyper-V console.

6. Open the Hyper-V console

a. Right-click the Forefront TMG virtual machine and click Settings

b. Select the network adapter that you enabled NLB in Forefront TMG.

c. In the details pane, select Static MAC Address and enter the Unicast MAC address you wrote down in step #1.

d. Click OK

7. Repeat steps 6.a - 6.c for the second Forefront TMG in the array.

8. Restart both Forefront TMG Servers

Important: If you turn off NLB support you will need to shutdown the servers in the array and revert the changes made in step 5 back to Dynamic MAC address.

Note: On a few rare occasions we have seen that NLB has not been properly configured on one of the servers in the array even after following the steps outlined above. To correct this, open the NLB Manager on this server and manually configure the NLB cluster. The cluster IP address should be the VIP address you configured when you enabled NLB in the Forefront TMG management console.

Author

Gershon Levitz

Program Manager - Microsoft Forefront Edge

Technical Reviewers

Jim Harrison

Program Manager - Microsoft Forefront Edge

Bala Natarajan

Support Engineer, Microsoft CSS Forefront Edge Team