• ISA/TMG build numbers

    For my reference and for all users' reference, posting the link that lists the ISA/TMG server build numbers:

    http://blogs.technet.com/b/isablog/archive/2009/02/25/isa-server-build-numbers.aspx

  • Configuring custom SSL ports on ISA/TMG server for forward proxy

    By default the SSL tunnel port is 443. To allow other ports, we can use the script published on isatools.org (http://isatools.org/tools.asp?Context=ISA2006); the tool is named ISA tunnel port range. Download it and add custom SSL ports as shown below.

    Using the same script we can also delete custom SSL ports; usage is explained above.

    Updated section below (10 Dec 2014)

    I saw the messages below, and yes, the link I gave above no longer works, so I have created the script file from the article http://technet.microsoft.com/en-us/library/cc302450.aspx and am uploading it here (attached is AddTPRange.vbs, which adds a tunnel port range).

    You can run it as:

    CScript AddTPRange.vbs RangeName PortNumber

    e.g. CScript AddTPRange.vbs customport 433

    I cannot attach a second script to show the ranges (the site does not allow uploading more than one file), so I am pasting it as-is below.

    **************************copy the script below and save it as showtpranges.vbs*********************

    Sub ShowTPRanges()
        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")

        ' Declare the other objects needed.
        Dim isaArray     ' An FPCArray object
        Dim tpRanges     ' An FPCTunnelPortRanges collection
        Dim tpRange      ' An FPCTunnelPortRange object

        ' Get references to the array object
        ' and the collection of tunnel port ranges.
        Set isaArray = root.GetContainingArray()
        Set tpRanges = isaArray.ArrayPolicy.WebProxy.TunnelPortRanges

        If tpRanges.Count > 0 Then
            For Each tpRange In tpRanges
                WScript.Echo tpRange.Name & ": " & tpRange.TunnelLowPort & "-" & tpRange.TunnelHighPort
            Next
        Else
            WScript.Echo "No tunnel port ranges are defined."
        End If
    End Sub

    ShowTPRanges

    *************************************************

    To see the existing ranges:

    CScript showtpranges.vbs
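    An added example (not the attached AddTPRange.vbs and not the TechNet article's script): it adds a single-port range only after confirming that no existing range already covers that port, so the set of ports the proxy will tunnel CONNECT requests to is not widened by accident. It walks the same FPC object path as ShowTPRanges above and assumes the FPCTunnelPortRanges.AddRange(Name, TunnelLowPort, TunnelHighPort) method from the ISA SDK.

```vbscript
' Added example, not the page's attached script. Usage:
'   CScript AddTPRangeSafe.vbs RangeName PortNumber
Option Explicit
Dim root, isaArray, tpRanges, tpRange, rangeName, port

If WScript.Arguments.Count <> 2 Then
    WScript.Echo "Usage: CScript AddTPRangeSafe.vbs RangeName PortNumber"
    WScript.Quit 1
End If
rangeName = WScript.Arguments(0)
If Not IsNumeric(WScript.Arguments(1)) Then
    WScript.Echo "PortNumber must be numeric."
    WScript.Quit 1
End If
port = CLng(WScript.Arguments(1))
If port < 1 Or port > 65535 Then
    WScript.Echo "PortNumber must be between 1 and 65535."
    WScript.Quit 1
End If

' Same object path as ShowTPRanges: root -> containing array -> web proxy policy.
Set root = CreateObject("FPC.Root")
Set isaArray = root.GetContainingArray()
Set tpRanges = isaArray.ArrayPolicy.WebProxy.TunnelPortRanges

' Refuse to add a port that an existing range (for example 443) already covers,
' so the tunnel allow-list stays minimal and every entry has one clear owner.
For Each tpRange In tpRanges
    If port >= tpRange.TunnelLowPort And port <= tpRange.TunnelHighPort Then
        WScript.Echo "Port " & port & " is already allowed by range '" & tpRange.Name & _
            "' (" & tpRange.TunnelLowPort & "-" & tpRange.TunnelHighPort & ")."
        WScript.Quit 2
    End If
Next

' AddRange(Name, TunnelLowPort, TunnelHighPort): assumed from the ISA SDK
' documentation. Low = High restricts the new range to exactly one port.
tpRanges.AddRange rangeName, port, port
tpRanges.Save
WScript.Echo "Added tunnel port range '" & rangeName & "' for port " & port & "."
```

    Run it from an elevated prompt on the array member; like the attached script it changes the stored policy, so the change appears in the console after the next refresh.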

  • Custom scripts - Endpoint detection UAG

    While working on a UAG case I found a very nice TechNet link and thought of sharing it:

    http://support.microsoft.com/kb/955107

  • IPsec site-to-site tunnel between TMG and Cisco fails - another scenario

    Issue/Scenario: Recently I worked on an IPsec site-to-site scenario between TMG and Cisco. The tunnel between the two endpoints was not getting established.

    Troubleshooting approach

    1. Checked the settings of the site-to-site IPsec tunnel.

    2. In the Addresses tab of the tunnel properties on the TMG server, the remote endpoint IP address had not been added; added it.

    3. Tested the tunnel after applying the settings; the issue still persisted.

    4. Checked all the settings (site-to-site settings, network rule and access rule); they all looked OK (refer to http://technet.microsoft.com/en-us/library/dd441072.aspx).

    5. Took a TMG Data Packager trace with the VPN template (refer to http://blogs.technet.com/b/sooraj-sec/archive/2010/04/10/instructions-for-isa-data-packager-to-collect-data-in-repro-mode.aspx) while trying to ping the remote side address.

    6. In the ikeetl logs found the following:

    ***************************************************************************
    QM localAddr: x.x.x.x.0 Protocol 0
    QM peerAddr : x.x.x.x.0 Mask x.x.x.x Protocol 0
    IF-Luid: 1688850061590528
    Profile ID: 3
    Acquire flags 1
    FwpmFilterEnum returned no matching filters
    IkeMatchFwpmFilter failed with Windows error 13825(ERROR_IPSEC_IKE_NO_POLICY)
    IkeMatchFwpmFilter failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
    IkeFindQMPolicy failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY)
    *********************************************************************************************************

    Researched it and found http://technet.microsoft.com/en-us/library/bb794765.aspx, with the following section in it:

    Quick policy mode negotiation fails with a "No policy configured" error

    Symptom: An event is logged in the system event log, which indicates that quick policy mode negotiation failed with a "No policy configured" error.

    Cause: The IPsec network range combines several physical networks with adjacent ranges. If you configure a remote site network, which actually comprises two different networks with adjacent IP address ranges in the same subnet, connections cannot be initiated to either network.

    Solution: To avoid this, create two remote site IPsec networks, one for each physical network. Then create appropriate network and access rules for each remote site. For example, suppose you have three networks:

    • Network A with address range 10.1.0.0/24
    • Network B with address range 10.1.1.0/24
    • Network C with address range 10.1.2.0/24

    To define remote site network connectivity from Network C to Network A and Network B, you must define two distinct remote networks (one for Network A and one for Network B), rather than combining the address ranges.

    Also note that accurate network configuration is essential for IPsec site-to-site communications to work as expected. The VPN network on the local ISA Server computer (usually the default Internal network) must match the IP addresses of the network adapter associated with the network, and should include all subnets accessible from the adapter. Every time a network adapter receives a packet, ISA Server checks whether the source IP address of the packet is a valid address for the specific network adapter. If ISA Server does not consider it valid, an IP spoofing attack alert is issued. An IP address is considered valid if both of the following conditions are true:

    • The IP address resides in the network of the adapter through which it was received.
    • The routing table indicates that traffic destined to that address may be routed through the adapter belonging to that network.

     

    7. Informed the admin to check the address ranges used on the Cisco end as well as on the TMG end. After the remote end subnet and host addresses were configured properly (i.e. address ranges were defined without combining adjacent ranges), the issue got resolved.
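    As an added example, not from the page or the TechNet article, the script below checks each address range of a TMG remote-site network against the subnets the peer actually terminates and reports which ranges combine adjacent subnets (the "No policy configured" condition above), which contain none, and which are wider than the one subnet they hold. The TMG ranges and peer subnets are constructed from the Network A/B/C layout quoted above; in practice they come from the remote site network properties and the peer's crypto ACL.

```vbscript
' Added example: validate TMG remote-site ranges against the peer's subnets.
Option Explicit

Function IpToNum(ip)   ' dotted quad -> Double (a 32-bit Long overflows on 192.x)
    Dim p, i
    p = Split(ip, ".")
    IpToNum = 0
    For i = 0 To 3
        IpToNum = IpToNum * 256 + CDbl(p(i))
    Next
End Function

Function SubnetBounds(cidr)   ' "10.1.0.0/24" -> Array(first address, last address)
    Dim p, size, first
    p = Split(cidr, "/")
    size = 2 ^ (32 - CInt(p(1)))
    first = Int(IpToNum(p(0)) / size) * size
    SubnetBounds = Array(first, first + size - 1)
End Function

Function CheckRange(lowIp, highIp, peerSubnets)   ' one-line verdict per range
    Dim lo, hi, s, b, hits, exact
    lo = IpToNum(lowIp): hi = IpToNum(highIp): hits = 0: exact = False
    For Each s In peerSubnets
        b = SubnetBounds(s)
        If b(0) >= lo And b(1) <= hi Then
            hits = hits + 1
            If b(0) = lo And b(1) = hi Then exact = True
        End If
    Next
    If hits > 1 Then
        CheckRange = "combines " & hits & " peer subnets: define one remote site network per subnet"
    ElseIf hits = 0 Then
        CheckRange = "contains no peer subnet: quick mode has no matching policy"
    ElseIf Not exact Then
        CheckRange = "is wider than the single peer subnet it contains: tighten it"
    Else
        CheckRange = "matches exactly one peer subnet: OK"
    End If
End Function

' Constructed sample: TMG merges Network A and B into one range (the failing
' case), while the Cisco side has one entry per /24.
Dim tmgRanges, peerSubnets, r
tmgRanges = Array(Array("10.1.0.0", "10.1.1.255"), Array("10.1.2.0", "10.1.2.255"))
peerSubnets = Array("10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24")
For Each r In tmgRanges
    WScript.Echo r(0) & "-" & r(1) & " " & CheckRange(r(0), r(1), peerSubnets)
Next
```

    With this input the first range is reported as combining two peer subnets and the second as an exact match, which is the split the article prescribes.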