Hotfix Rollup 5 for Forefront TMG 2010 SP2 Now Available

June 28, 2014 9 comments

Hotfix rollup 5 for Microsoft Forefront TMG 2010 with Service pack 2 (SP2) is now available for download. This latest hotfix rollup includes fixes for the following issues:

KB2963805 - Account lockout alerts are not logged after you install Rollup 4 for Forefront TMG 2010 SP2

KB2963811 - The Forefront TMG 2010 Firewall service (wspsrv.exe) may crash when the DiffServ filter is enabled

KB2963823 - “1413 Invalid Index” after you enable cookie sharing across array members in Forefront TMG 2010

KB2963834 - HTTPS traffic may not be inspected when a user accesses a site through Forefront TMG 2010

KB2967726 - New connections are not accepted on a specific web proxy or web listener in Forefront TMG 2010

KB2965004 - EnableSharedCookie option doesn’t work if the Forefront TMG 2010 service runs under a specific account

KB2932469 - An incorrect value is used for IPsec Main Mode key lifetime in Threat Management Gateway 2010

KB2966284 - A zero value is always returned when an average counter of the “Forefront TMG Web Proxy” object is queried from the .NET Framework

KB2967763 - The “Const SE_VPS_VALUE = 2″ setting does not work for users if the UPN is not associated with a real domain

KB2973749 - HTTP Connectivity Verifiers return unexpected failures in TMG 2010

You can download hotfix rollup 5 for Forefront TMG 2010 SP2 here. After applying this update, the new Forefront TMG 2010 build number will be 7.0.9193.644.

Forefront TMG 2010 Computer Certificate Request or Renewal Fails

April 21, 2014 2 comments

When attempting to request or renew a computer certificate on the Forefront TMG 2010 firewall, you may receive the following error message:

Status: Failed
The RPC server is unavailable.

 

forefront_tmg_2010_certificate_01

This occurs because the Forefront TMG 2010 firewall does not, by default, allow the protocols and ports required to request or renew a certificate from a Certificate Authority (CA). Common workarounds suggest stopping the firewall completely or creating a rule allowing all protocols and ports from the TMG firewall to the CA. However, both of these workarounds are problematic. Stopping the firewall is a manual process that will cause a service disruption. It also leaves the firewall in an unprotected state. For edge deployment scenarios, the underlying operating system will be exposed directly to untrusted networks, which is a serious security risk. Creating an open access rule is not desirable because it violates the basic security principle of least privilege by allowing more access than is required.

To properly address this issue and allow for the secure request and renewal of certificates without disruption and with the least exposure, it will be necessary to create an access rule on the Forefront TMG 2010 firewall to allow all dynamic ports (TCP 49152-65535) from the local host network to the IP address of the CA for all users.

forefront_tmg_2010_certificate_02

Note: Allowing all dynamic ports (TCP 49152-65535) might also be considered too much access from the Forefront TMG 2010 firewall to the CA. It is possible to restrict the dynamic ports used by TMG and further tighten the access rule, if required. For information about restricting dynamic ports, click here.

In addition to the access rule allowing all dynamic ports, it will also be necessary to make a change to a system policy rule. To do this, right-click the Firewall Policy node in the navigation tree and choose All Tasks, System Policy, and then Edit System Policy. In the Authentication Services group highlight Active Directory and clear the checkbox next to Enforce strict RPC compliance.

forefront_tmg_2010_certificate_03

Once these changes have been made you can now request or renew a computer certificate on the Forefront TMG 2010 firewall successfully.

forefront_tmg_2010_certificate_04

Forefront UAG 2010 End of Life Statement

December 17, 2013 4 comments

Today, Microsoft announced the end of life for the Forefront UAG 2010 product. Microsoft will continue to provide mainstream support for UAG until April 14, 2015, and extended support until April 14, 2020. Existing customers with active Software Assurance on their existing UAG licenses as of December 1, 2013, may add new UAG server instances, users, and devices without having to purchase additional UAG licenses. In addition, existing customers who have purchased Forefront UAG server licenses will be given upgrade rights to Windows Server 2012 R2, which provides some of the remote access features found in Forefront UAG. For example, Windows Server 2012 R2 supports DirectAccess, client-based VPN, and reverse web proxy with new Web Application Proxy role.

With regard to license upgrade rights, users are entitled to a Windows Server 2012 R2 license for each Forefront UAG server license (or External Connector license) they currently own. Software Assurance for UAG can still be purchased until January 1, 2014. Forefront UAG 2010 will be removed from the pricelist on July 1, 2014. Forefront UAG 2010 will continue to be available from Microsoft OEM hardware partners like Celestix Networks for the foreseeable future, however.

Forefront UAG Service Pack 4 Now Available for Download

November 27, 2013 Leave a comment

Good news! Service Pack 4 (SP4) for Forefront Unified Access Gateway (UAG) 2010 is now available for download. This latest service pack for UAG includes updates to support Windows 8.1 client devices using Internet Explorer 11, the native mail app, and Remote Desktop Connection (RDC) 8.1 client. In addition, SP4 for Forefront UAG 2010 also includes support for publishing RemoteApps from a Remote Desktop Session Host running on Windows Server 2012 or 2012 R2. The service pack also includes fixes for various reported issues.

KB2907776 - The UserMgrCom service crashes intermittently in Forefront UAG 2010

KB2909151 - Trunk authentication fails when the global catalog server is unavailable in Forefront UAG 2010

KB2909168 - The W3wp.exe process randomly stops and causes all sessions to disconnect in Forefront UAG 2010

KB2909182 - “The URL contains an invalid path” error occurs when you try to access an Exchange 2013 OWA website

KB2909191 - You cannot connect to corporate IPv4 resources by using DirectAccess after Forefront UAG 2010 Service Pack 3 is installed

KB2909350 - An SSL VPN application that has the Socket Forwarding mode set to Disabled uses 100 percent of the CPU’s time in Forefront UAG 2010

KB2909353 - You have to authenticate again to the ADFS server when the published server is configured for single sign-on in Forefront UAG 2010

KB2909356 - A detailed HTTP 403.14 error message occurs when you go to a specific InternalSite URL in a Forefront UAG 2010 environment

KB2909365 - A memory leak in W3wp.exe occurs when Outlook Anywhere is published through a Forefront UAG 2010 trunk

KB2909367 - Intermittent HTTP 500 error codes when you access a Forefront UAG 2010 portal

KB2909376 - File uploads do not occur to SharePoint Server 2013 or SkyDrive Pro through Forefront UAG 2010

KB2910407 - An internal 500 error occurs if a custom URL logoff page is configured in Forefront UAG 2010

KB2910413 - Multiple 4625 event IDs are logged when a user logs on in Forefront UAG 2010

KB2910467 - Configuration activation fails on some servers in a large array in Forefront UAG 2010

KB2910498 - A handle leak occurs in Lsass.exe in Forefront UAG 2010

KB2910506 - An authentication prompt is received even though a user is successfully authenticated in Forefront UAG 2010

KB2910517 - An incorrect domain password policy may be used if Active Directory integrated authentication is configured in Forefront UAG 2010

You must have Forefront UAG 2010 SP3 hotfix rollup 1 installed prior to installing SP4. You can download SP3 rollup 1 here. You can download Forefront UAG 2010 SP4 here. Once the update is installed the new Forefront UAG 2010 build number will be 4.0.4083.10000.

Windows Azure Multifactor Authentication and Forefront TMG 2010

November 12, 2013 1 comment

When Microsoft first announced Windows Azure Multi-Factor Authentication, a cloud-based strong authentication solution, my first thought was “I wonder if it works with Forefront TMG 2010?” Being cloud-based, my first thought was perhaps not. However, once I started digging in to it I quickly learned that it includes a software component that can be installed on-premises and will even integrate with on-premises security solutions via a number of interfaces, including RADIUS. Forefront TMG 2010 has supported RADIUS authentication for many years, so I put together a test lab and in no time at all I had Windows Azure multi-factor authentication working with Forefront TMG 2010 remote access VPN. Forefront TMG 2010 integrated with Windows Azure multi-factor authentication provides the highest level of protection for remote access users. Leveraging Windows Azure cloud-based strong authentication is extremely cost effective, with very low per user or per authentication costs and no on-premises hardware to purchase. The Windows Azure public cloud, which is ISO/IEC27001:2005 certified, provides the most secure and reliable strong authentication service available today. To learn how to configure Forefront TMG 2010 to work with Windows Azure multi-factor authentication, click here.

windows_azure

Hotfix Rollup 4 for Forefront TMG 2010 SP2 Now Available

November 8, 2013 Leave a comment

Hotfix rollup 4 for Microsoft Forefront TMG 2010 with Service Pack 2 (SP2) is now available for download. This latest hotfix rollup includes fixes for the following issues:

KB2889345 – Accounts are locked out beyond the AccountLockoutResetTime period in Forefront TMG 2010 SP2

KB2890549 – Incorrect Performance Monitor values when queried from a .NET Framework app in Forefront TMG 2010

KB2890563 – “URL” and “Destination Host Name” values are unreadable in the web proxy log of Forefront TMG 2010

KB2891026 – Firewall Service leaks memory if Malware Inspection is enabled in Forefront TMG 2010

KB2888619 – A password change is unsuccessful if a user’s DN attribute contains a forward slash and an Active Directory LDAP-defined special character in Forefront TMG 2010

KB2863383 – “Query stopped because an error occurred while it was running” when you run a non-live query in Forefront TMG 2010 SP2

KB2899720 – Threat Management Gateway 2010 incorrectly sends “Keep-Alive” headers when it replies to Media Player WPAD file requests

KB2899716 – Firewall service (Wspsrv.exe) crashes when a web publishing request is handled in Forefront TMG 2010

KB2899713 – Access to certain SSL websites may be unavailable when HTTPS Inspection is enabled in Forefront Threat Management Gateway 2010

You can download hotfix rollup 4 for Forefront TMG 2010 SP2 here. After applying this update, the new Forefront TMG 2010 build number will be 7.0.9193.601.

Publishing Exchange 2013 Outlook Web App with Forefront TMG 2010

October 29, 2013 Leave a comment

Recently I wrote an article for ISAserver.org about publishing Exchange 2013 Outlook Web App (OWA) using Forefront TMG 2010. In spite of the fact that many organizations are migrating their e-mail services to the cloud, there are many organizations who cannot, for a variety of reasons, take advantage of cloud services for e-mail. This makes Exchange 2013 a compelling upgrade for many companies. Historically Forefront TMG 2010 and its predecessors were the go-to service for securing access to on-premises Exchange implementations. Forefront TMG 2010 supports OWA publishing with native publishing wizards, allowing you to select which version of Exchange you are publishing, with the added bonus of providing in-box forms-based authentication (FBA) templates that matched the look and feel of the Exchange version you were publishing. Since Forefront TMG 2010 has been deprecated, Microsoft has not updated Forefront TMG 2010 to include support for Exchange 2013 OWA. However, you can still publish Exchange 2013 OWA using Forefront TMG by following the instructions outlined in my ISAserver.org post. When using this method, the Exchange 2010 FBA templates are used. This makes the user experience somewhat disjointed, with the FBA pages not matching the new, updated look and feel of OWA 2013. To remedy this, I reached out to my good friend Scott Glew at Fastvue. Scott is a terrific web developer, as evidenced by the amazing UI included with the TMG Reporter solution. In short order, Scott whipped up some customized Forefront TMG 2010 FBA templates to match the look and feel of OWA 2013 and has made them available for free. Now if you’re publishing Exchange 2013 OWA using Forefront TMG 2010, you can download these custom templates and use them to provide a consistent experience for your Exchange OWA users. Enjoy!

Publish Exchange 2013 OWA with Forefront TMG 2010

Follow

Get every new post delivered to your Inbox.

Join 78 other followers

%d bloggers like this: