Comments for Richard Hicks' Blog

Comment on Load Balancing and Forefront TMG Firewall Clients by Richard Hicks

Richard Hicks — Thu, 23 Feb 2012 23:52:50 +0000

Hi Sherry,

DNS round robin is indeed supported for load balancing Forefront TMG 2010 firewall clients. Information on how to configure DNS round robin can be found here:

http://technet.microsoft.com/en-us/library/cc787484(v=WS.10).aspx

Thanks!

Comment on Slipstream Service Pack 2 for Forefront TMG 2010 by Jim Duncan

Jim Duncan — Thu, 23 Feb 2012 17:38:00 +0000

Great info, thanks!

I was having problems slipstreaming SP1 (getting a “Internal error 2203″); it turns out that the MS_FPC_Server.mis file was marked read-only when it was copied from the DVD image. Once I removed the read-only attribute things went perfectly.

Thanks again!

Comment on Load Balancing and Forefront TMG Firewall Clients by Sherry

Sherry — Thu, 23 Feb 2012 01:23:50 +0000

Thanks richard and all the commentators for valuable information.

I have two TMG boxes (enterprise FF) in a Single Array – we use firewall client and it resolves to ONE member at a time –

How can I setup DNS Round Robin within this scenario ?
Would DNS Round Robin cause connectivity issues (as you say about the firewall client control chanel thing) ?

Will be grateful if you could provide a step by step to create a dns round robin for my two TMG boxes in a Single Array and Firewall Client in action on the client side.

TMGSNR = 192.168.1.1
TMGJNR = 192.168.1.2

Thanks ever so much !

Comment on WPAD Considerations for Kerberos Authentication with NLB VIP on Forefront TMG 2010 by Richard Hicks

Richard Hicks — Sat, 18 Feb 2012 03:07:40 +0000

Yes, it is a statically updated file. You could probably update it using some type of file replication I would guess…

Comment on Running Windows Update on a TMG Firewall Fails with Result Code 80072EE2 by Richard Hicks

Richard Hicks — Sat, 18 Feb 2012 03:05:25 +0000

Have you confirmed that name resolution is working correctly and that you in fact have outbound network connectivity? Also, you can find more details in the windowsupdate.log file located in the Windows directory.

Comment on Running Windows Update on a TMG Firewall Fails with Result Code 80072EE2 by xyyz

xyyz — Sat, 18 Feb 2012 01:53:02 +0000

sadly, this hasn’t worked for me. anyone have any more ideas?

Comment on WPAD Considerations for Kerberos Authentication with NLB VIP on Forefront TMG 2010 by mikehowells

mikehowells — Sat, 18 Feb 2012 01:12:39 +0000

Does the login script deploy a manually configured PAC file? If so, how is it kept updated as changes are made to the ISA/TMG array?

Comment on WPAD Considerations for Kerberos Authentication with NLB VIP on Forefront TMG 2010 by Richard Hicks

Richard Hicks — Sat, 18 Feb 2012 00:47:33 +0000

I wouldn’t say “most” clients, but I’ve worked with quite a few customers to enable group policy to configure their web proxy client settings. Using GPOs does workaround the WPAD issue we’re discussing here, but as you correctly observed, this is a potential sticking point for mobile devices that need to connect to the Internet outside of the office. In cases like this I’ve actually seen organizations deploy a PAC file on the local file system which is configured to use a direct connection if the proxy server is unavailable. The PAC file is distributed via logon script or any other file replication mechanism.

Comment on WPAD Considerations for Kerberos Authentication with NLB VIP on Forefront TMG 2010 by mikehowells

mikehowells — Fri, 17 Feb 2012 20:48:05 +0000

In your experience, do you typically see most clients using GPO’s to distribute the proxy name to web browsers?

Since this would not use WPAD this would then allow them to utilize Kerberos (I’m assuming that they would just run that script to change the MakeProxies behavior to return FQDN’s instead of IP’s).

My next question is, if you indeed do see clients using GPO’s to point to the proxy server, how do you handle it when a laptop user leaves the office? Won’t the web browser continue to try to hit the proxy server as served-up by the GPO if the web browser is launched outside of the office?

Comment on WPAD Considerations for Kerberos Authentication with NLB VIP on Forefront TMG 2010 by Richard Hicks

Richard Hicks — Fri, 17 Feb 2012 17:49:54 +0000

Yes, this script works with Forefront TMG 2010 in addition to ISA 2006. There is no requirement to configure SPNs for array members, as they are already registered in the Kerberos database. The only time you need to configure SPNs is when you are using a name that is not the hostname of an array member (for example, the array DNS name). If you want to use WPAD *and* have all requests delivered to the VIP, you will have to use a custom script file.