Windows 8 Modern UI Apps and Forefront TMG 2010
On a Windows 8 client deployed behind a Forefront TMG 2010 firewall, users may receive the following error when trying to open the Windows Store app.
Your PC isn’t connected to the Internet. To use the Store, connect to the Internet and then try again.
Other Windows 8 “modern UI” applications may experience similar behavior if they require access to resources on the public Internet. However, you are able to access the Internet using both the modern UI and desktop versions of Internet Explorer 10.
The problem occurs when the Forefront TMG 2010 firewall is configured to require authentication on rules controlling access to the Internet over HTTP and HTTPS, or if the option to require all users to authenticate is enabled on the web proxy listener (which isn’t a good idea!). Authenticated web proxy access requires that the client be configured either as a web proxy client or as a firewall client. Internet Explorer can be configured as a web proxy client, typically using automatic configuration (WPAD) through DNS or DHCP, but Windows 8 modern UI applications do not inherit Internet Explorer proxy server settings. As such, they behave as SecureNAT clients, which do not support authentication. To resolve this issue, run the following command from an elevated command prompt on the Windows 8 client.
netsh winhttp set proxy <tmg_hostname_or_IP_address>:<web_proxy_listener_port>
For example…
netsh winhttp set proxy tmg.richardhicks.net:8080
More information about configuring WINHTTP can be found here.
Another workaround is to install the Forefront TMG 2010 firewall client. This will ensure that all outbound communication through the Forefront TMG firewall is always authenticated.
Error 0x8004FE2F Activating Windows on Forefront TMG 2010 Protected Network
When attempting to activate Windows Server 2008 R2, you may receive one of the following error messages:
A problem occurred when Windows tried to activate. Error Code 0x8004FE2F
Or…
A problem occurred when Windows tried to activate. Error Code 0xC004FC03
If you attempt to activate Windows from the command line using slmgr.vbs -ato, you may also encounter one of the following error messages:
Activating Windows Server(R), ServerEnterprise edition {GUID}... On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x8004FE2F' to display the error text. Error: 0x8004FE2F
Or…
Activating Windows Server(R), ServerEnterprise edition {GUID}... On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x80072EE2' to display the error text. Error: 0x80072EE2
The problem may occur for systems that are located on a network that is protected by a Forefront TMG 2010 firewall, and the access rule that allows the traffic requires authentication. The Windows activation process relies on WinHTTP and, by default, WinHTTP communication is sent as SecureNAT client traffic. SecureNAT clients unfortunately cannot be authenticated, so the request fails.
There are two ways to resolve this issue. The first is to configure WinHTTP on the Windows system you are trying to activate to use a proxy server explicitly. Open an elevated command prompt and enter the following command:
netsh winhttp set proxy <name or IP address of proxy server>:<port>
For example:
netsh winhttp set proxy tmg.richardhicks.net:8080
Instead of making this change to each system you want to activate, an alternative is to create an anonymous access rule on the Forefront TMG 2010 firewall that allows HTTP and HTTPS traffic to those destinations required to activate Windows. Using the Forefront TMG 2010 management console, create an access rule that allows HTTP and HTTPS from the Internal network to a Domain Name Set that contains the following destinations for all users:
activation.sls.microsoft.com.nsatc.net
go.microsoft.com
*.sls.microsoft.com
Make sure this rule is placed before any other rules for HTTP or HTTPS that require authentication.
Once configured, activating Windows should work without issue.
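The rule-ordering requirement above can be seen in a small model, added here as an illustration and not taken from the original post or from Forefront TMG itself. It assumes first-match evaluation in which a matching rule that requires authentication denies an unauthenticated (SecureNAT) request instead of falling through, and that `*.` entries match only hosts beneath the suffix; the rule names and the `ANY` set are hypothetical.

```python
# Simplified model (an assumption for illustration, not TMG's own engine):
# rules are checked top-down, and the first rule that matches protocol and
# destination decides the outcome for the request.
from dataclasses import dataclass

# Domain Name Set from the article.
ACTIVATION_SET = ("activation.sls.microsoft.com.nsatc.net",
                  "go.microsoft.com", "*.sls.microsoft.com")
ANY = ("*",)  # hypothetical "all destinations" set

def in_name_set(host, name_set):
    """True if host matches an entry; '*.x' matches hosts beneath x only."""
    host = host.lower().rstrip(".")
    for entry in name_set:
        if entry == "*" or host == entry:
            return True
        if entry.startswith("*.") and host.endswith(entry[1:]):
            return True
    return False

@dataclass
class Rule:
    name: str
    protocols: tuple
    destinations: tuple
    requires_auth: bool

def evaluate(rules, protocol, host, authenticated):
    """Return (rule name, outcome) for one outbound request."""
    for rule in rules:
        if protocol not in rule.protocols:
            continue
        if not in_name_set(host, rule.destinations):
            continue
        if rule.requires_auth and not authenticated:
            # SecureNAT traffic cannot answer a credential challenge, so the
            # request fails here and later rules are never consulted.
            return rule.name, "denied"
        return rule.name, "allowed"
    return "default", "denied"

WEB = ("HTTP", "HTTPS")
anon = Rule("Windows activation (all users)", WEB, ACTIVATION_SET, False)
auth = Rule("Internet access (authenticated)", WEB, ANY, True)
GOOD_ORDER = [anon, auth]  # ordering the article recommends
BAD_ORDER = [auth, anon]   # anonymous rule is never reached

if __name__ == "__main__":
    for label, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, evaluate(rules, "HTTPS", "activation.sls.microsoft.com", False))
```

With the recommended ordering, unauthenticated requests to any destination outside the Domain Name Set still reach the authenticated rule and are denied, so the anonymous exception stays limited to the activation hosts.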