Archive for the ‘TMG2010’ Category

Installing Configuration Manager 2012 clients on all my servers was fairly easy and straight forward. With one exception – My TMG2010 server running Server 2008R2.
For some reason, the client would install, but would never assign itself to my site, or download policies. The firewall rules allowed it to talk to the ConfigMgr server, and monitoring the traffic showed nothing was being blocked at all.
Much digging in TechNet etc and I found various mentions relating to certificates. This put me on the right track and got me 80% of the way there, but not quite.

There was not a lot of indication of what was going wrong. Most of the logs just weren’t reporting anything, let alone an error. The one log that was showing something is the “ClientIDManagerStartuplog” with repeating entries of

RegTask: Failed to get certificate. Error: 0x80004005

This was the only place I could find an indication of what was wrong.

Various articles say to delete all the files in the MachineKeys certificates folder. That is VERY BAD, DO NOT DO THAT!

While they are misguided, they do point to the correct resolution. Some suggest deleting one specific file which is the SMS certificate. At first, permissions blocked me doing this, but even after deleting it, the problem would repeat.

(more…)

Advertisements

After *yet another* disk crash, my TMG service wouldn’t start. Databases were all fine and no disk errors to be found. I was just about to repair\reinstall when I noticed the following blog post which sorted the problem out much more easily!

http://social.technet.microsoft.com/wiki/contents/articles/16488.tmg-2010-firewall-service-crashing-event-id-pointing-to-malware-updates-resolution.aspx

Must be fate considering that post was only made a few short weeks ago. Almost like they *knew* it was about to happen to me… Maybe they caused it just to drive traffic to their site… hmm…

 

It pays to be paranoid in the security world.

I came across this blog post while trying to find ways to change the TMG2010 Forms based login page to match the Exchange 2013 OWA page. I haven’t figured out how to do the OWA 2013 thing yet, but I think this will be quite sufficient:

http://www.fastvue.co/blog/mobile-friendly-forefront-tmg-forms-based-authentication-template

Those instructions are specifically for if you are using TMG Form Based Authentication (FBA) in front of a (non-owa/normal) web site. To make it work with Exchange OWA it needs to be done slightly differently. I’m using TMG 2010 and Exchange 2013, but the settings should be the same for Exchange 2007/2010 as well.

(more…)

I’ve been seeing this error on my TMG 2010 Standard server ever since I put it into production and I couldn’t understand what it was or why it was happening

 

I never understood this message because I’m running Standard edition, which doesn’t do arrays (you need Enterprise). I’ve also never configured any array settings, and I’ve never seen any array settings on the Standard edition that could be configured.

It turns out that even though this is Standard edition, and there are no array, TMG seems to still think of itself as being in an “array of one”. When I built the server it had a temporary IP address that was changed when I switched over from the old Firewall server. It is this change of IP address that caused the error. It never seems to have caused any problems that I noticed, so I ignored it.

Until now.

As part of the “big recovery” I decided to kill all annoying errors. And this TechNet post had the solution.

(more…)

The continuing journey in the very slow quest to restore everything.

This post is the recovery of the SQL Express database used by the Threat Management Gateway (TMG 2010) firewall. The SQL Server (ISARS) and (MSFW) instances were failing to start with an eventid:9003 message saying “The log scan number passed to log scan in database ‘master’ is not valid”

Essentially it would appear the MASTER database was corrupted, and as per the other servers the backup was also messed up. :sigh:

(more…)