[isalist] Re: TMG Client

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 9 Feb 2012 20:00:11 +0000

..shades of "Google Toolbar"!
Glad you sorted it; now it's time to get a free case from CSS...
:)

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
Sent: Thursday, February 09, 2012 8:40 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: TMG Client

Interesting twist on this one... While troubleshooting this a bit I uninstalled 
the "Bing Bar" from the workstation and the TMG client started working 
properly...


From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx]<mailto:[mailto:isalist-bounce@xxxxxxxxxxxxx]>
 On Behalf Of Jim Harrison
Sent: Friday, February 03, 2012 1:40 PM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: TMG Client

99.444 sure it's a name resolution problem; probably domain suffix or DNS 
server.
Get a netcap from the client and let's see what shakes out.
Do this at the failing client:


1.       Open an elevated cmd window

2.       Type:

net stop fwcagent & ipconfig /release & ipconfig /flush & nbtstat -RR

3.       Start Netmon capturing

4.       Type:

ipconfig / renew & net start fwcagent

5.       in the TMGC UI, try to auto-detect the TMG

6.       stop capturing

the capture will tell you the whole story.

From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx]<mailto:[mailto:isalist-bounce@xxxxxxxxxxxxx]>
 On Behalf Of Ball, Dan
Sent: Friday, February 03, 2012 10:16 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: TMG Client

<no Forefront TMG detected>

If I configure it manually and test it though, it works fine.  Other computers 
autodetect like their supposed to.

From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx]<mailto:[mailto:isalist-bounce@xxxxxxxxxxxxx]>
 On Behalf Of Jim Harrison
Sent: Thursday, February 02, 2012 3:01 PM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: TMG Client

Assuming all clients use the same TMG network interface, probably.
What appears in the TMG client auto-detection window?

From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx]<mailto:[mailto:isalist-bounce@xxxxxxxxxxxxx]>
 On Behalf Of Ball, Dan
Sent: Thursday, February 02, 2012 11:18 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: TMG Client

Thanks, I had already changed the address (where shown below) to the IP address 
of the server instead of a DNS name.  Do you think that will work better?


From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx]<mailto:[mailto:isalist-bounce@xxxxxxxxxxxxx]>
 On Behalf Of Jim Harrison
Sent: Wednesday, February 01, 2012 9:45 AM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: TMG Client

Sadly, although fwctool and TMGC both use DHCP, DNS, HTTP and RWS to validate 
auto-detection, each one employs slightly different methodology.  TMGC received 
some changes in response to the WPAD 
vulnerability<http://technet.microsoft.com/en-us/security/advisory/945713> that 
fwctool did not.  There was much discussion about syncing them before ship so 
that they would behave identically (and thus avoid your confusion), but 
unfortunately, fwctool failed to make the cut.

WPAD operation and the TMG settings that affect it are described in the TMG 
book in chapter 15 and Appx C.

99 times out of 10, the problem you describe is name resolution (usually a lack 
of proper domain suffix).
You need to ensure that your array "DNS name" is properly set :
[cid:image001.png@01CCE722.5E739840]

..and that each protected network has the TMGC settings configured for the DNS 
suffix it serves:
[cid:image002.png@01CCE722.5E739840]

Network Monitor has built-in filters designed specifically to help you 
troubleshoot such issues.
Bear in mind that

Jim

From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx]<mailto:[mailto:isalist-bounce@xxxxxxxxxxxxx]>
 On Behalf Of Ball, Dan
Sent: Thursday, January 26, 2012 11:59
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] TMG Client

Is there any particular reason why the TMG client would come up with "Failed to 
detect Forefront TMG" Immediately upon pressing the Detect Now button, but when 
running the "fwctool testautodetect" command it shows a success?  I have a few 
computers doing that.  Setting it manually works.



PNG image

PNG image

Other related posts: