• RELEVANCY SCORE 4.55

    DB:4.55:Error 3219 Perimeter Network Host 10.0.10.21 Cannot Be Used In Physical-To-Virtual Or Virtual-To-Virtual Conversions. f3




    I am using VMM 2008 R2 and trying P2V to convert a physical server (joined to the AD domain) into a Hyper-V host (not joined to the AD domain but residing on the network perimeter). All feasibility passes by, but I receive an error message as below:
    Error (3219):
    Perimeter network host 10.0.10.21 cannot be used in physical-to-virtual or virtual-to-virtual conversions.
    Recommended Action:
    Specify a host located in a trusted domain, then try the operation again.
    Please Advise.

    Sumeet Khokhani

    DB:4.55:Error 3219 Perimeter Network Host 10.0.10.21 Cannot Be Used In Physical-To-Virtual Or Virtual-To-Virtual Conversions. f3

    Hello Kristian

    I run into the same problem as Sumeet Khokhani. I have a Windows Server 2008 R2 with Hyper-V, and the Hyper-V server is not a member of my domain. I just want to convert a physical machine (member of my domain) into the Hyper-V host with SCVMM 2012. As far as
    I know, SCVMM 2012 supports this. Is that correct or wrong? Looking forward to hearing from you.
    Best Regards
    Chris

  • RELEVANCY SCORE 3.65

    DB:3.65:Error (3219): Perimeter Network Host 192.168.0.233 Cannot Be Used In Physical-To-Virtual Or Virtual-To-Virtual Conversions. f1




    Good day, everyone!
    There is a Windows Server 2008 R2 hypervisor that is not in the domain. A VM with SCVMM 2012 installed is deployed on it.
    There is a physical machine running Windows Server 2008 R2 Foundation that needs to be virtualized.

    All three servers are in the same subnet.
    When SCVMM 2012 was installed, the server had an IP address from a different subnet.
    When attempting to virtualize the physical server running Windows Server 2008 R2 Foundation, the following error is returned:
    Error (3219):
    Perimeter network host 192.168.0.233 cannot be used in physical-to-virtual or virtual-to-virtual conversions.
    Recommended Action:

    Specify a host located in a trusted domain, then try the operation again.

    Host 192.168.0.233 is the hypervisor; it has a single network interface, which faces the same subnet as the other servers.
    I joined the hypervisor to the domain; nothing changed.
    The article http://technet.microsoft.com/en-us/library/cc764232.aspx says: To perform a P2V conversion, your source computer: ... Cannot be in a perimeter network. But all the servers
    are in the same subnet.
    What could the problem be?

    DB:3.65:Error (3219): Perimeter Network Host 192.168.0.233 Cannot Be Used In Physical-To-Virtual Or Virtual-To-Virtual Conversions. f1


    Remove the Hyper-V host and add it again as a managed host.

    I tried that; it did not help.

  • RELEVANCY SCORE 3.61

    DB:3.61:Autocreated Run As Accounts - Perimeter Network mx




    I notice I have several Autocreated by VMM Run As Accounts. There is one for each host that I added using the Perimeter Network option. Under the Consumers tab on the Run As Account it lists the host. Are these still needed after
    the host is added, or can these be removed?

    DB:3.61:Autocreated Run As Accounts - Perimeter Network mx

    When you install an agent locally on a host on a perimeter network, the Agent Setup Wizard automatically generates a local account with administrator privileges on the host and a set of credentials for the account. It then encrypts the account credentials and other agent access information into a security file. After you add the host, VMM uses the credentials to communicate with the agent on the host.
    You cannot change the credentials for the local account during setup; however, you can update the password after you have added the host. For more information about updating the password, see
    How to Update the Agent Password on a Host on a Perimeter Network

    Source http://technet.microsoft.com/en-us/library/bb740809.aspx.

    Mohamed Fawzi | http://fawzi.wordpress.com

  • RELEVANCY SCORE 3.60

    DB:3.60:Perimeter Network Host - Access Denied cm


    Hello,
    I had tried to add a perimeter network host to the SCVMM 2008 (patch installed), and I am getting the following error message on Refresh-VMHost:
    Error (500)
    Could not retrieve configuration data from the virtual machine host LCORE. (Access is denied (0x80070005))
    Recommended Action
    Verify that Windows Management Instrumentation, Windows Remote Management (WS-Management), Virtual Server, and Virtual Machine Manager Agent services are running on LCORE. Then try the operation again.
    I have done the following steps on SCVMM Server:
    - Installed Windows 2008
    - Installed SCVMM 2008 beta with the default options
    - Installed SCVMM Patch
    I have done the following steps on host:
    - Installed server core 2008

    Cscript %WinDir%\System32\Scregedit.wsf /ar 0
    Cscript %WinDir%\System32\Scregedit.wsf /cs 0

    wusa Windows6.0-KB950050-x64.msu
    netsh firewall set opmode disable
    WinRM qc

    netdom renamecomputer %computername% /newname LCORE

    bcdedit /set hypervisorlaunchtype auto
    start /w ocsetup Microsoft-Hyper-V

    diskpart
    copied c:\Program Files\Microsoft System Center Virtual Machine Manager 2008\agents\amd64 from SCVMM2008 server

    vcredist_x64.exe
    msiexec /i vmmAgent.msi

    After this I had copied the SecurityFile.txt to the SCVMM server and added the host as Windows perimeter network host with the server name LCORE ( DNS resolution ok )

    DB:3.60:Perimeter Network Host - Access Denied cm

    You may want to check out this similar thread:
    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3344477SiteID=17
     

  • RELEVANCY SCORE 3.25

    DB:3.25:Thread: Dns x7


    I am setting up a Novell DNS server on NW6 sp4 to allow me to use Dynamic DNS for workstation netbios name resolution. My main DNS server controlled by our perimeter guys is using some version of BIND. I have my DNS server setup as a secondary zone and a secondary IN-ADDR.ARPA zone as well. The BIND server is set to allow zone transfers to the Novell DNS server. I get an error during a zone-in transfer. Also I have set my primary DNS server as the forwarder for my Novell server but it seems to work for some things but not others. If I set my workstation to only use the Novell DNS I can browse the Internet all day long but I cannot resolve internal host names. For instance we have created records in our primary DNS server for all the Netware boxes, when I use that DNS server I can resolve them but not when I use my Novell DNS server. I guess my long term goal is to have a local Novell DNS server setup for DDNS for workstation name resolution and for local DNS lookups with my BIND server being the primary for network devices that I create records for. I am not allowing zone-out transfers from Novell to my primary as I don't want all the workstation records on that box. Any help would be appreciated.

    Thanks,

    Jason

    DB:3.25:Thread: Dns x7

    In article TOMqc.1001$1N1.788@prv-forum2.provo.novell.com, Jason Emery wrote:

    What do you think about that, something like domain.local?

    That could well be the simplest thing to do.

    bd

    NSC Volunteer SysOp

  • RELEVANCY SCORE 3.18

    DB:3.18:Hol-Sdc-1303 Mod 2 - Pg 107 3-Tier Webapp Not Communicating - Can Anyone Check My Config? 8a



    pretty sure I did it right. went over it numerous times and all the settings appear correct for OSPF. IPs, etc on both perimeter and distributed edges.

    I saw one error msg which said something like the vNIC needed to be on the right ?network?

    only other thing I noticed was on perimeter edge-Manage-settings-Interfaces page: the netmask for vNIC 4 Transit_to_VDR 192.168.9.1 interface had a /29 which seemed wrong since everywhere else that subnet is /24. I changed it but it did not make a difference.

    everything looked OK but page 107 connecting back to the 3_Tier webapp page and refreshing still shows Service Unavailable Error 503

    - Stew 8^(

    DB:3.18:Hol-Sdc-1303 Mod 2 - Pg 107 3-Tier Webapp Not Communicating - Can Anyone Check My Config? 8a


    that might be it. Tomorrow, I'll make sure they are correct and try again. thanks.

  • RELEVANCY SCORE 3.07

    DB:3.07:Routing To Subnets Through A Router. 3s


    Hello Everyone,

    I've a problem routing Internal and Perimeter traffic to Subnets through a router.

    Our network Layout:

    What I want to achieve:
    - Use TMG as the default gateway for the Internal and Perimeter network.
    - Route Internal, subnets and Perimeter.
    - Accomplish this without using a static route in the clients machines.

    What I've done so far:
    - Added a third NIC and Network for Perimeter.
    - Added a Route rule between Perimeter and Internal.
    - Added an Access Rule to allow traffic between Perimeter and Internal.
    - Added a Range address in the Internal network (172.16.0.0 ~ 172.16.255.255).
    - Added a static route using the OS or/and TMG console (172.16.0.0 255.255.0.0 172.16.71.8).

    TMG settings:
    - IPv6 is disabled in all NIC's.
    - Adapters binding orders is (Internal, Perimeter, External)
    - Only one gateway is set, and it's in the External NIC.
    - Only one DNS server is set, and it's in the Internal NIC.

    What is working:
    - TMG to ALL.
    - Internal to subnets (ONLY ping works)
    - Perimeter to Internal (172.16.71.0)

    What is NOT working:
    - Perimeter to subnets.
    - Internal to subnets (other than PING)

    what I don't understand is that I have another TMG (built for tests) machine
    with the same settings (without TMG SP 1 2) that can route to
    subnets.

    Thanks for your help.

    DB:3.07:Routing To Subnets Through A Router. 3s

    Hi,
    Thank you for the post.
    You may specify the router as the default gateway for internal clients as per this guide:

    http://technet.microsoft.com/en-us/library/cc302656.aspx#ClientConnectionsFromARemoteSubnetDenied, and on TMG server, add static route to point to router.
    Regards,
    Nick Gu - MSFT

  • RELEVANCY SCORE 2.98

    DB:2.98:Unable To Add Perimeter Host Scvmm 2008 R2 f3


    I receive the following error when attempting to add a perimeter host to my SCVMM console. I have completed a debug trace log and will send it along if you can help me identify the issue. Thanks!
    I attempted to add the host by ip address, which I have substituted below with the word 'host.'
    Error (10409)
    Virtual Machine Manager cannot contact 'host.'

    Recommended Action
    1. Verify that the correct security file is specified.
    2. Verify that DCOM access, launch, and activation permissions are enabled for the Administrators group on 'host'
    3. Use dcomcnfg.exe to modify permissions as needed and then try the operation again.

    DB:2.98:Unable To Add Perimeter Host Scvmm 2008 R2 f3

    Never mind... I was able to resolve the issue with a group policy setting. The local administrator group needs access to the server over the network; we disable ours by default.

  • RELEVANCY SCORE 2.95

    DB:2.95:Rdp Through Rras Server (Hyper V) kp


    Here's the deal, I have two Server 2008 R2 servers running Hyper V only. Both host several virtual Machines. Both have two NIC's one for the Domain side, one for the perimeter side. All nic's, switches, routers are Gigabit. None are enterprise class devices.
    Both are connected to Domain side but not to perimeter side. Some of the VM's are on domain side and some are on perimeter side. All VM's on domain side are domain joined, all VM's on perimeter side are not.
    One of the VM's is setup as an RRAS server running only Remote access and LAN routing, this VM is connected to both of the NIC's of its host in order for it to act as the router between the Domain side and Perimeter side. All routes are setup static, I.E.
    routing manager is disabled on both interfaces. (Although I have tried all later steps with it enabled on each and both.)
    I cannot for the life of me RDP through it to the VM's on the perimeter side. I usually just get a black screen, once in a while I will get a desktop for a few seconds, and then back to black screen. All machines on the Domain side have internet access and
    it seems routing is fine. (sometimes websites don't come up but a refresh usually brings it up fine, don't know if it's a related problem or not and doesn't happen very often. Can be frustrating for Clients though.)
    All VM's on the Domain side list their location as Domain Network, all VM's on the perimeter side list as Public. Ping doesn't work to these machines since public profile is active on firewalls, but telnet to any one of the perimeter side on port 3389 seems
    to connect, it shows a flashing cursor anyway. Don't know much about telnet yet other than to test if the port connects but it seems to. As a side note the RRAS server lists both interfaces as Domain profile, but ping to it doesn't work either unless I disable
    firewall altogether.
    I have tried everything I can think of and every post I can find on the internet and nothing has fixed the problem. (Disabling firewalls all the way through, including Hosts, double checked all routes, checked that remote access is enabled on all machines,
    and many others.)
    I have sort of come to the conclusion that there is something going on in the RRAS server that is not letting RDP traffic through efficiently if at all. If I switch the VM to the domain side NIC all is well. I have read some things about default filtering
    on the RRAS server role in server 2008 R2 but on the filtering tab all filtering is off, and in the RRAS MMC it shows filtering off on all interfaces.
    I have thought about putting all perimeter side VM's on both NIC's as I know it would work this way, but trying to maintain Perimeter/Domain environment. Thought about putting an RODC on the perimeter to Domain join all the Perimeter side VM's to Domain, but
    don't know if this would solve the problem. If I put these VM's on both NIC's would this pose a security risk? (Being as this is test environment it's really not a big deal, but trying to maintain the environment to be as real as possible.)
    I should mention this is purely a lab environment as I am an IT student, so can't afford enterprise class routers, switches etc... but my devices seem to work fine and they are all cisco small business devices, so offer a lot of enterprise class functionality.
    I.E. port forwarding, advanced routing etc...
    Any help would be greatly appreciated.
    Thank you,
    Chris

    DB:2.95:Rdp Through Rras Server (Hyper V) kp

    What antivirus or security apps are installed? If you disabled all of them and the Windows firewall, does that work?
    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 Exchange 2007 Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • RELEVANCY SCORE 2.89

    DB:2.89:Create Virtual Machine: Failed? a1


    Hello,
    I tried to deploy a virtual machine from a template to a W2K8 R2 Hyper-V host on a perimeter network. I have already deployed 3 VMs this way. For some days this has no longer been possible: I always get the error:
    Error (2941)
    VMM is unable to complete the request. The connection to the agent on machine HV-Host1 has been lost. (Unknown error (0x80072efe))
    Recommended Action
    Ensure that the WS-Management service and the agent are installed and running and that a firewall is not blocking HTTP traffic.
    The VM folder on the VM storage is created, but it seems that when the template disk is being copied the job fails after some minutes at
    1.2 deploy file (using BITS over HTTPS): 0 if 1 files (oKB/7,57 GB) time remaining...
    The VM.vhd file is created with 0KB.
    If I do the same to a second W2K8 R2 Hyper-V host (not on a perimeter network) it runs without any problems.
    So ???
    Thx!

    DB:2.89:Create Virtual Machine: Failed? a1

    check this

    The underlying error (0x80072efe) is an http error: ERROR_INTERNET_CONNECTION_ABORTED. I have seen this error when VMM attempts to transfer files between machines through BITS and fails. I am not sure of the exact cause of these errors, but I think they are usually related to a firewall or SSL certificate issue on port 443 between the machines involved in the file transfer. In this case, I am not sure which part of the P2V process is failing, and the file transfer could be between:
    - source machine - destination host
    - VMM server - destination host
    - destination host - VMM server

    What OS are your VMM server and host machines? If this is related to the bug Chetang pointed out, I think the workarounds were to restart the host machine or deregister the SCVMM SSL certificate. I would check the following first:

    You can check the certificates by:
    1) open Microsoft Management Console (start - search - MMC)
    2) File - Add/remove Snapin
    3) Add Certificates snapin, manage certificates for Computer account
    4) SCVMM certificate for local machine is stored in Personal folder, certificates for other machines SCVMM knows about are in Trusted People folder

    On host machine:
    1) Check that trusted people folder contains only 1 SCVMM certificate for your VMM server (SCVMM_* will be in friendly name),
    2) Check that thumbprint of this certificate matches the one stored in the Personal folder of the VMM machine

    On VMM Server machine:
    1) Check that trusted people folder contains only 1 SCVMM certificate for the host server (SCVMM_* will be in friendly name),
    2) Check that thumbprint of this certificate matches the one stored in the Personal folder of the host machine

    On command prompt, type: netsh http show sslcert
    Make sure that thumbprint of certificate listed matches the SCVMM certificate of the local machine.

    If this post is helpful, please mark it as such.
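
    The certificate checks listed in the reply above, collected into one script as an added PowerShell example that is not part of the original post. It assumes, as the reply states, that SCVMM certificates carry a friendly name starting with SCVMM_; the function names are hypothetical, and grouping Trusted People entries by Subject to find duplicates is an assumption about how one machine's certificates are told apart.

```powershell
# Added example (not from the original thread). Run elevated on the Hyper-V host
# and again on the VMM server, then compare the thumbprints in the two outputs.
# Assumption from the reply: SCVMM certificates have a friendly name beginning "SCVMM_".

function Get-ScvmmCert {
    param([Parameter(Mandatory = $true)][ValidateSet('My', 'TrustedPeople')][string]$StoreName)
    # 'My' is the Personal folder, 'TrustedPeople' is the Trusted People folder.
    Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.FriendlyName -like 'SCVMM_*' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Store        = $StoreName
                Subject      = $_.Subject
                FriendlyName = $_.FriendlyName
                Thumbprint   = $_.Thumbprint.ToUpper()
                NotAfter     = $_.NotAfter
            }
        }
}

function Get-HttpSysCertHash {
    # Extract every 40-hex-digit value (a SHA-1 thumbprint) from the netsh output.
    # Matching the value rather than the label keeps this independent of the UI language.
    netsh http show sslcert | ForEach-Object {
        if ($_ -match ':\s*([0-9A-Fa-f]{40})\s*$') { $Matches[1].ToUpper() }
    }
}

function Test-ScvmmCertState {
    $personal = @(Get-ScvmmCert -StoreName My)
    $trusted  = @(Get-ScvmmCert -StoreName TrustedPeople)
    $bound    = @(Get-HttpSysCertHash)
    $findings = @()

    if ($personal.Count -eq 0) {
        $findings += 'No SCVMM_* certificate found in the Personal folder.'
    }

    # The reply asks for only one SCVMM certificate per remote machine in Trusted People.
    $trusted | Group-Object -Property Subject | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        $findings += "Trusted People holds $($_.Count) SCVMM certificates for $($_.Name)."
    }

    # An expired certificate is one of the SSL problems that can abort the BITS transfer.
    $now = Get-Date
    foreach ($c in ($personal + $trusted)) {
        if ($c.NotAfter -lt $now) {
            $findings += "Expired: $($c.FriendlyName) [$($c.Thumbprint)] in $($c.Store)."
        }
    }

    # The certificate bound in HTTP.SYS should be the local SCVMM certificate.
    if ($personal.Count -gt 0) {
        $match = @($personal | Where-Object { $bound -contains $_.Thumbprint })
        if ($match.Count -eq 0) {
            $findings += 'No "netsh http show sslcert" binding uses the local SCVMM certificate.'
        }
    }

    New-Object PSObject -Property @{
        Certificates = @($personal + $trusted)
        BoundHashes  = $bound
        Findings     = $findings
    }
}

$state = Test-ScvmmCertState
$state.Certificates | Format-Table Store, FriendlyName, Subject, Thumbprint, NotAfter -AutoSize
if ($state.Findings.Count -eq 0) { 'No local inconsistencies found.' } else { $state.Findings }
```

    The cross-machine step still has to be done by eye: the Trusted People thumbprint shown on one machine must equal the Personal thumbprint shown on the other.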

  • RELEVANCY SCORE 2.80

    DB:2.80:Cannot Connect To Vm On Host In Perimeter Network k1


    Hi,
    I have Server1.domain1.com (W2k8 R2) with Hyper-V. On one of its VM's I have Server2.domain2.com (W2k8 R2) with SCVMM 2008 R2 installed. On SCVMM I have added server1 (netbios name) as a host on perimeter network. I can start, stop, etc. its
    VM's, but I can't connect to them. I'm getting the prompt: Your remote desktop connection failed because the remote computer cannot be authenticated. The remote computer could not be authenticated due to problems with it's security certificate.

    DB:2.80:Cannot Connect To Vm On Host In Perimeter Network k1

    I gave a try with all of the steps mentioned in the thread but the issue persists.

  • RELEVANCY SCORE 2.80

    DB:2.80:Ssh Trough Forefront Tmg 2010 ka


    Hi,
    I have to permit the SSH traffic from our clients to an external SFTP server. I've created a rule which permits the port 22 TCP outbound from Internal to External/Perimeter.
    When I try to connect to the host I get the error message:
    A connection closed because no SYN/ACK reply was received from the server
    Is there something I have forgotten to permit?
    Thx
    Robert

    DB:2.80:Ssh Trough Forefront Tmg 2010 ka

    Give a shot to this also: from inside clients telnet to your router and check the NAT IP address which is coming, and then do the telnet from TMG and check the NAT address on the router. Don't know, I can sense this as a NAT problem also. Check if this helps.
    Thanks
    Happiness Always
    Jatin

  • RELEVANCY SCORE 2.76

    DB:2.76:Ssh Configuration On Perimeter Router. j8



    How do I configure my internet router (perimeter router) to accept ssh from my inside network. The router has an IOS capable of ssh v1 2.

    DB:2.76:Ssh Configuration On Perimeter Router. j8


    Bernadette

    I am glad that you got it resolved. Thank you for posting back to the forum to indicate that it was resolved and how you resolved it. It makes the forum more useful when people can read about a problem and can read what did resolve the problem. The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

    HTH

    Rick

  • RELEVANCY SCORE 2.75

    DB:2.75:Nat Done On Perimeter Router Or Firewall xa



    Hi,

    I am setting up a new network. Is NAT configured on the perimeter router, or the ASA5505 firewall?

    Thanks.

    DB:2.75:Nat Done On Perimeter Router Or Firewall xa


    Hi

    Depends on the addressing you have been allocated. A typical setup is a service provider controlled router and they then allocate you a block of public IP addresses. One of these will be allocated to the inside interface of the SP router and the rest you use on your own devices.

    Usually the device you place behind the SP router is a firewall so it is normally done on a firewall.

    Jon

  • RELEVANCY SCORE 2.74

    DB:2.74:Failing To Add Pxe Server In A Differnt Domain From Vmm Server pc


    I'm trying to set up for bare metal Hyper-V host deployments, and I've run into a problem trying to add the needed PXE Server.
    When I try to add our existing PXE Server using the VMM Admin console, it goes on for a while and than fails with error 2912. Doing a lot of investigating, it appears this is because the VMM agent running on the PXE Server cannot communicate with the
    VMM Server to see if the machine is allowed to PXE boot, and eventually fails.
    From working with DPM, I know it is necessary to supply the agent with the appropriate credentials to communicate with the server if the server is in a different domain, or in an edge/perimeter network. I suspect the same is true for VMM, but
    I cannot see any way to give the agent the appropriate credentials. (I did find some references, but they were using SC 2007.)
    So the question is: how do I give the VMM agent the necessary credentials to communicate with the VMM Server when the agent is on a system not in the VMM Server's domain?
    Thanks in advance.
    - Mark

    DB:2.74:Failing To Add Pxe Server In A Differnt Domain From Vmm Server pc

    OK. It seems as though the trust I had established wasn't working. I tried to validate the trust and it failed.
    I won't bore you with the details, but the root cause of the failure was not having the appropriate DNS stub zones in place for the domain controllers to find each other. Once I got the stub zones in place, I re-created the two-way trust and was able
    to validate the trust.
    After that, I was able to add the PXE Server to VMM.
    Now the problem I'm running into is the VMM GUI crashing when I try and do a bare-metal provision of a Hyper-V host.
    - Mark

  • RELEVANCY SCORE 2.73

    DB:2.73:Unable To Add Machines To Rodc In Dmz 9k


    We rolled out a RODC to our Perimeter network. There is a firewall between our perimeter network and our Corp Network. We followed the steps per TechNet article: http://technet.microsoft.com/en-us/library/dd728035(WS.10).aspx
    The problem we are having is trying to add machines via the suggested script. We are trying to add a Windows 2003 server to the network from the Perimeter. We WERE getting Error: 87 until we applied hotfix: WindowsServer2003-KB944043-v5-x86-ENU.exe. Now that the hotfix has been applied we are now getting
    Error: 1354
    Still unable to add the server to the Domain from the Perimeter network.
    Has anyone run into this issue?

    DB:2.73:Unable To Add Machines To Rodc In Dmz 9k

    please check http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1d18b9ad-0a2a-437b-94e0-edeebf156e9f

  • RELEVANCY SCORE 2.72

    DB:2.72:Scvmm 2012 - Creating A Template For Host On A Perimeter Network ck


    We have an install of SC VMM 2012 which is managing a Windows Server 2012 host machine located in a DMZ/perimeter network. That server is NOT (and cannot be) part of the domain.
    I have a virtual machine created on the host that I want to become a template. However, attempting to do so gives the error:
    The virtual machine (name) cannot be used in this operation because it is on a perimeter network.
    I found this related thread: http://social.technet.microsoft.com/Forums/en-US/virtualmachingmgrhyperv/thread/de49c18e-5506-4a23-997a-ceb9c489bfa4/
    However, the first two options presented there will not work. The machine cannot be joined to the domain, and there are no other physical hosts being managed. This is the ONLY host managed by SC VMM 2012.
    The third option seems incredibly manual and time consuming for something that we may find ourselves doing on a semi-recurring basis (refreshing a template with current Windows Updates, etc).
    I guess I don't understand - if the management server can copy things like ISO images out to the host server, then why can't it pull the pieces necessary for a template off of the host server? The library is ON the VMM server - it is not some other
    remote server.
    I'm hoping there is a better option here that has come about since that 2011 thread.
    Thanks

    DB:2.72:Scvmm 2012 - Creating A Template For Host On A Perimeter Network ck

    We understand there is no logical connection between the host and the DMZ, just a physical one routed to a virtual network, but even that opens up potential problems. Maybe they trust me to manage/configure it right, but if someone else takes over
    at some point in the future, they could change the configuration (after all, one little check-box is all it takes) and all of a sudden the host DOES have a logical connection. We've discussed that more than a few times (we have an internal Hyper-V setup
    on Windows Server 2008 R2 / VMM 2008 R2, but we decided not to use it for this purpose). This Server 2012 / VMM 2012 environment was purchased for the explicit purpose of managing the DMZ Hyper-V server as a perimeter host.

    Regarding copying the template files:
    1) If I successfully get a template into the library, will it successfully deploy? I am still a bit confused about the permission issue. Why would things copy from library out to the host successfully (such as mounting an ISO), but not the opposite
    way (creating template from a VM)? It seems the same permission issues would exist in both cases, and yet I can successfully mount an ISO.
    2) The only other way to create it (with the current licenses we have available), would be to create the template on a VMM 2008 R2 system. Will copying the template files from that library over to the VMM 2012 library work?

  • RELEVANCY SCORE 2.66

    DB:2.66:Problems With Windows Backup (System Image) 1c


    When I try to do a backup to a network share, the file level backup works ok, but the System Image Backup writes about 37 GB of data, then fails with error code 2155348315 (0x8078015b - error when accessing the remote shared folder). The system itself
    is using about 50 GB of disk on C: and 18 GB on E:.
    The network share is on a Mac OS 10.6 system (i.e. Samba).

    DB:2.66:Problems With Windows Backup (System Image) 1c

    So, I know this is an old post and I also commented on another post as well, but for anyone that is searching for a solution for the 0x8078015b backup error, I have the solution.
    I had the same error when trying to backup and this is what I did to fix it.
    It seems that the target that you should save the backup, MUST have at least twice the free space of the size of your backup.
    So when I tried to backup my 74GB system disk on a 120GB (free space) HDD I kept getting the 0x8078015b error, but when I changed the save target on a 500GB HDD (the amount of free space I had on a 1TB HDD), the backup process completed without errors.
    And after some search on the internet I also found some other forum posts that were stating the same.
    YOU MUST HAVE TWICE THE FREE SPACE ON THE TARGET YOU ARE SAVING YOUR BACKUP.

  • RELEVANCY SCORE 2.66

    DB:2.66:Scvmm 20008 Beta Local Agent Problem 1p


     
    Hi all,
    i have a problem with local agent of SCVMM 2008 installed in my W2008 Ent with Hyper-v RC.
     
    I have an host, in workgroup, with some virtual machine installed.
    In one of these I have installed SCVMM 2008 Beta. After that I have installed the local agent, as perimeter host,
    on my host Win2008. SCVMM see all information about virtual machine that runs on the host. All is fine.
     
    Now i have turned off the virtual machine with SCVMM 2008 and after that all the virtual machine cannot start and this errors are logged:
    ------------------------------------
    Log Name:      Microsoft-Windows-Hyper-V-VMMS-Admin
    Source:        Microsoft-Windows-Hyper-V-VMMS
    Date:          5/9/2008 1:29:14 AM
    Event ID:      15500
    Task Category: None
    Level:         Error
    Keywords:
    User:          SYSTEM
    Computer:      SRV2008
    Description:
    'Vista32' failed to start worker process: The extended attributes are inconsistent. (0x800700FF). (VMID 5846669F-A657-4729-94B4-E1ED5572EE12)
     
    Log Name:      Microsoft-Windows-Hyper-V-Worker-Admin
    Source:        Microsoft-Windows-Hyper-V-Worker
    Date:          5/9/2008 1:29:03 AM
    Event ID:      17040
    Task Category: None
    Level:         Error
    Keywords:
    User:          NETWORK SERVICE
    Computer:      SRV2008
    Description:
    The authorization store could not be initialized from its persistent location 'msxml://C:\ProgramData\Microsoft\Virtual Machine Manager\HyperVAuthStore.xml'. Error: General access denied error (0x80070005).
     
    ------------------------------------------------------------------------
     
    If i deinstall the local agent all is fine and all virtual machine starts again !
     
    Any Idea ?
    Thanks in advance,
    Sandro De Matteis

    DB:2.66:Scvmm 20008 Beta Local Agent Problem 1p

    ... and it work also with much better read permission to everyone !
     
    Sandro De Matteis

  • RELEVANCY SCORE 2.64

    DB:2.64:Win2k8 R2 Radius 802.1x Peap With Windows Xp Sp3 za


    Hi,

    We have Win2k8 R2 NPS configured for RADIUS 802.1x authentication and client machines are running WinXP SP3. The RADIUS server is also the Certification Authority. The DC is a Windows 2003 Std machine. The certificate was already loaded on the testing xp machine,
    after we connect the cable for 802.1x and enter the username and password and domain on XP PC, the xp machine can't seem to get a DHCP address from the server.

    Upon checking the event logs from RADIUS server, there's always an event failure from security logs (NPS denied access to a user - Event 6273)

    Reason Code: 23
    Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

    Not sure if there's misconfiguration or missing something here. Any help will be much appreciated. Thanks in advance!

    DB:2.64:Win2k8 R2 Radius 802.1x Peap With Windows Xp Sp3 za

    Hi,
    The error you found is somewhat generic. A list of reason codes is here:
    http://technet.microsoft.com/en-us/library/dd197464(WS.10).aspx. This article gives you the EAP log file location as
    %windir%\System32\Logfiles.
    Since you mentioned a Certification Authority, I assume you are using PEAP or EAP-TLS. Is this true? Perhaps you are only using the CA for a server certificate. A certificate problem can cause the error you see, such as when a certificate is expired or not
    trusted. It's hard to know which problem you have without knowing more about the configuration.
    Event 6273 should also tell you what connection request policy and network policy were matched. What EAP configuration is used in these policies?

    It will also help to know if other clients are connecting OK and only some clients are failing. The probable reason that the client cannot get a DHCP address is that when the client fails 802.1X authentication, the line protocol is dropped.

    -Greg

  • RELEVANCY SCORE 2.64

    DB:2.64:Abortively Closed On Almost Everything But Http aa


    Hi all,
    I have a weird problem that I can't resolve when running TMG 2010 Enterprise SP2 in my HP C7000 bladesystem with Virtual-Flex 10Gb NICs.

    Right now it's scaled down to a simple 3 leg setup with all traffic allowed from Internal and Localhost to External and Perimeter.
    All traffic originating from the localhost works perfectly to both Outside and Perimeter networks.
    However, when connecting from another host (blade) on the Internal network that uses TMG as default gateway, HTTP and DNS work fine but HTTPS (among others) does not. The log shows the connection Initiating and 20 secs later it's abortively closed after
    one of the peers sent an RST packet. Sometimes followed by a couple of non-SYN errors since the connection is closed.
    The behaviour is the same with RDP and to both External and Perimeter hosts.
    All content scanning, proxy, compression etc. is disabled. No NIC teaming or anything special.

    Any thoughts? I have never seen this before and I'm running out of ideas.
    Beginning to wonder if it is the VirtualConnect system that screws things up.

    DB:2.64:Abortively Closed On Almost Everything But Http aa

    Rob,
    I have been having this same problem for a number of weeks now and have not found a solution. Interestingly, I had taken almost the same troubleshooting steps as you did to no avail. I was wondering whether you ever found the cause/solution?
    Naveed

  • RELEVANCY SCORE 2.64

    DB:2.64:Re: Vla-Get-Perimeter... p1


    Do I need to make a dummy region to use for a polyline
    (lwpolyline) perimeter calculation? When I use (vla-get-Perimeter ) it returns an error. However, if I make a region based on
    my polyline (lwpolyline) object the vla-get-Perimeter function works fine.
    Is there any direct way of getting the polyline perimeter? I can calculate all
    vertexes' lengths separately, including arcs. Is this the only choice I
    have?

    DB:2.64:Re: Vla-Get-Perimeter... p1

    Thanks guys,

    "Jürg Menzi" wrote in message
    news:4173886B.7953123E@menziengineering.ch...
    Hi 3ABTPA

    In addition to Jeff's answer I would propose to use always the
    vlax-curve-*
    stuff. In opposite to the 'Length', 'ArcLength', etc. properties you can
    get the length from *Polylines, Splines, Lines, Arcs, Circles and Ellipses
    with the same function.
    Note:
    Don't forget to initialize the ActiveX interface by (vl-load-com).

    Cheers
    --
    Juerg Menzi
    MENZI ENGINEERING GmbH, Switzerland
    http://www.menziengineering.ch

  • RELEVANCY SCORE 2.63

    DB:2.63:Connection Via Scvmm Console To A Vm On A Perimeter Network Fails With Certificate Issue 17


    Hi,
    I have a Hyper-V host 1 (W2K8 R2) in a perimeter network. On this host there is a VM with the AD server.
    A second host 2 (W2K8 R2, domain member) has the SCVMM console installed.
    If I now try to connect via SCVMM to a VM on host 1, I always get:
    your remote desktop connection failed because the remote computer cannot be authenticated.. CERTIFICATE errors!
    On MS TechNet I found: If your connection to a virtual machine fails because the certificate is not valid for a Virtual Server host on a perimeter network, open the Virtual Server administration website, go to Server Properties, and then select NTLM from the Authentication drop-down list.
    BUT, where can I "find" the Virtual Server administration website and the "authentication drop-down list"??? Thanks!

  • RELEVANCY SCORE 2.62

    DB:2.62:Routes And Acls Between Nvgre Vm Networks For Single Tenant 3c


    We're running into a situation where multiple tenants need NVGRE VM Networks with multiple routed/ACL'd subnets. These tenants have multi-tier services that need a perimeter network.
    We can accomplish this for these tenants with VLAN VM Networks by deploying virtual firewalls/routers to their VM networks or by managing their firewall/routers between VM networks. We do this by deploying a front-end perimeter VLAN VM Network, a back-end
    perimeter VLAN VM Network, and an internal VLAN VM Network. This all works well and is secure. The only problem is that it doesn't scale well because the tenant is taking up three VLANs; and it's also a burden to provision.
    NVGRE VM Networks could solve all our problems IF we had a way of doing the following:

    - Give a tenant multiple NVGRE VM Networks. It seems like this is possible today, but they're completely isolated with no routing capabilities, which doesn't meet our needs most of the time.
    - We need the ability to route between multiple NVGRE VM Networks. This is currently not possible from what I can tell because no default gateway is used for VMs within a single VM Network on the same host.
    - We need the ability to create ACL rules between routed NVGRE VM Networks.
    - The last part of this is that we need to be able to assign multiple internet-facing IP addresses to a client's NVGRE VM network for NAT/ACL rules. This would mean that we could have 4x different services deployed within a front-end perimeter VM Network
      and each of those services could have a unique public IP that is either being load balanced to a service or pointing directly to a service.

    The NVGRE based VMM private cloud isn't production ready for us until we can check these boxes.
    I'm willing to think outside the box if anyone has any alternative solutions to these problems.
    Thank you for taking the time to read this and help.

    DB:2.62:Routes And Acls Between Nvgre Vm Networks For Single Tenant 3c

    We know that there are some challenges in order to realize all scenarios with the NVGRE solution today. The feedback is registered, and I recommend to read up on the Windows Server technical preview to get a look into the future.
    Here's a short blog post I wrote on what's already public: http://kristiannese.blogspot.no/2014/10/scratching-surface-of-networking-in.html
    As you can see, we get a new Windows Server Role (Network Controller) that will be responsible for several virtual network functions.
    If you also search through the content from TechEd, you should get more insight.
    -kn
    Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )

  • RELEVANCY SCORE 2.62

    DB:2.62:Hyper-V Joined To The Domain Or Not Join To The Domain x8


    I have just installed a Hyper-V host. I plan to virtualize all 5 servers to the host. I am planning an SBS 2011 server and 4 other 2008 R2 Enterprise servers. I have read to NOT join the Hyper-V host to the domain in an SBS environment, but
    the Microsoft SCVMM tools require the Hyper-V server to be on the domain. So I created a Virtual Machine to install the SCVMM tools and was successful; however, when I try to do a P2V I get an error: error 3219: Perimeter network host cannot be used
    in physical-to-virtual. Should the host be on the domain? Seems like everything would work that way but I don't want to cause Active Directory problems or slowdowns on the Host. Can I do a P2V on a host that is not part of the domain?

    DB:2.62:Hyper-V Joined To The Domain Or Not Join To The Domain x8

    The SCVMM P2V process requires that the Hyper-V Server that the VM is being sent to be domain joined, and the machine being converted must be domain joined. (many, many complaints about this)
    Other SCVMM actions can be completed using the perimeter or DMZ options.
    One way that folks get around this is to use Disk2VHD and create the VM from the VHD. Or use other third party P2V tools. This is especially so when converting servers that provide Active Directory or DNS.
    Personally, re-build as a VM whenever necessary and only P2V when absolutely necessary. P2V always brings baggage.
    Brian Ehlert (hopefully you have found this useful) http://ITProctology.blogspot.com

  • RELEVANCY SCORE 2.62

    DB:2.62:Migrate Perimeter Server To Domain Host Error 1238 17


    Hi,
    I have 3 machines. I am having a problem moving my perimeter VM to the Hyper-V server, as the error below shows. I understand the reason why it stops me, but I am looking for a solution to migrate my perimeter VM without an additional server.

    1238 The virtual machine %VMName; cannot be
    transferred because it is located in a
    perimeter network.
    Ensure that the selected virtual
    machine is not in a perimeter network,
    and then try the operation again.

    Machine1 (Perimeter with VMM agent installed)
    Windows Server 2008 R2 SP1 installed, not joined to domain
    (DC) (SCVMM) is on this machine, and others VM

    Machine2 (Joined domain)
    Hyper-V R2

    Machine3 (Joined domain)
    Hyper-V R2

    MT | MCITP ----- Please vote helpful or mark as answer if it's answered your question, this help us follow up the question status.

  • RELEVANCY SCORE 2.62

    DB:2.62:Installing Updated Vmm R2 Agent - Download? fc


    Referencing:
    http://technet.microsoft.com/en-us/library/cc917969.aspx
    You cannot use the Update Agent action to update an agent of a host that is on a perimeter network. You must uninstall the existing agent, and then install the new version of the VMM agent. For information about uninstalling and installing
    agents, see New Installation of VMM (http://go.microsoft.com/fwlink/?LinkID=125914).
    Referencing:
    http://technet.microsoft.com/en-us/library/cc764218.aspx
    To install a VMM agent locally on a host on a perimeter network

    On the product media or network share, right-click setup.exe, and then click Run as administrator.
    Problem:
    I've installed the agent from my install media, and since this server is on a perimeter network I cannot update the agent.
    Note: The VMM Server has been updated after installing from the installation media (all other hosts have been also updated).
    How can I install the updated VMM agent on a perimeter server? I've tried searching for VMM R2 Agent downloads, with no luck.
    Until solved, our perimeter server will continue to display Needs Attention in the Hosts overview.

  • RELEVANCY SCORE 2.60

    DB:2.60:Remoteapp In Dmz ca


    Scenario is TS Gateway in a dmz.com domain and RemoteApp server in internal.com, both servers joined to their respective domains. TS Gateway is exposed to the internet. How do I configure this scenario so I can get to the RemoteApps internally? There is a one-way
    domain trust from external to internal, so the external domain trusts the internal domain. However I cannot get the RemoteApp internal as a source. Setup was followed by section 3.2 http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
    See below. Any help would be greatly appreciated.

    3.2. RD Gateway with forest trust model deployment:

    In this deployment, there is AD DS in the perimeter network which trusts the internal network forest to authenticate the internal network forest users in the perimeter forest domain. RD Gateway is joined to the perimeter network domain. The trust between the
    perimeter network forest and the internal network forest is one-way, so configuring RD Gateway to use a central NPS server which is in the internal network is required in this deployment.

    The following diagram shows the traffic flow from the Internet to the perimeter network and from the perimeter network to the internal network in this deployment.

    DB:2.60:Remoteapp In Dmz ca

    In the MSDN document posted above the Gateway is supposed to be in the DMZ with RD Web Access internal. This is the link.
    http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx

    I have applications on internal RD Web Access servers that need to be accessed from outside. The applications do not live in the DMZ.

  • RELEVANCY SCORE 2.59

    DB:2.59:Pix Dmz Configuration Problem zk



    Hi,

    I do have some trouble getting my dmz settings working. I have a reverse proxy, located in the dmz, which is supposed to redirect all http traffic for a certain domain to a web server that is in the inside network. The PIX does NAT all connections originating from inside and dmz (perimeter):

    global (outside) 1 interface

    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    nat (perimeter) 1 0.0.0.0 0.0.0.0 0 0

    First of all I created a static to outside for my reverse proxy:

    static (perimeter,outside) x.x.x.x 192.168.109.52 netmask 255.255.255.255 0 0

    Then I permitted access to the reverse proxy:

    access-list 100 permit tcp any host x.x.x.x eq www

    And bound the access-list to the outside interface:

    access-group 100 in interface outside

    So far so good, everything’s working at this point. But as soon as I add an access-list for using the web server in the inside network, it interrupts my connection flow.

    Exemption to nat from inside to dmz:

    static (inside,perimeter) 192.168.108.0 192.168.108.0 netmask 255.255.255.0 0 0

    static (inside,perimeter) 192.168.107.0 192.168.107.0 netmask 255.255.255.0 0 0

    Permit access to the inside web server:

    access-list 200 permit tcp host 192.168.109.52 host 192.168.108.34 eq 7777

    Now what happens is (or at least I assume it): A host connects to the IP x.x.x.x for an http request. The PIX passes the request to the reverse proxy using the acl 100. The reverse proxy picks up the request and processes it, respectively forwards it to the internal web server. The answer is sent back to the reverse proxy and then it tries to transmit the response back to the requester. Actually this should work based on the interface definition of the security level: inside 100, perimeter 50, outside 0. But the responses do not get through to the outside anymore. I guess it must be somewhere between the reverse proxy and the PIX since the network connection (a) is held between reverse proxy and requester and a new connection (b) is held by reverse proxy and inside web server.

    Does anyone have a clue on how to solve this problem?

    Thanks in advance.

    Kai Keong Ng

    DB:2.59:Pix Dmz Configuration Problem zk


    Hi Kay Keong,

    Your config looks good. You can capture packets in the DMZ to examine incoming and outgoing packets; you should be able to identify where the problem is. If not, you need to go deeper by using the debug/syslog feature on the PIX to see if it has something wrong.

    Regards

    Ben

  • RELEVANCY SCORE 2.58

    DB:2.58:Windows Update In Perimeter Network (Https Getting Blocked) zc


    We have a 3 leg perimeter network configured with Forefront TMG 2010.
    I need servers on my perimeter network to update themselves directly via the Internet. (I'd rather not use a proxy server)
    I have added a Firewall Policy rule:
    Protocols: HTTP and HTTPS
    From: Local Host and Perimeter networks
    To: Microsoft Update Sites (Domain Name Set)
    Condition: All Users
    The logs indicate that HTTP connections to the Microsoft update sites are being allowed, but HTTPS connections are being denied and thus Windows Updates are failing. One code I've been getting is 80244018.
    If I change the To: part of the rule to External network, traffic is allowed to all web sites, including HTTPS.
    I created a new Domain Name Set rule, using different web sites, and duplicated this behavior using Internet Explorer -- http works, https does not.
    I've suspected DNS as the culprit. I have two DNS servers configured on the Local Network leg only, and they are able to resolve all of these Microsoft update sites successfully.
    This TMG is not being used for outbound Internet access for any other purposes or clients, and I need to enable ONLY outbound access from the perimeter network for Windows Update.

    DB:2.58:Windows Update In Perimeter Network (Https Getting Blocked) zc


    Only just back from a few weeks holiday. I have never had to add reverse dns entries so that is a new one on me.
    Please confirm:.....
    No servers nics on the local host or elsewhere have any reference to external DNS server ip addresses.
    Only the FTMG internal nic has DNS ip addresses assigned and these point to the internal DNS server ip addresses.
    The only reference to ISP/external DNS server ip addresses are in your forwarder tabs on the internal dns servers.
    The FTMG internal nic is bound first in the network bind order.
    Can you also confirm that you have amended the System Policy to allow the perimeter network to talk to the MS update sites over http/https? (Rule 28 on my system policy)

    Keith Alabaster - MVP/Forum Moderator
    Keith,
    I can confirm all of your statements as being true. My System Rule #28 (Allow HTTP/HTTPS from Forefront TMG to specified Microsoft Update sites) does not have a reference to the Perimeter network, but adding it yields the same results.
    Microsoft Support has escalated this to their Product team. It seems they're looking at a possible problem with the software.
    To summarize this issue:
    1) TMG is configured to deny all web sites except ones allowed via a Domain Name Set
    2) Clients are SecureNAT (no proxy, no firewall client)
    3) HTTP sites work, HTTPS does not.
    4) MS Support indicates that the issue is that TMG is unable to perform Reverse Lookups on some domains due to them not having proper PTR records configured (e.g. MS Updates sites), thus it is unable to identify exactly which site you're trying to access, and
    then fails it by the Default Rule.
    Workarounds include:
    1) Enabling TMG as a proxy server on the desired Interface, then setting a proxy server on the clients.
    2) Using the Firewall Client software
    The Workarounds succeed because with a Proxy server, the client passes the desired URL in plain text, allowing the TMG to do the dns lookup after verifying the site is allowed. With a Secure NAT client, the client does the DNS lookup and passes only
    the IP to the TMG. The TMG must perform a reverse lookup to determine if it's an allowed site or not.
    We're now waiting to hear back from the product team, which, according to my support rep, may or may not happen depending on the priority assigned to this case. It would be interesting if anyone cares to try to duplicate this issue.
    I'm still curious about what Forward SSL Inspection might be able to do for this scenario, as mentioned in my 10/12 post.
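
    The behaviour summarized in this thread, as an added example that is not part of the original posts and is not TMG's own code: a simplified model of matching traffic against a Domain Name Set. The domain names, IP addresses, PTR table and rule names are constructed, and the model assumes that plain HTTP exposes the host name in its Host header.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple

# Constructed Domain Name Set (placeholder names, not the real update sites).
ALLOWED_DOMAIN_SET = ["*.update.example.com", "download.example.com"]

# Constructed reverse-DNS (PTR) data. 203.0.113.30 deliberately has no PTR
# record, and 203.0.113.20 has one that names the hosting provider instead
# of the site the client asked for.
PTR_RECORDS = {
    "203.0.113.10": "download.example.com",
    "203.0.113.20": "edge-17.cdn.example.net",
}


@dataclass
class Connection:
    client: str          # "securenat" or "proxy"
    protocol: str        # "http" or "https"
    dst_ip: str          # address the client resolved and connected to
    requested_host: str  # name the user asked for; not always visible


def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for a PTR query against the constructed table."""
    return PTR_RECORDS.get(ip)


def name_visible_to_firewall(conn: Connection) -> Optional[str]:
    """Return the host name the firewall can actually match on."""
    if conn.client == "proxy":
        # A proxy client sends the URL (or CONNECT host) in plain text.
        return conn.requested_host
    if conn.protocol == "http":
        # Assumption of this model: the Host header is readable in transit.
        return conn.requested_host
    # SecureNAT + HTTPS: only the destination IP is known, so the
    # firewall has to fall back to a reverse lookup.
    return reverse_lookup(conn.dst_ip)


def in_domain_set(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(fnmatchcase(name, pattern) for pattern in ALLOWED_DOMAIN_SET)


def evaluate(conn: Connection) -> Tuple[str, str, str]:
    """Return (action, rule, reason) for one connection."""
    name = name_visible_to_firewall(conn)
    if name is None:
        return ("deny", "Default rule", "no PTR record for " + conn.dst_ip)
    if in_domain_set(name):
        return ("allow", "Update sites rule", "matched " + name)
    return ("deny", "Default rule", name + " is not in the Domain Name Set")


if __name__ == "__main__":
    samples = [
        Connection("securenat", "http", "203.0.113.30", "www.update.example.com"),
        Connection("securenat", "https", "203.0.113.30", "www.update.example.com"),
        Connection("securenat", "https", "203.0.113.20", "www.update.example.com"),
        Connection("securenat", "https", "203.0.113.10", "download.example.com"),
        Connection("proxy", "https", "203.0.113.30", "www.update.example.com"),
    ]
    for c in samples:
        print(c.client, c.protocol, c.dst_ip, "->", evaluate(c))
```

    The same requested name is allowed over HTTP and through the proxy but falls to the default rule over SecureNAT HTTPS whenever the PTR record is missing or names a different host, which is the pattern worth checking for in the firewall log before suspecting forward DNS.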

  • RELEVANCY SCORE 2.57

    DB:2.57:Tmg Web Publising Site - Error Code 10061 Connection Refused 31


    Hi,
    I have a TMG configured as a Back Firewall. It has 2 network cards (Internal and External).
    When I try to publish a web page, I see this error in the console logs:
    Failed Connection Attempt - error code 10061 connection refused

    Log type:
    Web Proxy (Forward)

    Status: 10061 No connection could be made because the target machine actively refused it.

    Rule: Perimeter to LocalHost

    Source:
    Perimeter (172.30.201.1:10087)

    Destination:
    Local Host (172.30.201.2:80)

    Request:
    GET http://172.30.201.2/

    Filter information:
    Req ID: 0a3550e4; Compression: client=No, server=No, compress rate=0% decompress rate=0%

    Protocol: http

    User: anonymous

    The IP 172.30.201.1 is the FW interface and 172.30.201.2 is the TMG's public one.
    Is there something I need to take into account that I am missing?
    Thanks,
    Sebastian

    DB:2.57:Tmg Web Publising Site - Error Code 10061 Connection Refused 31

    Sebastian, adding to Lester's comment... You need to have a Publishing rule for a web server, and this rule must contain a Web Listener... Could you tell us how you have configured the rule that publishes the web site?
    In any case, I'm leaving you this information so you can review the procedure for your rule.
    http://technet.microsoft.com/en-us/library/cc984433.aspx
    Jimcesse / mjk_b25@hotmail.com

  • RELEVANCY SCORE 2.57

    DB:2.57:Error: 1238 When Creating Vm Template From A Virtual Machine 31


    Hi,
    I encountered an issue when creating a VM template from a virtual machine which is stored on a hyper host. Can anyone give a suggestion to resolve it?
    The virtual machine Windows 2008 R2 20110722 cannot be used in this operation because it is on a perimeter network.
    Move virtual machine Windows 2008 R2 20110722 off of the perimeter network or select a virtual machine that is not on a perimeter network, and then try the operation again.
    ID: 1238

    Many thanks in advance.

    DB:2.57:Error: 1238 When Creating Vm Template From A Virtual Machine 31

    Yep. In the SCVMM world there is a difference.
    The assumption with a 'perimeter host' is that it has an interface in the DMZ or some untrusted network. Therefore it and the machines on it have an implied lower level of trust. So it imposes the block.
    I have run into many of these little trust boundaries over the years, and there are more appearing all the time - across different products.
    Now you added the host in a way that says that you trust it, and the VMs on it - you just can't implicitly trust it through AD.
    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.

  • RELEVANCY SCORE 2.56

    DB:2.56:Sharepoint And Adfs 2.0 Extranet Deployment az


    I have implemented the following scenario.
    # Corporate network has AD Server (corp AD) and ADFS 2.0 server (corpADFS).
    # Internet DMZ (a segment in perimeter) has Sharepoint 2010 application in a different domain (company policies do not allow perimeter to host machines as part of corp network).
    # DMZ also hosts an ADFS Proxy server linking ADFS server and Sharepoint server.
    # Sharepoint is configured with both FBA and ADFS based authentication.
    The aim is to provide access to this application to both corp users and external users.

    Test scenario
    Corp user logs into a machine with his windows ID. Accesses the sharepoint application in Perimeter. The user gets authenticated with ADFS and gets access to the application.
    Issue
    The user is already logged in to the corp domain on his local machine. But when he accesses the application he gets a prompt for authenticating to corp domain. Is there some way to get an SSO experience here? I mean since he is logged into the corp domain already,
    can he get logged into sharepoint, without a prompt.
    thanks and regards
    Seshu

    DB:2.56:Sharepoint And Adfs 2.0 Extranet Deployment az

    2 things to check:
    1) Is your ADFS server configured to accept AD credentials as one of its trusted providers?
    2) Is the ADFS server's URL in your users' clients' Intranet Security Zone?
    Dave Weinstein (MCS)

  • RELEVANCY SCORE 2.55

    DB:2.55:Add Host Problem On Scvmm xp


    I tried to add a host on the SCVMM but it says failure (can't find the host) even though I installed the agent locally on the host (I chose the option that the host is in the perimeter network). The only thing I question is: does the host need to be joined to the AD domain?
    Thanks, Michael

    DB:2.55:Add Host Problem On Scvmm xp

    If it can't find the host, then you either have a name resolution issue, which can be solved with a static entry in DNS or in the local hosts file on the SCVMM and on the final host. Of course you should also make sure that the FW allows communication for both hosts on the agent configured ports. I hope that the information above helps you.

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • RELEVANCY SCORE 2.54

    DB:2.54:Tmg 2010 - Rdp Connectivity Problem. 18


    Hi,

    I have created new rule to publish my network computer and access externally. (RDP Terminal Services) Server.
    When i try to connect externally, below are the logs.
    Closed Connection

    Log type: Firewall service

    Status: A connection was abortively closed after one of the peers sent an RST packet.

    Rule: LAN_ServersRouters

    Source: Perimeter (88.xx.xx.94:51134)

    Destination: Local Host (88.xx.xx.89:3389)

    Protocol: RDP (Terminal Services)
    Can anyone help.

    Thanks.

    DB:2.54:Tmg 2010 - Rdp Connectivity Problem. 18

    I have resolved the problem:
    I hadn't created a network rule for NAT; as soon as I created the rule my RDP started working.
    Thanks to everyone for helping me.

  • RELEVANCY SCORE 2.54

    DB:2.54:Self-Service Portal For Host On Perimeter Network In Scvmm 2012 7c


    Hello,
    I have added some hosts on a perimeter network in SCVMM 2012.
    While assigning an owner to any VM in the perimeter network, I am unable to add/see any role.
    While creating a Self-Service user role you need a cloud to add the role, but as the hosts are in the perimeter network they are getting added but not showing any VMs in it.
    Can anyone please help me with how to configure the Self-Service Portal for a Host on a perimeter network in SCVMM 2012, step by step?
    Thanks,
    Stephen

    DB:2.54:Self-Service Portal For Host On Perimeter Network In Scvmm 2012 7c

    Hi,

    Facing same issue... :(

    It will be helpful if anyone can let me know how to configure the Self-Service Portal for a Host on a perimeter network in SCVMM 2012, step by step.
    Thanks

  • RELEVANCY SCORE 2.52

    DB:2.52:Tmg Ent. Sp2 Back-Firewall Topology And Non-Web Protocol Publishing Issue ca


    I have TMG SP2 with the 2 last hotfixes in a Back-Firewall topology with Internal Network, Perimeter and Inter-Array Communication NICs. NLB is configured on the Internal and Perimeter NICs. In Perimeter the DGW is that of the Edge hardware firewall. There are no hosts in
    the Perimeter Network. I want to publish a non-web protocol, e.g. DNS. I have created a new Network as Perimeter. Also created Network Rules as
    Perimeter- Internal = Route
    Internal- Perimeter = Route
    Internet Access - External = NAT
    I'm facing an issue with the publishing rule. What should From, To and Networks be? I have tried From: Anywhere, To: DNS Servers IP, "Request appears to come from the original client" and Networks: External. With this publishing rule TMG does not allow DNS traffic:
    "The policy rules do not allow the user request." In the logs it shows the protocol as DNS instead of DNS Server.

    In publishing rule should it be Perimeter in Networks be chosen with what options ALL, NLB or Specific? We have public IP with Static NAT in Edge firewall. Should this IP added as additional VIP in Perimeter network?

    Could anyone point to right configuration and resolution steps

    DB:2.52:Tmg Ent. Sp2 Back-Firewall Topology And Non-Web Protocol Publishing Issue ca

    Thanks Nick,
    In fact I have changed the network template to Edge. Everything works fine now, except NLB Manager where it shows a common RPC error, while TMG NLB is working fine. Even though I have created a FW rule for DCOM Dynamic based on JJ's post, it is still the same issue.

    I want to know is it possible to change the network template now or add a new network called Perimeter. As I want to assign current Network address in TMG EMS to Perimeter and enable NLB. What is the recommendation on this changes? I'm worried
    it might cause other issues in configurations.

    Thanks

  • RELEVANCY SCORE 2.52

    DB:2.52:Ftp Server Configuration Through Tmg Firewall Help xj


    Hello Everyone,
    I am having some issues allowing access to my ftp server from outside.
    However, accessing from inside network works fine.

    I have a Forefront 2010 edge firewall. My network layout (Network Topology) is Internet-------TMG ForeFront-------Windows Web Server 2008R2. This server has two NICs - one is connected to the Inside LAN and another one is connected to the TMG network. I ran through
    the setup wizard to create a new server publishing rule.

    I am using the FTP Server protocol

    My Firewall Policy (Non-Web Server Publish)

    Traffic: FTP Server
    From: External
    To: Server IP (10.10.10.30)
    Selected Requests appear to come from the Forefront TMG computer
    Network: Perimeter

    FTP Access Rule

    Protocols: FTP
    From: External
    To: Server Name (FTP Server IP Address 10.10.10.30)
    Users: All Users

    FTP Server: Windows Web Server 2008R2

    When I try to ftp from LAN it works. However, when I try to ftp from an external address I get the following log report in my TMG Logs Report Screen

    Denied Connection TMGServer 4/11/20xx 10:26:28 PM
    Log type: Firewall service
    Status: The policy rules do not allow the user request.
    Rule: Default rule
    Source: Perimeter (xxx.xx.xxx.xx:2801)
    Destination: Local Host (xxx.xx.xx.xx:21)
    Protocol: FTP

    I am using TMG Logs Reports to check traffic in TMG/Forefront. When I access FTP server from outside Network my TMG Log Report shows:

    Denied Connection TMGServer 4/14/20xx 10:26:28 PM
    Log type: Firewall service
    Status: The policy rules do not allow the user request.
    Rule: Default rule
    Source: Perimeter (xxx.xx.xxx.xx:2801)
    Destination: Local Host (xxx.xx.xx.xx:21)
    Protocol: FTP

    If you can help me to figure out this problem I would really appreciate.

    Thanks and regards,

    AJ

    DB:2.52:Ftp Server Configuration Through Tmg Firewall Help xj

    Hello Everyone,

    Thank you all for your help. We have resolved our issue.

    After all your suggestions and tips, I was still getting the same Denied Connection message (see below):

    Denied Connection TMGServer
    Log type: Firewall service
    Status: The policy rules do not allow the user request.
    Rule: Default rule
    Source: Perimeter (xxx.xx.xxx.xx:2801)
    Destination: Local Host (xxx.xx.xx.xx:21)
    Protocol: FTP

    We were running out of time for further troubleshooting. So, we decided to call Microsoft and Keith A. Abluton helped us to sort out our issue.
    Many thanks to Microsoft and full credit goes to Keith.

    Solution

    Non-web Server Protocol Publishing Rules will not work on a Forefront TMG 2010 that was installed as a Back Firewall unless the Perimeter Network is removed. The following step is required to remove the perimeter network:
    On the Network Rules tab in Networking, remove Perimeter Network rules (we had two rules - rule 4 and 5 listed as Perimeter Network Rules) and keep External (Built in network.) Network Rule.
    To configure the Non-web Server Protocol Publishing FTP rule, please click this link
    http://technet.microsoft.com/en-us/library/cc995163.aspx . For more information about how to create FTP server please refer the links that Mark Grote listed above.
    Thanks again for your help.
    Best regards,
    AJ

  • RELEVANCY SCORE 2.52

    DB:2.52:Tmg 2010 Back Firewall Sql Publishing To Perimeter Web Server fj


    Hi,
    I have got TMG 2010 configured as a back firewall and I need to have the Web server in the Perimeter (DMZ) to access the SQL server in the internal network.
    Network is:
    Internet--Firewall/NAT--DMZ Web Server--TMG2010--SQLServer
    I have used the 'non-web server protocol' publishing wizard and configured this to publish the SQL server, but it is not working and I am getting blocked with:
    Denied Connection
    Status: The policy rules do not allow the user request
    Rule: Default rule
    Source: Perimeter (x.x.x.x)
    Destination: Local Host (IP Address of TMG perimeter NIC)
    Protocol: Microsoft SQL (TCP)

    The thread below suggests that I need to remove the perimeter network from the 'networks' for this to work with TMG as a back firewall, but this just doesn't seem right to me, not that I can remove the perimeter network due to the caching
    policy tied to the perimeter network.
    (http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/490e285b-6aaa-4f69-8de5-82ef83a826d2)
    What I think I am misunderstanding is the Note below from the TechNet article (http://technet.microsoft.com/en-us/library/cc995162.aspx)
    about SQL server publishing:
    Server publishing rules are typically used when there is a network address translation (NAT) relationship defined by a network rule between the network on which the clients sending requests to the published server are located and the network on which the
    published server is located. Server publishing rules can also be used when the network rule between the client network and the network where the server is located defines a routing relationship. However, in this case, the clients must
    send requests directly to the IP address of the published server.
    I am not too good with networking (getting better each day!) but I have changed over from Linux IPtables to TMG 2010 and in IPtables I had a 'DNAT' and Forward rule configured for this scenario to work for port 1433 but I can't seem
    to get this going on TMG 2010.
    Hope someone can help?
    Thanks,
    Dave

    DB:2.52:Tmg 2010 Back Firewall Sql Publishing To Perimeter Web Server fj


    Hi,
    which type or network relationship exists between the DMZ and the Internal networks where the SQL Server is placed?
    NAT or ROUTE?
    http://technet.microsoft.com/en-us/library/bb794774.aspx
    If you use NAT you must use a non webserver publishing rule to publish the SQL Server.
    http://technet.microsoft.com/en-us/library/cc441596.aspx
    If you use Route you can use access rule to allow access to the internal SQL Server
    The SQL Server must be a SecureNAT client:
    http://technet.microsoft.com/en-us/library/bb794762.aspx

    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

    Thanks, Marc. You have helped greatly with those URLs to the KBs. You sure seem knowledgeable in this field.
    It was the fact that I had 'Route' as the internal-Perimeter network relationship, which but I can recall seeing the prompt regarding the relationship for the back firewall network configuration but I didn't realise/note that I had selected 'route'
    during the build.
    So I changed this Internal-Perimeter NAT network relationship to NAT, cleaned up my rules (back to default, almost), restarted the TMG server and (re)created the SQL Publishing Rule via the wizard as per the article
    http://technet.microsoft.com/en-us/library/cc441596.aspx.
    One thing I had to change in the SQL Publishing rule from the default was to select the option of Requests appear to come from the Forefront TMG Server on the To tab for it to work with the Internal-Perimeter NAT network relationship, of course (understanding
    this correctly I hope).
    Once again, I appreciate your help and thank you for your ongoing efforts you put towards these forums.
    Regards, Dave

  • RELEVANCY SCORE 2.52

    DB:2.52:Provideraddress Is Not Set On Perimeter Network mx


    Hi all;

    to Hyper-V in the perimeter network in scvmm2012sp1
    Set the network virtualization,
    When you create a virtual machine,
    Can not communicate the virtual machine.

    Hyper-v to the perimeter network,
    CustomerAddress is set but, ProviderAddress is not set.
    The Hyper-V of domain member, there is no problem.

    no router.
    all Hyper-V host and guest on the same physical subnet.

    In the case of perimeter network, or need additional configuration ?

    DB:2.52:Provideraddress Is Not Set On Perimeter Network mx

    hi Brian.
    thank you for the response.

    SCVMM Change properties of virtual machine job is complete. no error.

    event log check on SCVMM, Hyper-V Host1 and Host2. no error log,
    not find success log related virtual network operation.

    enable SCVMM Trace on Hyper-V Host1 and Host2.
    difference of trace.

    * Host1 (domain member):
    include BindPAtoNIC: adding PA: log.

    [0]0654.0E84::2013-05-04 05:37:44.915 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,1276, == Processing MACAddress port: [001DD8B71C05] (vm: [test-33-6] in RoutingDomainID: [{68a3c4b4-18aa-4cc5-af0a-f7671f940537}], VMSubnetID:
    [2195746] (CA: [192.168.31.51] on switch: [Gigabit Ethernet - Virtual Network] = PA: [192.168.3.80]). Action: 1 (hostname: [p910ew12nv],{00000000-0000-0000-0000-000000000000}
    [0]0654.0E84::2013-05-04 05:37:44.915 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,1294, == found! Going to ADD AVEZ rules for MACAddress: [001DD8B71C05] (POLICY_LOOKUP_APPLY_IMMEDIATE),{00000000-0000-0000-0000-000000000000}
    [2]0654.0E84::2013-05-04 05:37:45.072 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,2801,GetExternalNetAdapterIndexForSwitch: Virtual switch [Gigabit Ethernet - Virtual Network] is mapped to interface [\\P910EW12NV\root\virtualization\v2:Msvm_ExternalEthernetPort.CreationClassName=Msvm_ExternalEthernetPort,DeviceID=Microsoft:{9E24489A-2FA5-464D-8E72-6067DEAAA43C},SystemCreationClassName=Msvm_ComputerSystem,SystemName=P910EW12NV]
    and has InterfaceGuid: [{9E24489A-2FA5-464D-8E72-6067DEAAA43C}],{00000000-0000-0000-0000-000000000000}
    [2]0654.0E84::2013-05-04 05:37:45.072 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,2871, == BindPAtoNIC: adding PA: [192.168.3.80] to switch: [Gigabit Ethernet - Virtual Network] (interfaceIndex: [13]),{00000000-0000-0000-0000-000000000000}
    [0]0654.0E84::2013-05-04 05:37:45.228 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,2965, == AddAddressLookupRecord: adding CA: [192.168.31.51] - PA: [192.168.3.80] to MAC: [001DD8B71C05] on vmSubnetID:
    [2195746] (RoutingDomainID: [{68a3c4b4-18aa-4cc5-af0a-f7671f940537}]), Rule: 1,{00000000-0000-0000-0000-000000000000}
    [0]0654.0E84::2013-05-04 05:37:45.363 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,1222,CVARPEntry::xxxx: Processing network ID: [5864178],{00000000-0000-0000-0000-000000000000}
    [0]0654.0E84::2013-05-04 05:37:45.363 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,1276, == Processing MACAddress port: [routeCA-p910ew12nv] (vm: [Route] in RoutingDomainID: [{68a3c4b4-18aa-4cc5-af0a-f7671f940537}], VMSubnetID:
    [5864178] (CA: [192.168.33.0/24] on switch: [] = PA: [0.0.0.0]). Action: 17 (hostname: [p910ew12nv],{00000000-0000-0000-0000-000000000000}

    * Host2 (workgroup):
    not include BindPAtoNIC: adding PA: log.

    [1]0640.0DF4::2013-05-04 05:42:46.567 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,1276, == Processing MACAddress port: [001DD8B71C06] (vm: [test-33-7] in RoutingDomainID: [{68a3c4b4-18aa-4cc5-af0a-f7671f940537}], VMSubnetID:
    [2195746] (CA: [192.168.31.52] on switch: [Gigabit Ethernet - Virtual Network] = PA: [192.168.3.81]). Action: 1 (hostname: [192],{00000000-0000-0000-0000-000000000000}
    [1]0640.0DF4::2013-05-04 05:42:46.567 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,1294, == found! Going to ADD AVEZ rules for MACAddress: [001DD8B71C06] (POLICY_LOOKUP_APPLY_IMMEDIATE),{00000000-0000-0000-0000-000000000000}
    [1]0640.0DF4::2013-05-04 05:42:46.567 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,2965, == AddAddressLookupRecord: adding CA: [192.168.31.52] - PA: [192.168.3.81] to MAC: [001DD8B71C06] on vmSubnetID:
    [2195746] (RoutingDomainID: [{68a3c4b4-18aa-4cc5-af0a-f7671f940537}]), Rule: 1,{00000000-0000-0000-0000-000000000000}
    [1]0640.0DF4::2013-05-04 05:42:46.567 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,1222,CVARPEntry::xxxx: Processing network ID: [5864178],{00000000-0000-0000-0000-000000000000}
    [1]0640.0DF4::2013-05-04 05:42:46.567 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,1276, == Processing MACAddress port: [routeCA-p910ew12nv] (vm: [Route] in RoutingDomainID: [{68a3c4b4-18aa-4cc5-af0a-f7671f940537}], VMSubnetID:
    [5864178] (CA: [192.168.33.0/24] on switch: [] = PA: [0.0.0.0]). Action: 17 (hostname: [p910ew12nv],{00000000-0000-0000-0000-000000000000}
    [1]0640.0DF4::2013-05-04 05:42:46.567 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,3046, == AddRouteRecord: DestinationPrefix: [192.168.33.0/24] - [0.0.0.0] on VMSubnetID: [5864178] (RoutingDomainID:
    [{68a3c4b4-18aa-4cc5-af0a-f7671f940537}]),{00000000-0000-0000-0000-000000000000}
    [1]0640.0DF4::2013-05-04 05:42:46.567 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,1276, == Processing MACAddress port: [routeCA-192] (vm: [Route] in RoutingDomainID: [{68a3c4b4-18aa-4cc5-af0a-f7671f940537}], VMSubnetID: [5864178]
    (CA: [192.168.33.0/24] on switch: [] = PA: [0.0.0.0]). Action: 17 (hostname: [192],{00000000-0000-0000-0000-000000000000}
    [1]0640.0DF4::2013-05-04 05:42:46.567 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,3046, == AddRouteRecord: DestinationPrefix: [192.168.33.0/24] - [0.0.0.0] on VMSubnetID: [5864178] (RoutingDomainID:
    [{68a3c4b4-18aa-4cc5-af0a-f7671f940537}]),{00000000-0000-0000-0000-000000000000}

    this information useful?

    regards.
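The side-by-side comparison of the two host traces in the post above can be done mechanically. The following Python script is an added example, not part of the thread and not Microsoft tooling: it rejoins wrapped trace records, lists operations logged for one host but not the other, and flags CA-to-PA lookup records whose provider address was never bound to a NIC. The sample traces are abridged from the lines quoted above (activity-ID suffix dropped), and all function names are this example's own.

```python
"""Compare SCVMM network-virtualization debug traces from two Hyper-V hosts."""
import re

# A record starts with "[cpu]PID.TID::". A wrapped continuation such as
# "[2195746] (CA: ..." also starts with "[digits]" but has no PID.TID part,
# so it must not be mistaken for a new record.
RECORD_START = re.compile(r"^\[\d+\][0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}::")
HEADER = re.compile(
    r"^\[(\d+)\]([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})::(\S+ \S+) "
    r"\[[^\]]+\]\d+,\d+,([^,]+),(\d+),\s*(.*)$")
LOOKUP = re.compile(
    r"AddAddressLookupRecord: adding CA: \[([^\]]+)\] - PA: \[([^\]]+)\]")
BIND = re.compile(r"BindPAtoNIC: adding PA: \[([^\]]+)\]")

# Sample input abridged from the trace in the post. Host1 keeps the stray "?"
# marks in the date field, as pasted traces sometimes do; Host2 has them removed.
HOST1_TRACE = """
[0]0654.0E84::?2013?-?05?-?04 05:37:44.915 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,1276, == Processing MACAddress port: [001DD8B71C05] (vm: [test-33-6] in RoutingDomainID: [{68a3c4b4-18aa-4cc5-af0a-f7671f940537}], VMSubnetID:
[2195746] (CA: [192.168.31.51] on switch: [Gigabit Ethernet - Virtual Network] = PA: [192.168.3.80]). Action: 1
[2]0654.0E84::?2013?-?05?-?04 05:37:45.072 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,2871, == BindPAtoNIC: adding PA: [192.168.3.80] to switch: [Gigabit Ethernet - Virtual Network] (interfaceIndex: [13])
[0]0654.0E84::?2013?-?05?-?04 05:37:45.228 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,2965, == AddAddressLookupRecord: adding CA: [192.168.31.51] - PA: [192.168.3.80] to MAC: [001DD8B71C05] on vmSubnetID:
[2195746] (RoutingDomainID: [{68a3c4b4-18aa-4cc5-af0a-f7671f940537}]), Rule: 1
"""
HOST2_TRACE = """
[1]0640.0DF4::2013-05-04 05:42:46.567 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,1276, == Processing MACAddress port: [001DD8B71C06] (vm: [test-33-7] in RoutingDomainID: [{68a3c4b4-18aa-4cc5-af0a-f7671f940537}], VMSubnetID:
[2195746] (CA: [192.168.31.52] on switch: [Gigabit Ethernet - Virtual Network] = PA: [192.168.3.81]). Action: 1
[1]0640.0DF4::2013-05-04 05:42:46.567 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,2965, == AddAddressLookupRecord: adding CA: [192.168.31.52] - PA: [192.168.3.81] to MAC: [001DD8B71C06] on vmSubnetID:
[2195746] (RoutingDomainID: [{68a3c4b4-18aa-4cc5-af0a-f7671f940537}]), Rule: 1
[1]0640.0DF4::2013-05-04 05:42:46.567 [Microsoft-VirtualMachineManager-Debug]2,2,VARPWMIProvider.cpp,3046, == AddRouteRecord: DestinationPrefix: [192.168.33.0/24] - [0.0.0.0] on VMSubnetID: [5864178]
"""


def split_records(text):
    """Rejoin physical lines into logical trace records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # wrapped continuation of previous record
    return records


def parse(text):
    """Return one dict per record: cleaned timestamp, source location, operation."""
    events = []
    for record in split_records(text):
        m = HEADER.match(record)
        if not m:
            continue  # not a trace record (e.g. a pasted comment line)
        _cpu, _pid_tid, stamp, source, line_no, msg = m.groups()
        events.append({
            "time": stamp.replace("?", ""),
            "source": f"{source}:{line_no}",
            # Operation name = message text before the first ": ".
            "op": msg.lstrip("= ").split(": ", 1)[0],
            "msg": msg,
        })
    return events


def operations(text):
    return {event["op"] for event in parse(text)}


def compare(reference, suspect):
    """Operations logged for the reference host but absent for the suspect host."""
    return sorted(operations(reference) - operations(suspect))


def unbound_provider_addresses(text):
    """(CA, PA, time) for lookup records whose PA never appears in BindPAtoNIC."""
    events = parse(text)
    bound = {m.group(1) for e in events for m in BIND.finditer(e["msg"])}
    gaps = []
    for e in events:
        m = LOOKUP.search(e["msg"])
        if m and m.group(2) not in bound:
            gaps.append((m.group(1), m.group(2), e["time"]))
    return gaps


if __name__ == "__main__":
    print("Missing on Host2:", compare(HOST1_TRACE, HOST2_TRACE))
    for ca, pa, when in unbound_provider_addresses(HOST2_TRACE):
        print(f"Host2 {when}: CA {ca} mapped to PA {pa}, but PA was never bound")
```
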

  • RELEVANCY SCORE 2.50

    DB:2.50:Perimeter Network Passing Https Fails za


    Has there been an update to http://social.technet.microsoft.com/Forums/en-US/ForefrontedgeIA/thread/02f9704c-b296-42f9-9f8e-8e5fd3acfa1b/

    I have repro-ed this condition where https is blocked from hosts on the perimeter network. Wondering if there is a hotfix for this defect. Anyone heard anything?

    Thanks,

    John

    DB:2.50:Perimeter Network Passing Https Fails za

    Hi,

    Thank you for the post.

    "I have repro-ed this condition where https is blocked from hosts on the perimeter network" - do you mean all the https sites or some certain site, like
    only Microsoft Update Sites? Would you please elaborate on the issue?

    Regards, Nick Gu - MSFT

  • RELEVANCY SCORE 2.50

    DB:2.50:Sharepoint Extranet Split Back To Back 1z


    Experts,
    We have a fully functional intranet farm with 2 front end, 1 Index and 1 SQL server. Everything is working fine. Now we have a need for an Extranet access to SharePoint and found Split back-to-back topology more promising. We wanted to host only the WFE in the perimeter network and have Index and SQL inside our corporate domain. This way, we can manage external users in our perimeter AD / domain controller. This is a must.

    DB:2.50:Sharepoint Extranet Split Back To Back 1z

    There is only one SharePoint farm mentioned in the split back-to-back topology. All the services in perimeter network and corporate network belong to the same SharePoint farm. Why are you going to use one index server for 2 farms? Why are there 2 farms?

  • RELEVANCY SCORE 2.50

    DB:2.50:Unable To Connect To Vm Using Virtual Machine Viewer To Host On Perimeter Network sf


    I have a host that I'm able to successfully manage with SCVMM 2008 R2 SP1 on a perimeter network that has no trust with the internal domain (where the SCVMM host resides). The perimeter domain is 2008 R2 functional domain/forest level. When I
    try to connect to the VM, I get a credential dialog box:
    Your credentials did not work
    Your system administrator does not allow the use of default credentials to log on to the remote computer IP address because its identity is not fully verified. Please enter new credentials.
    Even if I authenticate with local administrator credentials (or domain-based credentials that have local admin access), I get a certificate error followed by a failure to connect.
    I've already adjusted the Allow Delegating Default Credentials with NTLM-only Server Authentication via local group policy (not domain, domain has this policy set to Not Configured) to add Microsoft Virtual Console Service/* and TERMSRV/* followed by running a gpupdate with no luck. Any other ideas?
    http://sharepoint.nauplius.net

    DB:2.50:Unable To Connect To Vm Using Virtual Machine Viewer To Host On Perimeter Network sf

    After some time I have tested this feature again and it was surprisingly working... I have no idea why (probably because hosts restart)...

  • RELEVANCY SCORE 2.49

    DB:2.49:Scvmm 2012 Agent Installation Failed. 1j


    Dear Experts,
    My hyper-v host is in perimeter network. I tried to install the scvmm 2012 agent locally on the host. But, the installation ended prematurely with the error event 1603.
    Please help me to fix this issue.
    Thanks,
    Kumaresan

    DB:2.49:Scvmm 2012 Agent Installation Failed. 1j

    I found the solution to the above problem (installing SCVMM 2012 SP1 Agent locally on a perimeter host, where host is Windows Server Enterprise 2008 R2 and is not domain member).
    All we had to do was to add local account hostname$ on the perimeter host (where hostname is the name of the host).
    - Mitja Tomazic

  • RELEVANCY SCORE 2.48

    DB:2.48:A Srv Records On Public Dns Server For External Connectivity mx


    I have deployed Lync Edge server in the perimeter network and have tested its functionality through the perimeter network. I'm now planning to create A and SRV records on the public DNS server. I have prepared following URLs for Lync Edge server. In
    the list below, y.com is the name of my domain.
    access.y.com (Access Edge)
    wc.y.com (Web Conferencing Edge)
    av.y.com (A/V Edge)
    sip.y.com
    SRV record (for client auto sign-in) which I plan to publish and which was tested through the perimeter network (by creating this record in the host file of the test workstation) is
    _sip._tls.y.com -- [443] sip.y.com
    I have below queries
    1. Is the SRV record format/syntax correct and can it be published on the public DNS server?
    2. Should the IP address of sip.y.com and access.y.com be the same? When I tested it internally, I kept the IP address of both the same. In short should I point sip.y.com to access.y.com?
    3. If IP address for both is same, then should I create an A record or the CNAME record for sip.y.com?
    MPS

    DB:2.48:A Srv Records On Public Dns Server For External Connectivity mx

    Thank you SKHATRI and KENT, Lync Guy
    Thamara.Wijesinghe for all your help. Your guidance has helped me successfully set up the Edge server and meet the business requirement. I very much appreciate your time and effort to guide me.

    MPS

  • RELEVANCY SCORE 2.48

    DB:2.48:External Cannot Access Perimeter Web Server mp


    I have 3 network cards on my ISA server 2003 standard edition. I plan to use one for external network, one for perimeter, one for internal. IIS server is set up on perimeter network, the default web page works. I have created a 3 legs perimeter network, also published web server listening on port 80. When I try to access the IIS web address (ip) from a PC which is in same network as external, I am not able to connect to the web page. There are only 3 firewall rules:
    1. Web Access Only-allow-protocol(http,https,ftp)-from(internal,vpn clients)-to(external,perimeter)
    2. Web Server Perimeter-allow-protocol(http)-from(web listener port 80, external)-to 172.16.0.2 (which is the IIS Server in perimeter)
    3. VPN Clients to Internal network-allow
    How do I let the external traffic access my IIS in perimeter network? Thanks, PW

    DB:2.48:External Cannot Access Perimeter Web Server mp

    Hi, if you use public IP addresses in the DMZ, you can use ROUTE relationship, if you use private IP addresses in the DMZ you must use a NAT relationship.
    regards Marc
    www.nt-faq.de
    www.it-training-grote.de

  • RELEVANCY SCORE 2.48

    DB:2.48:Need Help Publishing Servers On A Perimeter Network jm


    I have an ISA2006 EE array. There are 4 NICs in each array member (Intra-array, WAN [External]{NLB}, LAN [Internal]{NLB}, Perimeter{NLB}). My intra-array and internal networks are private addresses (NAT) and my external and perimeter networks are public routable addresses. My ISP has issued me 2 network IP ranges and programmed their router to forward the Perimeter subnet traffic to one of the NLB VIPs on my External network. Everything works as expected.
    My question is one of confusion for publishing servers on the perimeter network... I don't understand how to define the IP on the perimeter network I want the publishing rule to listen on. On my publishing rules for the external network (to internal {NAT}) I choose the external network and select one of my VIPs to listen for say port 8000 (random meaningless port). If I want to publish that same port but on the perimeter network I must choose the external network as well and leave it set to All IP Addresses on the Network. I am having a hard time understanding how I would publish the same port for multiple servers on multiple Perimeter addresses because I am not defining which Perimeter address to listen on, only which to forward to.
    My only assumption is that ISA looks at the to address in the publishing rule and uses that as a delineator in this routed network. As opposed to a publishing rule on a NAT network where you define a specific external VIP to a specific internal private IP. Can someone help to clarify this for me?

    DB:2.48:Need Help Publishing Servers On A Perimeter Network jm

    Hi,
     
    Thank you for posting.
     
    As far as I know, when you configure NLB for arrays with published servers, the network is load balanced according to the IP addresses of the clients. ISA Server enables you to add additional virtual IP addresses to network adapters across your array. And you can configure one virtual IP address on the External network for one server and a second virtual IP address for an additional server. In another scenario, you may require more than one virtual IP address when you are publishing two Web servers to two distinct public names on the Internet. Two Web listeners are required, each with its own digital certificate matching the public site name, and they must listen on separate virtual IP addresses.
     
    Regards, Nick Gu - MSFT

  • RELEVANCY SCORE 2.47

    DB:2.47:Erro (3219) Convert Physical To Virtual dp


     Dear,
    Perimeter network host 192.168.1.70 cannot be used in physical-to-virtual or virtual-to-virtual conversions.
    I'm remembering that I want to convert a machine that is outside of a domain. Grateful

    DB:2.47:Erro (3219) Convert Physical To Virtual dp

     
    in this case I have to add a new machine to domain, so that it can receive my virtual machines.

  • RELEVANCY SCORE 2.47

    DB:2.47:Disable Nic On Host But Enable In Vm - Hyper-V Core 2012 sf


    I have multiple NICs on my hyper-V Host.
    I am running a router/firewall as a VM on this host. This is my perimeter/border protection.
    The issue I am having is that one of the NICs on the Hyper-V host is dedicated to WAN connectivity for this VM. I want to somehow disable this NIC on the host but have it enabled for the router/firewall VM. Is this possible?
    So logically, what I want is: Modem -- Router/Firewall VM -- rest of network (including other NICs on Hyper-V host)
    Currently it is: Modem -- Hyper-V Host NIC -- Router/Firewall VM --rest of network (including other NICs on Hyper-V host)
    Obviously without doing anything, the host got assigned an IP and it had no firewall in front of it. I have since given it a static IP (10.0.0.24/255.255.255.224), but is there any way to just disable it on the host level?
    Thanks!

  • RELEVANCY SCORE 2.47

    DB:2.47:Link Error Playwndasf Microsoft Sample az


    Hi all:
    I can't compile the sample because of this error.
    LINK : fatal error LNK1104: cannot open file D:\Program.obj
    Error executing link.exe.
    D:\ is the directory which include DX90SDK and VS,VC6.0.
    Why Program.obj is needed?
    Thank you.

    DB:2.47:Link Error Playwndasf Microsoft Sample az

    It looks like you are missing quote marks somewhere.  That's probably supposed to be c:\program files\something

  • RELEVANCY SCORE 2.47

    DB:2.47:Unable To Add Workgroup Agent(Windows Xp) To Dpm 2010 k8



    Hi,
    I am currently having a problem attaching the agent to a workgroup computer (Windows XP). It gives an error as below after I run the command on the protected server (setdpmserver.exe -dpmservername XXXX -isnondomainserver -user user1)
    make sure that this computer is not part of a perimeter network. DPM does not support protection
    of computers on a perimeter network.

    FYI, i was able to add the PS but due to some errors, i removed it and now i'm trying to attach the PS again but failed.
    The PS is in different segment and there is no firewall between the PS and the DPMServer. The Error log on MSDPM shows
    0x80070002.

    Can someone please help.

    DB:2.47:Unable To Add Workgroup Agent(Windows Xp) To Dpm 2010 k8

    Hello!
    I got the same error. It was fixed when disabling the ForceGuest in the Windows XP client.
    See: http://support.microsoft.com/kb/290403/en-us
    Markus Bölske, Lumagate. www.lumagate.se

  • RELEVANCY SCORE 2.47

    DB:2.47:P2v And Virtual Machine Host With Different Domain Or Workgroup j8


    Hi,
     
    As a follow of this post : http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3675962SiteID=17
     
    I would like to know if it will be able to P2V a source server to an HyperV Host which is not on the same domain (no trust relationship) of the VMM server ?
     
    My test lab:
     
    - one 2008 std server core with hyperV on a domain A + agent installed for integration as a virtual machine perimeter host on SCVMM .
    - one 2008 std + SCVMM 2008 beta on a domain B.
    - one 2003 std R2 on a domain B (source server of P2V).
     
    HyperV and SCVMM work fine.
     
    When I try to P2V the source server (2003 of domain B) with SCVMM to the target server (perimeter host in domain A), I have an error 3229 with warning 3219 : perimeter host cannot be used in P2V or V2V.
     
    Thus VMM server and host virtual machine server (target server) has to be on the same domain (or a trusted domain) ?
    The support of perimeter host is somehow limited ?
     
    Full features support on perimeter host is planned for the final release of SCVMM 2008 ?
     
    Thanks
     
    Regards
     
    Guillaume
     

    DB:2.47:P2v And Virtual Machine Host With Different Domain Or Workgroup j8

    Hi
     
    The param work for me on powershell with workgroup host and no trust domain host.
     
    P2V a 2003 DC to a hyperV host on workgroup at the moment.
     
    Many thanks
     
    Regards
     
    Guillaume
     

  • RELEVANCY SCORE 2.46

    DB:2.46:Error 26402. Failed To Create User Due To Invalid Password. 1d


    Getting the following error message.
     
    VH Host is an x64 box sitting in the Perimeter Network.
     
    1. Ran the WinRM patch locally on the VM Host:  WindowsServer2003.WindowsXP-KB936059-x64-ENU.exe.
    2. Ran the installation package to install the client locally:  SCVMMv1RTM_Eval.exe
    3. After you answer the installation questions, including the encryption key, and click install, about 5 seconds into the installation we get an error message saying.
     
    Failed to create user due to invalid password.  (-2147022651   SCVMM32426thKzx      ). 
     
    The SCVMM32426thKzx part changes each time the error message appears but the rest is the same.  Below is the App log entry.
     
    Event Type: Error
    Event Source: MsiInstaller
    Event Category: None
    Event ID: 10005
    Date:  12/12/2007
    Time:  11:59:05 AM
    User:  ACCOUNTS\saini.rajeev$
    Computer: CCM-QA-VSH1
    Description:
    Product: System Center Virtual Machine Manager Agent (x64) -- Error 26402. Failed to create user due to invalid password.  (-2147022651   SCVMM32426thKzx      )
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 7b 31 39 30 46 46 34 30   {190FF40
    0008: 38 2d 30 32 43 30 2d 34   8-02C0-4
    0010: 35 46 34 2d 39 30 39 39   5F4-9099
    0018: 2d 41 36 45 30 32 42 36   -A6E02B6
    0020: 39 36 45 38 31 7d         96E81}
     
     
    I have attempted the install on 2 VM Hosts with the exact same results.  Not sure which password the error is talking about.  I am an admin on both boxes.   We are a TAP customer and any and all help will be appreciated.
     
    Thanks...

    DB:2.46:Error 26402. Failed To Create User Due To Invalid Password. 1d

    Domain Policy:  12 character PWs.
    SCVMM Perimeter install tries to create a local user account with a 10 character PW.  Hence the error.
     
    Workarounds: 
    1. Open FW to allow for SCVMM Ports to communicate.
    2. Change Domain Policy to allow for 10 character PWs
     
    If someone from MS reads this.  Since the account being created is a local service account.  Can you change the installer to use a 36 character complex password instead of 10.  I thought we were becoming security conscious in this day and age.  10 characters?  C'mon now...

  • RELEVANCY SCORE 2.46

    DB:2.46:Scvmm 2008 R2 - Console Connection To Perimeter Network Not Working Due To Certificate Issue (Only On Windows7 And Server 2008 R2) ka


    Hello, we are using SCVMM 2008 R2 and all hosts are on Hyper-V. On perimeter network hosts are joined into the DMZ domain (their FQDN is like host001.dmzdomain.loc). When I try to connect through the SCVMM console to the VM on perimeter network I get this error:
    The remote computer could not be authenticated due to problems with its security certificate ... This certificate is not from a trusted certifying authority.
    I solved this by adding this certificate into the Trusted Root Certification Authorities/Local Computer, BUT then I get another certificate error:
    Name mismatch. Requested remote computer: host001 Name in the certificate from the remote computer: host001.dmzdomain.loc The server name on the certificate is incorrect.
    I tried to add host001 by its IP address instead of the name, but I get the same error as above. The only difference is that Requested remote computer is the IP address instead of host001. If I were able to add host on perimeter network by its FQDN instead of hostname or IP address it should work. But I think that this is not possible. Is there any way I can solve this name mismatch? This problem is happening only if I run SCVMM console or Self Service Portal from a computer with Windows Server 2008 and Windows 7. There is no certificate issue on the older OSs.

  • RELEVANCY SCORE 2.46

    DB:2.46:Adfs For Multple Ad Domain ms


    Hi,

    I have situation where I have a set of application in the perimeter network.
    I have an internal AD in corporate network for our internal users.
    I have to maintain a separate AD in perimeter network for external users /customer who need access to the perimeter applications.
    How many ADFS instances do I need?
    Can I configure an ADFS instance in the corporate network and an ADFS proxy in the perimeter network?
    Is it possible to add internal AD and perimeter AD in the internal ADFS instance to serve both internal and external users to access the perimeter applications, without a trust between internal AD and perimeter AD?
    Or I need to setup 2 different ADFS instances one for perimeter and one for internal? and in this case how to configure the application redirect to multiple ADFS instances to get STS for internal users from internal ADFS and for external users from perimeter
    ADFS?
    Also, what should be the proxy server placement?
    Thanks,

    Soumen Ghosh

    DB:2.46:Adfs For Multple Ad Domain ms

    Jorge,
    What are the benefits and drawbacks of having the following setup:
    Perimeter Network
    - AD with separate forest to store external user accounts

    - ADFS providing tokens for external users
    - Relying Party application configured to authenticate against to Perimeter Network ADFS

    Internal Network:
    - Corporate AD
    - ADFS providing tokens for internal users only
    - Relying Party application configured to authenticate against Internal ADFS

    I believe that this setup will be more secure. However the problem is that:
    - internal users cannot access application externally
    - ADFS setup needs to be done in 2 places

    Anything else that I am missing?

  • RELEVANCY SCORE 2.46

    DB:2.46:Internal Network And Local Host Cant Ping Devices In Perimeter Network xk


    I just setup a TMG firewall, and all is well with Internet access. I am not able to access devices on the perimeter network, however. I copied the routing and firewall policy for the perimeter that was successfully used on our ISA 2004, but
    this does not work. Here are the rules I have setup: 1.) A network rule is setup as a route with the Source being Internal and Destination being the perimeter. 2.) A firewall policy is setup for all outbound traffic with Source and
    Destination both setup with Internal, Local Host, and the perimeter network.

    DB:2.46:Internal Network And Local Host Cant Ping Devices In Perimeter Network xk

    Hi,

    Thank you for the post.

    You may launch getting started wizard to reconfigure network template as per:

    http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-How-use-TMG-network-templates.html, and then configure NIC refer to:

    http://social.technet.microsoft.com/wiki/contents/articles/recommended-network-adapter-configuration-for-forefront-tmg-enterprise-edition-servers.aspx
    Regards, Nick Gu - MSFT

  • RELEVANCY SCORE 2.45

    DB:2.45:Imap With Tmg2010 Doesnt Work 9x


    Hi all. I've been banging my head against a brick wall with this and I can't get my head around it.
    As part of a BES Express install I need to reverse proxy IMAP so that Blackberry users can contact the Exchange CAS array. TMG 2010 SP1 can handle Exchange 2010 services (OWA, EAS, OA) just fine, but the IMAP rule I have created doesn't work.
    Exchange 2010 CAS servers are represented by array IP 172.20.2.251. The TMG server has 2 NICs, one on the internal network and one in the DMZ, and is joined to the domain. The Cisco firewall switch module handles the NATting so no NATting takes place
    on the TMG. The DMZ address is 10.20.30.x.
    I have created a network rule as mentioned in another question in this forum, which NATs from internal to external and perimeter, with network relationship set to Route.
    The firewall rule itself is a server publishing rule, allowing IMAP (143) from anywhere to the CAS array address. Requests appear to come from the original client. Networks selected are External and Perimeter.
    I am testing the IMAP connection using outlook express on a PC which is on a separate ADSL line to our network so is a true representation of what we would like.
    When using the traffic simulator I use the IP address of the internet PC and the CAS array address and port 143. The result is 'Allowed Traffic' and the log states that 'a route relationship is specified'.
    When looking at the log and trying a connection from Outlook express for an IMAP connection, I get:

    Denied Connection
    LONSCHISA01 10/18/2011 12:00:47 PM

    Log type:
    Firewall service

    Status: The policy rules do not allow the user request.

    Rule: Default rule

    Source:
    External (90.155.46.4:50622)

    Destination:
    Local Host (10.20.30.38:143)

    Protocol: IMAP4

    I'm not entirely sure why this is happening.
    There are 2 outgoing network rules - the default Internet Access rule which NATs from internal to external, and another rule for IMAP I created that routes from internal to external and perimeter. I created this because the IMAP firewall rule states that
    the request should appear to come from the forefront tmg computer. Is this correct?
    I'm not sure why the traffic simulator states that it has allowed the packet, but the log is blocking the packet, and outlook express can't connect to the mailbox. The outlook error message is 800ccc0e, 'connection to the server has failed'.
    If anyone could help out I would really appreciate it.
    Many thanks
    Andoni

    DB:2.45:Imap With Tmg2010 Doesnt Work 9x

    Hi Nick,
    I had disabled the last rule (Internet to Perimeter Route). I enabled it and changed it to NAT.
    The IMAP publishing rule was created again from Anywhere, to the cas array, listening on the perimeter IP that IMAP was allowed on.
    When testing IMAP access from outside, the connection was made but no response came from the server. I changed the IMAP server publishing rule so that requests appear to come from the Forefront TMG computer, and it worked.
    After creating an IMAPS rule, that also worked.
    Many thanks for your help, much appreciated.
    Andoni

  • RELEVANCY SCORE 2.45

    DB:2.45:Tmg 2010 Back Firewall Perimiter Config 33


    A question about the configuration of the perimeter network in a Back firewall configuration.
    When you run the wizard for a Back Firewall configuration the Perimeter network is configured with all ip-addresses (including the public ones) except the Internal one.
    So if you need a rule for access from or to the perimeter ip-range you need to create a subnet for that?
    Let me give an example:
    Lan: 192.168.1.0/24
    Perimeter: 192.168.2.0/24
    The Back End default configuration will also include all public ip-numbers in the perimeter network, so if I need an access rule from, say, internal to perimeter I need to create a subnet and allow from internal to the subnet name.
    Or do you need to
    manually configure the Perimeter network with only the assigned subnet? In my example 192.168.2.0/24?
    The configuration would be:
    lan - tmg - perimeter - HW based FW - public
    Erwin.

    DB:2.45:Tmg 2010 Back Firewall Perimiter Config 33

    Personally speaking, I always do the perimeter manually as it forces me to double check the settings and values and the relationship I want it to have to all of the other networks.
    Keith
    Keith Alabaster - MVP/Forum Moderator

  • RELEVANCY SCORE 2.44

    DB:2.44:Store Vm In Library With Scvmm On A Perimiter Network 8j


    Hi
    I'm trying to store a VM on my library using SCVMM and it's failing, saying:

    The virtual machine Servertemp cannot be stored to a library server because its host is on a perimeter network.
    Virtual machines cannot be transferred from hosts on perimeter networks because of security concerns. For more information about how to add a host in the perimeter network go to Virtual Machine Manager Help.
    ID: 1737

    My setup is this. Non production Test setup.
    Server host is running Hyper-V Server R2; it is part of a workgroup.
    All VMs running are managed with SCVMM on a VM that's part of a domain that's running on another VM.
    SCVMM has a passthrough USB drive attached to it for use as a library storing all ISOs and templates.
    Is it possible to store VMs on my library drive or does the host need to be part of the domain?
    The host was set up as a perimeter host in SCVMM and the agent installed on the host manually.
    Any help on this matter would be most gratefully received.

    Chris

    DB:2.44:Store Vm In Library With Scvmm On A Perimiter Network 8j

    For security reasons, SCVMM does not allow transferring of VMs from perimeter hosts back to fully trusted library servers. You can go to the Hyper-V host export the VM and copy all the files manually to Library share. Once you do that SCVMM will refresh
    in the VM.
    Thanks
    This posting is provided AS IS with no warranties, and confers no rights. User assumes all

  • RELEVANCY SCORE 2.43

    DB:2.43:Launching Application In The Work Perimeter 9f



    Hi,

    I have created a small app to experiment with the InvokeRequest API.

    // Address the request to the messaging app and ask it to open a view.
    invokeRequest.setTarget("com.mycompany.myapp.messaging");
    invokeRequest.setAction("bb.action.VIEW");
    InvokeTargetReply* reply = _invokeManager->invoke(invokeRequest);
    if (reply) {
        // Keep the reply alive and get notified when the invocation completes.
        reply->setParent(this);
        QObject::connect(reply, SIGNAL(finished()), this, SLOT(onInvokeResult()));
        _invokeTargetReply = reply;
    }

    Myapp.messaging is installed in the work perimeter. The sample app works nicely if it is launched from the work perimeter, but if the app is launched from the personal perimeter it gives an error in the reply return value.

    It gives InvokeReplyError::NoTarget. Anyway to specify that the target is in the work perimeter? I do not see a method setPerimeter in the InvokeRequest API ...

    Is it normal that you cannot invoke apps from the work perimeter when you are residing in the personal perimeter? Is it possible to enforce that we switch to work perimeter (including entering the work space password) before doing the invoke?

    Best regards,

    René Heuven

    E rene@inmote.com

    DB:2.43:Launching Application In The Work Perimeter 9f


    That's what's supposed to happen. In #2, there is no target. It doesn't matter if there was a potentially valid target in the work perimeter, if your app isn't there it doesn't exist.

    What usecase specifically do you have where it would matter if there was a target in the perimeter you're not in?

    #3 may be a bug or just a bit unfortunate. When do you push the lock button to make that happen?




    Paul Bernhardt
    Application Development Consultant
    BlackBerry
    @PBernhardt

  • RELEVANCY SCORE 2.43

    DB:2.43:Tmg Ems With Nlb - Internal To Perimeter - Nat Or Routing? zp


    I am in the process of building an TMG EMS array with 2 member that are configured to use NLB.
    The NLB has been configured to work on the Internal, Perimeter and the Internet interface.
    I would prefer for traffic to always use the VIPs of the Internal, Perimeter and the Internet interface so that servers in the Perimeter are still reachable when one of the TMG array members goes down.
    What is advisable to choose for the network relationship of the Internal to Perimeter network rule, NAT or Route?

    DB:2.43:Tmg Ems With Nlb - Internal To Perimeter - Nat Or Routing? zp

    Hi Marc,
    Well, I've tried to create a route relationship, and it looked like it worked for a while.
    Then I restarted one of the TMG members, tried to log on to the restarted member and it hung at welcome. Then, after some time, the other member suddenly was no longer reachable from the console of the TMG EMS server.
    I tried the NAT relationship and there were no problems.
    I eventually solved it by adding a route on both TMG array members that routes traffic destined for the perimeter to the IP of the perimeter VIP.
    Can you confirm that in a load balancing setup with a route relationship for the perimeter, one needs to always add a route on each array member, so that only the VIP is used for traffic destined for the perimeter network?
    To clarify things:
    My perimeter network is 172.26.1.0/24. The VIP for the perimeter has 172.26.1.92 as IP address.
    Servers in the perimeter use 172.26.1.92 as their default gateway.
    My internal network on the TMG is 172.26.3.0/24. The VIP has 172.26.3.92 as IP address.
    The route that I added on both TMG members was:
    route add 172.26.1.0 mask 255.255.255.0 172.26.1.92 -p

  • RELEVANCY SCORE 2.42

    DB:2.42:Vpn Tunnel To Perimeter jp



    I work with a PIX515. Terminating a VPN tunnel (L2TP/IPsec connection) on the outside interface works fine. But my goal is to terminate the tunnel on a perimeter interface. I have tried several things but I can't get it to work.

    Checking the syslog shows that the udp traffic on port 1701 reaches the interface on the perimeter network. But for some reason the firewall doesn't answer.

    Has anyone established successfully a vpn tunnel to a perimeter interface? Can anyone help me? Sample Config?

    Thank you.

    Hans

    DB:2.42:Vpn Tunnel To Perimeter jp


    Dear Yusuf

    Thanks a lot for your answer and the link. That's right, I can terminate the tunnel on any interface as long as this interface is also connected to the "outside" world (as described in your link) but NOT when I have only one "outside" and the traffic must "flow" through the pix to the perimeter interface.

    Greetings

    Hans

  • RELEVANCY SCORE 2.42

    DB:2.42:Ep Installation Error In Traditional Perimeter Network dz


    Hello ,

    i have exactly the same error, have you managed to solve this ?

    thanks

    DB:2.42:Ep Installation Error In Traditional Perimeter Network dz

    I would have asked here.
    http://social.microsoft.com/Forums/en-US/category/dynamics/

    Thanks

  • RELEVANCY SCORE 2.42

    DB:2.42:Perimeter Host Disappers After Some Time 13


    I have a single perimeter host (2008 x64 SP2, Hyper-V) plugged into my SCVMM system using the IP address. This works great for several weeks. Then one day, I get 'host not responding' in the SCVMM console. Refresh fails. Last time I re-installed the host agent and everything worked. Now it has happened again. What gives?

    DB:2.42:Perimeter Host Disappers After Some Time 13

    Thank you very much. That makes sense. I'll check that next time it happens. Take care!

  • RELEVANCY SCORE 2.42

    DB:2.42:Vmm 2012: Errors 2927 And 426 (Adding Hyper-V Hosts In A Perimeter Network) dm


    Just adding this in case anyone does a search...
    http://technet.microsoft.com/en-us/library/gg610642.aspx
    I was trying to add an external Hyper-V host. I first received error 2927 when I chose to load the VMM agent on the Hyper-V host, I tried to tie the certificate to the IP address.
    I switched to trying the process using the local computer name, at first I received error 426. To finally resolve this last one, I added the host name and IP address in c:\windows\system32\drivers\etc\hosts on the VMM server.

  • RELEVANCY SCORE 2.42

    DB:2.42:Fpe 2010 Central Management Console In Perimeter 3a


    I understand the Forefront Security Management Console does not support agents in the perimeter network, however I just wanted to know if there is any way of centrally managing FPE servers located in a perimeter network. I understand the security implications
    of doing so. Thanks in advance.

    DB:2.42:Fpe 2010 Central Management Console In Perimeter 3a

    FSSMC does not have the ability to manage FPE (v 11.0). It only manages FSE (v 10.0) or Antigen (v 9.0).
    The next version of FSSMC, FPSMC, will have the ability to manage FPE and FPSP. It will also provide management of servers in your perimeter network such as Edge servers.
    http://blogs.technet.com/b/fss/archive/2010/07/21/forefront-protection-server-management-update.aspx

  • RELEVANCY SCORE 2.41

    DB:2.41:Publishing Ocs Edge 1k


    Hello,
    I am completely new walking into ISA (ISA 2006 Enterprise), so setting up the standard 3-leg perimeter for an OCS Edge deployment has been challenging to say the least. I would appreciate any and all help. Currently I am trying to get external IM to connect to ISA and then forward the request to the OCS Edge server. Right now, when the client computer makes a connection with ISA, the connection is being denied. From what I can tell, it's being denied due to the connection going from External Local Host instead of having the traffic forwarded from External IP of OCS Edge. I have my Non-web server publishing rule configured to allow HTTPS Server from the External network with an IP bound to the External NIC to the internal IP of the OCS Edge server which resides in the Perimeter network. There are 3 physical NICs on the ISA server. External, Perimeter, and Internal. The OCS Edge server resides in the Perimeter network. I have tried every configuration I can think of to no avail. Tried using both route/NAT relationships from External-Perimeter, Creating both access rules and server publishing rules and using either both or one or the other with every network relationship possible, tried publishing it as a web server, created a new protocol to allow inbound 5061/443 traffic, having requests appear to come from either ISA or the client, etc. I based my initial installation off of this document: http://www.isaserver.org/tutorials/OCS-2007-ISA-2006-Firewall-Design-Architecture.html however, this did not work. I have a feeling I am missing something really simple that I would appreciate having someone point out to me.

    DB:2.41:Publishing Ocs Edge 1k

    LOL - no one appreciates having to have something pointed out...... but I know what you mean :)
    What IP addressing scheme have you used within the perimeter? This will drive whether you will need a NAT or a route relationship with the external network.
    As a matter of route, I'll assume you have the supportability packs, service packs and all updates applied to the machines.
    Can you clarify what you meant by 'from the external network with an ip bound to the external nic to the internal ip of the OCS server'?
    Keith

  • RELEVANCY SCORE 2.41

    DB:2.41:Rdp Not Connecting To Ftmg 7k


    I have created new rule to publish my network computer and access externally. (RDP Terminal Services) Server.
    When I try to connect externally, below are the logs.
    Closed Connection

    Log type: Firewall service

    Status: A connection was abortively closed after one of the peers sent an RST packet.

    Rule: LAN_ServersRouters

    Source: Perimeter (88.xx.xx.94:51134)

    Destination: Local Host (88.xx.xx.89:3389)

    Protocol: RDP (Terminal Services)
    Can anyone help?

    DB:2.41:Rdp Not Connecting To Ftmg 7k

    Hi,
    Is RDP also activated on the TMG Server? If this is true you might have a socket conflict. You must change the RDP listener so that the listener only listens on the internal network interface. By default RDP on the TMG Server (Windows) listens to all local network interfaces:
    http://social.technet.microsoft.com/Forums/da-DK/Forefrontedgegeneral/thread/ef37e149-27ce-4da9-8739-cc58fdba46dc
    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

  • RELEVANCY SCORE 2.41

    DB:2.41:Fba In Sharepoint 2010 Extranet 9z


    Hi,
    I have set up a SharePoint extranet where sharepoint 2010 is set up in perimeter network and it has it own Active directory. Perimeter network AD trusts (one way) corporate network AD. Now if I setup a FBA with perimeter network will it be able to authenticate
    users of internal or corporate network.
    Ideally it should do because of one way trust. Can anyone please provide confirmation on this.

    Thanks,
    Gaurav Dixit

    DB:2.41:Fba In Sharepoint 2010 Extranet 9z

    Hi Gaurav
    I have a similar setup and if you want to authenticate users of internal network, you need to add them to your extranet site.
    Aryan Nava
    SharePoint tips blog: http://virtualizesharepoint.com

  • RELEVANCY SCORE 2.40

    DB:2.40:Converting Physical Machine To Virtual p7


    Namesake,

    Please help me with this case:
    While converting a physical server to virtual, right at the end of the wizard, I get this message regarding network communication:

    Error (3219):
    Perimeter network host apac-tis-virt1 cannot be used in physical-to-virtual or virtual-to-virtual conversions.

    Recommended Action:
    Specify a host located in a trusted domain, then try the operation again.

    The servers are in the same domain!

    I look forward to your reply!

    DB:2.40:Converting Physical Machine To Virtual p7

    I am marking this topic as answered to keep the forum organized; if you need to clear up any related question, I suggest opening a new post!

    Regards,

    Cleber Marques
    Microsoft MVP MCT | Charter Member: SCVMM MDOP
    Projeto MOF Brasil: Simplifying IT Service Management
    My Blog
    | MOF.com.br
    | CleberMarques.com
    | CanalSystemCenter.com.br

  • RELEVANCY SCORE 2.40

    DB:2.40:Perimeter Host Problems 17


    This has been a constant problem for me in both VMM2007 and 2008. I have one host server on the DMZ (Hyper-V, not part of my domain) that I manage with VMM2008. I follow the procedure to add the host to the perimeter network, and it does work correctly for some time. But after a period of time the VMM server can no longer talk with the host and shows the following under the host properties:

    Overall Status: Needs Attention
    Connection Status: Not Responding
    Agent Status: Access Denied
    Virtualization service status: Unknown
    Virtualization service version: Up-to-date

    Additionally, when I attempt to do a manual refresh, I get the following response to the failed job:

    Error (2910)
    VMM does not have appropriate permissions to access the resource  on the SERVERNAME server.  (Access is denied (0x80070005))
    Recommended Action
    Ensure that Virtual Machine Manager has the appropriate rights to perform this action.

    I know that I can temporarily fix the problem by uninstalling and reinstalling the VMM agent on the host server, but within a couple of weeks it will be right back to this same problem. Does anyone have any idea about what could cause this, because I would surely appreciate having a resolution.

    DB:2.40:Perimeter Host Problems 17

    You solved my problem! The account that was created during the install is still present.  But when I looked at the properties of the account, I realized it had been created with a password expiration.  Now that I've set that password to never expire, everything is working again. Thank you very much.

  • RELEVANCY SCORE 2.40

    DB:2.40:Publishing Ftp Server Access Through Tmg 99


    I'm having a problem publishing my FTP server through TMG
    (The FTP works fine internally from the Internal Network but I cannot connect to it from outside the network)
    I have it setup as follows:
    Internal (10.44.22.10)-(route)-- Perimeter (10.46.56.9) --NAT-- External -- Cisco ASA - Internet
    The FTP Server is on the Internal network (10.44.22.10) and I have published a non-web server rule from the External network to the Internal FTP server 10.44.22.10 using the FTP Server protocol.

    I have a rule on the Cisco ASA from the public IP address of our domain name allowing FTP traffic on port 2021 through and have a NAT rule setup pointing all traffic to the TMG DMZ IP which is on the Perimeter network.
    The problem is I can see the FTP requests hitting the TMG server from the Cisco, but the Source is External and the Destination is Local Host (DMZ IP of TMG) as the rule on the Cisco NATs traffic to the TMG IP, so the publishing rule I've set up isn't in use.

    My question is how can I set it up so the FTP requests still go through the TMG but instead of looking for a FTP server on the TMG forward requests to my Internal FTP server?

    Thanks

    DB:2.40:Publishing Ftp Server Access Through Tmg 99

    Hi,
    Please check this,
    I hope you have something missing in ASA,

    I hope this will help you.

    Thanks,
    Best Regards,
    Naresh Man Maharjan, Nepal
    www.msserverpro.com

  • RELEVANCY SCORE 2.40

    DB:2.40:Setting Up Perimeter Network For Edge Transport fz


    Can anyone help me or give me a step-by-step guide on setting up a perimeter network for our edge transport server - and also if possible guide on how i can give hub transport server access to edge transport and vice versa.

  • RELEVANCY SCORE 2.40

    DB:2.40:Configure Outbound Smtp Access In Tmg. 1x


    Hi All,

    New to TMG but familiar with firewalls. Hope you can assist here because I can't seem to figure it out. Our ISP has an SMTP Smarthost that we can point to to send email.

    Our TMG platform is configured as such

    Internal Network - 192.168.33.x
    Perimeter Network - 192.168.35.x
    Public-External Network - 145.6.x.x

    SMTP Rule using publish email server
    Action : Allow
    Traffic : SMTP Server
    From: Anywhere
    TO: my IPS SMTP External email address
    (*) Request to published server: Requests appear to come from Forefront TMG Computer

    Networks: Internal, External, localhost, Perimeter

    TELNET VERIFICATION
    From INTERNAL or PERIMETER SERVERS
    telnet isp.fqdn.com 25
    Connecting To isp.fqdn.com ...Could not open connection to the host, on
    port 25: Connect failed

    From TMG LOCALHOST
    telnet isp.fqdn.com 25
    Connects !

    Log Error:
    Failed Connection Attempt TMGHOST 6/7/2012 7:39:22 AM
    Log type: Firewall service
    Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

    Rule: Allow ALL out
    Source: Internal (192.168.33.3:54731)
    Destination: External (65.6.34.24:25)
    Protocol: SMTP
    Additional information
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 21031ms Original Client IP: 192.168.33.3

    If any other info is needed please let me know.

    Thanks all,

    DB:2.40:Configure Outbound Smtp Access In Tmg. 1x

    Just as an FYI... I was missing my perimeter to external NAT Network Rule using the default TMG gateway IP. Once that was in place a simple access rule for SMTP made it all work properly. Thanks for the guidance.

  • RELEVANCY SCORE 2.40

    DB:2.40:Unable To Install Workgroup Agent Manually 8p


    Hi,
    I'm having a problem here. I am not able to install a Workgroup agent manually, which gave me this error when I run
    SetdpmServer
    make sure that this computer is not part of a perimeter network. DPM does not support protection of computers on a perimeter network.
    The error just stops there and nothing happens. It's weird because the protected computer has always been on the Workgroup and I was able to attach an agent manually to it and back up some files. The reason I re-install/attach the agent again is because
    error id 318 appears and there's nothing I can do about it.

    Please help..

    DB:2.40:Unable To Install Workgroup Agent Manually 8p

    Can you please open the thread once you have got the data?
    Thanks, Praveen D [MSFT]
    This posting is provided AS IS with no warranties, and confers no rights.

  • RELEVANCY SCORE 2.39

    DB:2.39:Vmm 2012 Agent Certificate Issue 7s


    I installed VMM agent on Hyper-V non-domain host on perimeter network.
    I selected default port 5895 for winrm listener and 444 for BITS file transfers.
    Port 443 is used for TS Gateway with PKI certificate.
    Regarding VMM everything is working OK.
    When I migrate VM from or to host, PKI certificate on IIS (port 443) is automatically changed with VMM security certificate, so it breaks TS Gateway settings on that server.
    I tried to add binding 444 for https transfers with VMM security certificate on IIS, but problem still exists.
    Thanks for help in advance!

    DB:2.39:Vmm 2012 Agent Certificate Issue 7s

    Thanks for an answer in right direction.
    I solved the problem by changing BITS port on VMM server in registry.

  • RELEVANCY SCORE 2.39

    DB:2.39:Owa Isues On Dmz j3


    Hello everybody,
    I have the next issue:
    I have two TMG servers and one Exchange 2010, one behind the DMZ and the other behind the external network. I published an OWA site on the TMG backend, then I published an OWA site in the frontend.
    When I try to access the OWA site with a valid user, the next message appears:
    Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

    When I saw the logging of the backend, I discovered the next:
    Denied Connection BACKEND 03/08/2010 04:25:55 p.m.
    Log type: Web Proxy (Reverse)
    Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).

    Rule: Default rule
    Source: Perimeter (172.16.0.1:10091)
    Destination: Local Host (172.16.0.2:443)
    Request: GET http://190.223.187.84/owa
    Filter information: Req ID: 07d0529d; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes

    Protocol: https
    User: anonymous
    Additional information
    Client agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
    Object source: (No source information is available.)
    Cache info: 0x0
    Processing time: 1 MIME type:
    Does somebody know why this is happening? Thanks in advance.

    DB:2.39:Owa Isues On Dmz j3

    Hi,

    Thank you for the update.

    The hosts file setting is correct. From error message 403 Forbidden, it indicates that the request failed to meet the requirements of any allow
    rules. Most likely, the request as forwarded by the upstream server does not match the rule created on the downstream server.

    Regards,
    Nick Gu - MSFT

  • RELEVANCY SCORE 2.39

    DB:2.39:Tmg 2010 In Standalone Array - Do I Have To Enable Nlb For The Perimeter(Dmz) Network? x9


    We are in the process of setting up 2 TMG 2010 servers in a Standalone array with NLB.
    The TMG 2010 server will be setup as a 3-leg perimeter.
    We need to have a VIP for the both the external network as well as the internal network so we have to enable NLB on both the external network as well as the internal network.
    We want the perimeter to be available at all times, so if one of the 2 TMG 2010 servers goes down the servers in the perimeter will still need to be available from both the internal as well as the external network.
    Do i understand correctly that we will then also have to enable NLB with a VIP for the perimeter network?

    DB:2.39:Tmg 2010 In Standalone Array - Do I Have To Enable Nlb For The Perimeter(Dmz) Network? x9

    Hi,
    Thank you for the post.
    Please refer to this post:
    http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/ecdc6739-4964-4d08-9fc1-bf6a808d31d8/
    Regards,
    Nick Gu - MSFT

  • RELEVANCY SCORE 2.39

    DB:2.39:No Wan Ip Showing For New Client 77



    I added an OnPlus appliance to a new client yesterday and when I checked in on it today, it wasn't showing an IP address for the client's Internet connection.  If I am in the OnPlus portal I cannot open a browser to any devices, I get a tunneling error.  The portal does show the devices inside the network, so it appears to be functional.

    This client has a Cisco 1811 on the perimeter of their network.  Is there some port that needs to be available for the OnPlus to function?  I haven't had this problem with other clients before but this one seems to have more perimeter security.

    Thanks.

    (note there is no WAN IP for the last client in the picture)

    DB:2.39:No Wan Ip Showing For New Client 77


    Thanks to all who replied!

    Have a good one guys!

  • RELEVANCY SCORE 2.39

    DB:2.39:Tmg Publishing Ftp Server jj


    Hi folks
    I am implementing a 3-Leg Perimeter firewall using TMG 2010 Standard. I have successfully published HTTP and HTTPS on the perimeter network but am unable to publish FTP on the perimeter network. I have a NAT relationship between the perimeter network and external network and can successfully login to the FTP server. The problem arises when the client attempts to connect to the Data Channel which generates a 425 Can't open data connection error. The FTP server and client are operating in PASV mode.
    I have tried doing this with Gene6 FTP server and also FileZilla FTP server on separate 2003 Web Edition servers with the same result. I have also seen the TMG FTP publishing article on isa-server.org and have followed them directly but without success.
    I have also tried changing my perimeter relationship with external to Route but TMG won't pass anything at all between the two except to HTTP and HTTPS?
    The FTP servers are serving as I can test them successfully within the perimeter network. Log files for both Server and Client are below. You can see the server and client both reporting the error and wonder whether it is FTP Access Filter related?
    Appreciate any assistance with this.
    Regards

    NimsWork

    FileZilla Log:
    (000001) 5/24/2010 14:56:36 PM - (not logged in) (222.154.248.25) Connected, sending welcome message...
    (000001) 5/24/2010 14:56:36 PM - (not logged in) (222.154.248.25) 220-FileZilla Server version 0.9.34 beta
    (000001) 5/24/2010 14:56:36 PM - (not logged in) (222.154.248.25) 220-written by Tim Kosse (Tim.Kosse@gmx.de)
    (000001) 5/24/2010 14:56:36 PM - (not logged in) (222.154.248.25) 220 Please visit http://sourceforge.net/projects/filezilla/
    (000001) 5/24/2010 14:56:37 PM - (not logged in) (222.154.248.25) USER ME
    (000001) 5/24/2010 14:56:37 PM - (not logged in) (222.154.248.25) 331 Password required for me
    (000001) 5/24/2010 14:56:37 PM - (not logged in) (222.154.248.25) PASS ******
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) 230 Logged on
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) SYST
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) 215 UNIX emulated by FileZilla
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) FEAT
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) 211-Features:
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) MDTM
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) REST STREAM
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) SIZE
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) MLST type*;size*;modify*;
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) MLSD
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) UTF8
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) CLNT
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) MFMT
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) 211 End
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) PWD
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) 257 / is current directory.
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) TYPE A
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) 200 Type set to A
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) PASV
    (000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) 227 Entering Passive Mode (192,168,100,162,16,68)
    (000001) 5/24/2010 14:56:58 PM - rory (222.154.248.25) PORT 222,154,248,25,204,227
    (000001) 5/24/2010 14:56:58 PM - rory (222.154.248.25) 200 Port command successful
    (000001) 5/24/2010 14:56:58 PM - rory (222.154.248.25) LIST
    (000001) 5/24/2010 14:56:58 PM - rory (222.154.248.25) 150 Opening data channel for directory list.
    (000001) 5/24/2010 14:57:08 PM - rory (222.154.248.25) 425 Can't open data connection.
    (000001) 5/24/2010 14:58:37 PM - rory (222.154.248.25) 421 No-transfer-time exceeded. Closing control connection.
    (000001) 5/24/2010 14:58:37 PM - rory (222.154.248.25) disconnected.
    FTP Client :
    Connecting to 202.68.92.162:21
    Connected to 202.68.92.162:21 in 0.035000 seconds, Waiting for Server Response
    220-FileZilla Server version 0.9.34 beta
    220-written by Tim Kosse (Tim.Kosse@gmx.de)
    220 Please visit http://sourceforge.net/projects/filezilla/
    Host type (1): Automatic Detect
    USER ME
    331 Password required for me
    PASS (hidden)
    230 Logged on
    SYST
    215 UNIX emulated by FileZilla
    Host type (2): Unix (Standard)
    Sending FEAT command to determine what features this server supports.
    FEAT
    211-Features:
    MDTM
    REST STREAM
    SIZE
    MLST type*;size*;modify*;
    MLSD
    UTF8
    CLNT
    MFMT
    211 End
    Finished interpreting FEAT response.
    Sending the FEAT command is optional. You can disable it in the site options of the profile.
    PWD
    257 / is current directory.
    TYPE A
    200 Type set to A
    PASV
    227 Entering Passive Mode (202,68,92,162,39,223)
    connecting data channel to 202.68.92.162:39,223(10207)
    Failed to connect data channel to 202.68.92.162:39,223(10207)
    PORT 192,168,1,18,204,227
    200 Port command successful
    LIST
    150 Opening data channel for directory list.

    DB:2.39:Tmg Publishing Ftp Server jj

    I have now resolved my FTP publishing issue.

    I used a new Dell R300 server and installed Dell driver updates for the NICs. However, after experiencing a few recent network failures, I updated the drivers from the NIC manufacturer and, hey presto, the FTP publishing is now working as expected.

    The moral of the story for me is to check before and after driver details when doing a driver update to ensure the new driver is actually installed as advertised.

    Thanks to all who assisted. It was certainly an unusual issue but I know a bit more about the FTP protocol and the TMG FTP Access Filter now. :)

    Regards

    Nims
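
The server and client logs earlier in this thread show the 227 reply and the PORT command carrying different addresses on each side. The following is an added example, not code from the thread: it decodes the `h1,h2,h3,h4,p1,p2` tuples (port = p1*256 + p2), compares what each side sent with what the other side logged, and checks that a PORT address matches the control connection's peer. The function names are hypothetical, and it assumes both logs record the same session.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT commands and 227 replies (RFC 959).
PORT_RE = re.compile(r"\bPORT\s+(\d{1,3}(?:,\d{1,3}){5})\b")
PASV_RE = re.compile(r"\b227\s[^()]*\((\d{1,3}(?:,\d{1,3}){5})\)")
# Control-connection peer as this server log prints it: "user (a.b.c.d)".
PEER_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

# Lines taken from the two logs in the thread above.
SERVER_LOG = [
    "(000001) 5/24/2010 14:56:37 PM - rory (222.154.248.25) 227 Entering Passive Mode (192,168,100,162,16,68)",
    "(000001) 5/24/2010 14:56:58 PM - rory (222.154.248.25) PORT 222,154,248,25,204,227",
]
CLIENT_LOG = [
    "227 Entering Passive Mode (202,68,92,162,39,223)",
    "PORT 192,168,1,18,204,227",
]


def decode_endpoint(line):
    """Return (kind, IPv4Address, port) for a PORT or 227 line, else None."""
    for kind, regex in (("PORT", PORT_RE), ("227", PASV_RE)):
        match = regex.search(line)
        if match:
            fields = [int(x) for x in match.group(1).split(",")]
            if any(f > 255 for f in fields):
                return None  # malformed tuple, not a usable endpoint
            ip = ipaddress.IPv4Address(".".join(map(str, fields[:4])))
            return kind, ip, fields[4] * 256 + fields[5]
    return None


def endpoints(log_lines):
    """Map kind -> (ip, port) for the first PORT and first 227 line in a log."""
    found = {}
    for line in log_lines:
        decoded = decode_endpoint(line)
        if decoded and decoded[0] not in found:
            found[decoded[0]] = decoded[1:]
    return found


def compare_sides(server_log, client_log):
    """Report, per message kind, what was sent versus what the far side logged."""
    server, client = endpoints(server_log), endpoints(client_log)
    report = []
    # A 227 reply originates at the server; a PORT command at the client.
    for kind, sender, receiver in (("227", server, client), ("PORT", client, server)):
        if kind in sender and kind in receiver:
            (s_ip, s_port), (r_ip, r_port) = sender[kind], receiver[kind]
            report.append({
                "kind": kind,
                "sent": f"{s_ip}:{s_port}",
                "seen": f"{r_ip}:{r_port}",
                "sent_is_private": s_ip.is_private,
                "rewritten": (s_ip, s_port) != (r_ip, r_port),
            })
    return report


def port_matches_peer(server_line):
    """True if a PORT address equals the control connection's peer address."""
    decoded, peer = decode_endpoint(server_line), PEER_RE.search(server_line)
    if not decoded or decoded[0] != "PORT" or not peer:
        return None  # not a PORT line in the expected server-log format
    return decoded[1] == ipaddress.IPv4Address(peer.group(1))


if __name__ == "__main__":
    for row in compare_sides(SERVER_LOG, CLIENT_LOG):
        print(row)
    print("PORT matches control peer:", port_matches_peer(SERVER_LOG[1]))
```

A private address in the "sent" column with a different value in "seen" means a device on the path is rewriting the FTP payload, so the rewritten address and port are the ones that must be reachable for the data channel to open.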

  • RELEVANCY SCORE 2.39

    DB:2.39:Allowing Outside Traffic To Inside On Asa xp



    I have an ASA firewall placed at the perimeter network and hosts in the inside network.

    I have only allowed these hosts to make VoIP calls using a third-party VoIP service called Jumblo (for info, www.jumblo.com).

    Below is the config.

    access-list inside_access_in extended permit udp host 192.168.5.150 object-group DM_INLINE_NETWORK_11 object-group Jumblo
    nat (inside) 10 192.168.5.150 255.255.255.255

    The call can be made successfully. Perhaps the problem is that when a call is placed, he cannot hear the dial tone and the remote client's voice.

    I believe that I'd have to configure something on the ASA to allow the traffic from outside to inside, but I am confused.

    Please advise me.

    DB:2.39:Allowing Outside Traffic To Inside On Asa xp


    Hello NT.

    I'll try and let you know

    Really I appreciate your efforts.

  • RELEVANCY SCORE 2.39

    DB:2.39:Network Error fk


    I am running into an intermittent error between my IA server and my Content Server. The error is the following: IAEXDM[DM_SESSION_E_CANT_CONNECT]error: "Could not connect to docbase (docbase name) at host (host name) because (Extended network error: 0). Network address: (INET_ADDR: family:2, port:10000, host: host name(IP Address) This prevents documents from being processed. Any ideas?

  • RELEVANCY SCORE 2.39

    DB:2.39:Issue With Adding Perimeter Server To Scvmm mx


    I have a maybe unusual environment: Server 2008 R2 with Hyper-V in a workgroup, hosting a Server 2008 R2 VM with SCVMM version 2.0.4271.0 installed and joined to a domain. I want to add the Hyper-V server as a perimeter server to the VMM, so I installed the VMM Agent (from the same ISO image as the VMM installation) on the Hyper-V host and copied the SecurityFile.txt to the VM. Then I tried to add the server as a perimeter server by specifying the FQDN and the correct encryption key (I already double-checked and reinstalled the agent with a different key, and updated the copied security file, too), but the VMM simply tells me it cannot get the credentials from the SecurityFile.txt. Is there any way to get a more detailed error message than "Error (425) VMM was unable to import the user credentials from the security file."?

    DB:2.39:Issue With Adding Perimeter Server To Scvmm mx

    Found the problem:
    I copied the base64-encoded content of the SecurityFile into a newly created file instead of the file itself, because I had trouble with file access to a shared resource. The encoding of the file seems to be important. If someone from Microsoft reads this: you may think about fixing the import to not depend on the original file, but only on the base64-encoded content ... otherwise you could use binary files, so that nobody will even think about using the text content.

  • RELEVANCY SCORE 2.38

    DB:2.38:Problem Publishing A Non-Web Server With Isa 2006 8p


    Hello,

    I run ISA Server 2006 with SP1 which has 3 network interfaces - Internal, External and Perimeter. Internal is a network with public addresses, Perimeter is a private network. Network rules are Internal to External - Route, Perimeter to External - NAT.

    I need to publish a RDP server which is in the Internal network to the Internet. I have done the following:

    1. Access rule from ISA Server (Localhost) to Internal RDP Server. Outbound RDP (Terminal Services). Applied and tested - I can open RDP session to the Internal server from ISA Server console.
    2. Access rule from External to ISA Server (Localhost). Outbound RDP (Terminal Services). Applied.
    3. Non-web server publishing rule. Properties are as follows. Traffic: RDP (Terminal Services) Server. From: Anywhere. To: Internal server IP address; Requests appear to come from the original client. Networks: External. Schedule: Always.

    For my test Terminal Services at the ISA Server were disabled - nothing listened to tcp:3389 before the ISA rules were configured.

    Everything is applied. Now I try to connect with Remote Desktop client to ISA Server external interface. I don't get connected. telnet ISA_Server_external_interface 3389 promptly (no timeout) returns Connect failed error. At the same time ISA Server monitor logs 3 successful pairs of Initiated Connection / Closed Connection events. Network sniffer shows 3 SYN packets followed by ACK-RST packets. So, the ISA Server actively refuses the connection. Why?

    Tried the same setup with a RDP server located inside the Perimeter network - it works fine.

    What could be the problem? Any ideas are appreciated.

    The OS is Windows Server 2003 SP2. I have other publishing rules on the same server, all of them are web servers from both Internal and Perimeter networks - they work fine. Only the non-web publishing doesn't work.

    Alex

    DB:2.38:Problem Publishing A Non-Web Server With Isa 2006 8p

    Hi,
     
    Thank you for your update.
     
    As we know, the concept of non-web server publishing is designed for NAT relations, not route relations.
     
    Please refer to: http://technet.microsoft.com/en-us/library/dd547089.aspx
     
    Regards,
     Nick Gu - MSFT

  • RELEVANCY SCORE 2.38

    DB:2.38:Re: Rectangle Values Won't Print p8


    This is the error message I am getting.

    symbol : method perimeter()
    location: class rectangle.rectangle
    System.out.println("Rectangle Perimeter: " + perimeter());
    symbol : method area()
    location: class rectangle.rectangle
    System.out.println("Rectangle Area: " + area() + "\n");
    2 errors
    BUILD FAILED (total time: 0 seconds)

    DB:2.38:Re: Rectangle Values Won't Print p8

    then be kind enough to divide the dukes between me and flounder :)

  • RELEVANCY SCORE 2.38

    DB:2.38:Scvmm 2008 - Unable To Add Host pk


    I've installed the SCVMM2008 beta ok but seem unable to add a host to it to manage. I am trying to add a Windows 2008 Hyper-V server that is a standalone server ie. it is not a member of the domain.
     
    I installed the vmm agent on the standalone host server and created the .txt file, then I chose the perimeter network option when adding a host and filled in the information. But the adding of the host fails due to authentication problems.
     
    Does anyone have any suggestions on how to do this please?

    DB:2.38:Scvmm 2008 - Unable To Add Host pk

    Scott solved this issue by switching his VMs from using internal network to external network.
     
    Note: His configuration is an all-in-one setup.
    Single 64-bit computer with Windows Server 2008 on the host, a couple VMs running Windows Server 2008 too.
    SCVMM server is installed as a VM on the host.
    The host is then added to the SCVMM (that is running as a VM on the same host) by using DMZ host type.
     
    For more information on troubleshooting add host failure and / or hosts in Needs Attention or Not Responding state, check out this post:
    http://blogs.technet.com/chengw/archive/2008/05/02/what-to-do-when-i-have-host-in-needs-attention-state-or-my-connection-status-is-not-responding.aspx
     
    Thanks,
    Cheng

  • RELEVANCY SCORE 2.38

    DB:2.38:Scvmm Self-Service Website Connecting To Perimeter Host 78


    I have several internal hosts and a single DMZ host. Can I allow a user, via the SCVMM interface, to connect to the console of a VM hosted on a perimeter Hyper-V host? SCVMM can administer this perimeter host currently with no problem.

    Thanks
    Blake

    DB:2.38:Scvmm Self-Service Website Connecting To Perimeter Host 78

    Hi Blake,

    Let me first explain why this works the way it does, and then I will list what you can do to get it working the way you want.

    The Administrative Console and the Self-Service Portal actually do have the same implementation with regard to talking to DMZ VMs. However, the reason you are prompted for credentials twice in the Self-Service Portal is that the portal first asks for user-entered credentials for authenticating to SCVMM and then later asks for DMZ credentials for the VM. The Admin Console, however, automatically uses your Windows token to authenticate you to SCVMM and then prompts you only for the DMZ credentials when connecting to the DMZ VM. You can make the Self-Service Portal operate this exact way by enabling Single Sign-On for the portal, such that the currently logged-on Windows user will be automatically authenticated against SCVMM and you will not have to enter those credentials manually.

    Now, since you are already authenticated to SCVMM, the logical question is why the user needs a separate set of credentials to talk to the DMZ VM if that VM is being managed by SCVMM. The answer is they don't for all operations (Start, Stop, etc.); however, connecting to the VM console (or connecting via Remote Desktop) are special cases. The Hyper-V console connection or a Remote Desktop connection both run over the RDP protocol, and they are designed, from an authentication and performance standpoint, to have the client (Admin Console or Internet Explorer running the Self-Service Portal) connect directly over the intranet to the host/VM in order to control the virtual machine. SCVMM today does not support acting as a middle man for these connections, so the already established and authenticated channel to the SCVMM server does not assist with the communication when directly controlling the VMs. At this point you are utilizing Hyper-V's security.

    For non-DMZ hosts, SCVMM will add the self-service users who have access into Hyper-V's AzMan store so that those self-service users can connect without getting prompted for a password, but for the DMZ machines, the self-service user's account is not valid. Here you must manually enter the credentials; however, you can avoid having to do this repeatedly by saving the credentials once on each client as you connect.

    To enable single sign-on for the Self-Service Portal, refer to this article: http://technet.microsoft.com/en-us/library/cc956040.aspx

    If you wish to go further, and prevent the second set of credential prompts as well, the way to accomplish that will be dependent on whether you are using Remote Desktop or the direct Hyper-V connection in order to connect to those machines. If you get a popup login prompt, you can try saving your credentials and, as long as your local policy does not disallow delegation of saved credentials, that will likely prevent further credential prompts. If you wish to do this as well and are having trouble, let me know which method you are using to connect to the VM and I can help you figure out the required settings.
    -James
     

  • RELEVANCY SCORE 2.37

    DB:2.37:Publishing An Ftp Server Which Is Running On The Tmg Server - High Ports Dropped By Tmg 1s


    Help please! (This used to work in ISA 2006/Windows 2003/IIS 6)
    I have a 2 physical directory, 2 isolated local user FTP 7.5 server running ON my TMG / Windows 2008R2 / IIS 7.5 server. The server is virtualised on Hyper-V on Windows 2008 R2.
    TMG is in back firewall config with 2 NICs, domain and perimeter.
    I want 2 clients to be able access this server from defined perimeter IP addresses which are NATTED into the perimeter network.
    The FTP / user isolation is working fine on the local host and domain network (if I rebind the service)
    However whenever a client from the perimeter connects the control channel on port 21 is established.
    The FTP response goes back to the client to open a data channel on a high port (above 1025)
    The returning data channel from the client is dropped by TMG.
    10.116.1.251 | 1040 | Unidentified IP Traffic (TCP:1040) | Denied Connection | Default rule | 0xc004000d FWX_E_POLICY_RULES_DENIED | Perimeter | Local Host | - | VS142 | - | Firewall | - | 0 | -

    Denied Connection
    VS142 28/01/2011 17:42:09

    Log type:
    Firewall service

    Status: The policy rules do not allow the user request.

    Rule: Default rule

    Source:
    Perimeter (xx.xx.xx.xx:62315)

    Destination:
    Local Host (10.116.1.251:1040)

    Protocol: Unidentified IP Traffic (TCP:1040)

    Additional information

    Number of bytes sent: 0
    Number of bytes received: 0
    Processing time: 0ms
    Original Client IP: xx.xx.xx.xx

    CarolChi

    DB:2.37:Publishing An Ftp Server Which Is Running On The Tmg Server - High Ports Dropped By Tmg 1s

    I know it's not best practise but:
    It is a BACK firewall.
    There are only two FTP users, no anonymous access.
    The FTP is limited to two fixed (non-public) IP addresses behind a trusted WAN connection in the perimeter network. It's not a public FTP site.
    It's an internal FTP site from a security point of view. It's published on a WAN connection to a known trusted network that I don't have access to.
    The reason it's running on the TMG server is that the TMG is the only server in the DMZ where the WAN router is. I don't want to build a whole new server for two users to collect two files once a month. There is no uploading.
    So it is not a standard FTP scenario.

    CarolChi

  • RELEVANCY SCORE 2.37

    DB:2.37:Edge Synchronization Deployment Questions jj


     
    Currently I have 2 Exchange 2007 SP1 Edge/Forefront servers on the perimeter network with 2 IronPort C350 boxes in front of them so inbound mail flow is IronPort -> Edge -> Exchange 2003 Organization. Outbound mail flow is the same path in reverse.
     
    Once I install the Client access servers and Hub transport servers I am wondering what will change on the Edge servers once I enable Edge Synchronization with the HT servers. I'm assuming the setting for the send and receive connectors will be overwritten.
     

    Will this affect the send connector that has the IronPort box as a smart host?

    DB:2.37:Edge Synchronization Deployment Questions jj

    Great. Thanks. I'm assuming that any transport rules I have on the Edge server will be synched with the subscribed HT servers.

  • RELEVANCY SCORE 2.37

    DB:2.37:Vmrc Alert: The Servers Security Certificate Is Invalid Error mf


    Any ideas how to resolve this? I encountered this when clicking on any of the VMs of several hosts in the VMM admin console (I use VMM 2007).

    I have the following Virtual Servers as hosts:

    I have the following hosted on our BIZ domain (our perimeter): vs1,2,3,9,10,11 - no problem with 1 and 2, but 3,9,10,11 encountered the error.

    I also have the following hosted on our COM domain (our internal): vs4,8 - which work fine.

    I'm puzzled why this happens.
     
    For your feedback
     

    DB:2.37:Vmrc Alert: The Servers Security Certificate Is Invalid Error mf

    Oh.. I forgot to say that I was able to resolve it upon further research on the problem..

    It seems the cause is the Automatic Authentication on Virtual Server: if the authentication went to Kerberos, the authentication fails, so I set it to NTLM, which solved the problem.

  • RELEVANCY SCORE 2.37

    DB:2.37:Isa570 Vpn Issue - Double Split Tunneling 3z



    Hi,

    Our company uses an ISA570 as our perimeter security. We have enabled SSLVPN to provide access to network for our telecommuters. Our client has a Juniper SA6000 based VPN solution. Our personnel usually log into the Juniper VPN for their work.

    Our telecommuters, however, face this problem while accessing the Juniper VPN while logged into our SSL VPN. We have disabled Split Tunneling on the ISA570, so all traffic from the host PC exits to the internet from our VPN gateway. Now when we connect to the client VPN, the traffic should go through our VPN and then proceed to the client VPN and exit from the client gateway. However, that is not happening. Even when connected to the client VPN, the traffic exits from our VPN gateway. For some reason the two encapsulations are being removed at our gateway.

    Host PC   A Tunnel Start   B Tunnel Start   A Tunnel End   B Tunnel End   Pub IP
    P         (P)              ((P))            (P)            P              P

    Above is what we want, but the scenario below is what we are getting (P is the packet, and () is each level of VPN encapsulation).

    Host PC   A Tunnel Start   B Tunnel Start   A Tunnel End   B Tunnel End   Pub IP
    P         (P)              ((P))            P

    Please advise on a possible resolution for this issue. Is it due to some SSL VPN configuration error at our ISA570?

    Thanks

    DB:2.37:Isa570 Vpn Issue - Double Split Tunneling 3z


    No John, the machine has two SSL VPN Connections, first one to ISA and second one to the Juniper. However it would be connected such that first SSL VPN tunnel to ISA is established and through that traffic path the computer establishes a second SSL VPN tunnel to the Juniper. A VPN Tunnel created through another VPN Tunnel. There is no VPN tunnel between ISA570 and Juniper, SSL or IPSec, just the regular internet connection.

  • RELEVANCY SCORE 2.37

    DB:2.37:Perimeter Network P2v Fails With 2910, Scvmm Is Logging Into The Source Machine xm


    1. SCVMM 2008 running inside a Hyper-V vm.
    2. SCVMM is managing the physical machine which is in a workgroup.
    3. Source machine is in a workgroup.
    4. The Hyper-V server and the SCVMM vm have all Windows Updates applied.

    The Convert physical server option fails in Scan System with a 2910.

    Source machine:
    1. Firewall turned off.
    2. BITS started
    3. RPC started
    4. Volume Shadow Copy Services started
    5. WMI started

    Security log on the source machine shows:
    1. Special logon
    2. Special logon
    3. Logon
    4. Logoff

    What needs to be done to fix this and allow the P2V to work? I think the perimeter host must be added to the domain where SCVMM is. Is there anything else that needs to be done? My concern is that the error message makes me think something else is wrong.

    DB:2.37:Perimeter Network P2v Fails With 2910, Scvmm Is Logging Into The Source Machine xm

    We don't support P2V to non-domain-member hosts. The workaround is P2V-ing to a domain-joined host and then migrating the VM to the non-domain-joined host. For the non-domain-joined source, try using local credentials.

    Thanks, Caglar
    -- Posting is provided AS IS with no warranties, and confers no rights.

  • RELEVANCY SCORE 2.37

    DB:2.37:Add Host To Scvmm 2008 R2 In Perimeter Network jk


    Hi,
    I have a host that is in the domain; it's trying to convert a virtual machine that is not in a domain, and I read that the agent needs to be installed in perimeter mode to get around the Kerberos authentication.
    The problem I have is that locally on the host, when I try to install the agent, it tells me the virtual machine manager component is not supported on this operating system. The OS is Server 2008 SP1 Core. Strangely, I can however add the host in SCVMM 2008 R2 as a non-perimeter host, but I get a failure related to WinRM during the conversion.

    Does anyone have any ideas how I can add the host in perimeter mode, or if it's even possible? All documentation says that the version of OS the host is running is compatible.
    Thanks

    Alter De Ruine

    DB:2.37:Add Host To Scvmm 2008 R2 In Perimeter Network jk

    Hi James,
    Please post the issue in the System Center Virtual Machine Manager forum:
    http://social.technet.microsoft.com/Forums/en-US/home?forum=virtualmachingmgrhypervfilter=alltypessort=lastpostdesc
    Best Regards
    Elton Ji

  • RELEVANCY SCORE 2.37

    DB:2.37:Error Publishing Non-Web Servers ca



    I need to publish a non-web server, but when I try to access the server (port 9100 and 1194) I cannot; the TMG does not match the publishing rule and goes directly to the permanent rule, so all connections are rejected.

    This is my TMG configuration:
    Perimeter: 10.0.0.1
    Inside: 10.5.5.2
    Server : 192.168.120.5 is inside and I have some routes for it.
    ports: 9100 tcp-80 , 1194 (tcp/UDP) - 1194

    All traffic enters from the perimeter, it is like an external network, so before the publishing rule I added a network rule (NAT) for that server.
    Could you help me please?
    fmartin

    DB:2.37:Error Publishing Non-Web Servers ca

    Hi,
    I try to do a telnet from both, from the perimeter and from the external network. This is my network topology:

    Server (192.168.120.5)-----Switch N3----(internal 10.5.5.2) -TMG-(perimeter 10.0.0.1 and external)-------router------INTERNET

    Regards
    fmartin

  • RELEVANCY SCORE 2.37

    DB:2.37:Vmm 2012, Vmm 2008 R2 And Ad Trusts sj


    hello,
    Situation
    VMM does not support managing a host cluster on a perimeter network or in an AD domain that does not have a two-way trust with the VMM server's AD domain.

    Question: Does anyone know whether the two-way trust requirement will be dropped in VMM 2012? Thanks

    DB:2.37:Vmm 2012, Vmm 2008 R2 And Ad Trusts sj

    Actually I think there is a change....
    It appears that 2012 will support at least a cluster in an untrusted domain... see:
    http://technet.microsoft.com/en-us/library/gg610609.aspx

    Steve Lithgow

  • RELEVANCY SCORE 2.37

    DB:2.37:Uag / Adfs Setup Question 8d


    Hi all,
    Will the following config cause problems:
    1. UAG server in perimeter network - UAG.MyCoExt.local
    2. ADFS server in perimeter network - ADFS.MyCoExt.local
    3. AD DS in the perimeter network - AD.MyCoExt.local
    4. Sharepoint servers in the perimeter network - SP1.MyCoExt.local
    5. Intranet Sharepoint servers in the corp network - SPInt.myco.com
    Wildcard certs issued with *.MyCo.com
    UAG portal url is https://portal.MyCo.com
    Public host name for SP site is https://SPSite.MyCo.com
    ADFS will be the authentication repository.
    Many thanks
    Mark.

    DB:2.37:Uag / Adfs Setup Question 8d

    I know it's only been a day since I posted this, but would really appreciate any advice on this one.
    Cheers
    Mark.

  • RELEVANCY SCORE 2.36

    DB:2.36:Single Lease Line Connecting 2 Perimeter Router 1s



    Hi all,

    I have a 2Mb lease line connecting my existing perimeter router; now I want to install a redundant router in this network.

    What I want to know is: is there any device which will connect my single 2Mb lease line to both perimeter routers?

    Thanks,

    Raj

    DB:2.36:Single Lease Line Connecting 2 Perimeter Router 1s


    Thanks Ankur,

    This is a perimeter router which connects the LAN to the internet. Inter-VLAN is happening on the C6509.

    We want to have redundant perimeter router with Single lease line. Ya we can also consider load balancing using redundant perimeter router.

    Thanks,

    Raj.

  • RELEVANCY SCORE 2.36

    DB:2.36:The Virtual Machine Xxx Cannot Be Stored To A Library Server Because Its Host Is On A Perimeter Network ss



    Virtual machines cannot be transferred from hosts on perimeter networks because of security concerns. For more information about how to add a host in the perimeter network go to Virtual Machine Manager Help.
    ID: 1737

    hi,
    am I getting this right?
    On one side I'm reading all these suggestions *not* to add the Hyper-V server to the domain and to connect through the perimeter network... Doing so, I can't see thumbnails because of not being connected through the domain, but now I can't even move a VM to the library because the host is on a perimeter network???
    Why is this? Why does it have to be this hard? I really do not understand...

    cu
    marc

    DB:2.36:The Virtual Machine Xxx Cannot Be Stored To A Library Server Because Its Host Is On A Perimeter Network ss

    hi mahami,
    i find this very odd...
    it is not good practice to place the host in the domain and yet it is needed due to security reasons..
    very odd..
    i added it to the domain...
    cu
    marc

  • RELEVANCY SCORE 2.36

    DB:2.36:Publishing An Application kc


    Folks,
    I'm having a few small problems publishing an application. The application is in a DMZ and needs to be accessed from the internal network and also externally.
    Details:
    The application uses Oracle and works with IIS on port 80. To install it, we just browse to the server's name or IP followed by ./install.exe and run that file, which itself downloads the other components, namely the application's graphical interface. After that, to validate the installation, it asks for an operator's user name and password so it can log who performed the install.
    The system's developer told me the system only needs port 80 to get through. So far so good: I can download the executable and the executable downloads the components, but when it asks me for the user name and password it says it cannot reach the server, that is, it cannot reach the database and validate the user to complete the installation.
    I have already published this as a web server and have already created a protocol for TCP port 80 inbound,
    and I cannot get access.
    I only got access when I created a rule allowing access from Internal to DMZ - all authenticated users - all outbound protocols.
    Please help me out, folks; here are some logs taken after I created this last rule.
    I think this log came out a bit messy; what's the best way to post logs? hehehe
     
    Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL192.168.12.21 iexplore.exe:3:5.1   MARTE -  TCP -      -    1311 0 0 0 0x0   0x0 0x0 Firewall 13/7/2006 09:07:17 192.168.254.11 80 HTTP Initiated Connection Sistema Loja 192.168.12.21 GRUPOGIOVELLI\Administrator Internal Perimeter - -192.168.12.21 SetupMH.exe:3:5.1   MARTE -  TCP -      -    1315 0 0 0 0x0   0x0 0x0 Firewall 13/7/2006 09:07:22 192.168.254.11 80 HTTP Initiated Connection Sistema Loja 192.168.12.21 GRUPOGIOVELLI\Administrator Internal Perimeter - -192.168.12.21    MARTE -  TCP -      -    1314 0 0 0 0x0   0x0 0x0 Firewall 13/7/2006 09:07:23 192.168.12.10 1745 Unidentified IP Traffic Initiated Connection  192.168.12.21  Internal Local Host - -192.168.12.21    MARTE -  TCP -      -    1314 4000 3345 2074 0x80074e20   0x0 0x0 Firewall 13/7/2006 09:07:27 192.168.12.10 1745 Unidentified IP Traffic Closed Connection  192.168.12.21  Internal Local Host - -192.168.12.21 DeskMH.exe:3:5.1   MARTE -  TCP -      -    1319 0 0 0 0x0   0x0 0x0 Firewall 13/7/2006 09:07:34 192.168.254.11 80 HTTP Initiated Connection Sistema Loja 192.168.12.21 GRUPOGIOVELLI\Administrator Internal Perimeter - -192.168.12.21    MARTE -  TCP -      -    1318 0 0 0 0x0   0x0 0x0 Firewall 13/7/2006 09:07:36 192.168.12.10 1745 Unidentified IP Traffic Initiated Connection  192.168.12.21  Internal Local Host - -192.168.12.21 iexplore.exe:3:5.1   MARTE -  TCP -      -    1311 60109 670 252 0x80074e21   0x0 0x0 Firewall 13/7/2006 09:08:17 192.168.254.11 80 
HTTP Closed Connection Sistema Loja 192.168.12.21 GRUPOGIOVELLI\Administrator Internal Perimeter - -192.168.12.21 SetupMH.exe:3:5.1   MARTE -  TCP -      -    1315 63922 19668 2459642 0x80074e25   0x0 0x0 Firewall 13/7/2006 09:08:26 192.168.254.11 80 HTTP Closed Connection Sistema Loja 192.168.12.21 GRUPOGIOVELLI\Administrator Internal Perimeter - -192.168.12.21 iexplore.exe:3:5.1   MARTE -  TCP -      -    1320 0 0 0 0x0   0x0 0x0 Firewall 13/7/2006 09:09:05 207.46.198.30 80 HTTP Initiated Connection Admin System 192.168.12.21 GRUPOGIOVELLI\Administrator Internal External - -192.168.12.21    MARTE -  UDP -      -    1033 0 0 0 0x0   0x0 0x0 Firewall 13/7/2006 09:09:07 192.168.12.10 53 DNS Initiated Connection Internal Network to DNS Server  192.168.12.21  Internal Local Host - -192.168.12.21    MARTE -  TCP -      -    1318 95000 3344 2074 0x80074e20   0x0 0x0 Firewall 13/7/2006 09:09:11 192.168.12.10 1745 Unidentified IP Traffic Closed Connection  192.168.12.21  Internal Local Host - -

    DB:2.36:Publishing An Application kc

    Here is the logging I captured from my external machine: http://www.newtechsolutions.com.br/isa.jpg

    Thanks, folks