
TMG Managed Control Service, Exchange Edge and FPE

Category : Exchange Server, ISA Server and Forefront

Recently I encountered the TMG Managed Control Service crashing at a client site where TMG was being used as a back-end firewall. The same server was also acting as an Exchange 2007 Edge server and was running Forefront Protection for Exchange 2010. All server roles were patched with the latest updates and rollups. Connectivity between the Edge and the Hub had been set up successfully and verified with Test-EdgeSync, and TMG also showed Edge and Hub connectivity. Everything looked healthy, but the IT administrator kept receiving email alerts with the following:

“Email Policy could not be applied. Value does not fall within the expected range.”

Went to the services MMC and tried to start the TMG Managed Control Service manually. The service failed to start. Upon checking the event logs, I found that the Application Log showed:

- Event ID 31309: E-mail policy configuration settings cannot be applied.
- Event ID 31308: The Forefront TMG Managed Control service failed to initialize. Error information: The type initializer for ‘Microsoft.Isa.Smtp.ExchangeRunspace’ threw an exception.
- Event ID 31307: The Forefront TMG Managed Control service was stopped gracefully.

and the System Log showed Event ID 7023: The Microsoft Forefront TMG Managed Control service terminated with the following error: %%-2146233036

The next step was to check the Edge and Hub communication, and as expected it showed that the sync was not working. The TMG console showed everything configured and all Anti-Spam rules enabled. I had no choice but to pick up the phone and get someone on the Microsoft technical team to look for an answer. Sadly, there was no clue from there either, but one thing that came up in the discussion was to clear all Anti-Spam settings and then reboot. It was a long process, but to cut things short, here is the solution that worked.

For those facing this issue, open up Exchange Shell on the Edge server and run:

Get-IpBlockListEntry

This should come up with a list of entries. The next step is to remove these. Run the following command:

Get-IpBlockListEntry | Remove-IpBlockListEntry

To clear all entries, answer the confirmation prompt with “A” (Yes to All). I then started the service again, and this time the TMG Managed Control Service started successfully.

However, running Get-IpBlockListEntry again after 10-15 minutes showed that the list was building up once more, and after about 30 minutes the TMG Managed Control Service crashed again.

The only workaround that I could implement to fix this permanently was to disable the Sender Reputation Service in TMG. It has been more than a week now and the TMG Managed Control Service has not crashed once.
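The clear-and-restart steps above, written out as one script so the block list is preserved as evidence before it is wiped and the rebuild can be observed without retyping commands. This is an added example, not code from the original post; it assumes the Exchange 2007 Edge cmdlets Get-IPBlockListEntry and Remove-IPBlockListEntry, that it is run from the Exchange Management Shell on the Edge server, and that the TMG service can be located by its display name (the wildcard match is an assumption).

```powershell
# Added example (not from the original post): snapshot, clear and re-check the
# Edge IP Block List, then restart the TMG Managed Control service.
# Run from the Exchange Management Shell on the Edge server.

$snapshot = Join-Path $env:TEMP ("IPBlockList-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))

# 1. Keep a record of what was in the list before clearing it. The entries are
#    machine-generated by Sender Reputation, so the CSV is the only trace left
#    once they are removed.
$entries = @(Get-IPBlockListEntry)
"Entries before clearing: $($entries.Count)"
if ($entries.Count -gt 0) {
    $entries | Export-Csv -Path $snapshot -NoTypeInformation
    "Snapshot written to $snapshot"
}

# 2. Remove every entry without the interactive Y/A/N prompt
#    (equivalent to answering "A" in the post).
$entries | Remove-IPBlockListEntry -Confirm:$false

# 3. Start the TMG Managed Control service and confirm it is running.
#    Assumption: the service is matched by its display name.
$svc = Get-Service -DisplayName "*TMG Managed Control*" | Select-Object -First 1
if ($svc -eq $null) {
    throw "TMG Managed Control service not found by display name"
}
if ($svc.Status -ne 'Running') {
    $svc | Start-Service
    $svc.Refresh()
}
"TMG Managed Control service status: $($svc.Status)"

# 4. Wait and check whether Sender Reputation is repopulating the list
#    (the post saw this happen within 10-15 minutes).
$waitMinutes = 15
Start-Sleep -Seconds ($waitMinutes * 60)
$rebuilt = @(Get-IPBlockListEntry).Count
"Entries after $waitMinutes minutes: $rebuilt"
if ($rebuilt -gt 0) {
    "Block list is rebuilding; expect the service to fail again unless Sender Reputation is disabled."
}
```

The CSV snapshot is worth keeping: it shows which addresses Sender Reputation was adding and how quickly the list grows, which is the data you want when discussing the crash with support or deciding whether disabling Sender Reputation is acceptable for the site.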


ISA 2006 Website Block List

Category : ISA Server and Forefront

One of the features in ISA Server 2006 is the ability to block traffic based on URL or Domain name. This means that traffic can be blocked for a particular website from ISA Server without disrupting the general Internet access rule.

I’ve compiled some Domain Name Sets and URL Sets from the Internet and zipped them for easy availability for ISA administrators. Download the ZIP file and extract it. Under Network Objects in the Toolbox tab, right click URL Sets and click Import. Choose a single XML file from the unzipped folder of URLs. Once you have imported all XMLs, follow the same procedure for Domain Name Sets.

The next step is to create a rule which denies traffic to the websites listed in the XML files that we imported. Start by creating a new rule. I’ve named my rule “Block Custom Sites”.

In the Access Rule, choose “Deny”.

Under protocols, choose HTTP and HTTPS.

Under Sources, choose Internal and VPN Clients.

Under Destinations, choose the XML lists that we imported. You can add multiple XML files.

Remember to move the rule we created to the top of the rule list, and we are done.


Allowing CISCO VPN Client Traffic in ISA Server

Category : ISA Server and Forefront

I thought this might be easy, since all that should be required would be to allow the IPSec and IKE client traffic through a rule in ISA. But no, it did not work.

To allow a CISCO client via IPSec/UDP to connect through an ISA 2006 firewall, I had to create a custom protocol as follows:

Port Number: 500
Protocol Type: UDP
Direction: Send Receive

Port Number: 4500
Protocol Type: UDP
Direction: Send Receive

Port Number: 10000
Protocol Type: UDP
Direction: Send Receive

I added all the ports in one custom protocol definition without Secondary Connections and then added an Access Rule to allow traffic from Internal to External for the custom protocol created above. Problem solved, and the connections were now possible.