Unsupported configurations

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic summarizes common unsupported configurations and scenarios you may encounter when deploying and maintaining Forefront TMG. For each issue, possible causes are described, and solutions are suggested where applicable.

This topic is divided into these sections:

Installation issues

Array issues

ISP Redundancy issues

Network and routing issues

Dial-up issues

Load Balancing issues

VPN issues

Publishing issues

Protocol and application issues

Authentication issues

Installation issues

This section describes the following installation issues, their causes, and solutions:

  • Forefront TMG is not supported on a 32-bit operating system

  • Forefront TMG is not supported on Windows Server 2003

  • Forefront TMG is not supported on all editions of Windows Server 2008

  • Installing EMS on a Forefront TMG computer is not supported

  • In-place upgrade from ISA Server 2004/2006 to Forefront TMG is not supported

  • In-place upgrade from Windows Server 2008 SP2 to Windows Server 2008 R2 is not supported

  • Forefront TMG installed on a domain controller is not supported

  • Forefront TMG Client is not supported on Windows 2000

  • Forefront TMG does not support Firewall Client 2000

  • Workgroup deployment limitations

  • Multiple firewall products

Forefront TMG is not supported on a 32-bit operating system

Issue: Installing the Forefront TMG firewall or EMS role on a 32-bit operating system is blocked.

Cause: The Forefront TMG firewall and EMS roles will not install or run on a 32-bit operating system. Only the Forefront TMG Management console can be installed on a 32-bit operating system (Windows Server 2008 R2, Windows Server 2008 SP2, Windows 7, or Windows Vista SP1).

Solution: Install Forefront TMG on a 64-bit version of Windows Server 2008 SP2 or Windows Server 2008 R2. For more detailed information on installation requirements, see System requirements for Forefront TMG.

Forefront TMG is not supported on Windows Server 2003

Issue: Installing Forefront TMG or Forefront TMG EMS on Windows Server 2003 is blocked.

Cause: Forefront TMG or Forefront TMG EMS will not install or run on Windows Server 2003.

Solution: Install Forefront TMG on a 64-bit version of Windows Server 2008 SP2 or Windows Server 2008 R2. For more detailed information on installation requirements, see System requirements for Forefront TMG.

Forefront TMG is not supported on all editions of Windows Server 2008

Issue: Installing Forefront TMG or Forefront TMG EMS is not supported on all editions of Windows Server 2008.

Cause: The table below summarizes the editions of Windows Server 2008 that are supported. Note that Windows Server 2008 Foundation is licensed to run only in a physical operating system environment. It cannot run in a virtual environment.

Windows Server 2008       Core Installation  Web Edition  Foundation Edition  Standard Edition  Enterprise Edition  Datacenter Edition
Forefront TMG             No                 No           No                  Yes               Yes                 Yes
Forefront TMG EMS         No                 No           Yes                 Yes               Yes                 Yes
Forefront TMG Management  No                 Yes          Yes                 Yes               Yes                 Yes

Solution: Install Forefront TMG on a 64-bit version of Windows Server 2008 SP2 or Windows Server 2008 R2 taking the above information into consideration. For more detailed information on installation requirements, see System requirements for Forefront TMG.

Installing EMS on a Forefront TMG computer is not supported

Issue: Installing an Enterprise Management Server (EMS) on a computer with Forefront TMG already installed.

Cause: Running both Forefront TMG and an EMS from the same computer is not supported.

Solution: No workaround.

In-place upgrade from ISA Server 2004/2006 to Forefront TMG is not supported

Issue: In-place upgrade from ISA Server 2004/2006 to Forefront TMG is not possible.

Cause: Forefront TMG cannot be installed on the same operating system (Windows Server 2003) on which ISA Server runs, so in-place upgrade is not possible.

Solution: Perform a migration, as follows:

  1. Export the ISA Server configuration settings and certificates.

  2. Perform a clean installation of Windows Server 2008 SP2 or Windows Server 2008 R2.

  3. Install Forefront TMG.

  4. Import the configuration settings and certificates.

See Migrating from ISA Server 2004/2006 to Forefront TMG for more detailed information.

In-place upgrade from Windows Server 2008 SP2 to Windows Server 2008 R2 is not supported

Issue: Upgrading from Windows Server 2008 SP2 to Windows Server 2008 R2 is not supported.

Cause: Forefront TMG does not support upgrading to Windows 2008 R2 while Forefront TMG is installed.

Solution: Perform a migration, as follows:

  1. Export the Forefront TMG configuration and certificates.

  2. Perform a clean installation of Windows 2008 R2.

  3. Install Forefront TMG.

  4. Import the configuration and certificates.

Warning

Uninstalling Forefront TMG, and then upgrading to Windows 2008 R2, is also not supported.

Forefront TMG installed on a domain controller is not supported

Issue: Installing Forefront TMG or Forefront TMG EMS on a computer configured as an Active Directory domain controller is not supported.

Cause: This installation is blocked by the Forefront TMG installer.

Note

Installing Forefront TMG Management console on a domain controller is supported.

Solution: Virtualization offers an alternative if both Forefront TMG and a domain controller must be on the same computer. For more information, see Forefront TMG support in a virtual environment and Security Considerations with Forefront Edge Virtual Deployments (https://go.microsoft.com/fwlink/?LinkId=178740).

Forefront TMG Client is not supported on Windows 2000

Issue: Installing Forefront TMG Client is not supported on Windows 2000.

Cause: The following table summarizes the operating system support for Forefront TMG Client and other Firewall client software.

Operating system         Forefront TMG Client  Firewall Client 2006  Firewall Client 2004  Firewall Client 2000
Windows 7                Yes                   Yes                   No                    No
Windows Server 2008      Yes                   Yes                   No                    No
Windows Vista            Yes                   Yes                   No                    No
Windows Server 2003 SP1  Yes                   Yes                   Yes                   Yes
Windows XP               Yes                   Yes                   Yes                   Yes
Windows 2000             No                    Yes                   Yes                   Yes

Solution: Install the Forefront TMG Client software on a supported operating system.

Forefront TMG does not support Firewall Client 2000

Issue: Forefront TMG does not support Firewall Client 2000.

Cause: The following table summarizes the support between Forefront TMG, ISA Server and their Clients.

Client                Forefront TMG  ISA Server 2006  ISA Server 2004  ISA Server 2000
Forefront TMG Client  Yes            Yes              Yes              No
Firewall Client 2006  Yes            Yes              Yes              Yes
Firewall Client 2004  Yes            Yes              Yes              Yes
Firewall Client 2000  No             Yes              Yes              Yes

Solution: Deploy a supported Client. It is recommended that you use Forefront TMG Clients together with Forefront TMG for best performance and added functionality.

Workgroup deployment limitations

Issue: A number of limitations are associated with deploying Forefront TMG within a workgroup environment and not within a domain.

Cause: Certain features are not supported when Forefront TMG is deployed within a workgroup environment, as follows:

  • Forefront TMG deployed in a workgroup:

    • Domain-based user authentication cannot be applied to an array.

    • Client certificates cannot be used as primary authentication.

    • User mapping is not supported (except for PAP and SPAP).

  • Forefront TMG Clients deployed in a workgroup:

    • Automatic Web proxy detection using Active Directory Auto Discover is not possible.

    • Group policy deployment of the HTTPS inspection trusted root certification authority (CA) certificate to client computers is not possible.

  • Forefront TMG EMS deployed in a workgroup:

    • EMS replication is not supported.

For more information, see Workgroup and domain considerations.

Multiple firewall products

Installing other firewall products (such as a personal host firewall) on a Forefront TMG computer is not supported. Attempting to create a layered firewall deployment on a single server by adding additional firewall products will result in unpredictable behavior, and may cause the server to fail.

Note

A number of antivirus products may also install some firewall components, such as worm protection, which can result in unpredictable behavior.

Array issues

This section describes the following Forefront TMG array issues, their causes, and solutions:

  • An array of Forefront TMG servers with different operating systems is not supported

  • Forefront TMG and ISA Server cannot coexist in the same enterprise or array

  • Forefront TMG does not support firewall chaining

An array of Forefront TMG servers with different operating systems is not supported

Issue: An array that contains some Forefront TMG servers with Windows Server 2008 SP2 installed, and other Forefront TMG servers with Windows Server 2008 R2 installed, is not supported.

Cause: All the Forefront TMG servers in an array must run the same operating system, either Windows Server 2008 SP2 or Windows Server 2008 R2. This is especially significant when upgrading the array to Windows Server 2008 R2.

Solution: You must build a new array and then migrate each Forefront TMG server to the new array (after each one completes the Windows Server 2008 R2 and then Forefront TMG installations).

Forefront TMG and ISA Server cannot coexist in the same enterprise or array

Issue: Forefront TMG and ISA Server cannot operate as members of the same array or enterprise.

Cause: Forefront TMG and ISA Server require different configuration schema and settings, and cannot be simultaneously controlled by a single array manager.

Solution: No workaround.

Forefront TMG does not support firewall chaining

Issue: Forefront TMG does not support firewall chaining.

Cause: Firewall chaining has been deprecated and is no longer supported by Forefront TMG.

Solution: Configure your downstream servers as SecureNAT clients of the upstream server, or use Web chaining.

ISP Redundancy issues

This section describes the following ISP Redundancy issues, their causes, and solutions:

  • ISP redundancy does not support more than two external interfaces

  • Forefront TMG does not support more than two default gateways

  • Multiple DHCP default gateways are not supported

  • ISP redundancy does not support e-mail protection

  • Protocol-based load balancing is not supported with the ISP redundancy feature

ISP redundancy does not support more than two external interfaces

Issue: Forefront TMG does not support more than two external connections to Internet Service Providers (ISPs).

Cause: Forefront TMG can support only two external connections with the ISP Redundancy feature.

Solution: No workaround. There are a number of third-party products that may provide a solution. For more information, see High Availability and Load Balancing on the Windows Server System Web site (https://go.microsoft.com/fwlink/?linkid=179985).

Forefront TMG does not support more than two default gateways

Issue: No support for more than two default gateways.

Cause: Forefront TMG does not support more than two default gateways configured on the same network adapter (within different subnets), or on two different adapters (one default gateway per adapter). Using more than one default gateway is only supported for the ISP Redundancy feature.

Solution: To enable ISP redundancy, set the default gateway on each of the Forefront TMG network adapters to a different ISP. If only one network adapter is available, it is possible to set two default gateways, as long as each default gateway is in a different subnet.

Multiple DHCP default gateways are not supported

Issue: Forefront TMG does not support configuring the ISP redundancy feature when your ISPs only support DHCP-assigned addressing.

Cause: Windows Server 2008 does not support multiple default gateways in DHCP-assigned links.

Solution: Manually add both default gateways to the routing table on Forefront TMG.

ISP redundancy does not support e-mail protection

Issue: When e-mail protection using Forefront Protection for Exchange (FPE) is used in Forefront TMG, the e-mail traffic will not fail over to an alternate ISP link even if the ISP redundancy functionality is configured in Forefront TMG.

Cause: The ISP redundancy feature requires a NAT relationship with the external network in order to fail over the connection to an alternate ISP. SMTP listeners on the external NIC cannot take advantage of the ISP redundancy functionality as there is no address translation in mail traffic.

Solution: No solution. To take advantage of the ISP redundancy functionality, use the SMTP publishing feature to publish the internal SMTP servers.

Protocol-based load balancing is not supported with the ISP redundancy feature

Issue: Forefront TMG cannot distribute traffic based on the protocol that is used (for example, HTTP through one link and SMTP through the other).

Cause: Protocol-based load balancing is not supported with the ISP redundancy feature.

Solution: No workaround.

Network and Routing issues

This section describes the following network and routing issues, their causes, and solutions:

  • Forefront TMG does not support defining separate network objects that represent remote subnets

  • Configuring intradomain communications with a NAT relationship

  • Internationalized Domain Names are not supported

  • Domain names that include wildcard characters are not supported with link translation enabled

  • Configuring Forefront TMG with a single network adapter

  • Protocol based Enhanced NAT is not supported

Forefront TMG does not support defining separate network objects that represent remote subnets

Issue: Forefront TMG does not support defining separate network objects that represent remote subnets.

Cause: When you define IP address ranges for a network, Forefront TMG checks all network adapters. When Forefront TMG finds an adapter with an IP address in the network range, it associates the network with that adapter. When a network includes remote subnets accessible by Forefront TMG through routers, the IP address of the remote subnets should be included in the network definition. If you define a separate network object for a remote subnet (instead of including it in the network definition), Forefront TMG tries to locate an adapter with an IP address of the network object, and fails. Forefront TMG assumes that the adapter is not available (disconnected or disabled), and sets network status to disconnected.

Solution: For best practice when defining your network configuration in Forefront TMG, take note of the following:

  • Include all network ranges for subnets in a network object’s properties (for example, include subnet IP addresses in the IP address range for the internal network).

  • Apply rules to specific subnets by creating subnet objects in the Toolbox, and then using these subnet objects to specify the source and destination in access rules.
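The adapter association described in the Cause above can be modelled in a few lines. The following Python is an added illustration, not Forefront TMG code: the adapter names, sample addresses and the helper names `network_status` and `rule_applies` are assumptions made for the example. It shows the wrong definition (a separate network object for a routed branch subnet, which binds to no adapter and is therefore reported disconnected) next to the corrected one (the branch range folded into the Internal network, with a subnet object used to target it in rules).

```python
from ipaddress import ip_address, ip_network

# Constructed sample adapters (not from any real deployment): the Forefront
# TMG computer has one internal and one external adapter.
ADAPTERS = {
    "Internal adapter": ip_address("10.0.1.1"),
    "External adapter": ip_address("203.0.113.10"),
}


def network_status(networks, adapters=ADAPTERS):
    """Model of the association the text describes: TMG scans the adapters
    and binds a network object to the first adapter whose address falls
    inside the object's IP ranges; an object with no such adapter is
    reported as disconnected. Returns {network name: adapter name or
    "disconnected"}."""
    status = {}
    for name, ranges in networks.items():
        nets = [ip_network(r) for r in ranges]
        bound = next(
            (adapter for adapter, addr in adapters.items()
             if any(addr in net for net in nets)),
            None,
        )
        status[name] = bound or "disconnected"
    return status


def rule_applies(subnet_object, source_ip):
    """A subnet object (Toolbox) used as the source of an access rule: the
    rule applies when the packet's source address lies inside the subnet.
    Hypothetical helper for illustration."""
    return ip_address(source_ip) in ip_network(subnet_object)


# Wrong: the branch subnet 10.0.2.0/24 sits behind an internal router, and a
# separate network object was created for it. No adapter has an address in
# that range, so TMG marks the object disconnected.
WRONG = {
    "Internal": ["10.0.1.0/24"],
    "Branch": ["10.0.2.0/24"],
}

# Correct: the branch range is included in the Internal network's ranges,
# and rules for the branch use a subnet object instead.
CORRECT = {
    "Internal": ["10.0.1.0/24", "10.0.2.0/24"],
}
BRANCH_SUBNET = "10.0.2.0/24"

if __name__ == "__main__":
    print(network_status(WRONG))    # {'Internal': 'Internal adapter', 'Branch': 'disconnected'}
    print(network_status(CORRECT))  # {'Internal': 'Internal adapter'}
    print(rule_applies(BRANCH_SUBNET, "10.0.2.5"))  # True
```

The same check is a useful pre-deployment review of any exported network configuration: every network object should contain at least one local adapter address, and ranges reachable only through a router belong inside an existing network, not in their own object.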

Configuring intradomain communications with a NAT relationship

Issue: Forefront TMG does not support intradomain communications between networks with a network address translation (NAT) relationship.

Cause: There may be some circumstances in which you want to allow communication between domains or domain members that are separated by Forefront TMG. Typical scenarios include:

  • A Web server located in the perimeter network that is a member of the internal domain needs to contact the domain controller in the internal network.

  • Applications or servers located in the perimeter network need to be accessed by internal clients.

  • Perimeter domain controllers require a domain trust relationship to a domain in another network.

Solution: If the networks use a NAT relationship, there is no workaround. If the networks have a route relationship, you can work around this issue by ensuring that all traffic to and from internal and remote subnet hosts is routed correctly through Forefront TMG.

  • Create routes on internal devices so that traffic destined for other networks is routed through Forefront TMG. This is done either on the clients themselves, where they are on the same subnet as Forefront TMG, or on the relevant router in your network infrastructure.

  • If you want to support requests from SecureNAT clients, specify the Forefront TMG interface as the default route for those clients.

Internationalized Domain Names are not supported

Issue: Forefront TMG does not support the use of IDN (Internationalized Domain Name) URLs.

Solution: No workaround.

Domain names that include wildcard characters are not supported with link translation enabled

Issue: Forefront TMG does not support the use of wildcard characters in the domain name when link translation is enabled; for example, *.microsoft.com is not permitted.

Cause: When link translation is enabled, the rule must specify an explicit public domain name. Domain names including wildcard characters are therefore not allowed.

Solution: Do one of the following:

  • Disable link translation on the Link Translation tab of the Web publishing rule properties.

  • In the Public Name tab, specify each Web site to which the rule will apply, rather than using a wildcard. For example, use www.microsoft.com and mail.microsoft.com, not *.microsoft.com.

Configuring Forefront TMG with a single network adapter

Issue: A number of issues are associated with the configuration of Forefront TMG on a computer with a single network adapter.

Cause: In single network adapter mode, Forefront TMG recognizes itself as the Local Host network, and everything else is recognized as the internal network. There is no concept of an external network.

  • Multi-network firewall policy—Application level filters operate only in the context of the Local Host network (Forefront TMG protects itself no matter what network template is applied). You can use access rules to allow non-Web protocols to and from the Forefront TMG computer only.

  • Application layer inspection—Application filtering is limited to the Web Proxy Filter and associated Web filters, which provides application layer inspection for Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), and File Transfer Protocol (FTP) over HTTP for Web Proxy clients only.

  • E-mail protection—E-mail protection features are not supported. A single network adapter includes the entire network and all of its IP addresses, and this poses a problem when Forefront TMG tries to configure routing for the connectors and set their allowed remote ranges.

  • Server publishing—Server publishing is not supported. No external network context means that Forefront TMG cannot provide the NAT functionality required in a server publishing scenario.

  • Forefront TMG Clients—The Forefront TMG Client application forwards requests from Winsock to the Forefront TMG Firewall service. In a single network adapter environment with no external network context, Forefront TMG is unable to NAT or route this traffic.

  • SecureNAT clients—SecureNAT clients use Forefront TMG as a router to other networks. In a single network adapter environment this is a single-network context, so Forefront TMG is unable to NAT or route this traffic.

  • Virtual private networking—Site-to-site virtual private networks (VPNs) are not supported in a single network adapter scenario.

Solution: Redeploy Forefront TMG with at least 2 network cards using the Edge, Back Firewall or 3-leg perimeter network topology design. For more information, see the topics: Planning Forefront TMG network topology and About single network adapter topology.

Protocol based enhanced NAT is not supported

Issue: Forefront TMG cannot assign NAT IP addresses based on the protocol used (for example, HTTP traffic is assigned one IP address and SMTP another).

Cause: Protocol based enhanced NAT is not supported.

Solution: No workaround.

Dial-Up issues

This section describes the following dial-up issues, their causes, and solutions:

  • Forefront TMG overwrites Routing and Remote Access settings

  • Dial-up limitations for non-VPN connections

Forefront TMG overwrites Routing and Remote Access settings

Issue: Routing and Remote Access settings are overwritten by Forefront TMG. Demand-dial interfaces created with Routing and Remote Access are deleted.

Cause: Remote access settings must be specified using Forefront TMG Management. Any demand-dial interfaces created or modified using Routing and Remote Access that do not match networks in Forefront TMG are overwritten and deleted by Forefront TMG. Note the following limitations when creating demand-dial interfaces using the VPN Wizard:

  • Forefront TMG does not support the assignment of a persistent connection, so any persistent connections you assign in Routing and Remote Access are deleted. This may be an issue if you want a VPN connection to configure automatically when the server comes online, rather than waiting for traffic to trigger the interface to dial.

  • Forefront TMG does not allow creation of multiple VPN connections to a particular network using different metrics. Such functionality allows more than one route to a particular network, so that if a primary route goes down, a backup route with different metrics is available.

  • Forefront TMG does not allow you to disable or enable specific services or network components on a specific VPN interface.

  • You cannot configure the number of redial attempts that the VPN connection makes.

  • Forefront TMG does not allow modem demand-dial interfaces.

Solution: For more information about solutions, see Knowledge Base article KB842639 (https://go.microsoft.com/fwlink/?linkid=51103).

Dial-up limitations for non-VPN connections

Issue: Forefront TMG supports dial-up connections to the Internet or a remote network using a modem connection or a virtual private network (VPN) connection. A number of limitations are associated with a non-VPN connection:

1: You can only configure automatic dialing for a non-VPN dial-up connection on one network.

Solution: If automatic dialing is used to connect directly to the Internet, select the external network for the automatic dial-up connection. You can also configure automatic dialing to connect to a branch office, or to a specific location in your organization.

2: Forefront TMG does not support customized routes. For example, if Forefront TMG dials a non-VPN connection to a remote network that is not the default gateway, a custom route to the remote network is required. Forefront TMG overwrites Routing and Remote Access settings with its own settings. Forefront TMG creates and controls Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) interfaces, overwriting changes made in Routing and Remote Access. If modem connections are created in Routing and Remote Access, Forefront TMG deletes them.

Solution: You can use Routing and Remote Access to add a demand-dial interface for the connection and create a static route for the connection.

3: Forefront TMG uses the local domain table (LDT) to determine whether a request is to an internal computer (in the LDT) and whether dialing out is required. There may be an issue with connections being constantly dialed if clients make a dial-up request for a URL that is not defined in the LDT.

Solution: You can control whether the dial-up connection is dialed for DNS purposes. For more information, see Knowledge Base article KB901109 (https://go.microsoft.com/fwlink/?linkid=54622).

Load balancing issues

This section describes the following load balancing issues, their causes, and solutions:

  • NLB is not supported in Forefront TMG Standard Edition

  • Load balancing is not supported with Forefront TMG Clients or ISA Firewall Clients

NLB is not supported in Forefront TMG Standard Edition

Issue: Network Load Balancing on Forefront TMG Standard Edition is not supported.

Cause: Forefront TMG Standard Edition cannot operate in a multi-server array, so integrated NLB is not possible. Consequently, multiple Standard Edition servers operating in an NLB cluster cannot be peer-aware. Management and maintenance of such a deployment is too difficult to be supportable.

Solution: No workaround. To obtain support for NLB with Forefront TMG you must use the Enterprise version.

Load balancing is not supported with Forefront TMG Clients or ISA Firewall Clients

Issue: Client machines running Forefront TMG Clients or ISA Firewall Clients may have issues connecting to an array of Forefront TMG servers with any type of load balancing configured on the related Forefront TMG network.

Cause: Load balancing (either integrated or using an external load balancer) is not supported together with Forefront TMG Clients or ISA Firewall Clients.

Solution: Instead of using a load balancer, use DNS round robin to point the clients to the Forefront TMG array member’s dedicated IP addresses.

VPN issues

This section describes the following virtual private network (VPN) issues, their causes, and solutions:

  • DHCP address allocation for VPN remote clients not supported in a Forefront TMG array

  • IP filters configured on Network Policy Server not supported

  • VPN User mapping issues

  • Outbound L2TP connections are not supported by Forefront TMG configured as an L2TP/IPsec VPN server

DHCP address allocation for VPN remote clients not supported in a Forefront TMG array

Issue: Using a Dynamic Host Configuration Protocol (DHCP) server to assign IP addresses for VPN remote clients is only available in a single server Forefront TMG array.

Cause: This option is only available in Forefront TMG Standard Edition, or in Forefront TMG Enterprise Edition with a single array member. This limitation applies when an array consists of more than one member and NLB is disabled, because there is no way to guarantee DHCP address allocation across the array members.

Solution: Use static pool address assignment whenever there are multiple array members.

IP filters configured on Network Policy Server not supported

Issue: Noncompliant computers cannot access the remediation servers when IP filters have been properly configured as part of the NPS deployment.

Cause: Forefront TMG does not support IP filters defined by Network Policy Server (NPS) policies.

Solution: To allow noncompliant NAP clients to access one or more remediation servers, create an access rule on the Forefront TMG server from the Quarantined VPN Clients network to the appropriate remediation servers.

VPN User mapping issues

Issue: Do not enable user mapping when using Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), MS-CHAP version 2, or any type of Extensible Authentication Protocol (EAP) authentication, if Forefront TMG and the Remote Authentication Dial-In User Service (RADIUS) server are in different domains, or one of them is in a workgroup. When you configure VPN remote client access, VPN client properties include the User Mapping tab. In these scenarios, user mapping is only supported for Password Authentication Protocol (PAP) and Shiva Password Authentication Protocol (SPAP) authentication methods.

Cause: You select Enable User Mapping to map VPN remote users connecting with non-Active Directory service credentials (such as a RADIUS user) to Windows accounts. This feature enables you to apply access rules that use Windows groups and users to apply to other users. When RADIUS is authenticated with CHAP, MS-CHAP, MS-CHAP version 2, or any type of EAP, the domain specified in the user mapping is used to match the VPN client to a mirrored Active Directory account. When PAP or SPAP is used, the domain name is always ignored, and the VPN client can be matched to an Active Directory account in the local domain in which Forefront TMG is a domain member, or to a local user account on the Forefront TMG computer in a workgroup configuration.

Solution: To use CHAP, MS-CHAP, MS-CHAP version 2, or EAP, make Forefront TMG a domain member.

Outbound L2TP connections are not supported by Forefront TMG configured as an L2TP/IPsec VPN server

Issue: Outbound L2TP connections are not supported when Forefront TMG is configured as a VPN server that uses the L2TP/IPsec protocol.

Cause: By default the following settings apply:

  • Network address translation (NAT) is applied to outbound traffic from the internal, VPN Clients, and Quarantine VPN Clients networks to the external network.

  • When Forefront TMG is configured as a VPN server that uses the L2TP/IPsec protocol, traffic to and from the L2TP protocol port (UDP port 1701) is secured by IPsec.

With these default settings, the outbound L2TP client request is sent from the NAT address (usually the address of the Forefront TMG external network adapter) and the external VPN server responds to this address. Forefront TMG does not forward the L2TP traffic from the external VPN server to the client because no matching IPsec policy exists.

Solution: Use PPTP for outbound VPN connections, or do not use the L2TP/IPsec protocol when Forefront TMG is configured as a VPN server.

Publishing issues

This section describes the following publishing issues, their causes, and solutions:

  • Customization of HTML form pages for additional functionality is not supported

  • Active-Directory-based Web proxy detection is not supported by firewall clients

  • Port numbers appended to host headers

  • Multiple server certificates not supported for a single SSL listener

Customization of HTML form pages for additional functionality is not supported

Issue: It is possible to customize HTML forms used on Forefront TMG for additional functionality beyond their intended usage, but such customization is not supported.

Cause: Customizing the existing functionality of Forefront TMG HTML pages (for example, changing the error messages or using a custom logo) is encouraged and supported. However, the degree that any HTML page can be customized is very extensive, so any customization to Forefront TMG HTML pages with the intention to add additional functionality, which goes beyond the scope of intended use, is not supported.

Solution: If issues arise as a result of such customization of the Forefront TMG HTML pages, the original files should be restored. For more information on what customization is supported and how to implement the changes, see the topics Customizing HTML Forms and Customizing HTML error messages.

Active-Directory-based Web proxy detection is not supported by ISA Firewall clients

Issue: ISA Firewall clients cannot automatically detect the Web proxy via Active Directory.

Cause: Active-Directory-based Web proxy detection is only supported on Forefront TMG Clients.

Note

Active-Directory-based Web proxy detection is not supported by clients in a workgroup environment; Forefront TMG Clients must be members of a domain.

Solution: No workaround.

Port numbers appended to host headers

Issue: When a publishing configuration requires redirection to a different port number, Forefront TMG appends the port number to the host header. For example:

  • If you listen for Web requests on port 81, and the Web publishing rule for www.contoso.com sends requests to domain.site.internal, which is listening on port 80, the host header sent to domain.site.internal will be www.contoso.com:81.

  • In an HTTPS-to-HTTP bridging scenario, you publish a Web site over a Secure Sockets Layer (SSL) connection; the host header is forwarded to the back-end Web server as <hostheader>:443.

This behavior may be an issue where Web applications build links that are dynamically based on the host header.

Cause: This is by design for the link translation functionality of Forefront TMG.

Solution: There are three possible solutions:

  • Add a mapping to the link translation dictionary to replace www.contoso.com:81 with www.contoso.com. In this case, the host header in the request will be changed to www.contoso.com.

  • Disable the option to forward the original host header to the server, and enable link translation (without making any addition to the dictionary). In this case, the server will build links according to the internal name. Forefront TMG will use link translation to translate all internal links to the external name (including the port number).

  • Use the script discussed in Knowledge Base article KB925287 (https://go.microsoft.com/fwlink/?LinkId=179984).
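The following Python model is added here to illustrate the host-header behaviour and the first two solutions above for the www.contoso.com example; it is not Forefront TMG code. The rule that the listener port is appended exactly when it differs from the back-end port is an assumption drawn from the two cases in the text, and the back-end application that builds absolute links from the Host header it receives is constructed for the example.

```python
# Added illustration of the host-header and link-translation behaviour described
# above; this is not Forefront TMG code. Assumption: the listener port is appended
# to the forwarded Host header whenever it differs from the back-end port.

EXTERNAL_NAME = "www.contoso.com"          # public name in the Web publishing rule
INTERNAL_NAME = "domain.site.internal"     # published back-end server
LINK_DICTIONARY = {"www.contoso.com:81": "www.contoso.com"}   # solution 1 mapping


def forwarded_host_header(external_host: str, listener_port: int, backend_port: int) -> str:
    """Host header sent to the back-end when 'forward the original host header' is on."""
    if listener_port == backend_port:
        return external_host
    return f"{external_host}:{listener_port}"


def apply_dictionary(host_header: str, dictionary: dict) -> str:
    """Solution 1: a link-translation dictionary entry rewrites the request Host header."""
    return dictionary.get(host_header, host_header)


def backend_response(host_header: str, path: str = "/owa/") -> str:
    """Constructed back-end application: builds an absolute link from the Host header it saw."""
    return f'<a href="http://{host_header}{path}">Mailbox</a>'


def translate_links(body: str, internal_name: str, external_name: str, listener_port: int) -> str:
    """Solution 2: response-body link translation, internal name -> external name plus port."""
    return body.replace(f"http://{internal_name}/", f"http://{external_name}:{listener_port}/")


def scenario_forward_original_host(listener_port: int, backend_port: int, dictionary=None) -> str:
    """Original host header forwarded, optionally corrected by a dictionary entry (solution 1)."""
    host = forwarded_host_header(EXTERNAL_NAME, listener_port, backend_port)
    host = apply_dictionary(host, dictionary or {})
    return backend_response(host)


def scenario_internal_host_with_translation(listener_port: int) -> str:
    """Solution 2: original host header not forwarded, so the back-end sees its internal
    name; link translation then rewrites the links it builds back to the external name."""
    body = backend_response(INTERNAL_NAME)
    return translate_links(body, INTERNAL_NAME, EXTERNAL_NAME, listener_port)


if __name__ == "__main__":
    print(scenario_forward_original_host(81, 80))                    # link carries :81
    print(scenario_forward_original_host(81, 80, LINK_DICTIONARY))   # link without the port
    print(scenario_internal_host_with_translation(81))               # internal name translated
```

Running the three scenarios side by side shows why an application that builds links from the Host header ends up emitting www.contoso.com:81, and how each of the first two solutions changes the link the client finally receives.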

Multiple server certificates not supported for a single SSL listener

Issue: Only one SSL server certificate can be bound to a Web listener.

Cause: Windows Schannel only allows a single certificate to be associated with a network listener.

Solution: To publish multiple SSL sites using the same IP address and port (listener), where all published sites share the same domain namespace, you can use a wildcard character certificate or a SAN certificate. For example, to publish the sites OWA, WebSite1, and WebSite2 at contoso.com, you can acquire a wildcard character certificate (*.contoso.com) for Forefront TMG. Note that Forefront TMG supports wildcard character certificates only when they are installed on the Forefront TMG computer itself. In an HTTPS-to-HTTPS bridging scenario, you cannot use a wildcard character certificate to authenticate to the back-end Web server.
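As an added example (not Forefront TMG code), the following Python checks which published host names a single listener certificate covers, for both a wildcard certificate and a SAN certificate. The matching rule it applies (an exact SAN match, or a wildcard that may only be the whole leftmost label and matches exactly one label) is the standard rule TLS clients use, not a statement about Forefront TMG internals; the lower-case site names are taken from the OWA, WebSite1 and WebSite2 example in the text.

```python
# Added example, not Forefront TMG code: which published host names a single
# listener certificate covers. Matching rule: exact name match, or a wildcard in
# the leftmost label only that matches exactly one label (standard TLS client rule).


def name_matches(cert_name: str, host: str) -> bool:
    """Does one certificate name (CN or SAN entry) cover the requested host?"""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name == host:
        return True
    if not cert_name.startswith("*."):
        return False                               # wildcards only as the whole leftmost label
    suffix = cert_name[1:]                         # "*.contoso.com" -> ".contoso.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost  # exactly one label, not zero or several


def certificate_covers(cert_names, host: str) -> bool:
    """True if any name on the certificate covers the host."""
    return any(name_matches(n, host) for n in cert_names)


def uncovered_sites(cert_names, sites):
    """Sites that would fail name validation on a listener bound to this certificate."""
    return [s for s in sites if not certificate_covers(cert_names, s)]


# Constructed site list from the text, plus the two certificate options.
PUBLISHED_SITES = ["owa.contoso.com", "website1.contoso.com", "website2.contoso.com"]
WILDCARD_CERT = ["*.contoso.com"]
SAN_CERT = ["owa.contoso.com", "website1.contoso.com", "website2.contoso.com"]

if __name__ == "__main__":
    print(uncovered_sites(WILDCARD_CERT, PUBLISHED_SITES))
    print(uncovered_sites(SAN_CERT, PUBLISHED_SITES + ["intranet.contoso.com"]))
```

The wildcard covers any single-label host under contoso.com, including sites added later, whereas the SAN certificate must be reissued whenever a new site is published on the listener; neither covers the bare contoso.com name or a second-level host such as a.owa.contoso.com.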

Protocol and Application issues

This section describes the following protocol and application issues, their causes, and solutions:

  • RPC-over-HTTP traffic inspection limitations

  • Live Communications Server not supported on the Forefront TMG computer

  • Forefront TMG does not support SIP traffic from an OCS server

  • Forefront TMG does not support CNG certificates

  • HTTPS inspection limitations

  • Forefront TMG does not support range requests

  • Secure FTP support

  • FTP limitations for Web Proxy clients

  • Forefront TMG does not support Routing Protocols

  • Colocating Remote Installation Services with Forefront TMG

  • Forefront TMG support in a virtual environment

  • Forefront TMG does not support IPv6 traffic

  • WCCP, ICP and ICAP protocols are not supported in Forefront TMG

RPC over HTTP traffic inspection limitations

Issue: RPC over HTTP traffic encrypts the RPC data in HTTP and is not inspected by the RPC filter.

Cause: The RPC filter cannot inspect RPC over HTTP traffic because:

  • Forefront TMG application filters cannot be chained to each other and Web filters cannot pass traffic to application filters.

  • The RPC filter expects RPC communications to begin on the RPC endpoint mapper (TCP:135), and so it cannot protect against RPC exploits reaching an Exchange server.

Note

  1. In outbound scenarios, RPC over HTTP requests may be SSL-tunneled, so HTTP inspection cannot occur following the initial CONNECT request unless HTTPS inspection is enabled.

  2. NIS inspection still recognizes RPC within HTTP and performs behavioral and vulnerability filtering of the RPC traffic.

Solution: Deploy RPC over HTTP with these limitations in mind.

Live Communications Server not supported on the Forefront TMG computer

Issue: Running Live Communications Server on the Forefront TMG computer is not supported.

Cause: This is an untested scenario.

Solution: No workaround.

Forefront TMG does not support SIP traffic from an OCS server

Issue: Office Communicator SIP calls from an OCS server cannot pass through the Forefront TMG SIP filter.

Cause: OCS uses TLS for SIP traffic. The SIP filter in Forefront TMG cannot parse the TLS traffic.

Solution: No workaround. Solutions for OCS are provided by Security and Compliance Partners (https://go.microsoft.com/fwlink/?LinkId=179985).

Forefront TMG does not support CNG certificates

Issue: Forefront TMG does not support the use of certificates created from CNG (Cryptography Next Generation) based templates for Web listeners, or for client certificate authentication in Web publishing or Web chaining rules.

Cause: CNG certificates are not usable by Forefront TMG.

Solution: Create certificates using Windows 2000 or Windows 2003 templates.

HTTPS inspection limitations

Issue: There are a number of limitations you should be aware of when enabling the HTTPS Inspection feature on Forefront TMG.

Cause: The following features are not supported:

  • Extended Validation (EV) SSL certificates.

  • Connections to external SSTP servers.

  • CNG certificates.

  • Servers that require client certificate authentication.

Solution: To bypass a limitation, you must exclude the specific site from HTTPS inspection.

Forefront TMG malware inspection does not support range requests

Issue: Forefront TMG strips off the range header when the malware inspection feature is enabled. Microsoft Update, download manager applications, Windows Media, and Adobe Reader, are examples of potentially affected client applications.

Cause: The Forefront TMG malware inspection filter is not designed to assemble a file from multiple pieces that are retrieved out of order. When malware inspection is enabled, range headers are stripped from requests before being passed by Forefront TMG to the upstream server.

Solution: To work around this limitation, do one of the following:

  • Add the site to the Destination Exceptions list for malware inspection settings.

  • Create an access rule that allows traffic to the selected destinations and does not apply malware inspection.

Secure FTP support

Issue: Forefront TMG does not support secure File Transfer Protocol (FTP).

Cause: Secure FTP uses an encrypted control channel between the FTP client and server. After the FTP client and server establish an encrypted control channel, the Forefront TMG FTP filter cannot see the FTP commands and so cannot create the dynamic policy changes that are necessary to fully support FTP communications.

Solution: There is an unsupported workaround available that allows you to publish secure FTP. For more information, see Publishing Secure FTP Servers behind ISA Firewalls at the ISAserver.org Web site (https://go.microsoft.com/fwlink/?linkid=51105).

FTP limitations for Web Proxy clients

Issue: The following limitations apply:

  • Web Proxy client FTP requests are passed over HTTP, and do not allow any action that would change the content or structure of the FTP server. Therefore you cannot use FTP upload from a Web Proxy client, and only FTP downloads are supported.

  • To access FTP sites that require authentication, credentials should be specified in the address bar using the following format: ftp://username:password@FTP_Server_Name.

  • By default, Forefront TMG uses PASV mode for FTP requests.

Solution: There is no workaround for these limitations at this time. For more information about troubleshooting outgoing FTP access, see Troubleshooting Outbound FTP (https://go.microsoft.com/fwlink/?LinkId=88856).

Forefront TMG does not support routing protocols

Issue: Forefront TMG is not a router and does not directly support routing protocols such as Border Gateway Protocol (BGP), Routing Information Protocol (RIP) or Open Shortest Path First (OSPF).

Cause: Forefront TMG has no built-in support for these dynamic routing protocols.

Solution: No workaround.

Colocating Remote Installation Services with Forefront TMG

Issue: When Forefront TMG is installed, Remote Installation Services (RIS) takes an extremely long time to deploy an image.

Cause: RIS uses Trivial File Transfer Protocol (TFTP). Forefront TMG has a predefined protocol for TFTP, with a secondary connection defined as all User Datagram Protocol (UDP) ports, but this will only work when the Forefront TMG Client is installed on the client computer.

Solution: Use the following workaround:

  • Open the complete range of UDP ports from the client to the TFTP server.

  • Open the complete range of UDP ports from the TFTP server to the client.

Forefront TMG support in a virtual environment

Forefront TMG is supported on hardware virtualization in accordance with the following programs:

  • Microsoft Support Lifecycle.

  • Forefront TMG system requirements.

  • Microsoft Server Virtualization Validation Program (SVVP).

  • Support Policy for Microsoft software running on non-Microsoft hardware virtualization software.

For example, if a hardware virtualization platform is listed as “validated” with the SVVP (not “under evaluation”), Forefront TMG will be supported for production use on that platform within the limits prescribed in the Microsoft Product Support Lifecycle, non-Microsoft hardware virtualization policies, and the system requirements for that product version and edition.

For hardware virtualization platforms not listed with the SVVP, Forefront TMG is supported in accordance with remaining Microsoft support policies, limited as follows:

  • Desktop virtualization, such as Microsoft Virtual PC or a similar 3rd-party product is supported for demonstration and educational use only.

  • Server Virtualization, such as Microsoft Virtual Server or a similar 3rd-party product, is supported, but not recommended for production use.

Important

Microsoft support engineers may request that a customer reproduce a reported problem on real hardware or within an SVVP-listed hardware virtualization platform before continuing with the case. If the problem cannot be reproduced on hardware or on an SVVP-listed server virtualization product of similar class, the case may be deferred to the 3rd-party vendor's product support.

Tip

For more information and best practices on edge virtualization, read Security Considerations with Forefront Edge Virtual Deployments (https://go.microsoft.com/fwlink/?LinkId=178740).

Forefront TMG does not support IPv6 traffic

Issue: IPv6 traffic is not supported by Forefront TMG (except for DirectAccess).

Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic is blocked by default.

Solution: It is recommended that you unbind IPv6 on the Forefront TMG computer network adapters. To do so, open each network adapter’s properties, and on the Networking tab, clear the checkbox for Internet Protocol Version 6 (TCP/IPv6).

WCCP, ICP and ICAP protocols are not supported in Forefront TMG

Issue: The Web Cache Communication Protocol (WCCP), the Internet Cache Protocol (ICP), and the Internet Content Adaptation Protocol (ICAP) are not supported in Forefront TMG.

Cause: This functionality does not exist in Forefront TMG.

Solution: No workaround.

Authentication issues

This section describes the following authentication issues, their causes, and solutions:

  • NTLM authentication issues in a chained Web proxy scenario

  • Kerberos authentication issues in a chained Web proxy scenario

  • Issues with clients authenticating on both downstream and upstream servers in a chained Web proxy scenario

  • Web Proxy SSL Connections are only supported for chained proxy connections

  • Forefront TMG access rules cannot authenticate based on a computer account

  • LDAP authentication in Forefront TMG

NTLM authentication issues in a chained Web proxy scenario

Issue: You may experience problems such as unexpected delays, incomplete pages, or random authentication warning messages when you browse the Web in a chained configuration. This can occur when the following conditions are true:

  • The downstream Forefront TMG computer is configured to require integrated (NTLM) authentication.

  • No authentication is required (anonymous) on the upstream Web proxy server.

  • Internet Explorer is the client browser.

Cause: Internet Explorer may send an extraneous NTLM authentication header on a connection that has already been authenticated using integrated authentication with the downstream Forefront TMG computer.

Solution: For details on this behavior and workarounds, see the following Knowledge Base articles:

Kerberos authentication issues in a chained Web proxy scenario

Issue: When a client tries to authenticate with the upstream server, authentication fails if the client tries to use Kerberos authentication. This can occur when the following conditions are true:

  • You configure an upstream Forefront TMG that requires Kerberos authentication.

  • You configure a downstream Forefront TMG that does not require authentication (anonymous).

Cause: When the upstream Forefront TMG requests authentication, the client computer obtains a Kerberos ticket for the downstream server. This Kerberos ticket is valid for authentication with the downstream Forefront TMG. This ticket cannot be used to authenticate with the upstream Forefront TMG. When the Kerberos ticket is presented to the upstream Forefront TMG, the upstream Forefront TMG cannot validate the ticket, causing authentication to fail.

Solution: Deploy Kerberos authentication with this limitation in mind, or configure the upstream Forefront TMG server to use only NTLM authentication (accomplished by running the script given in KB927265 (https://go.microsoft.com/fwlink/?LinkId=180368)).
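The following Python model is added to show why the ticket in the cause above is useless to the upstream server; it is not Forefront TMG or Windows code. An HMAC seal under the target service's key stands in for the ticket's encryption with that service's long-term key, and the SPNs, keys and client name are constructed for the illustration.

```python
# Added model of the chained-proxy Kerberos failure described above; not Forefront
# TMG or Windows code. An HMAC seal under the target service's key stands in for
# the ticket's encryption with that service's long-term key. SPNs, keys and the
# client name are constructed.
import hashlib
import hmac
import json
import secrets

DOWNSTREAM_SPN = "HTTP/downstream.contoso.com"   # proxy the client is configured to use
UPSTREAM_SPN = "HTTP/upstream.contoso.com"       # proxy that actually demands Kerberos

# Long-term service keys known to the KDC and to the respective service (constructed).
SERVICE_KEYS = {
    DOWNSTREAM_SPN: secrets.token_bytes(32),
    UPSTREAM_SPN: secrets.token_bytes(32),
}


def kdc_issue_ticket(client: str, target_spn: str) -> dict:
    """The KDC seals a service ticket with the key of the SPN it was requested for."""
    body = json.dumps({"client": client, "spn": target_spn}, sort_keys=True).encode()
    seal = hmac.new(SERVICE_KEYS[target_spn], body, hashlib.sha256).digest()
    return {"body": body, "seal": seal}


def service_accepts(own_spn: str, ticket: dict) -> bool:
    """A service can validate only tickets sealed with its own key."""
    expected = hmac.new(SERVICE_KEYS[own_spn], ticket["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, ticket["seal"])


def chained_kerberos_request(client: str) -> dict:
    """The client is configured to use the downstream proxy, so when the upstream
    proxy requests authentication the client obtains a ticket for the downstream
    SPN; that ticket is then presented to the upstream proxy."""
    ticket = kdc_issue_ticket(client, DOWNSTREAM_SPN)
    return {
        "downstream_accepts": service_accepts(DOWNSTREAM_SPN, ticket),
        "upstream_accepts": service_accepts(UPSTREAM_SPN, ticket),
    }


if __name__ == "__main__":
    print(chained_kerberos_request("alice@CONTOSO.COM"))
```

The ticket validates at the downstream proxy and is rejected by the upstream proxy, which is the failure the cause describes: the Kerberos exchange binds the ticket to the service the client addressed, not to whichever proxy in the chain issued the challenge.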

Issues with clients authenticating on both downstream and upstream servers in a chained Web proxy scenario

Issue: When a client tries to authenticate with the upstream Forefront TMG server, authentication fails if the client is also required to authenticate with the downstream Forefront TMG server.

Cause: Clients cannot transparently authenticate with both a downstream and an upstream Forefront TMG server. A scenario where both Forefront TMG servers require unique client authentication is not supported.

Solution: Implement one of the following solutions:

  • If unique client authentication is necessary on the downstream Forefront TMG server:
    Configure the downstream Forefront TMG server Web chaining rule to provide credentials to the upstream Forefront TMG server, or configure the upstream Forefront TMG server to allow traffic anonymously (no authentication).

  • If unique client authentication is necessary on the upstream Forefront TMG server:
    Configure the downstream Forefront TMG server to allow traffic anonymously (no authentication). To ensure caching is possible on the downstream Forefront TMG server in this scenario, run the script given in KB915025 (https://go.microsoft.com/fwlink/?LinkId=180367). Note that only integrated (NTLM) authentication is supported in this scenario (see Kerberos authentication issues in a chained Web proxy scenario).

Web Proxy SSL connections are only supported for chained proxy connections

Issue: A Web Proxy client application is not supported with the SSL Web proxy listener.

Cause: This listener is designed for use in a Web-chained configuration when Basic delegation is used, to prevent credential sniffing. Web proxy clients may be configured to use and authenticate to this listener, but CERN proxy SSL connections cannot be established through it, because they cannot establish more than one SSL session on a TCP connection.

Solution: No workaround. Forefront TMG can use a client certificate to authenticate against an upstream Forefront TMG computer. In this scenario, you can define an SSL connection between a downstream Forefront TMG computer and an upstream Forefront TMG computer.

Forefront TMG access rules cannot authenticate based on a computer account

Issue: Forefront TMG access rules cannot authenticate based on a computer account; for example, allowing a specific user working from home full access from a corporate laptop, but limited access from a home computer.

Cause: Forefront TMG can only use a computer account for rule authentication under specific circumstances. Forefront TMG evaluates authentication conditions for a rule from the settings on the Users tab of that rule, and identifies the computer originating a request on the From tab. A rule is evaluated and applied if all the rule's conditions are met. Within a particular tab, a rule is applied if any of the conditions are met. For example, if the Users tab indicates that authentication is applied to three groups, a user only needs to belong to one of the groups in order for the rule to be applicable.

On the Users tab, Forefront TMG allows you to specify users, groups, and security principals to be authenticated on a rule. However, if you specify a computer account on the Users tab, only applications running under the Local System or Network Service account on the specified computer will be authenticated, and only when that computer authenticates to a domain controller using Kerberos. This can occur when the Web proxy listener of Forefront TMG is enabled for Windows Integrated authentication and the client supports Kerberos authentication (for example, Windows Update).

For example, you specify a computer account (DomainName\ComputerName$) on the Users tab. With this setting, any service (running under the Local System account or the Network Service account) that runs a Kerberos-enabled client will be authenticated, and access allowed or denied in accordance with the rule settings. If only a domain group that is limited to user accounts is specified on the Users tab, authentication of the client application using the computer account will fail to match the rule. If a rule has both a domain user group and a computer accounts group specified, the rule can be matched for a computer account.

Solution: One workaround to differentiate remote clients by computer might be to use a VPN solution, as follows:

  1. Create an access rule from the VPN Quarantine Clients network to the destination network. The VPN Quarantine Clients network will include the home computer. Specify a more limited access policy in this rule, and optionally, add a user account. The VPN Quarantine network must be enabled, and ensure that the disconnection time is not specified (this is the default setting).

  2. Create an access rule from the VPN Clients network to the destination network. The VPN Clients network will include the corporate laptop. Specify a more permissive policy on this rule, and add user accounts as required.

For this solution to work, you must include the Quarantine solution on each of the corporate computers.
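The rule evaluation described in the cause above (every tab must match, any entry within a tab suffices, and a computer account satisfies the Users tab only for a Local System or Network Service client that authenticated with Kerberos) is modelled in the following added Python example. It is not Forefront TMG code; the accounts, groups and rules are constructed, and ordered first-match policy evaluation is assumed.

```python
# Added model of the access-rule evaluation described above; not Forefront TMG
# code. Accounts, groups and rules are constructed; ordered first-match policy
# evaluation is an assumption.

SERVICE_ACCOUNTS = {"Local System", "Network Service"}

# Constructed directory group membership.
GROUPS = {
    "CONTOSO\\Domain Users": {"CONTOSO\\alice"},
    "CONTOSO\\Domain Computers": {"CONTOSO\\LAPTOP01$"},
}


def authenticated_identity(run_as: str, user: str, computer: str, via_kerberos: bool):
    """Identity the Web proxy listener sees. A service under Local System or Network
    Service presents the computer account (DOMAIN\\HOST$) only when Kerberos was used;
    an application running as a user presents that user."""
    if run_as in SERVICE_ACCOUNTS:
        return computer if via_kerberos else None
    return user


def tab_matches(entries, value, membership=GROUPS) -> bool:
    """Within one tab any listed entry suffices (direct match or group membership)."""
    if value is None:
        return False
    return any(value == e or value in membership.get(e, set()) for e in entries)


def rule_matches(rule: dict, source_network: str, identity) -> bool:
    """Every tab must match for the rule to apply (From tab AND Users tab)."""
    return (source_network in rule["from"]) and tab_matches(rule["users"], identity)


def first_matching_rule(rules, source_network, identity):
    """Ordered policy: the first matching rule decides (assumed)."""
    for rule in rules:
        if rule_matches(rule, source_network, identity):
            return rule["name"]
    return None


POLICY = [
    {"name": "Users only", "from": {"Internal"}, "users": {"CONTOSO\\Domain Users"}},
    {"name": "Users and computers", "from": {"Internal"},
     "users": {"CONTOSO\\Domain Users", "CONTOSO\\Domain Computers"}},
]

if __name__ == "__main__":
    # Windows Update running as Local System on LAPTOP01, Kerberos negotiated.
    ident = authenticated_identity("Local System", "CONTOSO\\alice", "CONTOSO\\LAPTOP01$", True)
    print(ident, "->", first_matching_rule(POLICY, "Internal", ident))
```

With the constructed policy, a Kerberos-authenticated service on LAPTOP01 skips the "Users only" rule (its Users tab lists only a user group) and is matched by the rule that also lists Domain Computers, while the same service without Kerberos never authenticates and matches nothing.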

LDAP authentication in Forefront TMG

Issue: LDAP authentication is not supported for access rules.

Cause: In Forefront TMG, LDAP authentication is available only as an authentication method in Web publishing scenarios.

Solution: No workaround.