Exported xml of EOP IP addresses from TMG 2010 attached for anyone that may want it.

IP addresses for EOP taken from https://technet.microsoft.com/library/dn163583(v=exchg.150).aspx

EOP.Subnets

http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx

very disappointing to say the least – TMG 2010 is an awesome product, but there was also a lot of opportunity for improvements. (although I had heard that this was going to happen – so its not a surprise)

of course it remains to be seen how this is handled – as far as if UAG is improved far enough to it can replace TMG…. as at the moment, in my opinion, TMG is a far superior product to UAG.

Anyhoo – disappointing, but how disappointing it is will depend on how the replacement of functionality (likely in UAG v.next) is handled.

It looks like the latest update of the malware inspection rules for TMG 2010 blocks google.com, believing it is infected with JS/Blacole.BW.

It’s not as if many people use google… so we’ve got a couple a couple of calls about this so far…. and it looks like a few other people have run into it too.

http://social.technet.microsoft.com/Forums/en-GB/Forefrontedgegeneral/thread/e8eb8300-ecdd-4b23-b6df-f6ac0a67a226

So – the workaround

Open your TMG console

Navigate to firewall policy | Toolbox | network objects | Domain name sets

Edit “Sites Exempt from Malware Inspection”

add *.google.com

Done!

Interest for FEP has increased rather dramtically lately for us… which has been cool – as unlike its predessor – FCS, FEP is actually usable! 🙂

I think this is because of two reasons:

1) FEP will soon be part of the core CAL…. (August 2011) so there are many organisations that can now use FEP and not pay any more. This is obviously very compelling when org’s can immediately save hundreads of thousands, if not millions on their current anti-virus product, by swapping over to something they already own.

2) Logon times – this is the one that has impressed me. A number of clients, particularly schools, have older hardware on which they are deploying their Windows 7 SOE’s to. When using Mcaffee or Symantec on these machines – well, they’re not overly zippy. Moving from these solutions to FEP has resulted in massive improvements in boot and logon times. For example, one school – on particularly old hardware, went from a 1:47 boot up time to a 0:46 boot up time…. logon time went from 1:54 to 0:38 (and first logon went from 5:14 to 1:55)

The times above are ofcourse only indicitive of one location, with their specific hardware etc – but for those of you not running FEP – i would strongly suggest you have a look at it. Do some logon time comparisons for yourself, tell your boss that you can save them lots of cash and that the cash should be re-directed into your pay rise!

Oh and the backend management – its now OK…. still not great… but definately usable and keep in mind that FEP 2012 is also not far away…. where the management seems to be much better again (2012 is currently in beta 2 so it may get better – and hopefully not wosre!)

Im a big fan of no anti-virus on servers…. or if you must have it, only the AV component (no network rubbish) with no realtime turned on…. if you have all your endpoints protected and entry points into the network – its just not required.

For example – an Exchange server or  a Lync server….. sure use a specific antivirus product for exchange…. but not a fucking file-level anti-virus, its just completely pointless! What are you trying to achieve apart from poor performance, corrupted databases and upgrade hassles ?

Anyhoo – today i had the fun of finding out that Symantec Enpoint Protection – bluescreens UAG when trying to upgrade to SP1. Fortunately it was a virtual – so we reverted back to a previous snapshot, removed the piece of shit, which is worse than a virus, and the UAG SP1 upgrade proceeded with no issues.

So this one has been bugging me for a while… and then a client asked for it – so i had to get it sorted….

So it seems with some Cisco VPN connections, i can connect, but not send any traffic when the Cico VPN client is behind a TMG server. Give the VPN client a direct connection and its fine…. so after a bit of looking, i think i have it working…

1) Set AssumeUDPEncapsulationContextOnSendRule = 2 as per http://support.microsoft.com/kb/926179

2) Run netsh tmg set global name=BlockSecuredInDefaultState value=0 persistent on the TMG server – as per http://forums.isaserver.org/m_2002104621/mpage_1/key_/tm.htm#2002104688 (then reboot)

3) Create 2 publishing rules on the TMG server, one which reverse publishes IKE and the other NAT-T

I purchased a wildcard SSL cert today – as sooooooo many things i want to do on the corporate network now require crl’s… so i thought it be worth a little bit of money to remove the hassle of using my internal CA, publishing the crl etc.

For this, i purchased a cheapy wildcard (at $150 year) – which, for the amount of time its already saved was money well spent.

When setting up Direct Access within UAG, the group policies refused to get created, thankfully, google came to the rescue with http://terenceluk.blogspot.com/2010/09/problem-executing-generate-policy-after.html – which was dead on my issue – the cheapy cert had a comma where there shouldnt be a comma!

Anyhoo – thanks to terrance, i modified the generated ps script and away i went…. people that blog the answers to this type of thing are awesome 🙂

Recently a client bought up the slow start-up times of their TMG 2010 cluster nodes…. after they mentioned it, i had a look at a few others (internally and at clients) and noticed the same thing…. and in the event log saw that the TMG Job scheduler took a long time to start (as in 5 minutes +) – set this service to delayed start… boot times back to normal.

i noticed when logged into technet downloads today that FIM 2010 has RTM’ed….

Eval is also available from http://technet.microsoft.com/en-us/evalcenter/cc872861.aspx