Monthly Archives: October 2009

Hey, I know this guy! :-)

Get to know the Windows Home Server Team: Video interview with Jonas Svensson, Community Program Manager

Today the Windows Home Server Blog, tomorrow your own TV series! ;-)

Windows Server 2008 R2 ebook – Get yours now!

Thank you Charlie and Craig for writing it, and Microsoft for offering it up. Get your own copy of the Introducing Windows Server 2008 R2 ebook for free!

MS Partner Licensing Information and SKU lookup

Looking for the SKU for Microsoft Server 2008 Remote Desktop Services by chance? The US price list, along with the License Configurator tool, is available by logging into your MS Partner account and clicking on the URL in the last sentence, or from the Licensing tab, then expanding “Making Licensing Choices” on the left (at least at the time I wrote this post).

Karl Palachuk is Seattle Bound!

Here’s a quick advertisement for Karl’s next Seattle visit. I’ve already bought my ticket, so I’ll see you there. – Steve

Meet Karl in Seattle on Tuesday, November 3rd

6:30 PM – 9:00 PM
Introduction to Project Management and Zero Downtime Migration Strategies

$10 discount available instantly. Just use discount code SEA200911 at checkout.

For more info, see

Register Now


Mark’s rules for TMG Firewall client (MRFTFC)

Mark Stanfill has started a great series, via his Twitter account, covering EBS rules for TMG. They are so good that I thought it a great idea to include them here. I’ll add to this post as he adds additional rules. Following are the first sets, plus a bonus precursor:

#EBS08 New series: Mark’s rules for TMG Firewall client (MRFTFC)

#EBS08 Never use ‘route add’ on TMG. Use the TMG getting started wizard instead. Look for startup scripts that do route adds, exclude admin

#EBS08 MRFTFC #1 – You probably don’t need the FWC. 99% of apps can get by with SNAT and web proxy

#EBS08 MRFTFC #2 – Install from Management Server (not Security): C:\Program Files\Windows Essential Business Server\bin\ISA\client

#EBS08 MRFTFC #3 You only need the FWC if you have an APP that needs it or if you want to track access by user rather than by IP.

#EBS08 MRFTFC #4 Down-level FWC from ISA 2004/6 still works, but you should update it if you use it.

New #EBS08 TMG rule 1 – never, ever use “route add” – you will corrupt the IP stack

New #EBS08 TMG rule 2 – add routes via the getting started wizard only – TMG Console -> Forefront TMG -> Tasks

New #EBS08 TMG rule 3 – Only use TMG Console to configure VPN, never RRAS Mgmt console

New #EBS08 TMG rule 4 – Never, ever, ever, ever disable IPv6 on Security Server – you will never fix anything, but you will break RRAS

New #EBS08 TMG rule 5 – Networks under TMG Console\Networking\Networks must have an interface on TMG server itself or we’ll drop traffic

New #EBS08 TMG rule 6 – deploy firewall client via gpo from MGMT server: c:\progra~1\window~3\bin\isa\client — Exclude Servers from GPO

-Additional markstan comment: It depends on the app and the environment. Use FWC if you need user auditing, don’t want to use default gateway, or know that you will have a lot of custom protocols. Undefined protocols = block for SNAT, access for FWC.

New #EBS08 TMG rule 7 – for WMI to work you must disable Enforce Strict RPC Compliance on all applicable access policies and system policies

#EBS08 TMG – if you are publishing TS to another server, TS to TMG will fail. Set the winstations regkey to 3390 on TMG, reboot, create access policy for internal to localhost

#EBS08 TMG – Want to query RBLs for SMTP? Create an access rule for DNS (not DNS server) from localhost to external. Not there by default.

#EBS08 TMG rule – TMG requires IPv6. Never disable via registry or uncheck from ncpa.cpl. This will lead to routing issues and application crashes. I’ve seen random blue screens, but never been able to repro.

#EBS08 TMG tip – you can copy rules via ctrl-c/ctrl-v, modify settings (like port #) to save time.

#EBS08 TMG tip – getting started wizard (for adding static routes) must be run on Security Server itself (can’t do from mgmt)

#EBS08 TMG TIP – slow web page load/DNS name resolution – use the script from

#EBS08 TMG TIP – 3 updates that need additional work on Security Server – and

#EBS08 TMG Tip – TMG comes with a 1yr AV subscription. TMG Console\Update Center\Highlight ‘Malware Inspection’\Configure License details

#EBS08 TMG TIP – renew licensing for TMG – To renew, contact your Microsoft Partner or Small Business Specialist.

#EBS08 TMG – Networking\Networks\Internal\Web Browser – ‘Directly access computers specified in the addresses tab’ needs to be checked

#EBS08 TMG TIP – quick TMG backup – EBSAdmin console\Security tab\highlight Network firewall\Save network firewall settings

#EBS08 TMG TIP – Native TMG backup – right-click Forefront TMG (servername) in TMG Console -> Export (Back Up)… – choose the defaults.

#EBS08 TMG: Reset TMG to day 1 (all EBS services published) in Admin Console\Security\Network firewall\restore default network firewall set

#EBS08 TMG – TMG has a 1 GB limit on HTTP downloads by default

#EBS08 TMG – TMG download limits = TMG Console\Web Access Policy\Configure Malware Inspection\Inspection Settings

#EBS08 TMG – Email a daily network usage report – TMG Console\Monitoring\Reporting\Create Recurring Report Job

#EBS08 – To run IT Health Scanner w/ TMG – create allow all access rule as rule #1, disable strict RPC checking there & on system policy\AD
  – blog post: How to run the IT Environment Health Scanner in an EBS Environment

#EBS08 – Update to blog post – Preparation Wizard/IT Environment Health Scanner fail with DNS WMI Provider error

Not labeled TMG by Mark, but worth having in this list:

#EBS08 browser access from security server itself – you must manually configure proxy, port 8080, set exclusion for local domain

#EBS08 – security server unable to get updates? Check the proxy exclusions list first.

#EBS08 MRFTFC – Address ranges, subnets, and computer set objects should not contain the TMG server’s IPs (rare exceptions).

#EBS08 MRFTFC – OWA HTTP 500/error 12217 = disable normalization on the OWA publishing rule

#EBS08 MRFTFC – OWA “Could not connect to a directory server” error = disable link translation on OWA publishing rule.

#EBS08 MRFTFC – Slow or failed FTP behind TMG? Create the reg key in and restart server. (many other potential causes)

#EBS08 MRFTFC – Postback errors uploading to or configuring SharePoint? Add /WebResource.axd* to the SharePoint publishing rule’s path.

#EBS08 MRFTFC – to repair or uninstall/reinstall SCE Agent on Sec Server, “net stop fweng /y”, install or repair, then “net start fwsrv”
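Since several of Mark’s rules are things you can check for rather than just remember, here is a read-only audit script I put together (my own example, not Mark’s and not part of EBS or TMG) that looks for the IPv6 registry disable, `route add` in GPO startup scripts, the RDP listener port, and the proxy/exclusion settings called out above. The registry paths are the standard Windows ones; the script assumes it is run elevated on the Security Server, in a domain where `\\<domain>\SYSVOL` is reachable.

```powershell
# Added example: audit an EBS Security Server against a few of the TMG rules in this post.
# Read-only: it reports findings and changes nothing.
$findings = @()

# Rule 4 / IPv6 rule: IPv6 must not be disabled via the registry.
# Any non-zero DisabledComponents alters IPv6 behaviour, so flag it for review.
$tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$dc = (Get-ItemProperty -Path $tcpip6 -ErrorAction SilentlyContinue).DisabledComponents
if ($dc -ne $null -and $dc -ne 0) {
    $findings += "IPv6 DisabledComponents is $dc; TMG requires IPv6 (rule 4)"
}

# Rule 1: no startup script may call 'route add' on the TMG box.
# Domain GPO scripts live in SYSVOL, local GPO scripts under System32\GroupPolicy.
$scriptRoots = @("\\$env:USERDNSDOMAIN\SYSVOL", "$env:SystemRoot\System32\GroupPolicy")
foreach ($root in $scriptRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Include *.bat,*.cmd,*.ps1,*.vbs -ErrorAction SilentlyContinue |
            Select-String -Pattern 'route\s+add' |
            ForEach-Object { $findings += "route add in $($_.Path):$($_.LineNumber) (rule 1)" }
    }
}

# TS publishing tip: when RDP to another server is published, TMG's own listener
# is expected to have been moved (the post uses 3390). Report what is configured.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port = (Get-ItemProperty -Path $rdp -ErrorAction SilentlyContinue).PortNumber
$findings += "RDP-Tcp listener on TMG is port $port (tip: 3390 when publishing TS to another server)"

# Browser-from-Security-Server tip: proxy on port 8080, local domain excluded.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($ie.ProxyEnable -ne 1 -or $ie.ProxyServer -notmatch ':8080$') {
    $findings += "IE proxy is '$($ie.ProxyServer)' (enabled=$($ie.ProxyEnable)); expected port 8080"
}
if (-not $ie.ProxyOverride -or $ie.ProxyOverride -notmatch [regex]::Escape($env:USERDNSDOMAIN)) {
    $findings += "Proxy exclusions '$($ie.ProxyOverride)' do not include local domain $env:USERDNSDOMAIN"
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Note that the proxy check reads the settings of the account running the script, which is exactly the account that will be browsing from the Security Server.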