TMG SP2 now out there

There I was, blathering away about Kerberos and SetSPN and sleeping – sleeping! – while the long-awaited-but-unannounced TMG SP2 was released. And announced, I guess.

The documentation’s still being updated (the release notes haven’t made it up yet), but you can try it out from here:

Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2

And topically:

New Reports
• The new Site Activity report displays a report showing the data transfer between users and specific websites for any

Error Pages
• A new look and feel has been created for error pages.
• Error pages can be more easily customized and can include embedded objects.

Kerberos Authentication
• You can now use Kerberos authentication when you deploy an array using network load balancing


PSA: You really need to update your Kerberos setup documentation with SetSPN -S!


You might remember me from such posts as Kerbie Goes Bananas, and SetSPN improvements for Windows 2008. Or something.

I’m here with a public service announcement! Excitement!

It’s been long enough since Windows 2008 (and the downlevel release of SetSPN) that I feel comfortable respectfully asking you to please:

Search and Replace SetSPN -A with SetSPN -S.

In your organization, if you ever happen to run across a document that describes a procedure that looks anything like this:

SetSPN -A http/yourwebfarm DOMAIN\YourFarmAccount


  •  mail the author, or
  •  file a bug against the content, or
  •  use the Community Content feature if it’s somewhere on Technet, or
  •  mail anyone and everyone responsible for upkeep or implementation of that document

to change the SETSPN -A command to a SETSPN -S.

You may need to include a foreword describing where to get the 2008 version of SetSPN (I think I may have just spoiled it for you) if you’re still strongly a 2003/XP shop, with no newer SetSPN-toting OSs available.

Why the change?

Because it’ll hurt you less in the long run.

The original release of SetSPN was strongly account-centric. Given a Windows account, it would let you:

  • Add an SPN to that account
  • Remove an SPN from that account
  • List the SPNs associated with that account

Unfortunately, this makes it very easy to add the same SPN to multiple accounts – creating a duplicate SPN. This is a very bad thing.

The same SPN can’t easily be added more than once to the same user account, but the original tool does nothing to prevent the same SPN being added to multiple user accounts – and unfortunately, that’s exactly the situation you’re trying to avoid.


Any of

  • SETSPN -A http/farm DOMAIN\FarmUser
  • SETSPN -A http/farm DOMAIN\FarmComputer$


  • SETSPN -A http/farm DOMAIN\FarmComputer1$
  • SETSPN -A http/farm DOMAIN\FarmComputer2$


  • SETSPN -A http/farm ANYTHING followed by

breaks Kerberos for http://farm.

To restate the rule: One SPN can be associated with precisely one account.

So please, use SetSPN -S

And that’s exactly what SETSPN -S is designed to prevent. SETSPN -S performs a quick check for duplicates before adding an SPN – which is the best possible time at which to catch the problem. So yay-the-Windows-2008-AD-team.

Duplicates! Gotta Catch ‘Em All 2011 Edition

If you suspect you have duplicate SPNs in your environment, well, why just suspect? Run


To be told explicitly what duplicates you have kicking around in AD (there are forestwide switches you can use too). Yep, that used to be a nasty LDIFDE export with an LDAP filter expression; much simpler now!
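The one-SPN-one-account rule above, applied as an offline check over LDIF text such as an LDIFDE export. This is an added Python example, not code from the original post. The sample LDIF, its DNs and the function names `parse_spns` and `find_duplicate_spns` are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample (made-up DNs and SPNs) shaped like an LDIF export.
SAMPLE_LDIF = """\
dn: CN=FarmUser,CN=Users,DC=example,DC=test
servicePrincipalName: http/farm

dn: CN=FarmComputer,CN=Computers,DC=example,DC=test
servicePrincipalName: HTTP/Farm

dn: CN=OtherSvc,OU=Servi
 ceAccounts,DC=example,DC=test
servicePrincipalName: http/other
"""

def parse_spns(ldif_text):
    """Return {dn: [spn, ...]} from LDIF text."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF folds long lines with one leading space
        else:
            lines.append(raw)
    accounts, dn = {}, None
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        name, value = name.lower(), value.strip()
        if name == "dn":
            dn = value
            accounts[dn] = []
        elif name == "serviceprincipalname" and dn is not None:
            accounts[dn].append(value)
    return accounts

def find_duplicate_spns(accounts):
    """Return {lowercased spn: sorted DNs} for SPNs on more than one account."""
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(dn)  # SPNs compare case-insensitively
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(parse_spns(SAMPLE_LDIF)).items():
        print(f"DUPLICATE {spn}: " + " | ".join(dns))
```

The case-folded comparison matters here: `http/farm` on the user account and `HTTP/Farm` on the computer account are the same SPN, so the sample reports one duplicate.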


IRacing vs TMG 2010


About a week ago, I signed up for iRacing again, after letting my subscription lapse back in, oh, looks like 2008. Time flies!

Since then, I’ve been trying to get updates to install, but I’ve been having no luck with it – the update web page would just vanish when I ticked the updates I wanted and clicked Update.

(Actually, that’s the second symptom – at first I suspected a WPAD problem, as the update window would hang on a blank address, but after disabling proxy settings, that stopped, and I simply didn’t get the updater working.)

One full OS reinstall (well hellooo crazy/hot SSD), UAC, Windows Firewall and AV shenanigans, and a bunch of file- and security-related fiddling later, I was trawling through the IracingService log (Iracingservice.out) and noticed a bunch of network-looking errors, including a 10054 socket error.

TMG logs also noted the 10054 (connection forcibly closed by remote host), so I got to thinking: Could this be another XBL-style HTTP/TCP thing where the Web Proxy filter gets upset?

In short: yes!  Cue obligatory “see-it-works-now” screenshot:


Oooooh. Ahhhhh.

Fixing It

I used a variation on the Xbox Live HTTP technique, to disengage the Web Proxy filter from, but constrained it by source IP (just my home gaming machine) and by target IP.

Toolbox Objects:


  • RacingPod – Your client computer IP. It’s fixed, right? This can be skipped if you’re using DHCP, just specify the internal network – the Computer Set for Iracing will still “partition off” the relevant requests.

Computer Set:

  • IRacing IPs: the IP address of (ping or nslookup for the current IP). I could have used a Domain Name Set, but I didn’t want to incur possible name resolution overhead on any HTTP request that might have matched these conditions. It will break when the IP changes, but I’m OK with that for now.

Protocol Definitions:

  • Xbox HTTP – TCP/80 Outbound, not based on HTTP base definition, not bound to the Web Filter. (That’s the important part). I’m reusing a protocol I created earlier for something else. See if you can guess what?

Rules (in this order)

  • Iracing Special HTTP – Access Rule,
    • Action: Allow
    • From: RacingPod
    • To: IRacing IPs
    • Protocol: Xbox HTTP (only)
  • Iracing Block Regular HTTP – Access Rule,
    • Action: Deny
    • From: RacingPod
    • To: IRacing IPs
    • Protocol: HTTP (only) – that’s regular HTTP, not the new special Xbox HTTP

These should be considered inseparable rules – move them as a single unit (shift-selecting allows you to move whole blocks of rules up and down, by the way – to quickly move these to the top, shift-select the other rules above them, and r-click Move Down that group). Put them ahead of any general Allow rules – they will only affect traffic to Iracing’s Member site, only for the HTTP protocol, and should be very, very quick to process.

See the Notes on the Xbox post for the nitty-gritty on why this works. (This’d probably also work for ISA Server 2006 and ISA 2004, if it’s a problem for them, by the way).

Caveat Racer

Threat Management Gateway probably isn’t called Fluffy Home Network And Gaming Gateway for a reason. It’s designed to mitigate possible security threats for corporate environments, not to get all UPnP-laissez-faire and cosy with strange remote hosts. But it’s kinda fun to force it to.

ISA 2000: The End Draws Near

While updating some documentation today and noticing it’s 2011 (when, exactly, did that happen?), I dug up the ISA Server 2000 Lifecycle information.

Paraphrasing the table here:

Internet Security and Acceleration Server 2000 Enterprise Edition

  • Availability: 18/03/2001
  • Mainstream Support Ends: 11/04/2006
  • Extended Support Ends: 12/04/2011

That’s right, kids, it expires on April 12 this year. (The date format is the *cough* correct *cough* UK/AU format above, naturally)

I have fond memories of ISA Server 2000. Actually, now I remember it, the memories were less “fond” and more around being confused by the task pane (I’m a right-click kinda guy), and the documentation, and whether packet filters were something applicable to publishing rules or not. Experience counted for a lot with it, and when it was released, it was a whole lotta new for everyone involved in using and supporting it.

ISA 2000 was where we originally derived the “two minute rule” from for ISA support (at least in Australia): When you’ve made a change, and you’re testing it, give it two minutes. (Saying that caused most type-A admin people to give it at least a minute, and a minute was usually enough for a change to percolate through the system).

I’d been a keen user of Proxy 2.0 at home and at work, on a very early cable modem implementation in Australia (see also: The Lane Cove Effect), and our geeky household upgraded through Windows 2000 betas with Proxy 2.0 patches, until finally ISA 2000 betas became available. Not too long after that, the release version was installed, glistening, on the low-spec former-work-desktop 486 we were using for routing and cheapie IIS hosting duties.

ISA 2000, you served us well. But your time is well and truly past. Bon voyage on the sea of retirement.

If you’re still using ISA 2000, and you’d like to try our new hotness, please try Forefront TMG 2010. The documentation’s better (and most ISA 2004/2006 documentation still applies), and it installs on current Windows versions. Thanks!

Autoproxy might still be broken in current Java runtimes

A customer battling automatic proxy configuration issues with ISA/TMG and PAC/WPAD.DAT pointed me at the following bug: bug_id=6887492

Which, if I’m interpreting it right, is Closed. In Connect-speak, that would mean “not being worked on”. (If it was, or is, and a newer version fixes this, please let me know).

From the TMG perspective, a possible workaround is to install the firewall client (or TMG Client as it’s known these days) on the client computer, and turn off the proxy settings at the Java level – this allows the TMG Client to transparently authenticate at the Windows Sockets (winsock) level, bypassing the proxy autodetection script entirely.

TMG Large Logging Queue: No More SQL Lockdowns?

What you say!?

The new logging system in TMG 2010 is seriously cool, and it’s designed to cope with extended instances of SQL Server going away. Extended meaning multi-hour, but depending on disk space, it could be multi-day.

Short Version

There’s a good detailed description of it here, which I’ll try to crystallize:

The most likely reason for the Firewall Service to stop, and for TMG 2010 to enter Lockdown mode, is a lack of disk space on the TMG box.

Yep. If the LLQ files can’t be created, that’s when the Firewall Service will be stopped. If SQL goes away for a few days… well, that’s okay. We got that covered*.

Long But-Not-That-Long Version

But why does that help avoid lockdown mode? More crystallization required:

The kernel-mode FWENG component is now responsible for logging. When everything’s going swimmingly, it logs to a buffer in memory.

The logs in this memory buffer are the logs that might be lost if the server experiences a hard crash – like a blue screen – and that’s why the registry key names governing it are appropriately pessimistic (both in HKLM\System\CurrentControlSet\Services):

(1) Fweng\Parameters\LogQueueMaxLossCount 
(2) Fweng\Parameters\LogQueueMaxLossTimeInSeconds

To get the FWENG buffers out to SQL Server, or MSDE/SQL Express, or text files (more on that later), the Microsoft Forefront TMG Control Service (the service name is still IsaCtrl, by the way) executes a Log Formatter.

The Log Formatter is responsible for taking the raw log information from memory or disk (we’ll get to that), transforming it into the desired output format, and storing it wherever you’ve specified. (The Firewall Service used to do that.)

If FWENG starts exceeding its thresholds – meaning that either the FWENG memory buffers fill up (1) or have remained in memory for Long Enough (2) and haven’t been pulled and stored by IsaCtrl – FWENG will start pushing its Log Queue buffers to disk instead, in .LLQ files.

When the Control service restores its connection to SQL or MSDE, and operations start succeeding again, the logs will be formatted and stored, and the LLQ files deleted as they’re dealt with.

How cool is that? SQL logging here we come!

You mentioned Text Files, but they seem kinda robust?

Well, the log formatter is responsible for transforming log queue records to text format as well, so a text formatting failure would have a similar effect to someone unplugging SQL.

But the reasons I could dream up for that failing are pretty much the same as they currently would be for text logging to fail either way – the disk is full, or very heavily fragmented, or perhaps broken, or Antivirus hasn’t been properly excluded from the path and/or process.

* – pending traffic and disk space. If you can generate 100GB of logs in an afternoon, you’re unlikely to last days before SQL comes back, aren’t ya? Unless you’ve got a billion gig to play with.

More Network Inspection System updates


A new Vuln (vulnerability) NIS definition for Outlook Express / Windows Mail MS10-030 joins the recent Expl (exploit) definition for the SharePoint XSS issue (currently an Advisory).

The other type of signature is a Policy signature – not an exploit or a vulnerability per se, but a security feature an Administrator might want to enable.

NIS is one of the aspects of TMG 2010 I’m most speculatively excited about – imagine being able to more-or-less automatically protect a whole subnet of vulnerable machines while patches are being produced or deployed – and the MMPC have been steadily releasing definition updates that protect TMG-protected machines from known exploits since launch.

NIS updates typically coincide with a bulletin release – but recently, we’ve seen that they’ve been produced for at least one Advisory as well.

NIS updates aren’t particularly discoverable right now, though – I can’t find another way to get notifications of NIS updates other than through the TMG interface.

And NIS entries are not currently searchable in the MMPC Encyclopedia either – they’re linked directly from the definitions in the MMC above.

TmgAdConfig (aka ADConfig, ADConfigPack)

To avoid you tearing your hair out trying to find it:

The tool TMGADCONFIG.exe is included in the ADCONFIGPACK.exe download, available from this location, which extracts to the Program Files(x86)\Forefront TMG Tools\ADCONFIG folder by default.

I was chasing it down with great vengeance and furious anger cos the examples on the web indicated that the AD Marker was stored in the Configuration partition (i.e. at the root of a given domain – one setting for the domain (cue indignant “well what about site awareness!?” on my part)).

The AD Marker, incidentally, is a new method through which the Firewall Client (TMG Client) tries to detect available TMG Servers – it’s intended to be more secure than the existing WPAD.DAT/WSPAD.DAT mechanisms (though they should still work unless you turn them off).

Happily, the -? story differs from the other published works (and included .doc file), and implies much site-aware joy, so I thought I’d republish the detailed help for all of it here, for your viewing pleasure.

TmgAdConfig -?

Forefront TMG Auto-Discovery Configuration Tool
    TmgAdConfig.exe add -site <site-name> -type winsock -url <service-url> [-f]
    TmgAdConfig.exe add -default -type winsock -url <service-url> [-f]

    TmgAdConfig.exe del -site <site-name> -type winsock
    TmgAdConfig.exe del -default -type winsock

    TmgAdConfig.exe list [-default] [-site [<site-name>]]

    TmgAdConfig.exe <any-command> -help

TmgAdConfig.exe add -site My-Site -type winsock -url
    Register the given URL as the winsock proxy service for site My-Site.
TmgAdConfig.exe list -site My-Site
    Print all service markers registered for site My-Site.


TmgAdConfig add -help

Forefront TMG Auto-Discovery Configuration Tool
    Add (register) a new marker in Active Directory.

    TmgAdConfig.exe add -site <site-name> -type winsock -url <service-url> [-f]
    TmgAdConfig.exe add -default -type winsock -url <service-url> [-f]

    -site     Active Directory site associated with the new marker.
    -default  Makes the new marker the default for all sites.
    -type     Service type of the marker.
    -url      URL from which to retrieve the service configuration file.
    -f        Force overwrite if the marker already exists.

TmgAdConfig.exe add -site My-Site -type winsock -url
    Register the given URL as the winsock proxy service for site My-Site.


TmgAdConfig del -help

Forefront TMG Auto-Discovery Configuration Tool
    Remove (unregister) a marker previously registered in Active Directory.

    TmgAdConfig.exe del -site <site-name> -type winsock
    TmgAdConfig.exe del -default -type winsock

    -site     Active Directory site from which to remove the marker.
    -default  Remove the site-default marker.
    -type     Service type of the marker to remove.

TmgAdConfig.exe del -site My-Site -type winsock
    Unregister the current winsock proxy service registered for site My-Site.


TmgAdConfig list -help

Forefront TMG Auto-Discovery Configuration Tool
    List registered markers.

    TmgAdConfig.exe list [-site [<site-name>]] [-default]

    -site     List site markers (use without a value to list all sites).
    -default  List the default markers.

TmgAdConfig.exe list
    Print all registered service markers.
TmgAdConfig.exe list -default
    Print all default service markers.