Forefront TMG 2010 SP2 Rollup 5

A short notice for those utilizing TMG in their environment on the release of Rollup 5 for Microsoft Forefront Threat Management Gateway (TMG) 2010, Service Pack 2 (KB2954173).

Changes in this update:

  • 2963805 Account lockout alerts are not logged after you install Rollup 4 for TMG 2010 SP2
  • 2963811 FIX: The TMG Firewall service (wspsrv.exe) may crash when the DiffServ filter is enabled
  • 2963823 “1413 Invalid Index” after you enable cookie sharing across array members
  • 2963834 HTTPS traffic may not be inspected when a user accesses a site
  • 2967726 New connections are not accepted on a specific web proxy or web listener in Threat Management Gateway 2010
  • 2965004 EnableSharedCookie option doesn’t work if the Forefront TMG service runs under a specific account
  • 2932469 An incorrect value is used for IPsec Main Mode key lifetime in Threat Management Gateway 2010
  • 2966284 A zero value is always returned when an average counter of the “Forefront TMG Web Proxy” object is queried from the .NET Framework
  • 2967763 The “Const SE_VPS_VALUE = 2” setting does not work for users if the UPN is not associated with a real domain
  • 2973749 HTTP Connectivity verifiers return unexpected failures in TMG 2010

TMG support will end on April 14th, 2015 and extended support will end on April 14th, 2020.

You can request Forefront TMG SP2 RU5 directly from support here.

Forefront TMG 2010 SP2 Rollup 4

A short blog on the release of Rollup 4 for Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (KB2870877).

Changes in this update:

  • 2889345 Accounts are locked out beyond the AccountLockoutResetTime period in Forefront Threat Management Gateway 2010 SP2
  • 2890549 Incorrect Performance Monitor values when queried from a .NET Framework app in Forefront Threat Management Gateway 2010
  • 2890563 “URL” and “Destination Host Name” values are unreadable in the web proxy log of Forefront Threat Management Gateway 2010
  • 2891026 Firewall Service leaks memory if Malware Inspection is enabled in Forefront Threat Management Gateway 2010
  • 2888619 A password change is unsuccessful if a user’s DN attribute contains a forward slash and an Active Directory LDAP-defined special character in Forefront Threat Management Gateway 2010
  • 2863383 “Query stopped because an error occurred while it was running” when you run a non-live query in Forefront Threat Management Gateway 2010 SP2
  • 2899720 Threat Management Gateway 2010 incorrectly sends “Keep-Alive” headers when it replies to Media Player WPAD file requests
  • 2899716 Firewall service (Wspsrv.exe) crashes when a web publishing request is handled in Forefront Threat Management Gateway 2010
  • 2899713 Access to certain SSL websites may be unavailable when HTTPS Inspection is enabled in Forefront Threat Management Gateway 2010

This again shows TMG isn’t “dead” since it received its End-of-Life status... yet. Note that TMG support will end on April 14th, 2015 and extended support will end on April 14th, 2020.

You can request Forefront TMG SP2 RU4 directly from support here.

Forefront TMG 2010 SP2 Rollup 3

A short blog on the release of Rollup 3 for Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2.

For Exchange, this Rollup fixes unexpected authentication prompts when using OWA published through Forefront Threat Management Gateway (TMG) 2010 in conjunction with RSA authentication and Forms-based Authentication (FBA). For a full list of changes, consult knowledgebase article kb2735208.

This again proves TMG isn’t “dead” since it received its End-of-Life status. So again, if you have TMG, don’t panic: for TMG, support will end on April 14th, 2015 and extended support will end on April 14th, 2020. You have some time to look into alternatives.

You can request Forefront TMG SP2 RU3 directly from support here.

Microsoft Exchange Conference 2012, a Summary

After being absent for over 10 years, this year the most anticipated conference for Exchange minded people took place in Orlando, Florida (US), the Microsoft Exchange Conference 2012 (MEC).

Despite not being able to attend MEC 2012, I’d like to summarize the news on Exchange 2013 from the event. Some of this information went public as part of the release of Exchange 2013 Preview, which was released in July (yes, almost 2 months ago – time flies). Some statements were new, like for example the expected release date of Exchange 2010 SP3, which is required for co-existence with Exchange 2013.

With all the social media nowadays, you can track most of the statements made at the event. Thanks to people like Jeff Guillet and Devin Ganger and people from our The UC Architects group, like Dave Stork, Michael van Horenbeeck, Pat Richard, Serkan Varoglu and John A. Cook, who reported live from the sessions they were attending (hashtag #iammec), the community was kept up to date with information as it unfolded. At the end of each day, Tony Redmond gave a nice summary including comments on the event as a whole.

Picture shows some of the people behind The UC Architects together with Perry Clarke (GM Exchange), who you might recognize from the Ask Perry videos. The picture was taken by Tony Redmond.

The information presented here is a summary of all the information provided through social media and is additional to the information presented at the release of Exchange 2013 Preview; you can read all about that in my Changes in Exchange 2013 Preview article. It is in no way meant to be conclusive or complete.

Ok, now on to the goodness.

Exchange 2010 Service Pack 3 is expected to be released in the first half of 2013. Not only is it required for co-existence with Exchange 2013, it also supports Windows Server 2012 as Operating System platform. Note that SP3 will require a schema update.

No word on the expected release date of the update required for Exchange 2007 to support co-existence between Exchange 2013 and Exchange 2007. Since Exchange 2007 SP3 Rollup 8 was released in August, thus after the Exchange 2013 Preview became available, I assume we have to wait for Rollup 9 (or 10?).

Ross Smith from the Exchange Team confirmed the 99% IOPS reduction claim when comparing Exchange 2013 with Exchange 2003; when compared with Exchange 2010 it’s a 50% reduction. That’s down from 1 IOPS per mailbox in Exchange 2003 to 0.125 IOPS in Exchange 2010 to 0.0625 IOPS per mailbox in Exchange 2013.

Also, passive copies have around 50% reduction in IOPS, mainly due to the increased checkpoint depth (100MB) and less aggressive pre-reading of data to keep in line with the checkpoint depth (I’ll devote a separate article on this at a later date). This means when mixing active and passive copies on a Mailbox server, the passive copies play more nicely from a storage perspective. Also, because of these changes database fail-over times are down from 20 seconds in Exchange 2010 to about 10 seconds in Exchange 2013.

To validate storage for Exchange 2013, JetStress for Exchange 2013 will become available 3 months after Exchange 2013 goes RTM. When required to validate storage in the meantime, it is recommended to utilize Exchange 2010’s version of JetStress since Exchange 2010 and Exchange 2013 will have the same IO pattern.

In Exchange 2013, multiple databases per storage volume are allowed, which allows for active and passive copies on the same volume. Looking at the lower IOPS requirements of Exchange 2013’s ESE engine and the 50% lower IOPS factor of passive copies, this allows for some serious consolidation on large volumes. The number of volume copies must match the number of databases per copy.

Note that putting databases on SMB3 shares (Windows Server 2012) is not supported; putting a virtualized Exchange server on SMB3 shares is.

Besides the recommendation to embrace 7,200 RPM disks for Exchange storage, large mailbox implementations are expected to take off (100GB+, including mailbox, archive and recoverable items) in an ongoing battle to get rid of PSTs and 3rd party solutions.

Due to database accounting changes in Exchange 2013, mailboxes may see a 30% increase in size when moved from Exchange 2010 to Exchange 2013. Make sure you adjust mailbox quota settings accordingly.

Client Access
CAS 2013 will proxy client traffic to Exchange 2010 using the CAS 2010 server’s FQDN, i.e. it won’t determine or use internalURL or InternalNLBBypassUrl. You can’t configure CAS-to-CAS proxying per site; it’s an all or nothing setting. At RTM, Exchange 2013 Client Access servers won’t contain support for SSL offloading.

Health Checking
Exchange 2013 will not only check the server’s health by looking at the Exchange services, but it will also check the protocols.

CAS 2013 will determine the health of legacy Exchange servers using a simple HTTP HEAD call.

Automatic Reseeding
Besides the ability to seed databases using multiple sources, which prevents the situation where multiple remote copies are seeded over WAN links from the active copy, Exchange 2013 contains a feature called Automatic Database Reseeding or just AutoReseed.

AutoReseed can be utilized to automatically reseed databases when required, e.g. after a storage failure. AutoReseed can even allocate and initialize spare disks to restore database redundancy. AutoReseed requires configuring three new properties, which are part of the DAG:

  • AutoDagVolumesRootFolderPath refers to the mount point containing all available volumes, including spare volumes;
  • AutoDagDatabasesRootFolderPath refers to the mount point containing the databases;
  • AutoDagDatabaseCopiesPerVolume sets the number of databases copies per volume.

So for example, when you’ve configured a mount point C:\Volumes (AutoDagVolumesRootFolderPath) containing mount points for databases, e.g. C:\Volumes\DB1, and mount point C:\Databases (AutoDagDatabasesRootFolderPath) with mount points to Exchange databases, e.g. C:\Databases\DB1 (where C:\Databases\DB1 maps to C:\Volumes\DB1), and DB1 contains folders for database and logfiles, AutoReseed can utilize mount points from C:\Volumes to automatically recreate and reseed databases when DB1 fails.
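As an added example (not from the original post or from Microsoft), the following Exchange Management Shell script applies the three DAG properties described above and then checks the mount-point layout AutoReseed depends on: every database folder under C:\Databases must be a mount point holding that database’s EDB and logs, and at least one volume under C:\Volumes must be unused so it can serve as a spare. The DAG name DAG1 is an assumption.

```powershell
# Added example, not from the original post: apply the three AutoReseed DAG
# settings and sanity-check the mount-point layout AutoReseed relies on.
# The DAG name is an assumption; run this in the Exchange Management Shell
# on an Exchange 2013 Mailbox server that is a member of the DAG.

$DagName       = 'DAG1'          # assumed DAG name
$VolumesRoot   = 'C:\Volumes'    # AutoDagVolumesRootFolderPath (all volumes, incl. spares)
$DatabasesRoot = 'C:\Databases'  # AutoDagDatabasesRootFolderPath (one mount point per DB)
$CopiesPerVol  = 1               # AutoDagDatabaseCopiesPerVolume

Set-DatabaseAvailabilityGroup -Identity $DagName `
    -AutoDagVolumesRootFolderPath   $VolumesRoot `
    -AutoDagDatabasesRootFolderPath $DatabasesRoot `
    -AutoDagDatabaseCopiesPerVolume $CopiesPerVol

# Read the values back so a typo in a path is caught before a disk ever fails.
Get-DatabaseAvailabilityGroup -Identity $DagName |
    Format-List Name, AutoDagVolumesRootFolderPath,
                AutoDagDatabasesRootFolderPath, AutoDagDatabaseCopiesPerVolume

# Build a table of mount-point directory -> volume ID. Win32_MountPoint lists
# every mount point, so a volume mounted at both C:\Volumes\DB1 and
# C:\Databases\DB1 shows up twice with the same volume ID.
$mounts = @{}
foreach ($mp in Get-WmiObject Win32_MountPoint) {
    if ($mp.Directory -match 'Name="(.+)"') {
        $dir = ($matches[1] -replace '\\\\', '\').TrimEnd('\')
        $vol = ($mp.Volume -replace '.*DeviceID="(.+)"', '$1')
        $mounts[$dir] = $vol
    }
}

# Every database with a copy on this server must live under
# C:\Databases\<DBName>, and that folder must itself be a mount point.
$usedVolumes = @{}
foreach ($db in Get-MailboxDatabase -Server $env:COMPUTERNAME) {
    $expected = Join-Path $DatabasesRoot $db.Name
    $edb = "$($db.EdbFilePath)"
    $log = "$($db.LogFolderPath)"
    if (-not $mounts.ContainsKey($expected)) {
        Write-Warning "$($db.Name): $expected is not a mount point; AutoReseed cannot swap its volume."
        continue
    }
    if ($edb -notlike "$expected\*" -or $log -notlike "$expected\*") {
        Write-Warning "$($db.Name): EDB ($edb) or logs ($log) are outside $expected."
    }
    $usedVolumes[$mounts[$expected]] += 1
}

# Volumes under C:\Volumes that no database mount point uses are the spares
# AutoReseed can allocate; also flag volumes carrying more copies than configured.
$spares = @()
foreach ($dir in ($mounts.Keys | Where-Object { $_ -like "$VolumesRoot\*" })) {
    $vol = $mounts[$dir]
    if (-not $usedVolumes.ContainsKey($vol)) {
        $spares += $dir
    } elseif ($usedVolumes[$vol] -gt $CopiesPerVol) {
        Write-Warning "$dir holds $($usedVolumes[$vol]) database copies; AutoDagDatabaseCopiesPerVolume is $CopiesPerVol."
    }
}
if ($spares.Count -eq 0) {
    Write-Warning "No spare volume under $VolumesRoot; AutoReseed has nothing to reseed onto."
} else {
    Write-Host "Spare volumes available for AutoReseed: $($spares -join ', ')"
}
```

Run it once after configuring the DAG and again after adding or replacing disks; a missing spare or a database outside its mount point is exactly the condition that makes AutoReseed silently fail to restore redundancy.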

Site Resilience
Exchange 2013 will feature an automatic site (datacenter) fail-over using a witness server located in a 3rd well-connected site. This enables customers to automate the process of site switchovers, from primary to secondary site. This feature is optional.

This may confuse existing Exchange customers, who perhaps learned with Exchange 2007 that a 3rd site for the cluster voter was not recommended, after which it shortly became an option with Exchange 2010. Then, after a while, an adjusted recommendation was published not to use a 3rd site, and now it’s an option again.

Despite this, I think this certainly is a valuable feature. Normally, site outages and datacenter switchovers are stressful situations; the more the switchover is preconfigured and automated, the less error-prone the process is.

Exchange fellow and colleague Jaap Wesselius, who did 2 sessions on Load Balancing Exchange, was interviewed by F5. Click the image to watch the interview.

Exchange Online
You can use Exchange 2003 with Exchange 2013 Online (when it becomes available) by utilizing an Exchange 2010 CAS server, just like today.

Safety Net
Safety Net is the new transport dumpster in Exchange 2013 and will provide similar functionality. It will also take over the functionality of Shadow Redundancy, whose purpose in Exchange 2010 is to guarantee delivery of messages and accommodate transport failures. Lagged Copy functionality is also enhanced by Safety Net: you can activate a lagged copy by activating the (lagging) copy, after which Exchange 2013 will use Safety Net to make the database current. How long Safety Net will hold messages is a configurable setting.

Exchange 2013 will support Litigation Hold, Time-based Hold (rolling data, e.g. items aged X days) and In-place Hold (formerly known as Legal Hold).

Unified Messaging
The Exchange 2013 UM role has a 100 concurrent calls limit. As you probably know, in Exchange 2013 Mailbox servers are used for UM as well. Because of that, this limit will have serious consequences when you’re designing an environment using several big servers; you might be forced to distribute the workload over more, lighter servers.

Exchange 2013 and ForeFront Threat Management Gateway
Exchange 2013 will work fine in conjunction with ForeFront TMG, except for the maps feature when using TMG’s Forms-Based Authentication (FBA); the only thing you need to adjust is the logoff URL. Note that despite the ForeFront TMG 2010 End-of-Life statement from Microsoft last week, people like Greg Taylor (Program Manager Exchange) emphasized customers shouldn’t avoid using or opting for TMG while it is still available.

Public Folders
Migration of Public Folders from Exchange 2007 or Exchange 2010 is a cut-over scenario, so there will be no co-existence.

When using Exchange 2013 Public Folders next to Public Folders on Exchange 2007 or Exchange 2010, you need to manually map those to the related folders in Exchange 2013 using a CSV file.

Emphasis was put on the point that being able to control Public Folders and put that data in the same store is worth losing the multi-master functionality.

Exhibitor ENow Consulting held a contest for collecting the most autographs.

Message Hygiene
Exchange 2013 will include tools to block messages in a certain character set. This is useful in scenarios where you don’t expect messages in one of the Chinese languages and you want to block (potential) spam written in one of those languages.

In-Place Archiving
The new term for Personal Archive or Online Archive is In-place Archiving.

Message Routing
Exchange 2013 won’t use least-cost routing when routing messages, but it will use it to determine if Hub sites are defined. Exchange 2013 will honor Hub site definitions, but these are to be considered legacy.

A Delivery Group is a set of transport servers responsible for delivering messages to a certain routing destination. There are several types of Delivery Groups, depending on the destination, e.g. DAG or Site. Each transport server is used in a Round-Robin fashion when delivering messages.

An MBX server and CAS server listen for incoming messages on port 25 unless co-located; then the MBX server will listen on port 2525.

More background information on message routing in Exchange 2013 also in conjunction with Exchange 2010 is to be found here.

It is no longer required to have an Enterprise license for eDiscovery; it is still required to have an Enterprise license when using Legal Hold.

Many statements were made to de-emphasize virtualizing Exchange and only use it for testing purposes. When virtualizing, the same rules apply as for Exchange 2010.

Like with earlier versions of Exchange, the ESE engine will claim memory at startup based on the amount of physical RAM. Configuring Dynamic Memory is therefore not only pointless but also not recommended, as I stated in an earlier post on Exchange and Dynamic Memory.

It was also emphasized that putting VMDK files on VMware NFS disks is not a supported scenario, so I assume this is often seen in the field despite not being supported by Microsoft.

ActiveSync in Exchange 2013 will cause 65% less RPC communications over Exchange 2010.

Outlook Web Access
When using OWA 2013 in offline mode, the locally generated cache file isn’t secure; use of BitLocker is recommended. Single Sign-On in combination with OWA on Exchange 2013 redirection will be fixed post-RTM. Also, be advised that at RTM, OWA in Exchange 2013 won’t have support for Public Folders.

A portal for the Exchange community was announced. Here, people involved with Exchange can get information from within Microsoft or other sources. How this will differ from the Exchange related topics on the TechNet forum remains to be seen.

It is unknown if there will be a MEC in 2013; Microsoft’s director of PM for Exchange, Michael Atalla, said there will be a MEC when “there’s something to talk about”. It is rumored that recordings of the 1st day of the conference will be made available at a later date, except for the interactive sessions.

PS: The icon accompanying this article is the Exchange 2013 logo.

Forefront TMG 2010 EOL Announcement

Today, Microsoft finally announced the discontinuation of most of its ForeFront products, including the retirement of products used in many Exchange deployments, ForeFront Threat Management Gateway (TMG) 2010 and ForeFront Protection for Exchange (FPE).

The products to be discontinued are:

  • ForeFront Threat Management Gateway (TMG), including Forefront TMG Web Protection Services (TMG WPS);
  • ForeFront Protection for Exchange (FPE);
  • ForeFront Protection for SharePoint (FPSP);
  • ForeFront Security for OCS (FSOCS);
  • ForeFront Protection Server Management Console (FPSMC).

This announcement is not a real surprise; rumors that TMG would cease to exist circulated for months. With this official statement, companies using one of the products mentioned can start adapting their strategies, if they have not already done so. Companies that were planning to use them in the (near) future need to turn to alternative solutions as well, since these ForeFront offerings will no longer be available for purchase as of December 1st, 2012!

As it stands, mainstream support for TMG will end on April 14th, 2015; extended support for TMG will end on April 14th, 2020. Forefront Online Protection for Exchange (FOPE) will be rebranded as Exchange Online Protection.

First, the hygiene products. This is clearly a move to shift these layers of protection to “the cloud”, which has clear benefits like filtering incoming messages before they enter the organization, which is also nice from a bandwidth perspective. However, that’s no solution for the many customers still requiring an on-premise solution which, for example, does store scanning; these customers are forced to turn to 3rd parties, like McAfee or Symantec. Note that Exchange 2013 will contain basic anti-malware functionality, but I doubt this will meet any customer’s demands and it certainly isn’t a very manageable solution.

Next, there’s the firewall, reverse proxy, load balancing and VPN functionality offered by TMG. Currently, many organizations use TMG to publish Exchange and, as many say and know, Exchange and TMG go very well together. For example, TMG can offer pre-authentication or SSL offloading for your Exchange boxes. These customers need to look into VPN-like solutions such as ForeFront UAG, which is a totally different concept and less straightforward than implementing a TMG in front of your Exchange boxes, or check for 3rd party solutions, like F5 BIG-IP with the Access Policy Manager add-on. Of course, your revised strategy and eligible solutions depend on your business requirements.

Roadmaps of ForeFront Identity Manager (FIM) and ForeFront Unified Access Gateway (UAG) remain unchanged, so publishing Exchange using UAG remains a future-proof possibility.

ForeFront TMG SP2 Rollup 1

A short blog on the ForeFront team releasing Rollup 1 for Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2.

This Rollup fixes a “Bad Request” issue when accessing OWA through Forefront TMG. For a full list of changes, consult knowledgebase article kb2649961.

Note that along the lines of products like Exchange, cumulative updates for ForeFront TMG are now also called Rollup instead of Software Update or Update.

You can request ForeFront TMG SP2 RU1 directly from support here.

Forefront Threat Management Gateway SP2

Microsoft released Service Pack 2 for Forefront Threat Management Gateway 2010, updating TMG to version 7.0.9193.500.

Here’s several highlights included in this service pack:

Kerberos Authentication
• You can now use Kerberos authentication when you deploy an array using network load balancing (NLB).

• Changes to SSL memory pool to increase Outlook performance when using Exchange online.

New Reports
• The new Site Activity report displays a report showing the data transfer between users and specific websites for any user.

Error Pages
• A new look and feel has been created for error pages.
• Error pages can be more easily customized and can include embedded objects.

You can download Forefront TMG 2010 SP2 here. Full release notes will be made available here.

ForeFront TMG SP1 Update 1 for Exchange 2010 SP1

The ForeFront team released Update 1 for Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 1.

Besides bug fixes and some added functionality, Update 1 also adds support for Exchange 2010 SP1. Because Exchange 2010 SP1 doesn’t support the get-antispamupdates cmdlet (see this post), implementing Exchange 2010 SP1 on servers in the Mail protection role (with Exchange – Edge server role – as well as ForeFront Protection for Exchange) leads to issues.

Update 1 fixes this issue. To make things confusing, the ForeFront team calls these cumulative updates Software Update or Update; what’s wrong with Rollup? Be advised that the ForeFront Update page doesn’t mention the Update (yet), nor is the related knowledge base article published (kb2288910).

You can download ForeFront TMG SP1 Update 1 here. Note that currently only English is available, other languages are said to be made available soon.

Publishing Exchange 2010 with UAG & TMG

Today Microsoft released a white paper by Greg Taylor (Sr. Program Manager, Exchange Server Customer Experience Team) on publishing Exchange Server 2010 with Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010. This white paper contains information and guidance on publishing Exchange Server 2010 using Forefront UAG and Forefront TMG. This includes information on how to choose between UAG and TMG for different scenarios as well as steps on how to configure those products in order to publish Exchange 2010.

You can download the white paper here.

Forefront Threat Management Gateway SP1

Microsoft released Service Pack 1 for Forefront Threat Management Gateway 2010.

Here’s the list of changes included in this service pack:

New Reports
• The new User Activity report displays the sites and site categories accessed by any user.
• All Forefront TMG reports have a new look and feel.

Enhancements to URL Filtering
• You can now allow users to override the access restriction on sites blocked by URL filtering. This allows for a more flexible web access policy, in that users can decide for themselves whether to access a blocked site. This is especially useful for websites that have been incorrectly categorized.
• You can now override the categorization of a URL on the enterprise level; the override is then effective for each enterprise-joined array.
• Denial notification pages can now be customized for your organization’s needs.

Enhanced Branch Office Support
• Co-location of Forefront TMG and a domain controller on the same server, which can help reduce the total cost of ownership at branch offices.
• When installed on a computer running Windows Server 2008 R2, SP1 simplifies the deployment of BranchCache at the branch office, using Forefront TMG as the Hosted Cache server.

Support for publishing SharePoint 2010
• Forefront TMG SP1 supports secure publishing of SharePoint 2010.

You can download Forefront TMG 2010 SP1 here.