ForeFront TMG in a single-leg DMZ configuration

Stupid mistake, but I’ve been struggling with getting ISA/ ForeFront to work after switching off our DMZ Domain Controller.

The easy fix is… configure your primary firewall to allow domain services (Kerberos etc.) between the LAN and the DMZ. Then alter your DMZ NIC to use a LAN DC (as opposed to the DMZ’s DC) as its DNS server. Otherwise it has no idea where anything is.
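As an added check (not from the original post) for the DNS/Kerberos point above: a PowerShell script to run on the DMZ host to confirm it can find a LAN DC via the domain SRV records and reach the domain-service ports through the gateway firewall. The domain name and the port list are assumptions, and the cmdlets need Windows 8/Server 2012 or later.

```powershell
# Added example, not from the original post. Run on the DMZ host (e.g. the TMG
# box) after pointing its NIC at a LAN DC for DNS. Domain name is a placeholder.
param(
    [string]$Domain = 'corp.example.local'   # ASSUMPTION: replace with your AD DNS name
)

# ASSUMPTION: the TCP ports the gateway firewall must pass from DMZ to LAN for a
# domain member to authenticate. Kerberos and DNS also use UDP, which
# Test-NetConnection does not check, so add those to the firewall rule as well.
$Ports = @(
    @{ Name = 'DNS';            Port = 53   },
    @{ Name = 'Kerberos';       Port = 88   },
    @{ Name = 'RPC endpoint';   Port = 135  },
    @{ Name = 'LDAP';           Port = 389  },
    @{ Name = 'SMB';            Port = 445  },
    @{ Name = 'Kerberos pwd';   Port = 464  },
    @{ Name = 'Global Catalog'; Port = 3268 }
)

# 1. Can this host find a DC at all? The SRV record is what the DC locator uses;
#    if this lookup fails the host "has no idea where anything is".
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique
Write-Host "DCs advertised in DNS: $($dcs -join ', ')"

# 2. For each DC, test each port so a missing firewall rule shows up as a named
#    service rather than as a generic logon or group-policy failure.
foreach ($dc in $dcs) {
    foreach ($p in $Ports) {
        $open = Test-NetConnection -ComputerName $dc -Port $p.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        $status = if ($open) { 'open' } else { 'BLOCKED' }
        Write-Host ("{0,-30} {1,-15} TCP/{2,-5} {3}" -f $dc, $p.Name, $p.Port, $status)
    }
}

# 3. Finally confirm the machine's secure channel to the domain actually works.
Test-ComputerSecureChannel -Verbose
```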

The word “why” seems to be missing.

I’ve just found an oldish link on TechCrunch:

Have read it, and still I can’t help but ask the question of “why?”. I (hypothetically) log in to Amazon and see a list of products my friends have “liked”. That’s all well and good (?), but what are the chances of that matching the reason that I’m on Amazon? Surely if it doesn’t, it’s just clutter. I go on there looking for a kettle, and find that 5 friends have all “liked” a pair of trainers. Which is absolutely no use to me. I just don’t get it. The world seems to be creating interfaces between every system just for the hell of it, with no consideration as to how useful any of it is.

Publishing Exchange 2007 with ForeFront TMG 2010.

Bit of a nightmare this- especially when having to fight the gateway firewall too.

If you have FFTMG in a single-NIC configuration, any published site seems to try and hold on to the machine’s primary IP address. This might be because I’m doing something wrong, but anyway if you try to publish on a second IP before the first is used FFTMG seems to go wrong and starts complaining about Branchcache ‘n’ stuff. So use the first IP first. Assuming you want Outlook WebApp to be secure, it’s also best to have all your public domain names and certificates first (trying to mess about with bare ‘net-facing ip address and self-signed certificates is a nightmare.  GlobalSign – – do free trials which are perfect for testing, and buying the full one from them is easy too).

So, to set up FFTMG 2010:

  1. Create an object on the gateway firewall with a relevant DMZ IP address, then NAT it to a ‘net-facing IP address;
  2. Run through the “Publish Exchange Web Client Access” wizard; half way through it will ask you to create a listener. This is where you choose the DMZ IP address to “listen” on (or just accept the default of everything) and any certificates. The listener also has authentication options, which gets really confusing as both the rule and Exchange have their own authentication options too.
  3. This should work. But- in my experience- it rarely does, at which point you’ll need to start looking at both the TMG and gateway firewall logs simultaneously to see where your Outlook Web Access requests are vanishing. A 3G mobile is really handy for this sort of testing as it’s guaranteed to be using a “proper” external IP address (testing with any form of LAN client can make matters more confusing because of having to try and sort out the mess of it getting to the internet via a proxy, then back in to your DMZ…. it’s just messy).

Quick way to delete internet explorer cache

Create a new desktop shortcut, then pass it this line:

C:\Windows\System32\rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351

The only thing I’m not sure about is the “4351” bit- changing this number changes what gets deleted, but running a bing search on “ClearMyTracksByProcess” points you in the direction of Also, I think it only works on IE7 and above.

“All Watched Over by Machines of Loving Grace”

Hmmm… Just finished watching this 3-part BBC series (Adam Curtis- had to download it on to iPlayer desktop to give myself a bit more time…).

Although enjoyable, overall I found it a bit disjointed (still not sure about the relevance of the Rwandan Genocide segment) and as for “This is the story of the dream that rose up in the 1990s that computers could create a new kind of stable world”- surely this dream started at M.I.T. in the late 50s/early 60s? Granted, the dream might not have been fully realised until the 1990s, but it was envisioned 30/40 years earlier (pre-ARPANet).