![forefront tmg 2010 windows server 2012 forefront tmg 2010 windows server 2012](https://m.media-amazon.com/images/I/41lSw08PnaL._AC_SY780_.jpg)
![forefront tmg 2010 windows server 2012 forefront tmg 2010 windows server 2012](https://www.vkernel.ro/blog/wp-content/uploads/2014/09/Create-TMG-2010-Array-15.gif)
- FOREFRONT TMG 2010 WINDOWS SERVER 2012 HOW TO
- FOREFRONT TMG 2010 WINDOWS SERVER 2012 INSTALL
- FOREFRONT TMG 2010 WINDOWS SERVER 2012 PASSWORD
TMG1 tries to authenticate John Smith to a Domain Controller 3 times using the bad password.
FOREFRONT TMG 2010 WINDOWS SERVER 2012 PASSWORD
The phone is now attempting to retrieve his email using the old (incorrect) password on TMG1 since it has been load balanced to it. John recently changed his domain password but it was not changed on the phone that his administrative assistant carries. Let’s say that the CIO of Fabrikam, John Smith, has a phone which is carried by his admin assistant and has an IP addresses provisioned to it by the carrier that ends in 10. Because TMG is using NLB, this device may be serviced by any 1 of the 3 TMG Servers (depending on a few factors). Devices, such as phones, that are used for Exchange ActiveSync will sometimes get a different IP address every couple of minutes for their carrier. In my example I have 3 TMG servers that are being load balanced. What did I do wrong? Keep in mind something that I pointed out earlier which is that this value is “per TMG Server”. If TMG does its job correctly, it will stop trying to authenticate bad password attempts before the devices lock the domain accounts out.Įven after setting the lockout feature on TMG I am still getting reports of accounts being locked out in my domain. My thinking is that the local value of 3 that I am using on TMG is lower than my Domain value of 5 so I should be okay. I have just learned of the new account lockout feature on TMG and I follow the links given earlier and configure it so that the AccountLockoutThreshold value is set to 3 on each one of my TMG Servers. After some initial investigation it is found out that these devices were storing bad passwords and causing the account lockouts. My domain password policy requires users to change their passwords every 30 days. It appears that some of the Executives have devices managed by their administrative assistants. They both share the same Web Listener which uses FBA Authentication.Įverything is going fine until one day we start getting reports that accounts are being locked out. I have 2 Publishing Rules on TMG, 1 is for OWA and the other is for Exchange ActiveSync. These servers are used only for reverse proxy (Outlook Web Access and Exchange ActiveSync) so that my users can retrieve their email while on the road or at home. The 3 TMG Servers are load balanced using Microsoft’s built in Network Load Balancing (NLB). Now let’s assume also that I have 3 TMG Servers (TMG 1, TMG2, and TMG3) that sit on the edge of my network. I also require that my users change their passwords every 30 days. I would normally do this by setting the Account Lockout Threshold value in my Default Domain Policy using the Group Policy Editor. In our example I am the administrator for a domain called and I have decided that I want to set the number of bad password attempts allowed in my Fabrikam Domain to 5. Let’s look at a specific example to help you understand how the feature works and the implications of using it. There are a couple of important things to keep in mind when using this feature:ġ.) Only Web Listeners configured to use Forms Based Authentication (FBA) can be configured to use the new feature.Ģ.) The value you choose for the AccountLockoutThreshold variable is set on TMG on a “per server” basis and must be set on each TMG server One such example has been provided to us by Jan Egil Ring in the Microsoft Script Center and it is located here.
FOREFRONT TMG 2010 WINDOWS SERVER 2012 HOW TO
Fortunately for us there are examples available out there on how to do this using PowerShell. The account lockout feature can only be modified through the Forefront TMG Com Object Model. The new feature, however, is not automatically enabled after installing the Service Pack and cannot be modified using the TMG GUI. The details for the new lockout feature can be found here.
FOREFRONT TMG 2010 WINDOWS SERVER 2012 INSTALL
To enable this new feature, install SP2 which you can get here. This can cause a lot of frustration for IT departments that are trying to track down the source of the lockouts and also having to frequently unlock accounts. Devices may use the old password for Exchange ActiveSync over and over again until the domain account has been locked out. Often times, when companies require their users to change passwords at a given interval, devices will end up with a bad password stored on them. In one of my previous blogs I talked about scenarios where TMG is being used as a reverse proxy and the Account Lockout Threshold has been set in the AD domain. The account lockout feature, when used properly, will prevent TMG from trying to authenticate a user to a Domain Controller after the defined number of bad passwords has been attempted. This great new feature gives you the ability to lock accounts on TMG at the local level before accounts are actually locked out in the domain. A much needed feature was added in Service Pack 2 for Forefront TMG 2010.