Select the product you need help with

FIX: The TMG remote management console does not display the status of the TMG 2010 server if certain Group Policy preferences settings are set

Article ID: 982604 - View products that this article applies to.

Expand all | Collapse all

SYMPTOMS

Consider the scenario:

You set the Authenticated without exception value for the following Group Policy preferences setting for a domain:
Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC clients
You enable the following Group Policy preferences setting for the domain:
Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client Authentication
You install Microsoft Forefront Threat Management Gateway (TMG) 2010 on a computer in the domain.
For remote management, you install Forefront TMG 2010 Management on another computer in the domain.
On TMG 2010 server, you set the system policy that enables remote management.

In this scenario, the remote management console does not display the status of the TMG 2010 server.

Back to the top | Give Feedback

CAUSE

This issue occurs because the RPC filter in TMG 2010 rejects some of the binding messages that are used by the RPC runtime when these Group Policy preferences settings are set.

Back to the top | Give Feedback

This problem is resolved in Forefront TMG 2010 Service Pack 1 (SP1).

For more information about how to obtain Forefront TMG 2010 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:

981324

(http://support.microsoft.com/kb/981324/ )

List of problems that are fixed in Forefront Threat Management Gateway 2010 Service Pack 1

How to enable this hotfix after you install Forefront TMG 2010 SP1

To enable this hotfix, run the following script:

    Dim oFPC
    Dim oFirewallFilter
    Dim oVPS

    on error resume next

    err.Clear

    Set oFPC = CreateObject("FPC.Root")

    'Get the filter admin object
    Set oFirewallFilter = oFPC.GetContainingArray.Extensions.ApplicationFilters("{E331F638-AB86-4AA5-9B6A-2B0248C7B4FB}")
    if oFirewallFilter is nothing then
	Wscript.Echo "RPC filter ({E331F638-AB86-4AA5-9B6A-2B0248C7B4FB}) is not installed in array"
	WScript.Quit
    end if

    'Get the filters vendor parameters set object
    Set oVPS = oFirewallFilter.VendorParametersSets("{E331F638-AB86-4AA5-9B6A-2B0248C7B4FB}")

    'If this vendor parameters set does not exist, create it
    If oVPS Is Nothing Then
	WScript.Echo "Adding vendor parameters set ({E331F638-AB86-4AA5-9B6A-2B0248C7B4FB})"
	err.Clear
        Set oVPS = oFirewallFilter.VendorParametersSets.Add("{E331F638-AB86-4AA5-9B6A-2B0248C7B4FB}",False)
        oFirewallFilter.VendorParametersSets.Save
    End If

    'Add the needed parameters

    oVPS.Value("AllowAuthEndpointMapper") = 1


    oVPS.Save

    'Inform the user of the result
    if err.Number <>0 then
	Wscript.Echo "Fail to set parameters. error code is:" & err.number & " Desc:" & err.description
    else
        Wscript.Echo "Paramters were successfully added"
    end if

Back to the top | Give Feedback

WORKAROUND

To work around this issue, disable the RPC filter in TMG 2010.

Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Forefront TMG 2010 Service Pack 1.

Back to the top | Give Feedback