Great document.
We just found one issue during implementation:
In the "Configuring Connection Security Rules on a Windows Vista or Windows 7 Based Client" on page 29, we see how to configure the Connection Security Rule to a specific protocol/port.
Unfortunately Vista doesn't allow configuring port/protocol in the UI.
Now if somebody just continues, thinking it doesn't matter if this restriction isn't applied on the rule at the client, but still configures the Connection Security Rule at the TMG server (on Windows Server 2008 R2) including the protocol/port, then he gets IPsec errors 4654 "No Policy configured" (IPsec rules on both machines need to be identical).
One workaround is to configure the rule in netsh - which allows configuring protocol/port. Another workaround would be to allow all ports/protocols on the server as well.
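The netsh workaround above, written out as an added example that is not part of the original comment; the rule name, the addresses 192.0.2.10 (client) and 192.0.2.20 (TMG server) and TCP port 8080 are assumed placeholders:

```powershell
# Added example, not from the original post: create the client-side Connection
# Security Rule with netsh so that protocol and port can be set on Windows Vista.
# Placeholders (assumptions): 192.0.2.10 = client, 192.0.2.20 = TMG server, TCP 8080.
# protocol/port1/port2, the endpoints, action and authentication must be identical
# to the rule configured on the TMG server, otherwise the client gets the IPsec
# error 4654 described above. port1 belongs to endpoint1, port2 to endpoint2.
netsh advfirewall consec add rule `
    name="TMG IPsec - TCP 8080" `
    endpoint1=192.0.2.10 `
    endpoint2=192.0.2.20 `
    action=requireinrequireout `
    protocol=tcp `
    port1=any `
    port2=8080 `
    auth1=computerkerb `
    enable=yes

# Verify the protocol/port fields of the rule that was just created.
netsh advfirewall consec show rule name="TMG IPsec - TCP 8080"
```

Run the same `show rule` on the TMG server and compare the two outputs field by field before testing the connection.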