- #FOREFRONT TMG 2010 FEATURES HOW TO#
- #FOREFRONT TMG 2010 FEATURES INSTALL#
- #FOREFRONT TMG 2010 FEATURES PASSWORD#
I have 2 Publishing Rules on TMG, 1 is for OWA and the other is for Exchange ActiveSync. These servers are used only for reverse proxy (Outlook Web Access and Exchange ActiveSync) so that my users can retrieve their email while on the road or at home. The 3 TMG Servers are load balanced using Microsoft’s built in Network Load Balancing (NLB). Now let’s assume also that I have 3 TMG Servers (TMG 1, TMG2, and TMG3) that sit on the edge of my network. I also require that my users change their passwords every 30 days. I would normally do this by setting the Account Lockout Threshold value in my Default Domain Policy using the Group Policy Editor.
#FOREFRONT TMG 2010 FEATURES PASSWORD#
In our example I am the administrator for a domain called and I have decided that I want to set the number of bad password attempts allowed in my Fabrikam Domain to 5. Let’s look at a specific example to help you understand how the feature works and the implications of using it. There are a couple of important things to keep in mind when using this feature:ġ.) Only Web Listeners configured to use Forms Based Authentication (FBA) can be configured to use the new feature.Ģ.) The value you choose for the AccountLockoutThreshold variable is set on TMG on a “per server” basis and must be set on each TMG server One such example has been provided to us by Jan Egil Ring in the Microsoft Script Center and it is located here.
#FOREFRONT TMG 2010 FEATURES HOW TO#
Fortunately for us there are examples available out there on how to do this using PowerShell. The account lockout feature can only be modified through the Forefront TMG Com Object Model. The new feature, however, is not automatically enabled after installing the Service Pack and cannot be modified using the TMG GUI. The details for the new lockout feature can be found here.
#FOREFRONT TMG 2010 FEATURES INSTALL#
To enable this new feature, install SP2 which you can get here. This can cause a lot of frustration for IT departments that are trying to track down the source of the lockouts and also having to frequently unlock accounts. Devices may use the old password for Exchange ActiveSync over and over again until the domain account has been locked out. Often times, when companies require their users to change passwords at a given interval, devices will end up with a bad password stored on them. In one of my previous blogs I talked about scenarios where TMG is being used as a reverse proxy and the Account Lockout Threshold has been set in the AD domain. The account lockout feature, when used properly, will prevent TMG from trying to authenticate a user to a Domain Controller after the defined number of bad passwords has been attempted. This great new feature gives you the ability to lock accounts on TMG at the local level before accounts are actually locked out in the domain. A much needed feature was added in Service Pack 2 for Forefront TMG 2010.
0 kommentar(er)
