Viewing the diagnostic log
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
You can view all logged diagnostic events by clicking the Show all button in the Filter pane, or you can view filtered logged events by defining the filter, and then clicking the Apply filter button.
Viewing logged events
When viewing diagnostic log events, the top section of the logging results pane displays a status line that includes the following:
Server
Context ID
Message contains
The status line specifies the filter properties of the events that are shown.
The following details are provided in the results pane of the Diagnostic logging tab.
Label | Description |
---|---|
Record | Displays the number of the record in the sequence of the logs. |
Time | Displays the actual date and time that the event occurred. |
Context | For information about context, see "Filtering for events" in this document. |
Log Source | Displays the origin of the event, such as Firewall service or Web proxy. |
Message | Displays a detailed description of the event that occurred. |
Analyzing diagnostic log events
The following table summarizes the events produced by diagnostic logging, and recommends actions for each event, where appropriate.
Event ID | Message | Scenario | Action/Details |
---|---|---|---|
30000 | The access rule <name> allows all traffic. The packet is allowed. No further rule evaluation is needed. | Outbound access rules | If the message is in accordance with the required policy, no action is required. If not, check the properties of the rule that allows all traffic. |
30001 | Forefront TMG will check only rules that are associated with the protocol <name>. | Outbound access rules | If the message is in accordance with the protocols you have defined on access rules, no action is required. Otherwise, check the protocol properties of existing access rules, and create new rules if required. |
30002 | Forefront TMG is evaluating the rule <name>. | Outbound access and publishing rules | This message is status only, so no action is required. |
30004 | No matching rule was found. | Outbound access and publishing rules | No rule in the firewall policy matches the relevant request. Check the properties of existing rules and create a new rule, if required. |
30006 | Displays rule properties. | Outbound access and publishing rules | This message is status only, so no action is required. |
30007 | The Firewall Engine is performing rule evaluation. | Outbound access and publishing rules | This message is status only, so no action is required. |
30008 | The rule <name> matches the packet. The packet is allowed. | Outbound access and publishing rules | If the message is in accordance with the required policy, no action is required. If not, check the properties of the rule that allows all traffic. |
30009 | The rule <name> matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet, will take precedence and may allow the packet. | Outbound access and publishing rules | Check the rule base and ordering for conflicts. The following order is recommended, from highest priority to lowest: Server publishing rules and Web publishing rules can be placed anywhere in the rule order, after the global allow or deny rules. |
30010 | Forefront TMG is looking for an applicable network rule. | Network rules | This message is status only, so no action is required. |
30011 | The packet was sent to or from the Local Host network. Therefore, an implicit network rule with a route relationship between the source and destination is applied. | Network rules | This message is status only, so no action is required. Following installation, Forefront TMG defines a default network rule allowing access between the Local Host network (the Forefront TMG computer) and all networks included in the default All Networks network set. The rule is defined with a route relationship. This default rule cannot be modified. |
30012 | The source and destination are on the same network. Therefore, an implicit network rule with a route relationship between the source and destination is applied. | Network rules | This message is status only, so no action is required. Traffic that passes through Forefront TMG between sources and destinations on the same network is routed. |
30013 | No network rule was found. | Network rules | Create a network rule that allows traffic between networks that include the source and destination specified in the Web publishing rule. For information about creating and configuring network rules, see Planning Forefront TMG network topology and Defining network rules. |
30015 | The network rule <name> matches the source and destination. A NAT relationship is specified. | Network rules | This message is status only, so no action is required. |
30016 | The network rule <name> matches the source and destination. A route relationship is specified. | Network rules | This message is status only, so no action is required. |
30017 | The packet was blocked because no matching network rule was found. | Outbound access rules | Create a network rule, or check the configuration of existing network rules. For information about creating and configuring network rules, see Planning Forefront TMG network topology and Defining network rules. |
30018 | Forefront TMG is looking for a deny access rule that matches traffic from the source to the destination. | Outbound access rules | This message is status only, so no action is required. |
30019 | Forefront TMG is looking for a rule that is associated with the protocol <name>. | Outbound Access rules | This message is status only, so no action is required. |
30020 | The deny access rule <name> precedes the publishing rule <name> in the list of policy rules. The packet is blocked. | Outbound access and publishing rules | Check that the properties of the deny access rule are in accordance with requirements. In addition, check rule ordering. The following order is recommended from highest priority to lowest: |
30022 | The rule <name> allowed the packet. | Outbound access and publishing rules | If the message is in accordance with the required policy, no action is required. If not, check the properties of the rule blocking the request. In addition, check the rule ordering. |
30023 | The request was denied because the connection limit for the rule <name> was exceeded | Outbound access and publishing rules | Check connection limits and modify them in accordance with requirements and best practices. If required, you can exempt specific IP addresses from limits. For Web publishing rules, connection limits are set for the specific Web listener defined for the rule. For outbound Web requests, a connection limit is set on the Web proxy properties of a specific network. Globally, you can set a limit for all types of traffic. For more information, see Deployment Recommendations for Connection Limits in ISA Server 2004, and ISA Server Network Protection: Protecting Against Floods and Attacks. |
30024 | The rule <name> blocked the packet. | Outbound access and publishing rules | If the message is in accordance with the required policy, no action is required. If not, check the properties of the rule blocking the request and check rule ordering. |
30025 | The rule <name> requires a MIME content type. | Outbound access rules | This message is status only, so no action is required. The rule requires a content type to determine whether traffic is allowed. Forefront TMG makes a request to the Web server to get the response content-type before evaluating the rule. |
30026 | The rule <name> requires DNS name resolution. | Outbound access and publishing rules | This message is status only, so no action is required. The rule requires name resolution to determine whether traffic is allowed. |
30027 | The rule <name> requires user authentication. | Outbound access and publishing rules | This message is status only, so no action is required. The rule requires client authentication to determine whether traffic is allowed. |
30028 | Forefront TMG is loading the non-Windows user account for the user <name> and the authentication scheme <name> from the stored configuration. | Outbound access using RADIUS authentication and Publishing rules using RADIUS or SecurID authentication. | This message is status only, so no action is required. |
30029 | The Web chaining rule <name> matches the packet. | Web chaining rules | This message is status only, so no action is required. Web chaining rules specify whether requests should be routed to the Internet or to an upstream proxy server. For more information, see Chaining Concepts in ISA Server 2006. |
30030 | The Web chaining rule <name> requires a dial-up connection for name resolution. | Web chaining rules | This message is status only, so no action is required. |
30031 | The cache rule <name> matches the Web request. | Cache rules | This message is status only, so no action is required. |
30032 | The rule cannot be evaluated by the Firewall Engine because the rule applies to a specific user. | Outbound access and publishing rules | This message is status only, so no action is required. Evaluation of the rule is done in user mode. The Windows operating system divides the use of virtual address space into the user virtual address space (user space) that maps the current user process, and the kernel virtual address space (kernel space) that maps the operating system code and structures. Forefront TMG uses both modes. The Firewall Engine and Windows networking components run in the kernel mode. Other components run in user mode. For more information, see ISA Server 2006 Firewall Core. |
30033 | The user does not match the rule. | Outbound access and publishing rules | This message is status only, so no action is required. The rule being evaluated does not match the user making the request. |
30034 | Forefront TMG failed to determine whether the Windows user is allowed or denied by the rule. Error code: <code number> The rule is ignored. | Outbound access and publishing rules | This error occurs when there are problems in trying to determine the identity of the user. Check the error code. |
30035 | The rule <name> has parameters that cannot be evaluated by the Firewall Engine. The packet is passed to the Firewall service to complete rule evaluation. | Outbound access and publishing rules | This message is status only, so no action is required. Evaluation of the rule is done in user mode. |
30036 | The protocol indicated by the destination port does not match the rule | Outbound access and publishing rules | This message is status only, so no action is required. The rule being evaluated is not relevant for the traffic, because the traffic port and protocol specified in the rule do not match. |
30037 | Forefront TMG cannot determine the protocol of the packet. Therefore, the deny access rule <name> is ignored. | Outbound access rules | This message is status only, so no action is required. This is generated mainly by traffic on the Forefront TMG Client control channel. |
30038 | The source port does not match the rule. | Outbound access and publishing rules | In an access rule, you can limit the source port range from which client traffic is accepted. This message indicates that the source port of the packet does not match the range indicated in the rule properties. |
30039 | The rule <name> specifies a MIME content type. If the MIME content type in the response does not match the request, the request is blocked. | Outbound access rules | This message is status only, so no action is required. The rule requires a content type in order to determine whether traffic is allowed. Forefront TMG makes a request to the Web server in order to get the response content-type before evaluating the rule. If the MIME content matches, the traffic is allowed or denied in accordance with the action specified in the rule properties. |
30040 | The time when the packet was sent does not match a time when the rule is applied according to its schedule. | Outbound access and publishing rules | On the Schedule tab of the rule properties, check when the rule is active and modify it if necessary. |
30041 | The %4 requires name resolution. | Outbound access and publishing rules | This message is status only, so no action is required. It indicates that name resolution is required to complete rule evaluation. |
30042 | %4 does not match the packet. | Outbound access and publishing rules | This message is status only, so no action is required. This may indicate the source or destination of the rule. |
30043 | %4 does not match the rule. | Outbound access rules and publishing rules | This message is status only, so no action is required. This may indicate the source or destination of the rule. |
30044 | The rule <name> requires name resolution for evaluation. | Outbound access and publishing rules | This message is status only, so no action is required. The rule requires name resolution to determine whether traffic is allowed. |
30045 | The access rule is ignored because Forefront TMG looks only for Web publishing rules for an incoming Web request. | Web publishing rules | This message is status only, so no action is required. It informs you that access rules are not evaluated for Web publishing requests. |
30046 | The access rule is ignored for this packet because inbound protocols can be used only by adding them explicitly to the rule. | Access rules | This message is status only, so no action is required. It is generated during rule processing. |
30047 | Forefront TMG assumes that the allow access rule or redirecting deny access rule is the best match for HTTP. | Access rules | This message is status only, so no action is required. It is generated during rule processing. |
30048 | The content type specified in the packet does not match the rule. | Access rules | If this action is in accordance with the required policy, no action is required. If not, check the properties of the rule to ensure that the MIME types configured in the rule are correct. |
30049 | A content type is needed for rule matching. | Access rules | This message is status only, so no action is required. The rule requires a content type to determine whether traffic is allowed. Forefront TMG makes a request to the Web server to get the response content-type before evaluating the rule. |
30050 | The rule does not match because the rule requires authentication and no user is specified in the packet. | Outbound access rules and publishing rules | If the rule is not intended to match the user request, no action is required. If the rule should match the request, check the properties of the rule to ensure that the user authentication requirements are configured correctly. |
30051 | The rule <name> requires user authentication for evaluation. | Outbound access and publishing rules | This message is status only, so no action is required. The rule requires client authentication to determine whether traffic is allowed. |
30052 | The destination does not match an IP address on which the listener of the server publishing rule listens. | Server publishing rules | Each server publishing rule is associated with an IP address and port on which requests for the published server are received. The destination requested by the client must resolve to an IP address associated with the rule. |
30053 | The destination in the request does not match an IP address on which the Web listener specified in the Web publishing rule listens. | Web publishing rules | Each Web publishing rule is associated with a Web listener that specifies the network and port on which requests for the Web server published by the rule can be received. The destination specified in the URL request must resolve to an IP address in one of the networks associated with the listener. On the Listener tab of the rule properties, click the Properties tab. Then, on the Network tab of the listener properties, check the networks associated with the listener. |
30054 | This server publishing rule was skipped for this packet. | Server publishing rules | This message is status only, so no action is required. |
30055 | This Web publishing rule was skipped for this packet. | Web publishing rules | This message is status only, so no action is required. |
30056 | The rule does not apply to traffic from the source IP address. | Server publishing | This message is status only, so no action is required. It is issued during evaluation of server publishing rules. |
30057 | The deny access rule does not match a wildcard source. | Access rules | This message is status only, so no action is required. It is usually issued during processing of application filters that open secondary protocols. |
30058 | The web publishing rule <name> is ignored because the destination <name> in the Web request does not match any of the public names specified in the Web publishing rule. | Web publishing rules | On the Public Name tab of the rule properties, check that the entries specified match the string that the external user specifies to reach the Microsoft Office Outlook Web Access site. |
30059 | The Web listener that accepted the packet does not match the Web listener specified in the Web publishing rule. | Web publishing rules | This message is status only, so no action is required. This message is logged as each Web published rule is evaluated to verify whether it uses the Web listener on which the packet was received. |
30060 | The reverse direction of the network rule <name>, which defines a NAT relationship, matches the source and destination IP addresses specified in the packet. The traffic is denied. | Network rules | This message indicates that a packet with the reverse direction cannot be forwarded because the network relationship defined for the rule is Network Address Translation (NAT); a NAT relationship allows traffic in one direction only. |
30061 | The Web publishing rule <name> is ignored because the path <name> in the destination URL in the Web request does not match the path specified in the rule. | Web publishing rules | On the Paths tab of the rule properties, check that the paths specified match those that the external user specifies to reach the Outlook Web Access site. |
30062 | Forefront TMG is evaluating the network rule %4. | Network rules | This message is status only, so no action is required. |
30063 | The source IP address in the packet does not match the destination specified in the network rule. | Network rules | The network rule is not applicable for the packet. Ensure that another network rule exists to allow traffic between the required source and destination of the packet. For more information about network rules, see Planning Forefront TMG network topology and Defining network rules. |
30064 | The source IP address in the packet does not match the source specified in the network rule. | Network rules | The network rule is not applicable for the packet. Ensure that another network rule exists to allow traffic between the required source and destination of the packet. |
30065 | The destination IP address in the packet does not match the source specified in the network rule. | Network rules | The network rule is not applicable for the packet. Ensure that another network rule exists to allow traffic between the required source and destination of the packet. |
30066 | The destination IP address in the packet does not match the destination specified in the network rule. | Network rules | The network rule is not applicable for the packet. Ensure that another network rule exists to allow traffic between the required source and destination of the packet. |
30067 | The source and destination in the packet match the source and destination specified in the network rule, which specifies a NAT relationship. | Network rules | This message is status only, so no action is required. A network rule exists that allows traffic between the source and destination specified in the packet. A NAT relationship will be applied. |
30068 | Forefront TMG is checking the reverse direction of the network rule <name>. | Network rules | This message is status only, so no action is required. |
30069 | The source and destination in the packet match the source and destination specified in the network rule <name> in the reverse direction. | Network rules | If the network relationship is NAT (unidirectional), check that there is a network rule to allow the packet. If the network relationship is route, no action is required. |
30070 | The source IP address in the packet does not match the source specified in the network rule. | Network rules | The source IP address of the packet does not match any network specified as a source in the network rule. Ensure that there is a network rule to allow the traffic between the source and destination specified in the packet. |
30072 | The destination IP address in the packet does not match the source specified in the network rule. | Network rules | The destination IP address of the packet does not match any network specified as a source in the network rule. Ensure that there is a network rule to allow the traffic between the source and destination specified in the packet. |
30073 | TCP sessions per minute was exceeded for the rule. | Outbound access rules and publishing rules | Forefront TMG imposes a limit on the maximum number of TCP connect requests per minute. The default is 600 per minute. To specify an exception for a specific IP address, click the General node on the Forefront TMG Management console. In the Firewall Policy pane, click Configure Flood Mitigation, and then, on the IP Exceptions tab, click Add to add the network elements you want to exempt from the default settings. For exempt IP addresses, a default of 6,000 requests per minute is set. For more information, see Deployment Recommendations for Connection Limits in ISA Server 2004, and ISA Server Network Protection: Protecting Against Floods and Attacks. |
30074 | The source and destination in the packet match the source and destination specified in the network rule, which specifies a route relationship. | Network rules | This message is status only, so no action is required. |
30075 | Forefront TMG is looking for a Web chaining rule that matches the destination <name> in the packet. | Web chaining rules | This message is status only, so no action is required. |
30076 | Forefront TMG is looking for a cache rule that matches the destination <name> in the Web request. | Cache rules | This message is status only, so no action is required. |
30077 | Date and time: <time> Packet context: <context ID> Log source: <source> Packet properties <properties> Source IP address <address> Source array network <network> Destination IP address <address> Destination array network <network> Description <description> | Outbound access rules and publishing rules | This message is status only, so no action is required. |
30078 | Date and time: <time> Packet context: <context ID> Log source: <source>. The packet was blocked because no matching network rule was found. | Network rules | Create a network rule, or check the configuration of existing network rules. For information about creating and configuring network rules, see Planning Forefront TMG network topology and Defining network rules. |
30080 | Date and time: <time> Packet context: <context ID> Log source: <source> Protocol: <name> | Outbound access rules and publishing rules | This message is status only, so no action is required. |
30081 | Date and time: <time> Packet context: <context ID> Log source: <source> Application filter: <name> | Outbound access rules and publishing rules | This message is status only, so no action is required. |
30082 | The packet was blocked because the maximum number of new non-TCP sessions per minute was exceeded for the matching rule. | Outbound access rules and publishing rules | Forefront TMG blocks requests from specific IP addresses with more than the specific limit of new non-TCP requests per minute. The default is 1,000 per minute. To specify an exception for specific IP addresses, click the General node on the Forefront TMG Management console. In the Tasks pane, click Configure Flood Mitigation Settings, and then, on the IP Exceptions tab, click Add to add network elements you want to exempt from the default settings. For more information, see Deployment Recommendations for Connection Limits in ISA Server 2004, and ISA Server Network Protection: Protecting Against Floods and Attacks. |
30083 | The rule matches and allows the traffic. | Outbound access and publishing rules | This message is status only, so no action is required. |
30084 | The action of the rule cannot be determined without evaluation by the Firewall service. | Outbound access and publishing rules | This message is status only, so no action is required. The request is now processed in user mode and not kernel mode. |
30085 | The rule matches and blocks the traffic. | Outbound access and publishing rules | This message is status only, so no action is required. |
30087 | The packet was blocked because no matching access rule was found. | Access Rules | No rule in the firewall policy matches the relevant request, so it was blocked by the default deny rule. Check the properties of existing rules and create a new rule, if necessary. |
30090 | Forefront TMG cannot find a protocol definition that matches the destination port of the packet. | Access Rules | If there should be a rule matching the protocol specified in the packet, check the protocol properties of existing rules, and create a new rule with the required protocol, if necessary. |
30091 | Date and time: <time> Packet context: <context ID> Log source: <source> Web Proxy properties: <properties> Client IP address: <address> Client port: <port> Local IP address: <address> Local port: <port> SecureNAT client: <name> Web proxy client: <name> Inbound traffic: <property> | Access rules | This message is status only, so no action is required. |
30092 | The SecureNAT client requested the destination IP address <name>. | Access rules | This message is status only, so no action is required. |
30093 | Date and time: <time> Packet context: <context ID> Log source: <source> HTTP method: <name> | Access rules | This message is status only, so no action is required. |
30094 | Date and time: <time> Packet context: <context> Log source: <source> HTTP URL: <URL> | All rules | This message is status only, so no action is required. |
30095 | Date and time: <time> Packet context: <context ID> Log source: <source> HTTP Host header: <header> | All rules | This message is status only, so no action is required. |
30096 | Date and time: <time> Packet context: <context ID> Log source: <source> HTTP User-Agent: <name> | All rules | This message is status only, so no action is required. |
30097 | Date and time: <time> Packet context: <context ID> Log source: <source> User name: <name> | All rules | This message is status only, so no action is required. |
30098 | Date and time: <time> Packet context: <context ID> Log source: <source> User namespace: <name> | All rules | This message is status only, so no action is required. |
30099 | Forefront TMG will authenticate the client using <type> authentication. | All rules | This message is status only, so no action is required. |
30100 | Forefront TMG will authenticate the client using Digest authentication. | All rules | This message is status only, so no action is required. |
30101 | Forefront TMG will authenticate the client using Basic authentication. | All rules | This message is status only, so no action is required. |
30102 | The policy rule <name> matches the inbound Web request and will deny it. | Publishing rules | If this action is in accordance with the desired policy, no action is required. If not, check the properties of the rule blocking the request and check the rule ordering. |
30103 | Forefront TMG will connect to the Web server <name> on the IP address <address> and port <port>. | Publishing rules | If the request fails, verify that the name, IP address, and port number are correct. |
30104 | Forefront TMG failed to connect to the Web server <name>. Error code: <code number> | Publishing rules | Check the details provided in event 30103 to ensure that the connection was attempted on the correct server, IP address, and port. If necessary, modify settings on the To tab of the publishing rule properties. |
30105 | Forefront TMG is forwarding the request to the target host server for the path <name>. | Publishing rules | This message is status only, so no action is required. |
30106 | Date and time: <time> Packet context: <context> Log source: <name> Target Host header: <header> | | This message is status only, so no action is required. |
30107 | Date and time: <time> Packet context: <context> Log source: <name> Web response properties: <properties> Response status: <status> Response MIME content type: <type> Response Via header: <header> HTTP Server header: <header> | | This message is status only, so no action is required. |
30108 | Date and time: <time> Packet context: <context> Log source: <name> Request source: <source> | | This message is status only, so no action is required. |
30109 | The Web publishing rule <name> requires client authentication. | | This message is status only, so no action is required. |
30111 | The packet matches the Web chaining rule <name>. | Web chaining rules | This message is status only, so no action is required. |
30112 | The Web chaining rule <name> denied access. | Web chaining rules | If this action is in accordance with the desired policy, no action is required. If not, check the properties of the rule blocking the request and check rule ordering. |
30113 | The Web request matches the cache rule <name>. | Cache rules | This message is status only, so no action is required. |
30114 | The access rule <name> allows the Web request. | Access rules | This message is status only, so no action is required. |
30115 | The access rule <name> denies the Web request. | Access rules | If this action is in accordance with the desired policy, no action is required. If not, check the properties of the rule blocking the request and check rule ordering. |
30116 | The access rule <name> denied the Web request, and a custom Web page was returned to the client. | Access rules | If this action is in accordance with the desired policy, no action is required. If not, check the properties of the rule blocking the request and check the rule ordering. |
30117 | A MIME content type is required. The access rule <name> should be rechecked after the response arrives. | Access rules | This message is status only, so no action is required. The rule requires a content type to determine whether traffic is allowed. Forefront TMG makes a request to the Web server to get the response content-type before evaluating the rule. |
30118 | User authentication is required. The access rule <name> should be rechecked after the user is authenticated. | Access rules | This message is status only, so no action is required. The rule requires user authentication to determine whether traffic is allowed. Forefront TMG authenticates the user before evaluating the rule. |
30119 | DNS name resolution is required. The access rule <name> should be rechecked after DNS name resolution is performed. | Access rules | This message is status only, so no action is required. The rule requires name resolution to determine whether traffic is allowed. Forefront TMG resolves the name before evaluating the rule. |
30120 | The Web request is denied because the limit configured for the maximum number of new requests per minute was exceeded. | Access rules | Forefront TMG blocks requests when an access rule exceeds the default limit of 1,000 non-TCP connections per minute. Forefront TMG also blocks requests from a specific IP address if HTTP requests per minute exceed 600. You can configure specific IP addresses as exemptions to the default limits. For exempt addresses, HTTP requests per minute are limited by default to 6,000. Default limits can be modified. To configure flood mitigation settings, click the Firewall Policy node on the Forefront TMG Management console, and then, in the Tasks pane, click Configure Flood Mitigation. For more information, see Deployment Recommendations for Connection Limits in ISA Server 2004, and ISA Server Network Protection: Protecting Against Floods and Attacks. |
30121 | The packet matches the network rule <name>, which specifies a NAT network relationship. | Network rules | This message is status only, so no action is required. |
30122 | The packet matches the network rule <name>, which specifies a route network relationship. | Network rules | This message is status only, so no action is required. |
30123 | Authentication failed. Error = <errorcode> | Access rules and Web publishing rules | Check the error code. |
30124 | Authentication succeeded. | Access rules and Web publishing rules | This message is status only, so no action is required. |
30125 | Authentication is in progress. Authentication will fail for the current request, but the client should continue to attempt to authenticate on the same connection. | Access rules and Web publishing rules | This message is status only, so no action is required. This message provides information about the NTLM authentication process. |
30126 | The connected client is already authenticated. | Access rules and Web publishing rules | This message is status only, so no action is required. |
30127 | There was a change in the client authentication method while authentication was in progress. Authentication failed with error: <errorcode>. | Access rules | This usually indicates a problem with a Web client. |
30128 | Forefront TMG authentication Web filter is handling client authentication | All rules | This message is status only, so no action is required. |
30129 | Forefront TMG cannot authenticate the client because the client's request does not contain Proxy-Authorization or Authorization headers. | Access rules | This may happen when Basic authentication is used and the first request is anonymous. It may also occur if there are issues with the Web client or if there is a problem with the authentication method used by the client. |
30130 | Forefront TMG is trying to authenticate the connected client using an SSL client certificate. | Publishing rules and Web chaining rules | No action is required. This message is status only when the rule requires clients to authenticate by using a client certificate. |
30131 |
Authentication failed because the client did not send an SSL certificate. |
Publishing rules and Web chaining rules |
The rule is configured to require a client certificate, which was not provided. If a client certificate is not required, clear this setting on the rule properties. If a client certificate is required, ensure that clients have a relevant certificate from a commercial certification authority (CA) or from an internal CA in your organization. |
30132 |
Forefront TMG tries to authenticate a connected client. |
All rules |
This message is status only, so no action is required. |
30133 |
RADIUS authentication failed because the RADIUS Web filter is disabled. |
All rules |
To enable the RADIUS Web filter, on the Forefront TMG Management console, click the System node, right-click RADIUS Authentication Filter, and then click Enable. |
30134 |
Forms-based authentication for Outlook Web access failed because the OWA Forms-Based Web filter is disabled. |
All rules |
To enable the Forms-Based Web filter, on the Forefront TMG Management console, click the System node, right-click the Forms-Based Authentication filter, and then click Enable. |
30135 |
SecurID authentication failed because the RSA SecurID Web filter is disabled. |
All rules |
To enable the SecurID Filter, on the Forefront TMG Management console, click the System node, right-click SecurID Filter, and then click Enable. |
30136 |
Forefront TMG rejected the request with the HTTP status code <code number> and will return the following error message to the Web client <message>. |
All rules |
Check the status code and error message. |
30137 |
Forefront TMG obtained the MIME content type of the response and will use it to recheck the policy rules. |
Access rules |
This message is status only, so no action is required. The rule requires a content type to determine whether traffic is allowed. Forefront TMG made a request to the Web server to get the response content-type before evaluating the rule. |
30138 |
Forefront TMG is redirecting the request to the alternate Web site. |
Web chaining rule |
This message is status only, so no action is required. The Web chaining rule is configured to redirect the request. For more information, see Chaining Concepts in ISA Server 2006. |
30139 |
Forefront TMG is directing the request to an upstream proxy server. |
Web chaining rules |
This message is status only, so no action is required. |
30140 |
The upstream proxy server is an array. Therefore, Forefront TMG performed client-side CARP and will send the request to the array member <name>. |
Web chaining rules |
This message is status only, so no action is required. |
30141 |
Forefront TMG will send the request to the upstream proxy server <name>, which is not an array. |
Web chaining rules |
This message is status only, so no action is required. |
30142 |
Forefront TMG started checking the policy rules for a Web request. |
Access rules |
This message is status only, so no action is required. |
30143 |
The connected client was not authenticated. Only policy rules that apply to all users, including anonymous users, can be evaluated for this request. If rule evaluation cannot be completed without user authentication, Forefront TMG will return a response with HTTP error 401 (Unauthorized) or 407 (Proxy Authentication Required), allowing the client to submit the request again with user credentials. |
Access rules |
This message is status only, so no action is required. |
30144 |
The connected client %4 was authenticated. |
All rules |
This message is status only, so no action is required. |
30145 |
Forefront TMG started checking Web publishing rules. |
Publishing rules |
This message is status only, so no action is required. |
30146 |
Forefront TMG will renegotiate the SSL connection with the client and request an SSL client certificate. |
Publishing rules |
This message is status only, so no action is required. |
30148 |
Forefront TMG requested an SSL client certificate, but either the client did not supply a certificate or SSL client certificate authentication failed. The request will be denied. |
Publishing rules |
If a client certificate is required, ensure that clients have a relevant certificate from a commercial CA or from an internal CA in your organization. If clients have a certificate, ensure that the client certificate is valid. The certificate must contain the private key for the account to which the certificate is mapped. |
30149 |
Forefront TMG denied the request with the following error: %4 |
All rules |
Check the error code. |
30150 |
The Web publishing rule <name> will allow the Web request. |
Publishing rules |
No action is required. |
30151 |
The request will be denied because the Web client failed authentication. |
Access rules |
Check the following:
|
30152 |
Forefront TMG started checking the access rules. |
Access rules |
This message is status only, so no action is required. |
30153 |
Forefront TMG requires the MIME content type of the response to complete policy rule evaluation. |
Access rules |
This message is status only, so no action is required. The rule requires a content type to determine whether traffic is allowed. Forefront TMG makes a request to the Web server to get the response content-type before evaluating the rule. |
30154 |
Forefront TMG attempted to evaluate the policy rules without resolving the name of the requested destination. Name resolution will now commence. |
Access rules |
This message is status only, so no action is required. |
30155 |
Forefront TMG started rechecking the access rules after resolving the name of the requested destination through a DNS query. |
Access rules |
This message is status only, so no action is required. |
30156 |
Forefront TMG started to check the Web chaining rules. |
Web chaining rules |
This message is status only, so no action is required. |
30157 |
Forefront TMG will assume that the destination is in the External network because the destination name cannot be resolved. Forefront TMG will recheck the access rules. |
Access rules |
Check that the destination name specified in the packet can be resolved by the Forefront TMG computer to an address inside an internal Forefront TMG network. |
30158 |
The deny access rule <name> matches the Web request. The Web request is denied. |
Access rules |
If this action is in accordance with the desired policy, no action is required. If not, check the properties of the rule blocking the request and check rule ordering. |
30159 |
Forefront TMG completed checking the policy rules for the Web request. |
Access rules |
This message is status only, so no action is required. |
30160 |
Evaluation of the access rules requires user authentication, but the connected client is anonymous. |
Access rules |
Check the following:
|
30162 |
The request will be denied because the matching access rule denies access. |
Access rules |
If this action is in accordance with the desired policy, no action is required. If not, check the properties of the rule blocking the request and check rule ordering. |
30163 |
Forefront TMG recognizes the client as a SecureNAT client and will check all rules that apply to TCP port <port number>. |
Access rules |
This message is status only, so no action is required. |
30165 |
Forefront TMG recognizes the client as a Web proxy client and will check all rules that apply to the HTTP protocol. |
Access rules |
This message is status only, so no action is required. |
30166 |
Forefront TMG recognizes the client as a Web proxy client and will check all rules that apply to the HTTPS protocol. |
Access rules |
This message is status only, so no action is required. |
30167 |
Forefront TMG failed to perform a reverse DNS lookup and will attempt to continue with the available information. Error: <error code>. |
Access rules |
Check the error code for more information. In addition, check that rule elements containing IP addresses are resolvable. |
30168 |
Forefront TMG succeeded to perform a reverse DNS lookup. The host name is <name>. |
Access rules |
This message is status only, so no action is required. |
30169 |
Forefront TMG is performing DNS name resolution for the host name <name>. |
All rules |
This message is status only, so no action is required. |
30170 |
Forefront TMG failed to perform DNS name resolution and will attempt to continue with the available information. Error: <code>. |
All rules |
Without successful name resolution, Forefront TMG may not be able to match the packet to the rule. Check that rule elements are resolvable. |
30171 |
Forefront TMG succeeded to perform DNS name resolution for the host name <name>. |
All rules |
No action is required. |
30172 |
Forefront TMG is forwarding the Web request directly to the specified destination. |
All rules |
This message is status only, so no action is required. |
30173 |
Forefront TMG recognizes the client as a Web proxy client and will check all rules that apply to the FTP (FTP over HTTP) protocol. |
Access rules |
This message is status only, so no action is required. |
30174 |
Forefront TMG denied a request because policy rule <name> requires authentication before allowing traffic. |
All rules |
This message is status only, so no action is required. |
30500 |
Forefront TMG denied a request because policy rule <name> requires authentication before allowing traffic. |
Access rules |
Check that the client making the request is included in user groups configured for the rule. Client computers configured as SecureNAT clients only (with a default gateway pointing to Forefront TMG) cannot present authentication credentials. If you do not want to authenticate the client, check that you have a rule allowing anonymous access. |
30501 |
Forefront TMG denied a Web request because policy rule <name> requires authentication before allowing traffic. |
Access rules |
Check that the network on which requests are received is not configured with the setting "Require all users to authenticate". If this setting is enabled, all users must be authenticated for Web access, and rules are not evaluated for a request until users are authenticated successfully. |
30502 |
Traffic was denied by rule <name> after user <name> was authenticated. To configure Forefront TMG to request different credentials instead of denying a Web request, set the ReturnAuthRequiredIfAuthUserDenied COM property to True. For more information and a script for configuring this property, see https://go.microsoft.com/fwlink?LinkId=51097 |
Access rules |
When the ReturnAuthRequiredIfAuthUserDenied property is set to True, clients denied access with an initial set of credentials are given the opportunity to input alternative credentials. When the property is set to False, clients are denied access and do not receive a prompt for new credentials. In ISA Server 2004, the ReturnAuthRequiredIfAuthUserDenied property is set to True by default. In ISA Server 2006 and Forefront TMG, the default setting is False. This setting cannot be specified on the Forefront TMG Management console. Instead, set the property by using the Software Development Kit (SDK). |
30503 |
An authentication response from a domain controller took <time> seconds. A delay in the response may result in slow Web traffic. The problem may be caused by an incorrect domain controller configuration, a high load on the domain controller, a current reboot of the domain controller, or a network problem. |
All rules requiring authentication |
Troubleshoot authentication issues with the domain controller. The following resources may be useful:
|
30504 |
User authentication failed. The request was denied because the password for user <name> expired. To resolve this problem, the user must request a new password in Active Directory. |
All rules requiring authentication |
Reset the user's password. |
30506 |
RADIUS authentication failed because RADIUS server settings have not been configured in Forefront TMG Management. To resolve this issue, define one or more RADIUS servers. To do this, in Forefront TMG Management, click the General node. On the Tasks pane, click Define RADIUS Servers, and follow the online instructions. |
All rules requiring authentication |
Configure a RADIUS server to be used by Forefront TMG for authentication. To do this, on the Forefront TMG Management console, click the Web Access Policy node, and then in the Tasks pane, click Configure RADIUS Server Settings. For more information, see the following Microsoft TechNet resources: |
30507 |
RADIUS authentication failed because the RADIUS server <name> could not be contacted. This may happen because a deny rule blocks RADIUS traffic, the RADIUS server is unavailable, or there is a network problem. Verify that the system policy rule "Allow RADIUS authentication from Forefront TMG to trusted RADIUS servers" is enabled, and that the RADIUS server is located in the network object specified in the rule destination. |
All rules requiring authentication |
|
30508 |
RADIUS authentication failed because user <name> could not be authenticated by the RADIUS server. |
All rules requiring authentication |
Ensure that the user belongs to the user accounts to which access is permitted. If you are controlling access by means of a remote access policy in RADIUS, ensure that the user account that is allowed access has dial-in permissions. |
30509 |
RADIUS authentication failed because user <name> could not respond to the challenge issued by the RADIUS server. |
All rules requiring authentication |
Forefront TMG cannot respond to a challenge from the RADIUS server. Configure the RADIUS server so that it does not issue a challenge to the Forefront TMG RADIUS client. |
30510 |
Active Directory authentication failed because a domain controller could not be contacted. This may happen because Forefront TMG blocks the authentication request, the domain controller is unavailable, or there is a name resolution problem or a connectivity issue. Verify that the system policy rule "Allow access to directory services for authentication purposes" is enabled and allows traffic to the domain controller. |
All rules requiring authentication |
Check network issues by pinging the Active Directory server from another computer. Check the Windows Event viewer on the Forefront TMG computer for NetLogon problems or similar issues. On the Forefront TMG Management console, right-click the Firewall Policy node, and then click Edit System Policy. In the Configuration Groups list, click Active Directory, and then do the following:
|
30511 |
Active Directory authentication failed because the token passed is invalid. This may happen because the time of the client does not match the time of the domain controller. |
All rules requiring authentication |
Troubleshoot authentication issues with the domain controller. The following resources may be useful:
|
30512 |
Active Directory authentication failed because there was not enough memory available on the domain controller to complete the task. |
All rules requiring authentication |
Troubleshoot authentication issues with the domain controller. See the previous entry for resource links. |
30513 |
The RSA SecurID server has rejected the passcode for user <name>. |
All rules requiring authentication |
Check settings on the SecurID server. |
30514 |
The RSA SecurID server requested a new PIN for user <name>. |
All rules requiring authentication |
Forefront TMG will prompt the user for a new PIN. |
30515 |
The authentication methods required by the Forefront TMG computer and a published Web server are incompatible. Forefront TMG requires <authenticationmethod> authentication, while the Web server requires <authenticationmethod> authentication. Internet Explorer does not support two different authentication methods on the same connection. To resolve this problem, disable authentication on either the Forefront TMG computer or the Web server. Alternatively, use Basic authentication on both, and select the delegate Basic authentication option on the Forefront TMG Web listener. |
All rules requiring authentication |
To disable authentication on the Forefront TMG computer, on the Listener tab of the publishing rule, click Properties, and then on the Authentication tab of the listener properties, select No authentication in Method clients use to authenticate to Forefront TMG. To specify that Basic authentication should be used and credentials delegated to the published Web server, do the following:
Click the Authentication Delegation tab of the rule properties, and then select Basic authentication in Method used by Forefront TMG to authenticate to the published Web server. Note that modifying the listener affects all publishing rules using the listener. |
30516 |
Forefront TMG started checking the policy rules for a Web request with the target path <name>. |
|
This message is status only, so no action is required. |
30518 |
Checking for secondary inbound traffic. Packet properties: Original source IP address: <IP address> Original source array network: <name> Original destination array network: <name> |
Inbound access |
This message is status only, so no action is required. |