Compartilhar via


Viewing the diagnostic log

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

You can view all logged diagnostic events by clicking the Show all button in the Filter pane, or you can view filtered logged events by defining the filter, and then clicking the Apply filter button.

Viewing logged events

When viewing diagnostic log events, the top section of the logging results pane displays a status line that includes the following:

  • Server

  • Context ID

  • Message contains

The status line specifies the filter properties of the events that are shown.

The following details are provided in the results pane of the Diagnostic logging tab.

Label Description

Record

Displays the number of the record in the sequence of the logs.

Time

Displays the actual date and time that the event occurred.

Context

For information about context, see "Filtering for events" in this document.

Log Source

Displays the origin of the event, such as, Firewall service or Web proxy.

Message

Displays a detailed description of the event that occurred.

Analyzing diagnostic log events

The following table summarizes the events produced by diagnostic logging, and recommends actions for each event, where appropriate.

Event ID Message Scenario Action/Details

30000

The access rule <name> allows all traffic. The packet is allowed. No further rule evaluation is needed.

Outbound access rules

If the message is in accordance with the required policy, no action is required. If not, check the properties of the rule that allows all traffic.

30001

Forefront TMG will check only rules that are associated with the protocol <name>.

Outbound access rules

If the message is in accordance with the protocols you have defined on access rules, no action is required. Otherwise, check the protocol properties of existing access rules, and create new rules if required.

30002

Forefront TMG is evaluating the rule <name>.

Outbound access and publishing rules

This message is status only, so no action is required.

30004

No matching rule was found.

Outbound access and publishing rules

No rule in the firewall policy matches the relevant request. Check the properties of existing rules and create a new rule, if required.

30006

Displays rule properties.

Outbound access and publishing rules

This message is status only, so no action is required.

30007

The Firewall Engine is performing rule evaluation.

Outbound access and publishing rules

This message is status only, so no action is required.

30008

The rule <name> matches the packet. The packet is allowed.

Outbound access and publishing rules

If the message is in accordance with the required policy, no action is required. If not, check the properties of the rule that allows all traffic.

30009

The rule <name> matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet, will take precedence and may allow the packet.

Outbound access and publishing rules

Check the rule base and ordering for conflicts. The following order is recommended, from highest priority to lowest:

  1. Global deny rules that deny specific access to all users.

  2. Global allow rules that allow specific access to all users.

  3. Rules that allow or deny access to specific computers.

  4. Rules that allow or deny access to specific URLs and Multipurpose Internet Mail Extensions (MIME) types.

  5. Rules that handle traffic that does not match rules that occur previously in the list of rules.

Server publishing rules and Web publishing rules can be placed anywhere in the rule order, after the global allow or deny rules.

30010

Forefront TMG is looking for an applicable network rule.

Network rules

This message is status only, so no action is required.

30011

The packet was sent to or from the Local Host network. Therefore, an implicit network rule with a route relationship between the source and destination is applied.

Network rules

This message is status only, so no action is required. Following installation, Forefront TMG defines a default network rule allowing access between the Local Host network (the Forefront TMG computer) and all networks included in the default All Networks network set. The rule is defined with a route relationship. This default rule cannot be modified.

30012

The source and destination are on the same network. Therefore, an implicit network rule with a route relationship between the source and destination is applied.

Network rules

This message is status only, so no action is required. Traffic that passes through Forefront TMG between sources and destinations on the same network is routed.

30013

No network rule was found.

Network rules

Create a network rule that allows traffic between networks that include the source and destination specified in the Web publishing rule.

For information about creating and configuring network rules, see Planning Forefront TMG network topology and Defining network rules.

30015

The network rule <name> matches the source and destination. A NAT relationship is specified.

Network rules

This message is status only, so no action is required.

30016

The network rule <name> matches the source and destination. A route relationship is specified.

Network rules

This message is status only, so no action is required.

30017

The packet was blocked because no matching network rule was found.

Outbound access rules

Create a network rule, or check the configuration of existing network rules.

For information about creating and configuring network rules, see Planning Forefront TMG network topology and Defining network rules.

30018

Forefront TMG is looking for a deny access rule that matches traffic from the source to the destination.

Outbound access rules

This message is status only, so no action is required.

30019

Forefront TMG is looking for a rule that is associated with the protocol <name>.

Outbound Access rules

This message is status only, so no action is required.

30020

The deny access rule <name> precedes the publishing rule <name> in the list of policy rules. The packet is blocked.

Outbound access and publishing rules

Check that the properties of the deny access rule are in accordance with requirements. In addition, check rule ordering. The following order is recommended from highest priority to lowest:

  1. Global deny rules that deny specific access to all users.

  2. Global allow rules that allow specific access to all users.

  3. Rules that allow or deny access to specific computers.

  4. Rules that allow or deny access to specific URLs and MIME types.

  5. Rules that handle traffic that does not match rules that occur previously in the list of rules.

  6. Server publishing rules and Web publishing rules can be placed anywhere in the rule order, after the global allow or deny rules.

30022

The rule <name> allowed the packet.

Outbound access and publishing rules

If the message is in accordance with the required policy, no action is required. If not, check the properties of the rule blocking the request. In addition, check the rule ordering.

30023

The request was denied because the connection limit for the rule <name> was exceeded

Outbound access and publishing rules

Check connection limits and modify them in accordance with requirements and best practices. If required, you can exempt specific IP addresses from limits.

For Web publishing rules, connection limits are set for the specific Web listener defined for the rule.

For outbound Web requests, a connection limit is set on the Web proxy properties of a specific network.

Globally, you can set a limit for all types of traffic.

For more information, see Deployment Recommendations for Connection Limits in ISA Server 2004, and ISA Server Network Protection: Protecting Against Floods and Attacks.

30024

The rule <name> blocked the packet.

Outbound access and publishing rules

If the message is in accordance with the required policy, no action is required. If not, check the properties of the rule blocking the request and check rule ordering.

30025

The rule <name> requires a MIME content type.

Outbound access rules

This message is status only, so no action is required. The rule requires a content type to determine whether traffic is allowed. Forefront TMG makes a request to the Web server to get the response content-type before evaluating the rule.

30026

The rule <name> requires DNS name resolution.

Outbound access and publishing rules

This message is status only, so no action is required. The rule requires name resolution to determine whether traffic is allowed.

30027

The rule <name> requires user authentication.

Outbound access and publishing rules

This message is status only, so no action is required. The rule requires client authentication to determine whether traffic is allowed.

30028

Forefront TMG is loading the non-Windows user account for the user <name> and the authentication scheme <name> from the stored configuration.

Outbound access using RADIUS authentication and Publishing rules using RADIUS or SecurID authentication.

This message is status only, so no action is required.

30029

The Web chaining rule <name> matches the packet.

Web chaining rules

This message is status only, so no action is required. Web chaining rules specify whether requests should be routed to the Internet or to an upstream proxy server. For more information, see Chaining Concepts in ISA Server 2006.

30030

The Web chaining rule <name> requires a dial-up connection for name resolution.

Web chaining rules

This message is status only, so no action is required.

30031

The cache rule <name> matches the Web request.

Cache rules

This message is status only, so no action is required.

30032

The rule cannot be evaluated by the Firewall Engine because the rule applies to a specific user.

Outbound access and publishing rules

This message is status only, so no action is required. Evaluation of the rule is done in user mode. The Windows operating system divides the use of virtual address space into the user virtual address space (user space) that maps the current user process, and the kernel virtual address pace (kernel space) that maps the operating system code and structures. Forefront TMG uses both modes. The Firewall Engine and Windows networking components run in the kernel mode. Other components run in user mode. For more information, see ISA Server 2006 Firewall Core.

30033

The user does not match the rule.

Outbound access and publishing rules

This message is status only, so no action is required. The rule being evaluated does not match the user making the request.

30034

Forefront TMG failed to determine whether the Windows user is allowed or denied by the rule. Error code: <code number> The rule is ignored.

Outbound access and publishing rules

This error occurs when there are problems in trying to determine the identity of the user. Check the error code.

30035

The rule <name> has parameters that cannot be evaluated by the Firewall Engine. The packet is passed to the Firewall service to complete rule evaluation.

Outbound access and publishing rules

This message is status only, so no action is required. Evaluation of the rule is done in user mode.

30036

The protocol indicated by the destination port does not match the rule

Outbound access and publishing rules

This message is status only, so no action is required. The rule being evaluated is not relevant for the traffic, because the traffic port and protocol specified in the rule do not match.

30037

Forefront TMG cannot determine the protocol of the packet. Therefore, the deny access rule <name> is ignored.

Outbound access rules

This message is status only, so no action is required. This is generated mainly by traffic on the Forefront TMG Client control channel.

30038

The source port does not match the rule.

Outbound access and publishing rules

In an access rule, you can limit the source port range from which client traffic is accepted. This message indicates that the source port of the packet does not match the range indicated in the rule properties.

30039

The rule <name> specifies a MIME content type. If the MIME content type in the response does not match the request, the request is blocked.

Outbound access rules

This message is status only, so no action is required. The rule requires a content type in order to determine whether traffic is allowed. Forefront TMG makes a request to the Web server in order to get the response content-type before evaluating the rule. If the MIME content matches, the traffic is allowed or denied in accordance with the action specified in the rule properties.

30040

The time when the packet was sent does not match a time when the rule is applied according to its schedule.

Outbound access and publishing rules

On the Schedule tab of the rule properties, check when the rule is active and modify it if necessary.

30041

The %4 requires name resolution.

Outbound access and publishing rules

This message is status only, so no action is required. It indicates that name resolution is required to complete rule evaluation.

30042

%4 does not match the packet.

Outbound access and publishing rules

This message is status only, so no action is required. This may indicate the source or destination of the rule.

30043

%4 does not match the rule.

Outbound access rules and publishing rules

This message is status only, so no action is required. This may indicate the source or destination of the rule.

30044

The rule <name> requires name resolution for evaluation.

Outbound access and publishing rules

This message is status only, so no action is required. The rule requires name resolution to determine whether traffic is allowed.

30045

The access rule is ignored because Forefront TMG looks only for Web publishing rules for an incoming Web request.

Web publishing rules

This message is status only, so no action is required. It informs you that access rules are not evaluated for Web publishing requests.

30046

The access rule is ignored for this packet because inbound protocols can be used only by adding them explicitly to the rule.

Access rules

This message is status only, so no action is required. It is generated during rule processing.

30047

Forefront TMG assumes that the allow access rule or redirecting deny access rule is the best match for HTTP.

Access rules

This message is status only, so no action is required. It is generated during rule processing.

30048

The content type specified in the packet does not match the rule.

Access rules

If this action is in accordance with the required policy, no action is required. If not, check the properties of the rule to ensure that the MIME types configured in the rule are correct.

30049

A content type is needed for rule matching.

Access rules

This message is status only, so no action is required. The rule requires a content type to determine whether traffic is allowed. Forefront TMG makes a request to the Web server to get the response content-type before evaluating the rule.

30050

The rule does not match because the rule requires authentication and no user is specified in the packet.

Outbound access rules and publishing rules

If the rule is not intended to match the user request, no action is required. If the rule should match the request, check the properties of the rule to ensure that the user authentication requirements are configured correctly.

30051

The rule <name>requires user authentication for evaluation.

Outbound access and publishing rules

This message is status only, so no action is required. The rule requires client authentication to determine whether traffic is allowed.

30052

The destination does not match an IP address on which the listener of the server publishing rule listens.

Server publishing rules

Each server publishing rule is associated with an IP address and port on which requests for the published server are received. The destination requested by the client must resolve to an IP address associated with the rule.

30053

The destination in the request does not match an IP address on which the Web listener specified in the Web publishing rule listens.

Web publishing rules

Each Web publishing rule is associated with a Web listener that specifies the network and port on which requests for the Web server published by the rule can be received. The destination specified in the URL request must resolve to an IP address in one of the networks associated with the listener. On the Listener tab of the rule properties, click the Properties tab. Then, on the Network tab of the listener properties, check the networks associated with the listener.

30054

This server publishing rule was skipped for this packet.

Server publishing rules

This message is status only, so no action is required.

30055

This Web publishing rule was skipped for this packet.

Web publishing rules

This message is status only, so no action is required.

30056

The rule does not apply to traffic from the source IP address.

Server publishing

This message is status only, so no action is required. It is issued during evaluation of server publishing rules.

30057

The deny access rule does not match a wildcard source.

Access rules

This message is status only, so no action is required. It is usually issued during processing of application filters that open secondary protocols.

30058

The web publishing rule <name> is ignored because the destination <name> in the Web request does not match any of the public names specified in the Web publishing rule.

Web publishing rules

On the Public Name tab of the rule properties, check that the entries specified match the string that the external user specifies to reach the Microsoft Office Outlook Web Access site.

30059

The Web listener that accepted the packet does not match the Web listener specified in the Web publishing rule.

Web publishing rules

This message is status only, so no action is required. This message is logged as each Web published rule is evaluated to verify whether it uses the Web listener on which the packet was received.

30060

The reverse direction of the network rule <name>, which defines a NAT relationship, matches the source and destination IP addresses specified in the packet. The traffic is denied.

Network rules

This message indicates that a packet with the reverse direction cannot be forwarded because the network relationship defined for the rule is Network Address Translation (NAT) ; a NAT relationship allows traffic in one direction only.

30061

The Web publishing rule <name> is ignored because the path <name> in the destination URL in the Web request does not match the path specified in the rule.

Web publishing rules

On the Paths tab of the rule properties, check that the paths specified match those that the external user specifies to reach the Outlook Web Access site.

30062

Forefront TMG is evaluating the network rule %4.

Network rules

This message is status only, so no action is required.

30063

The source IP address in the packet does not match the destination specified in the network rule.

Network rules

The network rule is not applicable for the packet. Ensure that another network rule exists to allow traffic between the required source and destination of the packet. For more information about network rules, see Planning Forefront TMG network topology and Defining network rules.

30064

The source IP address in the packet does not match the source specified in the network rule.

Network rules

The network rule is not applicable for the packet. Ensure that another network rule exists to allow traffic between the required source and destination of the packet.

30065

The destination IP address in the packet does not match the source specified in the network rule.

Network rules

The network rule is not applicable for the packet. Ensure that another network rule exists to allow traffic between the required source and destination of the packet.

30066

The destination IP address in the packet does not match the destination specified in the network rule.

Network rules

The network rule is not applicable for the packet. Ensure that another network rule exists to allow traffic between the required source and destination of the packet.

30067

The source and destination in the packet match the source and destination specified in the network rule, which specifies a NAT relationship.

Network rules

This message is status only, so no action is required. A network rule exists that allows traffic between the source and destination specified in the packet. A NAT relationship will be applied.

30068

Forefront TMG is checking the reverse direction of the network rule <name>.

Network rules

This message is status only, so no action is required.

30069

The source and destination in the packet match the source and destination specified in the network rule <name> in the reverse direction.

Network rules

If the network relationship is NAT (unidirectional), check that there is a network rule to allow the packet. If the network relationship is route, no action is required.

30070

The source IP address in the packet does not match the source specified in the network rule.

Network rules

The source IP address of the packet does not match any network specified as a source in the network rule. Ensure that there is a network rule to allow the traffic between the source and destination specified in the packet.

30072

The destination IP address in the packet does not match the source specified in the network rule.

Network rules

The destination IP address of the packet does not match any network specified as a source in the network rule. Ensure that there is a network rule to allow the traffic between the source and destination specified in the packet.

30073

TCP sessions per minute was exceeded for the rule.

Outbound access rules and publishing rules

Forefront TMG imposes a limit on the maximum number of TCP connect requests per minute. The default is 600 per minute. To specify an exception for a specific IP address, click the General node on the Forefront TMG Management console. In the Firewall Policy pane, click Configure Flood Mitigation, and then, on the IP Exceptions tab, click Add to add the network elements you want to exempt from the default settings. For exempt IP addresses, a default of 6,000 requests per minute is set. For more information, see Deployment Recommendations for Connection Limits in ISA Server 2004, and ISA Server Network Protection: Protecting Against Floods and Attacks.

30074

The source and destination in the packet match the source and destination specified in the network rule, which specifies a route relationship.

Network rules

This message is status only, so no action is required.

30075

Forefront TMG is looking for a Web chaining rule that matches the destination <name> in the packet.

Web chaining rules

This message is status only, so no action is required.

30076

Forefront TMG is looking for a cache rule that matches the destination <name> in the Web request.

Cache rules

This message is status only, so no action is required.

30077

Date and time: <time> Packet context: <context ID> Log source: <source> Packet properties <properties> Source IP address <address> Source array network <network> Destination IP address <address> Destination array network <network> Description <description>

Outbound access rules and publishing rules

This message is status only, so no action is required.

30078

Date and time: <time> Packet context: <context ID> Log source: <source>. The packet was blocked because no matching network rule was found.

Network rules

Create a network rule, or check the configuration of existing network rules.

For information about creating and configuring network rules, see Planning Forefront TMG network topology and Defining network rules.

30080

Date and time: <time> Packet context: <context ID> Log source: <source> Protocol: <name>

Outbound access rules and publishing rules

This message is status only, so no action is required.

30081

Date and time: <time> Packet context: <context ID> Log source: <source> Application filter: <name>

Outbound access rules and publishing rules

This message is status only, so no action is required.

30082

The packet was blocked because the maximum number of new non-TCP sessions per minute was exceeded for the matching rule.

Outbound access rules and publishing rules

Forefront TMG blocks requests from specific IP addresses with more than the specific limit of new non-TCP requests per minute. The default is 1,000 per minute. To specify an exception for specific IP addresses, click the General node on the Forefront TMG Management console. In the Tasks pane, click Configure Flood Mitigation Settings, and then, on the IP Exceptions tab, click Add to add network elements you want to exempt from the default settings. For more information, see Deployment Recommendations for Connection Limits in ISA Server 2004, and ISA Server Network Protection: Protecting Against Floods and Attacks.

30083

The rule matches and allows the traffic.

Outbound access and publishing rules

This message is status only, so no action is required.

30084

The action of the rule cannot be determined without evaluation by the Firewall service.

Outbound access and publishing rules

This message is status only, so no action is required. The request is now processed in user mode and not kernel mode.

30085

The rule matches and blocks the traffic.

Outbound access and publishing rules

This message is status only, so no action is required.

30087

The packet was blocked because no matching access rule was found.

Access Rules

No rule in the firewall policy matches the relevant request, so it was blocked by the default deny rule. Check the properties of existing rules and create a new rule, if necessary.

30090

Forefront TMG cannot find a protocol definition that matches the destination port of the packet.

Access Rules

If there should be a rule matching the protocol specified in the packet, check the protocol properties of existing rules, and create a new rule with the required protocol, if necessary.

30091

Date and time: <time> Packet context: <context ID> Log source: <source> Web Proxy properties: <properties> Client IP address: <address> Client port: <port> Local IP address: <address> Local port: %<port> SecureNAT client: <name> Web proxy client: <name> Inbound traffic: <property>

Access rules

This message is status only, so no action is required.

30092

The SecureNAT client requested the destination IP address <name>.

Access rules

This message is status only, so no action is required.

30093

Date and time: <time> Packet context: <context ID> Log source: <source> HTTP method: <name>

Access rules

This message is status only, so no action is required.

30094

Date and time: %1 %nPacket context: <context> Log source: <source> HTTP URL: <URL>

All rules

This message is status only, so no action is required.

30095

Date and time: <time> Packet context: <context ID> Log source: <source> HTTP Host header: <header>

All rules

This message is status only, so no action is required.

30096

Date and time: <time> Packet context: <context ID> Log source: <source> HTTP User-Agent: <name>

All rules

This message is status only, so no action is required.

30097

Date and time: <time> Packet context: <context ID> Log source: <source> User name: <name>

All rules

This message is status only, so no action is required.

30098

Date and time: <time> Packet context: <context ID> Log source: <source> User namespace: <name>

All rules

This message is status only, so no action is required.

30099

Forefront TMG will authenticate the client using <type> authentication.

All rules

This message is status only, so no action is required.

30100

Forefront TMG will authenticate the client using Digest authentication.

All rules

This message is status only, so no action is required.

30101

Forefront TMG will authenticate the client using Basic authentication.

All rules

This message is status only, so no action is required.

30102

The policy rule <name> matches the inbound Web request and will deny it.

Publishing rules

If this action is in accordance with the desired policy, no action is required. If not, check the properties of the rule blocking the request and check the rule ordering.

30103

Forefront TMG will connect to the Web server <name> on the IP address <address> and port <port>.

Publishing rules

If the request fails, verify that the name, IP address, and port number are correct.

30104

Forefront TMG failed to connect to the Web server <name>. Error code: <code number>

Publishing rules

Check the details provided in event 30103 to ensure that the connection was attempted on the correct server, IP address, and port. If necessary, modify settings on the To tab of the publishing rule properties.

30105

Forefront TMG is forwarding the request to the target host server for the path <name>.

Publishing rules

This message is status only, so no action is required.

30106

Date and time: <time> Packet context: <context> Log source: <name> Target Host header: <header>

This message is status only, so no action is required.

30107

Date and time: <time> Packet context: <context> Log source: <name> Web response properties:<properties> Response status: <status> Response MIME content type: <type> Response Via header: <header> HTTP Server header: <header>

This message is status only, so no action is required.

30108

Date and time: <time> Packet context: <context> Log source: <name> Request source: <source>

This message is status only, so no action is required.

30109

The Web publishing rule <name> requires client authentication.

This message is status only, so no action is required.

30111

The packet matches the Web chaining rule <name>.

Web chaining rules

This message is status only, so no action is required.

30112

The Web chaining rule <name> denied access.

Web chaining rules

If this action is in accordance with the desired policy, no action is required. If not, check the properties of the rule blocking the request and check rule ordering.

30113

The Web request matches the cache rule <name>.

Cache rules

This message is status only, so no action is required.

30114

The access rule <name> allows the Web request.

Access rules

This message is status only, so no action is required.

30115

The access rule <name> denies the Web request.

Access rules

If this action is in accordance with the desired policy, no action is required. If not, check the properties of the rule blocking the request and check rule ordering.

30116

The access rule <name> denied the Web request, and a custom Web page was returned to the client.

Access rules

If this action is in accordance with the desired policy, no action is required. If not, check the properties of the rule blocking the request and check the rule ordering.

30117

A MIME content type is required. The access rule <name> should be rechecked after the response arrives.

Access rules

This message is status only, so no action is required. The rule requires a content type to determine whether traffic is allowed. Forefront TMG makes a request to the Web server to get the response content-type before evaluating the rule.

30118

User authentication is required. The access rule <name> should be rechecked after the user is authenticated.

Access rules

This message is status only, so no action is required. The rule requires user authentication to determine whether traffic is allowed. Forefront TMG authenticates the user before evaluating the rule.

30119

DNS name resolution is required. The access rule <name> should be rechecked after DNS name resolution is performed.

Access rules

This message is status only, so no action is required. The rule requires name resolution to determine whether traffic is allowed. Forefront TMG resolves the name before evaluating the rule.

30120

The Web request is denied because the limit configured for the maximum number of new requests per minute was exceeded.

Access rules

Forefront TMG blocks requests when an access rule exceeds the default limit of 1,000 non-TCP connections per minute.

Forefront TMG also blocks requests from a specific IP address if HTTP requests per minute exceed 600.

You can configure specific IP addresses as exemptions to the default limits. For exempt addresses, HTTP requests per minute are limited by default to 6,000. Default limits can be modified.

To configure flood mitigation settings, click the Firewall Policy node on the Forefront TMG Management console, and then, in the Tasks pane, click Configure Flood Mitigation. For more information, see Deployment Recommendations for Connection Limits in ISA Server 2004, and ISA Server Network Protection: Protecting Against Floods and Attacks.

30121

The packet matches the network rule <name>, which specifies a NAT network relationship.

Network rules

This message is status only, so no action is required.

30122

The packet matches the network rule <name>, which specifies a route network relationship.

Network rules

This message is status only, so no action is required.

30123

Authentication failed. Error = <errorcode>

Access rules and Web publishing rules

Check the error code.

30124

Authentication succeeded.

Access rules and Web publishing rules

This message is status only, so no action is required.

30125

Authentication is in progress. Authentication will fail for the current request, but the client should continue to attempt to authenticate on the same connection.

Access rules and Web publishing rules

This message is status only, so no action is required. This message provides information about the NTLM authentication process.

30126

The connected client is already authenticated.

Access rules and Web publishing rules

This message is status only, so no action is required.

30127

There was a change in the client authentication method while authentication was in progress. Authentication failed with error: <errorcode>.

Access rules

This usually indicates a problem with a Web client.

30128

Forefront TMG authentication Web filter is handling client authentication

All rules

This message is status only, so no action is required.

30129

Forefront TMG cannot authenticate the client because the client's request does not contain Proxy-Authorization or Authorization headers.

Access rules

This may happen when Basic authentication is used and the first request is anonymous. It may also occur if there are issues with the Web client or if there is a problem with the authentication method used by the client.

30130

Forefront TMG is trying to authenticate the connected client using an SSL client certificate.

Publishing rules and Web chaining rules

No action is required. This message is status only when the rule requires clients to authenticate by using a client certificate.

30131

Authentication failed because the client did not send an SSL certificate.

Publishing rules and Web chaining rules

The rule is configured to require a client certificate, which was not provided. If a client certificate is not required, clear this setting on the rule properties. If a client certificate is required, ensure that clients have a relevant certificate from a commercial certification authority (CA) or from an internal CA in your organization.

30132

Forefront TMG tries to authenticate a connected client.

All rules

This message is status only, so no action is required.

30133

RADIUS authentication failed because the RADIUS Web filter is disabled.

All rules

To enable the RADIUS Web filter, on the Forefront TMG Management console, click the System node, right-click RADIUS Authentication Filter, and then click Enable.

30134

Forms-based authentication for Outlook Web access failed because the OWA Forms-Based Web filter is disabled.

All rules

To enable the Forms-Based Web filter, on the Forefront TMG Management console, click the System node, right-click the Forms-Based Authentication filter, and then click Enable.

30135

SecurID authentication failed because the RSA SecurID Web filter is disabled.

All rules

To enable the SecurID Filter, on the Forefront TMG Management console, click the System node, right-click SecurID Filter, and then click Enable.

30136

Forefront TMG rejected the request with the HTTP status code <code number> and will return the following error message to the Web client <message>.

All rules

Check the status code and error message.

30137

Forefront TMG obtained the MIME content type of the response and will use it to recheck the policy rules.

Access rules

This message is status only, so no action is required. The rule requires a content type to determine whether traffic is allowed. Forefront TMG made a request to the Web server to get the response content-type before evaluating the rule.

30138

Forefront TMG is redirecting the request to the alternate Web site.

Web chaining rule

This message is status only, so no action is required. The Web chaining rule is configured to redirect the request. For more information, see Chaining Concepts in ISA Server 2006.

30139

Forefront TMG is directing the request to an upstream proxy server.

Web chaining rules

This message is status only, so no action is required.

30140

The upstream proxy server is an array. Therefore, Forefront TMG performed client-side CARP and will send the request to the array member <name>.

Web chaining rules

This message is status only, so no action is required.

30141

Forefront TMG will send request to the upstream proxy server <name>, which is not an array.

Web chaining rules

This message is status only, so no action is required.

30142

Forefront TMG started checking the policy rules for a Web request.

Access rules

This message is status only, so no action is required.

30143

The connected client was not authenticated. Only policy rules that apply to all users, including anonymous users, can be evaluated for this request. If rule evaluation cannot be completed without user authentication, Forefront TMG will return a response with HTTP error 401 (Unauthorized) or 407 (Proxy Authentication Required), allowing the client to submit the request again with user credentials.

Access rules

This message is status only, so no action is required.

30144

The connected client %4 was authenticated.

All rules

This message is status only, so no action is required.

30145

Forefront TMG started checking Web publishing rules.

Publishing rules

This message is status only, so no action is required.

30146

Forefront TMG will renegotiate the SSL connection with the client and request an SSL client certificate.

Publishing rules

This message is status only, so no action is required.

30148

Forefront TMG requested an SSL client certificate, but either the client did not supply a certificate or SSL client certificate authentication failed. The request will be denied.

Publishing rules

If a client certificate is required, ensure that clients have a relevant certificate from a commercial CA or from an internal CA in your organization.

If clients have a certificate, ensure that the client certificate is valid. The certificate must contain the private key for the account to which the certificate is mapped.

30149

Forefront TMG denied the request with the following error: %4

All rules

Check the error code.

30150

The Web publishing rule<name> will allow the Web request.

Publishing rules

No action is required.

30151

The request will be denied because the Web client failed authentication.

Access rules

Check the following:

  • For rules requiring authentication, check that the client is included in user groups configured for the rule.

  • If you do not want the client to authenticate, check that you have a rule allowing anonymous access.

  • Check that the network on which requests are received is not configured with the setting "Require all users to authenticate". If this setting is enabled, all users must be authenticated for Web access, and rules are not evaluated for a request until users are authenticated successfully.

  • Client computers configured as SecureNAT clients only (with a default gateway point to Forefront TMG) are not able to present authentication credentials.

30152

c started checking the access rules.

Access rules

This message is status only, so no action is required.

30153

Forefront TMG requires the MIME content type of the response to complete policy rule evaluation.

Access rules

This message is status only, so no action is required. The rule requires a content type to determine whether traffic is allowed. Forefront TMG makes a request to the Web server to get the response content-type before evaluating the rule.

30154

Forefront TMG attempted to evaluate the policy rules without resolving the name of the requested destination. Name resolution will now commence.

Access rules

This message is status only, so no action is required.

30155

Forefront TMG started rechecking the access rules after resolving the name of the requested destination through a DNS query.

Access rules

This message is status only, so no action is required.

30156

Forefront TMG started to check the Web chaining rules.

Web chaining rules

This message is status only, so no action is required.

30157

Forefront TMG will assume that the destination is in the External network because the destination name cannot be resolved. Forefront TMG will recheck the access rules.

Access rules

Check that the destination name specified in the packet can be resolved by the Forefront TMG computer to an address inside an internal Forefront TMG network.

30158

The deny access rule <name>matches the Web request. The Web request is denied.

Access rules

If this action is in accordance with the desired policy, no action is required. If not, check the properties of the rule blocking the request and check rule ordering.

30159

Forefront TMG completed checking the policy rules for the Web request.

Access rules

This message is status only, so no action is required.

30160

Evaluation of the access rules requires user authentication, but the connected client is anonymous.

Access rules

Check the following:

  • For rules requiring authentication, check that the client is included in user groups configured for the rule. Client computers configured as SecureNAT clients only (with a default gateway pointing to Forefront TMG) cannot present authentication credentials.

  • If you do not want the client to authenticate, check that you have a rule allowing anonymous access.

  • Also, check that the network on which requests are received is not configured with the setting "Require all users to authenticate". If this setting is enabled, all users must be authenticated for Web access, and rules are not evaluated for a request until users are authenticated successfully.

30162

The request will be denied because the matching access rule denies access.

Access rules

If this action is in accordance with the desired policy, no action is required. If not, check the properties of the rule blocking the request and check rule ordering.

30163

Forefront TMG recognizes the client as a SecureNAT client and will check all rules that apply to TCP port <port number>.

Access rules

This message is status only, so no action is required.

30165

Forefront TMG recognizes the client as a Web proxy client and will check all rules that apply to the HTTP protocol.

Access rules

This message is status only, so no action is required.

30166

Forefront TMG recognizes the client as a Web proxy client and will check all rules that apply to the HTTPS protocol.

Access rules

This message is status only, so no action is required.

30167

Forefront TMG failed to perform a reverse DNS lookup and will attempt to continue with the available information. Error: <error code>.

Access rules

Check the error code for more information. In addition, check that rule elements containing IP addresses are resolvable.

30168

Forefront TMGsucceeded to perform a reverse DNS lookup. The host name is <name>.

Access rules

This message is status only, so no action is required.

30169

Forefront TMG is performing DNS name resolution for the host name <name>.

All rules

This message is status only, so no action is required.

30170

Forefront TMG failed to perform DNS name resolution and will attempt to continue with the available information. Error: <code>.

All rules

Without successful name resolution, Forefront TMG may not be able to match the packet to the rule. Check that rule elements are resolvable.

30171

Forefront TMG succeeded to perform DNS name resolution for the host name <name>.

All rules

No action is required.

30172

Forefront TMG is forwarding the Web request directly to the specified destination.

All rules

This message is status only, so no action is required.

30173

Forefront TMG recognizes the client as a Web proxy client and will check all rules that apply to the FTP (FTP over HTTP) protocol.

Access rules

This message is status only, so no action is required.

30174

Forefront TMG denied a request because policy rule <name> requires authentication before allowing traffic.

All rules

This message is status only, so no action is required.

30500

Forefront TMG denied a request because policy rule <name> requires authentication before allowing traffic.

Access rules

Check that the client making the request is included in user groups configured for the rule. Client computers configured as SecureNAT clients only (with a default gateway pointing to Forefront TMG) cannot present authentication credentials.

If you do not want to authenticate the client, check that you have a rule allowing anonymous access.

30501

Forefront TMG denied a Web request because policy rule <name> requires authentication before allowing traffic.

Access rules

Check that the network on which requests are received is not configured with the setting "Require all users to authenticate". If this setting is enabled, all users must be authenticated for Web access, and rules are not evaluated for a request until users are authenticated successfully.

30502

Traffic was denied by rule <name> after user <name>was authenticated. To configure Forefront TMG to request different credentials instead of denying a Web request, set the ReturnAuthRequiredIfAuthUserDenied COM property to True. For more information and a script for configuring this property, see https://go.microsoft.com/fwlink?LinkId=51097

Access rules

When the ReturnAuthRequiredIfAuthUserDenied property is set to True, clients denied access with an initial set of credentials are given the opportunity to input alternative credentials. When the property is set to False, clients are denied access and do not receive a prompt for new credentials.

In ISA Server 2004, the ReturnAuthRequiredIfAuthUserDenied property is set to True by default. In ISA Server 2006 and Forefront TMG, the default setting is False. This setting cannot be specified on the Forefront TMG Management console. Instead, set the property by using the Software Development Kit (SDK).

30503

An authentication response from a domain controller took <time> seconds. A delay in the response may result in slow Web traffic. The problem may caused by an incorrect domain controller configuration, a high load on the domain controller, a current reboot of the domain controller, or a network problem.

All rules requiring authentication

Troubleshoot authentication issues with the domain controller. The following resources may be useful:

30504

User authentication failed. The request was denied because the password for user <name> expired. To resolve this problem, the user must request a new password in Active Directory.

All rules requiring authentication

Complete a reset for the user password.

30506

RADIUS authentication failed because RADIUS server settings have not been configured in Forefront TMG Management. To resolve this issue, define one or more RADIUS servers. To do this, in Forefront TMG Management, click the General node. On the Tasks pane, click Define RADIUS Servers, and follow the online instructions.

All rules requiring authentication

Configure a RADIUS server to be used by Forefront TMG for authentication. To do this, on the Forefront TMG Management console, click the Web Access Policy node, and then in the Tasks pane, click Configure RADIUS Server Settings. For more information, see the following Microsoft TechNet resources:

30507

RADIUS authentication failed because the RADIUS server <name> could not be contacted. This may happen because a deny rule blocks RADIUS traffic, the RADIUS server is unavailable, or there is a network problem. Verify that the system policy rule "Allow RADIUS authentication from Forefront TMG to trusted RADIUS servers" is enabled, and that the RADIUS server is located in the network object specified in the rule destination.

All rules requiring authentication

  • Check network issues by pinging the RADIUS server from another computer.

  • Check that the same secret is specified on the RADIUS server and on the Forefront TMG computer.

  • Check that Forefront TMG is defined correctly as a RADIUS client.

  • Review event logs on the RADIUS server.

  • To verify the system policy rule, on the Forefront TMG Management console, right-click the Firewall Policy node, click Edit System Policy. In the Configuration Groups list, click RADIUS, and then do the following:

    • On the General tab, verify that the Enable this configuration group check box is selected.

    • On the From tab, verify that the specified network objects contain the RADIUS server. For example, if the default Internal network appears, then the RADIUS server should be located in the default Internal network.

30508

RADIUS authentication failed because user <name> could not be authenticated by the RADIUS server.

All rules requiring authentication

Ensure that the user belongs to the user accounts to which access is permitted. If you are controlling access by means of a remote access policy in RADIUS, ensure that the user account allowed permission has dial-in permissions.

30509

RADIUS authentication failed because user <name> could not respond to the challenge issued by the RADIUS.

All rules requiring authentication

Forefront TMG cannot respond to a challenge from the RADIUS server. Configure the RADIUS server so that it does not issue a challenge to the Forefront TMG RADIUS client.

30510

Active Directory authentication failed because a domain controller could not be contacted. This may happen because Forefront TMG blocks the authentication request, the domain controller is unavailable, or there is a name resolution problem or a connectivity issue. Verify that the system policy rule "Allow access to directory services for authentication purposes" is enabled and allows traffic to the domain controller.

All rules requiring authentication

Check network issues by pinging the Active Directory server from another computer.

Check the Windows Event viewer on the Forefront TMG computer for NetLogon problems or similar issues.

On the Forefront TMG Management console, right-click the Firewall Policy node, and then click Edit System Policy. In the Configuration Groups list, click Active Directory, and then do the following:

  • On the General tab, verify that the Enable this configuration group check box is selected.

  • On the From tab, verify that the specified network objects contain the Active Directory server. For example, if the default Internal network appears, the Active Directory server should be located in the default Internal network.

30511

Active Directory authentication failed because the token passed is invalid. This may happen because the time of the client does not match the time of the domain controller.

All rules requiring authentication

Troubleshoot authentication issues with the domain controller. The following resources may be useful:

30512

Active Directory authentication failed because there was not enough memory available on the domain controller to complete the task.

All rules requiring authentication

Troubleshoot authentication issues with the domain controller. See the previous entry for resource links.

30513

The RSA SecurID server has rejected the passcode for user <name>.

All rules requiring authentication

Check settings on the SecurID server.

30514

The RSA SecurID server requested a new PIN for user <name>.

All rules requiring authentication

Forefront TMG will prompt the user for a new PIN.

30515

The authentication methods required by the Forefront TMG computer and a published Web server are incompatible. Forefront TMG requires <authenticationmethod> authentication, while the Web server requires <authenticationmethod> authentication. Internet Explorer does not support two different authentication methods on same connection. To resolve this problem, either disable authentication on the Forefront TMG computer or on the Web server. Alternatively, use Basic authentication on both, and select the delegate Basic authentication option on the Forefront TMG Web listener.

All rules requiring authentication

To disable authentication on the Forefront TMG computer, on the Listener tab of the publishing rule, click Properties, and then on the Authentication tab of the listener properties, select No authentication in Method clients use to authenticate to Forefront TMG.

To specify that Basic authentication should be used and credentials delegated to the published Web server, do the following:

  • On the Listener tab of the publishing rule, click Properties. On the Authentication tab of the listener properties, select HTTP Authentication in Method clients use to authenticate to Forefront TMG, and then select Basic. Click OK to close the listener properties.

Click the Authentication Delegation tab of the rule properties, and then select Basic authentication in Method used by Forefront TMG to authenticate to the published Web server.

Note that modifying the listener affects all publishing rules using the listener.

30516

Forefront TMG started checking the policy rules for a Web request with the target path <name>.

This message is status only, so no action is required.

30518

Checking for secondary inbound traffic. Packet properties: Original source IP address:<IP address> Original source array network:<name> Original destination array network: <name>

Inbound access

This message is status only, so no action is required.

Concepts

Using diagnostic logging