Tech Blog

Ok so after enabling the lockout policies for TMG (see below) I’ve had a few issues where I’m not 100% sure if a users account is locked out in TMG or their phone is just being daft or if their AD account is locked out…

So my first thought was to monitor the traffic coming through the TMG to see if a user account is receiving blocked connections, well nothing was coming through at all (I should note when I’m not having this issue, theres loads of lovely green connections coming through this filter)!!

See:

So after some head scratching I realised TMG logs its lockouts to the event view under Application:

There’s also evidence of failed password attempts in the security section of the event viewer:

Done.

I’m guessing plenty of people out in the world of the internet use Microsoft Forefront Threat Management Gateway (TMG) 2010 with Service Pack 2 to do clever things like proxy traffic to their Exchange servers or/and their Lync servers!

Well just like them I do the same wizardry including proxying Active Sync traffic from mobile phones & ipads to our Exchange server.  Happy days, well not really.. we kept getting users (normally directors or shouty people) changing their AD passwords but forgetting to change their passwords on their mobile phones or ipads leading to the inevitable account lockout…leading to me say to the user

“Have you changed your password recently? Yes, did you say…have you also changed it on all your mobile products, I bet you havnt!?”

So after the 500th time of this happening I decided there must be a way for TMG to block the connection if the user doesnt change his/her password….so I turned to google and found this excellent solution on configuring account lockouts on the TMG itself!  Thanks Jan Egil Ring

If you don’t want to read the excellent blog link I posted above then here’s the powershell commands to implement on your TMG server for youself:

First RDP to your TMG Server,

Open PowerShell command prompt,

Type:

$FPC =  New-Object -ComObject FPC.root

Enter

$array = $FPC.GetContainingArray()

Enter

Now you need to edit YOUR TMG listener

$listener = $array.RuleElements.WebListeners | Where-Object {$_.Name -eq "WHAT EVER YOUR LISTENER IS CALLED"}

Enter

Now lets see what you have configured

$listener.properties

Enter

You should see something like the below, notice the bottom three lines:

Now lets change those bottom three lines to something more useable like 600 seconds lockout time, 3 wrong password attempts (best to be less than your normal AD lockout attempts) and enable the bugger:

$listener.Properties.AccountLockoutResetTime = 600
$listener.Properties.AccountLockoutThreshold = 3
$listener.Properties.EnableAccountLockout = $true

Enter

Finally lets save it

$listener.Save()

Enter

Now last of all lets check if the settings have saved with the line we used earlier:

$listener.properties

Enter and should look like this:

Lovely!!! Now test it by jamming your password into your phone incorrectly 3 times and check if your account is locked out in AD or just on the TMG!!

Done