
I have a TMG 2010 server that I am using to restrict access to one of our remote networks. I have a rule there to deny RDP access to the network. It is based on membership of a security group in AD. Any member of that group is an exception to the rule, and so they can bypass it and get RDP access to the network.
I have the network specified as a certain subnet, and the restriction is working ok apart from one thing: when I update the membership of the security group, it takes a while for the user to get access.
I have forced replication between our DCs, but it doesn't make any difference. Usually, if they log on and off, it does take effect. But this isn't always practical.
Any ideas on forcing TMG to replicate with AD more often?

asked 12/01/2011 09:02


sherryfitzgroup


8 Answers:
This isn't an issue with replication between the AD/TMG.

Your client presents its group membership to the TMG server (using Kerberos) when it requests a connection; but your client only updates its cache of your group membership during logon (and possibly Kerberos TGT renewal).

answered


CGretski

Thanks. Is there any way we can force it to update without logging off and on? I have found that it does take effect after about 10-15 mins even without logging off and on.
We need to add and remove people quite often to give them temporary access to certain servers.

answered 2011-12-02 at 07:17:16


sherryfitzgroup

Try a gpupdate /force from a DOS prompt. This is the fastest way to update it, but it's manual.

answered 2011-12-02 at 09:20:59


sherryfitzgroup

I'm not sure about TMG, but with ISA 2006 the rules were based on user sets which contained AD groups. If that's still the case then you can add their user account directly into the user set and it will take effect immediately; however, that means the change is always made within TMG and not in the AD.

answered 2011-12-02 at 11:44:54


CGretski

I noticed that as a possible fix alright. It makes it more difficult to manage though.

answered 2011-12-02 at 12:09:47


sherryfitzgroup

You might be able to use "klist purge" to delete the cached Kerberos TGT.
When the client tries to open a new connection it would have to request a new TGT (including new group membership info).

klist is part of the server resource kits though, so you'd have to get it to the client machines first.

Other than that, you could try moving to a non-Kerberos authentication scheme. NTLM/RADIUS/LDAP would all cause the ISA to query the AD for group membership rather than relying on the client cache, but I'm not sure if you could do it in a way that would authenticate the client automatically/silently.

answered 2011-12-05 at 09:58:27


CGretski
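To make the "klist purge" approach above less hit-and-miss, here is an added PowerShell example (not from this thread, and not a TMG feature) that first confirms the group change has actually replicated to every DC and only then purges the client's ticket cache. It assumes the RSAT ActiveDirectory module is installed and that it runs in the affected user's own, non-elevated session on the client; the group and user names are placeholders.

```powershell
# Added example: verify AD group replication, then purge cached Kerberos tickets so
# the next request to TMG carries a fresh TGT/PAC with the updated group membership.
param(
    [Parameter(Mandatory)] [string]$GroupName,   # placeholder, e.g. the TMG exception group
    [Parameter(Mandatory)] [string]$UserSam      # placeholder, e.g. "jdoe"
)
Import-Module ActiveDirectory

# 1. Ask each DC directly (bypassing DC locator) whether it already sees the membership.
#    A client may get its TGT from any DC, so all of them must agree before purging.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$pending = @()
foreach ($dc in $dcs) {
    $members = Get-ADGroupMember -Identity $GroupName -Server $dc -Recursive |
               Select-Object -ExpandProperty SamAccountName
    if ($members -contains $UserSam) { Write-Output "OK   $dc" }
    else                             { Write-Output "WAIT $dc"; $pending += $dc }
}
if ($pending) {
    # Same step the poster took by hand: push replication to all partitions, then re-run.
    repadmin /syncall /AdeP | Out-Null
    Write-Warning "Membership not yet visible on: $($pending -join ', '). Re-run after replication."
    return
}

# 2. Discard the cached TGT and service tickets for THIS logon session only.
#    An elevated (UAC) prompt is a different logon session, so run this non-elevated.
klist purge | Out-Null

# 3. Nothing is re-fetched until the user touches a Kerberos-protected resource;
#    after the next RDP attempt through TMG, 'klist tgt' shows the new TGT and
#    the ticket's PAC carries the current group membership. The existing logon
#    token (what 'whoami /groups' prints) is NOT updated by this; only a fresh
#    logon rebuilds that.
klist
```

If the purge is done before replication has converged, a DC that still holds the old membership can hand out a fresh TGT that is just as stale, which is why the replication check comes first.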

Thanks, I'll give it a shot. I can see that klist is built into Windows 7.

answered 2011-12-05 at 14:17:42


sherryfitzgroup

A1, thanks. klist purge works.

answered 2011-12-06 at 02:28:43


sherryfitzgroup


Last updated: 12/09/2011 12:17