---------------
I finally managed to get TMG working on Server 2012. Steps below:
Create a Windows 2008 R2 server and install TMG in the usual way. There is no need to configure TMG at this point.
Insert your Windows Server 2012 R2 media (via vSphere in my case) and upgrade Windows to Server 2012 - retain all settings and applications.
When the Windows 2012 upgrade has completed, run a repair on the TMG application from Programs and Features. Ignore any errors. The TMG services will not be able to start at this point.
Reboot the server.
Open Network and Sharing Center and click on Change adapter settings.
Select Properties on one of your NICs and click on Install.
Select Service and click on Add.
Select Microsoft Corporation and tick the Forefront TMG Packet Filter.
Click all the OKs. This will add the TMG filter to the other NICs. Double check then reboot the server.
The TMG services should now be started and you can now configure TMG.
Check the Windows Services and enable any required services that were disabled during the Server 2012 upgrade; e.g. SQL Server.
Edited by WasDos Monday, March 12, 2018 7:48 PM
Proposed as answer by Hamza Zuberi Sunday, August 11, 2019 5:08 PM
Monday, March 12, 2018 7:39 PM
---------------
Finally managed to crack it. The steps provided by WasDos are correct (thanks!), BUT they're out of sequence. I initially upgraded the OS to 2012 R2 and repaired the TMG installation. Internet services started working immediately during the final "initialization" stage. Then, as per the above steps, I rebooted (once again, clients were able to use the Internet after services started), then added the TMG Packet Filter service to the interface. At this point, all Internet services stopped working. Running TMG repair again did not help.
(EDIT: After installing TMG 2010 Standard on 2008 R2, I configured it completely, tested all the rules I might need in a production environment, installed all updates for Windows 2008 R2 as well as for TMG 2010. At this point, I made a backup of my VM's VHDX file before upgrading it to 2012 R2 for testing.)
I started from scratch again with my backup VHDX, upgraded the OS to 2012 R2 and this time round, added the packet filter service to the network adapter BEFORE repairing TMG, and then rebooted. Works like a charm. The only problems I saw were: -
1. "SQL Server (MSFW)" service was stopped and disabled. This is necessary for logging, so I simply enabled (set to Automatic startup) and started the service.
2. "Microsoft Forefront TMG Firewall" service stopped without an error a few minutes after booting, due to which Internet services stopped working on the client end. I simply restarted the service which fixed the problem. The firewall service stops after a failed attempt to start the TMG Managed Control Service. If you reboot the server/VM, you'll need to restart the service once.
3. "Microsoft Forefront TMG Managed Control" service is stopped and refuses to start. Nonetheless, all TMG services operate normally and clients are able to access the Internet. Any further changes to TMG rules and objects etc. are saved and committed without any hiccups. In fact, applying changes is much faster in 2012 R2. From what I understand, unless you're running Email protection policies (spam filtering, IP blocking etc.), this is really not needed.
(EDIT2: The TMG Managed Control Service is set to stop the TMG Firewall service if it fails to start itself. To resolve this issue, open the Services snap-in and in properties for the "Microsoft Forefront TMG Managed Control" service, click on the "Recovery" tab and delete the entry for "net.exe" program and the command line parameters "stop /y fwsrv" and click OK to save.
Alternate method (careful when editing the Registry!): Open Registry (Start -> Run -> Regedit), navigate to HKEY_LOCAL_MACHINE -> SYSTEM -> Current Control Set -> Services -> ISAManagedCtrl and change the data value ("net.exe stop /y fwsrv") for "FailureCommand" Value to blank.)
(EDIT 3: Just noticed while troubleshooting the Managed Control issue: Even with the above modification to the service's recovery options, if you set the Log On account for the managed control service to anything other than SYSTEM, the firewall service will stop by itself approximately 3 minutes after starting, regardless of how many times you restart it. That's even if the Managed Control service is disabled and the "TAKE NO ACTION" option is selected from the droplists.)
4. Logging works fine, but generating reports returns an error that the TMG Control service cannot be accessed. If you look up the error, it is a known one with a resolution (Rollup 1 for TMG SP2), but when you go to download it, it has been discontinued. This is a serious issue for those who require detailed reporting, but personally, I have no reason to worry as most of my analysis is based on logging (using the live or past option in the logging filter). The generated reports are pretty useless unless you need general stats, e.g. the top visited sites, active users, services, protocols etc. I have tried a few things (allowing the service to interact with the desktop, changing the log on account to administrator), but these didn't help. I also checked to see if the recommended method of increasing the UIRpcTimeout value works, but couldn't find the parent key in either 2008 R2 or 2012 R2 (HKEY_LOCAL_MACHINE -> SOFTWARE -> MICROSOFT -> FPC -> LOGGING). FPC exists, but the sub-key "Logging" doesn't, before or after the OS upgrade. I will look into this further when I have free time and provide an update here.
Sunday, August 11, 2019 5:14 PM
Hamza Zuberi
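The post-upgrade service fixes described in the post above (re-enable SQL Server (MSFW), blank the ISAManagedCtrl FailureCommand so it no longer stops fwsrv, check the Managed Control log-on account, restart the firewall service), collected into a PowerShell script. This is an added example, not code from the thread; the service names and registry path come from the post, and the script is assumed to run in an elevated session on the TMG server.

```powershell
# Added example: audit the TMG service state after the 2012 R2 upgrade and,
# with -Fix, apply the remediations from the post. Without -Fix it only reports.
param([switch]$Fix)

$ctrlKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ISAManagedCtrl'

# Win32_Service exposes StartMode and StartName on PowerShell 3/4 (default on 2012 R2),
# where Get-Service does not yet report the startup type.
function Get-Svc([string]$Filter) { Get-CimInstance Win32_Service -Filter $Filter }

# 1. SQL Server (MSFW) is disabled by the upgrade but is required for TMG logging.
$sql = Get-Svc "DisplayName='SQL Server (MSFW)'"
if ($null -eq $sql) { Write-Warning 'SQL Server (MSFW) service not found' }
else {
    Write-Host "SQL Server (MSFW): $($sql.State), StartMode=$($sql.StartMode)"
    if ($Fix -and $sql.StartMode -ne 'Auto') { Set-Service -Name $sql.Name -StartupType Automatic }
    if ($Fix -and $sql.State -ne 'Running') { Start-Service -Name $sql.Name }
}

# 2. The Managed Control recovery action "net.exe stop /y fwsrv" takes the firewall
#    down whenever ISAManagedCtrl fails to start. Save the original value, then blank it.
$failCmd = (Get-ItemProperty -Path $ctrlKey -Name FailureCommand -ErrorAction SilentlyContinue).FailureCommand
Write-Host "ISAManagedCtrl FailureCommand: '$failCmd'"
if ($Fix -and $failCmd) {
    # 'FailureCommand.bak' is our own backup value (not a Windows-defined name) so the edit can be undone
    New-ItemProperty -Path $ctrlKey -Name 'FailureCommand.bak' -Value $failCmd -PropertyType String -Force | Out-Null
    Set-ItemProperty -Path $ctrlKey -Name FailureCommand -Value ''
}

# 3. Per EDIT 3: if Managed Control runs as anything other than SYSTEM, fwsrv still
#    stops about 3 minutes after starting, so this is a report-only check.
$ctrl = Get-Svc "Name='ISAManagedCtrl'"
if ($ctrl) {
    Write-Host "ISAManagedCtrl Log On account: $($ctrl.StartName)"
    if ($ctrl.StartName -ne 'LocalSystem') {
        Write-Warning 'ISAManagedCtrl is not running as LocalSystem; the firewall service will keep stopping'
    }
}

# 4. The firewall service (fwsrv) needs one manual start after each reboot.
$fw = Get-Svc "Name='fwsrv'"
if ($fw) {
    Write-Host "Microsoft Forefront TMG Firewall (fwsrv): $($fw.State)"
    if ($Fix -and $fw.State -ne 'Running') { Start-Service -Name fwsrv }
}
```

Run it once without `-Fix` to confirm the reported state matches the symptoms in the post before letting it change anything.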
---------------
Successfully converted the Gen1 TMG VM (Host OS: 2016, Guest OS: 2012 R2) to a Gen2 VM, all services checked, no changes in TMG functionality (TMG Managed Control service is still stopped, and Reporting is not working). Everything else is okay, as before converting. The only difference is that the newly generated VHDX is of type "dynamically expanding" whereas the original Gen1 VHDX was type "fixed".
I used the following script for the conversion. IMPORTANT: Read the full notes (especially the warnings) on this page before attempting the conversion: -
https://code.msdn.microsoft.com/ConvertVMGeneration
To fully understand the differences between Gen1 & Gen2 VMs, and for details on the three stages involved in the above script, make sure to read the related blog by the author: -
https://blogs.technet.microsoft.com/jhoward/2013/11/14/hyper-v-generation-2-virtu...achines-part-10/
Tuesday, August 13, 2019 5:41 AM
Hamza Zuberi
For now, I'm using this on the TMG server to generate and view reports on Server 2012 R2:
http://127.0.0.1:8008/Reports_ISARS/Pages/Folder.aspx