Solved

ForeFront TMG Internet Access Slow at Times

Posted on 2010-08-19
7,383 Views
Last Modified: 2013-12-08
Hi,

I recently installed Forefront TMG on my Windows 2008 R2 server, and am having problems with the internet access on client machines. From time to time the internet access seems slow and unresponsive; one minute the internet is fast and the next it is very slow at loading websites.

Also, when visiting sites such as YouTube, videos take a few moments to load and the whole site takes a while to fully respond.

Any ideas?
Thanks
Question by:TechLad
10 Comments
 
LVL 7

Expert Comment

by:Mohamed Khairy
ID: 33479793
Hi techLad,

Can you explain more what type of WAN connection you use on TMG to enable Internet access for the users' computers? Also, do you have any cache rule enabled?

Regards,
MKhairy
 
LVL 16

Expert Comment

by:PaciB
ID: 33483086
Hi,

Please describe exactly the DNS configuration of your TMG... Which DNS servers do you use on the NICs of the TMG server!?
Your problem looks like a common mistake with ISA and TMG: a lot of people indicate internal DNS servers on the internal NIC and external DNS servers (the DNS of the provider) on the external NIC. That IS A MISTAKE!

Please check that on your TMG and let us know.


Have a good day.
 

Author Comment

by:TechLad
ID: 33485219
mkhairy:

Currently, the WAN is set up on the TMG server via ethernet from the internet router, and ethernet from the TMG server to the domain controller. The domain controller uses Routing and Remote Access to serve that machine and the other client machines with internet access. Upon looking, assuming I'm looking in the correct place, in the Web Access Policy section Web Caching appears to be disabled on the rule allowing internet access.

PaciB:

DNS is provided by the router; there is no IP address currently set on the NIC facing the internet (External) on the TMG server, as that NIC is set to automatically assign the IP and DNS address.

Also, DNS is provided by the domain controller, and an IP address is set for the NIC which faces that machine (Internal).
 
LVL 16

Accepted Solution

by:
PaciB earned 500 total points
ID: 33486313
Hi,

As I said before, you have made the common mistake in your TMG configuration:

You have declared the internal DNS (your domain controller) as a DNS server on the internal NIC of the TMG, and you have the external NIC (the one connected to the internet router) receiving DNS servers from the router...

If the internal DNS server is unable to resolve external DNS names, then your TMG configuration is bad!

What probably happens is that when your TMG needs to reach a web page, it first has to resolve the URL to an IP address. For that, TMG asks DNS servers to resolve it. What you probably don't know is that the DNS client service on Windows is unable to know which DNS to interrogate... if you have DNS servers on one NIC and other DNS servers on another NIC, the DNS client service manages the DNS list as a single list... so to resolve, it will just take the first DNS server in the list and try to interrogate it. If the first DNS in the list is the internal one, and if this DNS server is not able to resolve external names, the resolution will fail and after many tries ISA may use the next DNS server in the list...

That is probably what makes the Internet access seem so slow!


If your TMG server is not a member of the domain, it doesn't need to resolve internal DNS names, so in this case you must remove any internal DNS server from the NIC configuration. Your TMG server should only interrogate external DNS servers.

If your TMG server is a member of the AD domain, then you should modify your DNS architecture so that TMG only interrogates internal DNS servers (you can go to the external NIC configuration to force DNS servers instead of using DHCP).
Then you must make sure that your internal DNS servers are able to retransmit requests to external DNS servers (by adding a DNS forwarder, for example).
What you can also do, and what I usually do when I install ISA or TMG, is to install the "DNS Server" Windows component on the TMG server. Configure this DNS Server with no DNS zone but ONLY DNS forwarders, as follows:
One conditional DNS forwarder for the DNS suffix of your internal domain that redirects requests to the IP addresses of the internal DNS.
One unconditional DNS forwarder that redirects any other request to the IP addresses of external DNS servers.
Finally, in the IP configuration of the NICs of the TMG server, you ONLY indicate the IP address of the TMG server as the ONLY DNS server to interrogate; remove any other DNS server address.
Doing it like that, when TMG has to resolve a DNS name to reach a URL, it interrogates its own DNS service. This DNS service will redirect the request to internal DNS servers if the requested DNS name ends with the DNS suffix of the internal domain, or will redirect the DNS request to external DNS servers in any other case.

By the way, you should really avoid DHCP configuration on any NIC of a TMG server... For the external NIC of the TMG, you should statically configure an IP address that matches the IP range of the router and configure the gateway manually.


Have a good day.

 

Author Comment

by:TechLad
ID: 33487172
PaciB:

Would it be possible to ask for a to-do list of steps to take to try and correct this problem on the TMG server as part of a domain?

Thanks,
Matt
LVL 16

Assisted Solution

by:PaciB
PaciB earned 500 total points
ID: 33500814
Hi,

OK, here is a method to make sure that TMG interrogates internal DNS for internal name resolution and external DNS for external name resolution:

First of all, on the TMG server, in a CMD prompt type the command IPCONFIG /ALL.
Note the IP configuration of the external NIC: the address, the mask and gateway, and of course the DNS servers that are given by the router.

Look at the DHCP range in the router configuration to see if there is a part of the IP subnet that is not distributed by DHCP, or check if you can add an exclusion, because the first step you need is to configure a static IP address on the TMG external NIC.


Then, on the TMG server, in Server Manager click on "Roles" and choose "Add Roles".
Check the "DNS Server" role and proceed to install this component.

When the installation of the DNS Server role is finished, open the DNS console (in Administrative Tools).
In the left part of the DNS console, right-click on "Conditional Forwarders" and choose "New Conditional Forwarder".
In the "DNS Domain" field type the FQDN of your internal AD domain (ex: mydomain.local). Add the IP addresses of your internal DNS servers for your internal domain.
Click "OK".
In the left part of the DNS console, right-click on the TMG server name and choose "Properties".
In the "Forwarders" tab, add the IP addresses of the external DNS servers (the IP addresses of the DNS servers that you noted before on the external NIC).
In the "Interfaces" tab, verify that only the internal IP address is linked to the DNS service. If necessary, uncheck the external NIC IP address so that the DNS service does not listen to DNS requests coming from outside.

After that, go to the IP configuration of the external NIC and configure a static IP address, mask and gateway, AND type 127.0.0.1 as the DNS server to interrogate (and NO other).
Go to the IP configuration of the internal NIC, remove all DNS servers and replace them with 127.0.0.1 only!

From a CMD console on the TMG server, use the PING command to ping an internal server or computer using its FQDN (ex: PING mycomputer.mydomain.local). Even if the PING gets no response (because TMG rules may refuse ICMP traffic), you should see that the PING command has resolved the DNS name and says something like "Pinging mycomputer.mydomain.local [10.1.1.1]"...
Now, use PING to ping an external DNS name (ex: PING www.hp.com). Again, the PING command should have resolved the name...


The problem here is that if the DNS service on TMG is stopped, no DNS resolution can occur. I don't see any reason for the DNS service to stop without human intervention... but you should be aware of that.

Have a good day.

 

Author Comment

by:TechLad
ID: 33544966
PaciB:

I have a few questions on the section about adding "conditional forwarders" to the DNS: is it correct, or an error, when I enter the details for it to pop up with a red cross in the corner? Although it does that, it still allows me to continue and add the conditional forwarder.

Another question (I may have misread), but on the domain controller NIC which faces the TMG server, do I put in the default gateway for the TMG server and 127.0.0.1, or leave the DNS blank?

Other than that, I think the problem is drawing to a close; it seems a lot quicker in responding to website requests than before.
 
LVL 16

Assisted Solution

by:PaciB
PaciB earned 500 total points
ID: 33546670
Hi,

Sorry for my poor English. I think I often use bad sentences that are hard to understand.

About conditional forwarders: when you type the IP addresses of the DNS servers to which to retransmit IP packets, the GUI tries to make a reverse DNS resolution to find the FQDN associated with the IP you typed. If reverse DNS resolution is not working, the GUI cannot find the name and might show a red icon. So don't think too much about that. You'll make some tests later to ensure all is OK.

About IP settings, you don't have to change anything on the domain controller.
On the TMG server, only the external NIC should have a default gateway, which points to the router that connects you to the Internet. The internal NIC must not have any gateway, so you must leave it blank.
Again, in the TMG server IP settings, you remove any DNS server addresses on all NICs (leave blank) except on the internal NIC, where you configure only one DNS server, which must be 127.0.0.1. What we want here is that the TMG server only interrogates its own DNS service and no other. The DNS service will be in charge of transmitting the request to the next DNS server using the forwarders you have configured.

When you think that all is ready, take some time to test the DNS resolution like this:

1) Open a CMD console on the TMG server.
2) Empty the local DNS cache by typing the command IPCONFIG /FLUSHDNS
3) Type the command NSLOOKUP
4) At the nslookup prompt type SERVER 127.0.0.1
5) Type the FQDN of one internal computer or server and finish with a dot (example: myserver.mydomain.local.) Again, don't forget the dot at the end of the name. You should obtain the IP address of the internal computer. That validates the conditional forwarder for your internal domain.
6) Type the FQDN of one external web site and finish with a dot (example: www.microsoft.com.) You should obtain the IP address of one of the Microsoft web servers. That validates the unconditional forwarder.

Let me know your tests and results. Don't hesitate to attach screenshots if necessary.

Have a good day.
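Scripted form of the forwarder design in PaciB's accepted solution and of the nslookup check above, as an added example that is not part of the thread. It assumes NIC aliases "Internal" and "External", placeholder addresses for the TMG server, the router and the DNS servers, the thread's example domain mydomain.local, and that dnscmd, netsh and the ServerManager PowerShell module are available (they ship with Windows Server 2008 R2).

```powershell
# Added example (not from the thread): scripts the DNS-forwarder setup PaciB
# describes for a domain-joined TMG server on Windows Server 2008 R2, using
# dnscmd and netsh (both present on that OS). Run elevated on the TMG box.
# Every value below is an assumption/placeholder: replace with the values noted
# from IPCONFIG /ALL and from the router's DHCP exclusion.
$InternalNic  = "Internal"                # alias of the LAN-facing NIC
$ExternalNic  = "External"                # alias of the router-facing NIC
$InternalIP   = "10.1.1.1"                # TMG's own internal address
$ExternalIP   = "192.168.1.2"             # static, outside the router's DHCP range
$ExternalMask = "255.255.255.0"
$ExternalGw   = "192.168.1.1"             # the internet router
$AdDomain     = "mydomain.local"          # internal AD DNS suffix (thread's example)
$InternalDns  = @("10.1.1.10")            # domain controller(s) hosting the AD zone
$ExternalDns  = @("203.0.113.53", "203.0.113.54")  # DNS servers the router hands out

# 1. Install the DNS Server role (ServerManager module ships with 2008 R2).
Import-Module ServerManager
Add-WindowsFeature DNS

# 2. Conditional forwarder: names under the AD suffix go to the internal DNS.
& dnscmd /ZoneAdd $AdDomain /Forwarder $InternalDns

# 3. Unconditional forwarders: every other name goes to the external DNS.
& dnscmd /ResetForwarders $ExternalDns

# 4. Listen on the internal address only, so the service cannot be queried from outside.
& dnscmd /ResetListenAddresses $InternalIP

# 5. Static address, mask and gateway on the external NIC (the internal NIC keeps no gateway).
& netsh interface ipv4 set address "name=$ExternalNic" source=static "address=$ExternalIP" "mask=$ExternalMask" "gateway=$ExternalGw"

# 6. Per PaciB's later clarification: the internal NIC resolves only through the
#    local DNS service and the external NIC lists no DNS server at all.
#    validate=no skips the reachability probe that would reject the loopback address.
& netsh interface ipv4 set dnsservers "name=$InternalNic" source=static address=127.0.0.1 validate=no
& netsh interface ipv4 set dnsservers "name=$ExternalNic" source=static address=none validate=no

# 7. Verify as in the thread's nslookup test: flush the cache, then resolve one
#    internal and one external name (trailing dot = fully qualified) against 127.0.0.1.
& ipconfig /flushdns | Out-Null
& nslookup "myserver.$AdDomain." 127.0.0.1      # should answer from the conditional forwarder
& nslookup "www.microsoft.com." 127.0.0.1       # should answer from the unconditional forwarder
```

If either nslookup times out, check the corresponding forwarder and that the DNS service is running, since with this design the TMG server has no other resolver to fall back on.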



Expert Comment

by:GradySr
ID: 38906952
TMG 2010, Server 2008 R2.
Browsing is fast from the TMG server and painfully slow when connecting from a client.
I can ping www.google.com from the server and not from the client.
 
LVL 16

Expert Comment

by:PaciB
ID: 38908482
GradySr, the current question has already been closed.

If you have trouble or need some help you should create a new question with your own symptoms.

Have a good day.