Forefront TMG Internet Access Slow at Times


I recently installed Forefront TMG on my Windows 2008 R2 server, and am having problems with the internet access on client machines. From time to time the internet access seems slow and unresponsive; one minute the internet is fast and the next it's very slow at loading websites.

Also, when visiting sites such as YouTube, videos take a few moments to load and the whole site takes a while to fully respond.

Any ideas?
Bruno PACI, IT Consultant, commented:

As I said before, you have made the common mistake in your TMG configuration:

You have declared the internal DNS (your domain controller) as a DNS server on the internal NIC of the TMG, and you have the external NIC (the one connected to the internet router) receiving DNS servers from the router...

If the internal DNS server is unable to resolve external DNS names, then your TMG configuration is bad!

What probably happens is that when your TMG needs to reach a web page, it first has to resolve the URL to an IP address. For that, TMG asks DNS servers to resolve it. What you probably don't know is that the DNS client service on Windows is unable to know which DNS to interrogate... if you have DNS servers on one NIC and other DNS servers on another NIC, the DNS client service manages the DNS list as a single list... so to resolve a name it will just take the first DNS server in the list and try to interrogate it. If the first DNS in the list is the internal one, and if this DNS server is not able to resolve external names, the resolution will fail and after many tries ISA may use the next DNS server in the list...

That is probably what makes the Internet access seem so slow!

If your TMG server is not a member of the domain, it doesn't need to resolve internal DNS names, so in this case you must remove any internal DNS server from the NIC configuration. Your TMG server should only interrogate external DNS servers.

If your TMG server is a member of the AD domain, then you should modify your DNS architecture so that TMG only interrogates internal DNS servers (you can go to the external NIC configuration to force DNS servers instead of using DHCP).
Then you must make sure that your internal DNS servers are able to retransmit requests to an external DNS server (by adding a DNS forwarder, for example).
What you can also do, and what I usually do when I install ISA or TMG, is to install the "DNS Server" Windows component on the TMG server. Configure this DNS Server with no DNS zone but ONLY DNS forwarders, as follows:
One conditional DNS forwarder for the DNS suffix of your internal domain that redirects requests to the IP addresses of the internal DNS.
One unconditional DNS forwarder that redirects any other request to the IP addresses of external DNS servers.
Finally, in the IP configuration of the NICs of the TMG server you ONLY indicate the IP address of the TMG server as the ONLY DNS server to interrogate; remove any other DNS server address.
Doing it like that, when TMG has to resolve a DNS name to reach a URL, it interrogates its own DNS service. This DNS service will redirect the request to the internal DNS servers if the requested DNS name ends with the DNS suffix of the internal domain, or will redirect the DNS request to the external DNS servers in any other case.

By the way, you should really avoid DHCP configuration on any NIC of a TMG server... On the external NIC of the TMG you should statically configure an IP address that matches the IP range of the router and configure the gateway manually.

Have a good day.

Mohamed Khairy, Enterprise Solutions Architect, commented:
Hi techLad,

Can you explain more about what type of WAN connection you are using on TMG to enable Internet access for the users' computers? Also, do you have any cache rule enabled?

Bruno PACI, IT Consultant, commented:

Please describe exactly the DNS configuration of your TMG... Which DNS servers do you use on the NICs of the TMG server!?
Your problem looks like a common mistake with ISA and TMG: a lot of people indicate internal DNS servers on the internal NIC and external DNS servers (the DNS of the provider) on the external NIC. That IS A MISTAKE!

Please check that on your TMG and let us know.

Have a good day.
TechLad (Author) commented:

Currently, the WAN on the TMG server is set up via Ethernet from the internet router, and Ethernet from the TMG server to the domain controller. The domain controller uses Routing and Remote Access to serve that machine and the other client machines with internet access. Upon looking, assuming I'm looking in the correct place, in the Web Access Policy section, Web Caching appears to display as disabled on the rule allowing internet access.

DNS is provided by the router; there is no IP address currently set on the NIC facing the internet (External) on the TMG server, as that NIC is set to automatically assign the IP and DNS address.

Also, DNS is provided by the domain controller, and an IP address is set for the NIC which faces that machine (Internal).
TechLad (Author) commented:

Would it be possible to ask for a to-do list of steps to take to try and correct this problem on the TMG server as part of a domain?

Bruno PACI, IT Consultant, commented:

OK, here is a method to make sure that TMG interrogates internal DNS for internal name resolution and external DNS for external name resolution:

First of all, on the TMG server, in a CMD prompt type the command IPCONFIG /ALL.
Note the IP configuration of the external NIC. Note the address, the mask and gateway, and of course the DNS servers that are given by the router.

Look at the DHCP range in the router configuration to see if there is a part of the IP subnet that is not distributed by DHCP, or check if you can add an exclusion, because the first step you need is to configure a static IP address on the TMG external NIC.

Then, on the TMG server, in Server Manager click on 'Roles' and choose "Add Roles".
Check the "DNS Server" role and proceed to install this component.

When the installation of the DNS Server role is finished, open the DNS console (in Administrative Tools).
In the left part of the DNS console, right-click on "Conditional Forwarders" and choose "New Conditional Forwarder".
In the "DNS domain" field type the FQDN of your internal AD domain (ex: mydomain.local). Add the IP addresses of your internal DNS servers for your internal domain.
Click "OK".
In the left part of the DNS console, right-click on the TMG server name and choose "Properties".
In the "Forwarders" tab, add the IP addresses of the external DNS servers (the IP addresses of the DNS servers that you noted before on the external NIC).
In the "Interfaces" tab, verify that only the internal IP address is linked to the DNS service. If necessary, uncheck the external NIC IP address so that the DNS service does not listen to DNS requests coming from outside.

After that, go to the IP configuration of the external NIC and configure a static IP address, mask and gateway, AND type and the DNS server to interrogate (and NO other).
Go to the IP configuration of the internal NIC and remove all DNS servers and replace them by only !

From a CMD console on the TMG server, use the PING command to ping an internal server or computer using its FQDN (ex: PING mycomputer.mydomain.local). Even if the PING gets no response (because TMG rules may refuse ICMP traffic) you should see that the PING command has resolved the DNS name and should say something like "Pinging mycomputer.mydomain.local []"...
Now, use PING to ping an external DNS name (ex: PING Again, the PING command should have resolved the name...

The problem here is that if the DNS service on TMG is stopped, no DNS resolution can occur. I don't see any reason for the DNS service to stop without human intervention... but you should be aware of that.

Have a good day.

TechLad (Author) commented:

I have a few questions on the section about adding "conditional forwarders" to the DNS: is it correct, or an error, when I enter the details and it pops up with a red cross in the corner? Although it does that, it still allows me to continue and add the conditional forwarder.

Another question, I may have misread, but on the domain controller NIC which faces the TMG server, do I put in the default gateway for the TMG server and/or leave the DNS blank?

Other than that I think the problem is drawing to a close; it seems a lot quicker responding to website requests than before.
Bruno PACI, IT Consultant, commented:

Sorry for my poor English. I think I often use bad sentences that are hard to understand.

About conditional forwarders, when you type the IP addresses of the DNS servers to which to retransmit IP packets, the GUI tries to make a reverse DNS resolution to find the FQDN associated with the IP you typed. If reverse DNS resolution is not working, the GUI cannot find the name and might show a red icon. So don't think too much about that. You'll make some tests later to ensure all is OK.

About IP settings, you don't have to change anything on the domain controller.
On the TMG server, only the external NIC should have a default gateway, which points to the router that connects you to the Internet. The internal NIC must not have any gateway, so you must leave it blank.
Again, in the TMG server IP settings, you remove any DNS server addresses on all NICs (leave blank) except on the internal NIC, where you configure only one DNS server, which must be What we want to do here is that the TMG server only interrogates its own DNS service and no other. The DNS service will be in charge of transmitting the request to the next DNS server using the forwarders you have configured.

When you think that all is ready, take some time to test the DNS resolution like this:

1) Open a CMD console on the TMG server.
2) Empty the local DNS cache by typing the command IPCONFIG /FLUSHDNS
3) Type the command NSLOOKUP
4) At the nslookup prompt type SERVER
5) Type the FQDN of one internal computer or server and finish with a dot (example: myserver.mydomain.local.). Again, don't forget the dot at the end of the name. You should obtain the IP address of the internal computer. That validates the conditional forwarder for your internal domain.
6) Type the FQDN of one external web site and finish with a dot (example: You should obtain the IP address of one of the Microsoft web servers. That validates the unconditional forwarder.

Let me know your tests and results. Don't hesitate to attach screenshots if necessary.

Have a good day.
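The forwarder-only DNS layout Bruno describes in his two answers above (install the DNS Server role, one conditional forwarder for the AD suffix, one unconditional forwarder to the external resolver, loopback as the TMG server's only DNS, then the nslookup check) can be scripted with the tools that ship on Windows Server 2008 R2. This is an added example written for this thread, not code from any of the posters; the NIC names, addresses and domain name are constructed placeholders, and 127.0.0.1 is used because the TMG server is meant to query its own DNS service.

```powershell
# Added example (not from the original thread). Scripts the DNS setup described
# above on a Server 2008 R2 TMG box using Add-WindowsFeature, dnscmd.exe and
# netsh.exe. Every value below is an assumed placeholder; adjust to your network.
$IntNic   = "Internal"        # NIC towards the LAN / domain controller
$ExtNic   = "External"        # NIC towards the Internet router
$AdDomain = "mydomain.local"  # internal AD DNS suffix (placeholder)
$IntDns   = "10.0.0.10"       # internal DNS server, e.g. the domain controller
$ExtDns   = "203.0.113.53"    # external resolver noted from IPCONFIG /ALL
$IntIp    = "10.0.0.1"        # TMG internal NIC address
$IntMask  = "255.255.255.0"
$ExtIp    = "192.168.1.2"     # static address chosen outside the router's DHCP range
$ExtMask  = "255.255.255.0"
$ExtGw    = "192.168.1.1"     # the Internet router: the ONLY default gateway on the box

# 1. Install the DNS Server role (ServerManager module is present on 2008 R2).
Import-Module ServerManager
Add-WindowsFeature DNS

# 2. Conditional forwarder: names under the AD suffix go to the internal DNS.
dnscmd /ZoneAdd $AdDomain /Forwarder $IntDns

# 3. Unconditional forwarder: everything else goes to the external resolver.
dnscmd /ResetForwarders $ExtDns

# 4. Listen only on the internal address, never on the Internet-facing NIC.
dnscmd /ResetListenAddresses $IntIp

# 5. External NIC: static IP/mask/gateway and no DNS servers at all.
netsh interface ipv4 set address "name=$ExtNic" source=static address=$ExtIp mask=$ExtMask gateway=$ExtGw
netsh interface ipv4 set dnsservers "name=$ExtNic" source=static address=none

# 6. Internal NIC: no gateway, and loopback as the only DNS server, so TMG asks
#    its own DNS service, which forwards according to steps 2 and 3.
#    validate=no stops netsh from probing the server before the role is up.
netsh interface ipv4 set address "name=$IntNic" source=static address=$IntIp mask=$IntMask gateway=none
netsh interface ipv4 set dnsservers "name=$IntNic" source=static address=127.0.0.1 validate=no

# 7. Verify as in the nslookup test: flush the cache, then resolve one internal
#    and one external FQDN (trailing dot) directly against the local service.
ipconfig /flushdns
nslookup "myserver.$AdDomain." 127.0.0.1   # should return the internal host's address
nslookup "www.example.com." 127.0.0.1      # placeholder external name; should return a public address
```

If either nslookup query fails while the same name resolves when queried against $IntDns or $ExtDns directly, the corresponding forwarder (step 2 or 3) is what to re-check.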

TMG 2010, Server 2008 R2.
Browsing is fast from the TMG server and painfully slow when connecting from a client.
I can ping from the server and not from a client.
Bruno PACI, IT Consultant, commented:
GradySr, the current question has already been closed.

If you have trouble or need some help you should create a new question with your own symptoms.

Have a good day.