Solved

Forefront TMG Slow Upload Speeds

Posted on 2010-09-12
Last Modified: 2012-05-10
We have several Forefront TMG servers connected to a 100mbit v-ethernet fibre connection from our ISP. Download speeds are always good (25-50mbit), but for some reason upload speeds from computers behind the TMG firewalls are always much slower (1-5mbit).

The setup is pretty simple - a Cisco router manages the connection and is connected to an unmanaged gigabit switch. The TMG servers also have their external interfaces connected to that switch. If I plug a notebook into this switch (assigning a public address and bypassing TMG) I get the upload speeds I would expect.

I've tried manually setting connection speeds, duplex, etc. on the TMG external NICs, but it hasn't made a difference.

Also, the TMG servers are from different vendors / network cards and all exhibit the same symptom, so it seems like it must be something within TMG.

Any thoughts would be greatly appreciated.
Question by: rsweezie

16 Comments

LVL 51

Expert Comment

by:Keith Alabaster
ID: 33657135
And PMTU discovery is enabled on the FTMG boxes?

Define 'several FTMG boxes' - are these multiple arrays and nodes or just multiple nodes on a single array?
Is Service pack 1 deployed?
Are you using 2008 sp2 or 2008 R2?

What FTMG clients are you using? SecureNAT? Web Proxy? FTMG firewall client?

If you disable the web proxy filter on the outbound rules, does the upload speed improve?
Also, are you checking for malware inspection on the rule?
LVL 7

Expert Comment

by:Mohamed Khairy
ID: 33657213
Hi rsweezie,

It seems that you have a wrong or bad configuration on your network cards, such as DNS or the default gateway, so please explain your network card (Internal & External) configurations in more detail: static routes (if you have any) and the DNS used on each card. For example, if TMG is a member of your domain, then you have to modify the DNS settings as follows:

- Remove the DNS settings from the external NIC and use only the internal one; that also requires a specific rule to allow the DNS ports and protocols through the TMG firewall.

Here is a very good and professional article on how you should set up your network cards:

http://www.experts-exchange.com/Microsoft/Windows_Security/A_1477-Configuring-ISA-2004-2006-Forefront-Threat-Management-Gateway-for-basic-networking-and-DNS-settings.html

Also, there are some extra steps that you have to make sure of, like unchecking "register this connection's addresses in DNS" on the external NIC, and others.

I will be waiting for your detailed configurations to troubleshoot more.

Regards,
MKhairy
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33657222
Just as a pointer (and thanks for pointing at my article, by the way): the issue would also manifest itself as poor download speeds or timeouts if it were just a DNS/basic config issue.

I am also running two similar questions for people on TechNet so will feed info in from there once the asker has responded.

Keith
LVL 1

Author Comment

by:rsweezie
ID: 33657384
Thanks for the replies.  Here are some more details:

We actually have 3 gateways configured: 2 FTMG (standalone - not array members) and one old ISA 2006 box (which is due to be decommissioned, but I've kept it around for testing this issue). I see the same problem on all 3 boxes. To simplify things I'll give details from the FTMG box that publishes our web / mail server.

- TMG 2010 SP1 installed on 2008 R2
- Two network interfaces, "external" & "internal"
- SecureNAT clients
- Malware checking disabled
- Disabling the web proxy filter doesn't seem to make any difference

I reviewed the (very nice) article on DNS configuration and I think everything is in line with the recommendations:
- Gateway on the external card points to the IP address of our router
- Internal DNS entry points to our internal DNS servers - no DNS configured on the external
- NetBIOS, etc. configured as per the article

My understanding is that PMTU is enabled by default on 2008 R2. We haven't disabled it - is there something else that needs to be done to allow it to work successfully over TMG?

One other interesting point - I did some more tests by plugging my notebook into the external switch (which connects TMG and the ISP's router) and assigning it a public address.

So the network setup there would look like this:

ISP Router ----- SWITCH -----  TMG --- Internal Web Server
   |
   |

As mentioned before, I get expected speeds to the internet. I also tried grabbing a test file from our webserver so, in effect, going through ISA but not the

LVL 1

Author Comment

by:rsweezie
ID: 33657398
Sorry, the last one somehow posted before I was finished.  Here is the last section:

So the network setup there would look like this:

ISP Router ----- SWITCH -----  TMG --- Internal Web Server
                              |
                              |
                         NOTEBOOK

As mentioned before, I get expected speeds to the internet. When I grab a file from our "Internal Web Server" to the notebook, I'm also getting expected speeds - in this case, because it's all local, about 32 MB/s.

The fact that the notebook in that situation can get good speeds to both the internet and the web server seems to indicate to me that it must be something like an MTU issue, but I've been unable to figure it out.

Also tried replacing the external switch.

Thanks again for the help.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33657509
"Should be enabled by default" and "is enabled" are two different things in respect of the PMTU - worth checking the registry.
Have you captured any of the packets to see if they are being further fragmented?
LVL 1

Author Comment

by:rsweezie
ID: 33657717
From what I can find, it takes a registry entry to disable PMTU - that entry isn't present on any of the servers.

I also did some testing with mturoute from my client computer. I get an MTU of 1500 between it and the server from which I download a test file - also, a Wireshark capture isn't showing any fragmentation of the file being downloaded. Despite everything being "fine", however, I'm still only getting about 4 Mbit/s.
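The path MTU check the asker did with mturoute can also be reproduced with the built-in ping.exe and the Don't Fragment flag. This is an added example, not code from the thread: it binary-searches the largest ICMP payload that passes unfragmented and reports the implied path MTU (payload plus 28 bytes of IP and ICMP headers). The target host name is a placeholder.

```powershell
# Added example (not from the thread): probe the path MTU to a host by sending
# ping.exe echo requests with DF set (-f) and a chosen payload size (-l).
# A reply containing "TTL=" means the size passed; Windows reports
# "Packet needs to be fragmented but DF set." when it did not.
function Find-PathMtu {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$Low  = 548,    # assumed to pass: 576-byte minimum MTU minus 28
        [int]$High = 1472    # payload that exactly fills a 1500-byte Ethernet MTU
    )
    function Test-PayloadSize([int]$Size) {
        $out = & ping.exe -n 1 -f -l $Size $Target 2>&1 | Out-String
        return ($out -match 'TTL=') -and ($out -notmatch 'fragmented')
    }
    if (-not (Test-PayloadSize $Low)) {
        throw "Even a $Low-byte payload did not pass unfragmented to $Target"
    }
    # Binary search between the known-good and known-bad sizes.
    while ($High - $Low -gt 1) {
        $mid = [int][math]::Floor(($Low + $High) / 2)
        if (Test-PayloadSize $mid) { $Low = $mid } else { $High = $mid }
    }
    if (Test-PayloadSize $High) { $Low = $High }
    [pscustomobject]@{
        Target     = $Target
        MaxPayload = $Low
        PathMtu    = $Low + 28   # IP header (20) + ICMP header (8)
    }
}

# Placeholder host; run from a client behind TMG against the server you download from.
Find-PathMtu -Target 'webserver.example.invalid'
```

A result of 1472 / 1500 matches the mturoute figure in the thread; a smaller value points at a hop that clamps the MTU, which is the case PMTU discovery is supposed to handle.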
LVL 7

Expert Comment

by:Mohamed Khairy
ID: 33657736
Try connecting the TMG directly to the router and test again.
LVL 10

Accepted Solution

by:
simonlimon earned 250 total points
ID: 33657813
I experienced this as well, I bypassed the proxy and upload speeds were fine.
LVL 1

Author Comment

by:rsweezie
ID: 33657865
Keith - as per the article, I don't have an EnablePMTUDiscovery key defined (which means "enabled" in Microsoft land).

Simon - was your final solution to bypass the proxy?
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33657896
Correct - you have to create the key
LVL 1

Author Comment

by:rsweezie
ID: 33657970
Sorry - what I meant was not having the key means it is enabled:

"PMTU discovery is enabled by default but can be disabled by adding this value to the registry key and setting it to 0."
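The exchange above turns on whether an absent EnablePMTUDiscovery value means "enabled". The following added example (not from the thread) reports the effective state on a Windows Server 2008 R2 / TMG host by reading the documented Tcpip\Parameters value and treating absence as the enabled default, as the quoted Microsoft text states.

```powershell
# Added example (not from the thread): report the effective PMTU discovery
# state. EnablePMTUDiscovery is a DWORD under the TCP/IP parameters key;
# when it is absent Windows behaves as if it were 1 (enabled), and only an
# explicit 0 disables path MTU discovery.
function Get-PmtuDiscoveryState {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $name = 'EnablePMTUDiscovery'

    # -ErrorAction SilentlyContinue returns $null when the value is not defined.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Value     = $null
            Effective = 'Enabled (default; value not present)'
        }
    }

    $v = [int]$item.$name
    $state = if ($v -eq 0) { 'Disabled (explicitly set to 0)' }
             else          { "Enabled (explicitly set to $v)" }
    [pscustomobject]@{ Value = $v; Effective = $state }
}

Get-PmtuDiscoveryState | Format-List
```

Run it on each TMG and ISA box in turn; a "Disabled" result on any of them is the mismatch Keith was asking the asker to rule out.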

0
 
LVL 10

Expert Comment

by:simonlimon
ID: 33659947
Yes, we bypassed the proxy, as it wasn't a requirement.
LVL 1

Author Comment

by:rsweezie
ID: 33696864
I spoke to PSS about this issue. Apparently it's a known issue in both TMG and ISA and relates to a TCP buffer size. They are working on a fix which they hope to have available within a week or two. If anyone else experiences this, I'd suggest contacting PSS - as a known issue they should refund your incident.

Simon - your issue was likely the same one since disabling the proxy does solve the problem (this isn't an option in our case).
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 250 total points
ID: 33699703
Not quite accurate but close enough.

Besides being the zone advisor here on EE for ISA and Forefront, I am also the Owner and Moderator of the MS TechNet ISA and Forefront Internet Access Forum on Microsoft's TechNet and MSDN.

The issue was first seen a couple of weeks ago and I escalated this to the development team at the time. If you are interested, this is a link to the TechNet Forum and the associated thread.

http://social.technet.microsoft.com/Forums/en-US/ForefrontedgeIA/thread/3871606b-6547-48dd-a79d-053bba72067b

Keith