Solved

Forefront TMG Slow Upload Speeds

Posted on 2010-09-12
16
3,285 Views
Last Modified: 2012-05-10
We have several forefront tmg servers connected to a 100mbit v-ethernet fibre connection from our ISP.   Download speeds are always good (25-50mbit), but for some reason, upload speeds from computers behind the TMG firewalls are always much slower (1-5mbit).

The setup is pretty simple - a Cisco router manages the connection and is connected to an unmanaged gigabit switch.   The TMG servers also have their external interfaces connected to that switch.   If I plug a notebook into this switch (assigning a public address and bypassing TMG) I get the upload speeds I would expect.

I've tried manually setting connection speeds, duplex, etc, on the TMG external nics but it hasn't made a difference.  

Also, the TMG servers are from different vendors / network cards and all exhibit the same symptom, so it seems like it must be something within TMG.

Any thoughts would be greatly appreciated.
Question by:rsweezie
16 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33657135
And is PMTU discovery enabled on the FTMG boxes?

Define 'several FTMG boxes' - are these multiple arrays and nodes or just multiple nodes on a single array?
Is Service pack 1 deployed?
Are you using 2008 sp2 or 2008 R2?

What FTMG clients are you using? SecureNAT? Web Proxy? FTMG firewall client?

If you disable the web proxy filter on the outbound rules, does the upload speed improve?
Also, are you checking for malware inspection on the rule?
0
 
LVL 7

Expert Comment

by:Mohamed Khairy
ID: 33657213
Hi rsweezie,

It seems that you have a wrong or bad configuration on your network cards, such as DNS or the default gateway, so please explain your network card (internal & external) configuration in more detail, including static routes (if you have any) and the DNS used on each card. For example, if TMG is a member of your domain, then you have to modify the DNS settings as follows:

- Remove the DNS settings from the external NIC and use only the internal one; that also requires a specific rule to allow DNS ports and protocols through the TMG firewall.

Here is a very good and professional article on how you should set up your network cards:

http://www.experts-exchange.com/Microsoft/Windows_Security/A_1477-Configuring-ISA-2004-2006-Forefront-Threat-Management-Gateway-for-basic-networking-and-DNS-settings.html

Also, there are some extra steps that you have to check, like unchecking "register in DNS" on the external NIC, and others.

I will be waiting for your detailed configurations to troubleshoot more.

Regards,
MKhairy
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33657222
Just as a pointer (and thanks for pointing at my article, by the way), the issue would also manifest itself as poor download speeds or timeouts if it were just a DNS/basic config issue.

I am also running two similar questions for people on TechNet so will feed info in from there once the asker has responded.

Keith
0
 
LVL 1

Author Comment

by:rsweezie
ID: 33657384
Thanks for the replies.  Here are some more details:

We actually have 3 x gateways configured.  2 FTMG (standalone - non array members) and one old ISA 2006 box (which is due to be decommissioned but I've kept around for testing this issue).  I see the same problem on all 3 boxes.   To simplify things I'll give details from the ftmg box that publishes our web / mail server.

- TMG 2010 SP1 installed on 2008 r2
- Two network interfaces, "external" & "internal"
- Securenat clients
- malware checking disabled
- disabling the web proxy filter doesn't seem to make any difference

I reviewed the (very nice) article on dns configuration and I think everything is in line with the recommendations:
- Gateway on the external card points to the IP address of our router
- Internal DNS entry points to our internal dns servers - no dns configured on the external
- netbios, etc configured as per the article

My understanding is that PMTU is enabled by default on 2008 r2.  We haven't disabled it - is there something else that needs to be done to allow it to work successfully over TMG?

One other interesting point - I did some more tests by plugging my notebook into the external switch (which connects TMG and the ISP's router) and assigning it a public address.  

So the network setup there would look like this:

ISP Router ----- SWITCH -----  TMG --- Internal Web Server
   |
   |

As mentioned before, I get expected speeds to the internet.   I also tried grabbing a test file from our webserver so, in effect, going through ISA but not the
0
 
LVL 1

Author Comment

by:rsweezie
ID: 33657398
Sorry, the last one somehow posted before I was finished.  Here is the last section:

So the network setup there would look like this:

ISP Router ----- SWITCH -----  TMG --- Internal Web Server
                              |
                              |
                         NOTEBOOK

As mentioned before, I get expected speeds to the internet.   When I grab a file from our "Internal Web Server" to the notebook, I'm also getting expected speeds - in this case, because it's all local about 32 mbytes / sec.

The fact that the notebook in that situation can get good speeds to both the internet and the web server seems to indicate to me that it must be something like an MTU issue, but I've been unable to figure it out.

Also tried replacing the external switch.

Thanks again for the help.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33657509
'Should be enabled by default' and 'is enabled' are two different things in respect of PMTU - worth checking the registry.
Have you captured any of the packets to see if they are being further fragmented?

0
 
LVL 1

Author Comment

by:rsweezie
ID: 33657717
From what I can find, it takes a registry entry to disable PMTU  - that entry isn't present on any of the servers.

I also did some testing with mturoute from my client computer.  I get an MTU of 1500 between it and the server from which I download a test file - also a wireshark capture isn't showing any fragmentation of the file being downloaded.   Despite everything being "fine", however, I'm still only getting about 4mbit / s.
0
 
LVL 7

Expert Comment

by:Mohamed Khairy
ID: 33657736
Try connecting the TMG directly to the router and test again.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33657812
0
 
LVL 10

Accepted Solution

by:simonlimon
simonlimon earned 250 total points
ID: 33657813
I experienced this as well, I bypassed the proxy and upload speeds were fine.
0
 
LVL 1

Author Comment

by:rsweezie
ID: 33657865
Keith - as per the article, I don't have an EnablePMTUDiscovery key defined (which means "enabled" in microsoft land).

Simon - was your final solution to bypass the proxy?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33657896
Correct - you have to create the key
0
 
LVL 1

Author Comment

by:rsweezie
ID: 33657970
Sorry - what I meant was not having the key means it is enabled:

"PMTU discovery is enabled by default but can be disabled by adding this value to the registry key and setting it to 0."

0
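To make the two checks discussed in this thread concrete (the EnablePMTUDiscovery registry value in the last few comments, and the MTU probing rsweezie did with mturoute and Wireshark), here is an added PowerShell example. It is not code from the thread or from Microsoft; it assumes an elevated PowerShell on a Windows Server 2008 R2 (or later) host such as the TMG server, and the target host name is a placeholder.

```powershell
# Added example, not from the thread: confirm whether PMTU discovery is really
# enabled on a Windows host (the registry value is absent by default, and only
# a DWORD of 0 disables it) and probe the path MTU to a remote host with
# Don't-Fragment pings. Assumes an elevated PowerShell on Windows Server
# 2008 R2 or later; $Target is a placeholder host, not one from the thread.
param(
    [string]$Target = "www.example.com"
)

# 1. Registry: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery.
#    Absent or non-zero means PMTU discovery is enabled; 0 means it was disabled.
function Get-PmtuDiscoveryState {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    $value = (Get-ItemProperty -Path $key -Name EnablePMTUDiscovery -ErrorAction SilentlyContinue).EnablePMTUDiscovery
    if ($null -eq $value) { return "enabled (value not present, Windows default)" }
    if ($value -eq 0)     { return "DISABLED (EnablePMTUDiscovery = 0)" }
    return "enabled (EnablePMTUDiscovery = $value)"
}

# 2. Path MTU probe: ping with DF set (-f) and a given payload (-l). A reply
#    containing "TTL=" means that size got through; "needs to be fragmented"
#    or a timeout means it did not. Binary-search the largest payload, then
#    add the 20-byte IP and 8-byte ICMP headers to get the path MTU.
function Find-PathMtu {
    param([string]$TargetHost, [int]$Low = 0, [int]$High = 1472)
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        $out = & ping.exe -n 1 -w 1000 -f -l $mid $TargetHost 2>&1 | Out-String
        if ($out -match "TTL=") { $Low = $mid } else { $High = $mid - 1 }
    }
    return $Low + 28
}

Write-Output ("PMTU discovery: " + (Get-PmtuDiscoveryState))
Write-Output "Interface MTUs as seen by the stack:"
netsh interface ipv4 show subinterfaces
Write-Output ("Path MTU to {0}: {1} bytes" -f $Target, (Find-PathMtu -TargetHost $Target))
```

A payload of 1472 getting through with DF set means 1500 bytes end to end, which is what mturoute reported in the thread; a smaller result while the registry says "enabled" points at ICMP "fragmentation needed" messages being dropped somewhere on the path rather than at the host setting. Note that this probe only exercises ICMP and packet size, so a clean result does not rule out the TCP buffer-size problem the thread ends on; for that, the Wireshark capture of the slow transfer (window sizes and retransmissions on the TMG external interface) is still the evidence to collect.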
 
LVL 10

Expert Comment

by:simonlimon
ID: 33659947
Yes, we bypassed the proxy, as it wasn't a requirement.
0
 
LVL 1

Author Comment

by:rsweezie
ID: 33696864
I spoke to PSS about this issue.  Apparently it's a known issue in both TMG and ISA and relates to a TCP buffer size.   They are working on a fix which they hope to have available within a week or two.  If anyone else experiences this, I'd suggest contacting PSS - as a known issue they should refund your incident.

Simon - your issue was likely the same one since disabling the proxy does solve the problem (this isn't an option in our case).
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 250 total points
ID: 33699703
Not quite accurate but close enough.

Besides being the zone advisor here on EE for ISA and Forefront, I am also the Owner and Moderator of the MS TechNet ISA and Forefront Internet Access Forum on Microsoft's TechNet and MSDN.

The issue was first seen a couple of weeks ago and I escalated this to the development team at the time. If you are interested, this is a link to the TechNet Forum and the associated thread.

http://social.technet.microsoft.com/Forums/en-US/ForefrontedgeIA/thread/3871606b-6547-48dd-a79d-053bba72067b

Keith
0
