Forefront TMG Slow Upload Speeds

and the pmtu discovery is enabled on the FTMG boxes?

Define 'several FTMG boxes' - are these multiple arrays and nodes or just multiple nodes on a single array?
Is Service pack 1 deployed?
Are you using 2008 sp2 or 2008 R2?

What FTMG clients are you using? SecureNAT? Web Proxy? FTMG firewall client?

If you disable the web proxy filter on the outbound rules, does the upload speed improve?
Also, are you checking for malware inspection on the rule?

HI rsweezie,

It seems that you have a wrong or bad configurations on your network cards such as dns or the default gateway so please explain more your network cards ( Internal & External ) configurations, static routes (if you have) and the DNS used on each cards, because for example if TMG is a member of your domain, then you have to modify the DNS settings as follow :

- Remove the dns settings from the external NIC and use only the internal one and thats required also a specific rule to enable DNS ports and protocols to go through TMG firewall.

Here is a very good and professional article on how you should set up your network cards:

http://www.experts-exchange.com/Microsoft/Windows_Security/A_1477-Configuring-ISA-2004-2006-Forefront-Threat-Management-Gateway-for-basic-networking-and-DNS-settings.html

Also, there are some extra step that you have to make sure from like unchecking register dns from external nic and others.

I will be waiting for your detailed configurations to troubleshoot more.

Regards,
MKhairy

Just as a pointer, and thanks for pointing at my article by the way, the issue would also manifest itself with poor download speeds or timeouts if it was just dns/basic config issues.

I am also running two similar questions for people on TechNet so will feed info in from there once the asker has responded.

Keith

Thanks for the replies.  Here are some more details:

We actually have 3 x gateways configured.  2 FTMG (standalone - non array members) and one old ISA 2006 box (which is due to be decommissioned but I've kept around for testing this issue).  I see the same problem on all 3 boxes.   To simplify things I'll give details from the ftmg box that publishes our web / mail server.

- TMG 2010 SP1 installed on 2008 r2
- Two network interfaces, "external" & "internal"
- Securenat clients
- malware checking disabled
- disabling the web proxy filter doesn't seem to make any difference

I reviewed the (very nice) article on dns configuration and I think everything is in line with the recommendations:
- Gateway on the external card points to the IP address of our router
- Internal DNS entry points to our internal dns servers - no dns configured on the external
- netbios, etc configured as per the article

My understanding is that PMTU is enabled by default on 2008 r2.  We haven't disabled it - is there something else that needs to be done to allow it to work successfully over TMG?

One other interesting point - I did some more tests by plugging my notebook into the external switch (which connects TMG and the ISP's router) and assigning it a public address.  

So the network setup there would look like this:

ISP Router ----- SWITCH -----  TMG --- Internal Web Server
   |
   |



As mentioned before, I get expected speeds to the internet.   I also tried grabbing a test file from our webserver so, in effect, going through ISA but not the

Sorry, the last one somehow posted before I was finished.  Here is the last section:

So the network setup there would look like this:

ISP Router ----- SWITCH -----  TMG --- Internal Web Server
                              |
                              |
                         NOTEBOOK

As mentioned before, I get expected speeds to the internet.   When I grab a file from our "Internal Web Server" to the notebook, I'm also getting expected speeds - in this case, because it's all local about 32 mbytes / sec.

The fact that the notebook in that situation can get good speeds to both the internet and the web server seems to indicate to me that it must be something like an MTU issue, but I've been unable to figure it out.

Also tried replacing the external switch.

Thanks again for the help.

Should be enabled by default and 'is enabled' are two different things in respect to the PMTU - worth checking the registry.
Have you captured any of the packets to see if they are being further fragmented?

From what I can find, it takes a registry entry to disable PMTU  - that entry isn't present on any of the servers.

I also did some testing with mturoute from my client computer.  I get an MTU of 1500 between it and the server from which I download a test file - also a wireshark capture isn't showing any fragmentation of the file being downloaded.   Despite everything being "fine", however, I'm still only getting about 4mbit / s.

Try connecting the TMG directly to the router and test again.

These are the registry entries
http://msdn.microsoft.com/en-us/library/ms817967.aspx

Keith - as per the article, I don't have an EnablePMTUDiscovery key defined (which means "enabled" in microsoft land).

Simon - was your final solution to bypass the proxy?


 

Correct - you have to create the key

Sorry - what I meant was not having the key means it is enabled:

"PMTU discovery is enabled by default but can be disabled by adding this value to the registry key and setting it to 0."

Yes, we bypassed the proxy, as it wasn't a requirement.

I spoke to PSS about this issue.  Apparently it's a known issue in both TMG and ISA and relates to a tcp buffer size.   They are working on a fix which they hope to have available within a week or two.  If anyone else experiences this, I'd suggest contacting PSS - as a known issue they should refund your incident.

Simon - your issue was likely the same one since disabling the proxy does solve the problem (this isn't an option in our case).