rsweezie
Forefront TMG Slow Upload Speeds

We have several forefront tmg servers connected to a 100mbit v-ethernet fibre connection from our ISP.   Download speeds are always good (25-50mbit), but for some reason, upload speeds from computers behind the TMG firewalls are always much slower (1-5mbit).

The setup is pretty simple - a Cisco router manages the connection and is connected to an unmanaged gigabit switch. The TMG servers also have their external interfaces connected to that switch. If I plug a notebook into this switch (assigning a public address and bypassing TMG) I get the upload speeds I would expect.

I've tried manually setting connection speeds, duplex, etc., on the TMG external NICs but it hasn't made a difference.

Also, the TMG servers are from different vendors / network cards and all exhibit the same symptom, so it seems like it must be something within TMG.

Any thoughts would be greatly appreciated.
Keith Alabaster

And PMTU discovery is enabled on the FTMG boxes?

Define 'several FTMG boxes' - are these multiple arrays and nodes or just multiple nodes on a single array?
Is Service pack 1 deployed?
Are you using 2008 sp2 or 2008 R2?

What FTMG clients are you using? SecureNAT? Web Proxy? FTMG firewall client?

If you disable the web proxy filter on the outbound rules, does the upload speed improve?
Also, are you checking for malware inspection on the rule?
Hi rsweezie,

It seems that you have a wrong or bad configuration on your network cards, such as DNS or the default gateway, so please explain your network card (internal & external) configurations in more detail, the static routes (if you have any) and the DNS used on each card, because, for example, if TMG is a member of your domain, then you have to modify the DNS settings as follows:

- Remove the DNS settings from the external NIC and use only the internal one; that also requires a specific rule to enable DNS ports and protocols to go through the TMG firewall.

Here is a very good and professional article on how you should set up your network cards:

https://www.experts-exchange.com/Microsoft/Windows_Security/A_1477-Configuring-ISA-2004-2006-Forefront-Threat-Management-Gateway-for-basic-networking-and-DNS-settings.html

Also, there are some extra steps that you have to make sure of, like unchecking "register in DNS" on the external NIC and others.

I will be waiting for your detailed configurations to troubleshoot more.

Regards,
MKhairy
Just as a pointer, and thanks for pointing at my article by the way, the issue would also manifest itself with poor download speeds or timeouts if it was just dns/basic config issues.

I am also running two similar questions for people on TechNet so will feed info in from there once the asker has responded.

Keith
rsweezie (ASKER)

Thanks for the replies. Here are some more details:

We actually have 3 x gateways configured: 2 FTMG (standalone - non-array members) and one old ISA 2006 box (which is due to be decommissioned but I've kept around for testing this issue). I see the same problem on all 3 boxes. To simplify things I'll give details from the FTMG box that publishes our web / mail server.

- TMG 2010 SP1 installed on 2008 R2
- Two network interfaces, "external" & "internal"
- SecureNAT clients
- Malware checking disabled
- Disabling the web proxy filter doesn't seem to make any difference

I reviewed the (very nice) article on DNS configuration and I think everything is in line with the recommendations:
- Gateway on the external card points to the IP address of our router
- Internal DNS entry points to our internal DNS servers - no DNS configured on the external
- NetBIOS, etc. configured as per the article

My understanding is that PMTU is enabled by default on 2008 R2. We haven't disabled it - is there something else that needs to be done to allow it to work successfully over TMG?

One other interesting point - I did some more tests by plugging my notebook into the external switch (which connects TMG and the ISP's router) and assigning it a public address.

So the network setup there would look like this:

ISP Router ----- SWITCH -----  TMG --- Internal Web Server
   |
   |
As mentioned before, I get expected speeds to the internet. I also tried grabbing a test file from our webserver so, in effect, going through ISA but not the

Sorry, the last one somehow posted before I was finished.  Here is the last section:

So the network setup there would look like this:

ISP Router ----- SWITCH -----  TMG --- Internal Web Server
                              |
                              |
                         NOTEBOOK

As mentioned before, I get expected speeds to the internet. When I grab a file from our "Internal Web Server" to the notebook, I'm also getting expected speeds - in this case, because it's all local, about 32 MB/s.

The fact that the notebook in that situation can get good speeds to both the internet and the web server seems to indicate to me that it must be something like an MTU issue, but I've been unable to figure it out.

Also tried replacing the external switch.

Thanks again for the help.
'Should be enabled by default' and 'is enabled' are two different things in respect to the PMTU - worth checking the registry.
Have you captured any of the packets to see if they are being further fragmented?

From what I can find, it takes a registry entry to disable PMTU - that entry isn't present on any of the servers.

I also did some testing with mturoute from my client computer. I get an MTU of 1500 between it and the server from which I download a test file - also, a Wireshark capture isn't showing any fragmentation of the file being downloaded. Despite everything being "fine", however, I'm still only getting about 4 Mbit/s.
Try connecting the TMG directly to the router and test again.
ASKER CERTIFIED SOLUTION
simonlimon
Keith - as per the article, I don't have an EnablePMTUDiscovery key defined (which means "enabled" in Microsoft land).

Simon - was your final solution to bypass the proxy?
Correct - you have to create the key
Sorry - what I meant was not having the key means it is enabled:

"PMTU discovery is enabled by default but can be disabled by adding this value to the registry key and setting it to 0."

Yes, we bypassed the proxy, as it wasn't a requirement.
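A quick way to verify the registry state Keith and Simon discuss above (and the asker's "that entry isn't present" check earlier in the thread), as an added example that is not code from this thread, from Microsoft or from the TMG product: it reads EnablePMTUDiscovery under the standard Tcpip\Parameters key, treats an absent value as the Windows default (enabled), and lists each interface's MTU with netsh so a non-1500 external NIC stands out. The registry path and value name are the documented Windows ones; the function names and the -FixIfDisabled switch are this example's own.

```powershell
# Added example: audit Path MTU Discovery state on a Windows Server 2008 R2 / TMG host.
# Registry path and value name are the standard Windows TCP/IP parameters;
# the function names and the -FixIfDisabled switch are this example's own.

function Get-PmtuDiscoveryState {
    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $valueName = 'EnablePMTUDiscovery'

    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Value absent: Windows applies its default, which is PMTU discovery enabled.
        return New-Object PSObject -Property @{ Present = $false; Value = $null; Enabled = $true }
    }

    # Value present: 0 disables PMTU discovery, anything else leaves it enabled.
    $v = [int]$item.$valueName
    return New-Object PSObject -Property @{ Present = $true; Value = $v; Enabled = ($v -ne 0) }
}

function Test-PmtuDiscovery {
    param([switch]$FixIfDisabled)

    $state = Get-PmtuDiscoveryState
    if ($state.Enabled) {
        if ($state.Present) {
            Write-Host "EnablePMTUDiscovery = $($state.Value): PMTU discovery is enabled."
        } else {
            Write-Host "EnablePMTUDiscovery not present: default applies, PMTU discovery is enabled."
        }
    } else {
        Write-Warning "EnablePMTUDiscovery = 0: PMTU discovery is DISABLED on this host."
        if ($FixIfDisabled) {
            # Re-enable by writing the documented value; TCP/IP parameter changes need a reboot.
            New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
                -Name 'EnablePMTUDiscovery' -Value 1 -PropertyType DWord -Force | Out-Null
            Write-Host "Set EnablePMTUDiscovery to 1; reboot for the TCP/IP stack to pick it up."
        }
    }

    # Per-interface MTU: netsh is used because it exists on 2008 R2
    # (the Get-NetIPInterface cmdlet only arrived with Server 2012).
    netsh interface ipv4 show subinterfaces

    return $state
}

# Usage: run from an elevated PowerShell prompt on each TMG / ISA box.
# Add -FixIfDisabled to restore the default if the value is found set to 0.
Test-PmtuDiscovery
```

Run it on every gateway in the thread's setup (both FTMG boxes and the ISA 2006 box) and compare: an absent value or a value of 1 on all of them rules PMTU discovery out as the cause, which is the point the asker reaches before PSS identifies the buffer-size issue.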
I spoke to PSS about this issue. Apparently it's a known issue in both TMG and ISA and relates to a TCP buffer size. They are working on a fix which they hope to have available within a week or two. If anyone else experiences this, I'd suggest contacting PSS - as a known issue they should refund your incident.

Simon - your issue was likely the same one since disabling the proxy does solve the problem (this isn't an option in our case).