  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 11265

Forefront TMG event log errors?

We just deployed our first Forefront TMG server, and for the most part it is going well. However, I have quite a few entries in my event viewer of the following:

Forefront TMG detected Windows Filtering Platform filters that may cause policy conflicts on the server <servername>. The following providers may define filters that conflict with the Forefront TMG firewall policy: unnamed provider(s).

The IP address specified for communication between this Forefront TMG computer (oldIPaddressusedfortesting) and other array members is not bound to a network adapter installed on this computer. The IP address specified for intra-array communication must be bound to a network adapter installed on the computer.

The routing table for the network adapter LAN includes IP address ranges that are not defined in the array-level network Internal, to which it is bound. As a result, packets arriving at this network adapter from the IP address ranges listed below or sent to these IP address ranges via this network adapter will be dropped as spoofed. To resolve this issue, add the missing IP address ranges to the array network. The following IP address ranges will be dropped as spoofed: External:<external IPs published for various resources such as RDP>

Forefront TMG was unable to decompress a response body from photography.shop.ebay.com because the following error occurred: The data is invalid. This error may occur when the available memory is insufficient, the response is corrupted due to a network problem, or the server returns an illegal response.

I apologize if these are separate issues; the messages feel quite vague to me and I'm not sure whether they're related. I can answer any infrastructure questions you may have - thanks!
0
sbumpas
Asked:
sbumpas
2 Solutions
 
Keith AlabasterCommented:
Yes they are separate questions and no, they are not vague at all apart from the first one.

Supply the outputs from an ipconfig /all and a route print from the tmg box.
0
 
sbumpasAuthor Commented:
Windows IP Configuration

   Host Name . . . . . . . . . . . . : OORT
   Primary Dns Suffix  . . . . . . . : SCLib.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : SCLib.local

PPP adapter RAS (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : RAS (Dial In) Interface
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.86.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter LAN:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
   Physical Address. . . . . . . . . : 00-50-56-A9-00-17
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::c5c1:a543:90b0:1edf%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.254.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 285233238
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-06-D6-F3-00-50-56-A9-00-17

   DNS Servers . . . . . . . . . . . : 10.1.66.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter ICN:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #3
   Physical Address. . . . . . . . . : 00-50-56-A9-00-18
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::3937:6e00:6439:9084%14(Preferred)
   IPv4 Address. . . . . . . . . . . : 207.63.134.130(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.131(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.132(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.133(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.134(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.135(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.136(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.137(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.138(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.139(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.140(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.141(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.142(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.143(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.144(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.145(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.146(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.147(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.148(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.149(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.150(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 207.63.134.151(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   Default Gateway . . . . . . . . . : 207.63.134.129
   DHCPv6 IAID . . . . . . . . . . . : 369119318
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-06-D6-F3-00-50-56-A9-00-17

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Comcast:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-A9-00-19
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::705c:4086:2d6e:9f61%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 70.91.213.37(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Default Gateway . . . . . . . . . : 70.91.213.38
   DHCPv6 IAID . . . . . . . . . . . : 318787670
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-06-D6-F3-00-50-56-A9-00-17

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

===========================================================================
Interface List
 27...........................RAS (Dial In) Interface
 12...00 50 56 a9 00 17 ......vmxnet3 Ethernet Adapter #2
 14...00 50 56 a9 00 18 ......vmxnet3 Ethernet Adapter #3
 13...00 50 56 a9 00 19 ......vmxnet3 Ethernet Adapter
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   207.63.134.129   207.63.134.130    276
          0.0.0.0          0.0.0.0     70.91.213.38     70.91.213.37     11
         10.1.1.0    255.255.255.0    207.63.134.10   207.63.134.130    276
         10.1.6.0    255.255.255.0       10.1.254.2       10.1.254.1    133
        10.1.26.0    255.255.255.0       10.1.254.2       10.1.254.1    133
        10.1.46.0    255.255.255.0       10.1.254.2       10.1.254.1    133
        10.1.66.0    255.255.255.0       10.1.254.2       10.1.254.1    133
        10.1.86.2  255.255.255.255         On-link         10.1.86.2    306
       10.1.254.0  255.255.255.248         On-link        10.1.254.1    261
       10.1.254.1  255.255.255.255         On-link        10.1.254.1    261
       10.1.254.7  255.255.255.255         On-link        10.1.254.1    261
    67.192.30.112  255.255.255.248   207.63.134.129       10.1.254.1    261
    67.192.30.112  255.255.255.248   207.63.134.129   207.63.134.130    276
     70.91.213.36  255.255.255.252         On-link      70.91.213.37    266
     70.91.213.37  255.255.255.255         On-link      70.91.213.37    266
     70.91.213.39  255.255.255.255         On-link      70.91.213.37    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     207.63.134.0  255.255.255.224   207.63.134.129   207.63.134.130    148
     207.63.134.0  255.255.255.224   207.63.134.129     70.91.213.37    138
     207.63.134.4  255.255.255.255         10.1.1.4       10.1.254.1    125
     207.63.134.4  255.255.255.255         10.1.1.4     70.91.213.37    130
   207.63.134.128  255.255.255.224         On-link    207.63.134.130    276
   207.63.134.130  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.131  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.132  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.133  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.134  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.135  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.136  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.137  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.138  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.139  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.140  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.141  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.142  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.143  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.144  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.145  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.146  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.147  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.148  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.149  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.150  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.151  255.255.255.255         On-link    207.63.134.130    276
   207.63.134.159  255.255.255.255         On-link    207.63.134.130    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        10.1.254.1    261
        224.0.0.0        240.0.0.0         On-link    207.63.134.130    276
        224.0.0.0        240.0.0.0         On-link      70.91.213.37    266
        224.0.0.0        240.0.0.0         On-link         10.1.86.2    306
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        10.1.254.1    261
  255.255.255.255  255.255.255.255         On-link    207.63.134.130    276
  255.255.255.255  255.255.255.255         On-link      70.91.213.37    266
  255.255.255.255  255.255.255.255         On-link         10.1.86.2    306
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
        10.1.26.0    255.255.255.0       10.1.254.2     128
     207.63.134.0  255.255.255.224   207.63.134.129     128
        10.1.66.0    255.255.255.0       10.1.254.2     128
        10.1.46.0    255.255.255.0       10.1.254.2     128
         10.1.6.0    255.255.255.0       10.1.254.2     128
     207.63.134.0  255.255.255.224   207.63.134.129     128
     207.63.134.0  255.255.255.224   207.63.134.129     128
    67.192.30.112  255.255.255.248   207.63.134.129     256
     207.63.134.4  255.255.255.255         10.1.1.4     120
    67.192.30.112  255.255.255.248   207.63.134.129     256
     207.63.134.4  255.255.255.255         10.1.1.4     120
         10.1.1.0    255.255.255.0    207.63.134.10     256
          0.0.0.0          0.0.0.0     70.91.213.38       1
          0.0.0.0          0.0.0.0   207.63.134.129  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 12    261 fe80::/64                On-link
 14    261 fe80::/64                On-link
 13    261 fe80::/64                On-link
 14    261 fe80::3937:6e00:6439:9084/128
                                    On-link
 13    261 fe80::705c:4086:2d6e:9f61/128
                                    On-link
 12    261 fe80::c5c1:a543:90b0:1edf/128
                                    On-link
  1    306 ff00::/8                 On-link
 12    261 ff00::/8                 On-link
 14    261 ff00::/8                 On-link
 13    261 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
0
 
Keith AlabasterCommented:
TMG does not support IPv6 currently so not much point leaving IPv6 enabled on the box.
Only the internal nic is allowed to have a dns entry - and this should be pointing to internal DNS servers only. All other FTMG nics should be blank in respect to DNS ip addresses. The internal DNS servers use their forwarding tabs to make external dns requests.

You also have two default gateways - are you using ISP-R on the TMG box?

Why are you using an interarray nic? They ceased to be needed after ISA 2006 sp1 unless your network is SO busy the internal nics cannot cope?

Look in networking - internal - properties - addresses - in the internal address ranges, have you included the FULL subnet? For example, if you are using 10.1.0.0 as the internal network (although you appear to be using a 24 bit mask) then it would look like:
10.1.0.0 - 10.1.255.255

Any additional internally accessible networks should also be listed here and MUST include the network ID and the broadcast address.
0
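The "dropped as spoofed" event in the question and the advice above come down to one rule: every destination that the routing table sends out of an adapter must fall inside the address ranges defined for the array network bound to that adapter, and each range must run from network ID to broadcast address. The checker below is an added example (not code from the original post, TMG, or Microsoft): it parses a few lines in the shape of the `route print` output posted above, extracts the two default gateways Keith points out, and reports which routed ranges are missing from a given Internal address list, in the "network ID - broadcast" form TMG expects. The sample routes are constructed from the values in the thread; the address-list contents are assumptions for the demonstration.

```python
import ipaddress
import re

# Constructed sample in the shape of the "Active Routes" section of a Windows
# "route print"; values mirror the ones posted earlier in the thread.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   207.63.134.129   207.63.134.130    276
          0.0.0.0          0.0.0.0     70.91.213.38     70.91.213.37     11
         10.1.1.0    255.255.255.0    207.63.134.10   207.63.134.130    276
         10.1.6.0    255.255.255.0       10.1.254.2       10.1.254.1    133
        10.1.26.0    255.255.255.0       10.1.254.2       10.1.254.1    133
       10.1.254.0  255.255.255.248         On-link        10.1.254.1    261
    67.192.30.112  255.255.255.248   207.63.134.129       10.1.254.1    261
        224.0.0.0        240.0.0.0         On-link        10.1.254.1    261
  255.255.255.255  255.255.255.255         On-link        10.1.254.1    261
"""

# destination, netmask, gateway (or "On-link"), interface address, metric
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return (IPv4Network, gateway, interface_ip) tuples; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, _metric = m.groups()
        try:
            net = ipaddress.IPv4Network((dest, mask))
        except ValueError:
            continue  # not an address/mask pair
        routes.append((net, gateway, iface))
    return routes


def default_gateways(routes):
    """Gateways of all 0.0.0.0/0 routes (two of them means two default gateways)."""
    return [gw for net, gw, _iface in routes if net.prefixlen == 0]


def range_covers(ranges, net):
    """True if the whole network (network ID .. broadcast) lies inside one
    of the inclusive (start, end) address ranges of the array network."""
    first = int(net.network_address)
    last = int(net.broadcast_address)
    for start, end in ranges:
        if int(ipaddress.IPv4Address(start)) <= first and last <= int(ipaddress.IPv4Address(end)):
            return True
    return False


def spoof_check(routes, adapter_ip, ranges):
    """Apply the rule behind the event: every route leaving via `adapter_ip`
    must sit inside the array network bound to that adapter.  Returns the
    ranges that would be dropped as spoofed, as 'network ID - broadcast'
    strings, which is the form to add to the network's address list."""
    missing = []
    limited_broadcast = ipaddress.IPv4Network("255.255.255.255/32")
    for net, _gw, iface in routes:
        if iface != adapter_ip:
            continue
        # default, multicast and limited-broadcast routes are not address ranges
        if net.prefixlen == 0 or net.is_multicast or net == limited_broadcast:
            continue
        if not range_covers(ranges, net):
            missing.append(f"{net.network_address} - {net.broadcast_address}")
    return missing


if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    print("default gateways:", default_gateways(routes))
    # Assumed Internal definition as Keith suggests: the full 10.1.0.0/16 block.
    print("missing from Internal:", spoof_check(routes, "10.1.254.1", [("10.1.0.0", "10.1.255.255")]))
```

With the full 10.1.0.0 - 10.1.255.255 range defined, the only range still flagged for the LAN adapter is 67.192.30.112 - 67.192.30.119, which is routed via 10.1.254.1 but belongs to neither the Internal definition nor that adapter; with a narrower Internal definition the 10.1.6.0/24 and 10.1.26.0/24 ranges behind the site-to-site link show up as well.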
 
sbumpasAuthor Commented:
For some reason, when we disabled IPv6, client VPN stopped working.  Here's how/why we turned it back on:

http://social.technet.microsoft.com/Forums/en/ForefrontedgeVPN/thread/d033a9d1-aff6-4098-a002-e5e15ee1834c

I would love to disable IPv6, if you can help with a fix/workaround?

We are using ISP-R.

I never intentionally configured an interarray NIC - this is only Standard edition, I wasn't aware you could even do that. Should I disable it? If so, how?

The 10.1.1.0/24 network is on the other end of a site-to-site VPN - should it still be included in internal?  The VPN is working fine as is, but there are strange "errors" related to it in the event log:

Description: Forefront TMG cannot locate a route to the LINC remote site.
As a result, a connection cannot be established. To establish the IPsec site-to-site connection, you must update the routing table.

The local tunnel endpoint of VPN site-to-site network LINC is incorrect.
Server OORT cannot connect to the remote site using the 207.63.134.130 local tunnel endpoint.


0
 
Keith AlabasterCommented:
Fantastic - a Forefront question that is interesting as opposed to the traditional 'Please provide step by step walkthrough on how do I install and set it up for my entire domain - Urgent' crap.

You are on TMG 2010 - so first confirm you have updated any array manager followed by array nodes with tmg 2010 sp1, update 1 and updates 1 rollups (there are 3 now).

Second, download, install and run the TMG BPA - let's see what it identifies.
0
 
sbumpasAuthor Commented:
Here's the BPA report.

I built the server in March, and installed all updates that were available at that time.  As far as I can tell, the last rollup was in February, so we should be good there.  Help -> About reveals v7.0.9027.441, but I can't correlate that to any specific rollup.
TmgBPA.EE.201105021131079774.dat.xml
0
 
Keith AlabasterCommented:
The rollups have to be applied for via the TechNet site - they are not pushed by WSUS etc.
I'll review the BPA tonight when I get home.
0
 
sbumpasAuthor Commented:
I installed the rollups by hand - I do remember installing them now that I've looked at the various download pages.

Thanks!
0
 
Keith AlabasterCommented:
PS - I note you have attached the XML of the BPA - I cannot read that without spending a shedload of time (I'll do it if I really have to but...) preferably I need you to run the all tests option and let's see what issues it reports.
0
 
sbumpasAuthor Commented:
Here's the all test option - let me know if that's right!
TmgBPA.EE2.201105021325224235.da.xml
0
 
Keith AlabasterCommented:
As stated above, I don't want the xml, just the issues that the BPA pulled up. There are two tabs when the analyser has run - one shows the issues, the other shows the xml.
0
 
sbumpasAuthor Commented:
This was the best way I could find to export the list you're looking for - it included quite a bit of today's firewall activity, so it looks like a mess.  Hopefully I got it right this time!
TmgBPA.EE3.201105021459217721.da.htm
0
 
Keith AlabasterCommented:
Excellent. Almost my bedtime but I will look through and report back on each entry
0
 
sbumpasAuthor Commented:
I tried to fix this error:

The IP address specified for communication between this Forefront TMG computer (oldIPaddressusedfortesting) and other array members is not bound to a network adapter installed on this computer. The IP address specified for intra-array communication must be bound to a network adapter installed on the computer.

using this article:

http://social.technet.microsoft.com/Forums/en/Forefrontedgegeneral/thread/d1d2df7d-d1d6-4249-91fe-c8136d8487ad

But it did not work.  The other errors reported still stand.  Any thoughts?

Tonight I will be switching ISP-R to ISP load balancing + failover, and setting our 2nd ISP connection to 0%. Hopefully that will be accepted? TMG didn't complain, but I also didn't hit 'apply' yet. The reason for this is we need certain internal servers to be published on specific IPs, which are located on the second ISP connection. Not sure if this change affects any ideas you might have?
0
 
Keith AlabasterCommented:
Yes - I'll have something with you tomorrow morning. This week has been a nightmare at my own work so you have had to play second fiddle.
0
 
sbumpasAuthor Commented:
I tried this again:

http://social.technet.microsoft.com/Forums/en/Forefrontedgegeneral/thread/d1d2df7d-d1d6-4249-91fe-c8136d8487ad

For some reason it worked this time?  My only remaining errors are:


Description: Forefront TMG detected Windows Filtering Platform filters that may cause policy conflicts on the server OORT. The following providers may define filters that conflict with the Forefront TMG firewall policy: unnamed provider(s).


MS says you can safely ignore this (http://technet.microsoft.com/en-us/library/dd440976.aspx), but I find that less than an ideal solution.  Here's another link describing it in a bit more detail:

http://technet.microsoft.com/en-us/library/dd440976.aspx

However, if you look closely at both of those, the provider is Microsoft Corp - mine is "unnamed provider." The netsh command, however, yields this:

Categories:
BootTimeRuleCategory                  Microsoft Forefront Threat Management Gateway
FirewallRuleCategory                  Microsoft Forefront Threat Management Gateway
StealthRuleCategory                   Microsoft Forefront Threat Management Gateway
ConSecRuleRuleCategory                Windows Firewall

Maybe that 4th option is causing this weird message?
0
 
Keith AlabasterCommented:
OK - here goes.

The Concurrent TCP Connections from One IP Address Limit Exceeded error alert was signaled 9 times.
Exactly what it says on the packet. What are these IP addresses relating to?

The Denied Connections per Minute from One IP Address Limit Exceeded error alert was signaled 1 times
Linked to the above - what is the device at this IP address?

The Non-TCP Sessions from One IP Address Limit Exceeded error alert was signaled 15 times
and again here

The secure channel to the domain controller cannot be verified
This one is a cause for concern if the box is joined to the domain. What rules do you have in place to allow the TMG and DC's to communicate in both directions?
Does the TMG System Policy allow for the traffic also?

The WFP Filter Conflict Detected error alert was signaled 8 times
This was a bug but I had thought that it had been corrected with SP1, the SP1 update and the rollups. Confirm you have deployed ALL TMG updates.

A policy rule blocks FTP uploads
No issue here - just informing you that the rules that include FTP traffic have not been right-clicked, configure FTP and the check box for FTP read-only cleared.

Strict RPC compliance is enforced in an access rule that allows traffic to or from the Local Host network
Same here. Traffic between the local host and internal that use RPC do not need to be as secure as RPC traffic elsewhere. Right-click rules between localhost and internal, click configure RPC and uncheck the strict RPC compliance box.

The Compression by Unsupported Method warning alert was signaled 1 times
Informational

The Compression Failure (Decompression Failed) warning alert was signaled 14 times
Informational

The Configuration error warning alert was signaled 4 times
BIG issue - read my article
http://www.experts-exchange.com/Microsoft/Windows_Security/A_1812-Error-Message-ISA-Server-detected-routes-through-the-network-adapter-LAN-that-do-not-correlate-with-the-network-to-which-this-network-adapter-belongs-How-to-fix-this.html?sfQueryTermInfo=1+30+alabast+keith+spoof

The IP Spoofing warning alert was signaled 1 times
same again

The rest are just informational - for example the dns message is as it should be (blank dns on all adaptors except the internal)
0
 
sbumpasAuthor Commented:
The Concurrent TCP Connections from One IP Address Limit Exceeded error alert was signaled 9 times.
The Denied Connections per Minute from One IP Address Limit Exceeded error alert was signaled 1 times
The Non-TCP Sessions from One IP Address Limit Exceeded error alert was signaled 15 times

These IP addresses appear to be random - sometimes it's my PC, sometimes it's our DC, often it's an anonymous wireless or kiosk user (we are a library with public internet access). I notice they happen more often when the CPU is spiking - I have not determined the cause yet, but it is not uncommon to see CPU at 100% during the middle of the day. Disabling NIS and IDS has no effect.

There are currently no specific rules that permit DC and TMG access, however, this error has not reappeared since I created that log.

The WFP Filter Conflict Detected error alert was signaled 8 times

I opened a ticket with MS and during the course of that call we confirmed that all appropriate rollups/SP had been installed.  Not sure why this one won't go away...

Strict RPC should be disabled for the whole internal range?  I have a rule that disables it for 1 server, which does WMI monitoring (PRTG), but the rest seem to be OK.  

the IP spoofing error was triggered by a static route placed incorrectly - that is also resolved now.

I will try adding a vCPU during our next maintenance window, although I'm hesitant to do so because we're only at 100 users.  The physical CPU is a X5540 - should be no trouble at all for such a load.  Aside from that, the only issue is the WFP Filter Conflict which MS says to ignore.
0
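The three "Limit Exceeded" alerts discussed above are per-source-IP counters: peak simultaneous TCP connections, denied connections inside one minute, and simultaneous non-TCP sessions. When the offending addresses look random, the useful first step is to tally those three quantities per client from the firewall log so the DC, a PC or a kiosk can be told apart before raising any limit or excluding a host. The script below is an added example (not code from the original post or from TMG): it works over constructed records in a simplified log shape, and the limit values it uses are deliberately tiny assumptions so the sample trips them; TMG's real flood-mitigation defaults are not reproduced here.

```python
from collections import Counter

# Constructed sample records (not the real TMG log format):
# (client IP, protocol, action, start second, end second)
CONNECTIONS = [
    ("10.1.66.2",  "TCP", "allowed",  0, 30),
    ("10.1.66.2",  "TCP", "allowed",  5, 30),
    ("10.1.66.2",  "TCP", "allowed", 10, 30),
    ("10.1.66.2",  "TCP", "allowed", 31, 40),
    ("10.1.46.77", "UDP", "allowed",  0,  1),
    ("10.1.46.77", "UDP", "allowed",  0,  1),
    ("10.1.46.77", "UDP", "allowed",  2,  3),
    ("10.1.46.77", "TCP", "denied",   0,  0),
    ("10.1.46.77", "TCP", "denied",  10, 10),
    ("10.1.46.77", "TCP", "denied",  70, 70),
]

# Assumed limits for the demonstration only; far below any real setting.
LIMITS = {"concurrent_tcp": 2, "denied_per_minute": 1, "non_tcp": 1}

ALERT_NAMES = {
    "concurrent_tcp": "Concurrent TCP Connections from One IP Address Limit Exceeded",
    "denied_per_minute": "Denied Connections per Minute from One IP Address Limit Exceeded",
    "non_tcp": "Non-TCP Sessions from One IP Address Limit Exceeded",
}


def peak_concurrent(conns, ip, tcp=True):
    """Peak number of simultaneously open allowed connections from `ip`,
    counting TCP only (tcp=True) or everything except TCP (tcp=False).
    A sweep over start/end events; an end at time t is processed before a
    start at t, so back-to-back connections do not count as overlapping."""
    events = []
    for cip, proto, action, start, end in conns:
        if cip != ip or action != "allowed" or (proto == "TCP") != tcp:
            continue
        events.append((start, +1))
        events.append((end, -1))
    events.sort()  # (time, delta): -1 sorts before +1 at the same time
    peak = current = 0
    for _t, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def denied_per_minute(conns, ip):
    """Highest number of denied connections from `ip` in any one 60-second bucket."""
    buckets = Counter(start // 60 for cip, _p, action, start, _e in conns
                      if cip == ip and action == "denied")
    return max(buckets.values(), default=0)


def offenders(conns, limits):
    """Map each client IP to the names of the alerts it would trigger."""
    result = {}
    for ip in sorted({c[0] for c in conns}):
        measured = {
            "concurrent_tcp": peak_concurrent(conns, ip, tcp=True),
            "denied_per_minute": denied_per_minute(conns, ip),
            "non_tcp": peak_concurrent(conns, ip, tcp=False),
        }
        hits = [ALERT_NAMES[k] for k, v in measured.items() if v > limits[k]]
        if hits:
            result[ip] = hits
    return result


if __name__ == "__main__":
    for ip, alerts in offenders(CONNECTIONS, LIMITS).items():
        print(ip)
        for name in alerts:
            print("   ", name)
```

Run against an export of the real firewall log, the per-IP figures tell you whether a host is genuinely opening hundreds of sessions (a scanner, a malware-infected kiosk, or a chatty monitoring box such as the PRTG server mentioned later) or whether the limit is simply too low for a legitimate server like the DC, which is the one case where an exception is the right fix rather than the host.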
 
Keith AlabasterCommented:
Use Procmon from sysinternals to get detail of which process is spiking - and what it was doing at the time.

As I mentioned, the filter conflict is a known bug - although I thought it had been addressed by the updates as I no longer get it.

Yes, strict RPC can be disabled for everything that is talking directly between the internal and TMG server.

0
 
sbumpasAuthor Commented:
Good idea - procmon showed almost 70% of events going to web caching.  I disabled it, but I have to restart services during off-hours for it to take effect.  I will update tonight.
0
 
sbumpasAuthor Commented:
Still no luck - I have disabled NIS, local AV (ESET NOD32), IDS, web filter and web caching.  The CPU is still at 100% during daytime hours, due to wspsrv (according to procmon - kernel CPU sometimes reaches 550%).  

In the past, I have read that virtualization is not a good choice for "real time" applications - I'm starting to wonder if that is the issue I'm experiencing here.

Because all of the original issues have fallen by the wayside, I am awarding points and will create new questions as necessary for individual issues.  Thanks for all your assistance!
0
 
Keith AlabasterCommented:
Your call - if the questions involve FTMG though they will likely come my way.
FTMG virtualised is not an issue as long as the host and the guests are suitably resourced.

That said, resourcing generally is vital for FTMG within the environment. For example, an FTMG server with 20GB RAM and 4 x quad processors will act awfully if there is only one poorly-specced DC that is having to resolve all the DNS name resolutions, AD group lookups etc or the bandwidth/links between FTMG and the DC's are rubbish.
0
 
sbumpasAuthor Commented:
I have been thinking quite a bit about that - even though I only have 150 users during peak hours, maybe the fact that I have a 50Mb connection being pounded on is causing more stress than the TMG Capacity Planner would suggest. I am going to try an additional vCPU and 2GB more RAM (we are running standard, I believe 4GB is the limit?) before migrating to a physical.

Our DC is also a VM with a dual 10Gb uplink and an average utilization rate of 3%.  I appreciate any other suggestions you may have regarding this?
0
 
Keith AlabasterCommented:
10Gb? lol - that equals our HP c7000 blade environments so yes, I guess you qualify in meeting the spec there. How many DC's are there that share the AD/DNS load that TMG can use?
0
 
Keith AlabasterCommented:
Also, are you using a proper virtualisation platform such as Hyper-v or something else? (lol, being a Microsoft man I couldn't resist it)
0
 
sbumpasAuthor Commented:
We are using ESX 4.1U1.  The TMG host is 2x5540 with 48GB RAM and 16x2.5" 15K SAS in RAID 10.  There are 8 other VMs on this host, all single vCPU with an average host utilization rate of 20% (before TMG).
0
 
sbumpasAuthor Commented:
There is only 1 DC, it has <500 objects so I have never given much thought to adding resources.

I'm trying to imagine how an underperforming DC could cause CPU spike on a TMG server?  
0
 
sbumpasAuthor Commented:
Update - moved the TMG VM to a new host with slightly faster CPU, added another vCPU and doubled RAM from 2GB to 4GB. With all NIS and malware scanning activated, CPU and RAM both hit 60% during 100% bandwidth utilization. I guess I was just under the mark?

The only thing I'd like to figure out now is that WFP Filter error.  I could just disable that warning, but I would like at the very least to understand it.
0
 
Keith AlabasterCommented:
Disable it or ignore it - your choice but it IS a bug and will be fixed either in one of the anticipated updates or SP2 I guess. SP2 is on the horizon for us and after that will be made available to the general public.
0
 
sbumpasAuthor Commented:
Thanks - I'll ignore it until SP2 hits. I prefer to have visibility, even if that means discounting a few lines.

Thanks again for all your input!
0
 
Keith AlabasterCommented:
No sweat
0
