sbumpas
asked on
Forefront TMG event log errors?
We just deployed our first Forefront TMG server, and for the most part it is going well. However, I have quite a few entries in my event viewer of the following:
Forefront TMG detected Windows Filtering Platform filters that may cause policy conflicts on the server <servername>. The following providers may define filters that conflict with the Forefront TMG firewall policy: unnamed provider(s).
The IP address specified for communication between this Forefront TMG computer (oldIPaddressusedfortesting) and other array members is not bound to a network adapter installed on this computer. The IP address specified for intra-array communication must be bound to a network adapter installed on the computer.
The routing table for the network adapter LAN includes IP address ranges that are not defined in the array-level network Internal, to which it is bound. As a result, packets arriving at this network adapter from the IP address ranges listed below or sent to these IP address ranges via this network adapter will be dropped as spoofed. To resolve this issue, add the missing IP address ranges to the array network. The following IP address ranges will be dropped as spoofed: External:<external IPs published for various resources such as RDP>
Forefront TMG was unable to decompress a response body from photography.shop.ebay.com because the following error occurred: The data is invalid. This error may occur when the available memory is insufficient, the response is corrupted due to a network problem, or the server returns an illegal response.
I apologize if these are separate issues, the messages feel quite vague to me and I'm not sure if they're related or not. I can answer any infrastructure questions you may have - thanks!
ASKER
Windows IP Configuration
Host Name . . . . . . . . . . . . : OORT
Primary Dns Suffix . . . . . . . : SCLib.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : SCLib.local
PPP adapter RAS (Dial In) Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : RAS (Dial In) Interface
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.1.86.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter LAN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
Physical Address. . . . . . . . . : 00-50-56-A9-00-17
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::c5c1:a543:90b0:1edf%12(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.254.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.248
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 285233238
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-06-D6-F3-00-50-56-A9-00-17
DNS Servers . . . . . . . . . . . : 10.1.66.2
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter ICN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #3
Physical Address. . . . . . . . . : 00-50-56-A9-00-18
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::3937:6e00:6439:9084%14(Preferred)
IPv4 Address. . . . . . . . . . . : 207.63.134.130(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.131(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.132(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.133(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.134(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.135(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.136(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.137(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.138(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.139(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.140(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.141(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.142(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.143(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.144(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.145(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.146(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.147(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.148(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.149(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.150(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
IPv4 Address. . . . . . . . . . . : 207.63.134.151(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.224
Default Gateway . . . . . . . . . : 207.63.134.129
DHCPv6 IAID . . . . . . . . . . . : 369119318
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-06-D6-F3-00-50-56-A9-00-17
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Comcast:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-A9-00-19
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::705c:4086:2d6e:9f61%13(Preferred)
IPv4 Address. . . . . . . . . . . : 70.91.213.37(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 70.91.213.38
DHCPv6 IAID . . . . . . . . . . . : 318787670
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-06-D6-F3-00-50-56-A9-00-17
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 11:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
===========================================================================
Interface List
27...........................RAS (Dial In) Interface
12...00 50 56 a9 00 17 ......vmxnet3 Ethernet Adapter #2
14...00 50 56 a9 00 18 ......vmxnet3 Ethernet Adapter #3
13...00 50 56 a9 00 19 ......vmxnet3 Ethernet Adapter
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 207.63.134.129 207.63.134.130 276
0.0.0.0 0.0.0.0 70.91.213.38 70.91.213.37 11
10.1.1.0 255.255.255.0 207.63.134.10 207.63.134.130 276
10.1.6.0 255.255.255.0 10.1.254.2 10.1.254.1 133
10.1.26.0 255.255.255.0 10.1.254.2 10.1.254.1 133
10.1.46.0 255.255.255.0 10.1.254.2 10.1.254.1 133
10.1.66.0 255.255.255.0 10.1.254.2 10.1.254.1 133
10.1.86.2 255.255.255.255 On-link 10.1.86.2 306
10.1.254.0 255.255.255.248 On-link 10.1.254.1 261
10.1.254.1 255.255.255.255 On-link 10.1.254.1 261
10.1.254.7 255.255.255.255 On-link 10.1.254.1 261
67.192.30.112 255.255.255.248 207.63.134.129 10.1.254.1 261
67.192.30.112 255.255.255.248 207.63.134.129 207.63.134.130 276
70.91.213.36 255.255.255.252 On-link 70.91.213.37 266
70.91.213.37 255.255.255.255 On-link 70.91.213.37 266
70.91.213.39 255.255.255.255 On-link 70.91.213.37 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
207.63.134.0 255.255.255.224 207.63.134.129 207.63.134.130 148
207.63.134.0 255.255.255.224 207.63.134.129 70.91.213.37 138
207.63.134.4 255.255.255.255 10.1.1.4 10.1.254.1 125
207.63.134.4 255.255.255.255 10.1.1.4 70.91.213.37 130
207.63.134.128 255.255.255.224 On-link 207.63.134.130 276
207.63.134.130 255.255.255.255 On-link 207.63.134.130 276
207.63.134.131 255.255.255.255 On-link 207.63.134.130 276
207.63.134.132 255.255.255.255 On-link 207.63.134.130 276
207.63.134.133 255.255.255.255 On-link 207.63.134.130 276
207.63.134.134 255.255.255.255 On-link 207.63.134.130 276
207.63.134.135 255.255.255.255 On-link 207.63.134.130 276
207.63.134.136 255.255.255.255 On-link 207.63.134.130 276
207.63.134.137 255.255.255.255 On-link 207.63.134.130 276
207.63.134.138 255.255.255.255 On-link 207.63.134.130 276
207.63.134.139 255.255.255.255 On-link 207.63.134.130 276
207.63.134.140 255.255.255.255 On-link 207.63.134.130 276
207.63.134.141 255.255.255.255 On-link 207.63.134.130 276
207.63.134.142 255.255.255.255 On-link 207.63.134.130 276
207.63.134.143 255.255.255.255 On-link 207.63.134.130 276
207.63.134.144 255.255.255.255 On-link 207.63.134.130 276
207.63.134.145 255.255.255.255 On-link 207.63.134.130 276
207.63.134.146 255.255.255.255 On-link 207.63.134.130 276
207.63.134.147 255.255.255.255 On-link 207.63.134.130 276
207.63.134.148 255.255.255.255 On-link 207.63.134.130 276
207.63.134.149 255.255.255.255 On-link 207.63.134.130 276
207.63.134.150 255.255.255.255 On-link 207.63.134.130 276
207.63.134.151 255.255.255.255 On-link 207.63.134.130 276
207.63.134.159 255.255.255.255 On-link 207.63.134.130 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.1.254.1 261
224.0.0.0 240.0.0.0 On-link 207.63.134.130 276
224.0.0.0 240.0.0.0 On-link 70.91.213.37 266
224.0.0.0 240.0.0.0 On-link 10.1.86.2 306
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.1.254.1 261
255.255.255.255 255.255.255.255 On-link 207.63.134.130 276
255.255.255.255 255.255.255.255 On-link 70.91.213.37 266
255.255.255.255 255.255.255.255 On-link 10.1.86.2 306
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
10.1.26.0 255.255.255.0 10.1.254.2 128
207.63.134.0 255.255.255.224 207.63.134.129 128
10.1.66.0 255.255.255.0 10.1.254.2 128
10.1.46.0 255.255.255.0 10.1.254.2 128
10.1.6.0 255.255.255.0 10.1.254.2 128
207.63.134.0 255.255.255.224 207.63.134.129 128
207.63.134.0 255.255.255.224 207.63.134.129 128
67.192.30.112 255.255.255.248 207.63.134.129 256
207.63.134.4 255.255.255.255 10.1.1.4 120
67.192.30.112 255.255.255.248 207.63.134.129 256
207.63.134.4 255.255.255.255 10.1.1.4 120
10.1.1.0 255.255.255.0 207.63.134.10 256
0.0.0.0 0.0.0.0 70.91.213.38 1
0.0.0.0 0.0.0.0 207.63.134.129 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
12 261 fe80::/64 On-link
14 261 fe80::/64 On-link
13 261 fe80::/64 On-link
14 261 fe80::3937:6e00:6439:9084/128
On-link
13 261 fe80::705c:4086:2d6e:9f61/128
On-link
12 261 fe80::c5c1:a543:90b0:1edf/128
On-link
1 306 ff00::/8 On-link
12 261 ff00::/8 On-link
14 261 ff00::/8 On-link
13 261 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
TMG does not support IPv6 currently so not much point leaving IPv6 enabled on the box.
Only the internal nic is allowed to have a dns entry - and this should be pointing to internal DNS servers only. All other FTMG nics should be blank in respect to DNS ip addresses. The internal DNS servers use their forwarding tabs to make external dns requests.
You also have two default gateways - are you using ISP-R on the TMG box?
Why are you using an interarray nic? They ceased to be needed after ISA 2006 sp1 unless your network is SO busy the internal nics cannot cope?
Look in networking - internal - properties - addresses - in the internal address ranges, have you included the FULL subnet? For example, if you are using 10.1.0.0 as the internal network (although you appear to be using a 24 bit mask) then it would look like:
10.1.0.0 - 10.1.255.255
Any additional internally accessible networks should also be listed here and MUST include the network ID and the broadcast address.
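Added example, not written by any poster in this thread: a Python check of the comparison the "dropped as spoofed" event describes, listing routes bound to the LAN adapter (10.1.254.1) that fall outside the Internal network's address ranges. The route rows are copied from the table posted above; `INTERNAL_RANGES` is a constructed value, the function names are hypothetical, and skipping the default, multicast, loopback and broadcast routes is a simplification made by this example.

```python
import ipaddress

# Rows copied from the "Active Routes" table posted above
# (destination, netmask, gateway, interface, metric).
ROUTE_ROWS = """\
0.0.0.0 0.0.0.0 70.91.213.38 70.91.213.37 11
10.1.6.0 255.255.255.0 10.1.254.2 10.1.254.1 133
10.1.26.0 255.255.255.0 10.1.254.2 10.1.254.1 133
10.1.46.0 255.255.255.0 10.1.254.2 10.1.254.1 133
10.1.66.0 255.255.255.0 10.1.254.2 10.1.254.1 133
10.1.254.0 255.255.255.248 On-link 10.1.254.1 261
10.1.254.1 255.255.255.255 On-link 10.1.254.1 261
10.1.254.7 255.255.255.255 On-link 10.1.254.1 261
67.192.30.112 255.255.255.248 207.63.134.129 10.1.254.1 261
67.192.30.112 255.255.255.248 207.63.134.129 207.63.134.130 276
207.63.134.4 255.255.255.255 10.1.1.4 10.1.254.1 125
224.0.0.0 240.0.0.0 On-link 10.1.254.1 261
255.255.255.255 255.255.255.255 On-link 10.1.254.1 261
"""

# ASSUMPTION (constructed): address ranges entered for the Internal network,
# written as first-last pairs the way the reply above shows them.
INTERNAL_RANGES = [("10.1.0.0", "10.1.255.255")]

LIMITED_BROADCAST = ipaddress.ip_network("255.255.255.255/32")


def routes_on_interface(route_rows, iface_ip):
    """Return the distinct networks routed via the adapter that owns iface_ip."""
    nets = []
    for line in route_rows.splitlines():
        fields = line.split()
        # Expect exactly: destination, netmask, gateway, interface, metric.
        if len(fields) != 5 or fields[3] != iface_ip:
            continue
        net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
        if net not in nets:
            nets.append(net)
    return nets


def is_special(net):
    """Default, multicast, loopback and limited-broadcast routes (skipped here)."""
    return (net.prefixlen == 0 or net.is_multicast or net.is_loopback
            or net == LIMITED_BROADCAST)


def merge_ranges(ranges):
    """Turn first-last pairs into sorted, merged integer intervals."""
    spans = []
    for first, last in ranges:
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        if lo > hi:
            raise ValueError(f"range {first}-{last} is reversed")
        spans.append((lo, hi))
    merged = []
    for lo, hi in sorted(spans):
        if merged and lo <= merged[-1][1] + 1:
            # Overlapping or directly adjacent ranges count as one span.
            merged[-1][1] = max(merged[-1][1], hi)
        else:
            merged.append([lo, hi])
    return merged


def uncovered_routes(route_rows, iface_ip, ranges):
    """List routed networks on the adapter that the ranges do not fully cover.

    A route counts as covered only when both its network ID and its
    broadcast address lie inside one merged range.
    """
    merged = merge_ranges(ranges)
    missing = []
    for net in routes_on_interface(route_rows, iface_ip):
        if is_special(net):
            continue
        first, last = int(net.network_address), int(net.broadcast_address)
        if not any(lo <= first and last <= hi for lo, hi in merged):
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    for net in uncovered_routes(ROUTE_ROWS, "10.1.254.1", INTERNAL_RANGES):
        print("routed via LAN but not in Internal network:", net)
```

A range entered as 10.1.6.1 - 10.1.6.254 leaves 10.1.6.0/24 uncovered in this check, because the network ID and broadcast address are missing from it.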
ASKER
For some reason, when we disabled IPv6, client VPN stopped working. Here's how/why we turned it back on:
http://social.technet.microsoft.com/Forums/en/ForefrontedgeVPN/thread/d033a9d1-aff6-4098-a002-e5e15ee1834c
I would love to disable IPv6, if you can help with a fix/workaround?
We are using ISP-R.
I never intentionally configured an interarray NIC - this is only Standard edition, I wasn't aware you could even do that. Should I disable it? If so, how?
The 10.1.1.0/24 network is on the other end of a site-to-site VPN - should it still be included in internal? The VPN is working fine as is, but there are strange "errors" related to it in the event log:
Description: Forefront TMG cannot locate a route to the LINC remote site.
As a result, a connection cannot be established. To establish the IPsec site-to-site connection, you must update the routing table.
The local tunnel endpoint of VPN site-to-site network LINC is incorrect.
Server OORT cannot connect to the remote site using the 207.63.134.130 local tunnel endpoint.
Fantastic - a Forefront question that is interesting as opposed to the traditional 'Please provide step by step walkthrough on how do I install and set it up for my entire domain - Urgent' crap.
You are on TMG 2010 - so first confirm you have updated any array manager followed by array nodes with tmg 2010 sp1, update 1 and update 1 rollups (there are 3 now).
Second, download, install and run the TMG BPA - let's see what it identifies.
ASKER
Here's the BPA report.
I built the server in March, and installed all updates that were available at that time. As far as I can tell, the last rollup was in February, so we should be good there. Help -> About reveals v7.0.9027.441, but I can't correlate that to any specific rollup.
TmgBPA.EE.201105021131079774.dat.xml
The rollups have to be applied for via the TechNet site - they are not pushed by WSUS etc.
I'll review the BPA tonight when I get home.
ASKER
I installed the rollups by hand - I do remember installing them now that I've looked at the various download pages.
Thanks!
PS - I note you have attached the XML of the BPA - I cannot read that without spending a shedload of time (I'll do it if I really have to but...) preferably I need you to run the all tests option and let's see what issues it reports.
ASKER
Here's the all test option - let me know if that's right!
TmgBPA.EE2.201105021325224235.da.xml
As stated above, I don't want the xml, just the issues that the BPA pulled up. There are two tabs when the analyser has run - one shows the issues, the other shows the xml.
ASKER
This was the best way I could find to export the list you're looking for - it included quite a bit of today's firewall activity, so it looks like a mess. Hopefully I got it right this time!
TmgBPA.EE3.201105021459217721.da.htm
Excellent. Almost my bedtime but I will look through and report back on each entry
ASKER
I tried to fix this error:
The IP address specified for communication between this Forefront TMG computer (oldIPaddressusedfortesting) and other array members is not bound to a network adapter installed on this computer. The IP address specified for intra-array communication must be bound to a network adapter installed on the computer.
using this article:
http://social.technet.microsoft.com/Forums/en/Forefrontedgegeneral/thread/d1d2df7d-d1d6-4249-91fe-c8136d8487ad
But it did not work. The other errors reported still stand. Any thoughts?
Tonight I will be switching ISP-R to ISP load balancing + failover, and setting our 2nd ISP connection to 0%. Hopefully that will be accepted? TMG didn't complain, but I also didn't hit 'apply' yet. The reason for this is we need certain internal servers to be published on specific IPs, which are located on the second ISP connection. Not sure if this change affects any ideas you might have?
Yes - I'll have something with you tomorrow morning. This week has been a nightmare at my own work so you have had to play second fiddle.
ASKER
I tried this again:
http://social.technet.microsoft.com/Forums/en/Forefrontedgegeneral/thread/d1d2df7d-d1d6-4249-91fe-c8136d8487ad
For some reason it worked this time? My only remaining errors are:
Description: Forefront TMG detected Windows Filtering Platform filters that may cause policy conflicts on the server OORT. The following providers may define filters that conflict with the Forefront TMG firewall policy: unnamed provider(s).
MS says you can safely ignore this (http://technet.microsoft.com/en-us/library/dd440976.aspx), but I find that less than an ideal solution. Here's another link describing it in a bit more detail:
http://technet.microsoft.com/en-us/library/dd440976.aspx
However, if you look closely at both of those, the provider is Microsoft Corp - mine is "unnamed provider." The netsh command, however, yields this:
Categories:
BootTimeRuleCategory Microsoft Forefront Threat Management Gateway
FirewallRuleCategory Microsoft Forefront Threat Management Gateway
StealthRuleCategory Microsoft Forefront Threat Management Gateway
ConSecRuleRuleCategory Windows Firewall
Maybe that 4th option is causing this weird message?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
The Concurrent TCP Connections from One IP Address Limit Exceeded error alert was signaled 9 times.
The Denied Connections per Minute from One IP Address Limit Exceeded error alert was signaled 1 times
The Non-TCP Sessions from One IP Address Limit Exceeded error alert was signaled 15 times
These IP addresses appear to be random - sometimes it's my PC, sometimes it's our DC, often it's an anonymous wireless or kiosk user (we are a library with public internet access). I notice they happen more often when the CPU is spiking - I have not determined the cause yet, but it is not uncommon to see CPU at 100% during the middle of the day. Disabling NIS and IDS has no effect.
There are currently no specific rules that permit DC and TMG access, however, this error has not reappeared since I created that log.
The WFP Filter Conflict Detected error alert was signaled 8 times
I opened a ticket with MS and during the course of that call we confirmed that all appropriate rollups/SP had been installed. Not sure why this one won't go away...
Strict RPC should be disabled for the whole internal range? I have a rule that disables it for 1 server, which does WMI monitoring (PRTG), but the rest seem to be OK.
The IP spoofing error was triggered by a static route placed incorrectly - that is also resolved now.
I will try adding a vCPU during our next maintenance window, although I'm hesitant to do so because we're only at 100 users. The physical CPU is an X5540 - should be no trouble at all for such a load. Aside from that, the only issue is the WFP Filter Conflict which MS says to ignore.
SOLUTION
This solution is only available to members.
ASKER
Good idea - procmon showed almost 70% of events going to web caching. I disabled it, but I have to restart services during off-hours for it to take effect. I will update tonight.
ASKER
Still no luck - I have disabled NIS, local AV (ESET NOD32), IDS, web filter and web caching. The CPU is still at 100% during daytime hours, due to wspsrv (according to procmon - kernel CPU sometimes reaches 550%).
In the past, I have read that virtualization is not a good choice for "real time" applications - I'm starting to wonder if that is the issue I'm experiencing here.
Because all of the original issues have fallen by the wayside, I am awarding points and will create new questions as necessary for individual issues. Thanks for all your assistance!
Your call - if the questions involve FTMG though they will likely come my way.
FTMG virtualised is not an issue as long as the host and the guests are suitably resourced.
That said, resourcing generally is vital for FTMG within the environment. For example, an FTMG server with 20GB RAM and 4 x quad processors will act awfully if there is only one poorly-specced DC that is having to resolve all the DNS name resolutions, AD group lookups etc., or the bandwidth/links between FTMG and the DCs are rubbish.
ASKER
I have been thinking quite a bit about that - even though I only have 150 users during peak hours, maybe the fact that I have a 50Mb connection being pounded on is causing more stress than the TMG Capacity Planner would suggest. I am going to try an additional vCPU and 2GB more RAM (we are running standard, I believe 4GB is the limit?) before migrating to a physical.
Our DC is also a VM with a dual 10Gb uplink and an average utilization rate of 3%. I appreciate any other suggestions you may have regarding this?
10Gb? lol - that equals our HP c7000 blade environments so yes, I guess you qualify in meeting the spec there. How many DCs are there that share the AD/DNS load that TMG can use?
Also, are you using a proper virtualisation platform such as Hyper-V or something else? (lol, being a Microsoft man I couldn't resist it)
ASKER
We are using ESX 4.1U1. The TMG host is 2x5540 with 48GB RAM and 16x2.5" 15K SAS in RAID 10. There are 8 other VMs on this host, all single vCPU with an average host utilization rate of 20% (before TMG).
ASKER
There is only 1 DC, it has <500 objects so I have never given much thought to adding resources.
I'm trying to imagine how an underperforming DC could cause CPU spike on a TMG server?
ASKER
Update - moved the TMG VM to a new host with slightly faster CPU, added another vCPU and doubled RAM from 2GB to 4GB. With all NIS and malware scanning activated, CPU and RAM both hit 60% during 100% bandwidth utilization. I guess I was just under the mark?
The only thing I'd like to figure out now is that WFP Filter error. I could just disable that warning, but I would like at the very least to understand it.
Disable it or ignore it - your choice, but it IS a bug and will be fixed either in one of the anticipated updates or SP2 I guess. SP2 is on the horizon for us and after that will be made available to the general public.
ASKER
Thanks - I'll ignore it until SP2 hits. I prefer to have visibility, even if that means discounting a few lines.
Thanks again for all your input!
No sweat
Supply the outputs from an ipconfig /all and a route print from the tmg box.