Forefront TMG 2010 Blocking Internet Connectivity on the LAN

nimocan
After migrating to Forefront TMG 2010, it ran smoothly over the weekend without a problem. On Monday, around midday, I got an error in the alert "Concurrent TCP Connections from one IP Address Limit Exceeded". Both my DNS servers had been blocked in this alert and as a result there was no name resolution and thus no internet connectivity for my whole office. I would also get this error on ISA 2006, but it would not block internet connectivity like in the case of Forefront. I have also (in both firewalls) put both my internal DNS servers in the IP Exceptions list of the Flood Mitigation settings so as to allow the highest threshold of concurrent TCP connections allowed. The server on which I installed Forefront was different from the one running ISA, and it was also fairly new, so I don't think there is an issue with the NICs. Kindly advise what I can do to resolve this problem.
Please check your Deny access rules which have Domain Name Sets or URL Sets on the To tab; they should be applied only to HTTP/S traffic.

Also make sure you don't have unneeded ports open. Mostly torrent apps cause such problems.

 http://blogs.technet.com/b/isablog/archive/2009/01/12/isa-server-2006-stops-answering-requests.aspx?wa=wsignin1.0
It's not about DNS. Please open TMG Console > Networking > Internal Networks > right-click > Properties > Web Proxy tab > click Advanced > check Unlimited > apply changes.

Please add AD and DNS connection verifiers on TMG. Please verify your config with this link: http://microsoftguru.com.au/2010/03/08/forefront-tmg-2010-how-to-install-and-configure-forefront-tmg-2010-step-by-step/
Most Valuable Expert 2011

Commented:
Side note FYI:  HTTPs only works with Domain Name Set and Sets based on IP#s.  But HTTPS will not work with URL Sets,...only HTTP can do that.  At least that was so with ISA.  With TMG,...it can now decrypt the HTTPS packets, so I don't know if that means it can use URL Sets with HTTPS or not.

nimocan (ICT Manager)

Author

Commented:
Thanks pwindell. In my set up I only use Domain Name Sets in my configuration both on ISA and Forefront. I don't use URL sets. Does this have an impact on the "Concurrent TCP Connections from one IP address Limit Exceeded" issue?
Most Valuable Expert 2011

Commented:
I am a bit skeptical about how MS made TMG behave. I have seen TMG block all connections due to this one thing and also because of "Too many half-open connections",..in fact it seems to block everything from/to everywhere when that happens.  I'm not going to claim to know all the details but it seems kind of silly for TMG to behave that way,...it is practically a built-in DoS attack.   Heck, you don't need an attacker to DoS you,...TMG will DoS itself!!!  Worse yet, I don't think there is a way to disable the feature if you don't want to use it.  However myself,..I am still running ISA2006,..not TMG,...so I lack a bit of personal experience with TMG.

Anyway, too many TCP connections from a particular client can potentially mean that client is infected with something that is causing it to create an excessive amount of outbound connections.  So that is something to consider.
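As an added example (not code from the thread, from Microsoft or from TMG itself), the following Python replays constructed connection-log lines to find each internal host's peak number of simultaneous TCP connections, then applies a per-IP limit with a higher limit for hosts on an exception list, mirroring how the thread describes Flood Mitigation's IP Exceptions treating the internal DNS servers. The log format, the addresses and the limit values are all assumptions; read your real thresholds from the TMG console.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log, not real TMG output. Each line is:
# "time event src_ip dst_ip:port connection_id"
SAMPLE_LOG = """\
12:00:01 open 10.0.0.10 8.8.8.8:53 c1
12:00:01 open 10.0.0.10 8.8.4.4:53 c2
12:00:02 open 10.0.0.10 8.8.8.8:53 c3
12:00:02 open 10.0.0.57 203.0.113.9:6881 c4
12:00:02 open 10.0.0.57 203.0.113.10:6881 c5
12:00:03 close 10.0.0.10 8.8.8.8:53 c1
12:00:03 open 10.0.0.57 203.0.113.11:6881 c6
12:00:04 open 10.0.0.57 203.0.113.12:6881 c7
12:00:04 close 10.0.0.57 203.0.113.9:6881 c4
"""


def peak_concurrent(log_text):
    """Return {src_ip: peak simultaneous open connections} by replaying
    open/close events in order (a concurrent limit counts open sockets,
    not connection attempts per minute)."""
    open_conns = defaultdict(set)
    peak = defaultdict(int)
    for line in log_text.splitlines():
        _time, event, src, _dst, conn_id = line.split()
        if event == "open":
            open_conns[src].add(conn_id)
            peak[src] = max(peak[src], len(open_conns[src]))
        elif event == "close":
            open_conns[src].discard(conn_id)
    return dict(peak)


def flood_check(peak, limit, exception_limit, exceptions):
    """Mimic a per-IP concurrent-connection limit: hosts matching an
    exception entry (hypothetical DNS servers here) get the higher
    custom limit. Returns {src_ip: (class, peak, over_limit)}."""
    nets = [ip_network(e) for e in exceptions]
    verdict = {}
    for src, n in peak.items():
        excepted = any(ip_address(src) in net for net in nets)
        cap = exception_limit if excepted else limit
        verdict[src] = ("excepted" if excepted else "normal", n, n > cap)
    return verdict


if __name__ == "__main__":
    # Assumed limits: 3 for ordinary hosts, 10 for excepted hosts.
    for ip, v in flood_check(peak_concurrent(SAMPLE_LOG), 3, 10, ["10.0.0.10/32"]).items():
        print(ip, v)
```

With these constructed values the DNS server 10.0.0.10 stays under its exception limit while 10.0.0.57, which fans out to many peers, is the host that would trip an ordinary limit, which is the kind of client the comment above suggests checking for infection.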
nimocan (ICT Manager)

Author

Commented:
Has anyone else experienced this kind of issue with TMG?
Most Valuable Expert 2011

Commented:
Yes there have been,...that is why I know about it happening.   Anyone who just happens to be watching this thread?,...doubtful you'll get a response to that question.
nimocan (ICT Manager)

Author

Commented:
Hi pwindell, does this mean that in spite of this known issue, Microsoft has not addressed it?
ICT Manager
Commented:
After running the latest service pack for TMG, i.e. service pack 2, it is now running well. Thanks all for your comments.
Most Valuable Expert 2011

Commented:
Hi pwindell, does this mean that in spite of this known issue, Microsoft has not addressed it?

I never meant it was an "official documented known issue".  All I said was that I had run across the issue before,...nothing more than that.

MS is going to know about more issues with any of their products than the general public is ever going to have any idea that such an issue exists,...and they are always working on them.  Solving such issues is not an instantaneous thing.

MS has just recently come out with a Rollup Patch for TMG's SP2 for things that SP2 did not cover.
nimocan (ICT Manager)

Author

Commented:
I suspect the issue was a glitch in Forefront TMG which the service pack resolved.
