Forefront TMG 2010 Blocking Internet Connectivity on the LAN
After migrating to Forefront TMG 2010, it ran smoothly over the weekend without a problem. On Monday, around midday, I got an error in the alert “Concurrent TCP Connections from one IP Address Limit Exceeded”. Both my DNS servers had been blocked in this alert and as a result there was no name resolution and thus no internet connectivity for my whole office. I would also get this error on ISA 2006, but it would not block internet connectivity like in the case of Forefront. I have also (in both firewalls) put both my internal DNS servers in the IP Exceptions list of the Flood Mitigation settings so as to allow the highest threshold of concurrent TCP connections allowed. The server on which I installed Forefront was different from the one running ISA, and it was also fairly new, so I don’t think there is an issue with the NICs. Kindly advise what I can do to resolve this problem.
Microsoft Forefront ISA Server
Last Comment: nimocan, 8/22/2022 - Mon
Suliman Abu Kharroub
Please check your Deny access rules which have domain name sets or URL sets on the To tab; they should be applied only to HTTP/HTTPS traffic.
And make sure you don't have unneeded ports open. Mostly torrent apps cause such problems.
It's not about DNS. Please open TMG Console > Networking > Internal Networks > right-click > Properties > Web Proxy tab > click Advanced > check Unlimited > apply changes.
Side note FYI: HTTPS only works with Domain Name Sets and sets based on IP numbers. But HTTPS will not work with URL Sets,...only HTTP can do that. At least that was so with ISA. With TMG,...it can now decrypt the HTTPS packets, so I don't know if that means it can use URL Sets with HTTPS or not.
Thanks pwindell. In my setup I only use Domain Name Sets, both on ISA and Forefront. I don't use URL sets. Does this have an impact on the "Concurrent TCP Connections from one IP address Limit Exceeded" issue?
pwindell
I am a bit skeptical about how MS made TMG behave. I have seen TMG block all connections due to this one thing and also because of "Too many half-open connections",..in fact it seems to block everything from/to everywhere when that happens. I'm not going to claim to know all the details but it seems kind of silly for TMG to behave that way,...it is practically a built-in DoS attack. Heck, you don't need an attacker to DoS you,...TMG will DoS itself!!! Worse yet, I don't think there is a way to disable the feature if you don't want to use it. However myself,..I am still running ISA2006,..not TMG,...so I lack a bit of personal experience with TMG.
Anyway, too many TCP connections from a particular client can potentially mean that client is infected with something that is causing it to create an excessive amount of outbound connections. So that is something to consider.
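To make the two points in this thread concrete (DNS servers tripping the per-IP concurrent TCP limit unless they are on the IP Exceptions list, and a single chatty client possibly being infected), here is an added example that is not from the thread or from Microsoft: a small Python model of the flood-mitigation counter run over constructed connection records. The limit values 160 and 400 and the addresses are assumptions; read the real limits from your own Flood Mitigation settings.

```python
from collections import Counter

DEFAULT_LIMIT = 160   # assumed default per-IP concurrent TCP limit; check your TMG settings
CUSTOM_LIMIT = 400    # assumed custom limit applied to IPs on the IP Exceptions list
DNS_SERVERS = {"10.0.0.10", "10.0.0.11"}   # constructed internal DNS server addresses


def build_sample():
    """Constructed records shaped (source_ip, dest_ip, protocol, state).

    A real run would parse exported TMG firewall log lines instead.
    """
    recs = []
    # Internal DNS server with many outstanding TCP lookups to forwarders.
    recs += [("10.0.0.10", "192.0.2.53", "TCP", "ESTABLISHED")] * 250
    # One workstation fanning out to many hosts, the pattern of a possibly infected client.
    recs += [("10.0.0.55", "203.0.113.%d" % (i % 50), "TCP", "ESTABLISHED") for i in range(200)]
    # A normal client: a handful of TCP sessions plus UDP, which the counter ignores.
    recs += [("10.0.0.20", "198.51.100.7", "TCP", "ESTABLISHED")] * 5
    recs += [("10.0.0.20", "198.51.100.7", "UDP", "")] * 40
    return recs


def concurrent_tcp_by_source(records):
    """Count established TCP connections per source IP, as the flood-mitigation counter does."""
    counts = Counter()
    for src, _dst, proto, state in records:
        if proto == "TCP" and state == "ESTABLISHED":
            counts[src] += 1
    return counts


def evaluate(counts, default_limit, custom_limit, exceptions):
    """Return {src: (count, applied_limit, exceeded)}; excepted IPs get the custom limit."""
    result = {}
    for src, n in counts.items():
        limit = custom_limit if src in exceptions else default_limit
        result[src] = (n, limit, n > limit)
    return result


if __name__ == "__main__":
    counts = concurrent_tcp_by_source(build_sample())
    for label, exc in (("no exceptions", set()), ("DNS servers excepted", DNS_SERVERS)):
        print(label)
        for src, (n, limit, over) in sorted(evaluate(counts, DEFAULT_LIMIT, CUSTOM_LIMIT, exc).items()):
            print(f"  {src}: {n} TCP connections, limit {limit}, {'EXCEEDED' if over else 'ok'}")
```

Without the exception the DNS server is the one flagged, which is the outage described in the question; with it, only the fan-out workstation trips the limit and is the host worth inspecting.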
nimocan
ASKER
Has anyone else experienced this kind of issue with TMG?
Yes there have been,...that is why I know about it happening. Anyone who just happens to be watching this thread?,...doubtful you'll get a response to that question.
nimocan
ASKER
Hi pwindell, does this mean that in spite of this known issue, Microsoft has not addressed it?
I never meant it was an "official documented known issue". All I said was that I had run across the issue before,...nothing more than that.
MS is going to know about more issues with any of their products than the general public is ever going to have any idea that such an issue exists,...and they are always working on them. Solving such issues is not an instantaneous thing.
MS has just recently come out with a Rollup Patch for TMG's SP2 for things that SP2 did not cover.
http://blogs.technet.com/b/isablog/archive/2009/01/12/isa-server-2006-stops-answering-requests.aspx?wa=wsignin1.0