nimocan (Kenya) asked:
Forefront TMG 2010 Blocking Internet Connectivity on the LAN

After migrating to Forefront TMG 2010, it ran smoothly over the weekend without a problem. On Monday, around midday, I got an error in the alert "Concurrent TCP Connections from one IP Address Limit Exceeded". Both my DNS servers had been blocked in this alert, and as a result there was no name resolution and thus no internet connectivity for my whole office. I would also get this error on ISA 2006, but it would not block internet connectivity like in the case of Forefront. I have also (in both firewalls) put both my internal DNS servers in the IP Exceptions list of the Flood Mitigation settings so as to allow the highest threshold of concurrent TCP connections allowed. The server on which I installed Forefront was different from the one running ISA, and it was also fairly new, so I don't think there is an issue with the NICs. Kindly advise what I can do to resolve this problem.
Suliman Abu Kharroub (Jordan):

Please check your Deny access rules which have domain name sets or URL sets on the TO tab; they should be applied only to HTTP/S traffic.

Also make sure you don't have unneeded ports open. Mostly torrent apps cause such problems.

http://blogs.technet.com/b/isablog/archive/2009/01/12/isa-server-2006-stops-answering-requests.aspx?wa=wsignin1.0

It's not about DNS. Please open TMG Console > Networking > Internal Networks > right-click > Properties > Web Proxy tab > click Advanced > check Unlimited > Apply Changes.

Please add AD and DNS connection verifiers on TMG. Please verify your config with this link: http://microsoftguru.com.au/2010/03/08/forefront-tmg-2010-how-to-install-and-configure-forefront-tmg-2010-step-by-step/

Side note FYI: HTTPS only works with Domain Name Sets and sets based on IP addresses. HTTPS will not work with URL Sets,...only HTTP can do that. At least that was so with ISA. With TMG,...it can now decrypt the HTTPS packets, so I don't know if that means it can use URL Sets with HTTPS or not.
nimocan (asker):
Thanks pwindell. In my setup I only use Domain Name Sets in my configuration, both on ISA and Forefront. I don't use URL Sets. Does this have an impact on the "Concurrent TCP Connections from one IP address Limit Exceeded" issue?
I am a bit skeptical about how MS made TMG behave. I have seen TMG block all connections due to this one thing and also because of "Too many half-open connections",..in fact it seems to block everything from/to everywhere when that happens.  I'm not going to claim to know all the details but it seems kind of silly for TMG to behave that way,...it is practically a built-in DoS attack.   Heck, you don't need an attacker to DoS you,...TMG will DoS itself!!!  Worse yet, I don't think there is a way to disable the feature if you don't want to use it.  However myself,..I am still running ISA2006,..not TMG,...so I lack a bit of personal experience with TMG.

Anyway, too many TCP connections from a particular client can potentially mean that client is infected with something that is causing it to create an excessive amount of outbound connections.  So that is something to consider.
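The exchange above turns on how a per-source-IP concurrent TCP connection limit behaves: a busy internal DNS server legitimately holds many simultaneous upstream connections, so it trips the same limit that is meant to catch a flooding or infected workstation, unless it is given a higher limit through the Flood Mitigation IP exceptions list. The following is an added example, not TMG's code, that models that policy over a constructed connection log so the two cases can be seen side by side. The limit values (160 default, 400 for exceptions), the IP addresses and the connection records are all constructed for illustration; check the values your own TMG policy uses.

```python
"""Toy model of a per-source-IP concurrent TCP connection limit with an
exceptions list (constructed example, not Forefront TMG code).

Each record is (source_ip, start_time, end_time) in seconds, one tuple per
TCP connection the firewall saw.  The sweep-line in peak_concurrent()
finds, for each source IP, the largest number of connections open at the
same instant, which is what a "concurrent connections per IP" limit acts on.
"""
from collections import defaultdict

# Constructed policy values, standing in for whatever your policy is set to.
DEFAULT_LIMIT = 160      # applied to every source IP not in the exceptions list
EXCEPTION_LIMIT = 400    # higher custom limit applied to IPs in the exceptions list

# Constructed sample log, deliberately shaped to show the three cases.
SAMPLE_CONNECTIONS = (
    # Internal DNS server resolving for the whole office: 200 upstream TCP
    # sessions that all overlap around t=199.  Legitimate, but far above a
    # limit sized for a single workstation.
    [("10.0.0.10", t, t + 300) for t in range(200)]
    # Ordinary workstation: a few overlapping browser connections.
    + [("10.0.0.55", 0, 30), ("10.0.0.55", 5, 40), ("10.0.0.55", 10, 50)]
    # Workstation opening 250 outbound connections at once: the pattern a
    # flooding or infected client produces.
    + [("10.0.0.99", 100, 160) for _ in range(250)]
)


def peak_concurrent(connections):
    """Return {source_ip: peak number of simultaneously open connections}."""
    events = defaultdict(list)
    for ip, start, end in connections:
        events[ip].append((start, +1))   # connection opens
        events[ip].append((end, -1))     # connection closes (end is exclusive)
    peaks = {}
    for ip, evs in events.items():
        # Tuples sort by time, then delta, so a close (-1) at time T is
        # processed before an open (+1) at the same T and frees its slot first.
        evs.sort()
        live = peak = 0
        for _, delta in evs:
            live += delta
            peak = max(peak, live)
        peaks[ip] = peak
    return peaks


def evaluate(connections, limit=DEFAULT_LIMIT, exceptions=(),
             exception_limit=EXCEPTION_LIMIT):
    """Apply the limit policy to a connection log.

    Returns {source_ip: {"peak": int, "limit": int, "blocked": bool}}.
    IPs in `exceptions` are judged against `exception_limit`; all others
    against `limit`.  An IP is "blocked" when its peak exceeds the limit
    that applies to it, mirroring the alert that triggers the block.
    """
    exceptions = set(exceptions)
    result = {}
    for ip, peak in peak_concurrent(connections).items():
        applied = exception_limit if ip in exceptions else limit
        result[ip] = {"peak": peak, "limit": applied, "blocked": peak > applied}
    return result


def blocked_ips(connections, **policy):
    """Sorted list of source IPs the policy would block."""
    verdicts = evaluate(connections, **policy)
    return sorted(ip for ip, v in verdicts.items() if v["blocked"])


if __name__ == "__main__":
    print("Without an exceptions list:")
    for ip, v in sorted(evaluate(SAMPLE_CONNECTIONS).items()):
        print(f"  {ip:<12} peak={v['peak']:>4} limit={v['limit']:>4} "
              f"{'BLOCKED' if v['blocked'] else 'ok'}")
    print("With the DNS server in the exceptions list:")
    for ip, v in sorted(evaluate(SAMPLE_CONNECTIONS,
                                 exceptions={"10.0.0.10"}).items()):
        print(f"  {ip:<12} peak={v['peak']:>4} limit={v['limit']:>4} "
              f"{'BLOCKED' if v['blocked'] else 'ok'}")
```

Run without the exceptions list, the model blocks both the DNS server and the flooding workstation, which is exactly the symptom in the question: once the resolvers are cut off, every client loses name resolution. With the DNS server listed as an exception it stays under its higher limit while the flooding client is still caught, which is the behaviour the exceptions list is for. The per-IP peaks the report prints are also worth keeping an eye on for exempted hosts: an exception removes the block but not the reason to notice when a normally quiet host starts fanning out hundreds of connections.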
nimocan (asker):
Has anyone else experienced this kind of issue with TMG?
Yes there have been,...that is why I know about it happening.   Anyone who just happens to be watching this thread?,...doubtful you'll get a response to that question.
nimocan (asker):
Hi pwindell, does this mean that in spite of this known issue, Microsoft has not addressed it?
ASKER CERTIFIED SOLUTION
Hi pwindell, does this mean that in spite of this known issue, Microsoft has not addressed it?

I never meant it was an "official documented known issue".  All I said was that I had run across the issue before,...nothing more than that.

MS is going to know about more issues with any of their products than the general public is ever going to have any idea that such issues exist,...and they are always working on them.  Solving such issues is not an instantaneous thing.

MS has just recently come out with a Rollup Patch for TMG's SP2 for things that SP2 did not cover.
nimocan (asker):
I suspect the issue was a glitch in Forefront TMG which the service pack resolved.