Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
Forefront TMG 2010 Blocking Internet Connectivity on the LAN
After migrating to Forefront TMG 2010, it ran smoothly over the weekend without a problem, on Monday, around midday, I got an error in the alert “Concurrent TCP Connections from one IP Address Limit Exceeded”. Both my DNS servers had been blocked in this alert and as a result there was no name resolution and this no internet connectivity for my whole office. I would also got this error on ISA 2006, but it would not block internet connectivity like in the case of Forefront. I have also (in both firewalls) put both my internal DNS servers in the IP Exceptions list of the Flood Mitigation settings so as to allow the highest threshold of concurrent TCP connections allowed. The server on which I installed Forefront was different from the one running ISA, and it was also fairly new and so I don’t think there is an issue with the NICs. Kindly advise what I can do to resolve this problem
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Please check your Deny access rules which have on the TO tab domain name sets or URL sets, it should be applied only to http/s traffic.
and make sure you dont have not needed ports opened. mostly torrents apps causes such problems.
http://blogs.technet.com/b/isablog/archive/2009/01/12/isa-server-2006-stops-answering-requests.aspx?wa=wsignin1.0
and make sure you dont have not needed ports opened. mostly torrents apps causes such problems.
http://blogs.technet.com/b/isablog/archive/2009/01/12/isa-server-2006-stops-answering-requests.aspx?wa=wsignin1.0
Its not about DNS. Please open TMG Console>Networking>Interna
Please add AD and DNS Connection verifier on TMG. Please verify your config with this link http://microsoftguru.com.au/2010/03/08/forefront-tmg-2010-how-to-install-and-configure-forefront-tmg-2010-step-by-step/
Please add AD and DNS Connection verifier on TMG. Please verify your config with this link http://microsoftguru.com.au/2010/03/08/forefront-tmg-2010-how-to-install-and-configure-forefront-tmg-2010-step-by-step/
Side note FYI: HTTPs only works with Domain Name Set and Sets based on IP#s. But HTTPS will not work with URL Sets,...only HTTP can do that. At least that was so with ISA. With TMG,...it can now decrypt the HTTPS packets, so I don't know if that means it can use URL Sets with HTTPS or not.
Thanks pwindell. In my set up I only use Domain Name Sets in my configuration both on ISA and Forefront. I don't use URL sets. Does this have an impact on the "Concurrent TCP Connections from one IP address Limit Exceeded" issue?
I am a bit skeptical about how MS made TMG behave. I have seen TMG block all connections due to this one thing and also because of "Too many half-open connections",..in fact it seems to block everything from/to everywhere when that happens. I'm not going to claim to know all the details but it seems kind of silly for TMG to behave that way,...it is practically a built-in DoS attack. Heck, you don't need an attacker to DoS you,...TMG will DoS itself!!! Worse yet, I don't think there is a way to disable the feature if you don't want to use it. However myself,..I am still running ISA2006,..not TMG,...so I lack a bit of personal experience with TMG.
Anyway, too many TCP Connections from a particular clients can potentially mean that client is infected with something that is causing it to create an excessive amount of outbound connections. So that is something to consider.
Anyway, too many TCP Connections from a particular clients can potentially mean that client is infected with something that is causing it to create an excessive amount of outbound connections. So that is something to consider.
Yes there have been,...that is why I know about it happening. Anyone who just happens to be watching this thread?,...doubtful you'll get a response to that question.
After running the latest service pack for TMG, i.e. service pack 2, it is now running well. Thanks all for your comments.
Hi pwindell, does this mean that inspite of this known issue, Microsoft has not addressed it?
I never meant it was an "official documented known issue". All I said was that I had run across the issue before,...nothing more than that.
MS is going to know about more issues with any of their products then the general public is ever going to have any idea that such an issues exists,...and they are always working on them. Solving such issues is not an instantaneous thing.
MS has just recently come out with a Rollup Patch for TMG's SP2 for things that SP2 did not cover.
I never meant it was an "official documented known issue". All I said was that I had run across the issue before,...nothing more than that.
MS is going to know about more issues with any of their products then the general public is ever going to have any idea that such an issues exists,...and they are always working on them. Solving such issues is not an instantaneous thing.
MS has just recently come out with a Rollup Patch for TMG's SP2 for things that SP2 did not cover.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial