TMG blocks all new inbound connections

Hi everybody!!!

I have got big trouble with my TMG and need help. I have already surfed the internet, but found nothing!!! And I can't believe it. I have 8 years of experience with Microsoft firewalls, beginning with ISA 2004 till now, and this is the first time I have faced this kind of problem.

We have a not big, but at the same time not small, company: approximately 2000 workers, 1500 of whom have internet access. We also have 40 branches, and only 4 of the branches have their own (directly connected) internet. All the others connect through the central office, where I have installed 2 TMG servers with NLB integrated. All my 6 TMG servers (two in the central office, 4 in branches) are connected to EMS, from which I manage them. This configuration worked very well with Enterprise ISA 2006. But since I changed my whole structure to TMG, some of the servers (usually the central ones) block all connections. I can't even log on locally. If I am logged on, I can't restart the computer, because it can't log off and cannot restart the Microsoft Firewall service. It just stops. I can only do a forced restart (by power button).

No information in the log. Nowhere.

I was looking on the internet and only found that the reason might be a lot of half-open SYN connections. But how can I increase the minimum number of half-open SYN connections??? Or maybe I should disable Mitigate flood attacks at all.

Additionally

1. I can also say that I suspect it happens when the internet connection in some remote branches crashes, and then the central TMG servers or TMG servers in other branches begin to block all new inbound connections.

2. We have the newest Symantec Endpoint Protection 12.1.3001 installed on all TMG servers (with its firewall disabled), and I have this in the log file:

"Forefront TMG detected Windows Filtering Platform filters that may cause policy conflicts on the server SRV1TMG. The following providers may define filters that conflict with the Forefront TMG firewall policy: Symantec IPS Provider,SYMANTEC CORPORATION."

3. We have Dell R410 rack-mounted servers with 16 GB RAM and 1500 internet users. In branches with their own internet there are no more than 40 users per TMG.

4. I have SP2 and Rollup 3 installed on all TMG servers.

5. The SurfCop internet monitoring agent is installed on all TMG servers. It sends all data to a separate database server and works well, but there is a great amount of data being sent between all the servers. Still, it worked without problems with Enterprise ISA 2006.

Please-please-please!!! If someone knows the reason, help me. Otherwise I will have to roll back to ISA!!!

Thanks, everybody.


  • Edited by Serg-MFBA Monday, September 23, 2013 6:49 AM
September 23rd, 2013 9:47am

Hi,

Based on your description, I suggest you troubleshoot by following the steps below:

  1. Please confirm that your basic network and DNS work normally.
  2. As you mentioned, please disable the Mitigate flood attacks function and check why there are so many half-open connections: is it an attack?
  3. In the Symantec Protection Center console, exclude the Forefront TMG product to avoid potential compatibility issues (or simply disable SEP on TMG entirely to confirm whether SEP is the reason).

http://www.symantec.com/business/support/index?page=content&id=TECH93752

  4. Please run Tracert to confirm where the packets are blocked.
  5. Please confirm the DNS configuration on the TMGs' internal and external adapters.

Best Regards

September 24th, 2013 6:19am
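Step 2 above asks you to find out why there are many half-open connections before touching flood mitigation. The script below is an added example, not from this thread or from any TMG tooling: it parses `netstat -ano -p tcp` output (the only built-in source on the Windows Server 2008 R2 generation TMG runs on, where `Get-NetTCPConnection` is not available), counts `SYN_RECEIVED` entries per local port and per remote address, and flags the two patterns worth telling apart: many half-open connections spread over many sources (flood, or a branch link that dropped mid-handshake) versus many from a single remote address (one misbehaving host or path). The thresholds and the embedded sample rows are constructed for illustration.

```powershell
# Added example (not from the thread): summarise half-open (SYN_RECEIVED) TCP
# connections from 'netstat -ano -p tcp' output on a TMG server.
# Assumptions: netstat is available; thresholds are constructed, not TMG values.

param(
    [int]$WarnTotal = 200,      # constructed threshold for total half-open connections
    [int]$WarnPerRemote = 50,   # constructed threshold per remote address
    [switch]$UseSample          # parse the embedded sample instead of live netstat
)

# Constructed sample in 'netstat -ano -p tcp' format (not real data).
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2512
  TCP    10.0.0.5:8080          10.0.20.17:49211       ESTABLISHED     2512
  TCP    10.0.0.5:8080          10.0.20.17:49212       SYN_RECEIVED    2512
  TCP    10.0.0.5:8080          10.0.20.18:49300       SYN_RECEIVED    2512
  TCP    10.0.0.5:8080          10.0.20.18:49301       SYN_RECEIVED    2512
  TCP    198.51.100.9:443       203.0.113.44:51000     SYN_RECEIVED    2512
'@

$lines = if ($UseSample) { $sample -split "`r?`n" } else { netstat -ano -p tcp }

# One connection row: local addr:port, foreign addr:port, state, PID.
# IPv6 rows ([addr]:port) are matched as well because \S+ consumes the brackets.
$rowPattern = '^\s*TCP\s+(?<laddr>\S+):(?<lport>\d+)\s+(?<raddr>\S+):(?<rport>\d+)\s+(?<state>\S+)\s+(?<pid>\d+)\s*$'

$halfOpen = foreach ($line in $lines) {
    if ($line -match $rowPattern -and $Matches.state -eq 'SYN_RECEIVED') {
        [pscustomobject]@{
            LocalPort  = [int]$Matches.lport
            RemoteAddr = $Matches.raddr
            ProcessId  = [int]$Matches.pid
        }
    }
}

$total = @($halfOpen).Count
"Half-open (SYN_RECEIVED) connections: $total"

if ($total -gt 0) {
    "`nPer local port:"
    $halfOpen | Group-Object LocalPort | Sort-Object Count -Descending |
        Select-Object -Property @{n='LocalPort';e={$_.Name}}, Count | Format-Table -AutoSize

    "Per remote address (top 10):"
    $halfOpen | Group-Object RemoteAddr | Sort-Object Count -Descending |
        Select-Object -First 10 -Property @{n='RemoteAddr';e={$_.Name}}, Count | Format-Table -AutoSize
}

# Verdict: a high total spread across many remote addresses looks like a flood or a
# broken path (e.g. a branch whose link dropped mid-handshake, so SYN-ACKs never get
# their ACK); a high count from one remote address points at a single host or link.
if ($total -ge $WarnTotal) {
    Write-Warning "Total half-open connections ($total) is at or above $WarnTotal."
}
$halfOpen | Group-Object RemoteAddr | Where-Object { $_.Count -ge $WarnPerRemote } | ForEach-Object {
    Write-Warning "Remote $($_.Name) holds $($_.Count) half-open connections (>= $WarnPerRemote)."
}
```

Run it with `-UseSample` to see the grouping on the embedded rows (four half-open entries, two of them from 10.0.20.18), then without the switch on the affected TMG server a few times in a row while the branch link is flapping; if the half-open count climbs only while a branch is unreachable and drains afterwards, the flood-mitigation limits are reacting to stalled handshakes rather than to an attack, which is the case to rule out before lowering or disabling them.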

Thanks for your answer.

Basic Network and DNS are working well. Reverse lookup is also in place.

I have the external DNS servers' IP addresses on the WAN adapter, and the local DNS on the LAN adapter.

And yesterday I installed Rollup 2 on all my TMG servers. Maybe KB 2705829 is the reason. (Rollup 3 was installed several months ago, but it didn't help.)

If that doesn't help, then I will disable the Mitigate flood attacks function.

September 24th, 2013 12:54pm

Hi,

If you deploy two different DNS servers on the internal and external adapters, it may cause some unexpected problems.

In my opinion, I suggest deploying Split DNS. You can refer to the link below to learn more about it:

http://www.itgeared.com/articles/1020-what-is-split-brain-split-horizon-or/

Additionally, if KB 2705829 fixes your problem, please let us know.

Thanks for your support

Best Regards

Quan Gu

September 24th, 2013 2:47pm

Split DNS is not a solution for us, because all internal computers have only the local DNS server, and our TMG (working as a web proxy) has to resolve website names for them. Additionally, TMG has to resolve the AD usernames: all authentication and internet access in our structure is set up by username rather than by IP.
That is why I put the internal DNS server on the LAN adapter and the external DNS on the WAN adapter. And until now I have had no problem with this configuration, despite having read a lot about the problems it might create. In any case, in the near future I will change the structure by adding a front-edge TMG, where only the external DNS will be, whereas only the internal DNS will be on my back firewall.

AND....

The most interesting part!!! I think... after such a long period, I have come very close to the answer)))))

After 3 days without any problems, early in the morning when there was no load on the TMG servers, I restarted one of them. And the "tricks" began. After 10 minutes, another server in the central office blocked all connections, and a bit later another one on the branch side did the same. This means that when intra-array communication is broken, the server goes down!!! And that might be the reason, because I use the same adapter for internal and intra-array communication, and the load on the internal adapter is sometimes high, up to 2500 active connections.
I am very, very disappointed and happy at the same time. I should read more about the Enterprise structure.

Thanks a lot for your answers and help!

September 25th, 2013 9:31am

I have come closer to the solution. As I found out, the reason was the Reporting Server. When this server became unreachable for some moments, the other servers might block all connections too.

Who can tell me:

1. How to disable Reporting? As far as I know, it's impossible.

2. What is the maximum number of active connections one server can support?

3. Is it right to put remote servers (with a poor connection to the central office) in the same array as the Reporting Server? Or should I split the remote servers and the central office into separate arrays?

Thanks.

September 30th, 2013 2:45am
