Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. FIX: Both sides of a TCP connection are closed when the client or remote application half-closes the TCP connection in a Forefront Threat Management Gateway 2010 environment

FIX: Both sides of a TCP connection are closed when the client or remote application half-closes the TCP connection in a Forefront Threat Management Gateway 2010 environment

View products that this article applies to.

Symptoms

Consider the following scenario:
  • You have internal clients who are trying to access non-web-based application servers in a Microsoft Forefront Threat Management Gateway (TMG) 2010 environment.
  • The client traffic passes through an application filter in Forefront TMG that data-flows the traffic in user mode.
  • The client or the remote application server half-closes the TCP connection by sending a FIN/ACK packet. In doing this, the client or the remote application server expects the other half of the TCP connection to stay active.

In this scenario, you may notice that both sides of the TCP connection are closed immediately by the FIN/ACK packet.

↑ Back to the top

Cause

When traffic is passed through a user-mode data flow, both sockets are closed after a FIN packet is received on one of them. This prevents Forefront TMG from supporting half-closed TCP connections as supported in the kernel-mode data flow.

↑ Back to the top

Resolution

To resolve this issue, install the hotfix package that is described in the following Microsoft Knowledge Base article:
2649961 Rollup 1 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2
To enable this fix, follow these steps:
  1. Start Notepad. To do this, click Start, click Run, type notepad.exe in the Open box, and then click OK.
  2. Paste the following script to a new file in Notepad:
    set curArray = CreateObject("FPC.Root").GetContainingArray()
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "AllowHalfClosedConnection"
    Const SE_VPS_VALUE = True
    Sub SetValue()
        ' Create the root obect.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
     
        'Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object
     
        ' Get references to the array object
        ' and the network rules collection.
        Set array = curArray 
        Set VendorSets = array.VendorParametersSets
     
        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )
     
        If Err.Number <> 0 Then
            Err.Clear
     
            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
     
        Else
            WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
        End If
     
        if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
     
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
     
            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true
                CheckError
     
                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
           WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
     
    End Sub
     
    Sub CheckError()
     
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
     
    End Sub
    SetValue
  3. Save the file as AllowHalfClosedConnection.vbs, and then exit Notepad.
  4. On a Forefront TMG server, open an administrative command prompt.
  5. Move to the location to which you saved the AllowHalfClosedConnection.vbs script, and then type the following command:
    Cscript.exe AllowHalfClosedConnection.vbs
This fix lets Forefront TMG enable half-closed TCP connections in user-mode data flows.

Note To change the functionality back to the default behavior, change the following line in the script by changing the value from True to False, and then run the script:
Const SE_VPS_VALUE = True

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top

Keywords: kbnotautohotfix, kbexpertiseinter, kbbug, kbsurveynew, kbqfe, kbfix, kb

↑ Back to the top

Article Info
Article ID : 2636183
Revision : 1
Created on : 1/7/2017
Published on : 1/11/2012
Exists online : False
Views : 351