FIX: HTTP connectivity verifiers return unexpected failures in TMG 2010

View products that this article applies to.

Symptoms

HTTP connectivity verifiers in Microsoft Forefront Threat Management Gateway 2010 may return failures for websites that are actually available. Therefore, rules that use Web Publishing Load Balancing (WPLB) may be unavailable, because Threat Management Gateway incorrectly assumes that all servers in the web farm are unavailable.

You may also receive frequent "No Connectivity" messages for the verifiers in question. These messages resemble the following:

The connectivity verifier "Name_of_Verifier" reported an error when trying to connect to https://ip_host/uri. Reason: No connection.

The connectivity verifier "Name_of_Verifier" reported an error when trying to connect to https://ip_host/uri. Reason: The request has timed out.

Event IDs 10050 and 21137 are sometimes another indication of this problem.

You can monitor the status of individual connectivity verifiers in the Threat Management Gateway Microsoft Management Console (MMC) by checking the Result column under Connectivity Verifiers on the Monitoring menu.

↑ Back to the top

Cause

This problem may occur if the HTTP connectivity verifier is redirected to a different URL while it's validating the server. Typically, this may occur if one of the following conditions is true:

The destination URL is configured to redirect to a different URL. This might be either a completely different URL or a relative path under the configured URL. In this situation, both the server name and URI for the request may be updated.
The destination URL has error-handling code that redirects the request to a detailed error page URL.

In this situation, the connectivity verifier URL is updated to the redirected URL and is not refreshed on later requests.

↑ Back to the top

Resolution

To resolve this problem, install Rollup 5 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2.

↑ Back to the top

Workaround

To work around this problem, make a change to the Threat Management Gateway configuration. For example, change the description of the array, and then apply these changes. This will reapply the configuration for the connectivity verifiers.

Note This workaround is temporary, and the original condition that caused the connectivity verifier URL to be updated may recur.

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More Information

Rollup 5 for Forefront Threat Management Gateway 2010 Service Pack 2 adds support to control how the connectivity verifier handles HTTP redirects. By default, the connectivity verifier will no longer follow redirects, and it will query only the URL that is specified in the connectivity verifier configuration.

Note The following script is required only if you want to change the new default behavior.

Copy the following script to a text file, and save the file as SetConnectivityVerifierHttpRedirectProcessingOptions.vbs:

'Define the constants needed.
Const strVpsGUID = "{143F5698-103B-12D4-FF34-1F34767DEABC}"
Const strVpsPropertyName = "ConnectivityVerifierHttpRedirectProcessingOptions"
Const Error_FileNotFound = &H80070002
Set objArgs = wscript.Arguments
fInvalidParameterValue = True
if objArgs.Count > 0 then
    uIntParamValue = objArgs(0)
    fInvalidParameterValue = (uIntParamValue < 0)
end if
if objArgs.Count <> 1 or fInvalidParameterValue then
    wscript.echo "Usage: SetConnectivityVerifierHttpRedirectProcessingOptions.vbs <options>"
    wscript.echo
    wscript.echo "Exactly one nonnegative numeric parameter is accepted"
    wscript.Quit 2
end if
set objArray = CreateObject("FPC.Root").GetContainingArray()
Set objVPSet = OpenVPSet(objArray, strVpsGUID)
objVPSet.Value(strVpsPropertyName) = uIntParamValue
objArray.Save
function OpenVPSet(objParent, strVpsGUID)
    Set objVPSets = objParent.VendorParametersSets
    On Error Resume Next
    Set OpenVPSet = objVPSets.Item(strVpsGUID)
    ' Save the Err properties in case it needs to be re-raised
    errNumber      = Err.Number
    errSource      = Err.Source
    errDescription = Err.Description
    errHelpFile    = Err.HelpFile
    errHelpContext = Err.HelpContext
    
    On Error GoTo 0
    
    if errNumber = Error_FileNotFound Then
        Set OpenVPSet = objVPSets.Add(strVpsGUID)
    Elseif errNumber < 0 Then
        ' An error other than "file not found" occurred -- re-raise the error,
        ' this time not under "On Error Resume Next"
        Err.Raise errNumber, errSource, errDescription, errHelpFile, errHelpContext
    End If
end function

Select the required behavior from the following list, and then run the command at an administrative command prompt:
- Option 1: De-activate both features (revert to pre-Rollup 5 functionality)
  
  cscript.exe SetConnectivityVerifierHttpRedirectProcessingOptions.vbs 0”
- Option 2: Prevent connectivity verifiers from following HTTP redirects (Default value)
  
  cscript.exe SetConnectivityVerifierHttpRedirectProcessingOptions.vbs 1
- Option 3: Renew the connectivity verifier URL every time that a request is sent
  
  cscript.exe SetConnectivityVerifierHttpRedirectProcessingOptions.vbs 2
- Option 4: Enable both features from Options 2 and 3
  
  cscript.exe SetConnectivityVerifierHttpRedirectProcessingOptions.vbs 3