Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

An IPsec VPN site-to-site tunnel or a PPTP VPN site-to-site tunnel does not work if you enable integrated NLB on a Forefront TMG 2010 array


View products that this article applies to.

Symptoms

Consider the following scenario:
  • You configure an Internet Protocol Security (IPsec) VPN site-to-site tunnel or a Point-to-Point Tunneling Protocol (PPTP) VPN site-to-site connection between a Microsoft Forefront Threat Management Gateway (TMG) 2010 multiple-member array deployment and another site. And, you can successfully access resources through the tunnel.
  • You enable integrated network load balancing (NLB) on the TMG 2010 array.
  • You try to access resources in another site.
In this scenario, the IPsec tunnel does not work, and you cannot access resources on either side of the tunnel.

Note The scope of this problem is actually larger than IPsec site-to-site VPN. The problem that is described here may occur in any array-based TMG 2010 deployments for which integrated NLB is enabled when NLB WMI events such as node convergence are triggered. Site-to-site VPN that has NLB enabled is the most visible example.

↑ Back to the top


Cause

This problem occurs because TMG 2010 incorrectly defines discretionary access control lists (DACLs) for the COM services that are exposed by TMG 2010. These DACLs prevent NLB WMI event notifications from being accepted by TMG services. Therefore, the internal NLB state of TMG is not updated, and subcomponents that depend on the NLB state, such as IPsec filter definitions, are not initialized correctly.

↑ Back to the top


Resolution

Service pack information

This problem is fixed in Forefront TMG 2010 Service Pack 1.

For more information about how to obtain Forefront TMG 2010 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:
981324 List of problems that are fixed in Forefront Threat Management Gateway 2010 Service Pack 1

Update information

To resolve this problem, follow these steps:
  1. Apply the update for Forefront TMG 2010 that is available from the Microsoft Download Center:

    Download Download the Update for Forefront TMG 2010 (KB 980674) package now.

    For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
    119591 How to obtain Microsoft support files from online services
    Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
  2. Restart the computer that is running Forefront TMG 2010.

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Forefront TMG 2010 Service Pack 1.

↑ Back to the top


Keywords: kb, kbsurveynew, kbfix, kbexpertiseinter, atdownload

↑ Back to the top

Article Info
Article ID : 980674
Revision : 2
Created on : 4/9/2020
Published on : 4/9/2020
Exists online : False
Views : 304