FIX: Outgoing request failures may occur when HTTPS Inspection is enabled and web server connection timeouts occur in a Forefront Threat Management Gateway 2010 environment

Article ID: 2518684

SYMPTOMS

When HTTPS Inspection is enabled in a Microsoft Forefront Threat Management Gateway (TMG) 2010 environment, some outgoing POST requests may be handled incorrectly: the request reaches the external web server with only the headers, and the POST body is never sent.

For example, consider the following scenario:
  • The client makes an outgoing SSL request to the web server to retrieve a webpage.
  • TMG inspects the traffic and then makes an onward connection to the web server.
  • The response is returned to the client, and both the "client to TMG" and the "TMG to web server" TCP connections are kept open.
  • A short time later, when the web server's connection idle timeout is reached, the web server closes the "TMG to web server" connection.
  • TMG does not detect that the "TMG to web server" connection was closed, because the connection is idle and not currently being used.
  • The client makes a POST request to the web server by using the existing "client to TMG" connection.
  • TMG receives the request, tries to use the "TMG to web server" connection, and finds that the connection was closed by the web server.
  • TMG signals a connection closure to the client.

In this scenario, you would expect the client to resend the request over a new connection. However, this does not occur, because a known Internet Explorer issue is exposed. The Internet Explorer issue is described in the following article in the Microsoft Knowledge Base:
895954 When you use Microsoft Internet Explorer or another program to perform a re-POST operation, only the header data is posted
Note In addition to the POST error, this scenario may also cause random "Page Cannot Be Displayed" error messages for GET requests if multiple connections have timed out. This occurs because Internet Explorer retries a GET request only three times. If all three tries are made on connections that the web server has already timed out, the GET request fails as well.

RESOLUTION

To resolve this issue, install the software update that is described in the following article in the Microsoft Knowledge Base:
2517957 Software Update 1 Rollup 4 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1
With this fix, TMG detects that the web server has timed out the external connection and closes the associated internal client connection. Because the client then sees its own connection closed, it opens a new connection for the next request instead of re-POSTing on a dead one, so the Internet Explorer issue is no longer exposed.

After you install this software update, you must enable the new behavior by running the following script:
Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "EnableHTTPSiConnectionTerminationNotification"
Const SE_VPS_VALUE = true

Sub SetValue()

    ' Create the root object.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim array ' An FPCArray object
    Dim VendorSets ' An FPCVendorParametersSets collection
    Dim VendorSet ' An FPCVendorParametersSet object

    ' Obtain references to the array that contains this server
    ' and to its vendor parameters sets collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    ' Look up the vendor parameters set; Item raises an error if it does not exist yet.
    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name

    Else
        WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
    End If

    ' Only write and save the parameter if it actually changes.
    If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError

            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If

End Sub

Sub CheckError()

    ' Report any pending COM error as a hex HRESULT and clear it.
    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

SetValue

Note To revert to the pre-fix behavior, follow these steps:
  1. Locate the following line in the script : 
    Const SE_VPS_VALUE = true
    Change this line to the following:
    Const SE_VPS_VALUE = false
  2. Save the changed script, and then run the script on one of the TMG array members.
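
The following is an added example and is not code from the Knowledge Base article or from TMG itself. It models, on loopback and in one process, the failure sequence from the SYMPTOMS section and the post-fix behavior described in the RESOLUTION section: a toy keep-alive web server closes an idle connection after a constructed idle timeout (IDLE_TIMEOUT), a proxy reuses its cached upstream connection for the client's POST, and the "fix" is modeled as the proxy closing the client connection as soon as it sees the server's close on the idle upstream connection. The host name example.test, the request and response bytes, and the peer_closed probe (a generic select plus zero-byte MSG_PEEK check for a FIN) are assumptions for illustration; the article does not describe how TMG detects the closure internally, and the proxy's watcher is reduced here to a single check rather than a background event loop.

```python
# Added example, not code from the KB article or from TMG. Server, proxy logic and
# client all run in-process on loopback; IDLE_TIMEOUT and the HTTP bytes are constructed.
import select
import socket
import threading
import time

IDLE_TIMEOUT = 0.2  # seconds; stands in for the web server's keep-alive idle timeout
GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
POST = b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
OK = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"


def recv_http_message(sock):
    """Read one HTTP message (headers plus Content-Length body); b"" on EOF."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return b""
        buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value)
    while len(body) < length:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return head + b"\r\n\r\n" + body[:length]


def peer_closed(sock):
    """True if the peer closed an idle connection: readable but a zero-byte peek means FIN."""
    if not select.select([sock], [], [], 0)[0]:
        return False
    try:
        return sock.recv(1, socket.MSG_PEEK) == b""
    except OSError:  # connection reset: also gone
        return True


def start_server(idle_timeout):
    """Toy keep-alive web server on loopback serving one connection, which it
    closes after idle_timeout seconds without a request (the web server's idle timeout)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    addr = listener.getsockname()

    def serve():
        conn, _ = listener.accept()
        listener.close()
        conn.settimeout(idle_timeout)
        try:
            while recv_http_message(conn):  # answer requests until the client sends EOF
                conn.sendall(OK)
        except socket.timeout:
            pass  # idle timer expired: the server closes the keep-alive connection
        finally:
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return addr


def simulate(propagate_close, wait_past_idle):
    """Outcome of the client's POST on a reused connection.

    propagate_close=False: pre-fix proxy, which finds the upstream dead only when it
    forwards the POST. propagate_close=True: the fix, the proxy closes the client
    connection as soon as the server has closed the idle upstream connection, so
    the client sends the POST (body included) on a new connection."""
    client, proxy_side = socket.socketpair()                         # "client to TMG"
    upstream = socket.create_connection(start_server(IDLE_TIMEOUT))  # "TMG to web server"

    def proxy_forward():  # relay one request; on a dead upstream, all it can do is close the client side
        try:
            upstream.sendall(recv_http_message(proxy_side))
            response = recv_http_message(upstream)
        except OSError:
            response = b""
        if response:
            proxy_side.sendall(response)
        else:
            proxy_side.close()

    try:
        client.sendall(GET)
        proxy_forward()
        assert recv_http_message(client) == OK
        if wait_past_idle:
            time.sleep(IDLE_TIMEOUT * 5)          # the server's idle timer fires; its FIN arrives
        if propagate_close and peer_closed(upstream):
            proxy_side.close()                    # the fix, modelled as one check: notify the client now
        if peer_closed(client):
            return "client_opens_new_connection"  # fresh connection, POST body intact (no re-POST)
        client.sendall(POST)
        proxy_forward()
        return "ok" if recv_http_message(client) == OK else "failed"
    finally:
        for s in (client, proxy_side, upstream):
            s.close()
```

Call simulate(False, True) to reproduce the symptom (the POST is forwarded onto a connection the server has already closed and the client only gets a closure) and simulate(True, True) for the post-fix path, where the client finds its own connection closed before it sends and must open a new one; with wait_past_idle=False both variants complete the POST normally, which is why the problem only shows up after the web server's idle timeout has elapsed.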

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

REFERENCES

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 2518684 - Last Review: June 15, 2011 - Revision: 2.0
APPLIES TO
  • Microsoft Forefront Threat Management Gateway 2010 Enterprise
  • Microsoft Forefront Threat Management Gateway 2010 Standard
  • Microsoft Forefront Threat Management Gateway 2010 Service Pack 1
Keywords: 
kbexpertiseinter kbbug kbsurveynew kbqfe kbfix KB2518684
