Article ID: 2591269 - View products that this article applies to.
Consider the following scenario:
In this scenario, clients may be unable to access the published web server, and it may seem that TMG is failing to establish the TCP connection to the published server. If you capture a network trace from the internal network interface, you may see the following pattern:
SYNWhen this occurs, the TMG node drops the SYN/ACK response from the published web server.
This problem may occur when the TMG server is configured to use both internal and external DNS servers and the To name resolves to the external IP address of TMG. This may cause TMG to build the wrong NLB hook rules and drop the SYN/ACK packets.
The NLB hook rules are created by using only the name in the This rule applies to this published site field and may therefore create the reverse NLB hook rules by using the wrong IP address.
To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:
(http://support.microsoft.com/kb/2555840/ )Description of Service Pack 2 for Microsoft Forefront Threat Management Gateway 2010
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
After Service Pack 2 is installed, TMG uses the name or IP address in the Computer name or IP address (required if the internal site name is different or not resolvable) field if it is configured. Otherwise, it will fallback to the name or IP address in the This rule applies to this published site field. This will make sure that the NLB hook rules are created correctly.
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/824684/ )Description of the standard terminology that is used to describe Microsoft software updates
Article ID: 2591269 - Last Review: October 31, 2011 - Revision: 2.0