An IPsec VPN site-to-site tunnel or a PPTP VPN site-to-site tunnel does not work if you enable integrated NLB on a Forefront TMG 2010 array

Article translations Article translations
Article ID: 980674 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

Consider the following scenario:
  • You configure an Internet Protocol Security (IPsec) VPN site-to-site tunnel or a Point-to-Point Tunneling Protocol (PPTP) VPN site-to-site connection between a Microsoft Forefront Threat Management Gateway (TMG) 2010 multiple-member array deployment and another site. And, you can successfully access resources through the tunnel.
  • You enable integrated network load balancing (NLB) on the TMG 2010 array.
  • You try to access resources in another site.
In this scenario, the IPsec tunnel does not work, and you cannot access resources on either side of the tunnel.

Note The scope of this problem is actually larger than IPsec site-to-site VPN. The problem that is described here may occur in any array-based TMG 2010 deployments for which integrated NLB is enabled when NLB WMI events such as node convergence are triggered. Site-to-site VPN that has NLB enabled is the most visible example.

CAUSE

This problem occurs because TMG 2010 incorrectly defines discretionary access control lists (DACLs) for the COM services that are exposed by TMG 2010. These DACLs prevent NLB WMI event notifications from being accepted by TMG services. Therefore, the internal NLB state of TMG is not updated, and subcomponents that depend on the NLB state, such as IPsec filter definitions, are not initialized correctly.

RESOLUTION

Service pack information

This problem is fixed in Forefront TMG 2010 Service Pack 1.

For more information about how to obtain Forefront TMG 2010 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:
981324 List of problems that are fixed in Forefront Threat Management Gateway 2010 Service Pack 1

Update information

To resolve this problem, follow these steps:
  1. Apply the update for Forefront TMG 2010 that is available from the Microsoft Download Center:

    Collapse this imageExpand this image
    Download
    Download the Update for Forefront TMG 2010 (KB 980674) package now.

    For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
    119591 How to obtain Microsoft support files from online services
    Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
  2. Restart the computer that is running Forefront TMG 2010.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Forefront TMG 2010 Service Pack 1.

Properties

Article ID: 980674 - Last Review: October 9, 2011 - Revision: 3.0
APPLIES TO
  • Microsoft Forefront Threat Management Gateway 2010 Enterprise
  • Microsoft Forefront Threat Management Gateway 2010 Standard
Keywords: 
atdownload kbexpertiseinter kbfix kbsurveynew KB980674

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com