An IPsec VPN site-to-site tunnel or a PPTP VPN site-to-site tunnel does not work if you enable integrated NLB on a Forefront TMG 2010 array
Consider the following scenario:
- You configure an Internet Protocol Security (IPsec) VPN site-to-site tunnel or a Point-to-Point Tunneling Protocol (PPTP) VPN site-to-site connection between a Microsoft Forefront Threat Management Gateway (TMG) 2010 multiple-member array deployment and another site. And, you can successfully access resources through the tunnel.
- You enable integrated network load balancing (NLB) on the TMG 2010 array.
- You try to access resources in another site.
Note The scope of this problem is actually larger than IPsec site-to-site VPN. The problem that is described here may occur in any array-based TMG 2010 deployments for which integrated NLB is enabled when NLB WMI events such as node convergence are triggered. Site-to-site VPN that has NLB enabled is the most visible example.
This problem occurs because TMG 2010 incorrectly defines discretionary access control lists (DACLs) for the COM services that are exposed by TMG 2010. These DACLs prevent NLB WMI event notifications from being accepted by TMG services. Therefore, the internal NLB state of TMG is not updated, and subcomponents that depend on the NLB state, such as IPsec filter definitions, are not initialized correctly.
Service pack informationThis problem is fixed in Forefront TMG 2010 Service Pack 1.
For more information about how to obtain Forefront TMG 2010 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:
981324 List of problems that are fixed in Forefront Threat Management Gateway 2010 Service Pack 1
Update informationTo resolve this problem, follow these steps:
- Apply the update for Forefront TMG 2010 that is available from the Microsoft Download Center:
Download the Update for Forefront TMG 2010 (KB 980674) package now.
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:119591 How to obtain Microsoft support files from online servicesMicrosoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
- Restart the computer that is running Forefront TMG 2010.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Forefront TMG 2010 Service Pack 1.
Article ID: 980674 - Last Review: 10/09/2011 16:42:00 - Revision: 3.0
Microsoft Forefront Threat Management Gateway 2010 Enterprise, Microsoft Forefront Threat Management Gateway 2010 Standard
- atdownload kbexpertiseinter kbfix kbsurveynew KB980674