Applies To: Forefront Threat Management Gateway 2010 Enterprise, Forefront Threat Management Gateway 2010 Standard

Symptoms

HTTP connectivity verifiers in Microsoft Forefront Threat Management Gateway 2010 may report failures for websites that are actually available. As a result, rules that use Web Publishing Load Balancing (WPLB) may become unavailable, because Threat Management Gateway incorrectly concludes that every server in the web farm is down. You may also receive frequent "No Connectivity" messages for the verifiers in question. These messages resemble the following:

The connectivity verifier "Name_of_Verifier" reported an error when trying to connect to https://ip_host/uri. Reason: No connection.

The connectivity verifier "Name_of_Verifier" reported an error when trying to connect to https://ip_host/uri. Reason: The request has timed out.

Event IDs 10050 and 21137 are sometimes another indication of this problem. You can monitor the status of individual connectivity verifiers in the Threat Management Gateway Microsoft Management Console (MMC) by checking the Result column under Connectivity Verifiers on the Monitoring menu.

Cause

This problem may occur if the HTTP connectivity verifier is redirected to a different URL while it is validating the server. This typically happens when one of the following conditions is true:

  • The destination URL is configured to redirect to a different URL. This might be either a completely different URL or a relative path under the configured URL. In this situation, both the server name and URI for the request may be updated.

  • The destination URL has error-handling code that redirects the request to a detailed error page URL.

In this situation, the connectivity verifier URL is updated to the redirected URL and is not refreshed on later requests.

Resolution

To resolve this problem, install Rollup 5 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2.

Workaround

To work around this problem, make a change to the Threat Management Gateway configuration. For example, change the description of the array, and then apply the change. This reapplies the configuration for the connectivity verifiers.

Note: This workaround is temporary. The original condition that caused the connectivity verifier URL to be updated may recur.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

Rollup 5 for Forefront Threat Management Gateway 2010 Service Pack 2 adds support for controlling how the connectivity verifier handles HTTP redirects. By default, the connectivity verifier no longer follows redirects, and it queries only the URL that is specified in the connectivity verifier configuration.

Note: The following script is required only if you want to change the new default behavior.

  1. Copy the following script to a text file, and save the file as SetConnectivityVerifierHttpRedirectProcessingOptions.vbs:

    ' Define the constants needed.
    Const strVpsGUID = "{143F5698-103B-12D4-FF34-1F34767DEABC}"
    Const strVpsPropertyName = "ConnectivityVerifierHttpRedirectProcessingOptions"
    Const Error_FileNotFound = &H80070002

    ' Validate the command line: exactly one nonnegative numeric argument.
    ' The argument is converted to a number before the comparison, because
    ' VBScript would otherwise compare the string argument to 0 lexically.
    Set objArgs = wscript.Arguments
    fInvalidParameterValue = True
    if objArgs.Count > 0 then
        uIntParamValue = objArgs(0)
        if IsNumeric(uIntParamValue) then
            uIntParamValue = CLng(uIntParamValue)
            fInvalidParameterValue = (uIntParamValue < 0)
        end if
    end if

    if objArgs.Count <> 1 or fInvalidParameterValue then
        wscript.echo "Usage: SetConnectivityVerifierHttpRedirectProcessingOptions.vbs <options>"
        wscript.echo
        wscript.echo "Exactly one nonnegative numeric parameter is accepted"
        wscript.Quit 2
    end if

    ' Open the array that contains this server, write the option into the
    ' vendor parameter set and commit the change.
    set objArray = CreateObject("FPC.Root").GetContainingArray()
    Set objVPSet = OpenVPSet(objArray, strVpsGUID)
    objVPSet.Value(strVpsPropertyName) = uIntParamValue
    objArray.Save

    ' Returns the vendor parameter set with the given GUID, creating it if it
    ' does not exist yet.
    function OpenVPSet(objParent, strVpsGUID)
        Set objVPSets = objParent.VendorParametersSets
        On Error Resume Next
        Set OpenVPSet = objVPSets.Item(strVpsGUID)
        ' Save the Err properties in case it needs to be re-raised
        errNumber      = Err.Number
        errSource      = Err.Source
        errDescription = Err.Description
        errHelpFile    = Err.HelpFile
        errHelpContext = Err.HelpContext
        On Error GoTo 0
        if errNumber = Error_FileNotFound Then
            Set OpenVPSet = objVPSets.Add(strVpsGUID)
        Elseif errNumber < 0 Then
            ' An error other than "file not found" occurred -- re-raise the error,
            ' this time not under "On Error Resume Next"
            Err.Raise errNumber, errSource, errDescription, errHelpFile, errHelpContext
        End If
    end function
  2. Select the required behavior from the following list, and then run the command at an administrative command prompt:

    • Option 1: Deactivate both features (revert to pre-Rollup 5 functionality)

      cscript.exe SetConnectivityVerifierHttpRedirectProcessingOptions.vbs 0

    • Option 2: Prevent connectivity verifiers from following HTTP redirects (Default value)

      cscript.exe SetConnectivityVerifierHttpRedirectProcessingOptions.vbs 1

    • Option 3: Renew the connectivity verifier URL every time that a request is sent

      cscript.exe SetConnectivityVerifierHttpRedirectProcessingOptions.vbs 2

    • Option 4: Enable both features from Options 2 and 3

      cscript.exe SetConnectivityVerifierHttpRedirectProcessingOptions.vbs 3
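To confirm which behavior an array is currently running with, the following VBScript (an added example, not part of the Microsoft rollup or of the script above) reads the value back from the same vendor parameter set and decodes it. It assumes the four documented values are the two features combined as flags (1 = do not follow redirects, 2 = renew the URL on every request), which is how Option 4 (value 3) is described above.

```vbscript
' Added check script: report the current
' ConnectivityVerifierHttpRedirectProcessingOptions value for this array.
Option Explicit

Const strVpsGUID = "{143F5698-103B-12D4-FF34-1F34767DEABC}"
Const strVpsPropertyName = "ConnectivityVerifierHttpRedirectProcessingOptions"
Const Error_FileNotFound = &H80070002

Dim objArray, objVPSets, objVPSet, lngValue, errNumber

Set objArray = CreateObject("FPC.Root").GetContainingArray()
Set objVPSets = objArray.VendorParametersSets

' Look up the vendor parameter set; it only exists once the set script has run.
On Error Resume Next
Set objVPSet = objVPSets.Item(strVpsGUID)
errNumber = Err.Number
On Error GoTo 0

If errNumber = Error_FileNotFound Then
    ' Never configured: the array runs with the Rollup 5 default (value 1).
    WScript.Echo "Vendor parameter set not present; Rollup 5 default (1) applies."
    lngValue = 1
ElseIf errNumber <> 0 Then
    Err.Raise errNumber
Else
    lngValue = CLng(objVPSet.Value(strVpsPropertyName))
End If

WScript.Echo strVpsPropertyName & " = " & lngValue

' Assumed flag reading: bit 1 = Option 2 feature, bit 2 = Option 3 feature.
If (lngValue And 1) = 1 Then
    WScript.Echo "  - Verifiers do NOT follow HTTP redirects (Option 2 feature on)"
Else
    WScript.Echo "  - Verifiers follow HTTP redirects (pre-Rollup 5 behavior)"
End If

If (lngValue And 2) = 2 Then
    WScript.Echo "  - Verifier URL is renewed on every request (Option 3 feature on)"
Else
    WScript.Echo "  - Verifier URL is NOT renewed on every request"
End If
```

Run it with cscript.exe at an administrative command prompt on an array member; a value of 0 means verifiers will again follow redirects and can get stuck on the redirected URL as described in the Cause section.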

References

Learn about the terminology that Microsoft uses to describe software updates.
