FIX: Outgoing request failures may occur when HTTPS Inspection is enabled and web server connection timeouts occur in a Forefront Threat Management Gateway 2010 environment

When HTTPS Inspection is enabled in a Microsoft Forefront Threat Management Gateway (TMG) 2010 environment, some outgoing POST requests may be handled incorrectly without a POST body being sent to the external web server.

For example, consider the following scenario:
  • The client makes an outgoing SSL request to the web server to retrieve a webpage.
  • TMG inspects the traffic and then makes an onward connection to the web server.
  • The request is served to the client, and both the "client to TMG" and "TMG to web server" TCP connections are maintained.
  • A short time later, after the web server connection idle time is reached, the web server times out and closes the "TMG to web server" connection.
  • The closed "TMG to web server" connection is not detected by the TMG server because the connection is currently not being used.
  • The client makes a POST request to the web server by using the existing "client to TMG" connection.
  • TMG receives the request, checks the "TMG to web server" connection, and finds that the connection was closed by the web server.
  • TMG signals a connection closure to the client.

In this scenario, you expect the client to resend the request over a new connection. However, this does not occur because an Internet Explorer issue is exposed. The Internet Explorer issue is described in the following article in the Microsoft Knowledge Base:
895954 When you use Microsoft Internet Explorer or another program to perform a re-POST operation, only the header data is posted
Note In addition to the POST error, this scenario/issue TK may also cause random "Page Cannot Be Displayed" error messages for GET requests if multiple connections are timed out. This occurs because Internet Explorer retries GET requests only three times. If the three tries are all made on connections that are timed out externally by the web server, request failures may also occur.
To resolve this issue, install the software update that is described in the following article in the Microsoft Knowledge Base:
2517957 Software Update 1 Rollup 4 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1
This fix detects that the external connection was timed out by the web server and closes the associated internal client connection. This new behavior avoids the Internet Explorer issue being exposed.

After you install this software update, you must enable the new behavior by running the following script:
Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"Const SE_VPS_NAME = "EnableHTTPSiConnectionTerminationNotification"Const SE_VPS_VALUE = trueSub SetValue()  ' Create the root object.  Dim root ' The FPCLib.FPC root object  Set root = CreateObject("FPC.Root")  'Declare the other objects needed.  Dim array ' An FPCArray object  Dim VendorSets ' An FPCVendorParametersSets collection  Dim VendorSet ' An FPCVendorParametersSet object  ' Obtain references to the array object  ' and the network rules collection.  Set array = root.GetContainingArray  Set VendorSets = array.VendorParametersSets  On Error Resume Next  Set VendorSet = VendorSets.Item( SE_VPS_GUID )  If Err.Number <> 0 Then  Err.Clear  ' Add the item  Set VendorSet = VendorSets.Add( SE_VPS_GUID )  CheckError  WScript.Echo "New VendorSet added... " & VendorSet.Name  Else  WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)  End If  if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then  Err.Clear  VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE  If Err.Number <> 0 Then  CheckError  Else  VendorSets.Save false, true  CheckError  If Err.Number = 0 Then  WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"  End If  End If  Else  WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"  End IfEnd SubSub CheckError()  If Err.Number <> 0 Then  WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description  Err.Clear  End IfEnd SubSetValue
Note To revert to the pre-fix behavior, follow these steps:
  1. Locate the following line in the script : 
    Const SE_VPS_VALUE = true
    Change this line to the following:
    Const SE_VPS_VALUE = false
  2. Save the changed script, and then run the script on one of the TMG array members.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

TMG SSL HTTPS Inspection POST request failures

Article ID: 2518684 - Last Review: 06/15/2011 20:39:00 - Revision: 2.0

Microsoft Forefront Threat Management Gateway 2010 Enterprise, Microsoft Forefront Threat Management Gateway 2010 Standard, Microsoft Forefront Threat Management Gateway 2010 Service Pack 1

  • kbexpertiseinter kbbug kbsurveynew kbqfe kbfix KB2518684