You are currently offline, waiting for your internet to reconnect

Your browser is out-of-date

You need to update your browser to use the site.

Update to the latest version of Internet Explorer

FIX: HTTP connectivity verifiers return unexpected failures in TMG 2010

Symptoms
HTTP connectivity verifiers in Microsoft Forefront Threat Management Gateway 2010 may return failures for websites that are actually available. Therefore, rules that use Web Publishing Load Balancing (WPLB) may be unavailable, because Threat Management Gateway incorrectly assumes that all servers in the web farm are unavailable.

You may also receive frequent "No Connectivity" messages for the verifiers in question. These messages resemble the following:

The connectivity verifier "Name_of_Verifier" reported an error when trying to connect to https://ip_host/uri. Reason: No connection.

The connectivity verifier "Name_of_Verifier" reported an error when trying to connect to https://ip_host/uri. Reason: The request has timed out.

Event IDs 10050 and 21137 are sometimes another indication of this problem.

You can monitor the status of individual connectivity verifiers in the Threat Management Gateway Microsoft Management Console (MMC) by checking the Result column under Connectivity Verifiers on the Monitoring menu.
Cause
This problem may occur if the HTTP connectivity verifier is redirected to a different URL while it's validating the server. Typically, this may occur if one of the following conditions is true:
  • The destination URL is configured to redirect to a different URL. This might be either a completely different URL or a relative path under the configured URL. In this situation, both the server name and URI for the request may be updated.
  • The destination URL has error-handling code that redirects the request to a detailed error page URL.

In this situation, the connectivity verifier URL is updated to the redirected URL and is not refreshed on later requests.
Resolution
To resolve this problem, install Rollup 5 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2.
Workaround
To work around this problem, make a change to the Threat Management Gateway configuration. For example, change the description of the array, and then apply these changes. This will reapply the configuration for the connectivity verifiers.

Note This workaround is temporary, and the original condition that caused the connectivity verifier URL to be updated may recur.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More information
Rollup 5 for Forefront Threat Management Gateway 2010 Service Pack 2 adds support to control how the connectivity verifier handles HTTP redirects. By default, the connectivity verifier will no longer follow redirects, and it will query only the URL that is specified in the connectivity verifier configuration.

Note The following script is required only if you want to change the new default behavior.
  1. Copy the following script to a text file, and save the file as SetConnectivityVerifierHttpRedirectProcessingOptions.vbs:

    'Define the constants needed.Const strVpsGUID = "{143F5698-103B-12D4-FF34-1F34767DEABC}"Const strVpsPropertyName = "ConnectivityVerifierHttpRedirectProcessingOptions"Const Error_FileNotFound = &H80070002Set objArgs = wscript.ArgumentsfInvalidParameterValue = Trueif objArgs.Count > 0 then    uIntParamValue = objArgs(0)    fInvalidParameterValue = (uIntParamValue < 0)end ifif objArgs.Count <> 1 or fInvalidParameterValue then    wscript.echo "Usage: SetConnectivityVerifierHttpRedirectProcessingOptions.vbs <options>"    wscript.echo    wscript.echo "Exactly one nonnegative numeric parameter is accepted"    wscript.Quit 2end ifset objArray = CreateObject("FPC.Root").GetContainingArray()Set objVPSet = OpenVPSet(objArray, strVpsGUID)objVPSet.Value(strVpsPropertyName) = uIntParamValueobjArray.Savefunction OpenVPSet(objParent, strVpsGUID)    Set objVPSets = objParent.VendorParametersSets    On Error Resume Next    Set OpenVPSet = objVPSets.Item(strVpsGUID)    ' Save the Err properties in case it needs to be re-raised    errNumber      = Err.Number    errSource      = Err.Source    errDescription = Err.Description    errHelpFile    = Err.HelpFile    errHelpContext = Err.HelpContext        On Error GoTo 0        if errNumber = Error_FileNotFound Then        Set OpenVPSet = objVPSets.Add(strVpsGUID)    Elseif errNumber < 0 Then        ' An error other than "file not found" occurred -- re-raise the error,        ' this time not under "On Error Resume Next"        Err.Raise errNumber, errSource, errDescription, errHelpFile, errHelpContext    End Ifend function
  2. Select the required behavior from the following list, and then run the command at an administrative command prompt:
    • Option 1: De-activate both features (revert to pre-Rollup 5 functionality)

      cscript.exe SetConnectivityVerifierHttpRedirectProcessingOptions.vbs 0”
    • Option 2: Prevent connectivity verifiers from following HTTP redirects (Default value)

      cscript.exe SetConnectivityVerifierHttpRedirectProcessingOptions.vbs 1
    • Option 3: Renew the connectivity verifier URL every time that a request is sent

      cscript.exe SetConnectivityVerifierHttpRedirectProcessingOptions.vbs 2
    • Option 4: Enable both features from Options 2 and 3

      cscript.exe SetConnectivityVerifierHttpRedirectProcessingOptions.vbs 3
References
Learn about the terminology that Microsoft uses to describe software updates.
Properties

Article ID: 2973749 - Last Review: 06/27/2014 23:18:00 - Revision: 1.0

  • Microsoft Forefront Threat Management Gateway 2010 Enterprise
  • Microsoft Forefront Threat Management Gateway 2010 Standard
  • kbqfe kbfix kbexpertiseinter kbbug kbsurveynew KB2973749
Feedback