FIX: Outgoing request failures may occur when HTTPS Inspection is enabled and web server connection timeouts occur in a Forefront Threat Management Gateway 2010 environment

Symptoms

When HTTPS Inspection is enabled in a Microsoft Forefront Threat Management Gateway (TMG) 2010 environment, some outgoing POST requests may be handled incorrectly without a POST body being sent to the external web server.

For example, consider the following scenario:
  • The client makes an outgoing SSL request to the web server to retrieve a webpage.
  • TMG inspects the traffic and then makes an onward connection to the web server.
  • The request is served to the client, and both the "client to TMG" and "TMG to web server" TCP connections are maintained.
  • A short time later, after the web server connection idle time is reached, the web server times out and closes the "TMG to web server" connection.
  • The closed "TMG to web server" connection is not detected by the TMG server because the connection is currently not being used.
  • The client makes a POST request to the web server by using the existing "client to TMG" connection.
  • TMG receives the request, checks the "TMG to web server" connection, and finds that the connection was closed by the web server.
  • TMG signals a connection closure to the client.
  • 1359 An internal error occurred might be logged in the Web Proxy log.

In this scenario, you expect the client to resend the request over a new connection. However, this does not occur because an Internet Explorer issue is exposed. The Internet Explorer issue is described in the following article in the Microsoft Knowledge Base:
895954 When you use Microsoft Internet Explorer or another program to perform a re-POST operation, only the header data is posted
Note In addition to the POST error, this scenario/issue TK may also cause random "Page Cannot Be Displayed" error messages for GET requests if multiple connections are timed out. This occurs because Internet Explorer retries GET requests only three times. If the three tries are all made on connections that are timed out externally by the web server, request failures may also occur.

Resolution

To resolve this issue, install the software update that is described in the following article in the Microsoft Knowledge Base:
2517957 Software Update 1 Rollup 4 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1
This fix detects that the external connection was timed out by the web server and closes the associated internal client connection. This new behavior avoids the Internet Explorer issue being exposed.

After you install this software update, you must enable the new behavior by running the following script:
Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "EnableHTTPSiConnectionTerminationNotification"
Const SE_VPS_VALUE = true

Sub SetValue()

' Create the root object.
Dim root ' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")

'Declare the other objects needed.
Dim array ' An FPCArray object
Dim VendorSets ' An FPCVendorParametersSets collection
Dim VendorSet ' An FPCVendorParametersSet object

' Obtain references to the array object
' and the network rules collection.
Set array = root.GetContainingArray
Set VendorSets = array.VendorParametersSets

On Error Resume Next
Set VendorSet = VendorSets.Item( SE_VPS_GUID )

If Err.Number <> 0 Then
Err.Clear

' Add the item
Set VendorSet = VendorSets.Add( SE_VPS_GUID )
CheckError
WScript.Echo "New VendorSet added... " & VendorSet.Name

Else
WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
End If

if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

Err.Clear
VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

If Err.Number <> 0 Then
CheckError
Else
VendorSets.Save false, true
CheckError

If Err.Number = 0 Then
WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
End If
End If
Else
WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
End If

End Sub

Sub CheckError()

If Err.Number <> 0 Then
WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
Err.Clear
End If

End Sub

SetValue
Note To revert to the pre-fix behavior, follow these steps:
  1. Locate the following line in the script : 
    Const SE_VPS_VALUE = true
    Change this line to the following:
    Const SE_VPS_VALUE = false
  2. Save the changed script, and then run the script on one of the TMG array members.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Propriétés

ID d'article : 2518684 - Dernière mise à jour : 15 juin 2011 - Révision : 1

Microsoft Forefront Threat Management Gateway 2010 Enterprise, Microsoft Forefront Threat Management Gateway 2010 Standard, Microsoft Forefront Threat Management Gateway 2010 Service Pack 1

Commentaires