Microsoft small business knowledge base

Article ID: 2518684 - Last Review: June 15, 2011 - Revision: 2.0


When HTTPS Inspection is enabled in a Microsoft Forefront Threat Management Gateway (TMG) 2010 environment, some outgoing POST requests may be handled incorrectly without a POST body being sent to the external web server.

For example, consider the following scenario:
  • The client makes an outgoing SSL request to the web server to retrieve a webpage.
  • TMG inspects the traffic and then makes an onward connection to the web server.
  • The request is served to the client, and both the "client to TMG" and "TMG to web server" TCP connections are maintained.
  • A short time later, after the web server connection idle time is reached, the web server times out and closes the "TMG to web server" connection.
  • The closed "TMG to web server" connection is not detected by the TMG server because the connection is currently not being used.
  • The client makes a POST request to the web server by using the existing "client to TMG" connection.
  • TMG receives the request, checks the "TMG to web server" connection, and finds that the connection was closed by the web server.
  • TMG signals a connection closure to the client.

In this scenario, you expect the client to resend the request over a new connection. However, this does not occur because an Internet Explorer issue is exposed. The Internet Explorer issue is described in the following article in the Microsoft Knowledge Base:
895954  ( ) When you use Microsoft Internet Explorer or another program to perform a re-POST operation, only the header data is posted
Note In addition to the POST error, this scenario/issue TK may also cause random "Page Cannot Be Displayed" error messages for GET requests if multiple connections are timed out. This occurs because Internet Explorer retries GET requests only three times. If the three tries are all made on connections that are timed out externally by the web server, request failures may also occur.


To resolve this issue, install the software update that is described in the following article in the Microsoft Knowledge Base:
2517957  ( ) Software Update 1 Rollup 4 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1
This fix detects that the external connection was timed out by the web server and closes the associated internal client connection. This new behavior avoids the Internet Explorer issue being exposed.

After you install this software update, you must enable the new behavior by running the following script:
Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "EnableHTTPSiConnectionTerminationNotification"
Const SE_VPS_VALUE = true

Sub SetValue()

  ' Create the root object.
  Dim root ' The FPCLib.FPC root object
  Set root = CreateObject("FPC.Root")

  'Declare the other objects needed.
  Dim array ' An FPCArray object
  Dim VendorSets ' An FPCVendorParametersSets collection
  Dim VendorSet ' An FPCVendorParametersSet object

  ' Obtain references to the array object
  ' and the network rules collection.
  Set array = root.GetContainingArray
  Set VendorSets = array.VendorParametersSets

  On Error Resume Next
  Set VendorSet = VendorSets.Item( SE_VPS_GUID )

  If Err.Number <> 0 Then

  ' Add the item
  Set VendorSet = VendorSets.Add( SE_VPS_GUID )
  WScript.Echo "New VendorSet added... " & VendorSet.Name

  WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
  End If

  if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

  VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

  If Err.Number <> 0 Then
  VendorSets.Save false, true

  If Err.Number = 0 Then
  WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
  End If
  End If
  WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
  End If

End Sub

Sub CheckError()

  If Err.Number <> 0 Then
  WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
  End If

End Sub

Note To revert to the pre-fix behavior, follow these steps:
  1. Locate the following line in the script : 
    Const SE_VPS_VALUE = true
    Change this line to the following:
    Const SE_VPS_VALUE = false
  2. Save the changed script, and then run the script on one of the TMG array members.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684  ( ) Description of the standard terminology that is used to describe Microsoft software updates

  • Microsoft Forefront Threat Management Gateway 2010 Enterprise
  • Microsoft Forefront Threat Management Gateway 2010 Standard
  • Microsoft Forefront Threat Management Gateway 2010 Service Pack 1
kbexpertiseinter kbbug kbsurveynew kbqfe kbfix KB2518684
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support