
Microsoft small business knowledge base

Article ID: 980674 - Last Review: October 9, 2011 - Revision: 3.0

SYMPTOMS

Consider the following scenario:
  • You configure an Internet Protocol Security (IPsec) VPN site-to-site tunnel or a Point-to-Point Tunneling Protocol (PPTP) VPN site-to-site connection between a Microsoft Forefront Threat Management Gateway (TMG) 2010 multiple-member array deployment and another site, and you can successfully access resources through the tunnel.
  • You enable integrated network load balancing (NLB) on the TMG 2010 array.
  • You try to access resources in another site.
In this scenario, the IPsec tunnel does not work, and you cannot access resources on either side of the tunnel.

Note: The scope of this problem is larger than IPsec site-to-site VPN. The problem that is described here may occur in any array-based TMG 2010 deployment for which integrated NLB is enabled, when NLB WMI events such as node convergence are triggered. Site-to-site VPN that has NLB enabled is the most visible example.

CAUSE

This problem occurs because TMG 2010 incorrectly defines discretionary access control lists (DACLs) for the COM services that are exposed by TMG 2010. These DACLs prevent NLB WMI event notifications from being accepted by TMG services. Therefore, the internal NLB state of TMG is not updated, and subcomponents that depend on the NLB state, such as IPsec filter definitions, are not initialized correctly.

RESOLUTION

Service pack information

This problem is fixed in Forefront TMG 2010 Service Pack 1.

For more information about how to obtain Forefront TMG 2010 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:
981324 (http://support.microsoft.com/kb/981324/) List of problems that are fixed in Forefront Threat Management Gateway 2010 Service Pack 1

Update information

To resolve this problem, follow these steps:
  1. Apply the update for Forefront TMG 2010 that is available from the Microsoft Download Center:

    Download the Update for Forefront TMG 2010 (KB 980674) package now. (http://www.microsoft.com/downloads/details.aspx?FamilyID=af1e8287-072c-45a6-9d8e-37485e482fe2&displaylang=en)

    For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
    119591 (http://support.microsoft.com/kb/119591/) How to obtain Microsoft support files from online services
    Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
  2. Restart the computer that is running Forefront TMG 2010.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Forefront TMG 2010 Service Pack 1.

APPLIES TO
  • Microsoft Forefront Threat Management Gateway 2010 Enterprise
  • Microsoft Forefront Threat Management Gateway 2010 Standard