I am in the process of migrating from ISA Server 2006 (running on W2K3 R2 SP2) to TMG 2010 SP2 (running on W2K8 R2 SP1). I am trying to do the VPN client access at this point. I was able to configure VPN for dial-up client access (actually connecting via broadband, but they still technically call it a dial-up adapter) and it seemed to be working fantastically! I was surprised it was all too easy. I decided to monitor various points in the internal network with PING tests to ensure connectivity was fine from my external connection to any resources in the LAN/WAN. My VPN client could access everything I tested with low latency and browse the Internet speedily.

After an hour or so, I started getting support calls that the Internet was down and IE was not displaying an error, just a white screen. Sometimes, eventually after very long delays, a web site might load, or the browser might finally time out, showing the browser's time-out error screen, not TMG's error screen. Testing for myself and watching the traffic in the Logs & Monitoring section for the IP address of a test workstation (which I was connecting to from an internal workstation via RDP), I started seeing WSACONNECTIONTIMEOUT for the HTTP Proxy protocol, associated with the Allow Web Access for All Users rule. The very strange thing is that the destination IP was not the internal (LAN) IP address of the NIC in the TMG server, but was the address of the PPP Dial-In Adapter that is invoked when a VPN client connection is made and that derived its IP address via DHCP. I then looked at the RRAS MMC console and noticed that the PPP RAS dial-in adapter was passing inbound and outbound traffic.

The web proxy is configured via a WPAD DNS record and has been in use for some time now, and I verified it points to the FQDN of the internal static IP address of the TMG NIC. But for some reason it is exhibiting this erroneous behavior. I looked at the ISA 2006 server that is currently allowing VPN client sessions and, finding the equivalent location in the RRAS MMC console (they are slightly different between W2K8 R2 (x64) and W2K3 R2 (x86)), I see that the PPP Dial-in Adapter was not passing any data at all even though there were 7 clients connecting via VPN. I found that Rollup 1 for TMG 2010 SP2 is available as a hotfix, but I am reluctant to apply it since it did not address this specific problem. Additionally, I noticed that if I supply the IP address of the internal NIC or the FQDN of the server explicitly to the browser, IE allows end users Internet access as fast as expected without delay. Any help would be appreciated.