TMG and Microsoft Forefront TMG Control taking more than 16 minutes to start on Windows 2008 R2


  • Tuesday, March 30, 2010 12:09 AM
     
     

    Hi,

    I am having an obscure problem and was wondering whether anyone can shed some light.  I have a Windows 2008 R2 server deployed in an ESX Cluster in which I have installed TMG with a single adapter.  I was successful in installing TMG, defining the internal network etc, however when I restart the server for the first time after initial configuration, it takes forever (I've left it for approx. 15 minutes) at the "Applying Computer Settings".  It never (well in the 15 minutes I have left it each time) reaches the login screen.

    There obviously seems to be a communication issue with the Domain (domain joined TMG setup) after TMG has been installed.  I've successfully virtualised ISA 2006 a number of times utilising a similar setup, i.e. single adapter configuration and have had no issues.

    So I thought, I would start from scratch, delete the VM, deploy a new server VM and install TMG on top.  Lo and behold, when I come to restart the TMG server after initial installation/configuration, I run into the exact same problem where it doesn't go past the "Applying Computer Settings" screen.

    Anyone out there deploy TMG as a Virtual Guest on ESX 4 vSphere?

All Replies

  • Tuesday, March 30, 2010 7:26 AM
     
     
    Yes, on our vSphere farm I have one TMG NLB cluster and one standalone TMG server up and running. Did you try to start this machine without network connectivity?
  • Tuesday, March 30, 2010 9:01 AM
     
     

    Hi Tomek,

    Thanks for the confirmation.  Starting the server without network connectivity is fine which leads me to believe something isn't right after TMG is installed and the way it communicates with the network.

    Is your configuration using a single NIC?

  • Tuesday, March 30, 2010 10:58 AM
     
     

    Servers in a NLB farm have only one NIC, the standalone one has two. Allow all traffic from TMG to your DC and see if it helps. And check if your DC is included in Internal network.

  • Tuesday, March 30, 2010 11:16 AM
     
     

    DC is def included in the internal network, however I will check that traffic from TMG and DC is open :)

     

  • Tuesday, March 30, 2010 12:40 PM
     
     

    Hi George,

    Is the TMG internal NIC highest in the bind order?

    Have you disabled 'Client for Microsoft Networks' on the external NIC?

    Have you disabled DNS servers on the external NIC?

    This is for ISA, but still valid for TMG:

    http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
  • Tuesday, March 30, 2010 9:12 PM
     
     

    Hi Jason,

    This is a single NIC setup, domain joined TMG config.

    Cheers

  • Wednesday, March 31, 2010 12:06 AM
     
     

    Here is more insight into the issue.  I started up my TMG and this time, was patient and waited for 20 minutes before the Windows logon screen appeared.  The Event log shows GPClient took 1227 seconds to handle the notification, hence the 20 minute delay in "Applying Computer Settings"

    So I then launched Services and noticed that my TMG Firewall / TMG Job Scheduler / and TMG Managed Control services were not started, even though they are set to Automatic.  I was able to successfully start them manually, and voilà! everything regarding TMG is up and running again, until obviously the next server re-boot.

    So the issue here like I mentioned previously seems to be network connectivity at startup in conjunction with the single Domain wide applied GPO.

    I will troubleshoot further and see if I can narrow it down even further and post back.

     

  • Wednesday, March 31, 2010 1:29 AM
     
     

    More info... 

    I'm thinking the issue is around the Microsoft Forefront TMG Control service taking FOREVER to startup... hmmm.

  • Wednesday, March 31, 2010 10:17 PM
     
     

    So I can confirm that the Microsoft Forefront TMG Control is most likely the root cause of the start up issue;

    Anyone seen this issue before?

    Log Name:      System
    Source:        Service Control Manager
    Date:          1/04/2010 3:28:52 AM
    Event ID:      7044
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:     
    Description:
    The following service is taking more than 16 minutes to start and may have stopped responding: Microsoft Forefront TMG Control

    Contact your system administrator or service vendor for approximate startup times for this service.

    If you think this service might be slowing system response or logon time, talk to your system administrator about whether the service should be disabled until the problem is identified.

     

  • Sunday, April 04, 2010 11:00 PM
     
     

    Hi Georges,

    Is DNS resolution to your internal DCs working properly from the TMG?

    Can you try to reboot and log on locally to the TMG Server, and check if all the services are up and running, and if it takes more or less time to finish the logon process?

    regards,


    Charbel Hanna
  • Tuesday, April 06, 2010 12:06 AM
     
     

    There's def no issue communicating with DC's as I have setup an Active Directory Connectivity Verifier post installation.  The issue occurs pre-logon screen, i.e. GP client trying to apply computer settings as opposed to post logon (user settings), so I don't think logging in locally will achieve anything.

    It seems that as soon as TMG is installed, it screws up communication when the machine is starting up.  This is a VM that I have re-built 3 times and have been able to reproduce this issue, post TMG installation and configuration.  After the 16 minute timeout when the machine is starting up, I am able to log into the machine and startup the services manually with success.

    I will most likely now re-build the TMG on a physical box and see whether I can replicate this issue.

  • Tuesday, April 06, 2010 9:57 PM
     
     
    Hi George, any updates? Did you set up a new server or still working on the same VM?
    Charbel Hanna
  • Tuesday, April 06, 2010 10:31 PM
     
     

    Hi Charbel,

    Installed TMG on a physical workstation as a test and this time round the server would startup with all TMG services started.  The GP Client Notification sits at applying computer settings for 2 minutes vs 20 on ESX4 VM.

    I'm not sure why it's taking so long on the VM and obviously timing out (not having issues with any of the other VM's in our cluster)... The only thing I can do is try and play around with different vNIC setups within VMware and potentially update the ESX host with the latest NIC drivers.

  • Wednesday, April 07, 2010 2:06 AM
     
     
    Aaargh.. no luck.. Tried using the E1000 vnic and still having issues with the long startup times and TMG services not started.
  • Friday, April 09, 2010 6:20 AM
     
     

    I don't think this issue is specifically related to VMWare. I've reinstalled a physical box twice with TMG and as soon as it was installed, it caused this exact problem both times.

    I actually left it for more than 2 hours at the "Applying computer settings" screen and it never reached the logon screen.

  • Friday, April 09, 2010 8:21 AM
    Moderator
     
     Answered

    I think it's something related to Windows Server 2008 R2 and not the TMG!

    If you tried Windows Server 2008 SP2, you will not face this problem.

    I have seen this before and people were reporting that once they used 2008 and not R2, they never faced this issue again.


    Tarek Majdalani | MS Forefront Edge Security MVP | http://www.elmajdal.net
  • Friday, April 09, 2010 5:46 PM
    Answerer
     
     
    What kind of group policies are being applied? Can you put TMG in its own OU and make sure no policies are applied?
  • Saturday, April 10, 2010 1:03 AM
     
     

    In my instance, it was being used on a test domain where there were probably about 5 group policy settings in total which had been modified on the entire domain. It could not be a more standard, vanilla group policy setup. I will still try moving it into a different OU however.

    One thing that is perhaps worth mentioning is that the single domain controller is running Server 2003 R2. Is there some requirement that there is a server 2008 or newer domain controller?

    Otherwise I will have to look at opening a PSS case on this issue, we need to know why it won't work.

    It may be also worth mentioning that it is incredibly intermittent. The hang on "applying computer settings" occurs probably every 4 out of 5 boots, the other time it actually does make it to the logon screen.

    What I can't understand though is why it wouldn't eventually time out. The way group policy is implemented in Server 2008 R2 just seems flawed. It lets the system boot with no network connection at all (i.e. cable unplugged), but if it is connected, even if it can't connect to the DC or get/apply the policies for some reason, it just hangs eternally.

  • Saturday, April 10, 2010 1:11 AM
     
     

    ElMajdal / Edward,

    Great to know I am not the only one here... this has been driving me crazy for something so simple. I've toiled for hours each day for the last week trying different things and forced myself to NOT try and install TMG on a Windows 2008 (non R2) due to the fact that it's actually supported on R2!! However, considering I am not the only one who has dealt with this issue, I will build a Windows 2008 SP2 VM and give it a go and report back.

    Keith / ElMajdal, Do you think MSFT can look into this a little more if it's a common issue on R2?

    Keith, The GPO that was being applied at the Domain level affecting the TMG server was WSUS settings.  I even went as far as removing the GPO, placing the TMG in a separate OU which blocked inheritance and ran into the same issue.  The only other GPO being applied is the Default Domain Policy.....

     

     

     

     

     

     

     

     

  • Sunday, April 11, 2010 10:56 PM
     
     

    Hi all,

    I don't think that it's something related to Windows 2008 R2 since I am using TMG EE on Windows 2008 R2 on 2 domain joined physical boxes with NLB and I am not facing the same problem.

    I would like to do your setup, Georges, for testing. Are you using the Standard edition or Enterprise Edition of TMG?


    Charbel Hanna
  • Sunday, April 11, 2010 11:00 PM
     
     

    Hi Charbel,

    Domain/Forest Functional Level is 2008 R2.  I am installing/configuring TMG Standard Edition on a Windows 2008 R2 Enterprise Server with a single NIC, with TMG being domain joined.

    I am actually in the process of installing TMG on a Windows 2008 SP2 server and will relay the results.

    Cheers

  • Monday, April 12, 2010 12:00 AM
     
     

    So I finally got it working!!!!  ElMajdal, you are correct.  As much as I find it hard to believe, however installing TMG on a Windows 2008 SP2 server fixes the 20 minute startup times and failed TMG services on startup.  There is a definite issue with Windows 2008 R2 and TMG.

    This should be addressed by Microsoft!!

  • Monday, April 12, 2010 12:10 AM
     
     

    Hey Tarek,

    Have you raised this with the product group yet?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
  • Monday, April 12, 2010 12:33 AM
     
     
    Just to confirm the setup I am having this issue with is Server 2008 R2 Standard and ForeFront TMG 2010 Standard, not Enterprise. The domain controller is Server 2008 R2, with the domain at that functional level.
  • Monday, April 12, 2010 6:04 PM
    Moderator
     
     

    Hey George,

    Glad that my tip solved your issue :) and thanks for the follow up.

    Seen it before and have seen it again with you as well....


    Tarek Majdalani | MS Forefront Edge Security MVP | http://www.elmajdal.net
  • Monday, April 12, 2010 8:41 PM
     
     
    Thanks Tarek.  I would still like to get TMG working on 08R2.  Can this issue be brought to the Product Team's attention, considering there are multiple cases of the exact same issue.  In my case I was able to replicate it each single time, even after re-building TMG a number of times.
  • Tuesday, April 13, 2010 11:48 AM
    Moderator
     
     

    Hi Jason,

    I'm gonna build a test lab to see if this is gonna happen again.

    Definitely will contact Product Group.


    Tarek Majdalani | MS Forefront Edge Security MVP | http://www.elmajdal.net
  • Tuesday, April 13, 2010 1:04 PM
     
     

    I've just discovered that the problem is not just during bootup. I left the server to run for approx 3 days, and it just randomly lost all network connectivity on the internal interface. It was accessible from the Internet side but not from the LAN.

    This prevented it from even being unlocked (I presume due to it trying to verify the credentials with Active Directory, and getting stuck again), then on reboot it once again hung at the Applying Computer Settings screen. Another reboot and it worked - but who knows for how long.

    ForeFront TMG seems to be just flat out unstable on Server 2008 R2.

  • Wednesday, April 21, 2010 8:53 PM
     
     

    New user here and I just ran into this exact problem. Running on 2008 R2 and TMG 2010 on a VM, but my setup is much simpler since it's in a WORKGROUP on a DMZ, single adapter, single IP-address and I don't even have a DNS-server specified.

    It has worked fine for a month or so, but I decided to run the SCW (Security Configuration Wizard) after adding the TMG policy from TMG 2010 Tools and SDK.

    So the policy definitely screwed something up here so I'm trying to figure out exactly what it is and maybe it's the same setting you apply with GPO?

    Reboot takes just a few seconds and I can login on the console (not via RDP) but then I get to a "blue" desktop and it seems to wait for ages (20+ mins) but after that it acts normal but the TMG services were not automatically started, but I can start the TMG services manually quite fast.

    • Edited by jbb1234 Wednesday, April 21, 2010 9:37 PM
  • Wednesday, April 21, 2010 8:58 PM
     
     

    I've given up on TMG and 08R2 for the time being until the issue is looked at by MSFT and have TMG running nicely on Windows 2008 SP2.  No issues and I have migrated all of my previous ISA rules.  It's been up and running for 2 weeks now without missing a beat and I have re-booted a couple of times since then.

     

     

  • Wednesday, April 21, 2010 9:06 PM
     
     
    Thanks for the quick answer. I'll spend some time figuring out the reason in my lab and see where that leads us. I wonder if anyone did report this back to Microsoft?
  • Wednesday, April 21, 2010 9:14 PM
     
     

    Except for the following:
    The following service is taking more than 16 minutes to start and may have stopped responding: Microsoft Forefront TMG Control
    I also get:
    The following service is taking more than 16 minutes to start and may have stopped responding: SQL Server Reporting Services  (ISARS)

    Simply putting TMG* services into manual and then reboot made sure the server boots and desktop available in a few seconds. I do get that SQL Server Reporting Service (ISARS) hung on starting in the event log but after a few seconds it's in running state. Several reboots and it's working.

    But as soon as I put TMG Control in Automatic mode instead, the boot takes ~20 mins.

    I hope MS still monitor this thread.

     

    • Edited by jbb1234 Wednesday, April 21, 2010 9:36 PM Added info
  • Wednesday, April 21, 2010 9:40 PM
     
     
    I hope so too, there are a number of us now reporting the exact same issue!  Once it is resolved or a fix issued, I will just rebuild TMG on 08 R2 and export/import my rules....  I have spent too many days trying to get this work on 08 R2 :(
  • Wednesday, April 21, 2010 10:21 PM
     
     

    I think I've found a workaround that works for me anyway.

    When I put all the TMG services (except TMG Storage) in Manual, the server booted fast and I could login. And THEN starting the TMG services manually went pretty fast. So I figured that TMG must have run into the problem trying to start before something else had to start.

    So I tried setting all the services in Automatic (Delayed Start) and actually, it's working much better! Sure, TMG takes a few minutes longer to start, but better than the 20 minutes I had to wait for login before.

    Maybe you tried this too?

  • Thursday, April 22, 2010 12:17 AM
     
     

    Just in regards to the question about reporting this to Microsoft, I currently have a PSS case open about this at the moment.

    Frustratingly, however, the problem seemed to resolve itself when I opened the case. I was able to successfully reboot the system about 10 times without delay, without changing anything. I am waiting to see if I can reproduce it again before closing the case with PSS.

    Their main suggestion so far has been to follow the instructions in this KB article:

    http://support.microsoft.com/default.aspx?scid=kb;en-US;2004121

    As mentioned I haven't yet done this because I wanted to make sure the problem was actually still occurring. Perhaps someone else who has a more reproducible setup at the moment could try this and see if it makes any difference?

  • Thursday, April 29, 2010 6:17 AM
     
     

    @jbb1234

    Your workaround's worked for me. After setting Startup Type for all TMG services (except TMG Storage) to Automatic (Delayed Start), I could log on 4 minutes after restart and all services were up and running in next 2 minutes. From 22 to 6 minutes is not bad, but I would like to see official Microsoft solution for this problem.


    Aleksandar Nikolić http://powershellers.blogspot.com http://twitter.com/alexandair
  • Friday, May 14, 2010 10:29 AM
     
     

    I am also experiencing the same issue.

    Using Server 2008R2 in a workgroup from a fresh install with TMG 2010 Standard in a two network Edge network style.

    Able to log on from the console and see that "SQL Server Reporting Service (ISARS)" and "Forefront TMG control" services are stuck in "Starting"

    Additionally the "Network and Sharing Center" config is unresponsive.

    Trying the delayed start workaround to see if I can avoid having to reimage the server with 2008 SP2.

    What a bummer!

  • Friday, May 14, 2010 10:37 AM
     
     

    That's interesting that you're finding the "SQL Server Reporting Service (ISARS)" and "Forefront TMG control" services are getting stuck starting.

    The service that gets stuck on mine is the "Windows Remote Management (WS-Management)" service. I'm thinking this is either some timing issue in Server 2008, or there are potentially two separate issues here.

  • Friday, May 14, 2010 10:51 AM
     
     

    OK - so with the following services in "Automatic (Delayed Start)" the machine boots normally.

    Microsoft Forefront TMG Control
    Microsoft Forefront TMG Firewall
    Microsoft Forefront TMG Job Scheduler
    Microsoft Forefront TMG Managed Control

    When I go to services, I can see that  "SQL Server Reporting Service (ISARS)" service has started without incident.

    Network and Sharing center is responsive as expected.

    Approx 2 mins after boot Microsoft Forefront TMG Control starts followed by the remaining TMG services.

    Looks like Microsoft Forefront TMG Control is unhappy with something and it's causing a problem for "SQL Server Reporting Service (ISARS)"

    What a pain - but it looks like I can avoid a full rebuild for now.
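
    The delayed-start workaround described in the posts above, as an added example that is not part of the original thread: it reports the start mode of the TMG services (excluding Storage), lists recent Event ID 7044 warnings, and, only when run with -Apply, switches Automatic services to Automatic (Delayed Start). The display-name pattern comes from the service names quoted in the thread; the function names are hypothetical, and it assumes an elevated PowerShell 2.0 prompt on the TMG server.

```powershell
# Added example, not code from the thread. Run elevated on the TMG server.
#   .\Set-TmgDelayedStart.ps1          -> report only
#   .\Set-TmgDelayedStart.ps1 -Apply   -> report, change, report again
param(
    [switch]$Apply
)

# Display names as quoted in the thread ("Microsoft Forefront TMG Control", ...).
$DisplayPattern = 'Microsoft Forefront TMG*'

function Get-TmgStartupState {
    # One object per TMG service except TMG Storage, which the thread leaves alone.
    Get-Service -DisplayName $DisplayPattern |
        Where-Object { $_.DisplayName -notlike '*Storage*' } |
        ForEach-Object {
            $name = $_.Name
            $wmi  = Get-WmiObject Win32_Service -Filter "Name='$name'"
            # Windows records "Delayed Start" as DelayedAutostart=1 under the service key.
            $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
            $flag = (Get-ItemProperty -Path $key -Name DelayedAutostart `
                        -ErrorAction SilentlyContinue).DelayedAutostart
            New-Object PSObject -Property @{
                Name        = $name
                DisplayName = $_.DisplayName
                StartMode   = $wmi.StartMode      # Auto / Manual / Disabled
                Delayed     = ($flag -eq 1)
                Status      = $_.Status
            }
        }
}

function Get-SlowStartEvent {
    # Event ID 7044 from Service Control Manager is the
    # "taking more than 16 minutes to start" warning quoted in the thread.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7044
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Set-TmgDelayedStart {
    # Only touches services that are currently Automatic and not yet delayed,
    # so anything deliberately set to Manual or Disabled is left as it is.
    foreach ($svc in (Get-TmgStartupState)) {
        if ($svc.StartMode -ne 'Auto' -or $svc.Delayed) { continue }
        # PowerShell 2.0 Set-Service has no delayed-start option, so call sc.exe.
        # "start=" and "delayed-auto" must be passed as two separate arguments.
        & sc.exe config $svc.Name start= delayed-auto | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "sc.exe failed for $($svc.Name) (exit code $LASTEXITCODE)"
        } else {
            Write-Output "Set $($svc.Name) to Automatic (Delayed Start)"
        }
    }
}

'--- Current TMG service start modes ---'
Get-TmgStartupState |
    Format-Table Name, DisplayName, StartMode, Delayed, Status -AutoSize

'--- Event ID 7044 in the last 7 days ---'
Get-SlowStartEvent | Format-List

if ($Apply) {
    Set-TmgDelayedStart
    '--- Start modes after the change ---'
    Get-TmgStartupState |
        Format-Table Name, DisplayName, StartMode, Delayed, Status -AutoSize
}
```

    To undo the change for one service, run sc.exe config with start= auto against the same service name.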

  • Friday, May 14, 2010 10:55 AM
     
     

    I've been able to replicate this issue each time.  At the end I gave up and installed TMG on Windows 2008 SP2 which has been running quite nicely now with pretty much a zero delay in starting the services up.  Figured if I needed to change startup delay of my services then something is seriously wrong with R2.

    Until Microsoft come out with a clear fix or workaround, TMG will live happily on 2008 SP2 :-)


    Blog: http://sharepointgeorge.com Twitter: http://twitter.com/georgekhalil
  • Tuesday, May 18, 2010 8:52 AM
     
     

    Hi Edward,

    I have replicated this issue on a physical server. Attempting the resolution in http://support.microsoft.com/default.aspx?scid=kb;en-US;2004121 did not solve the problem, although the verification steps do indicate a lock on the Service Control Manager database.

    QueryServiceLockstatus - Success
    IsLocked : True
    LockOwner : .\NT Service Control Manager
    LockDuration : 1090 (seconds since acquired)

    I have since used the workaround of delaying the Automatic Startup to get Microsoft Forefront TMG working.

    Any replies from PSS or the ForeFront Product Team?

     

    Warren

  • Tuesday, May 18, 2010 1:58 PM
     
     

    Just retried my set up with Windows 2008 SP2 (non R2) and got the same odd behaviour.

    So now just using the delayed start workaround.

  • Tuesday, May 18, 2010 6:07 PM
     
     

    Similar issue here.  Virtual system running R2 with Direct Access installed.  Followed directions to overlay TMG on the direct access server.  Before TMG it runs great.  After TMG installed, TMG firewall services will not start automatically on reboot which basically locks down the machine.

    First error in event log is:  The Telephony service hung on starting.

    Then: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
    After starting, the service hung in a start-pending state.

    TMG services depend on the two above, so they don't start.

    I've rebuilt it more times than you can shake a stick at... with same results.

  • Friday, May 21, 2010 6:28 AM
     
     Proposed

    Please check service dependencies:

    1) Navigate to HKLM\CurrentControlSet\Services\HTTP and create the following Multi-string value as below

    DependOnService and enter CRYPTSVC in the Value Data field and click OK

     

    2) sc config isactrl depend= RasMan/SSTPSVC/FwEng/ISASTG/bfe/mpssvc/HTTP

    This setup fixes the Windows 2008 R2 + TMG 2010 startup delay.

    P.S. I have a very long server hang-up delay when I lose the HTTP service dependency from the isactrl depend. list.

    • Proposed As Answer by Anton Karpenko Wednesday, August 25, 2010 8:38 AM
  • Wednesday, May 26, 2010 10:26 AM
     
     

    Hi,

    I just installed Microsoft TMG 2010 on top of Windows Server 2008 with SP2 with all the critical and security updates installed to date. So far everything is fine. Hardware Specification ML 350 G4 with single CPU and 4 RAM.

    When I installed TMG it is OK till the setup finishes. Once setup is over and I click OK, it directly throws the BSOD. So I restarted the Server but again with the same BSOD error fwpkclnt.sys.

    I tried this installation twice with fresh OS setup but no change in the result. Just to inform you that in Safe Mode it is booting well. After many restart attempts it started successfully only once. Most of the time it fails at the time of the bootup or at the screen " with BSOD.

    I would appreciate it if someone can tell me the most likely cause of the problem and the workaround.

    Thank you.

    Mukhtar

     

     

  • Friday, June 11, 2010 9:06 AM
     
     

    One more: I'm experiencing the same issue.

    Just in case the number of people affected makes any difference to the priority in PSS.

    2008 R2 server, TMG Services and SQL Server Reporting Services (ISARS) don't start at Windows startup, not even after 20 minutes.

    When setting the above mentioned TMG Services to Automatic Delayed Start, all services start - although with about 5-7 minutes delay.

    I will also try to open a PSS case.

  • Thursday, June 17, 2010 3:51 PM
     
     

    I have similar issues on 2008 R2. I have TMG Ent with 2 nic's one internal and external. After system reboots I get no Internet access for 15-20 minutes and the issue goes away. All services show as started, delayed start didn’t fix the problem. I can either disable and re-enable the NIC’s or restart the TMG services to resolve the issue or wait 15 – 20 minutes. This is intermittent and reproducible after OS rebuild.

    I loaded 2008 SP2 and have not encountered the issue again.

  • Monday, June 28, 2010 8:15 PM
     
     

    The problem is caused by not having proper configuration in system rules regarding AD connectivity. Check that in system rules you have enabled connectivity to domain controllers in site that TMG is covering, and the problem should vanish.

    TMG is using system rules to try to connect to AD, and get GPO settings. If it cannot, it waits 16 minutes for timeout, and then starts with cached credentials.

  • Monday, June 28, 2010 8:31 PM
     
     

    While having the problem in R2 I backed up all of my settings. I then rebuilt to 08 SP2 and imported the configuration and all my problems were gone. In my case at least something else was going on other than the rules.

  • Monday, June 28, 2010 8:42 PM
     
     

    I can confirm it's definitely not a rule issue and as I mentioned earlier in the post, the same configuration worked a charm with 08SP2.  The issue is around the services starting.

    Haven't reverted back to 08 R2 and I'm not sure whether SP1 has resolved the issue either.


    Blog: http://sharepointgeorge.com Twitter: http://twitter.com/georgekhalil
  • Monday, June 28, 2010 8:42 PM
     
     

    I would have to agree with TechGuy18, I can't personally claim that I have tested the same Forefront configuration on 2008 R2 and SP2, but this setting was the absolute first thing I checked when I had this problem and I have re-visited it numerous times. In my case, Internal and Local host are allowed in Active Directory, and Enforce Strict RPC compliance is not checked. It is the same configuration that has worked for me for years with ISA 2006 on 2003 and was imported from that.

    Krzystof Pietrzak_peki, if the solution is so simple, could you please enlighten us as to how this is set up, preferably with actual examples of the exact configuration pages and site(s) that are enabled?

  • Tuesday, July 13, 2010 12:26 AM
     
     

    I'm running TMG SP1 on Windows 2008 R2 and am having the same problem.

    There is a 16 minutes delay for TMG to start working.

    But I can login just fine to the server. It's just that Network and Sharing Center hangs, the network icon has that round icon (the one used for searching network) stalled, and everything that requires auth just doesn't work.

    After the 16 minutes I can use both auth and the TMG just fine.

    I only noticed this problem after applying SP1. I'm not sure if it is related or not.

    Following the "delayed start" workaround makes the Network Sharing Center work just after I login, and the network icon on tray shows good connectivity (no more stalled circle). TMG now takes 3-4 minutes to start working.

     

    • Edited by ricdgr Tuesday, July 13, 2010 12:32 AM
  • Tuesday, July 13, 2010 12:32 AM
     
     

    @ricdqr - That's a bummer, I was hoping that SP1 was going to fix the problem. Do you have an array or just a single server? Either way, after you reboot and are waiting for the services to start, can you browse the internet on the local TMG box? (remove the proxy settings from your browser) That was my problem, it took 15 - 20 mins before I could access the internet locally on my TMG boxes, once I went back to 2008 SP2 instead of R2 all of my problems went away. I have yet to install SP1 for TMG as I was looking for results from others with any issues or breaks on  - Server 08 SP2

  • Tuesday, July 13, 2010 1:02 AM
     
     

    I'm running a single-box TMG standard.

    I can't do mostly anything, because the TMG server just stays unusable until all the services are running.

    But I know I can resolve names, so at least DNS is working fine.

    Proxy works. My internal computers can browse the internet through the TMG. Auth on reverse proxy doesn't work. I can see the TMG Exchange form, but I can't login to Exchange for example.

    I'm allowing Active Directory for TMG on System Policy btw.

    It seems to be enough to only make the "Microsoft Forefront TMG Managed Control" delayed start. Then TMG will boot in ~3 minutes. Maybe adding a dependency for Microsoft Forefront TMG Managed Control to wait for Microsoft Forefront TMG Firewall speeds this up a little bit more.

     

     

     

  • Friday, July 23, 2010 12:16 PM
     
     

    I have just installed Win 2008 R2 (and patched up to date) on a physical DELL R200 dual homed (one for the internal network, one for the external) and then installed TMG 2010 Standard + SP1. We were not importing old ISA 2006 configurations nor weird things. We just created the rules to allow full network connectivity between localhost <-> internal and we can confirm this issue is still happening in TMG 2010 SP1. In my case 'applying computer settings' lasts for 8:15 minutes and then everything seems to work OK (all services started, they took their time but no trace of 'service failed to start' messages).

    In our case, in the Event Log we can see event 1014 DNS Client Events stating that 'Name resolution for the name _ldap._tcp.dc._msdcs.MYDOMAIN.COM timed out after none of the configured DNS servers responded'.

    I can confirm that DNS is correctly configured with internal DNS servers in the internal NIC (none configured for the external) and that they work perfectly AFTER the TMG server has finished restarting.

    It seems TMG is blocking itself from accessing the internal network during the first stages of the reboot only, and thus, it is not able to reach the domain controllers to apply the configuration.

  • Friday, July 23, 2010 5:34 PM
     
     

    Ditto for me.  (forever to startup)

    • Win 2k8R2
    • TMG 2010 SP1
    • FPE 2010 RU1
    • Exchange Edge Transport 2010 RU4
    • ESX VM w/ 2 CPU, 8GB RAM


    Mike Crowley
    Check out My Blog!

  • Friday, July 23, 2010 7:49 PM
     
     
    Try disconnecting network cables during startup. If the startup time is considerably faster, then the problem is in System Rules.
  • Friday, July 23, 2010 8:26 PM
     
     

    I came across this problem when I was deploying TMG at a client site. Until I ran SCW, everything was working well. Then I fired SCW, and the problem started.

    I've checked many things, and then, while waiting for "Applying Computer Settings", I disconnected the network cables from the servers. And it helped - so the problem is with the name resolution, or AD access. I've started all services previously disabled by SCW, and still nothing. Then I've manually added anywhere to DNS and AD tab, and it started working.

     

    Recently, I had a similar problem at another client's TMG. Then, rolling back SCW policy just solved the problem. I've also noted that disabling IPv6 on TMG interfaces, together with stopping IPv6 related services, has made TMG unstable.

     

     

  • Saturday, July 24, 2010 2:16 PM
     
     
    Try disconnecting network cables during startup. If the startup time is considerably faster, then the problem is in System Rules.

    As it is a VM there are no network cables.  But setting the abovementioned service to delayed start helped.

    Mike Crowley
    Check out My Blog!

  • Saturday, July 24, 2010 2:17 PM
     
     
    Interesting about the IPv6.  I do have it disabled via the disabledcomponents registry key.  I wonder if this has any impact.

    Mike Crowley
    Check out My Blog!

  • Tuesday, July 27, 2010 12:19 PM
     
     
    2008R2 and TMG SP1 clean install, same issue. Takes 20 mins at the applying computer settings screen. On top of that, having problems joining an EMS managed array. Not sure if that is related or not. Gonna try 2008 SP2.
  • Tuesday, July 27, 2010 9:01 PM
     
     

    I just installed SP1 on my 2008 SP2 test boxes. Some of the services that started within 2 - 3 minutes are now taking longer now that the service pack is installed. Standalone Array, server 1 is the storage configuration server.

    Array Server 1 - TMG Managed Control - 8 - 10 mins

    Array Server 2 - TMG Job Scheduler - 8 - 10 Mins

    Array Server 2 - TMG Managed Control 8 - 10 mins

    The servers are still passing Internet traffic as they did without SP1, but these 3 services now take a while longer to start. There does not seem to be a negative impact with my needs, but did notice the change. Anyone else done much testing with SP1?

  • Thursday, July 29, 2010 4:03 AM
    Answerer
     
     

    We saw some issues with the Managed Control service. Can you try to set the Microsoft Forefront TMG Managed Control service to delayed start?

    If that does not help, call support and open a case; we may be able to offer a private fix until the next rollup is released.

     


    Bala Natarajan [MSFT]| Sr. Support Escalation Engineer | CSS Security
  • Friday, July 30, 2010 10:08 AM
     
     

    I've finally been able to reduce the reboot time to 4min 45sec (including shutdown, BIOS and BMC checks, and Windows start) on my DELL R200 with W2K8R2 + TMG2K10SP1 by making the following changes:

    • Update Broadcom Advanced Control Suite 3 (BACS3) (BASP_BACS_Mgnt_apps_x86_64-12.64.01) and network drivers (Broadcom win_vista_2k8_x64-14.0.0.7a) directly from the manufacturer (http://www.broadcom.com/support/ethernet_nic/netxtreme_server.php) instead of those provided by DELL.
    • Set the following 3 services to Automatic (Delayed Start): IsaManagedCtrl, isasched, ReportServer$ISARS
    • Disabling IPv6 from the external interface.
    • Setting binding order for the internal interface to be the first, the external to be the second one.
    • Setting internal DNS servers (serving private IPs) both in the external and external interfaces.

    I hope this might be of help for someone. Regards.

    PS: The only 'wrong' configuration (in theory) that I am using right now is the internal interface being the first in binding order. I have to give it a try and set it back to second place and see what happens. However, by now, the former config works OK for me.

  • Monday, August 02, 2010 12:57 PM
     
     Proposed

    I have just changed the binding order back to the suggested configuration (external adapter first) and I have also left DNS servers blank for the external interface. A reboot (until remote desktop login was available) has taken also 4min 50sec. So, my most probable solution reads:

    • Update your network drivers.
    • Set to automatic (delayed start) the services IsaManagedCtrl, isasched and ReportServer$ISARS
    • Disable IPv6 for the external interface

    Regards.

    • Proposed As Answer by Anton Karpenko Wednesday, August 25, 2010 8:38 AM
  • Monday, August 02, 2010 2:54 PM
     
     

    @Bala - delayed start seemed to work on the configuration storage server for the first reboots. I have rebooted it again this morning and I am back to the best start time of 5 minutes for the service to start. The second server had no change on service start times with or without the delayed start.

    When will MS be posting a KB and/or hotfix for this issue?

  • Monday, August 02, 2010 3:43 PM
     
     
    Internal Adapter should be first,...not the External.
     

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    "J.A. García Barceló" wrote in message news:dee6d997-13de-4ce9-bd5c-b6dc5b7256f4...

    I have just changed the binding order back to the suggested configuration (external adapter first) and I have also left DNS servers blank for the external interface. A reboot (until remote desktop login was available) has taken also 4min 50sec. So, my most probable solution reads:

    • Update your network drivers.
    • Set to automatic (delayed start) the services IsaManagedCtrl, isasched and ReportServer$ISARS
    • Disable IPv6 for the external interface

    Regards.

  • Monday, August 16, 2010 10:24 AM
     
     

    I don't use DNS and am using 1 NIC, so several of the last solutions don't help for me.

    Any news from whoever logged the case with Microsoft? What do they have to say about the issue?


    --------------------------------------------------------- Windows Intune Blog - http://www.intuneblog.com
  • Wednesday, August 25, 2010 4:28 PM
     
     

    I'm experiencing the same issue with my forefront tmg 2010 server. I've successfully installed forefront tmg 2010 on windows 2008 r2 on a physical machine as well as a virtual machine on a server running 2008 r2 hyper-v. Both installations have no issues. However, I've installed windows 2008 R2 with forefront TMG 2010 on an ESX  4.1 host and I'm experiencing this delayed startup. I rebuilt the VM with windows 2008 R2 and was able to reboot with no issues. It was only after installing TMG 2010 that the problem began.

    Any Suggestions?

  • Friday, August 27, 2010 2:03 PM
     
     

    Hey,

    I am experiencing the same problem but not with TMG alone but with Forefront UAG which requires and automatically installs TMG.

    After having installed UAG everything basically works fine on Windows 2008 Standard R2, but this setup means I'm not running the latest UAG update and TMG Service Pack. The release notes for TMG Service Pack 1 specify that it is advised to also install this Service Pack on a server running UAG. After applying the Service Pack I had the same problems as mentioned by everyone in this thread, and although the UAG is protected by another external firewall, I'm not comfortable having the machine partially exposed because the TMG Firewall service starts a while later (Delayed Start configuration).

    I have followed the steps Voljka posted and that partially solved my problem however one service hung on Starting and the other service for UAG did not start although set to automatic.

    Therefore I have executed the following steps and this solved my problem completely.

    1: Created a multi-string value named DependOnService below HKLM\CurrentControlSet\Services\HTTP and added CRYPTSVC in the Value Data field.

    2: Executed sc config isactrl depend= RasMan/SSTPSVC/FwEng/ISASTG/bfe/mpssvc/HTTP from an Elevated Command Prompt

    3: Set the Microsoft Forefront TMG Managed Control service to Automatic (Delayed Start)

    4: Set the Microsoft Forefront UAG Monitoring Manager to Automatic (Delayed Start)

    So I would like to thank Voljka for his information that helped me partially solve my problem and I hope others can benefit from the rest I have added.
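
The start-mode and dependency changes listed in the post above can be verified with a read-only audit before and after each reboot test. This is an added example, not part of the original post or of any Microsoft tooling; it uses the service names quoted in this thread and assumes the standard service configuration key HKLM\SYSTEM\CurrentControlSet\Services.

```powershell
# Added example (not from the original thread): read-only audit of the
# startup workarounds discussed above. Written for Windows PowerShell 2.0,
# which ships with Windows Server 2008 R2.

# Service names exactly as quoted in the posts. A name that is missing on a
# given server (no reporting instance, for example) is shown as NotInstalled.
$names = 'isactrl', 'IsaManagedCtrl', 'isasched', 'ReportServer$ISARS', 'HTTP'

function Get-StartupAudit {
    param([string[]]$ServiceName)
    foreach ($n in $ServiceName) {
        # The Service Control Manager keeps per-service settings under this key.
        $key = Join-Path 'HKLM:\SYSTEM\CurrentControlSet\Services' $n
        if (-not (Test-Path -Path $key)) {
            New-Object PSObject -Property @{
                Service = $n; StartMode = 'NotInstalled'; DependsOn = ''
            }
            continue
        }
        $p = Get-ItemProperty -Path $key
        $mode = switch ($p.Start) {
            0 { 'Boot' }
            1 { 'System' }
            2 { 'Automatic' }
            3 { 'Manual' }
            4 { 'Disabled' }
            default { 'Unknown' }
        }
        # Delayed start is Start = 2 plus DelayedAutostart = 1.
        if ($p.Start -eq 2 -and $p.DelayedAutostart -eq 1) {
            $mode = 'Automatic (Delayed Start)'
        }
        New-Object PSObject -Property @{
            Service   = $n
            StartMode = $mode
            DependsOn = ($p.DependOnService -join ', ')  # REG_MULTI_SZ list
        }
    }
}

Get-StartupAudit -ServiceName $names |
    Select-Object Service, StartMode, DependsOn |
    Format-Table -AutoSize

# To change a start mode from PowerShell, call sc.exe by its full name:
# "sc" alone is an alias for Set-Content.
#   sc.exe config IsaManagedCtrl start= delayed-auto   # workaround
#   sc.exe config IsaManagedCtrl start= auto           # revert (assumes the original mode was Automatic)
```

Saving the output before applying a workaround gives a record to revert to once a fix is installed, which matters for the exposure concern raised in the post: any service left on delayed start comes up later in the boot sequence.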

  • Friday, September 03, 2010 6:12 PM
     
     
    We're facing the same problem here running Windows Server 2008 SP2: the TMG Managed service is taking up to 10 minutes to start. By using the Automatic Delay workaround it takes 5 minutes; this is still not acceptable for us. We are running TMG on a physical server with SP1 installed. I will run some more tests.
  • Tuesday, September 07, 2010 6:09 PM
     
     

    Same problem here with Windows Server 2008 R2 and TMG SP1 (standalone array with 2 members).
    TMG takes about 15 minutes to start; by using the Automatic Delay workaround it takes 5 minutes, but then of course not all services are started.

    Another question: with a standalone array (with 2 members), do the SQL Server (ISARS) and SQL Reporting Services (ISARS) run on both TMG servers or on only 1 server?

  • Tuesday, September 21, 2010 10:03 PM
    Moderator
     
     Proposed

    Hi All,

    Software Update 1 for Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 1 is available now for download, check it here : http://www.microsoft.com/downloads/en/details.aspx?FamilyID=695d0709-0d8b-45ee-afdb-727c4428ca4d

    Hopefully this would fix the issue .... Apply it and report back.


    Tarek Majdalani | MS Forefront Edge Security MVP | http://www.elmajdal.net
    • Proposed As Answer by TechGuy18 Wednesday, September 22, 2010 3:48 PM
  • Wednesday, September 22, 2010 3:48 PM
     
     

    I just installed this patch on my test servers, by the time I login and open the console the Managed Control Service is up and running!!! During installation the services are stopped, however a reboot is not required. I of course rebooted to see if the managed control issue was fixed.

    Has anyone else tested this yet?

  • Wednesday, September 22, 2010 11:48 PM
     
     

    I just installed this patch on my test servers, by the time I login and open the console the Managed Control Service is up and running!!! During installation the services are stopped, however a reboot is not required. I of course rebooted to see if the managed control issue was fixed.

    Has anyone else tested this yet?


    Yes I have and it works fine.
    http://social.technet.microsoft.com/Forums/en-US/Forefrontedgesetup/thread/c7606ead-5957-4ef8-a4e9-e5aa85493581

    Cheers

     

  • Thursday, September 23, 2010 10:00 PM
     
     

    Tried this patch and still experiencing delays with this same issue.

    Interestingly enough I have two 2008 R2 Servers, one does not experience this issue at all but is giving a Reporting Services Configuration error.

    The second one takes less time with the patch, but is still much longer than the first.

    Not sure what to make of the difference.

  • Friday, September 24, 2010 12:24 AM
     
     

    I just installed this patch on my test servers, by the time I login and open the console the Managed Control Service is up and running!!! During installation the services are stopped, however a reboot is not required. I of course rebooted to see if the managed control issue was fixed.

    Has anyone else tested this yet?


    I should have added I am running Windows 2008 SP2. I had problems with R2 as many others reported and went back to SP2.
  • Monday, October 25, 2010 4:46 PM
     
     

    Nope, we are running with SU1 installed and still having the mentioned problems. Just as mentioned, Firewall Control hung together with the Report Service. I am going to try the Delayed Start resolution.

     

    ondrej.

     

  • Saturday, October 30, 2010 3:57 PM
     
     

    Regarding the bind order, I sure am confused at this point

    Internal
    External

    Or

    External
    Internal

    Doc


  • Sunday, October 31, 2010 9:16 AM
    Moderator
     
     
    Hi, Internal and then External. Check a complete guide here by Jason Jones : http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html
    Tarek Majdalani | MS Forefront Edge Security MVP | http://www.elmajdal.net
  • Sunday, October 31, 2010 1:48 PM
     
     

    I have read that, and there are both suggestions in this thread.

    Where is the Microsoft document on what it should be?  And, not just a Microsoft statement on what it should be, but why it should be.  Seems there are multiple opinions on something that should simply be a consensus.

    Looking for a correct answer, not just multiple [differing] opinions from which to choose.

    Doc

    PS:  With WS2008 R2 for my domain machine, and WS2008R2 and TMG 2010 for my firewall machine, the net does not come up with Inside and then Outside.  I change them back to Outside, then Inside, and the net comes up immediately.

    All other recommendations in the mentioned link are in place.

    Doc

    PS:  Also, what I did on the TMG machine is to install Microsoft Updates to WS2008R2.  Then, I installed TMG 2010, followed by TMG SP1, followed by TMG UD 1 to SP1.  Then, I configured my NICs.  Then, I configured TMG.  With the binding order of Outside, Inside, as I said, the net (inside and outside) come up immediately.  Changing the order as suggested to Inside, Outside is a problem.

    Doc

    • Edited by Dr. Strangelove Sunday, October 31, 2010 4:38 PM even more info...