locked
Forefront TMG 2010 failed to start automatically on Windows 2008R2 at server start-up. RRS feed

  • Question

  • Hello. I have following TMG setup:
    -Clean Install of Windows 2008 R2 standard
    -Install Forefront TMG 2010 standard
    -Import config from ISA 2006 standard (workgroup mode, 3 legs, ldap+radius auth, SSTP VPN)
    -Install Exchange Edge 2010
    -Install Forefront Protection for Exchange 2010

    All of that is working just fine, but: 
    =================================================================================================
    At server start-up TMG Control service timed-out and goes to stop, TMG Firewall and Job Schedule, TMG Managed Control does not start-up due to this.
    =================================================================================================
    All others services (including Exchange and FFP for Exchange) starts ok.
    TMG Control service time-out cause 30 min delay in server boot time, after what I can login through Remote Desktop and without any problem manually start TMG Control, TMG Firewall, TMG Job Schedule and TMG Managed Control Firewall. No any alarms, and all functionality works fine.
    Immediately after server startup I can login through local console, but if I late, explorer unable to start and I see no desktop until TMG failed to run.
    Again - no any indication in Event Viewer why TMG timed out. Please help.

    Monday, February 22, 2010 12:39 PM

Answers

  • Because this issue may related to the sequence of installing TMG, Exchange Edge and FSE. After you install Forefront TMG and configure an e-mail policy, if you install the Exchange Server Edge Transport Role or Forefront Security for Exchange (FSE), the ISAManagedCtrl service fails. This does not occur if you install the Edge Transport Role or FSE before installing Forefront TMG. Meanwhile, I’d like to know do you have any other error message on the event viewer?


    Nick Gu - MSFT

    Corect, the recomended order of installing is:

    1. Exchange Edge Transport
    2. Forefront Protection for Exchange
    3. TMG

    See http://technet.microsoft.com/nl-nl/library/ee207141(en-us).aspx

    Still, even when installing in this order I'm seeing a lot of people with crashing Exchange Transport service, TMG Control service or even both. I'm currently working on this issue with PSS.
    With kind regards / Met vriendelijke groet, Jetze Mellema | http://jetzemellema.blogspot.com/
    Thursday, March 4, 2010 9:18 AM
  •  

    Because this issue may related to the sequence of installing TMG, Exchange Edge and FSE. After you install Forefront TMG and configure an e-mail policy, if you install the Exchange Server Edge Transport Role or Forefront Security for Exchange (FSE), the ISAManagedCtrl service fails. This does not occur if you install the Edge Transport Role or FSE before installing Forefront TMG. Meanwhile, I’d like to know do you have any other error message on the event viewer?


    Nick Gu - MSFT

    Corect, the recomended order of installing is:

    1. Exchange Edge Transport
    2. Forefront Protection for Exchange
    3. TMG

    See http://technet.microsoft.com/nl-nl/library/ee207141(en-us).aspx

    Still, even when installing in this order I'm seeing a lot of people with crashing Exchange Transport service, TMG Control service or even both. I'm currently working on this issue with PSS.
    With kind regards / Met vriendelijke groet, Jetze Mellema | http://jetzemellema.blogspot.com/


    Case to Microsoft solve this problem:

    PROBLEM:  Issue with TMG Service is not starting automatically after restarting server.

     

    CAUSE:  Dependent services.

     

    RESOLUTION:  We applied below action to resolve the issue.

     

    Applied below registry key and command and this issue should get resolved by this.

     

    Navigate to HKLM\CurrentControlSet\Services\HTTP and create the following Multi-string value as below

    DependOnService and enter CRYPTSVC in the Value Data field and click OK

     

    sc config isactrl depend= RasMan/SSTPSVC/FwEng/ISASTG/bfe/mpssvc/HTTP

     

    We also set Exchange Transport service as Automatic (Delayed Start).

     

    • Marked as answer by Voljka Friday, May 21, 2010 6:20 AM
    Friday, May 21, 2010 6:20 AM

All replies

  • Hi,

     

    Thank you for the post.

     

    To install the Edge Transport Role or FSE after installing Forefront TMG and configuring an e-mail policy:

    At a command prompt, type:
    1.net stop isamanagedcrtl

    2.After the service stops, install the Edge Transport Role and FSE.

    3.At the command prompt, type:
       Net start isamanagedctrl

     

    Regards,


    Nick Gu - MSFT
    Monday, March 1, 2010 11:07 AM
    Moderator
  • I'm sorry, why you advice how to install Edge and FPE when I ask for help on completely another subject?
    I' m repeating: I have a problem with TMG startup. And this problem exclusively specific for automatic unattended startup.
    Manually I can start TMG without any problem, but only after server goes up completely.

    I did full uninstall of Edge, FPE and TMG. Doublecheck all known registry places for network configuration, install latest Intel drivers - 15.1.1,
    install only TMG again, and result is the same - automatic startup timed out...
    Monday, March 1, 2010 5:50 PM
  • Hi Voljka,

     

    Thank you for the update.

     

    “why you advice how to install Edge and FPE when I ask for help on completely another subject?”

    Because this issue may related to the sequence of installing TMG, Exchange Edge and FSE. After you install Forefront TMG and configure an e-mail policy, if you install the Exchange Server Edge Transport Role or Forefront Security for Exchange (FSE), the ISAManagedCtrl service fails. This does not occur if you install the Edge Transport Role or FSE before installing Forefront TMG. Meanwhile, I’d like to know do you have any other error message on the event viewer?

     

    Regards,


    Nick Gu - MSFT
    Wednesday, March 3, 2010 2:12 AM
    Moderator
  • No, I do not see any other errors. And to be clear, TMG Managed Control starts after TMG Control service, IMHO. So, if TMG control hangs and shut down, then why worried about TMG Managed Control? 
    Wednesday, March 3, 2010 9:25 AM
  • Because this issue may related to the sequence of installing TMG, Exchange Edge and FSE. After you install Forefront TMG and configure an e-mail policy, if you install the Exchange Server Edge Transport Role or Forefront Security for Exchange (FSE), the ISAManagedCtrl service fails. This does not occur if you install the Edge Transport Role or FSE before installing Forefront TMG. Meanwhile, I’d like to know do you have any other error message on the event viewer?


    Nick Gu - MSFT

    Corect, the recomended order of installing is:

    1. Exchange Edge Transport
    2. Forefront Protection for Exchange
    3. TMG

    See http://technet.microsoft.com/nl-nl/library/ee207141(en-us).aspx

    Still, even when installing in this order I'm seeing a lot of people with crashing Exchange Transport service, TMG Control service or even both. I'm currently working on this issue with PSS.
    With kind regards / Met vriendelijke groet, Jetze Mellema | http://jetzemellema.blogspot.com/
    Thursday, March 4, 2010 9:18 AM
  • You are right! After clean reinstall in mentioned (Exchange, Protection, TMG) sequence, I got it running. Still has a problem with Exchange Transport, which I avoided by setting Exchange Transport to Automatic (Delayed Start) mode.

    Any news about "even when installing in this order I'm seeing a lot of people with crashing Exchange Transport service, TMG Control service or even both."?

    Monday, March 22, 2010 7:27 PM
  •  

    Because this issue may related to the sequence of installing TMG, Exchange Edge and FSE. After you install Forefront TMG and configure an e-mail policy, if you install the Exchange Server Edge Transport Role or Forefront Security for Exchange (FSE), the ISAManagedCtrl service fails. This does not occur if you install the Edge Transport Role or FSE before installing Forefront TMG. Meanwhile, I’d like to know do you have any other error message on the event viewer?


    Nick Gu - MSFT

    Corect, the recomended order of installing is:

    1. Exchange Edge Transport
    2. Forefront Protection for Exchange
    3. TMG

    See http://technet.microsoft.com/nl-nl/library/ee207141(en-us).aspx

    Still, even when installing in this order I'm seeing a lot of people with crashing Exchange Transport service, TMG Control service or even both. I'm currently working on this issue with PSS.
    With kind regards / Met vriendelijke groet, Jetze Mellema | http://jetzemellema.blogspot.com/


    Case to Microsoft solve this problem:

    PROBLEM:  Issue with TMG Service is not starting automatically after restarting server.

     

    CAUSE:  Dependent services.

     

    RESOLUTION:  We applied below action to resolve the issue.

     

    Applied below registry key and command and this issue should get resolved by this.

     

    Navigate to HKLM\CurrentControlSet\Services\HTTP and create the following Multi-string value as below

    DependOnService and enter CRYPTSVC in the Value Data field and click OK

     

    sc config isactrl depend= RasMan/SSTPSVC/FwEng/ISASTG/bfe/mpssvc/HTTP

     

    We also set Exchange Transport service as Automatic (Delayed Start).

     

    • Marked as answer by Voljka Friday, May 21, 2010 6:20 AM
    Friday, May 21, 2010 6:20 AM
  • Thank you Voljka, excellent.
    With kind regards / Met vriendelijke groet, Jetze Mellema | http://jetzemellema.blogspot.com/
    Monday, June 14, 2010 10:02 AM
  • I'm just curious as to whether this has been, or is slated to be resolved?

    I haven't had a chance to try Voljka's solution yet, because I'm still in the 30min waiting window after a reboot, but I have not at any point had any component other than the vanilla TMG RTM product installed. I have tried both RTM and SP1 and both seem to suffer from this issue.

    The installation process was quite straightforward. I simply made sure I used Server Manager to comply to the pre-requisites as per http://technet.microsoft.com/en-au/library/dd896983.aspx, installed TMG and let the "good times" (meaning the restart ____) roll.

    Kind of a disappointing start when compared to the ISA 2006 experience. Oddly enough, when I was trialling the release candidate last year I did not have any such issues.

    Cheers,
    Lain

    Monday, July 12, 2010 7:25 AM
  • Well, this isn't quite what I expected. This is what I've done and where it's led to:

    • Install TMG (alone, as described above): -> reboot delays upwards of 30mins;
    • Applied Voljka's workaround: -> reboots back to normal (around 5mins, 1:30 of which is the hardware initialisation component);
    • Apply TMG SP1: -> reboot delays;
    • Inspect the ISACTRL registry key and notice it's dependencies have been reset, so again add the HTTP component: -> reboot delays, but shorter (11mins);
    • Inspect the eventvwr and observe that now that the "TMG Managed Control" has hung on starting approx 6.5mins after the other TMG services have successfully started, which in turn are after - but around the same time as the SQL services have started;
    • Despite the above, once the "TMG Mnaaged Control" has terminated, the failure action of "restart service" kicks in and it too starts successfully.

    So, it's a long way from perfect, but at least the downtime is only an additional 5mins instead of 25 - 30.

    There's only three services listed between the TMG Control service starting and the Managed Control service failing on timeout:

    • Microsoft Forefront TMG Job Scheduler (+3 sec)
    • Microsoft Forefront TMG Firewall (+17 sec)
    • Shell Hardware Detection (+91 sec)

    I'm not really sure if this is going to make any difference, but all I can think of trying at the moment is introducing a new dependancy for the TMG Managed Control on the Job Scheduler. Given the behaviour between SP1 and RTM is different in my case, I'm all out of ideas. (I'm discounting the Shell Hardware Detection as irrelevant in this case)

    Cheers,
    Lain

    Monday, July 12, 2010 10:40 AM
  • The above additional step of adding to the TMG Managed Control service a dependancy on the TMG Scheduled Job service appears to have resolved my issue, as that last boot was only four minutes. Admittedly, making any kind of decision after just one reboot isn't very sound, but after numerous lengthy reboots, I'm hopeful this is indeed indicative that the problem is resolved.

    Cheers,
    Lain

    Monday, July 12, 2010 10:51 AM
  • I can also confirm that there are compatibility issues with the TMG 2010 / Exchange Edge / Forefront Security 2010 for Exchange trio.

    After a lot of troubleshooting at the customer site, I did the lab and managed to isolate Forefront Security 2010 as the problems cause. Without it everything functions tip/top but with when it comes into formula things get seriously broken regardless if installed in order suggested by Microsoft documentation or after TMG installation (as TMG setup sugests.

    Customer is very unhappy as we spent almost a week now trying to bring things in order that should be normally done in a day and we also loosing a lot of time and money <button>Submit</button>basically because Microsoft is not able to ensure compatibility with itself.

    Regards,

    Dejan Foro

     

    Friday, October 22, 2010 1:00 PM