TMG 2010: Someone Find me Something High to Jump Off

[SYNACK]

Right, after careful consideration and several months of troubleshooting I have decided that Microsoft TMG 2010 is an abortion of of product and MS should have decided to kill the line before releasing it.

I have tried it on a 2008 R2 VM, 2008 R2 physical host, 2008 physical host and reset it up a few times. Disables all inspection rules, gave it more RAM, implemented extencive logging rules etc.

Stupidly I still can't pin down the problems 100% to the dirty TMG box as there is a switch or two in the way that are dodgey but it seems to be the prolem of TMG.

Symptoms, continuously dropping packets and choking out internet connections for single clients for up to 15 minutes despite killing off flood mitigation settings and installing every hotfix avalible.

Balmer needs to be hit with his own flying chair, removing features from products and releasing tripe like TMG. If I can finally 100% pin it down to TMG I am going to push MS to refund our Volume liscence of it.

[Domino]

BOOM - it's rubbish.

Apparently it works much better if your gateway address is the first address on it's subnet (eg. x.x.x.1 ) - so all you've gotta do is rebuild your network architecture ;-)

This terrible product caused us to remove all microsoft firewalls from edge roles, and we'd been ISA totally before that

[SYNACK]

Interesting, back to ISA for us now till we get some form of replacement or MS releases their new OS with it built in (hopefully having it built in will mean that it will actually work with the OS.

Their team must have accidentally overshot the Balmer Peak:

ballmer_peak.png

xkcd: Ballmer Peak

Unfortuantly at our cost.

[spc-rocket]

Hi SYNACK

Has there been any formal annoucement on the future of TMG? I think there were reports or rumors that this may be the last version of TMG/ISA. There's also been a lot of speculation that the product might be integrated with the server product and if so it may as simple as adding a role.

Ash.

[SYNACK]

Hi SYNACK

Has there been any formal annoucement on the future of TMG? I think there were reports or rumors that this may be the last version of TMG/ISA. There's also been a lot of speculation that the product might be integrated with the server product and if so it may as simple as adding a role.

Ash.

Still speculation but that is what I think will probably happen as above. If not I have about 0 goodwill left towards the product so they can stick it if it is not implemented in a working fashion and free. If they want me to pay more for UAG or something they can get so jumped...

[jamesfed]

Just to add my 2p - we have, use and love TMG 2010

Looks after our web filter, in trainsit AV scanning, SSTP VPN and handles the firewall for various other things.

Runs on a Hyper-V virtual machine and works a treat with an average usage of about 6GB RAM.

A few little things - have you checked the NIC drivers on your Virtual Host? Check they are up to date and consider having a play around with some of the driver settings.

[SYNACK]

Just to add my 2p - we have, use and love TMG 2010

Looks after our web filter, in trainsit AV scanning, SSTP VPN and handles the firewall for various other things.

Runs on a Hyper-V virtual machine and works a treat with an average usage of about 6GB RAM.

A few little things - have you checked the NIC drivers on your Virtual Host? Check they are up to date and consider having a play around with some of the driver settings.

Yes to all of the above, different drivers, different driver setting, tweaking synthetic buffers under Hyper-V, disabling all TCP offloading etc. etc. etc. Its weird, it seems to work for some places but be completely hapless and hopeless in others Unfourtunatly for us we are one of the latter. I have two other sites that are still working great on ISA and I have no intention of 'upgrading' them to the flakey cack that is TMG. Chances are they may work fine but I don't want to risk another disaster like the current implementation.

Interestingly this is the same place that had epic problems with a squid proxy that would not handle more than 20 SSL connections at once. I think the place is just cursed.

[sparkeh]

Oh I thought it was done and dusted that TMG 2010 was to be the last release.

Apparently MS confirmed this with Gartner is one of its reports: Deb Shinder Blog » Blog Archive » Death of TMG?

I think I also remember reading that a lot of the staff working on TMG were redeployed in MS.

edit: must admit though there doesn't seem to be any official confirmation of this from MS.

[ChrisH]

Since we are on the subject we have ISA 2006 running currently and was considering "updating" to TMG but since it doesn't seem to be held in high regard...... What are the recommended alternatives ?

[Domino]

Depends - what are you using it for?

[SYNACK]

Oh I thought it was done and dusted that TMG 2010 was to be the last release.

Apparently MS confirmed this with Gartner is one of its reports: Deb Shinder Blog » Blog Archive » Death of TMG?

It should never have been 'released'. I think that it definatly is the last release of the product line but the future of the featureset has not been determined.

[sparkeh]

It should never have been 'released'. I think that it definatly is the last release of the product line but the future of the featureset has not been determined.

I believe the current speculation is that it will be rolled into the next release of Windows Server...

[TechMonkey]

Interestingly this is the same place that had epic problems with a squid proxy that would not handle more than 20 SSL connections at once. I think the place is just cursed.

Have you checked the basement for an Indian burial ground? These things can easily be overlooked.

[SYNACK]

Have you checked the basement for an Indian burial ground? These things can easily be overlooked.

With the amount of weird BS that happens at that site I think it may be the burial ground of a tribe of witch doctors or the antichrist itself. Even the doors are evil.

[Domino]

Have you checked the basement for an Indian burial ground? These things can easily be overlooked.

Or a gateway to Hell? Both need firewalling...