Here’s some info on an interesting support issue I worked the other day. If you happen to run into this one day, maybe this will help you get it resolved.

Issue: Microsoft Forefront Threat Management Gateway (TMG) services do not start. To get the services started, the customer had to clear the NLB configuration and reconfigure NLB every time the issue occurred.

Troubleshooting and Resolution

We checked the event viewer and found the following events:

Level: Error
Computer: server1
Event ID: 21235
Source: Microsoft Forefront TMG Control
Description: Failed to configure Network Load Balancing to work with Forefront TMG

Level: Information
Computer: server1
Event ID: 14181
Source: Microsoft Forefront TMG Control
Description: The Forefront TMG Control service was stopped gracefully

I asked the customer to check the following registry value on the problem server:

HKLM\System\CurrentControlSet\Services\WLBS\Parameters\Global\EnableTCPNotification

We found that this was missing from the server, so I suggested that we create this value and set it to 2:

Key: HKLM\System\CurrentControlSet\Services\WLBS\Parameters\Global
DWORD name: EnableTCPNotification
DWORD value: 2

After adding the value above we restarted the server. At this point the TMG services started without any problems.

Explanation:

When Integrated NLB is configured on a TMG array, the TMG Control service depends on NLB being configured correctly. TMG holds a handle to NLB through the NLB service and is responsible for configuring NLB. If the TMG Control service fails to configure NLB, one of the events that may be generated is event ID 21235. This typically occurs during initialization of the TMG Control service.

In this case, event 21235 is logged because the TMG service looks up NLB's registry area to determine whether the TCP Connection Callback is set to use the alternate callback. This setting is required when NLB is in use; if it is not set, this event is generated.

The TCP Connection Callback value is stored at the following location in the registry:

HKLM\System\CurrentControlSet\Services\WLBS\Parameters\Global\

The value is named EnableTCPNotification and it should have the value 2, which is NLB_CONNECTION_CALLBACK_ALTERNATE.
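The following PowerShell script is an added example, not code from the original post: it ties the check and the fix described above together by looking for recent 21235 events from the Microsoft Forefront TMG Control source, reading EnableTCPNotification under the WLBS Global key, and creating it as a DWORD of 2 only when it is missing (a value that is present but different is reported, not overwritten). It assumes an elevated session on the TMG array member and that the TMG Control events are written to the Application log.

```powershell
# Added example (not from the original post): verify the NLB TCP-notification
# value that Forefront TMG Control expects, and create it only if it is missing.
# Run in an elevated PowerShell session on the affected TMG array member.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WLBS\Parameters\Global'
$ValueName = 'EnableTCPNotification'
$Expected  = 2   # NLB_CONNECTION_CALLBACK_ALTERNATE, as described in the post

# 1. Correlate with the symptom: recent 21235 events from the TMG Control source.
#    Assumption: these events land in the Application log.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft Forefront TMG Control'
    Id           = 21235
} -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    Write-Host ("Found {0} recent 21235 event(s); most recent at {1}" -f `
        @($events).Count, @($events)[0].TimeCreated)
}

# 2. Read the current value ($null when the value, or the whole key, is absent).
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName `
    -ErrorAction SilentlyContinue).$ValueName

if ($null -eq $current) {
    Write-Host "$ValueName is missing under $KeyPath"
    if (-not (Test-Path $KeyPath)) {
        # Assumption: the Global key itself may also be absent on a broken host.
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName `
        -PropertyType DWord -Value $Expected | Out-Null
    Write-Host "Created $ValueName = $Expected (REG_DWORD); restart the server so TMG Control re-reads it."
}
elseif ($current -ne $Expected) {
    # Do not silently overwrite a deliberate setting; surface it for review instead.
    Write-Host "$ValueName is $current, expected $Expected; review before changing it."
}
else {
    Write-Host "$ValueName is already $Expected; event 21235 has another cause on this host."
}
```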

The TCP connection callback object is explained in more detail in the following TechNet article, under event ID 81:

NLB Connection Tracking and Load Balancing: http://technet.microsoft.com/en-us/library/dd363974(v=ws.10).aspx


Note: Thanks to Escalation Engineer Eric Detoc for discovering the details related to this event and the associated registry value.

Author

Suraj Singh - Security Support Escalation Engineer, Microsoft CSS Forefront Security Edge Team

Reviewer

Richard Barker - Sr Security Support Escalation Engineer, Microsoft CSS Forefront Security Edge Team