One of the really nice things about supporting ISA/TMG is that there are so many tools to assist us when troubleshooting an issue.  Among those tools we have at our disposal are he Web Proxy logs, Live Logging, Network traces, and ISA Tracing just to namea few. While one tool may not always pinpoint exactly where the problem lies, sometimes a combination of a few of them will help you form a clearer picture.

I recently had a case where using all of the tools at my disposal really helped in figuring out exactly what was causing the issue.

Problem

Web Proxy clients behind Forefront TMG 2010 are not able to play a WMV file that was posted on a particular external website. Windows Media player would say it was playing but there was never any video and eventually it gave you an error. “Windows Media Player cannot play the file because the server is not responding. If you entered a URL or path to play the file, verify that it is correct. If you clicked a link to play the file, the link may not be valid.”  (See Fig. 1)

 

Fig. 1

Data Analysis

The first thing I looked at was Live Logging in TMG. I set up a query for the client’s IP address and saw that TMG was allowing the connection (See Fig. 2)

Fig. 2

Since this was HTTP the next thing I wanted to look at was the Network Traces. The TMG Data Packager which is part of TMG Best Practices Analyzer will allow you to get Network Traces simultaneously from all network interfaces while reproducing the issue. For details on how to use this tool please see http://blogs.technet.com/b/yuridiogenes/archive/2009/05/07/using-isabpa-for-proactive-and-reactive-work-with-isa-server-part-2-of-2.aspx

One of the odd things that stood out was the data payload length coming to the external interface was much larger (1380 versus 50) than what was being sent to the client.

Fig. 3 below (Frame detail taken from external NIC on TMG)

Fig. 4 below (Frame detail taken from internal NIC on TMG)

This was consistent throughout the entire trace and seemed odd. Apparently TMG was getting the data but was not passing it on to the client. Why would this be? I needed to keep on looking at the data. I next pulled up the Web Proxy logs that the TMG Data Packager had captured for me. They are in XLS format so I can look at them in Excel. I sorted again by client IP and started looking at the entries. Eventually one of the columns jumped out at me. Malware Inspection Content Delivery Method was showing as “Standard Trickling”. (See Fig. 5)

Fig. 5

Since this WMV file was essentially streaming video I would have expected this to be Fast Trickling.

I went to my TMG MMC and the Web Access Policy branch, then under Malware Inspection, Content Delivery,  Content Types for Fast Trickling (See Fig. 6)

Fig. 6

I searched for application/octet-stream and it was not in there under the Selected Types (See Fig. 7)

Fig. 7

Under Available Types I added application/octet-stream, applied the changes and then tested. Now it works as expected.

Conclusion

There are many issues we come across on a daily basis where the solution is not always readily apparent. This is especially true when troubleshooting Forefront TMG and ISA Server. Thankfully there are many weapons in our troubleshooting arsenal we can call into play to help us tackle thesedifficult issues.