Hi All, thanks in advance for reading.

I'm in the process of moving our web users off our old ISA 2006 perimeter firewall and onto our TMG 2010 firewall.  I am facing an issue where connection attempts to some websites (not just the first time web is used) have a 10 second delay before they connect.  

We have a fairly standard multihomed setup.  I've been through the network adapter best practices and amended the binding order to make sure the internal network is highest, but to no avail.  I've also made sure that I only have a DNS server against the internal adapter and the DNS server specified can correctly resolve external DNS entries.

I am using IE9 for this, with the proxy defined by hostname and the "automatically detect scripts" checkbox unchecked.  For testing, I've created a rule which allows my computer out without any authentication and removed the proxy settings in my IE.  This results in a bit quicker access, but still not instantaneous.  Does this maybe rule out the web proxy?

Forgot to mention, TMG version is 7.0.9193.500.

Any ideas?

Hi,

in IE hit F12 > Network > start capturing and check what exactly takes so time to load. Do you have the same on the TMG itself?

Hi,

Thank you for the post.

Does this issue occur to all the clients or some certain client? and is this delay for all the website?

Regards,

Consistently it is one of the GET requests.  It isn't always the first and it isn't always 10 seconds exactly (can be up to 20 in some cases).

This does not appear to happen on the TMG server itself.

To confirm, allowing a machine through the firewall based on its IP and then setting no proxy also resolves the issue.

thanks

John H

Hi Nick, thanks for replying :)

I haven't rolled it out, but both my machine and my laptop experience this when the proxy is set in IE.

Its more of an intermittent issue than specific sites.  sometimes a site will be quick, sometimes it won't.  Some sites just work without this delay.

See also my latest reply below for more info.  

Could this be a caching issue?

Hi,

Do you have any network device in front of TMG? Does the rule, which allows inet access, require that a user should be authenticated? If yes, then have you tied without authentication?

Hi Vasily,

We have a Cisco switch directly in front of TMG which is connected to a BT managed router.  The old ISA server is also connected to the same switch.

Yes, the rule requires authentication so that we can monitor and block sites on a per user basis.  I've added a rule at the top which allows my machines out, unauthenticated, via IP address and the delay does not occur.

thanks for your help so far.

Then delay can happen due to authentication delay, TMG waits for DC to respond. What do you have as a proxy in IE settings? Do you have auto configuration options enabled? Do you use IP as a proxy? Try to disable autoconfig and replace IP with FQDN. Then test it.

Hi Vasily,

I think I came to this conclusion as well.  The only thing different in my proxy settings to the ideal (no autoconfig) is that I was using the hostname, rather than the FQDN.  I've change it too FQDN and it seems to have improved, but I'll keep testing it to make sure.  Would you expect this to make a difference ?

I've noticed on our old ISA server against the authentication options for the proxy we have intergrated and Basic ticked, whereas on TMG we only have intergrated ticked.  Now ISA does occasionally pop up boxes asking for user credentials which is very annoying and something that TMG doesn't do, but ISA have no delays.  What authentication options should be ticked?

thanks again

John 

Alas it appears the FQDN hasn't fixed it,.  Still get the occasional wait. :(I

thanks
John

Anybody got any ideas?

I'm sure it must be configured wrong, but I'm stumped!

Hi,

In my eyes it looks like either auth issue or DNS. If FQDN didn't help use, then try to run netstat -ano during the browsing issue. It might be you have some delays we DNS response or some app can exhausted your ports. BTW, is flood mitigation enabled and does it have default settings?