September 14, 2011

Internal DNS Server does not respond when TMG is deployed as Edge Firewall

In the most common Forefront TMG deployment you use the Edge Firewall configuration. For name resolution you use internal DNS servers that rely on forwarders to resolve external names.
In some scenarios I have seen the DNS server stop responding after a few minutes of use, or show intermittent connectivity.

Most often, flood mitigation is the reason for this: TMG limits the number of connections a single internal IP address may open within a minute, and a busy DNS server forwarding queries to the Internet can exceed that limit and be treated as a suspected flood.

To disable flood mitigation:
1. In the Microsoft Forefront TMG Management Console, click "Intrusion Prevention System" in the left pane under the server node.
2. On the "Behavioral Intrusion Detection" tab, open "Configure Flood Mitigation Settings".
3. Clear the checkbox "Mitigate flood attacks and worm propagation".

See the screenshot below for help:

That should do the trick.
Still, if you do not want to give up the protection that flood mitigation provides, add the IP addresses of your internal DNS servers to the "IP Exceptions" tab of the same dialog box instead; the connection limits then no longer apply to those servers while the rest of the network stays covered.
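Before and after changing the setting it helps to confirm the symptom objectively rather than by feel. The script below is an added diagnostic example and is not part of the original post or of Forefront TMG. It sends a plain UDP DNS query to the internal server at a fixed interval using only the Python standard library, and distinguishes a server that does not answer at all (timeout) from one that answers SERVFAIL because it cannot reach its forwarders through the firewall. The server address `10.0.0.10`, the probe names and the interval are constructed placeholders that you replace with your own.

```python
"""Probe an internal DNS server at a fixed interval and summarise when it
stops answering. Added diagnostic example for the article above; it is not
part of Forefront TMG or the original post. Standard library only: the DNS
query is built by hand with struct, so no resolver package is needed."""
import random
import socket
import struct
import time

# Constructed placeholders: replace with your own internal DNS server and names.
INTERNAL_DNS = "10.0.0.10"
PROBE_NAMES = ["example.com", "example.net", "example.org"]


def build_query(name, qid=0x1234, qtype=1):
    """Return a minimal RFC 1035 query for `name` (class IN, RD set)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(data, expected_id):
    """Decode the header of a DNS reply; raise on truncation or id mismatch."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    return {
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "rcode": flags & 0x000F,   # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN ...
        "answers": an,
    }


def probe_once(server, name, timeout=2.0):
    """One query; returns (ok, detail). A timeout means the server itself is
    silent; SERVFAIL with no answers usually means it could not reach its
    forwarders, which is what a blocked outbound path looks like."""
    qid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
        r = parse_response(data, qid)
        if r["rcode"] == 0 and r["answers"] > 0:
            return True, "ok"
        return False, "rcode=%d answers=%d" % (r["rcode"], r["answers"])
    except socket.timeout:
        return False, "timeout"
    except (OSError, ValueError) as exc:
        return False, str(exc)
    finally:
        sock.close()


def summarize(results):
    """results: list of (elapsed_seconds, ok, detail). Returns counts and the
    time of the first failure, so 'dies after a few minutes' is visible."""
    failures = [(t, d) for t, ok, d in results if not ok]
    by_kind = {}
    for _, detail in failures:
        by_kind[detail] = by_kind.get(detail, 0) + 1
    return {
        "total": len(results),
        "failed": len(failures),
        "first_failure_at": failures[0][0] if failures else None,
        "by_kind": by_kind,
    }


def run_probe(server, names, interval=10, duration=600):
    """Query `names` round-robin every `interval` seconds for `duration` seconds."""
    results, start, i = [], time.time(), 0
    while time.time() - start < duration:
        ok, detail = probe_once(server, names[i % len(names)])
        elapsed = int(time.time() - start)
        results.append((elapsed, ok, detail))
        print("t=%4ds %-12s %s" % (elapsed, names[i % len(names)], detail))
        i += 1
        time.sleep(interval)
    return summarize(results)


if __name__ == "__main__":
    print(run_probe(INTERNAL_DNS, PROBE_NAMES))
```

Run it once with the mitigation enabled and once with the DNS server listed under "IP Exceptions": if the failures that began a few minutes into the first run disappear in the second, the connection limits were the cause. A failure pattern of `timeout` rather than `rcode=2` points at the DNS service or the path to it, not at its forwarders.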
