Threat Management Gateway (TMG) services do not start with Event ID 21235 in the event viewer

Here’s some info on an interesting support issue I worked the other day. If you happen to
run into this one day, maybe this will help you get it resolved.

Issue: Microsoft Forefront Threat Management Gateway (TMG) services do not start. To start the services, we needed to clear NLB and reconfigure NLB.

Troubleshooting and Resolution

We checked the event viewer and found the following events:

Level: Error
Computer: server1
Event ID: 21235
Source: Microsoft Forefront TMG Control
Message: Failed to configure Network Load Balancing to work with Forefront TMG

Level: Information
Computer: server1
Event ID: 14181
Source: Microsoft Forefront TMG Control
Message: The Forefront TMG Control service was stopped gracefully

I asked the customer to check the following registry value on the problem server:

HKLM\System\CurrentControlSet\Services\WLBS\Parameters\Global\EnableTCPNotification

We found that this was missing from the server, so I suggested that we create this value and set it to 2:

Key: HKLM\System\CurrentControlSet\Services\WLBS\Parameters\Global
DWORD name: EnableTCPNotification
DWORD value: 2

After adding the value above we restarted the server. At this point the TMG services started without any problems.

Explanation:

The TMG Control service depends on NLB. It configures NLB and holds a handle to it through the NLB service, although the actual NLB filter driver resides in kernel mode within NDIS (Network Driver Interface Specification). Because the TMG Control service is responsible for configuring NLB through the NLB service, a failure to do so can generate event ID 21235.

In various scenarios we have seen different event IDs generated by the TMG Control service, and many are directly related to NLB. Because of this we have to watch it closely: the TMG Control service does a lot of admin work and performs NLB configuration as well, so if it is not able to configure NLB, or there is some other problem with NLB, it will be reported through these events. While working on similar issues in the past, I have seen that this normally happens during the initialization of the TMG Control service. In this case, the 21235 event is logged because the TMG service looks up NLB's registry area to determine whether the TCP Connection Callback is set to use an alternate callback. This setting is required when NLB is in use, and if it is not set this event is generated.

The TCP Connection Callback value is stored at the following location in the registry:

HKLM\System\CurrentControlSet\Services\WLBS\Parameters\Global\

The value is named EnableTCPNotification and it should have the value 2, which is NLB_CONNECTION_CALLBACK_ALTERNATE.
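The following PowerShell script is an added example (it is not part of the original post and is not Microsoft's code) that turns the check and fix described above into something an administrator can run on the TMG server: it looks for recent 21235 events, verifies that EnableTCPNotification exists under the WLBS\Parameters\Global key with the value 2 (NLB_CONNECTION_CALLBACK_ALTERNATE), and only creates or corrects the value when run with the script's own -Fix switch. It assumes an elevated session on a host with NLB installed, and it assumes the TMG Control events are written to the Application log under the provider name shown in the event viewer; the -Fix and -EventLookbackHours parameters are this example's own design.

```powershell
# Added example, not from the original post: audit (and optionally repair)
# the NLB TCP connection callback setting that TMG Control requires.
# Path, value name and expected data (2 = NLB_CONNECTION_CALLBACK_ALTERNATE)
# are from the post; the switches and messages are this example's own.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix,                 # create/correct the value instead of only reporting
    [int]$EventLookbackHours = 24 # how far back to search for event 21235
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WLBS\Parameters\Global'
$valueName = 'EnableTCPNotification'
$expected  = 2   # NLB_CONNECTION_CALLBACK_ALTERNATE

# Assumption: TMG Control writes to the Application log under this provider name.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft Forefront TMG Control'
    Id           = 21235
    StartTime    = (Get-Date).AddHours(-$EventLookbackHours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($events) {
    Write-Warning ("{0} event(s) with ID 21235 in the last {1} hour(s); newest at {2}" -f
        @($events).Count, $EventLookbackHours, @($events)[0].TimeCreated)
}

if (-not (Test-Path $keyPath)) {
    Write-Warning "Key $keyPath does not exist; is NLB (WLBS) installed on this host?"
    return
}

# Read the value without throwing if it is absent.
$item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Warning "$valueName is missing under $keyPath"
    $current = $null
} else {
    $current = $item.$valueName
    if ($current -eq $expected) {
        Write-Output "$valueName = $current (NLB_CONNECTION_CALLBACK_ALTERNATE): OK"
        return
    }
    Write-Warning "$valueName = $current, expected $expected"
}

if (-not $Fix) {
    Write-Output "Re-run with -Fix to set $valueName to $expected (DWORD), then restart the server."
    return
}

# -WhatIf / -Confirm are honoured here through SupportsShouldProcess.
if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", "Set DWORD to $expected")) {
    if ($null -eq $current) {
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $expected | Out-Null
    } else {
        Set-ItemProperty -Path $keyPath -Name $valueName -Value $expected
    }
    Write-Output "$valueName set to $expected. Restart the server so the TMG Control service picks it up."
}
```

Run it once without switches to get a report; run it with -Fix (or -Fix -WhatIf to preview) to apply the change, then restart the server as the post describes, since the value is read when the TMG Control service initializes.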

The TCP connection callback object is explained in the following TechNet article under event ID 81:

NLB Connection Tracking and Load Balancing: https://technet.microsoft.com/en-us/library/dd363974(v=ws.10).aspx

Suraj Singh | Support Escalation Engineer | Management and Security Division