Slow internet access in a downstream-upstream proxy scenario

I came across a downstream-upstream proxy scenario recently. It was an interesting issue: when the user pointed directly to the upstream proxy server, his internet access worked fine, but when he pointed to the downstream proxy server, his internet access was very slow.

The TMG Data Packager, which I have discussed enough on this blog, needs no further introduction. We used it to collect data on the downstream proxy server while reproducing the issue, i.e. while trying to access a particular website, so that we could track the problem traffic during data analysis.

Observation from the data

The delay is due to name resolution, as seen below in the ISA tracing (this part is useful for my colleagues who read ISA tracing; for other readers it's an extra piece of information):

----------------------------------------------------------------------------------------------

,yy-MM-DD T18:44:10.ms Info:Searching DNS entry for www.contoso.com"

,yy-MM-DDT18:44:10. ms, Info:Called for LookupName - www.contoso.com"

,yy-MM-DD T18:44:10. ms, Info:Didn't find hostent in cache for www.contoso.com bailing out."

,yy-MM-DD T18:44:10. ms Info:Resolving www.contoso.com"

,yy-MM-DD T18:44:21. ms, ERROR:Converting DNS err 9002(DNS_ERROR_RCODE_SERVER_FAILURE) to Winsock err 11002(WSATRY_AGAIN)"

,yy-MM-DD T18:44:21. ms, ERROR:QueryDnsCache(www.contoso.com) failed with 11002(WSATRY_AGAIN)"

,yy-MM-DD T18:44:21. ms, Info:gethosttlbyname failed witn 11002(WSATRY_AGAIN)"

,yy-MM-DD T18:44: ms, Info:ProxyGetHostByName(www.contoso.com) failed, 11002(WSATRY_AGAIN)"

2014-11-03T18:44:21. ms , Info:WPPISAPUBLIC:DNS name resolution failed. Error This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.

----------------------------------------------------------------------------------------------

After looking further in the trace, I saw the following:

----------------------------------------------------------------------------------------------

Noise:ISA is configured to do name resolution of requested destination host name or IP address. This is controlled by SkipNameResolutionForAccessAndRoutingRules property (no UI, COM only)"

----------------------------------------------------------------------------------------------

I looked for name resolution traffic in the network traces to see what was going on with name resolution, and found:

***********************************************

      TMG_suraj_demo DNS_server_demo 18:44:10.xx DNS DNS:QueryId = 0xsurajsingh01, QUERY (Standard query), Query for www.contoso.com of type Host Addr on class Internet    

      DNS_server_demo TMG_suraj_demo 18:44:21.xx DNS DNS:QueryId = 0xsurajsingh01, QUERY (Standard query), Response - Server failure       

***********************************************

So there was a delay of 11 seconds in name resolution, and even then the result of the name resolution was a failure.
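The query/response pairing done by eye above can be automated over an exported trace. This Python is an added example, not part of the original post or of any TMG tooling; it assumes summary lines in the layout of the excerpt above, and the sample hosts, QueryIds and timestamps are constructed.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the trace excerpt above
# (source, destination, time, protocol, summary); all values are made up.
SAMPLE_TRACE = """\
TMG_demo DNS_demo 18:44:10.120 DNS DNS:QueryId = 0x1A2B, QUERY (Standard query), Query for www.contoso.com of type Host Addr on class Internet
TMG_demo DNS_demo 18:44:12.300 DNS DNS:QueryId = 0x1A2C, QUERY (Standard query), Query for intranet.example of type Host Addr on class Internet
DNS_demo TMG_demo 18:44:12.340 DNS DNS:QueryId = 0x1A2C, QUERY (Standard query), Response - Success
DNS_demo TMG_demo 18:44:21.480 DNS DNS:QueryId = 0x1A2B, QUERY (Standard query), Response - Server failure
TMG_demo DNS_demo 18:44:30.000 DNS DNS:QueryId = 0x1A2D, QUERY (Standard query), Query for www.fabrikam.example of type Host Addr on class Internet
"""

LINE = re.compile(
    r"^\s*(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+DNS\s+"
    r"DNS:QueryId = (?P<qid>0x[0-9A-Fa-f]+),.*?"
    r"(?:Query for (?P<name>\S+).*|Response - (?P<status>.*\S))\s*$"
)

def dns_latencies(trace_text, slow_after=2.0):
    """Pair each DNS query with its response by QueryId; report delay and outcome."""
    pending, results = {}, []
    for line in trace_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Time of day only: a capture that crosses midnight is not handled.
        ts = datetime.strptime(m["time"], "%H:%M:%S.%f")
        if m["name"]:
            # Key on (client, server, id): a QueryId is only unique per conversation.
            pending[(m["src"], m["dst"], m["qid"])] = (m["name"], ts)
            continue
        query = pending.pop((m["dst"], m["src"], m["qid"]), None)
        if query is None:
            continue  # response whose query was not captured
        name, sent = query
        delay = (ts - sent).total_seconds()
        failed = not m["status"].lower().startswith("success")
        results.append({"name": name, "delay": delay, "status": m["status"],
                        "flag": failed or delay >= slow_after})
    # Queries that never received an answer are findings as well.
    for name, _ in pending.values():
        results.append({"name": name, "delay": None, "status": "no response", "flag": True})
    return results

if __name__ == "__main__":
    for row in dns_latencies(SAMPLE_TRACE):
        print(row)
```

Flagged rows are the names worth checking against the proxy's DNS configuration: a slow answer, a failure answer, or no answer at all.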

Resolution

Regarding the SkipNameResolutionForAccessAndRoutingRules property, the article https://technet.microsoft.com/en-us/library/cc302443.aspx explains that we can bypass name resolution on the TMG downstream proxy as well, using a script. After running the script, the firewall service needs to be started.

Once we ran the script, there was no more delay in internet access when clients pointed to the downstream proxy server. We were now bypassing the name resolution process, which was what caused the delay in this scenario.