Routing mania or why removing a route from the operating system doesn’t change the routing in Forefront TMG

In this blog I will describe how you work with network routes in Forefront TMG Medium Business Edition and Forefront TMG 2010. That is, routes as found in the IP routing table…

The problem

Imagine that you just installed your Forefront TMG Server (either Medium Business Edition or 2010). You run step one of the Getting Started Wizard (GSW):


You then add a route for the internal network, like this:


You finish off the wizard and go to a command prompt to verify that the route is there:


In Forefront TMG 2010 you can also view the route on the Routing tab of the Networking node in the Forefront TMG console:


Then the fun starts… You decide to remove the route as the network is no longer in use. So what do you do?

In Forefront TMG Medium Business Edition there’s no Routing tab under the Networking node, so what to do? The most obvious thing to do is to delete the route from a command prompt:


The route is gone:

Perfect! Or?

Now you go about editing the configuration. It doesn’t really matter what you do, as long as you update the configuration in some way; it could be just changing the description of an access rule. Then you click Apply, and look what’s back:


The same will happen in Forefront TMG 2010; there’s no difference if you delete the route manually.

More information

If you are curious about the reason for the route being persistent, well you may already have guessed it… It is saved in the Forefront TMG configuration storage:


The above screenshot is from my Forefront TMG 2010 machine, but the routes are stored in the same location for Forefront TMG MBE as well. Each route specified gets its own GUID under the CN “StaticRoutes”.

This means that every time the configuration is updated and applied, the whole configuration is applied to Forefront TMG MBE/2010 and if there are routes in the configuration, they are added back to the routing table in the operating system.
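To confirm this behaviour on a server, you can compare `route print` output captured before the manual delete, after it, and after the next Apply. The following Python sketch is an added example, not part of the original post or of any Forefront TMG tooling; the function names and the embedded sample output (addresses included) are constructed for illustration.

```python
import ipaddress

def parse_active_routes(route_print_output):
    """Return {(destination, netmask, gateway)} from the IPv4 'Active Routes'
    block of `route print` output."""
    routes, in_active = set(), False
    for line in route_print_output.splitlines():
        text = line.strip()
        if text.startswith("Active Routes:"):
            in_active = True
            continue
        if in_active and text.startswith("===="):
            break  # end of the IPv4 active-route block
        fields = text.split()
        if in_active and len(fields) == 5:
            try:
                ipaddress.IPv4Address(fields[0])
                ipaddress.IPv4Address(fields[1])
            except ValueError:
                continue  # not a route row
            routes.add((fields[0], fields[1], fields[2]))
    return routes

def reappeared_routes(before, after_delete, after_apply):
    """Routes that existed, were deleted from the OS, and came back after
    the configuration was applied again."""
    deleted = parse_active_routes(before) - parse_active_routes(after_delete)
    return sorted(deleted & parse_active_routes(after_apply))

# Constructed sample output; the addresses are illustrative only.
TABLE = """IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.10    266
{extra}      192.168.1.0    255.255.255.0         On-link      192.168.1.10    266
===========================================================================
"""
ROUTE = "        10.20.0.0      255.255.0.0    192.168.1.254     192.168.1.10     11\n"
BEFORE = TABLE.format(extra=ROUTE)        # route added through the wizard
AFTER_DELETE = TABLE.format(extra="")     # after deleting it at the command prompt
AFTER_APPLY = TABLE.format(extra=ROUTE)   # after clicking Apply in the console

if __name__ == "__main__":
    for dest, mask, gw in reappeared_routes(BEFORE, AFTER_DELETE, AFTER_APPLY):
        print(f"Route {dest} mask {mask} via {gw} was re-added after Apply")
```

Any route this reports is still defined in the Forefront TMG configuration and has to be removed there, as described in the solution section.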

Now for the really important part: Don’t delete routes directly from the storage; please use the UI instead, regardless of how cumbersome it may be. It is the correct, intended and, most of all, the only supported way.

The solution is described next.

The solution

In Forefront TMG 2010 the solution is to delete the route from the Routing tab using the “Delete Network Topology Route” option in the tasks pane or right-clicking the route in question and selecting “Delete”:


For Forefront TMG MBE the process is a bit more cumbersome: you need to re-run the Getting Started Wizard, selecting the option “Configure network settings”, in order to remove the route. Then select the same options as you did before, and when you get to the “Local Area Network (LAN) Settings”, highlight and remove the route:


Finish the wizard and you are done!


Anders Janson, Sr Support Engineer ISA and TMG, Microsoft Customer Support and Services EMEA

Eric Detoc, Escalation Engineer
Gabriel Koren, TMG Test Team