Alert definitions
Applies To: Forefront Threat Management Gateway (TMG)
The following table summarizes the Forefront TMG predefined alert definitions.
Alert and Event definition | Description | Additional conditions |
---|---|---|
Access to Configuration Storage server is blocked (not relevant for Forefront TMG in the Essential Business Server scenario.) |
As a result of changes made to the configuration, access to the Configuration Storage server is blocked. |
Any connection failure |
Account Name Resolution Failed (not relevant for Forefront TMG in the Essential Business Server scenario.) |
The Configuration Agent is unable to resolve the account specified for administration. |
None |
Alert action failure |
The action associated with this alert cannot complete. |
None |
Application Filter Not Registered |
The application filter is not registered on this server. |
None |
Array Member Status Verification Failed (not relevant for Forefront TMG in the Essential Business Server scenario.) |
Array member status verification failed. VPN tunnels may not be established. |
None |
Array Member Status Verification Succeeded (not relevant for Forefront TMG in the Essential Business Server scenario.) |
Forefront TMG successfully verified the array member's status. VPN tunnels can be established. |
None |
Array-Level Policy Rule Was Deleted (not relevant for Forefront TMG in the Essential Business Server scenario.) |
The enterprise policy does not permit some types of array-level policy rules. |
None |
Both ISP links are unavailable |
Both ISP links are detected to be unavailable. |
None |
Broken Reference in Cross-Array Configuration (not relevant for Forefront TMG in the Essential Business Server scenario.) |
The Forefront TMG Control service detected a reference to a rule element that does not exist in a Web publishing rule defined in an array. |
None |
CA Certificate Expired |
The imported certification authority (CA) certificate that should be used to sign cloned SSL server certificates for destination servers has expired. |
None |
CA Certificate Expiring Soon |
The certification authority (CA) certificate that should be used to sign cloned SSL server certificates for destination servers will expire in less than %1 days. |
None |
CA Certificate Failed to Sign |
Forefront TMG failed to sign a cloned SSL server certificate for a destination server using a certification authority (CA) certificate. |
None |
CA Certificate Imported Successfully |
The certification authority (CA) certificate that will be used to sign cloned SSL server certificates for destination servers was successfully imported. |
None |
CA Certificate Issuer Not Trusted |
The imported certification authority (CA) certificate that should be used to sign cloned SSL server certificates for destination servers is not trusted by the local computer. |
None |
CA Certificate Not Yet Valid |
The imported certification authority (CA) certificate that should be used to sign cloned SSL server certificates for destination servers is not yet valid. |
None |
Cache Container Initialization Error |
The cache container initialization failed, and the container is ignored. |
None |
Cache Container Recovery Complete |
The recovery of a single container is complete. |
Any |
Cache File Resize Failure |
The operation to reduce the size of the cache file failed. |
None |
Cache Initialization Failure |
The Web cache proxy is disabled because of global failure. |
None |
Cache Permissions Insufficient |
When you configure a drive for caching, a cache file (Dir1.cdat), is created in the drive:\urlcache folder. This alert definition indicates that the Network Services account does not have sufficient permissions for the root folder and the urlcache folder on one or more cache drives. Verify that the Network Services account has at least List Folder and Read permissions for the root folder, and it has Read permission for the urlcache folder on all cache drives. |
None |
Cache Restoration Completed |
The cache content restoration is complete. |
Any |
Cache Write Error |
There is a failure in writing content to the cache. |
None |
Cached Object Discarded |
During cache recovery, an object with conflicting information was detected. The object is ignored. |
None |
Certificate on Forefront TMG about to expire |
A certificate on Forefront TMG is nearing its expiration date. |
None |
Certificate on Forefront TMG invalid |
There is a validity problem with a certificate used by Forefront TMG to establish a SSL connection with a client. |
None |
Code Page Invalid |
One or more code pages are invalid, or the applicable conversion tables are not installed. |
None |
Component load failure |
There is a failure to load an extension component. |
Any component |
Compression by Unsupported Method |
A response compressed by an unsupported method (indicated in the HTTP Content-Encoding header) was received. Forefront TMG only supports GZIP compression. |
None |
Compression Failure |
Forefront TMG failed to compress the content of a response. |
None |
Compression Failure (Allocated Memory Exhausted) |
The compression filter cannot handle a response because the memory allocated for compression is in use. |
None |
Compression Failure (Decompression Failed) |
Forefront TMG was unable to decompress the content of a response. |
None |
Compression Failure (Filter Misconfiguration) |
The compression filters are configured incorrectly. Both filters must be in the same state, either enabled or disabled. |
None |
Concurrent TCP Connections from One IP Address Limit Exceeded |
The number of concurrent TCP connections allowed from an IP address is exceeded. |
None |
Configuration Agent Removed Overlapping Ranges (not relevant for Forefront TMG in the Essential Business Server scenario.) |
The Forefront TMG Configuration Agent has removed ranges from the included enterprise network, because they overlap with another array network. |
None |
Configuration changes cannot be loaded by Forefront TMG services (not relevant for Forefront TMG in the Essential Business Server scenario.) |
Forefront TMG fails to load the new configuration. When a new configuration is saved, Forefront TMG will renew its attempt to apply the changes. |
None |
Configuration Changes Overload (not relevant for Forefront TMG in the Essential Business Server scenario.) |
Continuous or excessive changes to the configuration are detected. This may indicate an attack on the Configuration Storage server. |
None |
Configuration error |
An error occurs while reading configuration information. |
None |
Configuration of SMTP Protection failed |
Forefront TMG failed to apply SMTP Protection configuration. |
None |
Configuration of SMTP Protection reapplied |
Unexpected changes found in Exchange Edge configuration. Forefront TMG reapplied SMTP Protection. configuration. |
None |
Connection Limit Exceeded |
A user or an IP address exceeds its connection limit. |
None |
Connection Limit for a Rule was Exceeded |
The number of connections per second allowed for a rule was exceeded. |
None |
Connectivity Restored |
Forefront TMG successfully re-established connectivity to the requested server. |
None |
Credentials Delegation Failure |
Forefront TMG attempts to delegate credentials, but the published Web site rejects the credentials. |
None |
Credentials Delegation Using Kerberos Constrained Delegation Failure |
Forefront TMG fails to delegate credentials when using Kerberos constrained delegation to a published Web site. |
None |
Cross-Array Link Translation Configuration Inconsistency (not relevant for Forefront TMG in the Essential Business Server scenario.) |
Cross-array link translation includes this array. However, link translation is disabled at the array level. Links to this array will not be translated and will be broken. |
None |
Definition Update Process Stopped |
The definition update process was cancelled before it completed. |
None |
Definition Updates and Telemetry Unavailable Through Local Host Network |
Definition updates and telemetric data cannot be sent through the Local Host network because the network is not enabled for Web proxy connections. For instructions, see Enabling a network to receive Web proxy requests. |
None |
Definition Updates Available |
New definition updates are available for the server. |
None |
Definition Updates Available But Could Not Be Installed |
New updates are available but cannot be installed. Check whether the evaluation period has expired. If it has, check that there is a valid license for updates. Check that the Firewall service is running. |
None |
Definition Updates Checking Failed |
The check for updates cannot be completed. |
None |
Definition Updates Installed |
Updates were installed successfully. |
None |
Definition Updating Failed |
An error occurred during definition update checking or downloading. |
None |
Denied Connections per Minute from One IP Address Limit Exceeded |
The number of denied connections per minute allowed from one IP address was exceeded. |
Denied connections per minute from one IP address limit exceeded |
DHCP Anti-Poisoning Intrusion Detection Disabled |
The DHCP anti-poisoning intrusion detection mechanism is disabled. |
None |
Dial-on-demand failure |
There was a failure to create a dial-on-demand connection, because there is no answer or the line is busy. |
None |
Different MTU sizes of ISP links |
The maximum transmission units (MTUs) of the network adapters associated with the ISP links %1 and %2 are equal to %3 and %4, respectively. The smaller MTU will be used for the both links. For best system performance, we recommend that you use network adapters of the same type for both ISP links. |
None |
Different offload capabilities of ISP links |
The offload capabilities of the network adapters associated with the ISP links are not equal and will be disabled. For best system performance, we recommend that you use network adapters of the same type for both ISP links. |
None |
DNS Intrusion |
A host name overflow, length overflow, or zone transfer attack occurs. |
All DNS intrusions |
DNS Zone Transfer Intrusion |
A zone transfer attack occurred. |
DNS zone transfer intrusions |
Event Log Failure |
There was a failure to log the event information to the system event log. This alert is disabled by default. |
None |
Fail to adjust MTU sizes |
Adjustment of the maximum transmission units (MTUs) of the network adapters associated with the ISP links %1 and %2 failed. Ascertain the MTUs of these network adapters manually and set both of them to the smaller MTU. |
None |
Firewall Communication Failure |
There was a failure in communication between the firewall client and the Forefront TMG server. |
None |
Forefront TMG Cannot Connect to the Configuration Storage server (not relevant for Forefront TMG in the Essential Business Server scenario.) |
The Configuration Storage server cannot be contacted. The local configuration was applied. |
None |
Forefront TMG Computer Restart is Required |
Configuration changes will only take affect after restarting the server. |
None |
Forefront TMG Switched Configuration Storage servers (not relevant for Forefront TMG in the Essential Business Server scenario.) |
Forefront TMG switched from one Configuration Storage server to the other due to a change in the configuration, connectivity issues, or Configuration Storage server availability. |
Any reason for switching between servers |
Forefront TMG VPN tunnel redistribution is recommended (not relevant for Forefront TMG in the Essential Business Server scenario.) |
VPN tunnels are not distributed evenly amongst all array members. |
None |
Free Disk Space Limit Exceeded |
The free disk space limit for log storage was exceeded. |
Free disk space limit exceeded |
FTP Filter Initialization Warning |
The FTP filter fails to parse the allowed FTP commands. Verify that the commands are stored in the correct format. Each command should be no more than four characters, and each command should be separated from the previous one with a space character. |
None |
Global denied packets rate limit |
The number of denied TCP and non-TCP packets per second exceeded the allowed limit. |
None |
Host ID assigned to this server is not valid (not relevant for Forefront TMG in the Essential Business Server scenario.) |
This server has the same host ID as another server. This is not a valid configuration. A valid host ID is unique to each server in the array, within the range 2–32. The Firewall service cannot start until the server is assigned a valid host ID. |
None |
HTTP Requests from One IP Address Limit Exceeded |
The number of HTTP requests per minute from one IP address exceeded the specified limit. |
HTTP requests from one IP address limit exceeded |
HTTPS Inspection Configuration Not Loaded |
The HTTPS inspection configuration settings could not be loaded. |
None |
Intra-Array Configuration Error (not relevant for Forefront TMG in the Essential Business Server scenario.) |
The Forefront TMG intra-array configuration is invalid. |
None |
Intrusion Detected |
An intrusion was attempted by an external user. |
Any intrusion |
Invalid Configuration Settings |
Configuration settings cannot be applied. |
Any failure |
Invalid CRL Found |
A client certificate was revoked due to an invalid or missing certificate revocation list (CRL). The CRL may have expired, and Forefront TMG is unable to download a valid CRL. Verify that the CRL download system policy configuration group is enabled and that there is connectivity to the CRL distribution points. |
None |
Invalid DHCP offer |
The DHCP offer IP address is not valid. |
None |
Invalid dial-on-demand credentials |
Invalid dial-on-demand credentials were detected. |
None |
Invalid network adapter configuration |
The network adapter is configured with several IP addresses that belong to several networks. This is an invalid configuration. |
None |
IP Spoofing |
The IP packet source address is not valid. |
None |
IPsec Configuration Update Failure |
IPsec traffic cannot be processed because of a configuration error. |
None |
IPsec Traffic Blocked |
IPsec configuration settings cannot be applied and the traffic is blocked. |
None |
IPsec Traffic Configuration Recovery |
A problem preventing setting of the configuration required for processing incoming IPsec traffic was resolved. |
None |
ISP link address missing |
No IP address configured on a network adapter of the Forefront TMG computer in the External network can be associated with the ISP link. |
None |
ISP link is active |
ISP link is active. |
None |
ISP link is available |
ISP link is detected to be available. |
None |
ISP link is unavailable |
ISP link is detected to be unavailable. |
None |
LDAP Server Recovered |
The connection to the LDAP server is restored. |
None |
LDAP Server Unavailable |
The LDAP server requested did not respond. |
None |
License Expired |
The expiration date of the license required to update malware definitions has passed. |
None |
License Nearing Expiration |
The expiration date of the license required to update malware definitions is approaching. |
None |
Link Translation Configuration Insecure |
The Web listener used in a Web publishing rule specifies an HTTP connection to clients, but the rule is configured with an HTTPS connection to the published server or Web farm. HTTPS links will be translated to HTTP links. |
None |
Link Translation Configuration Invalid |
One or more link translation mappings are invalid. Link translation mappings must be between 4 and 2,057 bytes. Invalid mappings are ignored. |
None |
Link Translation Redirection Unpublished Site Contains Invalid Character |
The URL of a site specified in the list of unpublished sites for link translation redirection contains one or more non-ANSI characters. |
None |
Link Translation Redirection Unpublished Site Length Invalid |
The length of the URL for a site specified in the list of unpublished sites for link translation redirection is invalid. |
None |
Local NLB Configuration Change (not relevant for Forefront TMG in the Essential Business Server scenario.) |
The Microsoft Firewall service identifies changes to the local Network Load Balancing (NLB) configuration or state. Changes to the NLB configuration or state are supported only through the Forefront TMG administrator. Any local changes will be overridden. |
None |
Log Deletion Failure |
Log deletion (attempted in accordance with configuration settings) fails. |
None |
Log Failure |
One of the service logs failed. |
Any Forefront TMG service |
Log formatting failure |
Log records cannot be stored in the designated format. |
Any Forefront TMG service |
Log Queue Store Usage Ended |
Log records in the queue were logged in the correct log format. |
None |
Log Queue Usage Started |
Log records are written to the log queue because the rate of log generation exceeds the rate of log formatting. |
None |
Log Storage Limits |
One or more of the log storage limits is reached. |
Any |
Logging Resumed |
One of the services resumed logging following a previous failure. |
Any Forefront TMG service |
Low Non-Paged Pool |
The size of the free non-paged pool fell below the system-defined minimum. |
None |
Low Non-Paged Pool Recovered |
The size of the free non-paged pool exceeds the system-defined minimum. |
None |
Malware Inspection Available Disk Space Exceeded |
The temporary storage required for malware inspection exceeded the available disk space. Requests that trigger this alert are blocked. |
None |
Malware Inspection Client Disk Space Limit Exceeded |
The disk space limit set per client was exceeded. Requests that trigger this alert are blocked. |
Any Client Limit |
Malware Inspection Content Download Timed Out |
Content passed inspection but the client did not click the Download button on the progress notification page within the allotted time. |
None |
Malware Inspection Definitions Loaded |
Definitions were loaded successfully. |
None |
Malware Inspection Definitions Not Loaded During Update |
Definitions for malware inspection could not be loaded from the new definitions folder. |
None |
Malware Inspection Definitions Not Loaded When Definitions Folder is Not Defined |
Definitions for malware inspection could not be loaded because the current definitions folder is defined. |
None |
Malware Inspection Definitions Not Loaded When Service Starts |
Definitions for malware inspection could not be loaded from the current definitions folder. |
None |
Malware Inspection Definitions Outdated |
Definitions are older than the recommended age. This may be caused by an expired license or a connection problem. |
None |
Malware Inspection Deletion of Outdated Definitions Failed |
The folder containing outdated definitions cannot be deleted. The Malware Inspection Filter will attempt to delete the folder again when the Firewall service restarts. |
None |
Malware Inspection Detected Attempted Content Theft |
A client attempted to retrieve content that it did not originally request. |
None |
Malware Inspection Disabled Globally |
Malware inspection is enabled on at least one rule, but is not enabled globally. For more information, see Configuring global malware inspection settings. |
None |
Malware Inspection Filter Detected Malware |
Malware was detected. The detected content was either removed or blocked. |
None |
Malware Inspection Progress Notification Template Not Loaded |
The template used for client progress notification for specific content types cannot be found. |
None |
Malware Inspection Storage Limit Exceeded |
The amount of disk space allocated for temporary storage of files during the malware inspection process has been exceeded. Requests that trigger this alert are blocked. |
None |
Malware Inspection Temporary Storage Folder Access Error |
The temporary storage folder cannot be accessed or does not exist. |
None |
Malware Inspection Temporary Storage Folder Created |
The temporary storage folder was successfully created. |
None |
Microsoft Update Currently Not Used |
Malware definition updates cannot be applied because the server is not configured to use Microsoft Updates. For more information, see Configuring connectivity to update sites. |
None |
Misconfigured Alert |
An alert definition contains an invalid property. |
None |
Multiple IP addresses for ISP link |
More than one IP address configured on a network adapter of the Forefront TMG computer in the External network can be associated with the ISP link. |
None |
NAT Address Selection Ambiguity |
More than one NAT IP address is specified for a network entity in a network rule. |
None |
NAT Address Selection Empty |
No NAT IP address is specified for a network entity in a network rule. |
None |
Network configuration changed |
A network configuration change that affects Forefront TMG is detected. |
Any network configuration change Adapter enabled Adapter disabled IP added or removed Network connected Network disconnected Network addresses modified |
Network Inspection System Selected Signature Set Loading Failure |
The local array is configured to use a selected signature set instead of the latest signature set retrieved by Forefront TMG, but Network Inspection System will use the latest signature set because the selected signature set could not be loaded. |
None |
Network Inspection System signature set caused Microsoft Firewall Service failure. |
The Firewall service failed to load a network inspection system signature set. In order to protect the system, the Microsoft Firewall Service will not attempt to load this signature set again. |
None |
Network Inspection System Signature Set Loading Failed |
Network Inspection System failed to load the current signature set because the current signature set file is missing or is corrupted. |
None |
Network Inspection System Signature Set Loading Succeeded |
Network Inspection System succeeded to load the current signature set. |
None |
Network Inspection System Update Required |
Network Inspection System installed a new signature set because a required Forefront TMG update has not been installed. |
None |
NIS Blocked Traffic Matching a Known Signature |
The Network Inspection System blocked traffic because it matched the signature. |
None |
NIS Blocked Traffic with Protocol Anomaly |
The Network Inspection System detected a protocol anomaly and blocked the connection. If you determine that the blocked traffic was legitimate, you may want to consider changing the protocol anomaly response to "Allow traffic". |
None |
NIS Detected Traffic Matching a known Signature |
The Network Inspection System detected traffic that matches the signature. The traffic was not blocked because the signature is set to Detect Only mode. Consider configuring this signature to Block mode. |
None |
NLB Configuration Cannot Be Removed |
Network Load Balancing configuration settings cannot be removed. |
None |
NLB configuration Failure (not relevant for Forefront TMG in the Essential Business Server scenario.) |
There is a failure to configure Network Load Balancing to work with Forefront TMG. |
None |
NLB Configuration Removed Successfully |
Network Load Balancing configuration settings removed successfully. |
None |
NLB Inconsistent Configuration Detected (not relevant for Forefront TMG in the Essential Business Server scenario.) |
Network Load Balancing inconsistency is found on some networks. Traffic might not be routed properly. |
None |
NLB is Draining and Stopping (not relevant for Forefront TMG in the Essential Business Server scenario.) |
Network Load Balancing is draining and stopping due to a request by the administrator. |
None |
NLB Possible Reduced Load Balancing Performance (not relevant for Forefront TMG in the Essential Business Server scenario.) |
Network Load Balancing performance may be impaired due to a failure to resolve a Web server name. |
None |
NLB Shutdown - Firewall Service Not Responding (not relevant for Forefront TMG in the Essential Business Server scenario.) |
Network Load Balancing on the local computer is stopped because the Firewall service has stopped responding. |
None |
NLB Shutdown - Firewall Service Stopped (not relevant for Forefront TMG in the Essential Business Server scenario.) |
Network Load Balancing on the local computer is stopped because the Firewall service is stopped. |
None |
NLB Started (not relevant for Forefront TMG in the Essential Business Server scenario.) |
Network Load Balancing on the local computer is started. |
None |
NLB Stopped - Configuration Failure (not relevant for Forefront TMG in the Essential Business Server scenario.) |
The Firewall service fails to apply Network Load Balancing configuration. NLB on the local computer will be disabled. |
None |
NLB Stopped - Network Adapter Problem (not relevant for Forefront TMG in the Essential Business Server scenario.) |
There is no suitable network adapter for Network Load Balancing on some networks. NLB on the local computer will be stopped. |
None |
NLB Stopped - NLB Integration Is Unavailable (not relevant for Forefront TMG in the Essential Business Server scenario.) |
Network Load Balancing integration cannot be configured on this server. |
None |
NLB Stopped - RRAS Service Not Responding (not relevant for Forefront TMG in the Essential Business Server scenario.) |
Network Load Balancing on the local computer is stopped because Routing and Remote Access is not responding. |
None |
NLB Stopped - VPN Static Address Pool Is Empty ((not relevant for Forefront TMG in the Essential Business Server scenario.) |
Network Load Balancing on the local computer is stopped because the VPN static address pool on this computer is empty. |
None |
NLB Stopped Manually (not relevant for Forefront TMG in the Essential Business Server scenario.) |
Network Load Balancing on the local computer is stopped manually by the administrator. |
None |
No Available Ports |
Network sockets are not created because there are no available ports. |
None |
No Connectivity |
Forefront TMG failed to establish a connection to the requested server. |
None |
Non-TCP Sessions from One IP Address Limit Exceeded |
The number of non-TCP sessions allowed from one IP address is exceeded. |
Non-TCP sessions from one IP address limit exceeded |
OS component conflict |
There is a conflict with one of the operating system components: IP network address translation (NAT) editor, Internet Connection Sharing (ICS), or Routing and Remote Access. |
Any operating system component conflict |
Oversized UDP packet |
Forefront TMG dropped a User Datagram Protocol (UDP) packet because it exceeds the maximum UDP packet size. For more information, see the Forefront TMG COM property: UdpBufferSize. |
None |
Pending DNS Requests Resource Usage Limit Exceeded |
The percentage of threads used for pending DNS requests out of the total number of available threads exceeds the system-defined maximum. |
None |
Pending DNS Requests Resource Usage Limit Within Limits |
The percentage of threads used for pending DNS requests out of the total number of available threads is now below the system-defined maximum, and connections that require DNS name resolution can be accepted. |
None |
POP Intrusion |
A POP buffer overflow is detected. |
None |
Propagate configuration change failed (not relevant for Forefront TMG in the Essential Business Server scenario.) |
A change to the configuration in the central storage cannot be propagated to the Forefront TMG computer. |
None |
Published server certificate expiration warning |
A certificate on a server published by Forefront TMG is nearing its expiration date. |
None |
Published Web Server Name Not Resolvable |
Forefront TMG cannot resolve the name of a published Web server. All requests handled by the Web published rule will be denied. |
None |
Quarantine Exit Request Discarded |
A VPN NAP client requested to exit quarantine using an invalid method. The request was discarded. |
None |
Quarantined VPN Clients Network Changes |
A user was removed from the Quarantined VPN Clients network. This alert is disabled by default. |
Quarantined user changed state |
RADIUS Server Recovered |
The connection to the RADIUS server was restored. |
None |
RADIUS Server Unavailable |
The RADIUS server requested did not respond. |
None |
Report Job Generation Failure |
An error occurred while generating a report job. |
None |
Report Summary Generation Failure |
An error is received while generating a report summary from log files. |
None |
Reporting Services - Service Initialization Failure |
This Forefront TMG server is defined as the active report server, but the following related service could not be started: service %1. This service is necessary for Forefront TMG reporting services. It is recommended that you review previous events for possible causes, and then start the service manually. |
None |
Reporting Services - Service Shutdown Failure |
This server is no longer the acting report server. However, the following related service could not be stopped: service %1. It is recommended that you stop the service manually because it is no longer required. If the service cannot be stopped, review previous events for possible causes. |
None |
Reporting Services Configuration Failure |
An error occurred while configuring SQL Server Reporting Services for Forefront TMG. |
None |
Resource Allocation Failure |
There is a resource allocation failure. For example, the system is out of memory. |
None |
Revert to Last Known Configuration Failed (not relevant for Forefront TMG in the Essential Business Server scenario.) |
The Forefront TMG Configuration Agent is unable to revert to the last known configuration. |
None |
Revert to Last Known Configuration Succeeded (not relevant for Forefront TMG in the Essential Business Server scenario.) |
The Forefront TMG Configuration Agent successfully reverted the configuration. |
None |
Routing (chaining) failure |
Forefront TMG failed to route the request to an upstream server. |
None |
Routing (chaining) recovery |
Forefront TMG resumed routing to an upstream server. |
None |
RPC Filter - Bind failure |
A remote procedure call (RPC) filter cannot use the defined port because it is already in use. |
None |
RPC Filter - connectivity changed |
Connectivity to the publishing RPC service changed. |
Any |
Server Publishing Failure |
The server publishing rule is configured incorrectly. |
Incorrect rule configuration |
Server publishing is not applicable |
The server publishing rule cannot be applied. |
Rule cannot be applied |
Server Publishing Recovery |
The server publishing rule can now be applied. |
None |
Service Initialization Failure |
There is a service initialization failure. |
Any Forefront TMG service |
Service not responding |
A Forefront TMG service terminates or stops functioning unexpectedly. |
Any Forefront TMG service |
Service Shutdown |
A service has stopped gracefully. |
Any Forefront TMG service |
Service Started |
A service started gracefully. |
Any Forefront TMG service |
SIP calls quota exceeded |
SIP calls quota exceeded, new calls will be dropped |
None |
SIP filter initialization failure |
The SIP application filter failed to initialize |
None |
SIP registration quota exceeded |
SIP registration quota exceeded, new registration requests will be dropped |
None |
Slow Connectivity |
Forefront TMG encountered a slow connection to the requested server. |
None |
SMTP filter encountered an invalid bare CR or LF |
Bare carriage return/line feed (CR/LF) may pose a security risk. The connection has been terminated. |
Bare CR/LF terminator |
SMTP filter encountered an invalid DATA terminator |
Some character combinations in DATA may pose a security risk. The connection has been terminated. |
Invalid DATA termination |
SMTP Filter event |
A SMTP command rule is violated. |
Any |
SOCKS configuration failure |
The port specified in SOCKS properties is in use by another protocol. |
None |
SSL connection failure with published server (name mismatch) |
Forefront TMG failed to establish an SSL connection with a published server. There is a name mismatch. |
None |
SSL connection failure with published server (no trust) |
Forefront TMG failed to establish an SSL connection with a published server. There is a domain trust issue. |
None |
SSL connection failure with published server (server certificate not valid) |
Forefront TMG failed to establish an SSL connection with a published server. A server certificate is not valid. |
None |
SSL connection failure with published server (unknown reason) |
Forefront TMG failed to establish an SSL connection with a published server. |
None |
SYN attack |
Forefront TMG detects a SYN attack. |
None |
TCP connections per Minute from One IP Address Limit Exceeded |
The number of TCP connections per minute allowed from one IP address was exceeded. |
None |
The Configuration Agent Has Restored Its Connection with the Configuration Storage Server (not relevant for Forefront TMG in the Essential Business Server scenario.) |
The Configuration Agent restored its connection to the Configuration Storage server. Changes made during the disconnection time were applied to the service. |
None |
The configuration was reloaded (not relevant for Forefront TMG in the Essential Business Server scenario.) |
The configuration reloaded. The Configuration Agent recovered from the error and successfully reloaded the configuration information. |
None |
The response was rejected because a compressed response was not requested |
The response was rejected because a compressed response was not requested. Forefront TMG blocked compressed HTTP responses when it did not request compression. |
None |
Total log size limit exceeded |
The log storage total size limit was exceeded. |
None |
Traffic Blocked |
A configuration failure occurred and all traffic is being blocked by the Firewalls service. |
None |
Undefined account for intra-array authentication (not relevant for Forefront TMG in the Essential Business Server scenario.) |
For intra-array authentication when array members are in a workgroup, the intra-array account must be defined and enabled. Some features, such as VPN, Cache Array Routing Protocol (CARP), and reporting, will not work unless the intra-array account is properly configured. |
None |
Unregistered event |
An unregistered event is raised. |
None |
Unresolvable remote gateway address on a VPN network |
A remote gateway address specified for a VPN site-to-site network cannot be resolved. As a result, a VPN connection cannot be established to the remote network. |
None |
Unresolvable Server Name |
A server name cannot be resolved to an IP address. |
None |
Update Center - Updates Not Installed |
Protection mechanisms did not install updates. |
None |
Update Center Required Service Not Started |
The Update Center cannot obtain updates because the Microsoft c Job Scheduler service is not started. |
None |
Upload New Configuration to Services Failed (not relevant for Forefront TMG in the Essential Business Server scenario.) |
The Forefront TMG Configuration Agent is unable to upload the configuration to the Forefront TMG services. |
None |
Upstream chaining credentials |
The upstream chaining credentials are incorrect. |
None |
URL Categorization Server Down |
URL Categorization Server Down |
None |
URL Categorization Server Paused |
URL Categorization Server Paused |
None |
URL Categorization Server Up |
URL Categorization Server Up |
None |
VPN Connection Failure |
VPN client connection attempt fails. |
None |
VPN Connection Request Policy Updated |
The connection request policy was updated. The new policy may interfere with the NPS (RADIUS) service for other RADIUS clients. |
None |
Web Farm Servers Unavailable |
A Web published rule stopped forwarding requests to a Web farm because there are currently no servers in the Web farm that can accept requests. |
None |
Web filter cannot process content larger than 4GB |
A Web filter cannot process content larger than 4GB. As a result content larger than 4GB will be blocked by the proxy. To enable processing of content larger than 4GB either disable the Web filter, or upgrade to a newer version which can process content larger than 4GB, if one exists. |
None |
Web Filter Not Registered |
The Web filter is not registered on this server. |
None |
Web Proxy Filter Bind Socket Recovery |
A problem preventing the Web Proxy filter from binding its sockets was resolved. |
None |
WFP Filter Conflict Detected |
Windows Filtering Platform (WFP) filters were detected and may cause policy conflicts. |
None |
WFP Sub-Layer Includes Unexpected Filters |
Unexpected filters are registered to the WFP sub-layers. This may indicate a malicious filter provider. |
None |
Windows NLB Is Not Installed (not relevant for Forefront TMG in the Essential Business Server scenario.) |
Network Load Balancing is not installed on this computer. NLB configuration cannot be applied or monitored. |
None |
Windows User-Based Policy in Workgroup (not relevant for Forefront TMG in the Essential Business Server scenario.) |
The applied policy contains one or more policy rules specifying Windows-based user authentication. The Forefront TMG array is in a workgroup. Windows-based user authentication cannot be applied to an array in a workgroup. |
None |
WMI Service Connection Was Lost (not relevant for Forefront TMG in the Essential Business Server scenario.) |
The connection to the Microsoft Windows Management Instrumentation (WMI) service was lost. For NLB to function properly, a continuous connection to the WMI service is required. When the Firewall service is restarted, NLB will restart. |
None |