
I had a similar problem when I first installed EBS and found that it was DNS resolution that was extremely slow. It was caused by flood mitigation settings in TMG. I found that adding the Messaging and Management servers to the exclusion list for flood mitigation and increasing the MAX connections settings per minute per IP and MAX concurrent UDP sessions per IP address resolved the problem. Have a look at your Flood Mitigation settings in the Firewall policy section of TMG.

Hi,
As I said before, you have made the common mistake in your TMG configuration: you have declared the internal DNS (your domain controller) as a DNS server on the internal NIC of the TMG, and you have the external NIC (the one connected to the internet router) that receives DNS servers from the router...
If the internal DNS server is unable to resolve external DNS names, then your TMG configuration is bad!
What probably happens is that when your TMG needs to reach a web page, it first has to resolve the URL to an IP address. For that, TMG asks DNS servers to resolve it. What you probably don't know is that the DNS client service on Windows is unable to know which DNS to interrogate... if you have DNS servers on one NIC and other DNS servers on another NIC, the DNS client service manages the DNS list as a single list... so to resolve a name it will just take the first DNS server in the list and try to interrogate it. If the first DNS in the list is the internal one, and if this DNS server is not able to resolve external names, the resolution will fail and after many tries ISA may use the next DNS server in the list...
That is probably what makes the Internet access seem so slow!
If your TMG server is not a member of the domain, it doesn't need to resolve internal DNS names, so in this case you must remove any internal DNS server from the NIC configuration. Your TMG server should only interrogate external DNS servers.
If your TMG server is a member of the AD domain, then you should modify your DNS architecture so that TMG only interrogates the internal DNS server (you can go to the external NIC configuration to force DNS servers instead of using DHCP). Then you must make things so that your internal DNS servers are able to retransmit requests to an external DNS server (by adding a DNS forwarder, for example).
What you can also do, and what I usually do when I install ISA or TMG, is to install the "DNS Server" Windows component on the TMG server. Configure this DNS Server with no DNS zone but ONLY DNS forwarders, as follows:
One conditional DNS forwarder for the DNS suffix of your internal domain that redirects requests to the IP addresses of the internal DNS.
One unconditional DNS forwarder that redirects any other request to the IP addresses of the external DNS servers.
Finally, in the IP configuration of the NICs of the TMG server you ONLY indicate the IP address of the TMG server as the ONLY DNS server to interrogate; remove any other DNS server address.
Doing it like that, when TMG has to resolve a DNS name to reach a URL, it interrogates its own DNS service. This DNS service will redirect the request to the internal DNS servers if the requested DNS name ends with the DNS suffix of the internal domain, or will redirect the DNS request to the external DNS server in any other case.
By the way, you should really avoid DHCP configuration on any NIC of a TMG server... About the external NIC of the TMG, you should statically configure an IP address that matches the IP range of the router and configure the gateway manually.
Have a good day.

Hi,
Ok, here is a method to make sure that TMG interrogates the internal DNS for internal name resolution and the external DNS for external name resolution:
First of all, on the TMG server, in a CMD prompt type the command IPCONFIG /ALL. Note the IP configuration of the external NIC: the address, the mask and gateway, and of course the DNS servers that are given by the router.
Look at the DHCP range in the router configuration to see if there is a part of the IP subnet that is not distributed by DHCP, or check if you can add an exclusion, because the first step you need is to configure a static IP address on the TMG external NIC.
Then, on the TMG server, in Server Manager click on "Roles" and choose "Add Roles". Check the "DNS Server" role and proceed to install this component.
When the installation of the DNS Server role is finished, open the DNS console (in Administrative Tools).
In the left part of the DNS console, right-click on "Conditional Forwarders" and choose "New Conditional Forwarder".
In the "DNS Domain" field type the FQDN of your internal AD domain (ex: mydomain.local). Add the IP addresses of your internal DNS servers for your internal domain. Click "OK".
In the left part of the DNS console, right-click on the TMG server name and choose "Properties".
In the "Forwarders" tab, add the IP addresses of the external DNS servers (the IP addresses of the DNS servers that you noted before on the external NIC).
In the "Interfaces" tab, verify that only the internal IP address is linked to the DNS service. If necessary, uncheck the external NIC IP address so that the DNS service does not listen to DNS requests coming from outside.
After that, go to the IP configuration of the external NIC and configure a static IP address, mask and gateway, AND type 127.0.0.1 as the DNS server to interrogate (and NO other).
Go to the IP configuration of the internal NIC and remove all DNS servers and replace them with 127.0.0.1 only!
From a CMD console on the TMG server, use the PING command to ping an internal server or computer using its FQDN (ex: PING mycomputer.mydomain.local). Even if the PING gets no response (because TMG rules may refuse ICMP traffic) you should see that the PING command has resolved the DNS name and should say something like "Pinging mycomputer.mydomain.local [10.1.1.1]"...
Now, use PING to ping an external DNS name (ex: PING www.hp.com). Again, the PING command should have resolved the name...
The problem here is that if the DNS service on TMG is stopped, no DNS resolution can occur. I don't see any reason for the DNS service to stop without any human intervention... but you should be aware of that.
Have a good day.

Hi,
Sorry for my poor English. I think I often use bad sentences that are hard to understand.
About conditional forwarders, when you type the IP addresses of the DNS servers to which to retransmit the IP packets, the GUI tries to make a reverse DNS resolution to find the FQDN associated with the IP you typed. If reverse DNS resolution is not working, the GUI cannot find the name and might show a red icon. So don't think too much about that; you'll make some tests later to ensure all is OK.

About IP settings, you don't have to change anything on the domain controller.
On the TMG server, only the external NIC should have a default gateway, pointing to the router that connects you to the Internet. The internal NIC must not have any gateway, so you must leave it blank.
Again, in the TMG server IP settings, you remove any DNS server addresses on all NICs (leave blank) except on the internal NIC, where you configure only one DNS server, which must be 127.0.0.1. What we want to do here is that the TMG server only interrogates its own DNS service and no other. The DNS service will be in charge of transmitting the request to the next DNS server using the forwarders you have configured.
When you think that all is ready, take some time to test the DNS resolution like this:
1) Open a CMD console on the TMG server.
2) Empty the local DNS cache by typing the command IPCONFIG /FLUSHDNS.
3) Type the command NSLOOKUP.
4) At the nslookup prompt type SERVER 127.0.0.1.
5) Type the FQDN of one internal computer or server and finish with a dot (example: myserver.mydomain.local.). Again, don't forget the dot at the end of the name. You should obtain the IP address of the internal computer. That validates the conditional forwarder for your internal domain.
6) Type the FQDN of one external web site and finish with a dot (example: www.microsoft.com.). You should obtain the IP address of one of the Microsoft web servers. That validates the unconditional forwarder.
Let me know about your tests and results. Don't hesitate to attach screenshots if necessary.
Have a good day.
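The forwarder-only DNS layout the posts above describe (conditional forwarder for the AD domain, unconditional forwarders for everything else, listen on the internal address only, 127.0.0.1 as the host's sole resolver, then the trailing-dot NSLOOKUP checks), scripted for the CMD prompt the posts use. This is an added example, not the poster's own steps: the NIC names "Internal" and "External", the 192.168.1.x external subnet, the 10.1.1.x internal addresses and the external DNS addresses are constructed placeholders, and it assumes Windows Server 2008 R2 where dnscmd and the ServerManager PowerShell module are available.

```batch
@echo off
REM Added example (not from the original posts): make the TMG host a
REM forwarder-only DNS server and test it. Every address and NIC name
REM below is a constructed placeholder; adjust before running as admin.
setlocal
set "INT_NIC=Internal"
set "EXT_NIC=External"
set "INT_DOMAIN=mydomain.local"
set "INT_DNS=10.1.1.1"
set "INT_IP=10.1.1.2"
set "EXT_IP=192.168.1.2"
set "EXT_MASK=255.255.255.0"
set "EXT_GW=192.168.1.1"
set "EXT_DNS=192.168.1.1 198.51.100.53"

REM 1) Static address and gateway on the external NIC: no DHCP on TMG.
netsh interface ipv4 set address name="%EXT_NIC%" source=static address=%EXT_IP% mask=%EXT_MASK% gateway=%EXT_GW%

REM 2) Install the DNS Server role (no zones will be created on it).
powershell -NoProfile -Command "Import-Module ServerManager; Add-WindowsFeature DNS"

REM 3) Conditional forwarder: names under the AD domain go to the internal DNS.
dnscmd /ZoneAdd %INT_DOMAIN% /Forwarder %INT_DNS%

REM 4) Unconditional forwarders: every other name goes to the external DNS servers.
dnscmd /ResetForwarders %EXT_DNS%

REM 5) Bind the DNS service to the internal address only (the "Interfaces" tab),
REM    so nothing on the Internet side can query it.
dnscmd /ResetListenAddresses %INT_IP%

REM 6) The host resolves only through its own DNS service: 127.0.0.1 on the
REM    internal NIC, no DNS server at all on the external NIC (last post's layout).
netsh interface ipv4 set dnsservers name="%INT_NIC%" source=static address=127.0.0.1 validate=no
netsh interface ipv4 set dnsservers name="%EXT_NIC%" source=static address=none validate=no

REM 7) Test as the posts do: flush the cache, then query 127.0.0.1 with a trailing
REM    dot so the suffix search list is not appended. The first query proves the
REM    conditional forwarder, the second the unconditional forwarders.
ipconfig /flushdns
nslookup -type=A myserver.%INT_DOMAIN%. 127.0.0.1
nslookup -type=A www.microsoft.com. 127.0.0.1
endlocal
```

If the internal lookup fails while the external one works, the conditional forwarder or the internal DNS address is wrong; if both fail, check that the DNS Server service is running, since the posts note that nothing resolves while it is stopped.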
