When using Forefront TMG with the SCOM monitoring system, we have come across the following alert: 'The number of TCP connections allowed from a specific source IP address exceeded the configured limit'. Looking into this, the alert is usually raised when malware has found its way onto an end user's machine and is trying to send a barrage of TCP requests. To troubleshoot it, do the following:

  1. Log on to the server that hosts the Forefront TMG console.
  2. Open the console and go to the Monitoring tab.
  3. In monitoring you should see the alert.
  4. Click on the alert and look for the IP address in the description.
  5. From a command prompt, run nslookup against the IP address to find the machine name.
  6. Once you have the machine name, go to the machine and run a full virus scan.
  7. Hopefully the malware is picked up by the scan and the issue is now fixed.
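
Steps 4 and 5 can be scripted. The following PowerShell is an added example, not part of the original post: it pulls the IPv4 address out of pasted alert text, does the same reverse lookup as nslookup, and then checks that the returned name still resolves back to that address, since a stale DNS record would send you to the wrong machine. The alert wording, the address `192.0.2.45` and the function name `Get-AlertSourceHost` are constructed for illustration.

```powershell
# Constructed sample: description text pasted from the alert on the Monitoring tab.
# Real alert wording may differ; only the IPv4 address in it matters here.
$alertText = @'
The number of TCP connections allowed from a specific source IP address exceeded the configured limit. Source IP: 192.0.2.45
'@

function Get-AlertSourceHost {
    param([Parameter(Mandatory = $true)][string]$Description)

    # Collect every distinct dotted-quad string found in the description.
    $candidates = [regex]::Matches($Description, '\b(?:\d{1,3}\.){3}\d{1,3}\b') |
        ForEach-Object { $_.Value } | Sort-Object -Unique

    foreach ($ip in $candidates) {
        # Skip strings that look like an address but are not valid (e.g. 999.1.1.1).
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) { continue }

        $result = New-Object PSObject -Property @{
            IP = $ip; HostName = $null; ForwardConfirmed = $false; Note = ''
        }
        try {
            # Reverse (PTR) lookup, the same query "nslookup <ip>" performs.
            $result.HostName = [System.Net.Dns]::GetHostEntry($parsed).HostName
        } catch {
            $result.Note = 'No PTR record; check DHCP leases for this address'
            $result
            continue
        }
        try {
            # Forward lookup: does the name still map to the alerting address?
            $forward = @([System.Net.Dns]::GetHostAddresses($result.HostName) |
                ForEach-Object { $_.IPAddressToString })
            $result.ForwardConfirmed = $forward -contains $ip
            if (-not $result.ForwardConfirmed) {
                $result.Note = 'Name now resolves to ' + ($forward -join ', ') + '; DNS record may be stale'
            }
        } catch {
            $result.Note = 'Forward lookup failed for the returned name'
        }
        $result
    }
}

Get-AlertSourceHost -Description $alertText |
    Format-Table IP, HostName, ForwardConfirmed, Note -AutoSize
```

If `ForwardConfirmed` is false, confirm which machine held the address at the time of the alert before running the scan in step 6.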

Hope this helps!