5 Important Tools for Troubleshooting Forefront Threat Management Gateway TMG 2010
Beginning with Forefront Threat Management Gateway (TMG) 2010, the native management console includes some valuable troubleshooting tools. These include configuration change management, traffic simulator, connectivity testing, and low-level diagnostic logging. While all of these features make troubleshooting Forefront TMG-related issues easier, they are by no means a complete set of tools. In this article I’ll share with you my 5 favorite non-integrated utilities that I frequently take advantage of when called upon to troubleshoot issues related to Forefront TMG 2010. So, here’s a look at 5 of the most commonly used tools in my Forefront TMG 2010 troubleshooting toolbox.
Best Practices Analyzer
The Forefront TMG 2010 Best Practices Analyzer (BPA) is often the first tool I reach for when troubleshooting any kind of issue on the Forefront TMG 2010 firewall. The TMG BPA is an essential tool that allows the administrator to quickly assess the overall health of the TMG firewall and often identify and get important information that can be used to resolve those issues. The BPA allows me to quickly detect configuration issues and identify settings that don’t conform to Microsoft best practices. It also provides me with a nice sanity check to ensure that I haven’t overlooked something during my initial configuration check. Often this level set serves as an important baseline for testing as I begin to use other tools to performer deeper analysis of the firewall. All that’s required to execute a health check using the BPA is to specify a label for the scan and specify a domain controller. You can choose to perform a basic health check, which includes scanning the hardware and operating system, along with the TMG installation and configuration. Optionally you can choose to execute all tasks, which includes generating an ISAInfo report and exporting the TMG configuration. This is especially helpful for performing remote analysis of a TMG installation.
Once complete you can view the results and work to resolve any issues identified by the BPA. You can view the results broken down by critical issues, all issues, and informational items. Clicking on one of the error or warning messages provides additional details about the message along with a link to additional detailed information about how to resolve the particular error message.
The TMG Best Practices Analyzer also includes a tool called the Data Packager which is helpful for collecting additional detailed configuration information as well as collecting logging and tracing data while reproducing an issue. You’ll find the Forefront TMG Data Packager in the folder on the Start Menu with the BPA.
You can download the Microsoft Forefront TMG 2010 Best Practices Analyzer here.
At its core, Forefront TMG 2010 is a routing firewall designed to control access to and between its connected networks. The bulk of troubleshooting I have found often necessitates looking at the network traffic on the wire for clues as to why the TMG firewall is not functioning as expected. For this, a protocol analyzer is required and the tool of choice for TMG is the Microsoft Network Monitor. If you’re familiar with protocol analyzers, you may be tempted to install Wireshark, which is a popular tool and one that I use frequently. I typically use Wireshark myself for data analysis, as I’ve used this tool much longer than I have the Microsoft version. However, when you are installing the protocol analyzer on the TMG firewall itself, which is often required, I don’t recommend installing Wireshark because it is a third-party tool and has been known to cause conflicts with TMG and also miss data due to compatibility issues with TMG. In addition, you may find that TMG is unsupported with Wireshark installed, and if you open a support case to solve your issue, the Microsoft support engineer is sure to ask you to remove it.
Network Monitor has one distinct advantage over Wireshark in that it has the ability to break out network communication by process, which is tremendously helpful when looking at network traffic on the TMG firewall. Here you can see that I’ve filtered for traffic generated only by wspsrv.exe.
Be advised that a protocol analyzer is not for the faint of heart. Viewing data using a protocol analyzer is only helpful if you have a deep understanding of network communication from layer 2 to 7. Also, if you launch the Network Monitor and don’t see any network interfaces to capture on, close the window and open it again, this time running as an administrator.
You can download Microsoft Network Monitor here.
TCPView is a network diagnostic tool that is included with the Sysinternals suite of Windows utilities. It displays highly detailed information about all TCP and UDP endpoints, including local and remote addresses and ports, the calling process, the state of the connection, and the number of packets and bytes sent and received. It is similar to the native Netstat tool included with the Windows operating system, but provides additional information and more importantly displays it in an intuitive graphical user interface. I find this tool invaluable for troubleshooting port exhaustion issues that are common on heavily utilized TMG firewalls. It is also helpful for troubleshooting port conflict issues that often arise in web and server publishing scenarios.
The TCPView download also includes a command-line version that, while functionally similar to Netstat, does provide additional information. Also, TCPview is a portable executable and does not permanently install anything on the TMG firewall, so it is safe to run on a production system at any time.
You can download TCPView here.
Performance Analysis of Logs (PAL)
The native Performance Monitor (perfmon) tool included with the operating system is great for performing data collection and analysis when troubleshooting performance related issues on the TMG firewall. However, knowing specifically which objects and counters to observe, and more importantly if the information observed is within acceptable parameters, is extremely difficult even for the most experienced TMG firewall administrators. Here, the Performance Analysis of Logs (PAL) tools is invaluable. This powerful tool is designed to quickly gather the appropriate data for a given workload and generate detailed reports with intuitive output designed to highlight any thresholds that are close to or have been exceeded. You can choose to evaluate the general performance health of your TMG firewall using the system overview option, or you can gather detailed information about TMG performance using the Forefront TMG 2010 template.
Detailed, prescriptive guidance for installing and using PAL to collect data and generate reports on the Forefront TMG firewall can be found here and here. PAL requires that the Microsoft Chart Controls for .NET Framework 3.5 be installed prior to installing pal, which can be downloaded here.
You can download Performance Analysis of Logs (PAL) here.
Fiddler is a free client-side web debugging proxy that can be helpful when troubleshooting outbound web proxy requests handled by a TMG firewall as well as for troubleshooting web applications published by Forefront TMG. Although primarily designed for developers, TMG administrators will find this tool useful for peering in to the application layer communication that takes place between the client endpoint and the target web server. Often I have been successful in resolving web page rendering issues by observing where the web browser client is attempting to communicate to. For example, you’ll notice here that loading the main page at http://tmgblog.richardhicks.com/ not only retrieves content from wordpress.com, which is where the site is hosted, it also makes requests for contents from twitter.com, linkedin.com, and quantserve.com. Notice also that by highlighting an individual request and selecting the statistics tab you can obtain granular, detailed performance information for the web request, which is helpful when diagnosing slow page loading issues. Selecting the inspectors tab will provide a deep view in to the headers, authentication data, cookies, and much more. Fiddler also allows for the manipulation of client requests to be sent to the server, which is also handy for testing how the TMG firewall responds in certain scenarios.
Fiddler can be downloaded here.
When called to troubleshoot operational or performance related issues on the Forefront TMG 2010 firewall, the tools I’ve highlighted in this month’s article are some of the first utilities I reach for. This list is by no means comprehensive either. Don’t forget that native Windows tools like Perfmon, Netsh, PowerShell, NSLookup, and IPsecmon are commonly used too. In addition, the third-party Nmap port scanner has proven invaluable to me over the years to generate traffic and query remote systems in an effort to resolve connectivity issues. No doubt there are countless more utilities that make TMG troubleshooting easier too, but most TMG administrators would do well to learn the tools I’ve share here in an effort to streamline the process of troubleshooting the TMG firewall.