By default, Microsoft Forefront TMG writes a large amount of logging data for the Web proxy and Firewall services into a local Microsoft SQL Server 2008 SP1 Express instance. These logs help Firewall administrators create Firewall policy rules and investigate why some legitimate traffic is being blocked, or why traffic that should be blocked is being allowed. For general information about the health of the Forefront TMG Server you can use the Forefront TMG dashboard and the Windows event logs. For more advanced logging you can use the built-in Diagnostic Logging in Forefront TMG, which collects more detailed information. If that is still not enough, you can turn to the more advanced tools that ship with the well-known Microsoft Forefront TMG Best Practices Analyzer (TMG BPA).
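As an added example (not code from the original article), the following PowerShell script shows how to look at the log data the paragraph above describes directly in the local SQL Server Express instance: it lists the TMG log databases and reports which firewall policy rules were matched most often, which is the question those logs are there to answer. It assumes (none of this is stated on the page) that the instance carries the default TMG name MSFW, that the log databases follow the ISALOG_<date>_WEB_000 / ISALOG_<date>_FWS_000 naming with tables WebProxyLog and FirewallLog, and that the script is run locally by an account allowed to read that instance. Save it as a .ps1 file before running it.

```powershell
# Added example, not part of the original article or of Forefront TMG itself.
# Assumptions: local SQL Express instance ".\MSFW" (default TMG name), log
# databases ISALOG_<date>_WEB_000 / ISALOG_<date>_FWS_000 with tables
# WebProxyLog / FirewallLog, run locally as an account that may read them.

param(
    [string]$Instance = '.\MSFW',
    [int]$Top = 10
)

function Invoke-TmgLogQuery {
    param([string]$Database, [string]$Sql)
    $conn = New-Object System.Data.SqlClient.SqlConnection
    # Integrated Security: the TMG instance is local, so use the caller's Windows identity.
    $conn.ConnectionString = "Server=$Instance;Database=$Database;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
        $table = New-Object System.Data.DataTable
        [void]$adapter.Fill($table)
        return $table
    } finally {
        $conn.Close()
    }
}

# TMG creates one database per day and per service; list them so you know which day you are looking at.
# "[_]" escapes the underscore, which is otherwise a single-character wildcard in T-SQL LIKE.
$dbs = Invoke-TmgLogQuery -Database 'master' -Sql "SELECT name FROM sys.databases WHERE name LIKE 'ISALOG[_]%' ORDER BY name"
Write-Host 'TMG log databases:'
$dbs | ForEach-Object { Write-Host ('  ' + $_.name) }

# Pick the newest Web proxy and Firewall database (names sort by date) and report the busiest rules.
$web = ($dbs | Where-Object { $_.name -like '*_WEB_*' } | Select-Object -Last 1).name
$fws = ($dbs | Where-Object { $_.name -like '*_FWS_*' } | Select-Object -Last 1).name

# "rule" is a reserved word in T-SQL, hence the square brackets around the column name.
if ($web) {
    Write-Host "Top $Top rules in $web (WebProxyLog):"
    Invoke-TmgLogQuery -Database $web -Sql "SELECT TOP $Top [rule], COUNT(*) AS hits FROM WebProxyLog GROUP BY [rule] ORDER BY hits DESC" |
        Format-Table [rule], hits -AutoSize
}
if ($fws) {
    Write-Host "Top $Top rules in $fws (FirewallLog):"
    Invoke-TmgLogQuery -Database $fws -Sql "SELECT TOP $Top [rule], COUNT(*) AS hits FROM FirewallLog GROUP BY [rule] ORDER BY hits DESC" |
        Format-Table rule, hits -AutoSize
}
```

Grouping by rule name rather than by a numeric action code keeps the query independent of how TMG encodes the allow/deny result in the SQL tables; if a rule you expected to see never appears, the traffic is being matched by another rule (or by the default deny rule), which is exactly the situation the logs are meant to uncover.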
The TMG BPA comes with the following tools (and some more):
- TMG Data Packager
- ISAInfo
- ISATRACE
- TMGBPAPack
In this article I will give you a high-level overview of these tools and how to use them, but first let us start with the built-in Diagnostic Logging in Forefront TMG.
You can start the Forefront TMG Diagnostic Logging feature from the Troubleshooting node in the Forefront TMG Management console, as shown in the following screenshot.
Figure 1: Forefront TMG Diagnostic Logging
Click Enable Diagnostic Logging to start the collection process.
Forefront TMG now starts collecting information from the TMG Server. Once you decide that enough data has been collected, you must disable Diagnostic Logging before the collected information is displayed.
As shown in the next screenshot, the Diagnostic Logging process collected additional information which may be enough to help you determine the cause of a problem with Forefront TMG.
Figure 2: Analyze Forefront TMG Diagnostic Logging
Forefront TMG Data Packager
If the built-in Diagnostic Logging of Forefront TMG isn’t enough, you can use the Forefront TMG Data Packager, which is part of the Forefront TMG Best Practices Analyzer. You will find the TMG Data Packager in the installation directory of the TMG BPA. Select the information you want to collect. We start with collecting static information; I will cover the repro mode later in this article when discussing the TMGBPAPack.
Figure 3: Forefront TMG Data Packager
It is possible to customize which information the TMG Data Packager should collect.
Figure 4: Forefront TMG Data Packager – Specify information to collect
After you start the data collection, it can take some time until the TMG Data Packager has collected all the information.
Figure 5: Forefront TMG Data Packager – Collecting data
When the collection process finishes you will find a .cab file with all the collected information in the directory you specified earlier. You can use this .cab file to archive the information or send it to Microsoft Product Support. If you want to analyze the collected information yourself, you have to use a tool that extracts the contents of the .cab file.
Figure 6: Forefront TMG Data package
The following screenshot shows the extracted .cab file. I will give you some examples of the content of the .cab file in the screenshots after it.
Figure 7: Content of Forefront TMG Data Packager
The TMG Data Packager collects information from the Forefront TMG Change Tracking feature, which records all changes made to the Forefront TMG configuration.
Figure 8: Forefront TMG Change tracking extracted from the TMG Data Packager
The TMG Data Packager also collects log information from the Web proxy and Firewall services of Forefront TMG.
Figure 9: Forefront TMG Data Packager – Firewall and Webproxy log
The next tool is ISAInfo. Most of you might be familiar with ISAInfo, which is available at www.isatools.org, a website hosted by Jim Harrison. In the ISA Server days ISAInfo was a very helpful tool for collecting information about your ISA Server machines. This tool is also included in the Forefront TMG Best Practices Analyzer.
Figure 10: Forefront TMG – ISAInfo is collecting data
Because the tool does not seem to have been fully redesigned for Forefront TMG, you will get some error message popups while the ISAInfo collection process is running, but you can ignore these messages.
Figure 11: Forefront TMG ISAInfo. Ignore warning message
ISAInfo creates two files: a log file with information from the ISAInfo tool itself and an XML file with all the information about your Forefront TMG Server.
Figure 12: Forefront TMG – ISAInfo log file
The next tool is ISATRACE. Beginning with ISA Server 2004 SP2 (if I remember correctly), Microsoft started to collect advanced ISA information in a .bin file on the local file system (ISALOG.BIN). The Forefront TMG Best Practices Analyzer contains a GUI tool which you can use to customize how much information is logged. You can find the tool in the directory named Tracing under the installation directory of the TMG BPA.
The tool allows you to select different Forefront TMG components such as the Firewall service, Web proxy service, Firewall Control Channel (client), User Interface and many more. It is also possible to change the default directory and the size of the ISATRACE log file.
Figure 13: Forefront TMG – “ISA” Release Bits tracking
The TMGBPAPack is also part of the Forefront TMG Best Practices Analyzer. It is a command-line tool very similar to the TMG Data Packager with some exceptions (the only difference I’m aware of is that this tool also collects network traffic with the help of Microsoft Network Monitor 3.3). If you enable Repro Mode, all network traffic will be captured into Netmon trace files.
Figure 14: Forefront TMG BPA Pack is collecting information
If Microsoft Network Monitor is not installed, the TMGBPAPack installs Microsoft Netmon 3.3 (the latest available version of Netmon is 3.4).
After you stop the Netmon trace, the TMGBPAPack creates a single .cab file on the Desktop. Extract it to the local file system and you will find one additional directory called NetworkCaptures, which contains the Netmon capture files.
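Both the TMG Data Packager and the TMGBPAPack hand you a .cab file that has to be extracted before you can look inside it. As an added example (not code from the original article or from the TMG BPA), the following PowerShell script extracts such a package with the expand.exe utility that ships with Windows, summarizes what it contains, and flags any Netmon capture files, since a repro-mode package holds raw network traffic and deserves a second look before it is archived or sent to support. The .cab path is supplied by you; the .cap extension for Netmon 3.x captures and the NetworkCaptures directory name are assumptions taken from the article's description, not something the script can verify in advance.

```powershell
# Added example, not part of the original article or of the TMG BPA tools.
# Usage: .\Expand-TmgPackage.ps1 -CabPath C:\path\to\package.cab
# Assumptions: expand.exe is present in System32 (it ships with Windows);
# Netmon 3.x captures use the .cap extension; the TMGBPAPack places them in a
# NetworkCaptures directory as the article describes.

param(
    [Parameter(Mandatory=$true)][string]$CabPath,
    [string]$Destination = (Join-Path $env:TEMP ('TMGData_' + (Get-Date -Format 'yyyyMMdd_HHmmss')))
)

if (-not (Test-Path $CabPath)) { throw "Cab file not found: $CabPath" }
New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# expand.exe -F:* extracts every file in the cabinet into the destination directory.
& "$env:SystemRoot\System32\expand.exe" -F:* $CabPath $Destination | Out-Null
if ($LASTEXITCODE -ne 0) { throw "expand.exe failed with exit code $LASTEXITCODE" }

$files = Get-ChildItem -Path $Destination -Recurse | Where-Object { -not $_.PSIsContainer }
Write-Host ("Extracted {0} file(s) to {1}" -f @($files).Count, $Destination)

# Summarize by file type so you can see at a glance what the package contains (logs, XML, captures, ...).
$files | Group-Object Extension | ForEach-Object {
    New-Object PSObject -Property @{
        Extension = $_.Name
        Files     = $_.Count
        MB        = [math]::Round((($_.Group | Measure-Object Length -Sum).Sum / 1MB), 2)
    }
} | Sort-Object MB -Descending | Format-Table Extension, Files, MB -AutoSize

# Repro-mode packages carry raw network traffic, which can include clear-text
# credentials and payloads. Flag the capture files so they are handled with care.
$captures = @($files | Where-Object { $_.Extension -eq '.cap' })
$captureDir = Join-Path $Destination 'NetworkCaptures'
if ($captures.Count -gt 0 -or (Test-Path $captureDir)) {
    Write-Host ("Network captures found: {0} .cap file(s). Review their contents before sharing this package." -f $captures.Count)
    $captures | ForEach-Object { Write-Host ('  ' + $_.FullName) }
} else {
    Write-Host 'No network captures in this package (static collection).'
}
```

Running the script against a package produced by the TMG Data Packager in static mode should report no captures, while a TMGBPAPack package created with Repro Mode enabled lists the .cap files you can then open in Network Monitor as described in the next step.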
Figure 15: Forefront TMG BPA Pack – collected Netmon traces
You can now use the installed version of Microsoft Network Monitor to analyze the Netmon capture files, as shown in the following screenshot.
Figure 16: Microsoft Netmon 3.3 trace of Forefront TMG traffic on the internal network interface
In this article I tried to show you how to use several helpful tools from Forefront TMG and the TMG Best Practices Analyzer to collect advanced information about the Forefront TMG configuration. I also went through the log files generated by Forefront TMG and the underlying Windows operating system. You can use this information for documentation purposes or to analyze problems with the TMG configuration. The collected data is also helpful for Microsoft if you open a case with their product support.