Overview of the TMG Firewall’s Troubleshooting Node
Of the many improvements seen in the TMG firewall over what we had in the ISA 2006 firewall, perhaps some of the most useful and “fun” are those found in the Troubleshooting node in the left pane of the TMG firewall console. However, the “fun” part of the Troubleshooting node is a bit of a two-edged sword. While it’s fun to work with the tools, the events that lead you to the Troubleshooting node usually mean that something has gone wrong, and that’s not usually very much fun at all.
Regardless of the fun factor, the fact is that the TMG firewall includes a number of useful troubleshooting tools that you can use right out of the box. In this article we’ll take a high level view of some of these tools, and in the future we will use these tools within the context of troubleshooting some TMG firewall issues.
You’ll find the Troubleshooting node in the left pane of the console, on the bottom of the node list. Click the Troubleshooting node to get started.
The Troubleshooting Tab
The first tab you will encounter is the Troubleshooting tab. The entries on the Troubleshooting tab provide you a collection of quick links to help you get to where you want to go. On this page you will see the following:
- Use the Best Practices Analyzer - When you click this option, the TMG Best Practices Analyzer will start. I highly recommend that all TMG firewall admins run the TMG BPA on a regular basis. It’s designed to find the most common TMG firewall configuration issues and will save you a lot of time when you’re trying to figure out whether you have the best security and performance configuration.
- View Forefront TMG Configuration Changes - When you click this option, you are taken to the Change Tracking tab where you can find information about what changes have been made to the firewall configuration over time.
- View Forefront TMG Alerts - When you click this link, it will open the Alerts tab in the TMG firewall console so that you can see any alerts that have been generated by the firewall.
- View Forefront TMG Logging - When you click this link, you will be taken to the logging area in the TMG firewall console. There you can do advanced queries on the TMG firewall logs and narrow down connectivity issues to and through the TMG firewall.
- Use the Traffic Simulator - When you click this link, you will be taken to the Traffic Simulator tab in the Troubleshooting node, where you can simulate a number of types of network traffic. This can help you determine what rule or rules might be causing connectivity issues.
- View Diagnostic Logging Events - When you click this link, you are taken to the Diagnostic Logging tab in the Troubleshooting node. Here you can query special diagnostic logging events after you enable the diagnostic logging feature in the TMG firewall console.
In the right pane of the console, you will see two interesting options that you might not have thought would be there:
- Remove Network Load Balancing Configuration - When you click this option, it will remove the NLB settings on the TMG firewall array. This is useful, because in the past you would have to run a script, which was hard to locate. Plus, you had to be aware of the script’s existence in the first place. It’s this kind of integration that makes the TMG firewall our firewall of choice over other firewalls.
- Configure E-mail Policy Configuration Integration - This option is enabled by default. When enabled, you allow the TMG firewall console to be the primary interface for configuring the Exchange Edge configuration and the Forefront for Exchange configuration. When it’s disabled, you will have to configure these technologies outside of the TMG firewall.
The Change Tracking Tab
When you click the Change Tracking tab, you can see change tracking entries. These entries describe changes that have taken place on the TMG firewall over time. While you might think this is a good way of performing change management, the TMG firewall team does not recommend that you approach the Change Tracking information in that way, because the information stored here is not in a protected space – which means that a malicious admin could potentially change the information here. Instead, think of the information in the Change Tracking tab as a way of seeing what changes were made on the TMG firewall, which might help in figuring out if someone made a change on the firewall that could lead to troubleshooting issues.
If you look at figure 4, you’ll see that several pieces of information are made available to you:
- The Date and Time of the change
- The user account that made the change
- Details of the change made
Notice the “+” sign for each of the entries. If you click that plus sign, you’ll see more information about the change made. You also have several filtering options:
- User name contains – use this if you want to filter the entries by the user who made the changes
- Entry contains – use this if you want to filter the information by strings that might be located in the change settings part of the entry
- Apply Filter – click this to apply the filter settings you created
- Show All – click this to show all the entries again after you applied a filter
In the right pane of the console, you will see that you have the Configure Change Tracking option. Click that to bring up the configuration options for Change Tracking.
In the Change Tracking dialog box, you have two options:
- Enable change tracking - Change tracking is enabled by default. If you want to disable it, you can remove the checkmark from the checkbox, as seen in figure 6. When Change Tracking is enabled, you can control how many entries you want tracked. The default is 1000. Be aware that the more entries you track, the more effect it will have on performance. The default value was determined to be the best balance of information usefulness and performance.
- Show prompt for a change description when applying configuration changes. This lets you back up the configuration before applying the change - This option is also enabled by default. When you save the firewall configuration, a dialog box will appear asking you for a comment to add to the change being made. In addition, it will ask you whether you want to back up the configuration before applying the changes to the firewall policy. If you don’t want this option, just remove the checkmark from the checkbox.
The Traffic Simulator Tab
On the Traffic Simulator tab, you have a number of options that allow you to test connectivity and match those with the rules that are currently configured on the TMG firewall. This is very helpful in troubleshooting issues with firewall rules and finding out whether any of the rules cause connections that you don’t want allowed to get past the firewall, or to help you find out why connections that you do want allowed past the firewall are not making it through.
You have a number of options on this page:
- Web access - Select this option if you want to investigate an issue with web access.
- Non-Web access - Use this option if you want to investigate an issue with non-HTTP/HTTPS connections.
- Web publishing - Use this option if you want to investigate an issue with a web publishing rule that isn’t doing what you want it to do.
- Server publishing - Use this option if you want to investigate an issue with a server publishing rule that isn’t doing what you want it to do.
Depending on the scenario, the Source Parameters options will change. In this example, we’ll select the Web access scenario. Then in the Source Parameters section, we’ll enter the source IP address of a host on the internal network. We’ll leave the Port setting as *. We’ll also configure the test so that traffic is sent from an anonymous user.
In the Destination Parameters section, we will enter the URL we want to test. In this example we’ll select http://www.microsoft.com. The Server will be the TMG firewall we are working on (it’s not an array member, so we don’t need to select which array member to test from). Also, we’ll put a checkmark in the Apply diagnostic logging to simulated traffic checkbox. This will provide us with more detailed information about the connection that is being tested.
Figure 8 shows the results of the test after we clicked the Start button. It shows that the traffic was allowed, and that the name of the rule that allowed the traffic was All Open. When you click the Additional Information “+” sign, you can see more information about the connection being tested, such as From, To, Network Rule Name, Network Relationship, Protocol, and Rule Application Filter.
Diagnostic Logging Tab
If you click the View Log button, it will take you to the Diagnostic Logging tab and show you the detailed diagnostic log entries for the connection being tested. This view gives you a very detailed account of what the TMG firewall is doing when evaluating the request.
Figure 10 shows you what appears in the right pane of the TMG firewall console. Here you can Enable Diagnostic Logging and Delete the Diagnostic Log. You would enable diagnostic logging manually if you wanted to test some other scenarios that aren’t part of the Traffic Simulator. When you are finished testing, you would disable the Diagnostic Logging, and then look at the log entries to see if you could figure out what the problem might be. Note that after you have finished your investigation, you should delete the diagnostic log in order to free up disk space.
The Connectivity Test Tab
The last tab is the Connectivity Test tab. Here you can perform basic connectivity tests from within the TMG firewall console without having to drop out of the console and open a command prompt. Options available here include:
- Destination URL - This is the URL to which you want to test connectivity. You can use either an FQDN or an IP address.
- Do not run pathping - This is the default option. By default, the test will only check for HTTP connectivity.
- Run basic pathping (for fast results) - This will run a short pathping test.
- Run extended pathping to detect path loss (recommended for advanced troubleshooting) - Use this option if you want to check packet loss at the various routers along the path between the source and destination.
Figure 12 shows the results of the basic HTTP connectivity test. The green ball with the checkmark indicates that the connection was successful. If you click on the ball, you will see more information about the connection attempt, which is useful if the connection attempt fails.
Figure 13 shows the results of the short pathping test.
Figure 14 shows the results of the longer pathping test, along with information about packet loss across multiple routers in the path.
Troubleshooting is an important part of managing any network security solution and TMG includes tools to make troubleshooting easier for you. In this article, we went over a few of the new options available in the Troubleshooting node in the left pane of the TMG firewall console. While some of the features that are included in the Troubleshooting node were also available in updates for ISA Server 2006, there are some very useful new features, such as the connectivity test tools and the enhancements to the traffic simulator tool. Overall, these troubleshooting tools make it much easier to figure out the cause of both simple and complex connectivity issues, and help to make it possible for TMG firewall admins to solve problems much more quickly than they might if they had to drop out of the firewall console and use command line based tools. So take a little time to get to know these new troubleshooting tools, and they will save you time and effort in the long run.