If you would like to read the next part in this article series please go to Troubleshooting the TMG Firewall with Network Monitor (Part 2).
Introduction
The TMG firewall includes a number of on-the-box tools that you can use to troubleshoot a variety of different firewall scenarios, such as Web and Server publishing rules and firewall access rules. However, there will be times when you’ll want to dig in deeper and investigate what’s actually happening on the wire. When you want to know what’s happening on the wire, a good (no cost) option is to use Network Monitor 3.4. In this article series, we’ll provide an overview/recap of Network Monitor’s features and provide some examples of how to capture data as well as some Network Monitor capture scenarios that you might encounter in troubleshooting TMG.
Network protocols
As a TMG firewall admin, you already know that you really need to be aware of your network traffic profile so that you can understand the protocols that are required for you to create access and publishing rules. Unfortunately, you might not always have a clear picture of which protocols some applications are using. For example, in your business environment you might have a proprietary application that uses a custom and perhaps complex protocol that isn’t documented on the developer’s web site. Unfortunately, most networks have a number of applications where the network protocols aren’t well defined, and that means you’re probably going to have to figure out these protocols for yourself so that you can create the correct firewall rules. While the TMG firewall comes with a ton of protocols right out of the box, it obviously can’t include all possible protocols.
A good example of how you can use the TMG firewall to troubleshoot and discover network protocols can be found in this blog post.
There is a very good chance that, sooner or later, you’re going to find yourself in a situation where you need to figure out these protocols. The problem gets even more complex when client applications need to use a server that is situated outside of the corporate network and the traffic needs to traverse the TMG firewall. If you don’t have any protocol documentation from the application’s vendor, then you will have to analyze the protocols that the application uses in order to create the correct access rules on the TMG firewall.
This is only one of many examples whereby you can use Network Monitor to define network protocols and troubleshoot connectivity problems that may or may not be related to the TMG firewall. The version of Network Monitor that we are going to use in this article series is Network Monitor 3.4, which is the current version. If you don’t already have it installed, you can download it here.
For more information on Network Monitor and advancements to the application, make sure to check out the Network Monitor Team’s blog.
Step 1: Defining the problem
When you use Network Monitor for network analysis, it’s critical that you know what it is that you’re trying to find out. You need to start in a place where you have a hypothesis about what the issue might be. That might seem obvious, but it’s often overlooked. You may find that Network Monitor capture becomes difficult to interpret because you haven’t really scoped out what you think the problem is.
You need to realize that there is going to be a lot of information in the network capture, so one reason you need to have an idea of what you’re looking for is so that you can filter out the things that you know you’re definitely not interested in. When you have a clear vision of what you’re looking for in the network capture, then you can move ahead to the next step, which is configuring Network Monitor to display the information that you’re most interested in seeing.
Step 2: Configuring the tool
Network Monitor 3 enables you to capture packets and frames using either the Network Monitor interface or the command line tool, nmcap. There may be troubleshooting situations in which you will want to use Network Monitor together with other logs and sync entries to help determine the source of the problem. This is where the ISA Data Packager (which is part of the ISABPA) can be helpful, as this tool gathers Network Monitor captures from all TMG firewall network interfaces as well as from other sources. For more information on ISABPA and data packager, check out this blog post.
Before you perform a network capture from the Network Monitor console, you’ll need to make some basic configuration settings in order to get started. The figure below depicts the Network Monitor graphical interface.
Figure 1
The default settings for Network Monitor are such that it collects the following information by default:
- Traffic moving through the interface you select
- Broadcast traffic
If you want to gather all traffic and not just traffic through the interface you’ve selected, then you will need to click the P-Mode (Promiscuous Mode) button on the Select Networks frame. The Select Networks section also displays the network interfaces that are attached to the computer. This is a mandatory configuration setting, because Network Monitor needs to know from which interface(s) you’re interested in capturing data. In most cases when you’re running Network Monitor on the TMG firewall, you will want to configure Network Monitor to capture data from all interfaces on the firewall. If there are times when you aren’t interested in traffic that is moving through a specific interface(s), then you can remove the check mark from the check box for those interfaces and then click the New Capture tab (either on the toolbar or on the Recent Captures panel).
When a new Capture tab appears, you will see that the console looks similar to the one shown in the figure below.
Figure 2
When you are ready to analyze the problem that you’re troubleshooting, click the Start button on the Network Monitor console’s toolbar, as shown in the above figure. Network Monitor writes to a capture file on the local hard disk while it’s performing the capture. You can define the maximum size of this file in the Network Monitor Options dialog box. After the file reaches your specified maximum size, it will start to overwrite the earliest entries. To configure the capture file options, perform the following steps:
- Click the Tools menu.
- Click the Options menu item.
- In the Options dialog box, click the Capture tab.
- Change the file location and the buffer size and then click OK.
Figure 3
After you replicate the problem, click the Stop button to end the capture and save the file by using the Save As option on the File menu.
Figure 4
You can choose which frames to save in the Save As dialog box. You are offered the following options:
- All Captured Frames – Saves all captured frames. Saves the temporary capture file with the name you give it and then deletes the temporary file.
- Displayed Frames – Saves only the frames that are displayed, and is used when you are filtering during the capture. This option is useful if you want to save only specific types of traffic, such as SMTP traffic from the TMG firewall to a specific IP address. You can create and apply a filter and you will only see frames that belong to this filter. This will reduce the final size of the .cap file that you are saving.
- Selected Frames – Saves only the frames that you selected in the capture dialog box. You can select multiple frames using either the CTRL or Shift keys.
- Frame Range (e.g., 1,3,5-12) – Saves only the frames that you list, as in the example.
In a future article in this series, we’ll go into how to analyze a capture and how you can use the different options that you’ll find on the Capture tab.
Automating the process
I think we can all agree that the UI for Network Monitor 3 is much better than Network Monitor 2, and it’s quite a bit more flexible in terms of capturing packets. However, there are likely to be times when you might want to take advantage of automation and also reduce system resource usage during a long data capture. To reduce the amount of resources that are used by Network Monitor during active capturing, you can take advantage of the Nmcap command-line tool.
Let’s take a look at an example of how you can use the Nmcap tool. In this example, let’s say you want to capture packets from all interfaces on the TMG firewall and filter the capture so that you will only see the SMTP related packets. For this scenario, you will set a maximum temporary file size of 50MB and the name of the capture file will be smtptraffic.cap. The capture process will stop when you press the X key. To accomplish this, follow these steps:
- Click Start, enter cmd and press Enter.
- Enter the following the command at the command prompt:
Nmcap /network * /capture smtp /file smtptraffic.cap:50M /terminatewhen /keypress x
- Press Enter.
- Send some SMTP traffic from the computer of interest.
- A file called smtptraffic.cap will be available in the location where you started this command, which in this case is the Network Monitor folder.
If you want to see all of the options that are available to you with the Nmcap command line tool, just enter nmcap /? at the command prompt. And if you want to see some scenarios in which you can use a number of the Nmcap options, then enter nmcap /example at the command prompt. Also, if you want to make it easier to use the Nmcap tool, you can head on over to Codeplex where you can find the Network Monitor Wizard.
The Network Monitor Wizard will lead you through the steps of configuring the Nmcap tool so that you can achieve exactly what you want with a convenient user interface.
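The following PowerShell function is an added example (not from this article or from the Network Monitor team) that wraps the Nmcap scenario above, and also takes the kind of combined filter mentioned under Displayed Frames (SMTP to one IP address). It assumes the default Network Monitor 3 install path, an output folder of C:\Captures, and the /TerminateWhen /Time option listed by nmcap /?; verify both on your own firewall.

```powershell
# Added example: unattended NMCap capture on a TMG firewall.
# Flags /network, /capture, /file <name>:<size>M and /terminatewhen /keypress
# are the ones the article uses; /terminatewhen /time is assumed from nmcap /?.
function Start-TmgCapture {
    param(
        # Network Monitor display filter, e.g. "smtp" or
        # "smtp && ipv4.address == 10.0.0.25" (constructed sample address)
        [string]$Filter = "smtp",
        [string]$OutDir = "C:\Captures",                   # assumed output folder
        [int]$MaxSizeMB = 50,                               # temp-file cap from the article
        [int]$Minutes = 0,                                  # 0 = stop on the X key, as in the article
        [string]$NmcapPath = "C:\Program Files\Microsoft Network Monitor 3\NMCap.exe"  # assumed path
    )
    if (-not (Test-Path $NmcapPath)) { throw "NMCap.exe not found at $NmcapPath" }
    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

    # Timestamped name so repeated runs never overwrite an earlier capture
    $stamp = Get-Date -Format "yyyyMMdd-HHmmss"
    $file  = Join-Path $OutDir "smtptraffic-$stamp.cap"

    # /network * = every interface on the firewall; the filter is passed as one argument
    $nmArgs = @("/network", "*", "/capture", $Filter, "/file", "${file}:${MaxSizeMB}M", "/terminatewhen")
    if ($Minutes -gt 0) { $nmArgs += @("/time", "$Minutes", "m") }
    else                { $nmArgs += @("/keypress", "x") }

    Write-Host "Running: $NmcapPath $($nmArgs -join ' ')"
    & $NmcapPath @nmArgs
    if ($LASTEXITCODE -ne 0) { throw "NMCap exited with code $LASTEXITCODE" }

    # Report what was written so the operator can confirm the capture before analysis
    $cap = Get-Item $file
    Write-Host ("Saved {0} ({1:N1} MB)" -f $cap.FullName, ($cap.Length / 1MB))
    return $cap
}

# Reproduce the article's scenario, but stop automatically after 10 minutes
Start-TmgCapture -Filter "smtp" -Minutes 10
```

Pass -Minutes 0 to get the article's interactive behaviour, where the capture runs until you press X.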
Summary
Network Monitor 3.4 is a handy, easy to use tool that allows you to get a large amount of information about what’s actually happening on the wire without paying for a commercial utility. This information can be used to solve a number of TMG firewall troubleshooting problems. In this article, we took a look at a basic overview of the tool. In the subsequent articles in this series, we will show you how you can configure Network Monitor in some troubleshooting scenarios. See you then! –Deb.