Using Connectivity Verifiers in Forefront Threat Management Gateway (TMG) 2010
Connectivity verifiers are administrator-configurable health checks that can be used to validate that a host or service is reachable or available on the network. By monitoring hosts or services, TMG firewall administrators can be alerted when a host or service is unavailable. When a connectivity verifier reports that a host or service is unavailable, by default the event will be logged and an alert triggered. The firewall administrator can then configure additional notifications, such as sending an e-mail. The administrator can also take action on the alert by starting or stopping services or running a script or program.
Connectivity verifiers are commonly used to verify the availability of infrastructure services that are essential to the stability and performance of the TMG firewall. TMG relies heavily on services such as Active Directory and DNS, so in this article I’ll demonstrate how to configure connectivity verifiers to monitor these services for availability and responsiveness.
Monitoring Active Directory
To create a new connectivity verifier, open the TMG management console and highlight the Monitoring node in the navigation tree, then select the Connectivity Verifiers tab in the center console and click Create New Connectivity Verifier.
The New Connectivity Verifier Wizard will walk you through the steps required to configure the new connectivity verifier. When prompted, enter a descriptive name for the new verifier.
Enter the hostname or IP address of the domain controller you wish to monitor and then select Active Directory from the drop-down list. The verification method will automatically switch to Establish a TCP connection to port: and default to LDAP (TCP port 389).
Review the configuration parameters and choose Finish to complete the task.
After you have saved and applied the changes, TMG will begin monitoring the host to verify that the Active Directory service (LDAP on TCP port 389) is responding. If the service responds appropriately, TMG will indicate a healthy status with a green checkmark as shown here:
To create another connectivity verifier, click the Create New Connectivity Verifier link in the Tasks pane.
Follow the steps outlined previously but select DNS from the drop-down list. In this case you will also need to select the DNS option from the Establish a TCP connection to port: drop-down list.
Monitoring a Web Server
To monitor a web server, again repeat the steps outlined above, this time selecting Web (Internet) for the Group type used to categorize this connectivity verifier. The first time you create a connectivity verifier for a web server you will be prompted to enable the Allow HTTP/HTTPS requests from Forefront TMG to selected servers for connectivity verifiers system policy rule. This rule must be enabled for the connectivity verifier to work correctly.
When monitoring a web server, TMG will consider the service available if it receives an HTTP response code in the 1xx, 2xx, or 3xx range within the configured response time threshold. It will also consider the web server to be online if it receives an HTTP 401 (web server authentication required). Any other response code (or no response at all) will be considered offline and the status will be reflected in the management console accordingly.
You can repeat this procedure to monitor any host or service reachable from the TMG firewall. This is not limited only to hosts or services located on the Internal network, but any perimeter networks and even the External network as well. Although you have the option of sending only a PING (ICMP echo request) to monitor connectivity to hosts, it is recommended to establish a TCP connection and/or send an HTTP GET request when possible. This ensures that the host isn’t simply responding to PING, but that the service running on the host is responding appropriately.
Connectivity Verifier Parameters
By default, a service is marked unavailable if it does not respond at all. If it does respond, but only after the 5 second (5000 millisecond) timeout threshold has been exceeded, it will be marked as degraded. In some instances, this threshold might be excessive. You can change the default timeout threshold by right-clicking the connectivity verifier and choosing Properties, then selecting the Properties tab and specifying a new timeout response threshold in milliseconds.
Connectivity verifiers will attempt to verify host or service availability every 30 seconds by default. Changing the polling interval is not available in the GUI, unfortunately. It can, however, be modified using a script. For more information, read the Setting the Refresh Rate for Connectivity Verifiers article on TechNet.
Web Farm Load Balancing and Connectivity Verifiers
When creating a load-balanced web farm, the server farm configuration wizard will automatically configure the appropriate connectivity verifiers. After specifying the hosts in the farm, the wizard will prompt for the method to use to monitor the servers in the farm. When the option to Send an HTTP/HTTPS GET request is chosen, the default URL is listed as HTTP://*/. The connectivity verifier will replace * with the hostname or IP address of each node in the farm as required.
Connectivity Verifier Alerts
When a connectivity verifier identifies a host or service that is offline or unavailable, TMG will generate a No Connectivity alert. If the service is available but the response time has exceeded the configured timeout threshold, TMG will generate a Slow Connectivity alert. Once the service is back online, TMG will generate a Connectivity Restored alert. In each instance, additional detail about the alert will be included in the Alert Information pane at the bottom of the screen when the alert is highlighted.
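As an added example (not TMG code and not from the original article), the following Python model captures the status rules described above for web, TCP and PING verifiers: HTTP 1xx, 2xx, 3xx and 401 count as online, any other code or no response at all counts as offline, a response slower than the threshold (5000 ms by default) is degraded, and each state change maps to the alert TMG raises. It also expands the web-farm template URL (HTTP://*/) for a node. Treating a return from Slow to Healthy as Connectivity Restored is an assumption; the article only describes the offline-to-online case.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_TIMEOUT_MS = 5000  # TMG default response time threshold (5 seconds)
HEALTHY, SLOW, OFFLINE = "Healthy", "Slow", "No Connectivity"


@dataclass
class ProbeResult:
    """One verifier poll. http_status is None for TCP-connect or PING checks."""
    responded: bool                 # False when nothing came back at all
    elapsed_ms: int = 0             # measured round-trip time
    http_status: Optional[int] = None


def http_status_is_online(status: int) -> bool:
    """1xx, 2xx, 3xx and 401 (auth required) mean the web service is up."""
    return 100 <= status < 400 or status == 401


def classify(result: ProbeResult, timeout_ms: int = DEFAULT_TIMEOUT_MS) -> str:
    """Map a poll result to the status TMG shows in the management console."""
    if not result.responded:
        return OFFLINE
    if result.http_status is not None and not http_status_is_online(result.http_status):
        return OFFLINE              # e.g. 404 or 503 is offline, not degraded
    if result.elapsed_ms > timeout_ms:
        return SLOW                 # responded, but past the threshold
    return HEALTHY


def alert_for(previous: str, current: str) -> Optional[str]:
    """Alert raised on a state change; None when the state did not change."""
    if current == previous:
        return None
    if current == OFFLINE:
        return "No Connectivity"
    if current == SLOW:
        return "Slow Connectivity"
    # Assumption: any return to Healthy (from Offline or Slow) is 'restored'.
    return "Connectivity Restored"


def farm_node_url(template: str, node: str) -> str:
    """Expand the web-farm verifier URL, replacing * with the node's address."""
    return template.replace("*", node, 1)
```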
In many cases an administrator will want to be proactively notified when one of these alerts is generated, and perhaps even generate a programmatic automated response to the alert. This can be accomplished by configuring the alert definition for the specific event to take action when the event is triggered. The administrator can configure TMG to send an e-mail, run a program, report the event to the event log (enabled by default), or stop and start selected services.
Connectivity verifiers can save a TMG firewall administrator valuable time when troubleshooting connectivity issues. By configuring connectivity verifiers to monitor essential infrastructure services such as Active Directory and DNS, the administrator can quickly determine where to begin troubleshooting if service is impaired. Connectivity verifiers can also provide valuable information about the health of a particular service and details about how quickly the service is responding. By configuring the properties of the alerts generated by connectivity verifiers, administrators can be notified by e-mail or take programmatic action to gather additional information in the event of a service outage.