Microsoft Forefront Threat Management Gateway 2010

Note: This template has been verified to work with Forefront TMG 2010 SP2 Rollup 3.


This template assesses the status and overall performance of a Microsoft Forefront Threat Management Gateway 2010 by using performance counters and Windows service monitors.

Prerequisites: WMI access to the target server. On the Forefront server, in the Forefront TMG snap-in, you must allow the APM server to monitor performance counters and services. In the Firewall Policy menu, create the following access rule:


    Rule: Allow;
    From: Local Host,
          APM server;
    To: Local Host,
        APM server;
    For: All users;
    Protocols: Microsoft CIFS (TCP),
               NetBios Datagram,
               NetBios Name Service,
               NetBios Session,
               RPC (all Interfaces),
               TCP-10003-OUT.

where:

  • APM server is the IP address of your APM server;
  • TCP-10003-OUT is the manually configured protocol with the following parameters in your primary connections:

    Protocol: TCP;
    Port range: From 10003 to 10003;
    Direction: Outbound.

Credentials: Windows Administrator on the target server.

Monitored Components

Note: Components without predetermined threshold values have guidance such as "use the lowest threshold possible" or "use the highest threshold possible" to help you find a threshold appropriate for your application. For more information, see http://knowledgebase.solarwinds.com/kb/questions/2415.

Service: Microsoft Forefront TMG Control

This monitor returns the CPU and memory usage of the Microsoft Forefront TMG Control service. This service controls Forefront Threat Management Gateway services.

Service: Microsoft Forefront TMG Firewall

This monitor returns the CPU and memory usage of the Microsoft Forefront TMG Firewall service. This service provides Forefront TMG internet access protection services.

Service: Microsoft Forefront TMG Job Scheduler

This monitor returns the CPU and memory usage of the Microsoft Forefront TMG Job Scheduler service. This service runs Forefront Threat Management Gateway jobs according to specified job schedules.

Service: Microsoft Forefront TMG Managed Control

This monitor returns the CPU and memory usage of the Microsoft Forefront TMG Managed Control service. This service controls Forefront Threat Management Gateway managed services.

Service: Microsoft Forefront TMG Storage

This monitor returns the CPU and memory usage of the Microsoft Forefront TMG Storage service. This service provides Forefront Threat Management Gateway configuration storage.

Service: AD-LDS (ISASTGCTRL)

This monitor returns the CPU and memory usage of the ISASTGCTRL service. This service provides the Active Directory LDS instance.

Firewall Packet Engine: Active Connections

This monitor shows the total number of active connections currently passing data. Use this counter to monitor general performance.

Firewall Packet Engine: Bytes/sec

This monitor shows the total throughput, in bytes per second, passing through the firewall. Each byte is counted twice: once when it enters the firewall and once when it leaves the firewall. Use this counter to monitor general performance.

Firewall Packet Engine: Dropped Packets/sec

This monitor shows the number of packets that were denied each second. Use this to monitor general security threats. If numbers are large (more than 100), check for network configuration errors and attacks.

Firewall Packet Engine: Packets/sec

This monitor shows the number of allowed and denied packets, per second. Use this to monitor general security threats and performance. This directly impacts CPU utilization.

Firewall Packet Engine: Connections/sec

This monitor shows the number of TCP and UDP connections created, per second. Use this to monitor general security threats and performance. This directly impacts CPU utilization.

H.323 Filter: Active H.323 Calls

This monitor returns the number of H.323 calls that are currently active.

Cache: Disk Failure Rate (failures/sec)

This monitor shows the number of I/O failures, per second, since the firewall service started. An I/O failure occurs when TMG fails to read from or write to the disk cache. This value should be as low as possible.

Cache: Memory Usage Ratio Percent (%)

This monitor shows the amount of fetches from the memory cache in proportion to the total fetches from the cache.

Cache: URL Commit Rate (URL/sec)

This monitor shows the rate at which URLs are stored to the cache.

Firewall Service: DNS Cache Hits %

This monitor shows the percentage of DNS domain names serviced by the DNS cache from the total of all DNS entries that have been retrieved by the firewall service. This value should be as high as possible.

Firewall Service: Active Sessions

This monitor shows the number of active sessions for the firewall service. Use this counter to monitor general performance. By comparing this counter at both peak and off-peak times, you can construct a good picture of routine usage.

Firewall Service: Active TCP Connections

This monitor shows the number of active TCP connections currently passing data. Connections pending, or not yet established, are counted elsewhere.

Firewall Service: Active UDP Connections

This monitor shows the number of active User Datagram Protocol (UDP) connections.

Firewall Service: Available Worker Threads

This monitor shows the number of firewall service worker threads that are available or waiting in the completion port queue. Available worker threads should never remain near 0 for any length of time. If TMG keeps this at or near 0, you should scale out.

Firewall Service: Worker Threads

This monitor shows the total number of firewall service worker threads.

SOCKS Filter: Active Sessions

This monitor shows a single SOCKS session and includes the CONNECT and BIND commands for a single client.

SOCKS Filter: Pending DNS Resolutions

This monitor shows the number of pending Winsock getaddrinfo() requests. These requests resolve host DNS names and IP addresses for SOCKS connections. This monitor should be as low as possible.

Web Proxy: Active Web Sessions

This monitor indicates how many clients are currently being served by the Web Proxy filter. Monitoring this counter at both peak and off-peak times gives a good indication of server usage. The configuration setting for maximum web request connections influences this value. This counter may also be useful if you need to temporarily stop TMG services. When authentication does not take place, all of the clients from a single IP address are viewed as one session.

Web Proxy: Average Milliseconds/request

This monitor shows the mean number of milliseconds required to service a Web Proxy client request, not including requests serviced by the Secure Sockets Layer (SSL) tunnel. This counter can be monitored at peak and off-peak times to get a comprehensive picture of the rate at which client requests are being serviced. A counter with a value that is too high might indicate that the TMG computer is having difficulty in handling all requests and that requests are being delayed. This value should be as low as possible.

Web Proxy: Cache Hit Ratio (%)

This monitor determines how many Web Proxy client requests have been served using cached data (Total Cache Fetches), as a percentage of the total number of successful Web Proxy client requests to the TMG computer (Total Successful Requests). Its value gives a good indication of the effectiveness of the cache. A high counter value indicates that a high level of requests is being serviced from the cache, meaning faster response times. A zero counter value indicates that caching is not enabled. A low counter value may indicate a configuration problem. The cache size may be too small, or requests may not be cacheable.

Web Proxy: Connect Errors

This monitor shows the total number of errors that occurred while connecting.

Web Proxy: Failing Requests/sec

This monitor shows the rate of Web Proxy client requests that have been completed with some type of error. This counter can be compared with the Requests/sec counter to give an indication of how well TMG is servicing incoming Web requests. A high failure rate, as compared with the rate of incoming requests, suggests that TMG is having difficulty in coping with all incoming requests. Connection settings for incoming Web requests may be incorrectly configured, or connection bandwidth may be insufficient. This monitor should be as low as possible.

Web Proxy: Requests/sec

This monitor shows the rate of incoming requests that have been made to Web proxy. A higher value means that more TMG resources will be required to service incoming requests.

Web Proxy: Thread Pool Active Sessions

This monitor shows the number of sessions being actively serviced by thread pools.

Web Proxy: Memory Pool for HTTP Requests (%)

This monitor returns the percentage of memory available for HTTP requests. When an HTTP request is made, TMG uses memory from a pre-allocated pool. You can use the ProxyVmemAlloc3pSize registry value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters registry key to modify the size of this pool.

Web Proxy: Memory Pool for SSL Requests (%)

This monitor returns the percentage of memory available for SSL requests. When an SSL request is made, TMG uses memory from a pre-allocated pool. You can use the ProxyVmemAlloc1pSize registry value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters registry key to modify the size of this pool.

Web Proxy: Compression - Current Compression Ratio

This monitor returns the average size reduction of the HTTP response body as a percentage of the uncompressed body size during the sample period for HTTP responses compressed by TMG.

Web Proxy: Compression - Responses Compressed: Accumulated Ratio

This monitor shows the percentage of HTTP responses compressed by TMG out of the total number of HTTP requests handled by TMG.
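The guidance given above for Dropped Packets/sec, Available Worker Threads, Failing Requests/sec and Cache Hit Ratio can be combined into one evaluation pass over polled values. The following is an added example, not part of the SolarWinds template: only the 100 dropped packets/sec figure comes from this page, while the other thresholds, the `Sample` fields and the sample polls are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Only DROPPED_MAX comes from the page ("more than 100").
# The other thresholds are assumptions to tune for your environment.
DROPPED_MAX = 100        # Firewall Packet Engine: Dropped Packets/sec
THREADS_NEAR_ZERO = 2    # assumed meaning of "near 0"
THREADS_SUSTAINED = 3    # assumed consecutive polls that count as "remaining"
FAIL_RATIO_MAX = 0.10    # assumed Failing Requests/sec : Requests/sec limit

@dataclass
class Sample:            # one poll of the counters (hypothetical field names)
    dropped_per_sec: float
    available_threads: int
    requests_per_sec: float
    failing_per_sec: float
    cache_hit_ratio: float

def evaluate(samples):
    """Return (poll_index, finding) tuples for a series of polls."""
    findings = []
    low_run = 0
    for i, s in enumerate(samples):
        if s.dropped_per_sec > DROPPED_MAX:
            findings.append((i, "dropped-packets: check configuration errors and attacks"))
        # Thread starvation matters only when it persists across polls.
        low_run = low_run + 1 if s.available_threads <= THREADS_NEAR_ZERO else 0
        if low_run == THREADS_SUSTAINED:
            findings.append((i, "worker-threads: sustained near 0, consider scaling out"))
        # Judge failures relative to load; skip idle polls (no division by zero).
        if s.requests_per_sec > 0 and s.failing_per_sec / s.requests_per_sec > FAIL_RATIO_MAX:
            findings.append((i, "failing-requests: high relative to Requests/sec"))
        if s.cache_hit_ratio == 0:
            findings.append((i, "cache-hit-ratio: 0 indicates caching is not enabled"))
    return findings

# Constructed sample polls, not real measurements.
SAMPLES = [
    Sample(12, 40, 200, 4, 35.0),
    Sample(450, 1, 220, 5, 33.0),
    Sample(30, 0, 210, 60, 31.0),
    Sample(15, 2, 0, 0, 30.0),
    Sample(10, 25, 190, 3, 0.0),
]

if __name__ == "__main__":
    for idx, msg in evaluate(SAMPLES):
        print(f"poll {idx}: {msg}")
```
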

Portions of this document were originally created by and are excerpted from the following sources:

Microsoft Corporation, “TechNet Library,” Copyright 2012 Microsoft Corporation. All rights reserved. Available at http://technet.microsoft.com/en-us/library/bb794879.aspx