Syed Jahanzaib Personnel Blog to Share Knowledge !

May 17, 2012

Forefront TMG 2010 , Controlling High SQL Memory Usage !

Filed under: Forefront TMG 2010 Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 5:00 PM

Recently I deployed Forefront TMG 2010 in my company, and I was facing  High memory usage by sqlservr.exe which was using over 1.5 GB of memory. So I limit its usage by using following method.

Open Command Prompt on TMG server and enter the following command,

osql -E -S localhost\MSFW

Now paste the following text, (Before pasting, you can adjust the memory size like 512 means 512 MB, if you want to set 1 GB limit, you can use 1024 value.)

USE master
GO

EXEC sp_configure ‘show advanced options’, 1
RECONFIGURE WITH OVERRIDE
GO

EXEC sp_configure ‘max server memory (MB)’, 512 –configure 512MB limit, adjust it as required
GO

EXEC sp_configure ‘show advanced options’, 0
RECONFIGURE WITH OVERRIDE
GO

Now open Task Manager and see the sqlservr.exe memory usage.

.

For more info, Use the below article at Richard Hicks Blog.
http://tmgblog.richardhicks.com/

*

Regard’s

Syed Jahanzaib

March 21, 2012

TMG 2010 ISP Redundancy Fail Over Guide


Scenario: I have 2 WAN Internet Connections, and I want that if primary link fails (or looses its connectivity with the ISP/internet) TMG should automatically switch over to secondary link, and when primary link gets back online, TMG should switch back to Primary Link.

But first let’s discuss some theoretical introduction of TMG new feature called ISP Redundancy

Forefront TMG 2010 is the latest proxy/firewall server from Microsoft. It have many new exciting features which makes it very good , reliable and rich feature application.

One of the greatest (and most demanding) new features of Microsoft Forefront TMG is ISP Redundancy. With the help of this feature it is now possible to load balance the network traffic between two different ISPs . One other configuration mode is the ability to configure Microsoft Forefront TMG for ISP Failover (Which is discussed later in this article). In this case, Forefront TMG will use one ISP link as the primary connection, and if this link gets broken, TMG will automatically failover to the second configured ISP.

ISP redundancy feature utilizes multiple ISP links and provide high-availability with load balancing and failover or just failover capability to the corporate Internet. The common functionality of ISP redundancy are:

  •     Designate primary and secondary link for internet connections
  •     Balance traffic load based on percentage of total traffic per link
  •     Automatic fail over to secondary link if primary link fails

Ok Let’s Start :)

Requirements:

1) Two Separate WAN connections connected with TMG , both should be fully configured with there respective IP , gateway and DNS.

2) Static Route defined via ip route command for ISP’s DNS Server (Or any other WAN IP, to let TMG decide if the specific link unable to reach isp dns or any other wan ip defined)

In this example , we have 3 Interfaces card in TMG as following

LAN = Connected with Users Switch
WAN1 = PTCL DSL Link (Primary)
WAN2 = FIBER Optics Backup Link (Secondary)

(As shown in the image below . . .)

Open TMG console,
Goto Networking  >> ISP Redundancy
and click on Configure ISP Redundancy

(As shown in the image below . . .)

In the below example, I am using FAILOVER only mode, (But you can select Load balancing with failover capability, you can also change the mode later)

Now type the ISP1 name and select the Network adapter (After selecting the network adapter , Subnet field will auto fill up )

In next screen, it will show you the ISP1 ip scheming info like gateway , subnet , dns etc

Now type the ISP2 name and select the Network adapter (After selecting the network adapter , Subnet field will auto fill up )

In next screen, it will show you the ISP1 ip scheming info like gateway , subnet , dns etc

Now it will ask you which ISP link will act as PRIMARY ISP Connection, select your desired link

All done, It will show the final config on your screen, just select FINISH.

Now the Important Part. We Must add static route to tell TMG via route that if specific WAN link looses its connectivity , it should switch over to secondary link.

First you have to see what network interface have which code, this code will be used in route command to tell which interface rule would be applied.

open command prompt on TMG, and type
ROUTE PRINT

Now Open Network Connections , and take properties of your First ISP Interface Adapter. and you will see the interface name, like below

Now check in the route PRINT command and find the number of your first isp interface card number which name is “Microsoft Virtual Machine Bus Network Adapter #2” which in this example is 12 (it is showed in starting)

Repeat the above step and find the number of secondary ISP link, which in this example is 29

Now issue following command To add a persistent static route

route -p ADD 221.132.112.8 MASK 255.255.255.255 192.168.30.1 METRIC 1 IF 12
route -p ADD 221.132.112.9 MASK 255.255.255.255 192.168.20.1 METRIC 2 IF 29

the above command will tell TMG to go through Specific link for DNS Server status, so if primary link looses it connectivity with the internet(connectivity with the 221.132.112.8 via ISP1, ) it will switch over to ISP2 , it will periodically check primary link connectivity, as soon it restores, it will switch back to primary link.

ROUTE Command Syntax

route [-p] ADD [destination] MASK [netmask] [gateway] METRIC [metric] IF [interface]

  • P—-Makes the route persistent
  • METRIC---specifies the priority for this route. the route with the lowest metric has the highest priority.
  • IF---Specifies the interface number

TIP:

Howto Bind User/dst website to Go through Specific Link Only in TMG

If you want to bind specific user or group to go through specific link only,use the following logic

# First create user/ip/ip range entry in FIREWALL POLICY > TOOL BOX / NETWORK OBJECTS  >> computer / computer sets or address range

# Then goto  NETWORKING / NETWORK RULES and create new NETWORK RULE with following data

Network Name Rule : WAN2 Users
FROM: Your Specific Computer IP / User / IP Range
TO : External
Network Relationship : Network Address Translator (NAT)
NAT Address Selection : Use the Specified IP and then select your desired WAN link ip
Click FINISH and APPLY.

Note: As shown in the images below

Now hit APPLY button to make changes.

To test, Goto your client, and open http://www.whatismyip.com
It will show you new ip of secondary link. :D

BEFORE NETWORK RULE:  User request is routing through Default First WAN link (PTCL).

AFTER NETWORK RULE:  User request is now routing through second WAN link (FIBER).

Some Considerations and Info

To determine the availability of a particular ISP connection, TMG performs dead link detection by randomly polling one of the thirteen Internet root DNS servers on TCP port 53 (when TMG is deployed as a back firewall, make certain that TCP port 53 is open to the Internet). If the selected root DNS server responds, TMG considers the connection available. If it does not respond, TMG will poll additional root DNS servers at one minute intervals. If no replies are received after three consecutive attempts, TMG considers the connection unavailable and raises an alert. Once TMG identifies a connection as unavailable, it will wait for five minutes before attempting to poll again. Once it receives a response, TMG will continue polling at one minute intervals. When three consecutive responses have been received, TMG will consider the connection available.

In the default setting, TMG checks the status of the ISP link by trying to establish a TCP connection on port 53 (DNS zone transfer) to a list* of root DNS server on a round robin basis. If a connection can be established, TMG will consider the link active.

* Default destination addresses in TMG RC:
192.58.128.30,193.0.14.129,198.32.64.12,202.12.27.33,198.41.0.4,192.228.79.201,192.33.4.12,128.8.10.90,192.203.230.10,192.5.5.241,192.112.36.4,128.63.2.53,192.36.148.17

TMG will wait at least 3 minutes until a link is considered down

  •  A link will be considered down for at least 7 minutes (min failed time with 300 seconds + 2x OK interval with 60 seconds each)
  • A link has to be stable for at least 3 minutes once TMG will bring the link up again.

You can modify those default values by using VBS Script (mentioned in the below links)

Script to reduce link detection time:

http://aacable.wordpress.com/2012/03/27/forefront-tmg-2010-isp-redundancy-configuring-verification-of-link-status/

set root=CreateObject("FPC.Root")
set arr=root.GetContainingArray()
set ExtNet=arr.NetworkConfiguration.Networks("External")
set ISPRCfg=ExtNet.ISPRedundancyConfig
ISPRCfg.MinimalResumeTime = 30
ISPRCfg.TestIntervalLinkAvailable = 30
ISPRCfg.TestIntervalLinkUnavailable = 30
ISPRCfg.FailuresToUnavailable = 1
ISPRCfg.SuccessesToAvailable = 1
ISPRCfg.Save

 

I took help from following websites for this article , I copied some text from following websites for general information. You can find Some Good Reference for more detailed and step by step guides.

http://www.isaserver.org/tutorials/Exploring-ISP-Redundancy-Forefront-Threat-Management-Gateway-TMG-2010.html
http://www.isaserver.org/tutorials/microsoft-forefront-tmg-isp-redundancy-mode.html
http://microsoftguru.com.au/2011/04/26/ff-tmg-2010-configure-isp-redundancy-step-by-step/

Regard’s

Syed Jahanzaib

February 23, 2012

Forefront TMG 2010 installation failed “SQL Installation Error” [Solved]


Today at my company I was installing TMG 2010 on Windows 2008 R2 64bit on MS Hyper-visor VM and encounter following errors during installation related to SQL 2008  ,
Example:
# Forefront TMG Installation terminates – SQL Express 2008 Could Not Be Installed
# Error installing TMG 2010: failed to install SQL Express 2008 (reporting instance)
After some googling, I managed to resolved this problem. This is what I did:

#    Go to Control Panel   >   Uninstall Programs
#    Uninstall Microsoft SQL Server 2008
#    Uninstall Microsoft SQL Server 2008 Native Client
#    Go to C:\Program Files
#    Delete folders ‘Microsoft Forefront Threat Management Gateway‘ and ‘Microsoft SQL Server’
#    Go to C:\Program Files (x86)
#    Delete folders ‘Microsoft SQL Server’
#    Reboot your windows
#    Right click on TMG Setup and select ‘Run as Administrator‘ , and follow on the screen setup.

This time installation went smooth.

After this I installed TMG SP1 and SUP1 from

You can download SP1 from : http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=f0fd5770-7360-4916-a5be-a88a0fd76c7c

and you can download SU1 from : http://www.microsoft.com/downloads/en/details.aspx?FamilyID=695d0709-0d8b-45ee-afdb-727c4428ca4d

Afterwards, download TMG SP2 , and install it.

http://www.microsoft.com/download/en/details.aspx?id=27603

 

 

 

Forefront Remote Management Tool error
Refresh Failed. The parameter is incorrect.

If you have installed Forefront Remote Management tool to manage your tmg remotely via your workstation, and you received following error

Forefront Remote Management Tool error
Refresh Failed. The parameter is incorrect.

error

 

Make sure that you have the same level of Service packs and patches that are installed on TMG Server. Also make sure that your ip is added TMG Rmote Management Policy Section. (In Firewall System Policy)
E.g:

SU1,  SP1 , SP2  (Software Update 1, Service Pack 1, Service Pack 2)

I hope these steps will help you too :)

Regard’s

Syed Jahanzaib

The Silver is the New Black Theme Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 2,045 other followers