Forefront TMG 2009, Controlling High SQL Memory Usage!

Filed under: Forefront TMG 2010 Related — Waseem Anjum Meo @ 1:27 AM

Recently I deployed Forefront TMG 2010 in my company and was seeing high memory usage by sqlservr.exe, which was using over 1.5 GB of memory. I limited its usage with the following method.
Open a Command Prompt on the TMG server and enter the following command:
osql -E -S localhost\MSFW
Now paste the following text. (Before pasting, you can adjust the memory size: 512 means 512 MB; if you want to set a 1 GB limit, use the value 1024.)
USE master
GO

-- enable the advanced option so that 'max server memory (MB)' can be changed
EXEC sp_configure 'show advanced options', 1
RECONFIGURE WITH OVERRIDE
GO

EXEC sp_configure 'max server memory (MB)', 512 -- configure 512MB limit, adjust it as required
RECONFIGURE WITH OVERRIDE -- the new value only takes effect after RECONFIGURE
GO

EXEC sp_configure 'show advanced options', 0
RECONFIGURE WITH OVERRIDE
GO

Now open Task Manager and see the sqlservr.exe memory usage.

For more info, see Richard Hicks' blog:
http://tmgblog.richardhicks.com/

Regards,
Syed Jahanzaib

March 17, 2009

Forefront TMG 2010 ISP Redundancy : Configuring verification of link status

Modifying dead link detection periods
How to reduce the dead/available link detection timeout frequency: use the following VBS file.
Copy and paste the following code into Notepad, save it as TMG.VBS and edit it as per your requirement, then double-click it to run it on TMG.
set root=CreateObject("FPC.Root")
set arr=root.GetContainingArray()
set ExtNet=arr.NetworkConfiguration.Networks("External")
set ISPRCfg=ExtNet.ISPRedundancyConfig
ISPRCfg.MinimalResumeTime = 10
ISPRCfg.TestIntervalLinkAvailable = 10
ISPRCfg.TestIntervalLinkUnavailable = 10
ISPRCfg.FailuresToUnavailable = 1
ISPRCfg.SuccessesToAvailable = 1
ISPRCfg.Save
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Configuring verification of link status
In the default setting, TMG checks the status of the ISP link by trying to establish a TCP connection on port 53 (DNS zone transfer) to a list* of root DNS servers on a round-robin basis. If a connection can be established, TMG considers the link active.
Although the IP addresses and the TCP port used for the verification cannot be configured directly from the management console, if you need to modify these settings (e.g. because you set up your TMG server without direct access to the internet) you can do so by using the TMG COM interface, through a simple Visual Basic script like this one. The following script changes the root DNS entries in TMG that are used for link detection.
set root=CreateObject("FPC.Root")
set arr=root.GetContainingArray()
set ExtNet=arr.NetworkConfiguration.Networks("External")
set ISPRCfg=ExtNet.ISPRedundancyConfig
ISPRCfg.ConnectivityVerificationRemoteIpAddresses.RemoveAll()
ISPRCfg.ConnectivityVerificationRemoteIpAddresses.Add "8.8.8.8"
ISPRCfg.ConnectivityVerificationRemotePort = 53
ISPRCfg.Save

Author
Philipp Sand
Microsoft CSS Forefront Security Edge Team
Reference:

http://blogs.technet.com/b/isablog/archive/2009/11/26/tmg-isp-redundancy-unleashed.aspx
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Regards,
Waseem Anjum Meo

March 11, 2009

TMG 2010 ISP Redundancy Fail Over Guide

Scenario: I have 2 WAN Internet connections, and I want TMG to switch over automatically to the secondary link if the primary link fails (or loses its connectivity with the ISP/internet), and to switch back to the primary link when the primary comes back online.
But first let's discuss some theoretical introduction to the new TMG feature called ISP Redundancy.
Forefront TMG 2010 is the latest proxy/firewall server from Microsoft. It has many exciting new features that make it a very good, reliable and feature-rich application.
One of the greatest (and most in demand) new features of Microsoft Forefront TMG is ISP Redundancy. With the help of this feature it is now possible to load balance the network traffic between two different ISPs. The other configuration mode is the ability to configure Microsoft Forefront TMG for ISP Failover (which is discussed later in this article). In this case, Forefront TMG uses one ISP link as the primary connection, and if this link breaks, TMG automatically fails over to the second configured ISP.
The ISP redundancy feature utilizes multiple ISP links and provides high availability to the corporate Internet, either with load balancing and failover or with failover only. The common functionality of ISP redundancy is:
  • Designate primary and secondary links for internet connections
  • Balance traffic load based on a percentage of total traffic per link
  • Automatically fail over to the secondary link if the primary link fails
Ok Let’s Start :)
Requirements:
1) Two separate WAN connections connected to TMG, both fully configured with their respective IP, gateway and DNS.
2) A static route defined via the route command for the ISP's DNS server (or any other WAN IP), so that TMG can decide whether the specific link is unable to reach the ISP DNS or the other WAN IP defined.
In this example, we have 3 interface cards in TMG, as follows:
LAN = Connected to the users' switch
WAN1 = PTCL DSL link (Primary)
WAN2 = Fiber optic backup link (Secondary)
(As shown in the image below.)
Open the TMG console,
go to Networking >> ISP Redundancy
and click on Configure ISP Redundancy.
(As shown in the image below.)
In the example below I am using FAILOVER-only mode (but you can select load balancing with failover capability; you can also change the mode later).
Now type the ISP1 name and select the network adapter (after selecting the network adapter, the Subnet field will fill in automatically).
On the next screen, it will show you the ISP1 IP scheme info such as gateway, subnet, DNS, etc.

Now type the ISP2 name and select the network adapter (after selecting the network adapter, the Subnet field will fill in automatically).

On the next screen, it will show you the ISP2 IP scheme info such as gateway, subnet, DNS, etc.

Now it will ask you which ISP link will act as the PRIMARY ISP connection; select your desired link.

All done. It will show the final config on your screen; just select FINISH.

Now the important part. We must add static routes to tell TMG that if a specific WAN link loses its connectivity, it should switch over to the secondary link.
First you have to find out which network interface has which index number; this number is used in the route command to tell which interface the route applies to.
Open a command prompt on TMG and type
ROUTE PRINT


Now open Network Connections and open the properties of your first ISP interface adapter; you will see the interface name, like below.

Now check the ROUTE PRINT output and find the number of your first ISP interface card, whose name is "Microsoft Virtual Machine Bus Network Adapter #2"; in this example it is 12 (it is shown at the start of the output).
Repeat the above step and find the number of the secondary ISP link, which in this example is 29.
Now issue the following commands to add persistent static routes:
route -p ADD 221.132.112.8 MASK 255.255.255.255 192.168.30.1 METRIC 1 IF 12
route -p ADD 221.132.112.9 MASK 255.255.255.255 192.168.20.1 METRIC 2 IF 29

The above commands tell TMG to use a specific link when checking the DNS server status, so if the primary link loses its connectivity with the internet (connectivity with 221.132.112.8 via ISP1), TMG switches over to ISP2. It periodically checks the primary link's connectivity, and as soon as it is restored, it switches back to the primary link.
ROUTE Command Syntax
route [-p] ADD [destination] MASK [netmask] [gateway] METRIC [metric] IF [interface]
  • -p: makes the route persistent
  • METRIC: specifies the priority for this route; the route with the lowest metric has the highest priority.
  • IF: specifies the interface number
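As an added example that is not part of the original post, this Python snippet performs the ROUTE PRINT lookup and route command construction described above programmatically, so the interface index is never read off by eye; the sample ROUTE PRINT output is constructed, reusing the adapter name and the interface indexes 12 and 29 from the post.

```python
# Added example (not from the original post): derive the interface index that
# "route -p ADD ... IF <index>" needs by parsing the Interface List block of
# ROUTE PRINT instead of reading it off by eye.
import re

# Constructed sample of ROUTE PRINT output: adapter names and indexes 12 and 29
# follow the post, the MAC addresses are made up.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Interface List
 12...00 15 5d 01 02 03 ......Microsoft Virtual Machine Bus Network Adapter #2
 29...00 15 5d 01 02 04 ......Microsoft Virtual Machine Bus Network Adapter #3
  1...........................Software Loopback Interface 1
===========================================================================
"""

# "<index>...<optional MAC bytes> ......<adapter name>"
_IFACE_LINE = re.compile(r"^\s*(\d+)\.{3}(?:[0-9a-f]{2} ){0,6}\.*(.+?)\s*$", re.I)

def parse_interface_list(route_print_output):
    """Return {adapter name: interface index} from the Interface List block."""
    interfaces, in_list = {}, False
    for line in route_print_output.splitlines():
        if line.strip() == "Interface List":
            in_list = True
        elif in_list and line.startswith("==="):
            break  # rule that closes the block
        elif in_list and (m := _IFACE_LINE.match(line)):
            interfaces[m.group(2)] = int(m.group(1))
    return interfaces

def persistent_route_command(destination, gateway, metric, interface_index):
    """Build the host route (/32 mask) from the post's ROUTE syntax section."""
    return (f"route -p ADD {destination} MASK 255.255.255.255 {gateway} "
            f"METRIC {metric} IF {interface_index}")

def probe_route_commands(route_print_output, links):
    """links: (adapter name, probe IP, gateway, metric) per ISP. Fails loudly
    rather than emitting a route bound to a wrong or missing interface."""
    index_by_name = parse_interface_list(route_print_output)
    commands = []
    for adapter, probe_ip, gateway, metric in links:
        if adapter not in index_by_name:
            raise KeyError(f"adapter not listed in ROUTE PRINT: {adapter!r}")
        commands.append(persistent_route_command(
            probe_ip, gateway, metric, index_by_name[adapter]))
    return commands
```

Run against the real output of ROUTE PRINT on the TMG server, the returned strings are exactly the two route commands shown above.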
TIP:

How to bind a user or destination website to go through a specific link only in TMG

If you want to bind a specific user or group to go through a specific link only, use the following logic:
# First create the user/IP/IP range entry in FIREWALL POLICY > TOOL BOX / NETWORK OBJECTS >> Computer / Computer Sets or Address Range
# Then go to NETWORKING / NETWORK RULES and create a new NETWORK RULE with the following data:
Network Rule Name: WAN2 Users
FROM: Your specific computer IP / user / IP range
TO: External
Network Relationship: Network Address Translation (NAT)
NAT Address Selection: Use the specified IP, and then select your desired WAN link IP
Click FINISH and APPLY.

Note: As shown in the images below.

Now hit the APPLY button to make the changes.
To test, go to your client and open http://www.whatismyip.com
It will show you the new IP of the secondary link. :D

BEFORE NETWORK RULE: User requests are routed through the default first WAN link (PTCL).

AFTER NETWORK RULE: User requests are now routed through the second WAN link (FIBER).


Some Considerations and Info

To determine the availability of a particular ISP connection, TMG performs dead link detection by randomly polling one of the thirteen Internet root DNS servers on TCP port 53 (when TMG is deployed as a back firewall, make certain that TCP port 53 is open to the Internet). If the selected root DNS server responds, TMG considers the connection available. If it does not respond, TMG will poll additional root DNS servers at one minute intervals. If no replies are received after three consecutive attempts, TMG considers the connection unavailable and raises an alert. Once TMG identifies a connection as unavailable, it will wait for five minutes before attempting to poll again. Once it receives a response, TMG will continue polling at one minute intervals. When three consecutive responses have been received, TMG will consider the connection available.
In the default setting, TMG checks the status of the ISP link by trying to establish a TCP connection on port 53 (DNS zone transfer) to a list* of root DNS servers on a round-robin basis. If a connection can be established, TMG considers the link active.
* Default destination addresses in TMG RC:
192.58.128.30,193.0.14.129,198.32.64.12,202.12.27.33,198.41.0.4,192.228.79.201,192.33.4.12,128.8.10.90,192.203.230.10,192.5.5.241,192.112.36.4,128.63.2.53,192.36.148.17

  • TMG will wait at least 3 minutes until a link is considered down
  • A link will be considered down for at least 7 minutes (minimum failed time of 300 seconds + 2x OK interval of 60 seconds each)
  • A link has to be stable for at least 3 minutes before TMG will bring the link up again.
You can modify those default values by using the VBS script (mentioned in the links below).

Script to reduce link detection time:

http://aacable.wordpress.com/2012/03/27/forefront-tmg-2010-isp-redundancy-configuring-verification-of-link-status/
set root=CreateObject("FPC.Root")
set arr=root.GetContainingArray()
set ExtNet=arr.NetworkConfiguration.Networks("External")
set ISPRCfg=ExtNet.ISPRedundancyConfig
ISPRCfg.MinimalResumeTime = 30
ISPRCfg.TestIntervalLinkAvailable = 30
ISPRCfg.TestIntervalLinkUnavailable = 30
ISPRCfg.FailuresToUnavailable = 1
ISPRCfg.SuccessesToAvailable = 1
ISPRCfg.Save
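The figures in the considerations above (at least 3 minutes until a link is declared down, at least 7 minutes before it comes back) follow from the same properties the two VBS scripts set. As an added example that is not part of the original post, this Python model reproduces those figures for the TMG defaults and shows what the 10-second and 30-second scripts change; which poll interval applies in which link state is my assumption, as noted in the comments.

```python
# Added example (not from the original post): a timing model for TMG ISP
# Redundancy dead-link detection, built from the properties the VBS scripts set.
# Assumptions (mine, not from the post): polls are one TestIntervalLinkAvailable
# apart while a link is up; a link marked down is left alone for
# MinimalResumeTime, then re-polled every TestIntervalLinkUnavailable, with the
# first success counted at the end of that wait.
from dataclasses import dataclass

@dataclass(frozen=True)
class ISPRedundancyConfig:
    """Mirrors the ISPRCfg.* properties written by the scripts (seconds / counts)."""
    MinimalResumeTime: int
    TestIntervalLinkAvailable: int
    TestIntervalLinkUnavailable: int
    FailuresToUnavailable: int
    SuccessesToAvailable: int

# TMG defaults as the post describes them: 1-minute polls, 3 failures, 5-minute wait, 3 successes.
DEFAULT = ISPRedundancyConfig(300, 60, 60, 3, 3)
# The two tuned configurations from the post's scripts.
TUNED_10S = ISPRedundancyConfig(10, 10, 10, 1, 1)
TUNED_30S = ISPRedundancyConfig(30, 30, 30, 1, 1)

def seconds_until_down(cfg):
    """Outage to failover: FailuresToUnavailable consecutive failed polls,
    each one poll interval apart."""
    return cfg.FailuresToUnavailable * cfg.TestIntervalLinkAvailable

def seconds_down_minimum(cfg):
    """Shortest time a link stays marked down after the ISP recovers: the
    resume wait, then the remaining required successes one interval apart."""
    return cfg.MinimalResumeTime + (cfg.SuccessesToAvailable - 1) * cfg.TestIntervalLinkUnavailable

def triggers_failover(cfg, outage_seconds):
    """True when a loss of connectivity lasts long enough to be detected; with
    the 10 s script even a brief blip fails the link over and then holds it
    down, so aggressive values trade fast failover for flapping."""
    return outage_seconds >= seconds_until_down(cfg)

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT), ("10 s script", TUNED_10S), ("30 s script", TUNED_30S)):
        print(f"{name}: fail over after {seconds_until_down(cfg)} s, "
              f"fail back no sooner than {seconds_down_minimum(cfg)} s after recovery")
```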

I took help from the following websites for this article, and copied some text from them for general information. You can find some good references there for more detailed, step-by-step guides.
http://www.isaserver.org/tutorials/Exploring-ISP-Redundancy-Forefront-Threat-Management-Gateway-TMG-2010.html
http://www.isaserver.org/tutorials/microsoft-forefront-tmg-isp-redundancy-mode.html

http://microsoftguru.com.au/2011/04/26/ff-tmg-2010-configure-isp-redundancy-step-by-step/
Regards,
Syed Jahanzaib

February 23, 2012

Forefront TMG 2010 installation failed "SQL Installation Error" [Solved]

Today at my company I was installing TMG 2010 on Windows 2008 R2 64-bit on a Microsoft hypervisor VM and encountered the following errors during installation, related to SQL 2008:
Example:
# Forefront TMG Installation terminates – SQL Express 2008 Could Not Be Installed
# Error installing TMG 2010: failed to install SQL Express 2008 (reporting instance)
After some googling, I managed to resolve this problem. This is what I did:

# Go to Control Panel > Uninstall Programs
# Uninstall Microsoft SQL Server 2008
# Uninstall Microsoft SQL Server 2008 Native Client
# Go to C:\Program Files
# Delete the folders 'Microsoft Forefront Threat Management Gateway' and 'Microsoft SQL Server'
# Go to C:\Program Files (x86)
# Delete the folder 'Microsoft SQL Server'
# Reboot Windows
# Right-click the TMG Setup and select 'Run as Administrator', then follow the on-screen setup.

This time the installation went smoothly.
After this I installed TMG SP1 and SU1.
You can download SP1 from: http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=f0fd5770-7360-4916-a5be-a88a0fd76c7c
and you can download SU1 from: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=695d0709-0d8b-45ee-afdb-727c4428ca4d
Afterwards, download TMG SP2 and install it:
http://www.microsoft.com/download/en/details.aspx?id=27603



Forefront Remote Management Tool error
Refresh Failed. The parameter is incorrect.

If you have installed the Forefront Remote Management tool to manage your TMG remotely from your workstation, and you receive the following error:
Forefront Remote Management Tool error
Refresh Failed. The parameter is incorrect.

make sure that you have the same level of service packs and patches installed as on the TMG server. Also make sure that your IP is added to the TMG Remote Management Policy section (in the Firewall System Policy).
E.g.:

SU1, SP1, SP2 (Software Update 1, Service Pack 1, Service Pack 2)
I hope these steps will help you too :)
Regards,
Waseem Anjum Meo
