Forefront TMG Firewall Service Test

Load is a factor that can break a firewall! If the Forefront TMG firewall is overloaded with sessions/connections, it may slow down request processing by the firewall. Under such circumstances, administrators will have to identify the type of connections that are causing the overload – are they TCP connections? VoIP sessions? UDP connections? – and investigate why the count of such connections/sessions are unusually high on the firewall. Sometimes, insufficient worker threads on the firewall can also seriously decapacitate the firewall, rendering the firewall unable to handle its load. Another factor that can influence firewall performance is the ability of the firewall to perform DNS resolutions for its service connections; frequent DNS resolution failures can also delay request processing by the firewall. In the event of a slowdown therefore, administrators should be able to accurately pinpoint the reason for the slowdown – is it an overload condition? Is it because not enough worker threads are free? Or is it because of error conditions such as DNS resolution failures? The Forefront TMG Firewall Service test helps administrators in this exercise!

This test monitors the firewall service of the Forefront TMG and reports the following:

  • The number active TCP, UDP connections and VoIP sessions.
  • The rate at which data is read and written to the Forefront TMG
  • The number of active worker threads and the number of worker threads that are currently available
  • The number of failed and pending DNS resolutions

This way, network administrators can keep track of the firewall service and be proactively alerted to current/potential disturbances in the performance of the service.

Target of the test : A Forefront TMG Server

Agent deploying the test : An internal agent

Outputs of the test : One set of results for the Forefront TMG that is to be monitored.

Configurable parameters for the test
Parameter Description

Test Period

How often should the test be executed.

Host

The IP address of the host for which this test is to be configured.

Port

The port at which the specified host listens to. By default, this is 1745.

IsPassive

If this parameter is set to Yes, then it means that, by default, all the Forefront TMG servers being monitored by the eG system are the passive servers of a Forefront TMG cluster. No alerts will be generated if the servers are not running. Measures will be reported as “Not applicable” by the agent if the servers are not up.

Measurement Description Measurement Unit Interpretation

Accepting TCP connections

Indicates the number of connection objects that were waiting for a TCP connection from the Forefront TMG client after a successful remote connection is established.

Number

A high value could indicate an increase in the proxy server load, due to which lesser TCP connection requests are accepted.

Active sessions

Indicates the number of active sessions for this firewall service.

Number

 

Active SIP registrations

Indicates the total number of active SIP (Session Initiation Protocol) registrations.

Number

The Session Initiation Protocol (SIP) is a signaling communications protocol, widely used for controlling multimedia communication sessions such as voice and video calls over Internet Protocol (IP) networks.

A basic VoIP call is based on Session Initiation Protocol (SIP), which is the most common protocol used today. A SIP VoIP call is carried out using User Datagram Protocol (UDP), and incorporates two protocols: Session Initiation Protocol (SIP) for call establishment and termination, and Real Time Protocol (RTP) for media (audio and/or video).

A VoIP call requires a minimum of three opened connections, one for SIP and two or more for media. Since the media ports are usually selected dynamically by the phone, the firewall needs to understand SIP in order to open and close the media connections.

In Forefront TMG, a SIP filter is provided to manage the opening and closing of the media connections automatically, based on the SIP transactions between allowed endpoints. The filter also checks quota, thus preventing DoS attacks by ensuring that only a configurable number of calls or registrations is allowed by the firewall. Accordingly, if the value of the Active SIP registrations measure is equal or close to the maximum registrations allowed by the firewall, it could imply that too many VoIP calls are passing through the firewall. When there is an overload condition, you may want to compare the value of this measure with the Active TCP connections and Active UDP connections measures to understand the type of connections/sessions that are contributing the most to the overload.

Active SIP sessions

Indicates the total number of active SIP (Session Initiation Protocol) sessions.

Number

Active TCP connections

Indicates the number of active TCP connections that are currently passing data through this firewall.

Number

The number of connections that are not established and the pending connections are not counted for this measure. A high value could indicate a TCP connection overload on the firewall.

Active UDP connections

Indicates the number of active UDP connections for this firewall.

Number

A high value could indicate a UDP connection overload on the firewall.

Data read rate

Indicates the rate at which data is read by the data pump of the Forefront TMG.

KB/sec

A consistent drop in the value of these measures could indicate a read-write slowdown on the firewall.

Data write rate

Indicates the rate at which data is written by the data pump of the Forefront TMG.

KB/sec

Failed DNS resolutions

Indicates the number of gethostbyname and gethostbyaddr application programming interface (API) calls that have failed.

Number

The API calls are used to resolve host DNS domain names and IP addresses for Firewall service connections.

Ideally, the value of this measure should be minimum. A high value can adversely impact the overall health of the firewall service.

Log queue size on disk

Indicates the size of the Forefront TMG log queue on disk.

KB

 

Pending DNS resolutions

Indicates the number of gethostbyname and gethostbyaddr API calls that are currently pending resolution.

KB

Ideally, the value of this mesure should be zero. Generally, the TMG firewall relies heavily on DNS to perform name resolution and authentication. Therefore, it is vital that name resolution be performed quickly and efficiently, especially for TMG firewalls that are joined to a domain. If the value of this measure sustains a non-zero value for a longer period, then the name resolution infrastructure should be investigated closely. These are calls used to resolve host DNS domain names and IP addresses for Firewall service connections.

Pending TCP connections

Indicates the number of pending TCP connections.

KB

Ideally, the value of this measure should be zero. If the value of this measure increases in accordance with the PendingDNS measure, then it indicates that the current workload on the firewall is high and the firewall is incapable of handling such huge workloads.

Worker threads

Indicates the total number of firewall service worker threads that are currently active.

Number

Higher the value of this measure, the busier the firewall service is. A consistent increase in the value could hint at a potential overload condition.

Connections blocked by NIS

Indicates the rate at which the connections were blocked by NIS in User mode.

Connections/sec

 

Retrieved percentage of DNS domains

Indicates the percentage of time the DNS domain name was found in the DNS cache of the firewall service.

Percent

A high value is desired for this measure.

Available worker threads

Indicates the number of Firewall service worker threads that are available or waiting in the completion port queue.

Number

The increase in the number may affect the performance of the host / applications.