OpsMgr R2 by Example: the TMG MP

The TMG management pack adds support for monitoring Forefront Threat Management Gateway (TMG) with Operations Manager 2007. TMG runs only on the X64 versions of Windows Server 2008 and Windows Server 2008 R2. All versions of TMG are monitored including TMG Medium Business Edition (MBE) and Forefront TMG 2010 Enterprise and Standard editions.

How to Install the TMG MP

  1. Download the TMG management pack from the management pack catalog. The TMG Management Pack Guide is available on the same URL as the download and is labeled “OM2007_MP_TMG.DOC”
  2. Review the Management Pack Guide – cover to cover. This document spells out some important pieces of information you will need to know.
  3. Import the TMG MP (using either the Operations console or PowerShell).
  4. Deploy the OpsMgr agent to all TMG servers. Agent-less monitoring for TMG servers is not supported.
  5. Enable Agent Proxy configuration on all TMG servers. This is in the Administration node, under Administration -> Device Management -> Agent Managed. Right-click each TMG server, select Properties, click the Security tab, then check the box labeled “Allow this agent to act as a proxy and discover managed objects on other computers.” (If you have a large number of agents to enable this setting for, the TMG MP guide contains a script to automate this task.)
  6. Create a TMG_Overrides management pack to contain any overrides required for the MP.

How to Configure the TMG MP

After installing the TMG management pack, there is additional configuration and tuning to adjust management pack settings to your particular environment. Here is a list of configuration tasks for the TMG management pack:

Create groups needed for overriding targets with common requirements in your environment

As with other management packs, the groups needed for management pack tuning depend on the specifics of your deployment and the support model for your organization.

In the case of management groups monitoring TMG firewalls as well as SQL 2008 databases, there are two SQL 2008 database monitors, enabled by default, which should not be running on TMG firewalls. Resolve this issue by creating a group such as “TMG ISARS Databases”. Populate this group with the ISARS SQL database objects discovered on each TMG server. Then create overrides in each of these SQL 2008 database monitors to disable monitoring for the group you created:

  • SQL Server Full Text Search Service Monitor
  • Blocking SPIDs

Install TMG console, stage utilities, and configure security to support tasks

If the TMG console is collocated with an installation of the Operations Manager 2007 Operations console, the OpsMgr console will be able to launch the TMG console. To support this feature, add the OpsMgr operator to one of the following Forefront TMG roles:

  • Forefront TMG Administrator (Array or Enterprise Administrator in Enterprise Edition)—Allows full access to Forefront TMG monitoring and configuration.
  • Forefront TMG Auditor (Array or Enterprise Auditor in Enterprise Edition)—Allows full access to Forefront TMG monitoring, able to view Forefront TMG configuration, and able to configure logging and alerting.
  • Forefront TMG Monitoring Auditor (Array or Enterprise Monitoring Auditor in Enterprise Edition)—Allows full access to Forefront TMG monitoring only.

In addition, you should add the OpsMgr operator’s computer to either the Remote Management Computers or Enterprise Remote Management Computers Forefront TMG computer sets.

Here are two other utilities that need to be staged on the managed TMG server to be launched correctly by tasks in the console:

Create a Firewall Access Rule on the TMG firewall configuration

You must configure an access rule in Forefront TMG to allow the Forefront TMG computer to communicate with the management servers. This will be from the Local Host network to an “SCOM Set” computer set that contains all management or gateway servers on TCP port 5723. The access rule is per-array for Forefront TMG Enterprise Edition and per-server for Forefront TMG Standard Edition and TMG Medium Business Edition.

TIP: Steps to create a firewall access rule that supports monitoring, but not automatic agent install, are included in the TMG MP guide. The TMG MP guide covers only manual agent install. If you have a large number of firewalls that require installing the OpsMgr agent, consider allowing automatic agent install as follows:

  • Extend the rule created according to the TMG MP guide to include the protocols needed for automatic agent installation, and disable strict RPC checking in the rule properties.
  • Exclude the “SCOM Set” computer set from the built-in system policy for Active Directory communications.

Figure 1 illustrates an Enterprise-level rule that permits the necessary access (remember to disable strict RPC checking on this rule), as well as the edited system policy for an array that excludes the “SCOM Set” from the system policy rule.


Figure 1 – Firewall rule and system policy exceptions to support automatic OpsMgr agent installation

Install the Network Load Balancing management pack if using TMG NLB

If your TMG 2010 Enterprise Edition firewalls will be running in array configuration with NLB enabled, import the Windows Server 2008 Network Load Balancing Management Pack for Operations Manager 2007 as well as the TMG MP. While TMG does control all NLB functions on a TMG array member, the NLB MP provides a useful performance view to help you confirm that all members of an NLB team are about equally loaded.

Figure 2 charts the load distribution across nodes (received and sent packets per second) on the Internet interfaces of a three-node TMG enterprise array.

Figure 2 – Leverage the NLB management pack to confirm equal load distribution across TMG array nodes

Perform general health and configuration monitoring

General health monitoring for TMG firewall computers is implemented by watching these thirteen TMG server components, each of which has their own state view folder, as well as being exposed in columns of the top-level Firewall state view:

  • Cache State View
  • Publishing-Enabled TMG Servers State
  • E-Mail Protection State
  • Reporting State
  • HTTPS Inspection State
  • SIP State
  • ISP Redundancy State
  • URL Filtering State
  • Malware Inspection State
  • VPN State
  • Network Inspection System State
  • Web Proxy State
  • Network Load Balancing State

Performance views in the TMG MP are simplified, with the primary view being a single dashboard view named Server: Core Performance Data. This view is optimized to compare the overall CPU time and firewall service CPU time across TMG array members or individual servers.

The TMG enterprise health topology diagram validates the ADAM (Active Directory Lightweight Directory Services) instance supporting the organization’s firewall arrays, and is represented by the health of each CSS component (known in TMG as the Enterprise Management Server, or EMS) and the health of each managed firewall array. The health of each multi-node array is represented by the NLB-redundant services running on each firewall node.

Figure 3 shows the health model of a TMG enterprise with two CSS (EMS) servers and two multi-node arrays. The NLB service of the first array is expanded to the node level.

Figure 3 – Firewall services running on multiple NLB nodes are the focus of TMG enterprise monitoring

The TMG MP adds eight reports to the OpsMgr Reporting space. Two report on top alerts and events, two target TMG performance counters, and four reports on TMG configuration data from the CSS, enterprise, array, and server perspectives. The array report, when targeted at multiple arrays in the enterprise, is a useful way to audit which TMG enterprise policy is applied to each TMG array, Figure 4 is an example of this report, invoked from the Tasks area in the Monitoring space.


Figure 4 – TMG reports assist with security configuration auditing

Tuning / Alerts to look for in the TMG MP

The rules and monitors generating false (or otherwise non-actionable) alerts will vary from one environment to another. For the alert rules mentioned here, the issues do not appear immediately after importing the management pack, rather over time during normal product use.

Alert: The SQL Server Service Broker or Database Mirroring transport is disabled or not configured.

Issue: The SQL Server MP does this check on all SQL servers. Any alert generated by this rule does not apply to TMG computers.

Resolution: Created an override that disables this rule for the class Microsoft Forefront TMG Computers.

Alert: Forefront TMG Server: Web Proxy – Current Direct Fetches Avg Ms Per Request Performance Monitor

Issue: Busy TMG servers can be noisy with this rule. The default threshold of 20 seconds per request can be modified to a higher setting to reduce alert volume.

Resolution: Disabled due to false alerts which were generated from the management pack.

Alert: Forefront TMG Server: Cache – Current Cache Fetches Avg Ms Per Request Performance Monitor

Issue: Busy TMG servers can be noisy with this rule. The default threshold of 0.3 seconds per request can be modified to a higher setting to reduce alert volume.

Resolution: Disabled due to false alerts that were generated from the management pack.

Monitor: Forefront TMG Server: Configuration State Monitor

Issue: This monitor can be a source of ‘configuration churn’ in very large OpsMgr environments that are also managing large numbers of TMG servers. Each new version of the enterprise configuration triggers a new discovery for each TMG server. This is only an issue in very large environments, and is only indicated when symptoms of configuration churn are detected.

Resolution: Disabled due to high number of object discoveries that were generated from the management pack.

This entry was posted in Tuning and Configuration. Bookmark the permalink.

4 Responses to OpsMgr R2 by Example: the TMG MP

  1. Valery says:


    Very useful article, thanks!

    I have a question, please help.

    I imported the management pack and install agents on TMG servers. The TMG servers appear in the view “Microsoft Forefront Threat Management Gateway – Computer State”. But in the following view TMG servers does not appear “Microsoft Forefront Threat Management Gateway – Array State, Enterprise State”.

    What’s the problem?

    • Hi Valery:

      Recommend checking the following:

      1. You have deployed a SCOM agent also to any computers running the TMG EMS component, as well as TMG firewall components.
      2. On all TMG firewall and EMS computers, the SCOM agent is allowed to act as a proxy and discover other objects (Administration -> Device Management -> Agent Managed -> computer -> Properties -> Security).

      Hope this helps!

  2. Lizard says:

    Hi. I cannot seem to get a SCOM agent installed on my TMG server, no matter what I do. Do you have any advice or procedure for how to do this? I am running SCOM2012.

    • Hi Richard,
      Push (automatic) install of SCOM agent on TMG is not supported; manual install of SCOM agent on TMG is normally successful and presents no issues.
      Of course it is necessary to add the SCOM server(s) to the System Rules in TMG that concern SCOM.

      Hope this helps!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s