Performance Tuning Forefront TMG 2010

Microsoft Forefront TMG 2010 has been a solid product. It has not had an update in some time, and that’s a shame.

I was reviewing my TMG server a few weeks ago in order to get a bit more performance from it. The server is virtualized, and currently only gives me around 50-60mb/s throughput with all its rules. I wanted to increase this and make it more responsive in the process.

So let us proceed:

#1 Sort Rule Priority

Like most other firewalls, TMG processes rules from top to bottom. If you have a frequently accessed rule, like web browsing, for example, put this at the top. For me, this was a spam filter listening rule. TMG had connections coming in for the spam filter at the rate of 5-10 per second. I moved these to the top.



The next rule you want to sort out is traffic from the TMG server. I would generally add this as my second/third rule.


After this came my office outbound rules.


After this came the rest of my rules, which consisted of various servers, VoIP, etc.

#2 Disable Legacy Services

Since TMG is now discontinued, many of the services in TMG are no longer updated. It’s up to you, but you might as well disable them to recover some performance. These services are:

  • IPS
  • Spam Filtering
  • Virus and Content Filtering

Ensure each one is disabled. You might be a bit hesitant to disable these. If you check your definitions, you will find they have not been updated in some time.



#3 Remove Old Rules

Lastly, remove any old rules. We don’t tend to look at firewalls often. So this simple task often gets overlooked.

As well as removing the old rules, ensure that you make your listener rules only listen to what’s needed. This will cut down on processing time.
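The ordering advice in #1 and the clean-up in #3 can both be driven from log data. The following is an added example, not part of the original post: it ranks rules by how often they matched and marks rules with no hits as removal candidates. The rule names and sample data are constructed, and it assumes you have exported the current rule order and the rule-name column of the TMG log to CSV.

```powershell
# Constructed sample data; rule names are hypothetical.
# $ruleOrder: rules in their current evaluation order (1 = evaluated first).
$ruleOrder = @'
Order,Rule
1,Office Outbound Web
2,VoIP Servers
3,Old Vendor VPN
4,Local Host Access
5,Spam Filter Inbound
'@ | ConvertFrom-Csv

# $logHits: one row per logged connection, reduced to the rule that matched it.
$logHits = @'
Rule
Spam Filter Inbound
Spam Filter Inbound
Local Host Access
Spam Filter Inbound
Office Outbound Web
Spam Filter Inbound
Local Host Access
VoIP Servers
Spam Filter Inbound
Office Outbound Web
'@ | ConvertFrom-Csv

function Get-RuleOrderReport {
    param($RuleOrder, $LogHits)
    # Count matches per rule name
    $counts = @{}
    foreach ($g in ($LogHits | Group-Object -Property Rule)) { $counts[$g.Name] = $g.Count }
    $rows = foreach ($r in $RuleOrder) {
        $hits = 0
        if ($counts.ContainsKey($r.Rule)) { $hits = $counts[$r.Rule] }
        [pscustomobject]@{ Rule = $r.Rule; CurrentOrder = [int]$r.Order; Hits = $hits }
    }
    # Busiest rules first; ties keep their existing relative order
    $rank = 0
    foreach ($row in ($rows | Sort-Object @{Expression='Hits';Descending=$true}, CurrentOrder)) {
        $rank++
        [pscustomobject]@{ Rule = $row.Rule; Hits = $row.Hits; CurrentOrder = $row.CurrentOrder
                           SuggestedOrder = $rank; RemovalCandidate = ($row.Hits -eq 0) }
    }
}
# First match wins, so only swap rules whose source, destination and protocol do not overlap.
Get-RuleOrderReport -RuleOrder $ruleOrder -LogHits $logHits | Format-Table -AutoSize
```

Use a log window long enough to cover rules that only fire occasionally (month-end jobs, backup links) before treating a zero-hit rule as dead.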


TMG is a great product, but now beyond its use-by date. TMG will always hold a special place in my software archive as a product that could have become a great firewall appliance <3

I hope this helps.

Exchange 2013: ECP double login, error 400

After an upgrade of Exchange 2013 from CU1 to CU2 we could no longer access the ECP part of Exchange. OWA worked fine. We got a blank screen with bad request, error 400.

After a lot of searching, it looks like the upgrade for Exchange wipes out the web.config file which has all the settings for authentication on ECP.

See the following:


Be aware that this is incorrect after an upgrade. Set Basic authentication to true again to ensure the setting is correct (note that forms-based authentication is turned off because we use TMG).

Also make sure the internal and external URLs for the ECP directory are reset, as these are also wiped.

This is a known bug. See KB2871485.

Publishing Exchange 2013 OWA using Threat Management Gateway 2010 (TMG)

It still makes me sad that TMG has been retired and superseded by UAG (URGH!). That’s a whole other blog post though.

One thing that is not explained about publishing Exchange 2013 OWA with TMG is the security settings. Recently, I have been deploying a multi-tenancy solution involving single sign-on between SharePoint 2013, Exchange 2013 and Remote Desktop Gateway. One problem is that many of these products have issues with TMG 2010 out of the box and require slight tweaking.

Today I will focus on Exchange 2013.

Go through the default wizard in TMG 2010 for publishing Exchange 2010 OWA (Web Access). You want to make sure that the Authentication Delegation is set to basic.


On your Exchange server, log in to the admin centre (ECP) and go to servers -> virtual directories. Select the OWA virtual directory and change the authentication to basic.


You should also do this with your ECP virtual directory.

If you don’t set these virtual directories, you will need to log in twice. When TMG authenticates, it will send you to the OWA login. Not a good look.

I also suggest reading the following link about setting the log off page in TMG.
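The same settings can be checked and re-applied from the Exchange Management Shell, which is useful after a cumulative update resets them as described in the ECP post above. This is an added example, not part of the original post; the server name and URLs are placeholders.

```powershell
# Run in the Exchange Management Shell. Server name and URLs are placeholders.
$Server  = 'EXCH01'
$Desired = @{
    owa = @{ Internal = 'https://mail.example.com/owa'; External = 'https://mail.example.com/owa' }
    ecp = @{ Internal = 'https://mail.example.com/ecp'; External = 'https://mail.example.com/ecp' }
}

function Test-VDirDrift {
    param($VDir, $Want)
    # Collect every setting that differs from what TMG Basic delegation needs
    $problems = @()
    if (-not $VDir.BasicAuthentication) { $problems += 'BasicAuthentication is off' }
    if ($VDir.FormsAuthentication)      { $problems += 'FormsAuthentication is on (second login after TMG)' }
    if ("$($VDir.InternalUrl)".TrimEnd('/') -ne $Want.Internal) { $problems += 'InternalUrl differs or is empty' }
    if ("$($VDir.ExternalUrl)".TrimEnd('/') -ne $Want.External) { $problems += 'ExternalUrl differs or is empty' }
    return ,$problems
}

$targets = @(
    @{ Kind = 'owa'; Dirs = @(Get-OwaVirtualDirectory -Server $Server); Set = 'Set-OwaVirtualDirectory' }
    @{ Kind = 'ecp'; Dirs = @(Get-EcpVirtualDirectory -Server $Server); Set = 'Set-EcpVirtualDirectory' }
)

foreach ($t in $targets) {
    $want   = $Desired[$t.Kind]
    $setCmd = $t.Set
    foreach ($v in $t.Dirs) {
        $problems = Test-VDirDrift -VDir $v -Want $want
        if ($problems.Count -eq 0) { Write-Host "OK    $($v.Identity)"; continue }
        Write-Warning "$($v.Identity): $($problems -join '; ')"
        # -WhatIf only previews the change; remove it to apply.
        & $setCmd -Identity $v.Identity -BasicAuthentication $true -FormsAuthentication $false `
            -InternalUrl $want.Internal -ExternalUrl $want.External -WhatIf
    }
}
# After applying, restart IIS (iisreset /noforce) so the authentication change takes effect.
```

Basic authentication passes credentials in a reversible encoding, so keep the TMG-to-Exchange leg on HTTPS.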

Microsoft UAG 2010 SP3

Microsoft has released UAG SP3.

Here are the highlights:

  • New support for publishing Exchange Server 2013
  • New support for publishing SharePoint Server 2013 (including support for host-named site collections)
  • Additional platform support for Windows 8 clients, including Windows RT
    • Users can use Internet Explorer 10 (both Modern and Desktop apps)
    • Users can use the built-in Windows 8 Mail app to connect to published Exchange servers
    • Users can use the Windows 8 Remote Desktop Connection (RDC) 8.0 client to connect to published resources
    • Support for Windows Phone 8 client devices
    • Additional support for the RDC 8.0 client running on Windows 7 SP1 and Windows Server 2008 R2 SP1
    • New support for Office 2013 client applications: Outlook, PowerPoint, Word, and Excel
    • Various bug fixes (see details in the SP3 KB article by following the link below)

This is a highly anticipated release as there is no real way to publish Server 2012 remote apps and Exchange 2013.

Here are the steps to install UAG SP3.

  1. If you have TMG 2010 SP1 installed, install SP2
  2. If you have UAG 2010 SP1 installed, ensure that UAG SP1 Update Rollup 1 is installed
  3. Install UAG 2010 SP2
  4. Install UAG 2010 SP3

For detailed information (installing on a load-balancing array, etc.), please see this Microsoft link.

Exchange 2010 SP2 with TMG / Forefront installed

SP2 has been out now for Exchange 2010 for a little while. I’ve experienced many issues over the time I’ve supported Exchange 2010 since RTM. The first RTM didn’t play very nice with Forefront Protection at all.

Here are some steps to successfully install this on a server running TMG 2010 and Forefront Protection.

1) Make sure you have a good backup
2) Stop the TMG Managed Control service and any backup agents. This is a requirement of the Exchange setup. Note: there is no problem doing this remotely.
3) Install SP2
4) If you have any issues with services, reboot and you should be fine.

The install all went smoothly.