TMG SCOM-Pack – Monitor TMG with System Center 2007 R2

The “one stop shop” is a leading concept for a monitoring program like SCOM.

When we looked for a monitoring program for testing TMG servers internally, we decided to explore MS System Center 2007 R2 for this purpose, knowing that the Forefront TMG product team is developing an out-of-the-box SCOM pack for administrators that includes a set of rules, monitors and performance counters.

New features like Enterprise Malware Protection (EMP), HTTPS Inspection and URL Filtering are now supported. 

This post describes the deployment and configuration of a Forefront TMG SCOM pack to better monitor and evaluate Forefront TMG server functionality and performance.

Disclaimer: The information and code attached in this blog post are not officially supported by Microsoft. They have been tested to work in a Forefront TMG RC test environment. Please use them in a test environment before deploying in production.

Forefront TMG SCOM-Pack deployment – SCOM Server Side

 

Let’s start by understanding the Operations console. The Operations console is made up of the following parts:

Image 1: SCOM server main console

Click Administration in the navigation buttons, right-click Management Packs, select Import Management Pack, browse to the location of your MP file and import it.

Image 2: SCOM server Administration console view

You’ll find the Forefront TMG SCOM pack in the list of packs.

Image 3: SCOM server Administration console view

That’s it for the SCOM server side. It’s set with the appropriate monitors and rules for your TMG servers right out of the box.

 

TMG SCOM pack deployment – Forefront TMG Side

Now let’s deal with the TMG server rule set to allow the traffic from TMG to SCOM. TMG Beta3 contains 2 system rules that allow SCOM traffic to pass. These rules are part of the system policy rules, and you should enable them once you install the SCOM agent.

Image 4: Forefront TMG System policy rules view

Notes

  1. TMG does not currently support the remote installation of the SCOM agent through the SCOM server, so until this is fixed, you’ll have to install the SCOM agent from the TMG side, providing the SCOM agent installation wizard with the SCOM management group and server names.
  2. You must restart the TMG FW service after the SCOM agent installation to allow traffic to flow towards the SCOM server.
  3. It can take a few minutes to see data from the Forefront TMG server loaded in SCOM.
  4. You need SCOM 2007 R2 to import the Forefront TMG SCOM pack without dependencies on other SCOM packs. If you are using an earlier version of SCOM/MOM, note that you may be required to import a few other SCOM packs that the Forefront TMG SCOM pack depends on.

You have now completed the end-to-end TMG - SCOM monitoring deployment.

Using the newly deployed package

The first step is to click the Monitoring Navigation button on the SCOM console and look for MS Forefront TMG in the Navigation Pane. It lists built-in performance counters, TMG Server Roles and Monitors, active alerts from your TMG machines and Computer State.

Image 5: SCOM Left Navigation Tree showing the relevant TMG components

Image 6: Two of the main counters powered by TMG SCOM pack

By right-clicking on each of these graphs, you’ll get an extensive set of filtering options to display data ranges from minutes to weeks.

A few of the many cool options powered by the SCOM pack:

1. A diagram view of the deployed Forefront TMG servers.

2. You can add the Forefront TMG alerts view to your counter graphs, showing alerts along the timeline of the graph, as can be seen in the graph above.

3. One repository for alerts for all of your TMG and other servers in the organization.

Image 7: SCOM Left Navigation Tree showing the relevant TMG components

4. You can take action upon a specific event or alert, like sending a mail/IM/SMS or running a command line or a script.

Image 8: SCOM server Administration console view

Troubleshooting connectivity issues between Forefront TMG and SCOM

Use the TMG log-viewer to troubleshoot connectivity. You can monitor the traffic between TMG and the SCOM server (destined to ports 5723, 5724) and validate that it’s reaching the SCOM server.

Image 9: Forefront TMG log-viewer
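
An added example (not part of the original post or of the TMG SCOM pack): a PowerShell script, run on the TMG server, that checks the two things this procedure depends on, the state of the agent and firewall services and TCP reachability of the SCOM server on ports 5723 and 5724. The server name scom01.example.test is a placeholder, and the service names HealthService and fwsrv are assumptions that the post does not state.

```powershell
# Added example: run on the TMG server after enabling the SCOM system policy
# rules and restarting the firewall service. Works on PowerShell 2.0.
param(
    [string]$ScomServer = 'scom01.example.test',  # placeholder, not from the post
    [int[]]$Ports       = @(5723, 5724),          # ports named in the post
    [int]$TimeoutMs     = 3000
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    $state  = 'Open'
    $detail = ''
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)   # throws on refusal or DNS failure
        } else {
            $state  = 'TimedOut'         # no answer at all within the timeout
            $detail = "no reply within $TimeoutMs ms"
        }
    } catch {
        $state  = 'Failed'
        $detail = $_.Exception.Message
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property @{
        Target = "${HostName}:$Port"; State = $state; Detail = $detail
    }
}

# Service names are assumptions (not stated in the post): HealthService is the
# SCOM agent service, fwsrv the TMG firewall service.
foreach ($name in 'HealthService', 'fwsrv') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        "{0,-14} {1}" -f $name, $svc.Status
    } else {
        "{0,-14} not installed" -f $name
    }
}

$results = foreach ($port in $Ports) { Test-TcpPort $ScomServer $port $TimeoutMs }
$results | Format-Table Target, State, Detail -AutoSize
if ($results | Where-Object { $_.State -ne 'Open' }) {
    Write-Warning 'SCOM port check failed; check the matching entries in the TMG log viewer.'
}
```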

Conclusion

This post covered deployment and configuration of a SCOM pack to better monitor and evaluate TMG’s deployed functionality and performance. However, there were some areas that were not covered but might also be useful for enhancing the monitoring requirements, which I’ll get to in my next posts:

1. Advanced tasks for extending the Forefront TMG SCOM pack capabilities, like adding rules, monitors and counters of your own.

2. Administering the TMG SCOM pack using PowerShell.

Feedback is welcome.

Author:

Gabriel Koren, Forefront TMG Test team.

Reviewers:

Noam Ilovich, Program Manager, Forefront TMG Team

Roiy Zysman, Lead, Forefront TMG test team