Announcing the availability of TMG Best Practices Analyzer Version 8

I am happy to announce to the community that the next version of Forefront TMG Best Practices Analyzer Tool (TmgBPA version 8) has been released and is now publicly available. 

TmgBPA is used by TMG administrators to verify proper configuration, and to help troubleshoot TMG-related issues. TmgBPA is also used for collecting all the relevant data when an administrator requires Microsoft Product Support services. In many cases collecting all the relevant data upfront helps shorten the resolution time quite drastically.


The focus of v8 is its adaptation to Forefront TMG 2010, released in late 2009. Compared to ISA Server 2006, TMG supports many new major scenarios, including URL Filtering, ISP Redundancy, HTTPS Inspection, Anti-Malware Protection, Enhanced VoIP support, and much, much more. These new components require new configuration checks, and they also generate new logs that BPA must collect. (A list of TMG features can be found here.) 


Please note that we now support two separate tools: IsaBPA (v7), intended to run on ISA Server computers, and TmgBPA (v8), intended to run on TMG computers.


I feel obliged to mention the outstanding contribution of Alexey Doctorovich and Idan Plonsky to this release, together with a long list of contributors from the TMG product team and from the TMG Product Support Services team.


I encourage every TMG administrator to download the TmgBPA tool and give it a test-drive. The tool is available now online. Note:  The tool will require .NET 2.0 framework and above to be installed first..  We are always excited to hear feedback and you can mail your comments, requests, information about bug reports, etc. to alias.


Neta Amit

Senior Program Manager

Comments (16)
  1. Pronichkin says:

    Sorry for a typo: “main mage” -> “main page” 🙂

  2. Pronichkin says:

    Hi guys! Do you approve blog comments?

  3. Thanks for pointing out the faulty alias. The correct alias has now been corrected in the text:

  4. Anonymous says:

    New to TMG here.  Just installed the BPA latest version but it fails to update, I assume because TMG default rules are denying the connection.  I have added a proxy setting to IE to allow for Windows Updates.  I’ll check the logs to see if I can figure it out.

  5. Pronichkin says:

    Hmm. I try to post actual feedback (a rather long comment) and it doesn’t work. After pressing “Submit” I am just redirected to the blog’s main mage without any notice.

    I also tried to send you an email and received an NDR saying that your alias “isabpa” doesn’t exist.

  6. Anonymous says:

    Hi there, is this version of the tool compatible with the Forefront Threat Management Gateway (TMG) Version: 6.0.6417.100 MBE included with EBS08?

  7. Armando Valdes says:


    As Michel pointed out, after installation on a 2008 R2, BPA updates fails with error "An-error-occurred-trying-to-access-the-web". However TMG is configured to allow http and https access. Actually UAC Disabled. Can not find how to do an update manuallly.

    Thanks for your help.

  8. We're having the same problem.  Installed TMG on a fresh 2008 R2 build.  Applied our ISA2006 backup as the initial config for TMG (not sure if that matters).  We installed the TMGBPA tool and it fails to update itself (even after creating a temporary "allow all" rule for the localhost).  The error reads "An error occurred trying to access the web".  there's nothing in the event log that appears to be related to this issue.

    Any thoughts?  Is there a way to manually update?


    Also – not sure if this is relevent or not, but when we run the tool (without any updates of course), we get two critical issue back: 1) "the Secure channel to the domain controller cannot be verified" and 2) "Forefront TMG Services are not installed".  TMG Services are certainly installed though.  Not sure what's going on there.

  9. Update – I e-mailed the alias mentioned above.  The reply from MS was that "The Update feature is currently broken (a known issue, but no ETA at this time)".  At least I know that issue isn't me, now to figure out the "secure channel" issue.


  10. Jeff25 says:

    Follow-on to Darrin…it's now 25 Mar 2011 and here, at least, "the update feature is [still] currently broken". Empirically, Best Practices are a low priority in the MS's Forefront group.

    I have the same secure channel problem, too, BTW, but am inclined to dismiss it as additional evidence of incompetent coding of the BPA.

  11. Jan Kaestner says:

    I use ISABPA on ISA 2006 and this is also still not updateing itself!

  12. Steve Donnelly says:

    I don't know if anyone else is having a similar issue to that reported by Darrin above: –

    1) "the Secure channel to the domain controller cannot be verified" and 2) "Forefront TMG Services are not installed"

    I found that I was also getting this report and that the solution was to simply launch BPA with Administrator perms.

  13. paul says:

    Yes, we also get the same error message as Darrin above when TMGBPA is initially loaded i.e. "An error occurred trying to access the web".  Then the same errors concerning the DC secure channel and TMG services not being installed.

    Have also attempted to load the TMGBPA elevated using UAC and get the same errors.

  14. paul says:

    The errors concerning the DC secure channel and TMG services are found to disappear when the TMG BPA is started with a domain account that has "Domain Administrator" rights & elevated.  However this does not resolve the update issue.


  15. paul says:

    Sorry, that last reference link was pasted incorrectly.  It should be:…/59cf7d26-7511-4d24-a830-96f1b5ddaf84

    Hope this helps others?


  16. whatever says:

    Guess Microsoft doesn’t care.. this is what you can expect from their business line of products. They will leave you hanging high and dry.

Comments are closed.

Skip to main content