
Forefront TMG 2010 Configuration Change Tracking Description Quick Tip

December 5, 2012

Configuration change tracking is an important tool that Forefront TMG 2010 firewall administrators can use to audit changes made to the policy and configuration of TMG. This feature originally appeared with ISA 2006 SP1, where it was optionally enabled by the administrator. Beginning with Forefront TMG 2010, this feature is enabled by default. When applying changes made to TMG, the administrator is prompted to enter a description of the change, which is included in the change tracking log.

Forefront TMG 2010 Change Tracking Description Prompt

If you check the box Do not show this prompt again you will, of course, not be prompted to enter descriptions for applied changes in the future. If you later decide you’d like to have this feature back, highlight the Troubleshooting node in the navigation tree and select the Change Tracking tab in the main window. In the Tasks pane click Configure Change Tracking and check the box next to Show prompt for a change description when applying configuration changes.


  1. vmPete
    December 5, 2012 at 2:14 pm

    I’ve ultimately decided to leave this on. Yeah, it can be a little bit of a headache sometimes, but what I found is that comments allow me to provide context around the change, not just the change itself.

  2. December 6, 2012 at 5:45 pm

    Good idea. There’s obviously detailed information entered in the change tracking log when you save and apply changes, but it can sometimes be helpful to add a note too. Often administrators will add help desk request or change management authorization numbers for future reference.

  3. Mauro
    January 25, 2013 at 5:26 am

    Hello Richard, I have a question. We have 14 TMG Proxy servers and each one has one Public IP and one private IP (over the same subnet).
    This server group provides services to 300.000 users (20.000 users concurrent approx.) and if I estimate that each user has 20 or 30 sessions, the group of servers will be full.

  4. January 25, 2013 at 2:34 pm

    Sounds like a very busy array! I’m not certain what your question is however. 😉

  5. Mauro
    January 28, 2013 at 6:47 am

    My question is how many connections (sessions) each TMG Proxy supports (with one Public IP and one Private IP). If I have 20.000 concurrent users, and each user has 20 sessions (browsers, Skype, Google Drive, etc.), will the server be full and reject new sessions? We have problems, for example with browsers that lose connections; we restart the browser and it is online again. (Sorry for my English.)

  6. January 28, 2013 at 8:39 pm

    Standard answer here…it depends. 😉 As you are no doubt aware, concurrent users do not equal concurrent connections! On a very heavily loaded system like you describe, you could very well encounter TCP port exhaustion. You’ll have a far greater chance of success if most/all of your clients are explicit web proxy clients because they make more efficient use of TCP connections. SecureNAT clients will consume easily three times the amount of TCP ports, however, so be careful there. I would strongly recommend that you configure your array members with multiple IP addresses on the internal network interfaces to reduce/eliminate any issue with TCP port exhaustion for sure. As far as load is concerned, that is directly influenced by your hardware configuration. I’d suggest monitoring your performance closely and making sure you’ve got ample CPU and memory resources. Physical is probably better than virtual in your scenario too, as optimum performance is key.
