
It was late in the Spring of 2010. I was working my way across the tubes as the chief technologist on an archaeological dig whose goal was simple: exploration and exploitation of binary resources. We were to venture deep into the heart of the world wide web, seeking fame, fortune, treasure, and the odd little application. Way down in the uncharted wilds of microsoft.com, where few have ever dared to venture, while wearing a 1920's-era vintage safari jacket in olive green 500 thread count Egyptian cotton I discovered in a British supply depot in Burma (available in S, M, L, and XL for $425,) and a faithful reproduction pith helmet in silk-wrapped Kevlar made specifically for me by a group of Benedictine monks on an island monastery in the Mediterranean Sea (unisex, one size fits all for $175,) I discovered what has proven to be one of the most useful applications ever for Microsoft Forefront TMG 2010 admins and consultants.
The Microsoft Forefront Threat Management Gateway 2010 Best Practices Analyzer, or TMGBPA to its friends, is a tool that can perform health checks, diagnostics, and even create Visio diagrams from your TMG 2010 servers. It looks at installation, licensing, alerts, logs, rules, and the overall health of the underlying operating system, and is something no TMG consultant should be without.
You will want to install the TMGBPA on each of your TMG servers, as well as your workstation with Visio installed (unless of course you don’t want the diagrams, or you’re willing to install Visio on your server.)
<rant> That you cannot remotely assess a TMG server from a workstation that is part of the Remote Management Computers group seems a little lame…but then again, this is a free app. Maybe that will be a feature in the pay version.</rant>
The install
So once you know what machine you want to evaluate first, you’re ready to proceed.
- Download the Microsoft Forefront Threat Management Gateway Best Practices Analyzer Tool and then launch the install.
- Like most things Microsoft, this one installs with a wizard. Click Next.
- Then accept the license and click Next.
- I recommend that you have the TMGBPA check for updates each time you launch it. Choose, and then click Next.
- Decide whether or not to reveal all that you do to Microsoft, then click Next, and then click Install.
- When the product finishes, the option to launch it is already selected. Click Finish.
Running a report
- When the TMGBPA first launches (assuming you took my advice) it will check for updates. If it cannot, check your rules to make sure your TMG server itself can surf the web…you may have forgotten that part.
- We then get to choose whether we want to perform a new scan, or review an existing one. Since this is probably our first time running this, click Select options…
- Give the scan a title, select a domain controller (preferably in the same site as the TMG server,) and choose either a health check, or to run all tasks. We’re going to do all tasks for this post.
- This may take a while…go get some coffee. Mmmm…coffee
- Once done, you have a shiny reporting interface you can use to browse the reports.
Reviewing the report
Here’s a look at a report run against a server with some issues…specifically set up to show them to you. The first view is the List Reports, and we can see a list of our critical issues and our warnings.
Yikes! It looks like we have two critical issues, and a handful of alerts. Each can be expanded to show the details of the issue, and a link to the CHM file that provides more information about the problem.
Here is a close up on another server’s warning item.
<rant> One thing that really ticks me off in this report is the warning that Forefront Client Security is installed on the server….whut? That feels like I went to the Ford dealership to buy a new air filter, put it in my Focus, and then later the Ford mechanic told me I shouldn’t have put a Ford filter into my Ford. Since TMG’s anti-malware only protects by scanning files downloaded through the TMG, I don’t know any enterprise that is going to let you run a server without antivirus software. Hmmm, Forefront Client Security on a Forefront server…seems kinda natural sounding to me. What do the TMG folks know that the FCS folks aren’t telling? </rant>
If you select the radio button for Tree Reports, you get the following view, and you can expand or contract topics as necessary. Red Xs show where critical items are, yellow !s show where warnings are.
The "Other Reports" button just shows the log generated as the report was run. If you hit errors running the reports, presumably you can debug those there. So far, the TMGBPA has run for me without any errors each time I have used it, or a client has used it to provide me with data. And speaking of…
How to export to xml
The Export report function lets you dump the report to an XML file. Copy that file to another machine (like your workstation with TMGBPA and Visio installed) and you can Select a Best Practices scan to view, browse to the XML file you copied over, and go to town. All you have to do is click Export report, choose where to save it, and if you wish, give it a name.
Creating Visio diagrams
To use the BPA2Visio tool, you have to have both Visio and the TMGBPA installed on the computer. This usually means installing the TMGBPA on your workstation, exporting a report from the TMG server as we just showed above, copying the XML file over to your workstation, and then choosing to load an existing report to build the diagram. Here is the rundown in four easy steps.
- Click Start BPA2Visio Tool.
- Click Load an existing report and browse to the XML file you exported from the TMG server.
- Watch Visio launch and then act as if it is possessed.
- Profit…or at least bill by the hour
The Visio is created with two tabs, the network diagram (shown above) and another tab summarising the errors and warnings from the BPA analysis. You can manipulate this Visio just like any other to suit your needs, or those of your clients. Save them as documentation, embed the image into a report…you get the point. Have at it.
Some of you may have no idea what I was doing in the intro to this post…others who share my particular brand of insanity might have recognised an homage to John O’Hurley and the best character to ever come out of Seinfeld. Based on the actual clothier, J. Peterman is the one Seinfeld character I wish would come back in some format on practically any show. Best J. Peterman quote ever? "My mind is as barren as the surface of the moon." It’s much funnier in his voice.
Direct link for RSS and email subscribers…http://www.youtube.com/watch?v=2R9kYeJ-DaI
Oh, and John O’Hurley was totally robbed on Dancing with the Stars! I only started watching that show because of him, and stopped right after that obviously fixed competition.