by Etienne Liebetrau
When using Kerberos authentication as well as CARP on a TMG array you will notice a certain anomaly in TMG Reporter's Top Users section.
With Forefront TMG 2010 SP2 it is now possible to use Kerberos authentication on an array. Previously you were limited to NTLM only. There are advantages to using Kerberos, not least of which are a performance gain and proper support for Mac OS X Lion and above. To use Kerberos, however, you need to do a few things, as documented here: https://fixmyitsystem.com/2012/02/how-to-enable-kerberos-authentication.html. The main thing to focus on for this article is that you need to change the Firewall Service account to run as a domain account. From now on I will simply refer to this as the “Service Account”.
CARP, or Cache Array Routing Protocol, allows multiple array members to act as a single consolidated cache. With server-side CARP (between TMG array members) the following happens when a request is received from a client. If the receiving array member cannot serve the request from its own cache, it uses CARP. The CARP algorithm determines the list and priority of array members to ask; these are then queried in turn until the object is found. If no member has the object, the request is sourced from the internet.
This traffic is displayed in TMG Reporter in the 'Users' sections. TMG Reporter provides the option to “Exclude Anonymous User” from the Settings tab under the Import Filters section. With NTLM this would also hide the CARP traffic.
If however you are using Kerberos and therefore a domain account for the firewall service, CARP traffic is no longer Anonymous. The specified service account will now start showing up on the various 'Users' graphs and tables within the TMG Reporter Dashboard.
If we further analyse the Web Proxy logs for activity for the service account we will see the following:
Since this is a system policy rule it is not possible to disable logging for this rule.
I started off by calling the CARP traffic an anomaly in the TMG Reporter stats. The reason for this is that, despite what it looks like to the uninformed eye, there is no additional outbound or inbound traffic for the service account; the rows are array members fetching objects from each other's caches. Fortunately, an additional import filter to exclude such intra-array traffic is on Fastvue's roadmap for TMG Reporter. In the meantime, you can effectively ignore this traffic.
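To show what "ignoring" the traffic means in practice, here is an added example (not TMG Reporter's or Fastvue's code) that reads W3C-style proxy log lines, sets aside the rows logged under the service account, and computes per-user byte totals without them. The log lines, the `#Fields:` names, the `CONTOSO\svc-tmgfw` account, and the `SysPolicy-IntraArray` rule name are all constructed for the example; a real TMG export uses its own field and rule names.

```python
"""Separate a TMG service account's intra-array rows from per-user statistics.

Added illustration, not TMG Reporter's own import logic. Everything in
SAMPLE_LOG (field names, account names, rule name, byte counts) is constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: two array members (TMG-01, TMG-02), two real users,
# one anonymous request, and two CARP fetches made under the service account.
SAMPLE_LOG = """\
#Software: constructed sample in W3C extended log style
#Fields: date time c-ip cs-username s-computername cs-uri rule-name sc-bytes
2012-05-01 08:00:01 10.0.0.21 CONTOSO\\alice TMG-01 http://www.example.org/index.html WebAccess 5120
2012-05-01 08:00:02 10.0.0.11 CONTOSO\\svc-tmgfw TMG-02 http://www.example.org/index.html SysPolicy-IntraArray 5120
2012-05-01 08:00:05 10.0.0.21 anonymous TMG-01 http://cdn.example.net/lib.js WebAccess 2048
2012-05-01 08:00:09 10.0.0.33 CONTOSO\\bob TMG-02 http://www.example.org/a.png WebAccess 10240
2012-05-01 08:00:09 10.0.0.12 CONTOSO\\svc-tmgfw TMG-01 http://www.example.org/a.png SysPolicy-IntraArray 10240
2012-05-01 08:01:00 10.0.0.21 CONTOSO\\alice TMG-02 http://mail.example.org/ WebAccess 3072
"""

SERVICE_ACCOUNT = "CONTOSO\\svc-tmgfw"   # placeholder for the Firewall Service domain account
ANONYMOUS = "anonymous"                  # how unauthenticated requests appear in this sample


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text: '#Fields:' names the columns, '#' lines are directives."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def split_intra_array(records: List[Dict[str, str]],
                      service_account: str) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (user_rows, intra_array_rows); the latter are the CARP fetches."""
    intra = [r for r in records if r["cs-username"] == service_account]
    users = [r for r in records if r["cs-username"] != service_account]
    return users, intra


def bytes_per_user(records: List[Dict[str, str]], exclude_anonymous: bool = True) -> Dict[str, int]:
    """Sum sc-bytes per username, mirroring a 'Top Users' style report."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        if exclude_anonymous and r["cs-username"] == ANONYMOUS:
            continue
        totals[r["cs-username"]] += int(r["sc-bytes"])
    return dict(totals)


def top_user(totals: Dict[str, int]) -> str:
    return max(totals, key=totals.get)


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    naive = bytes_per_user(rows)                 # service account dominates: the "anomaly"
    user_rows, carp_rows = split_intra_array(rows, SERVICE_ACCOUNT)
    filtered = bytes_per_user(user_rows)         # what the report should show
    print("naive top user:   ", top_user(naive), naive)
    print("filtered top user:", top_user(filtered), filtered)
    print("intra-array rows set aside:", len(carp_rows))
```

Note that the intra-array rows are kept, not discarded: their `rule-name` and `s-computername` values are what let you confirm the service account is only ever seen on the system policy rule between array members, which is the check that distinguishes expected CARP chatter from a service account being used for something else.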
However, now that we are very much aware of the traffic, it makes you wonder how CARP actually works and where we can change it.
By enabling or altering the setting listed below you can change how CARP and cache function.
If there is no caching there is no CARP. By default, caching is not enabled. This is because a cache drive has to be specified first; optionally, additional cache rules can then be defined.
Forefront TMG also makes use of a RAM cache per array member. The size of this is 10% of the installed RAM on the server. So if the Server has 32GB of RAM, the RAM cache would be 3.2GB. The cache drive should then at least be this size or bigger. It is recommended to specify large cache drives but not more than 60GB.
The CARP Load factor setting is normally not changed since Forefront TMG array servers are usually similarly spec'd. But in cases where they are not, you can increase or decrease the load on a particular member:
You can also specify CARP exceptions. This is for sites that require the client's IP to remain the same throughout a session. Certain banking and online shopping sites require this.
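To make the routing, load factor and exception settings above concrete, here is an added example (not Forefront TMG's code) of a CARP-style router. It follows the structure of the CARP v1 Internet draft: a 32-bit hash of the URL, a hash of each member name, a combined hash per member, and load-factor multipliers that turn relative load factors into the share of requests each member is asked first. The member names `TMG-01`..`TMG-03`, the load factors, the exception host and the sample URLs are constructed, and the hash constants are those of the draft rather than anything taken from TMG.

```python
"""CARP-style request routing for a cache array (CARP v1 draft structure).

Added illustration, not Forefront TMG's own implementation. Member names,
load factors, exception hosts and URLs are constructed sample values.
"""
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _carp_hash(text: str) -> int:
    """Hash a URL or a member name the way the draft describes (32-bit)."""
    h = 0
    for byte in text.encode("utf-8"):
        h = (_rotl32(h, 19) + byte) & MASK32
    h = (h + h * 0x62531965) & MASK32
    return _rotl32(h, 21)


def _combine(url_hash: int, member_hash: int) -> int:
    """Combined hash of one URL with one member: the value each member is scored on."""
    h = url_hash ^ member_hash
    h = (h + h * 0x62531965) & MASK32
    return _rotl32(h, 21)


def load_multipliers(load_factors: Dict[str, float]) -> Dict[str, float]:
    """Convert relative load factors into CARP multipliers X_k.

    Members are processed in ascending load order with P_k the normalised
    share; the draft's recurrence makes a member win a fraction P_k of URLs.
    Equal load factors yield X_k == 1 for every member.
    """
    total = float(sum(load_factors.values()))
    ordered = sorted(load_factors.items(), key=lambda kv: kv[1])
    k_total = len(ordered)
    multipliers: Dict[str, float] = {}
    prev_p, prev_x, product = 0.0, 1.0, 1.0
    for idx, (name, factor) in enumerate(ordered, start=1):
        p = factor / total
        remaining = k_total - idx + 1
        if idx == 1:
            x = (k_total * p) ** (1.0 / k_total)
        else:
            x = (remaining * (p - prev_p)) / product + prev_x ** remaining
            x = x ** (1.0 / remaining)
        multipliers[name] = x
        product *= x
        prev_p, prev_x = p, x
    return multipliers


class CarpRouter:
    def __init__(self, load_factors: Dict[str, float], exceptions: Iterable[str] = ()) -> None:
        self.members = list(load_factors)
        self.exceptions = {host.lower() for host in exceptions}
        self._member_hash = {m: _carp_hash(m.lower()) for m in self.members}
        self._mult = load_multipliers(load_factors)

    def priority_list(self, url: str) -> Optional[List[str]]:
        """Members to query, best first; None when the host is a CARP exception."""
        host = url.split("//", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
        if host in self.exceptions:
            return None  # exception: the receiving member handles it so the client IP stays stable
        url_hash = _carp_hash(url)
        scored = [(_combine(url_hash, self._member_hash[m]) * self._mult[m], m) for m in self.members]
        scored.sort(reverse=True)
        return [m for _, m in scored]

    def primary(self, url: str) -> Optional[str]:
        order = self.priority_list(url)
        return None if order is None else order[0]


def share_per_member(router: CarpRouter, urls: Iterable[str]) -> Dict[str, int]:
    """Count how many URLs each member is asked first; exceptions are not counted."""
    counts = {m: 0 for m in router.members}
    for url in urls:
        member = router.primary(url)
        if member is not None:
            counts[member] += 1
    return counts


if __name__ == "__main__":
    urls = [f"http://site{i % 50}.example.net/path/{i}/img.png" for i in range(3000)]
    equal = CarpRouter({"TMG-01": 1, "TMG-02": 1, "TMG-03": 1}, exceptions={"bank.example.com"})
    skewed = CarpRouter({"TMG-01": 1, "TMG-02": 1, "TMG-03": 3})
    print("equal load factors :", share_per_member(equal, urls))
    print("TMG-03 load factor 3:", share_per_member(skewed, urls))
    print("exception host     :", equal.priority_list("https://bank.example.com/login"))
```

Two properties are worth checking against your own array: the same URL always yields the same priority list regardless of which member received the request (that is what lets members act as one cache), and raising one member's load factor shifts a proportional share of first-choice lookups to it without changing where any other URL would go between the remaining members.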
If you do not enable CARP you will not see the service account show up in Forefront TMG's logs. As long as caching is configured, each array member will still cache, but as a discrete cache per TMG array member rather than a shared one.
For even more information about how CARP works you can refer to https://msdn.microsoft.com/en-us/library/ff823958(v=vs.85).aspx