Monitor Bandwidth and Limit Internet Speed in Forefront TMG 2010

Fastvue TMG Reporter is unique in that it allows you to monitor internet usage in real-time. Another great feature is that it allows you to generate longer term internet usage reports. This allows you to visually identify and isolate not only user behaviour but also system behavior.

A good example of this system behavior is your WSUS server retrieving updates and patches. These updates are important but you would not want them to impact users internet speed during office hours. You may also occasionally have the requirement to limit certain user's internet speed so that their online behavior doesn't impact others. Below is a user report showing the bandwidth peak usage.

Forefront TMG allows you to create scheduled rules that grant or deny access to a system or user.  The problem is that this is a binary 'off or on' option.  It also has a limitation in that it will not close any active sessions. For example, a large download will not be stopped once the schedule becomes active.

Using Bandwidth Splitter

Bandwidth Splitter is a very good and cost effective tool for implementing more flexible bandwidth control in Forefront TMG. It is also very capable and supports arrays.

One really nice feature is that allows you to not only limit the user’s available bandwidth but you can also set usage caps.  What makes it even better is that you can specify a soft cap after which the bandwidth is further throttled or shaped. Bandwidth Splitter has the ability to do this for authenticated users based on their AD username, as well as for IPs. Check the Bandwidth Splitter site for more information.

This guide will step you through using Bandwidth Splitter for the following use cases:

• Ensure no user has more than x amount of bandwidth available
• Set a soft cap after 100MB of data usage the resets daily
• Throttle a user to a very low bandwidth once the cap is reached

Creating The Shaping Rules

1. Limit the maximum bandwidth per user

This first rule will limit the maximum bandwidth available for each user in your 'Internal' network.

1. Open the Forefront TMG Management console

2. Expand the Bandwidth Splitter Section

3. Right click Shaping Rules and select New | Rule

4. Name the rule 'Pre-cap shaping'

5. Select IP address sets specified below

6. Click Add | Networks | Internal

7. Click Next

   

8. On the Destinations page click Add | Networks | External and click Next

   

9. On the Schedule page, select Always then click Next

   

10. On the Shaping page select 'Shape incoming and outgoing traffic'

11. Specify the Maximum available incoming and outgoing bandwidth values Note: this is in kbits/s and not KB/s

12. Click Next

    

13. Do not limit the number of concurrent connection. Click Next

14. On the Shaping Type page select 'Assign bandwidth individually to each applicable user/address'

15. Click Next

    

16. On the Extra Parameters page do not check any boxes. Click Next

17. Click Finish to create the rule.

2. Throttle bandwidth once the usage cap is reached

We now need to create another rule to limit the maximum bandwidth available once the usage cap is reached.

Follow the same process above but with the following changes:

1. Name the shaping rule 'Post-Cap Shaping'

2. On the Shaping page select a smaller kbits/s value

   

3. On the Extra Parameters page check Apply this rule only when traffic quota is exceeded

Reorder the rules and apply changes

You should now have two rules in the Rules list. You need to reorder the Post-Cap shaping rule above the Pre-Cap Rule. To do this:

1. Right click the 'Post-Cap rule' and select Move Up
2. To apply these changes to Forefront TMG you need to click the green check button in the toolbar.

Creating the Bandwidth Cap / Quota Rule

The following rule will set the limit for “high bandwidth” usage. After this amount of data has been used the “lower bandwidth” limit is enforced.

1. Open the Forefront TMG Management console

2. Expand the Bandwidth Splitter Section

3. Right-click Quota Rules | New | Rule

4. Name the rule 'Soft Data Cap'

5. Select 'IP address sets' specified below

6. Click Add | Networks | Internal

7. Click Next

8. On the Traffic Quota page select 'Limit total traffic (incoming+outgoing)'

9. Specify the Total MB value you want to allow

10. Select the Reset period to 'Daily'. Click Next

    

11. On the Quota Type page select 'Assign quota individually to each applicable user/address'

12. Click Next and click Finish

13. Apply the rule to the Forefront TMG configuration with the green check button in the toolbar.

    

Testing the configuration

Since the data caps and available bandwidth is not visible to the user during normal usage it is a little trick to test the effectiveness of your rules.  To test the configuration yourself, set a low quota so that you can easily hit the soft cap. You can watch the usage graphs in the bandwidth manager console but a more graphic way of doing is as follows:

1. Use a speed benchmark tool like https://speedtest.net
2. Run a benchmark test before you consume any of your cap data. This would give you an indication of what your maximum throughput is.
3. Generate enough data to use up your cap (Google Earth does this very quickly)
4. Once things start to slow down, run the speed test again.  You should now see the data rate being pegged to your low limit.

That’s all there is to it.  This is a basic example for some common use cases, and should hopefully give you a good indication to the bandwidth management potential using Bandwidth Splitter.