by
Etienne Liebetrau
When using Kerberos authentication as well as CARP on a TMG array you will notice a certain anomaly in TMG Reporter's Top Users section.
With Forefront TMG 2010 SP2 it is now possible to use Kerberos authentication on an array. Previously you were limited to only NTLM. There are advantages to using Kerberos, not least of which is a performance gain and proper support for Mac OSX Lion and above. To use Kerberos however, you need to do a few things as documented here https://fixmyitsystem.com/2012/02/how-to-enable-kerberos-authentication.html. The main thing to focus on for this article is that you need to change the Firewall Service account to run as a domain account. From now on I will simply refer to this as the “Service Account”
CARP or Cache Array Routing Protocol allows multiple array members to act as a single consolidated cache. With Server-Side CARP (between TMG array members) the following happens when a request is received from a client. If the receiving array member cannot serve the request from its own cache, it uses CARP. The CARP algorithm is used to determine the list and priority of array members, these will then be queried until the object is found or not found, in which case the request will be sourced from the internet.
This traffic is displayed in TMG Reporter in the 'Users' sections. TMG Reporter provides the option to “Exclude Anonymous User” from the Settings tab under the Import Filters section. With NTLM this would also hide the CARP traffic.
If however you are using Kerberos and therefore a domain account for the firewall service, CARP traffic is no longer Anonymous. The specified service account will now start showing up on the various 'Users' graphs and tables within the TMG Reporter Dashboard.
If we further analyse the Web Proxy logs for activity for the service account we will see the following:
Since this is a system policy rule it is not possible to disable logging for this rule.
I started off by calling the CARP traffic an anomaly in the TMG Reporter stats. The reason for this is that despite what it looks like to the uninformed eye, there is no additional outbound or inbound traffic for the service account. Fortunately, an additional import filter to exclude such Intra Array traffic is on Fastvue's roadmap for TMG Reporter. In the mean time, you can effectively ignore this traffic.
However, since we are now very much aware of the traffic it makes you wonder how CARP actually works and where can we change it.
By enabling or altering the setting listed below you can change how CARP and cache function.
If there is no caching there is no CARP. By default Caching is not enabled. This is because a Cache drive has to be specified and alternatively additional Cache rules can be defined.
Forefront TMG also makes use of a RAM cache per array member. The size of this is 10% of the installed RAM on the server. So if the Server has 32GB of RAM, the RAM cache would be 3.2GB. The cache drive should then at least be this size or bigger. It is recommended to specify large cache drives but not more than 60GB.
The CARP Load factor setting is normally not changed since Forefront TMG array servers are usually similarly spec'd. But in cases where they are not, you can increase or decrease the load on a particular member:
You can also specify CARP exceptions. This is for sites that require the client's IP to remain the same throughout a session. Certain banking and online shopping sites require this.
If you do not enable CARP you will not see the service account show up in Forefront TMG's logs. As long as Caching is configured there will still be caching but it will be a discreet cache per TMG array member.
For even more information about how CARP works you can refer to https://msdn.microsoft.com/en-us/library/ff823958(v=vs.85).aspx
Download our FREE 30-day trial, or schedule a demo and we'll show you how it works.
How to Manage Forefront TMG's Cache with CacheDir
Fastvue TMG Reporter's System Requirements Explained