In this post, we discuss the hardware recommendations for Forefront TMG, based on the number of users and the deployment scenario. Each feature you enable on Forefront TMG adds its own processing cost. When sizing the hardware for your deployment, take into account the projected growth of your organization and the Internet’s increasing bandwidth demands. The recommendations that follow are based on an allocation of 100 kilobits per second (Kbps) per user during peak time.
In this post:
· Design server hardware generously
· CPU considerations
· Storage considerations
· Network adapter considerations
· Redundancy recommendations
· Typical configurations
Design server hardware generously
Design your server hardware according to both current and future requirements. Consider additional processors, additional memory, and a reliable storage subsystem with a capacity of at least two or three times your estimated requirements. Note that hardware technology evolves at a rapid pace: within a relatively short period of time, upgrade options might no longer be available for your server platform, which can pose a serious problem if future demands require you to increase system performance, for example by adding processors.
CPU considerations
Microsoft does not recommend one processor architecture over another. The configurations below simply show the results of our tests, which you can use to help you plan your deployment and configuration.
The Forefront TMG product team has tested TMG in a variety of scenarios with the following processors:
· Intel Xeon E5410—a mid-range processor.
· AMD Opteron 2387—a Quad-core processor, with 6 MB shared L3-cache.
· Intel Xeon L5520—a high-end processor based on Intel’s Nehalem microarchitecture, which provides a significant performance boost over earlier Xeon processors.
Storage considerations
Forefront TMG has the following disk space requirements:
· System–Holds OS and program files, approximately 40 GB.
· Logging–Plan to retain log records for 3 days in addition to the current day, that is, 4 days in total. Estimate that each user creates about 25 MB of logs per day, so 1000 users create about 25 GB of logs per day and need about 100 GB of log space for the 4-day retention period.
· Web Caching–Some scenarios require separate physical drives for caching. It is recommended to limit the cache file to a maximum of 40 GB on any disk. See Caching considerations for details.
If you are deploying Forefront TMG for fewer than 500 users, in most cases a 250 GB hard drive is sufficient for system, logging and cache. You can install a single hard drive, or for redundancy, a small redundant array of independent disks (RAID).
If you are deploying Forefront TMG for more than 500 users, the hardware requirements begin to increase, and if you enable Web caching, you may need to add disk drives (see Caching considerations below). The following table shows the recommended hard disk size based on number of users.
Table 1: Recommended Space for System and Logging
Maximum Number of Users | Hard Disk Size
If you enable Web caching in a deployment of more than 500 users, for performance reasons, you should have one or more separate, physical disks dedicated to Web caching. The recommended maximum size of a cache file is 40 GB per physical disk drive; allocating more disk space for caching will actually impair performance. If, according to your scenario, you need more disk space for caching, use separate physical drives for each 40 GB cache file. There are two possible configurations:
· Multiple physical disks (not RAID)—Use one hard disk for system and logging, and separate hard disks for caching. This option involves deploying more storage space than is actually consumed, as only 40 GB on each drive should be used for caching.
· RAID (preferably RAID-5, for redundancy)—RAID allows for more flexibility. You can allocate up to 40 GB per disk for caching, and use the remaining space on each disk for system and logging.
Use the following table to help you determine the number of additional disk drives you should have for your deployment.
Table 2: Recommended Number of Disk Drives for Web Caching
Maximum Number of Users | Number of disk drives
Network adapter considerations
In testing, a 1 Gigabit Ethernet adapter was found to sustain approximately 600 megabits per second (Mbps) of throughput. As we mentioned in the introduction, these hardware recommendations are based on an allocation of 100 Kbps per user during peak time. Dividing 600 Mbps by 100 Kbps yields support for 6000 users for every pair of internal/external network adapters. If your organization averages more or less bandwidth per user, adjust the number of adapters accordingly. The following table shows the recommended number of network adapters, one pair for every 6000 users.
Table 3: Recommended Number of 1 Gigabit Network Adapters
Maximum Number of Users | Number of Adapters
6,000 | 2 (1 internal, 1 external)
12,000 | 4 (2 internal, 2 external)
18,000 | 6 (3 internal, 3 external)
Best Practice – Assign each network adapter a unique IP address, and distribute clients uniformly across all adapters on the same subnet by means of DNS lookup or WPAD configuration.
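One way to implement the WPAD half of that best practice is a proxy auto-configuration (PAC) script that lists every internal adapter address, so each client is steered to one of them and falls back to the others if that address stops answering. The script below is an added example, not part of the original post and not shipped with Forefront TMG; the three internal addresses 10.0.0.11 through 10.0.0.13, the internal DNS suffix .corp.example and the Web proxy listener port 8080 are assumptions for illustration. It runs unchanged in a browser's PAC engine, and the isPlainHostName fallback exists only so it can also be exercised under Node.

```javascript
// PAC script that spreads clients across the internal adapter addresses of a
// Forefront TMG server. Added example, not shipped with TMG.
// ASSUMED: the three adapter addresses, the internal DNS suffix, and the
// Web proxy listener port 8080.

var PROXY_ADDRESSES = ["10.0.0.11", "10.0.0.12", "10.0.0.13"];
var PROXY_PORT = 8080;
var INTERNAL_SUFFIX = ".corp.example";

// isPlainHostName is supplied by the browser's PAC engine; the fallback only
// lets the script run outside a browser (for example under Node) for testing.
var plainHostName = typeof isPlainHostName === "function"
  ? isPlainHostName
  : function (h) { return h.indexOf(".") === -1; };

// ES3-safe suffix test (old PAC engines lack String.prototype.endsWith).
function hasSuffix(host, suffix) {
  return host.length >= suffix.length &&
    host.substr(host.length - suffix.length) === suffix;
}

// Deterministic 32-bit hash of the host name, so a given site always goes to
// the same adapter while the set of sites is spread evenly over all of them.
function hashHost(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) {
    h = (h * 31 + host.charCodeAt(i)) >>> 0;
  }
  return h;
}

// Adapter list rotated so the chosen address comes first; the others follow as
// failover targets, which the browser tries if the first does not answer.
function proxyListFor(host) {
  var n = PROXY_ADDRESSES.length;
  var start = hashHost(host) % n;
  var parts = [];
  for (var i = 0; i < n; i++) {
    parts.push("PROXY " + PROXY_ADDRESSES[(start + i) % n] + ":" + PROXY_PORT);
  }
  return parts.join("; ");
}

// Entry point the browser calls for every URL.
function FindProxyForURL(url, host) {
  // Keep single-label names and internal hosts off the proxy entirely.
  if (plainHostName(host) || hasSuffix(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }
  return proxyListFor(host);
}
```

Serve the file from the URL your WPAD DNS or DHCP entry points at. The DNS alternative the post mentions is several A records for the proxy name, one per adapter address, which resolvers rotate through; the PAC approach adds explicit failover ordering that a bare A-record set does not give you.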
Redundancy recommendations
It is recommended that you deploy an array of Forefront TMG computers for redundancy. Use the test results below to determine the number of computers your deployment requires, and then add at least one more computer so that the deployment keeps functioning during a computer failure or scheduled maintenance.
Deploying a Forefront TMG array requires a load balancing mechanism – either Network Load Balancing (NLB), DNS round robin, or a hardware load balancer. Note that NLB has a maximum total bandwidth limit of 500 Mbps; if your traffic volume exceeds this limit, your deployment requires a different load balancing mechanism.
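The storage, network adapter and redundancy rules above combine into a single sizing calculation. The JavaScript below is an added example, not Microsoft's capacity planning tool and not from the original post. It encodes the post's figures (100 Kbps per user at peak, 25 MB of logs per user per day kept for four days, a 40 GB system volume, a 40 GB cache file per physical disk, 600 Mbps per 1 GbE adapter, a 500 Mbps total ceiling for NLB) and takes the number of users one server can handle as an input, because that figure comes from the scenario tables and depends on your processor and the features you enable.

```javascript
// Sizing helper built from the per-user figures in this post. Added example,
// not Microsoft's capacity planning tool. usersPerServer (how many users one
// server of your chosen configuration handles) comes from your own tests or
// the scenario tables; it is an input here, not something this code knows.

const KBPS_PER_USER = 100;          // peak bandwidth allocation per user
const LOG_MB_PER_USER_DAY = 25;     // log volume one user generates per day
const LOG_RETENTION_DAYS = 4;       // three days plus the current day
const SYSTEM_GB = 40;               // OS and program files
const CACHE_GB_PER_DISK = 40;       // largest cache file per physical disk
const ADAPTER_MBPS = 600;           // measured throughput of one 1 GbE adapter
const NLB_LIMIT_MBPS = 500;         // total bandwidth ceiling for NLB
const SMALL_DEPLOYMENT_USERS = 500; // below this, one 250 GB disk is enough

// Peak traffic generated by a user population, in Mbps.
function peakMbps(users) {
  return (users * KBPS_PER_USER) / 1000;
}

// Space on one server for system files plus four days of logs, in GB.
// Uses 1000 MB per GB, matching the post's "25 GB per 1000 users per day".
function systemAndLogGb(users) {
  return SYSTEM_GB + (users * LOG_MB_PER_USER_DAY * LOG_RETENTION_DAYS) / 1000;
}

// Physical disks needed to hold a cache of cacheGb at 40 GB per disk.
function cacheDisks(cacheGb) {
  return Math.ceil(cacheGb / CACHE_GB_PER_DISK);
}

// Internal/external adapter pairs one server needs: one pair per 600 Mbps,
// which is one pair per 6000 users at 100 Kbps each.
function adapterPairs(users) {
  return Math.max(1, Math.ceil(peakMbps(users) / ADAPTER_MBPS));
}

// Load-balancing mechanisms the post allows for a given total peak load.
function loadBalancerOptions(totalMbps) {
  const options = ['DNS round robin', 'hardware load balancer'];
  if (totalMbps <= NLB_LIMIT_MBPS) options.unshift('NLB');
  return options;
}

// Complete plan: N+1 array, per-member adapters and disks, LB choices.
// cacheGb is the Web cache size wanted on each array member.
function plan(users, usersPerServer, cacheGb = 0) {
  if (!(users > 0) || !(usersPerServer > 0) || !(cacheGb >= 0)) {
    throw new RangeError('users and usersPerServer must be positive, cacheGb >= 0');
  }
  const activeMembers = Math.ceil(users / usersPerServer);
  const usersPerMember = Math.ceil(users / activeMembers); // load with the spare out of service
  const totalMbps = peakMbps(users);
  const storageGb = systemAndLogGb(usersPerMember);
  const cache = cacheDisks(cacheGb);
  return {
    totalMbps,
    arrayMembers: activeMembers + 1,          // one spare for failure or maintenance
    usersPerMember,
    adaptersPerMember: 2 * adapterPairs(usersPerMember),
    systemAndLogGbPerMember: storageGb,
    // Under 500 users a single 250 GB disk (or a small RAID set) holds everything.
    singleDiskOk: users < SMALL_DEPLOYMENT_USERS,
    // Separate physical disks: one for system and logging plus one per 40 GB cache file.
    disksNonRaid: 1 + cache,
    // RAID set: at least one disk per 40 GB cache slice, with the remaining
    // capacity of those disks carrying system and logging.
    disksRaidMin: Math.max(1, cache),
    raidCapacityGb: cacheGb + storageGb,
    loadBalancers: loadBalancerOptions(totalMbps),
  };
}

// Example: 12,000 users, 6,000 per server, 80 GB of cache per member.
console.log(JSON.stringify(plan(12000, 6000, 80), null, 2));
```

Two results are worth noticing when you run it: once total peak traffic passes 500 Mbps (about 5000 users at the post's allocation) NLB drops out of the load balancer list, and a member carrying 7000 users needs a second adapter pair even though Table 3 jumps straight from 6,000 to 12,000, because the rule is one pair per 6000 users' worth of peak traffic.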
Typical configurations
The following section contains hardware recommendations based on test results of Forefront TMG in its principal deployment scenarios.
Forefront TMG’s secure Web gateway, a solution designed to protect enterprise users from Web-based threats, incorporates the following features:
· URL filtering—Blocks user access to Web sites based on a URL categorization service
· Malware inspection—Inspects Web content for viruses and spyware at the network edge
· HTTPS inspection—Inspects SSL-encrypted Web traffic for malware and validates secure Web site certificates
· Network Inspection System—Detects exploits of known vulnerabilities in operating systems and applications
· Web caching—Enhances the user Web surfing experience and reduces bandwidth costs.
The secure Web gateway can also be deployed with the following features:
· Mail protection—Helps protect your network against spam and viruses that enter your organization via electronic mail.
· SIP/VoIP—Enables VoIP communications while protecting your network from malformed SIP traffic.
The table below shows the number of users supported in this scenario by a specific hardware configuration.
Table 4: Recommended Hardware for Secure Web Gateway, with Mail Protection & VoIP
Intel Xeon E5410
AMD Opteron 2387
Intel Xeon L5520
Forefront TMG’s proxy server solution includes the following features:
· Web caching—Enhances the user Web surfing experience and reduces bandwidth costs.
The table below shows the number of users supported in this scenario by a specific hardware configuration:
Table 5: Recommended Hardware for Proxy Server Scenario, with URL Filtering
Forefront TMG’s secure mail gateway solution protects your network against spam and viruses that enter your organization via electronic mail. For more information about the secure mail gateway, see http://blogs.technet.com/isablog/archive/2009/11/10/email-protection-in-forefront-tmg-2010-release-candidate.aspx.
Table 6: Recommended Hardware for Secure Mail Gateway Scenario
Authors: David Strausberg, Technical Writer – Forefront TMG; Gabriel Koren, Forefront TMG Test Team
Reviewers: Ittai Gilat, Senior Development Engineer Test – Forefront TMG; Tom Shinder, Technical Writer – Forefront UAG; Vladimir Holostov, Senior Program Manager – Forefront TMG; Zakie Mashiah, Principal Group Manager – Forefront TMG
Are there plans to release a capacity planning tool for TMG like you did with ISA?
Yes, we are planning to make a capacity planning tool for Forefront TMG 2010 available shortly. We'll announce its availability right here on the TMG blog, so be sure to visit frequently! We'll also release an enhanced version of the information you see in this post on the Forefront TMG 2010 TechNet Library, including fine-tuning guidance and other best practices.
Very interesting blog, just what I needed!
I do have a question about a quote: "Note that NLB has a maximum total bandwidth limit of 500 Mbps; if your traffic volume exceeds this limit, your deployment requires a different load balancing mechanism." Do you mean you have a maximum of 500 Mbps per array member or per total array?
There is also one thing I would like to mention. What I miss (not in this blog though) from Microsoft is more information regarding NLB configuration considerations on ISA/TMG Server (e.g. scenarios about NLB in multicast mode or with separate load balancers, and how to deal with more than one switch per interface).
Sorry, my previous post should be addressed to David...
I want to ask about Forefront TMG's compatibility with vendor network teaming solutions, like HP Network Configuration Utility or IBM/Broadcom's Advanced Control Suite (teaming of adapters in one server based on 802.3ad or similar)?
If you plan to use NLB, then you will have problems, due to the fact that NLB and NIC teaming have problems. See the articles below for more info on that:
Using teaming adapters with network load balancing may cause network problems
Network Load Balancing cluster node does not successfully converge
Yes, that is why we hope Microsoft will work on integrated teaming functionality in Windows. This is a big issue when you have redundant/logical switches on every network and multiple TMG Servers in an array. Somebody has added this as feedback at Microsoft Connect. Please read the following link...
Native NIC teaming for Windows Server
What is the maximum supported memory for TMG?
Can you please clarify the NLB limitation of 500 Mbps throughput that you mentioned? I cannot find any official documentation on TechNet around this limitation, and if it is truly a limitation, I would like to know.