Hardware recommendations for Forefront TMG 2010

In this post, we discuss the hardware recommendations for Forefront TMG, based on the number of users and deployment scenario. Enabling different features on Forefront TMG carries different costs. When considering the hardware required for your deployment, take into account the projected growth of your organization and the Internet’s increasing bandwidth demands. The recommendations that follow are based on an allocation of 100 kilobits per second (Kbps) per user during peak time.

In this post:

· Design server hardware generously

· CPU considerations

· Storage considerations

· Network adapter considerations

· Redundancy recommendations

· Typical configurations

Design server hardware generously

Design your server hardware according to current and future requirements to prepare for future growth. You might want to consider additional processors, additional memory, and a reliable storage subsystem that has a capacity of at least two or three times your estimated requirements. Note that hardware technology evolves at a rapid pace. Within a relatively short period of time, upgrade options might not be available for your server platform, which can pose a serious problem if future demands require you to increase system performance; for example, in the event that you need additional processors.

CPU considerations

Microsoft does not recommend one processor architecture over another. The configurations below simply show the results of our tests, which you can use to help you plan your deployment and configuration.

The Forefront TMG product team has tested TMG in a variety of scenarios with the following processors:

· Intel Xeon E5410—a mid-range processor.

· AMD Opteron 2387—a Quad-core processor, with 6 MB shared L3-cache.

· Intel Xeon L5520—a high-end processor; Intel’s Nehalem microarchitecture provides a significant performance boost over earlier Xeon processors.

Storage considerations

Forefront TMG has the following disk space requirements:

· System–Holds OS and program files, approximately 40 GB.

· Logging–You should store log records for 3 days in addition to the current day. When calculating the necessary storage space, estimate that each user creates about 25 MB of logs per day, which means that 1000 users create about 25 GB of logs per day. Hence, 1000 users need 100 GB of space to store logs for this four-day period.

· Web Caching–Some scenarios require separate physical drives for caching. It is recommended to limit the cache file to a maximum of 40 GB on any disk. See Caching considerations for details.

For deployments of 500 users or less

If you are deploying Forefront TMG for fewer than 500 users, in most cases a 250 GB hard drive is sufficient for system, logging and cache. You can install a single hard drive, or for redundancy, a small redundant array of independent disks (RAID).

For deployments of more than 500 users

If you are deploying Forefront TMG for more than 500 users, the hardware requirements begin to increase, and if you enable Web caching, you may need to add disk drives (see Caching considerations below). The following table shows the recommended hard disk size based on number of users.

Table 1: Recommended Space for System and Logging

Maximum Number of Users    Hard Disk Size
2000                       250 GB
4000                       500 GB
10000                      1 TB
13000                      2 TB

Caching considerations

If you enable Web caching in a deployment of more than 500 users, for performance reasons, you should have one or more separate, physical disks dedicated to Web caching. The recommended maximum size of a cache file is 40 GB per physical disk drive; allocating more disk space for caching will actually impair performance. If, according to your scenario, you need more disk space for caching, use separate physical drives for each 40 GB cache file. There are two possible configurations:

· Multiple physical disks (not RAID)—Use one hard disk for system and logging, and separate hard disks for caching. This option involves deploying more storage space than is actually consumed, as only 40 GB on each drive should be used for caching.

· RAID (preferably RAID-5, for redundancy)—RAID allows for more flexibility. You can allocate up to 40 GB per disk for caching, and use the remaining space on each disk for system and logging.

Use the following table to help you determine the number of additional disk drives you should have for your deployment.

Table 2: Recommended Number of Disk Drives for Web Caching

Maximum Number of Users    Number of disk drives
500                        0
1500                       1
2500                       2
3500                       3
4500                       4
5500                       5
6500                       6
7500                       7
8500                       8
9500                       9
10500                      10
11500                      11
12500                      12
13500                      13

Network adapter considerations

In testing, a 1 Gigabit Ethernet adapter was found to support throughput of approximately 600 megabits per second (Mbps). As we mentioned in the introduction, these hardware recommendations are based on an allocation of 100 Kbps per user during peak time. Dividing 600 Mbps by 100 Kbps yields support for 6000 users for every pair of internal/external network adapters. If your organization averages more or less bandwidth per user, adjust the number of adapters accordingly. The following table shows the recommended number of network adapters per 6000 users.

Table 3: Recommended Number of 1 Gigabit Network Adapters

Maximum Number of Users    Number of Adapters
6000                       2 (1 internal, 1 external)
12000                      4 (2 internal, 2 external)
12000+                     6 (3 internal, 3 external)

Best Practice – Assign each network adapter a unique IP address, and load balance all adapters uniformly on the same subnet via DNS lookup or WPAD configuration.

Redundancy recommendations

Deploy an array

It is recommended that you deploy an array of Forefront TMG computers for redundancy. Use the test results below to determine the number of computers your deployment requires, and then add at least one more computer for redundancy that will allow your deployment to continue functioning during a computer failure or other required maintenance.

Load balancing

Deploying a Forefront TMG array requires a load balancing mechanism – either Network Load Balancing (NLB), DNS round robin, or a hardware load balancer. Note that NLB has a maximum total bandwidth limit of 500 Mbps; if your traffic volume exceeds this limit, your deployment requires a different load balancing mechanism.
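The sizing rules from the storage, caching, network adapter and load balancing sections above, turned into a small capacity planner. This is an added example written for this post, not a Microsoft tool; it encodes the post's 100 Kbps per user allocation, 25 MB of logs per user per day over four days, one 40 GB cache disk per 1000 users above 500 (Table 2), one internal/external adapter pair per 6000 users (Table 3), and the 500 Mbps NLB ceiling. Table 1 and the CPU tables carry their own headroom and are not encoded.

```python
import math

# Sizing constants taken from the post (constructed planner, not a Microsoft tool).
KBPS_PER_USER = 100            # peak-time bandwidth allocation per user
LOG_MB_PER_USER_PER_DAY = 25   # log volume each user generates per day
LOG_RETENTION_DAYS = 3 + 1     # 3 days of history plus the current day
SYSTEM_GB = 40                 # OS and program files
CACHE_FILE_MAX_GB = 40         # recommended maximum cache file per physical disk
NIC_MBPS = 600                 # measured throughput of one 1 GbE adapter
NLB_LIMIT_MBPS = 500           # NLB total bandwidth ceiling

def peak_mbps(users):
    """Aggregate peak-time bandwidth at 100 Kbps per user."""
    return users * KBPS_PER_USER / 1000

def log_storage_gb(users):
    """Log space for 3 days of history plus the current day (post uses 1000 MB = 1 GB)."""
    return users * LOG_MB_PER_USER_PER_DAY * LOG_RETENTION_DAYS / 1000

def cache_disks(users, web_caching=True):
    """Dedicated cache disks per Table 2: none up to 500 users, then one per 1000 users."""
    if not web_caching or users <= 500:
        return 0
    return math.ceil((users - 500) / 1000)

def nic_pairs(users):
    """Internal/external adapter pairs per Table 3: one pair per 6000 users."""
    users_per_pair = NIC_MBPS * 1000 // KBPS_PER_USER   # 600 Mbps / 100 Kbps = 6000
    return max(1, math.ceil(users / users_per_pair))

def load_balancer_options(users):
    """NLB is only an option while aggregate peak bandwidth stays within 500 Mbps."""
    options = ["DNS round robin", "hardware load balancer"]
    if peak_mbps(users) <= NLB_LIMIT_MBPS:
        options.insert(0, "NLB")
    return options

def plan(users, web_caching=True):
    return {
        "peak_mbps": peak_mbps(users),
        "system_and_log_gb": SYSTEM_GB + log_storage_gb(users),
        "cache_disks": cache_disks(users, web_caching),
        "nic_pairs": nic_pairs(users),
        "load_balancing": load_balancer_options(users),
    }

if __name__ == "__main__":
    for n in (500, 1000, 6500, 13000):
        print(n, plan(n))
```

Add at least one array member beyond the computed count, as the redundancy section recommends; the planner sizes a single server's disks and adapters only.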

Typical configurations

The following section contains hardware recommendations based on test results of Forefront TMG in its principal deployment scenarios.

Secure Web gateway

Forefront TMG’s secure Web gateway, a solution designed to protect enterprise users from Web-based threats, incorporates the following features:

· URL filtering—Blocks user access to Web sites based on a URL categorization service

· Malware inspection—Inspects Web content for viruses and spyware at the network edge

· HTTPS inspection—Inspects SSL-encrypted Web traffic for malware and validates secure Web site certificates

· Network Inspection System—Detects exploits of known vulnerabilities in operating systems and applications

· Web caching—Enhances user Web surfing experience and reduces bandwidth costs.

Special Forefront TMG Edge roles

You can deploy Forefront TMG as a secure Web gateway with the following features as well:

· Mail protection—Helps protect your network against spam and viruses that enter your organization via electronic mail.

· SIP/VoIP—Enables VoIP communications while protecting your network from malformed SIP traffic.

The table below shows the number of users supported in this scenario by a specific hardware configuration.

Table 4: Recommended Hardware for Secure Web Gateway, with Mail Protection & VoIP

Maximum Number of Users    # CPUs    CPU                 RAM (GB)
500                        1         Intel Xeon E5410    4
1000                       1         Intel Xeon E5410    4
1000                       1         AMD Opteron 2387    4
1500                       2         Intel Xeon E5410    8
1500                       1         Intel Xeon L5520    8
2000                       2         AMD Opteron 2387    8
3000                       2         Intel Xeon L5520    12

Proxy server (including URL filtering)

Forefront TMG’s proxy server solution includes the following features:

· Web caching—Enhances user Web surfing experience and reduces bandwidth costs.

· URL filtering—Blocks user access to Web sites based on a URL categorization service

The table below shows the number of users supported in this scenario by a specific hardware configuration:

Table 5: Recommended Hardware for Proxy Server Scenario, with URL Filtering

Maximum Number of Users    # CPUs    CPU             RAM (GB)
4000                       1         Xeon E5410      4
5000                       1         Opteron 2387    4
6000                       2         Xeon E5410      8
8000                       1         Xeon L5520      8
8000                       2         Opteron 2387    8
13000                      2         Xeon L5520      12

Secure mail gateway

Forefront TMG’s secure mail gateway solution protects your network against spam and viruses that enter your organization via electronic mail. For more information about the secure mail gateway, see http://blogs.technet.com/isablog/archive/2009/11/10/email-protection-in-forefront-tmg-2010-release-candidate.aspx.

The table below shows the number of users supported in this scenario by a specific hardware configuration.

Table 6: Recommended Hardware for Secure Mail Gateway Scenario

Maximum Number of Users    # CPUs    CPU             RAM (GB)
1500                       1         Xeon E5410      4
2000                       1         Opteron 2387    4
3000                       2         Xeon E5410      8
3500                       1         Xeon L5520      8
4000                       2         Opteron 2387    8
6000                       2         Xeon L5520      12

Authors
David Strausberg, Technical Writer – Forefront TMG

Gabriel Koren, Forefront TMG Test Team

Reviewers
Ittai Gilat, Senior Development Engineer Test - Forefront TMG
Tom Shinder, Technical Writer – Forefront UAG
Vladimir Holostov, Senior Program Manager – Forefront TMG
Zakie Mashiah, Principal Group Manager – Forefront TMG

Comments
  • Are there plans to release a capacity planning tool for TMG like you did with ISA?

    Thanks

    JJ

  • Excellent post!

  • Hi Jason,

    Yes, we are planning to make a capacity planning tool for Forefront TMG 2010 available shortly. We'll announce its availability right here on the TMG blog, so be sure to visit frequently! We'll also release an enhanced version of the information you see in this post on the Forefront TMG 2010 TechNet Library, including fine-tuning guidance and other best practices.

    Regards,

    David Strausberg

  • Hi Jason,

    Very interesting blog, just what I needed!

    I do have a question about a quote "Note that NLB has a maximum total bandwidth limit of 500 Mbps; if your traffic volume exceeds this limit, your deployment requires a different load balancing mechanism." Do you mean you have a maximum of 500Mbps per array member or per total array?

    There is also one thing I'd like to mention. What I miss (not in this blog though) from Microsoft is more information regarding NLB configuration considerations on ISA/TMG Server (e.g. scenarios about NLB in multicast mode or with separate load balancers, and how to deal with more than one switch per interface).

    Regards,

    Boudewijn

  • Sorry, my previous post should be addressed to David...

  • Hi all,

    I want to ask about Forefront TMG and vendor network teaming solutions compatibility, like HP Network Configuration Utility or IBM/Broadcom's Advanced Control Suite (teaming of adapters in one server based on 802.3ad or similar)?

    Thanks.

    Regards,

    --

    Martin Necas

  • If you plan to use NLB then you will have problems, due to the fact that NLB and NIC teaming have problems. See the articles below for more info on that:

    Using teaming adapters with network load balancing may cause network problems

    http://support.microsoft.com/kb/278431/en-us

    Network Load Balancing cluster node does not successfully converge

    http://support.microsoft.com/kb/812870/en-us

  • Yes, that is why we hope Microsoft will work on an integrated teaming functionality in Windows. This is a big issue when you have redundant/logical switches on every network and multiple TMG Servers in an array. Somebody has added this as feedback at Microsoft Connect. Please read the following link...

    Native NIC teaming for Windows Server

    https://connect.microsoft.com/WindowsServerFeedback/feedback/details/484992/native-nic-teaming-for-windows-server

  • Thank You,

    What is the maximum supported memory for TMG?

  • Hello,

    Can you please clarify the NLB limitation of 500 mbps throughput that you mentioned? I cannot find any official documentation on TechNet around this limitation and if it is truly a limitation, I would like to know.

    Thanks,

    Bhargav
