Zaid Arafeh's Blog

Options
Search Blogs
Tags
Archive
Archives

Simple TMG Perfromance Tweaks using DNS

TechNet Blogs » Zaid Arafeh's Blog » Simple TMG Perfromance Tweaks using DNS

Simple TMG Perfromance Tweaks using DNS

zarafeh zarafeh
2 Dec 2010 4:44 AM
  • Comments 4
  • Likes

Boosting TMG Performance through simple DNS tweaks

TMG uses Its own Built-in Name resolution Cache, Then it fails back to DNS, then it fails back to Netbios Name Resolution. Accordingly below are some DNS related methods that can be used to optimize TMG Performance

  1. TMG Perfroms Forward and backward name resolution for Firewall Rules, so pay attention to the effeciency of its access to the DNS server
  2. DISABLE Netbios broadcasts on all network cards. Netbios resolution fails back to a broadcast which takes a very long time, leaving the request pending during that time. The best way to perform this is the following registry value
     Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT
     Parameters
     Name: NodeType
     Type: REG_DWORD
     Value: 2
  3. It is preferable to dedicate a name Server for each TMG Server Array
  4. Put the internal adapter on top of the adapters list, and configure it to use an internal DNS Server
  5.  Do not configure Other adapters with DNS Servers
     
Comments
Comments
  • Anonymous Suliman Abu Kharroub
    9 Dec 2010 12:28 AM

    Thank you Zaid, very useful tips.

    "3.Try to avoid using an IP Address in access Rules - Very few Public DNS records provide backward Look-up Zones"

    Why does TMG need to resolve ip addresses to names?  I dont think there is a need for that.

    If I may rewrite the point, I will write it like this " 2. try to avoid using domain names in DENY access rules- because ISA/TMG will do an additional reverse lookup query from ip address to domain name in order to determine  whether the ip address match any of the blocked domains in the rule."

  • Anonymous Mohit Saxena
    31 Jan 2011 7:52 PM

    If you have allowed or denied access based on Domain Name sets or URL sets, if TMG gets an IP, it needs to do a reverse lookup to match the set. TMG cannot automagically resolve that IP to a name. have a read at blogs.technet.com/.../isa-server-2006-stops-answering-requests.aspx

  • Anonymous Mohit Saxena
    31 Jan 2011 7:58 PM

    BTW my previous comment was for Suliman

  • MikeSTL MikeSTL
    15 May 2012 10:05 PM

    Is this registry setting any different than going into the adapter's setting, WINS tab and disabling NetBIOS over TCP/IP?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment