Forefront TMG 2010 hardware recommendations

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

Before you install Forefront TMG, it is recommended that you review this topic to ensure that your hardware is sufficient for your deployment. The hardware requirements for servers running Forefront TMG vary, and are dependent on a number of factors:

  • The features you enable.

  • The number of concurrent users.

  • The maximum available wide area network (WAN) bandwidth.

This topic describes the hardware recommendations for common deployment scenarios. Note that Forefront TMG is capable of supporting more than the values shown in Table 1. Test results on hardware available at RTM show that a single Forefront TMG server, deployed as a secure Web gateway, can reasonably support up to 12,169 concurrent users and a peak WAN bandwidth of 487 Mbps. To support this level of features, users, and bandwidth, you need a top-of-the-line server with 2 Intel Xeon Core i7 3333 MHz processors, each with 8 cores, and 12 GB RAM.

The following table shows the hardware recommendations for common deployment scenarios.

Table 1: Hardware recommendations for common deployment scenarios

| | Proxy Server [1] | Secure Web Gateway [2] | Secure Web Gateway [2] | Secure Mail Gateway [3] | Secure Mail Gateway [3] |
| --- | --- | --- | --- | --- | --- |
| Users | 1,500 | 750 | 1,500 | 4,000 | 10,000 |
| WAN Bandwidth | 100 Mbps | 50 Mbps | 100 Mbps | 10 Mbps | 20 Mbps |
| CPU: AMD Opteron | 1 Dual Core | 1 Quad-Core | 2 Quad-Core | 1 Quad-Core | 2 Quad-Core |
| CPU: Intel Xeon [4] | 1 Dual Core | 1 Core2 Quad | 2 Core2 Quad / 1 Core i7 Quad [5] | 1 Core2 Quad | 2 Core2 Quad / 1 Core i7 Quad [5] |
| Memory | 2 GB | 4 GB | 8 GB | 4 GB | 8 GB |
| Disk Space for Logging | 150 GB | 80 GB | 150 GB | 10 GB | 20 GB |
| Extra Disks for Web Caching | 1 | 0 | 1 | N/A | N/A |
| Network Interface | 100 Mbps | 100 Mbps | 100 Mbps | 100 Mbps | 100 Mbps |

Note

[1] Includes Web caching and URL filtering.

[2] Includes URL filtering, malware inspection, HTTPS inspection, Network Inspection System, Web caching, mail protection, and SIP/VoIP protection.

[3] Includes mail protection, such as anti-spam and anti-malware.

[4] “Core2” refers to processors with the Intel Core Microarchitecture; “Core i7” refers to processors with the Intel microarchitecture codename Nehalem.

[5] Make sure that the particular Core i7 processor has Intel Hyper-Threading Technology.

Important

If the number of users or the bandwidth in your deployment exceeds the values displayed in the table, or you want to refine the scenario in terms of the features that are enabled, it is recommended that you download the Capacity Planning tool, available from the Download Center (https://go.microsoft.com/fwlink/?LinkId=182886).

The following sections provide guidance on how to properly provision and configure your server hardware according to your deployment:

  • Server hardware design

  • Processor considerations

  • Storage considerations

  • Network adapter considerations

  • Redundancy recommendations

Server hardware design

Design your server hardware according to current and future requirements to prepare for growth. Consider provisioning additional processors, additional memory, and a reliable storage subsystem with a capacity of at least two or three times your estimated requirements. Note that because hardware technology evolves rapidly, upgrade options for your server platform might no longer be available within a relatively short period of time. This could pose a serious problem if future demands require you to increase system performance; for example, if you need additional processors.

Processor considerations

Be sure to select a supported processor, and to consider the processor performance recommendations.

Selecting a supported processor

For production environments, you must choose a processor that will work with the x64-based version of Windows Server.

The release to manufacturing (RTM) version of Forefront TMG is only supported in production environments when it is installed on a computer with x64-compatible processors that is running the Windows Server 2008 x64 Edition or Windows Server 2008 R2 operating systems.

You can select processors from Intel that support Intel Extended Memory 64 Technology or processors from AMD that support AMD64. For more information about these options, see the Intel 64 Architecture Web site (https://www.intel.com/technology/intel64/) or the AMD Opteron Processor Family Web site (https://www.amd.com/us-en/Processors/ProductInformation/0,,30_118_8825,00.htm). Forefront TMG is designed to run only on x64-capable processors such as those listed; it will not run on Itanium-based systems.

Regardless of which processor you select, it is recommended that you use a server product listed in the Windows Server Catalog (https://go.microsoft.com/fwlink/?LinkId=64547).

Processor performance recommendations

Forefront TMG benefits significantly when running on multi-core and multithreaded processors. The performance benefit for Forefront TMG from multi-core technology depends upon the specific processor that is used. Multi-core processors are an attractive option for Forefront TMG servers based on price and performance. 

The processor usage on a server should maintain a load of no more than 70 percent during peak working hours. This percentage level allows for periods of extreme load. If the processor usage is consistently greater than 75 percent, processor performance is considered a bottleneck.

The following factors directly affect the performance of the CPU in a server:

  • The processor clock speed.

  • The number of processors.

  • The number of cores per processor (quad core processors provide a better price/performance ratio than dual core processors).

  • Hyper Threading—Unlike in older architectures, hyper threading in the architectures available today provides an almost linear capacity increase. If you deploy a processor with hyper-threading capability, be sure to enable the feature in the system’s BIOS.

For performance, selecting the fastest processor available within your budget yields the best results. Forefront TMG can fully use multiple processors, and using servers with more processors improves performance.

Tip

When deploying Intel microarchitecture “Nehalem” processors, it is recommended that you configure the computer’s BIOS for the best performance results, according to the following:

  • Enable Intel Hyper-Threading (H-T) Technology for a marked increase in throughput.

  • Set the CPU Idle State to High Performance Mode. Although this cancels the economic and environmental benefits of power-saving, in testing it was found that the ramp up from power saving to performance mode can negatively impact performance during the transition.

Storage considerations

You need to consider Forefront TMG’s disk space requirements for varying deployment scenarios and sizes.

Forefront TMG has the following disk space requirements:

  • System—Holds OS and program files, approximately 40 GB.

  • Logging—It is recommended that you store log records for 3 days in addition to the current day. When calculating the necessary storage space, estimate that each user creates about 25 MB of logs per day for Web traffic, which means that 1000 users create about 25 GB of logs per day; hence, you will need 100 GB of space to store logs for this period of time.

    Note

    If your scenario is logging SMTP traffic only, as in the secure mail gateway scenario, each user creates about 0.5 MB of logs per day.

  • Web Caching—Some scenarios require separate physical drives for caching. It is recommended to limit the cache file to a maximum of 40 GB on any disk. See Caching considerations for details.

Deployments of up to 500 users

If you are deploying Forefront TMG for fewer than 500 users, in most cases a 250 GB hard drive is sufficient for system, logging, and cache. You can install a single hard drive, or a small redundant array of independent disks (RAID) to provide redundancy.

Deployments of more than 500 users

If you are deploying Forefront TMG for more than 500 users, the hardware requirements increase, and if you enable Web caching, you might need to add disk drives (see Caching considerations below). The following table shows the recommended hard disk size based on the number of users.

| Maximum Number of Users | Hard Disk Size |
| --- | --- |
| 2000 | 250 GB |
| 4000 | 500 GB |
| 10000 | 1 TB |
| 13000 | 2 TB |

Caching considerations

If you enable Web caching in a deployment of more than 500 users, for performance reasons, you should have one or more separate, physical disks dedicated to Web caching. While the actual maximum cache file size per volume is 64 GB, the recommended maximum size of a cache file is 40 GB per physical disk drive; allocating more disk space for caching will impair performance. If, according to your scenario, you need more disk space for caching, use separate physical drives for each 40 GB cache file. There are two possible configurations:

  • Multiple physical disks (not RAID)—Use one hard disk for system and logging, and separate hard disks for caching. This option involves deploying more storage space than is actually consumed, as only 40 GB on each drive should be used for caching.

  • RAID (preferably RAID-5, for redundancy)—RAID allows for more flexibility. You can allocate up to 40 GB per disk for caching, and use the remaining space on each disk for system and logging.
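
The storage rules above, worked through as an added example (it is not part of the original topic or of any Microsoft tool): the function and field names are hypothetical, and the layout models the "multiple physical disks (not RAID)" configuration. It sizes the retained logs from the per-user figures and splits a desired cache into files of at most 40 GB, one per physical disk.

```python
import math

# Figures taken from the storage guidance on this page.
SYSTEM_GB = 40               # OS and program files
WEB_LOG_MB_PER_USER = 25     # per user per day, Web traffic
SMTP_LOG_MB_PER_USER = 0.5   # per user per day, SMTP-only logging
RETENTION_DAYS = 3 + 1       # 3 stored days plus the current day
CACHE_GB_PER_DISK = 40       # recommended maximum cache file per physical disk
DEDICATED_CACHE_USERS = 500  # above this, caching gets its own physical disks


def log_storage_gb(users, smtp_only=False):
    """Space for retained logs; 1 GB is counted as 1000 MB, as the page does."""
    per_user_mb = SMTP_LOG_MB_PER_USER if smtp_only else WEB_LOG_MB_PER_USER
    return users * per_user_mb * RETENTION_DAYS / 1000


def cache_layout(cache_gb):
    """Split the desired cache into files of at most 40 GB, one per disk."""
    if cache_gb <= 0:
        return []
    disks = math.ceil(cache_gb / CACHE_GB_PER_DISK)
    full = [CACHE_GB_PER_DISK] * (disks - 1)
    return full + [cache_gb - CACHE_GB_PER_DISK * (disks - 1)]


def storage_plan(users, cache_gb=0, smtp_only=False):
    """Return the size of the system/logging volume and the cache disks needed."""
    files = cache_layout(cache_gb)
    # Up to 500 users, one cache file may share the system/logging drive;
    # every further cache file still needs its own physical disk.
    shared = files[:1] if users <= DEDICATED_CACHE_USERS else []
    dedicated = files[len(shared):]
    logs = log_storage_gb(users, smtp_only)
    return {
        "log_gb": logs,
        "cache_files_gb": files,
        "dedicated_cache_disks": len(dedicated),
        "system_volume_gb": SYSTEM_GB + logs + sum(shared),
    }


if __name__ == "__main__":
    # Constructed inputs: the Table 1 proxy scenario and a 10,000-user mail gateway.
    print(storage_plan(1500, cache_gb=40))
    print(storage_plan(10000, smtp_only=True))
```

For the 1,500-user proxy scenario this gives 150 GB of logs and one dedicated cache disk, which agrees with the corresponding column of Table 1.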

Network adapter considerations

Typical throughput of gigabit adapters

During testing, a 1 Gigabit Ethernet adapter was found to support a throughput of approximately 600 megabits per second (Mbps).

Receive-side scaling

Use network adapters with receive-side scaling (RSS), a technology that enables packet receive-processing to scale with the number of available computer processors. This allows the Windows Networking subsystem to take advantage of multi-core and many-core processor architectures.

Redundancy recommendations

Deploying an array

It is recommended that you deploy an array of Forefront TMG computers for redundancy (array support is available in Forefront TMG Enterprise Edition only). After determining the number of computers your deployment requires, add at least one more computer for redundancy, so that your deployment can continue functioning during a computer failure or required maintenance.

Load balancing

Deploying a Forefront TMG array requires a load balancing mechanism: Network Load Balancing (NLB), DNS round robin, or a hardware load balancer.

Important

During testing, NLB’s maximum total bandwidth was found to be about 500 Mbps; if your traffic volume exceeds this limit, your deployment will require a different load balancing mechanism.

For more information on redundancy and load balancing, see Planning for Forefront TMG server high availability and scalability.

Resources

Capacity Planning Tool on the Download Center

Concepts

Installation design guide for Forefront TMG
System requirements for Forefront TMG