Simulating network traffic

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

The traffic simulator simulates network traffic in accordance with specified request parameters, and provides information about firewall policy rules that are evaluated for the request. This feature can help troubleshoot communication issues that users may have with the destination server (for example, when a user from the internal corporate network tries to access an Internet Web server but is denied access). The traffic simulator scans all of the published rules correlating with the scenario. The administrator can then check the results to determine how to resolve the issue. In addition, this feature can verify the functionality of a new policy rule by testing traffic that is handled by the new rule.

The traffic simulator can be run from a remote management computer. The traffic simulator is run per array. You select the server within the array on which you want to run the traffic simulator.

Important

The traffic simulator checks rules only on the basis of what is allowed or denied by the firewall engine. The traffic simulator is not aware of traffic that is blocked or allowed based on application filter settings, or HTTP filtering, which means that even if simulated traffic is allowed, real traffic may be blocked by a filter.

The following describes how to configure the traffic simulator, and how to simulate traffic scenarios.

Configuring the traffic simulator

The following lists the different firewall policy scenarios that can be simulated:

  • Web access—Simulates traffic handled by an access rule, by allowing or denying Web access for clients making Web proxy requests.

  • Non-Web access—Simulates traffic handled by access rules, by allowing or denying internal client requests for non-Web resources in other networks.

  • Web publishing—Simulates traffic from clients making requests to published Web servers located on corporate networks (requests that are handled by Web publishing rules in ISA Server).

  • Server publishing—Simulates traffic between clients and non-HTTP published servers located on corporate networks (requests that are handled by server publishing rules in Forefront TMG).

The results of the simulation for the configuration properties of the policy rules appear at the bottom of the screen. You can check any of the setting details in the following list to evaluate the cause of any network issues.

| Setting | Description |
| --- | --- |
| Rule Name | Displays the name of the policy rule used by the request. |
| Rule Order | Displays the order number of the rule. Rule ordering numbers are displayed in the details pane of the Firewall Policy node in Forefront TMG Management. |
| From | Displays the source network from which the traffic is initiated. |
| To | Displays the destination network to which the traffic is sent. |
| Network Rule Name | Specifies the name of the network rule used. |
| Network Relationship | Specifies the network relationship in the policy rule as either network address translation (NAT) or Route. |
| Protocol | Specifies the protocol used to establish the connection (for example, HTTP). |
| Rule Application Filters | Displays the application filter types defined in the published rule. |
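
A simplified model of how to read a simulation result, added here as an illustration and not Forefront TMG code: it assumes rules are checked in Rule Order with the first match producing the result row, and it flags an Allow on a rule that carries application filters, because the simulator does not evaluate filters. The `Rule` class, the `Action` and `Verify With Real Traffic` fields, and the sample policy are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    order: int
    name: str
    action: str      # "Allow" or "Deny" (assumed field, not in the settings list)
    src: str         # source network, "*" matches any
    dst: str         # destination network, "*" matches any
    protocol: str    # protocol name, "*" matches any
    app_filters: list = field(default_factory=list)

# Constructed sample policy; rule names and filters are illustrative only.
POLICY = [
    Rule(1, "Block FTP out", "Deny", "Internal", "External", "FTP"),
    Rule(2, "Web browsing", "Allow", "Internal", "External", "HTTP",
         ["Web Proxy Filter"]),
    Rule(3, "Default rule", "Deny", "*", "*", "*"),
]

def _match(pattern, value):
    return pattern == "*" or pattern == value

def simulate(policy, src, dst, protocol):
    """Return the result row for the first rule, by order, matching the request."""
    for rule in sorted(policy, key=lambda r: r.order):
        if (_match(rule.src, src) and _match(rule.dst, dst)
                and _match(rule.protocol, protocol)):
            allowed = rule.action == "Allow"
            return {
                "Rule Name": rule.name,
                "Rule Order": rule.order,
                "From": src,
                "To": dst,
                "Protocol": protocol,
                "Action": rule.action,
                "Rule Application Filters": list(rule.app_filters),
                # Engine-level Allow only: filters on the rule were not evaluated,
                # so real traffic can still be blocked.
                "Verify With Real Traffic": allowed and bool(rule.app_filters),
            }
    return None  # no rule matched (only possible without a catch-all rule)

if __name__ == "__main__":
    for proto in ("HTTP", "FTP", "SMTP"):
        print(simulate(POLICY, "Internal", "External", proto))
```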

Simulating traffic scenarios

To run the traffic simulation, you must first configure the traffic scenario settings. The following procedures describe how to simulate traffic:

  • For Web proxy access to the Internet

  • For non-HTTP access connection

  • To a published Web server

  • To a non-HTTP published server

To simulate traffic for Web proxy access to the Internet

  1. In the Forefront TMG Management console, in the Troubleshooting node, click the Traffic Simulator tab.

  2. In Simulation Scenarios, click Web access.

  3. In Source Parameters, configure the source request settings.

  4. Select whether traffic is to be sent from an anonymous or an authenticated user. For authenticated users, in Namespace, select Windows or RADIUS.

  5. In Destination Parameters, in the URL box, type the URL address of the target site. If the rule is configured to apply to any domain, you can specify an IP address or a URL.

  6. In Server, select the server from which you are running the traffic simulator.

  7. Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.

  8. Click Start.

  9. If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario on the Diagnostic Logging tab.

To simulate traffic for non-HTTP access connection

  1. In the Forefront TMG Management console, in the Troubleshooting node, click the Traffic Simulator tab.

  2. In Simulation Scenarios, click Non-Web access.

  3. In the IP address box, enter the network IP address of the source server.

  4. In Destination/Source Parameters, configure the request settings.

  5. In Server, select the server from which you are running the traffic simulator.

  6. Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.

  7. Click Start.

  8. If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario on the Diagnostic Logging tab.

To simulate traffic to a published Web server

  1. In the Forefront TMG Management console, in the Troubleshooting node, click the Traffic Simulator tab.

  2. In Simulation Scenarios, click Web publishing.

  3. In Source Parameters, configure the source request settings.

  4. In Destination Parameters, in the URL box, type the URL address of the target site. If the rule is configured to apply to any domain, you can specify an IP address or a URL.

    Note

    The URL is the one published by Forefront TMG. The URL is specified on the Public Name tab. Forefront TMG must be able to resolve it to its external IP address; otherwise the simulation fails.

  5. In Server, select the server from which you are running the traffic simulator.

  6. Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.

  7. Click Start.

  8. If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario on the Diagnostic Logging tab.

To simulate traffic to a non-HTTP published server

  1. In the Forefront TMG Management console, in the Troubleshooting node, click the Traffic Simulator tab.

  2. In Simulation Scenarios, click Server publishing.

  3. In the Destination/Source Parameters box, configure the request settings.

  4. In Server, select the server from which you are running the traffic simulator.

  5. Click Apply diagnostic logging to simulated traffic to collect diagnostic logging information for the simulation.

  6. Click Start.

  7. If you selected Apply diagnostic logging to simulated traffic, click View Log to view events related to the simulated scenario on the Diagnostic Logging tab.
