Forefront TMG web chaining is a clever way to allow one Forefront TMG server to pass proxy clients on to another TMG server that has Internet access. This scenario is typical for companies that have remote offices connected via a private network without a local Internet breakout on site.

Once web chaining has been configured the following flow of traffic is observed:

  1. Remote client Internet requests are routed to the remote TMG proxy with the logged-on user name.
  2. The request is evaluated against the Internet access rules for the remote user account.
  3. If access is granted, the request is forwarded down the chain to the upstream edge TMG server.
  4. The request arrives at the edge TMG with the username specified in the web chain configuration.
  5. The request is evaluated against the Internet access rules for the web chain user account.
  6. The access is granted or denied.
  7. Response traffic is sent back up the chain to the original client.

How to configure Forefront TMG web chaining

Web chaining is only configured on the downstream TMG server.

  1. Open the TMG management console
  2. Select Networking
  3. Select the Web chaining tab and click Create new web chaining rule from the tasks pane
  4. Specify a name and click Next
  5. Add the destination to which the chain would apply (normally External network). Click Next.
  6. Select Redirect requests to a specific upstream server. Click Next.
  7. Specify the FQDN of the edge TMG. The port defaults are 8080 and 8443.
  8. Check Use this account and specify a domain account with Internet access by clicking the Set Account button.
  9. For Authentication type select Integrated Windows. Click Next.
  10. When primary route is unavailable, select Ignore requests. Click Next.
  11. Click Finished, and Apply the Changes.

The ‘Via’ Response Header field

When a response is received from a web server, Forefront TMG adds data to the response header in the Via field. We can see this information by using Internet Explorer’s F12 developer tools and looking at the network capture. When the request is routed through a single TMG proxy, the Via field looks as follows:

If the request is routed through a web chain, you will see that the chain members are appended to the Via field. In this case you can see that the request has been routed through additional proxy servers.

Reporting On Forefront TMG Web Chain Environments

Forefront TMG web chains create an interesting scenario when reporting on Internet usage. Any request being routed directly to the edge TMG server will be logged with the original username. Any request being directed to the remote TMG will be logged at the remote TMG server with the original username, but it will be logged as the web chain user account at the edge TMG server. If you are only monitoring the edge TMG server, the entire remote office will show up as a single user. To report on usernames from the remote site, you also need to monitor the remote TMG server directly; however, this creates a duplication of traffic from that location.

One solution here is to monitor the remote TMG server using a separate instance of TMG Reporter. This also gives you the advantage of running TMG Reporter at the remote site to prevent all the log shipping going over the WAN.

Another option is to monitor both the edge TMG and the remote TMG Servers, and use the latest development build of TMG Reporter to exclude the web chain user account from your reports. To do this:

  1. Open the TMG Reporter Web Site
  2. Select the Reports Tab and click Custom Report
  3. Change the Operator to Not equal to
  4. In the Values, select the Web Chain account
  5. Select the date and time range as per usual
  6. Click Run Report

This will give you a report for all users except the web chain account:

Note: Excluding the web chain user is possible for Reports, but specific user accounts cannot be excluded from TMG Reporter’s dashboard. This is a feature currently being considered.
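The same exclusion can be done offline when both log sets are exported. The script below is an added example, not part of TMG Reporter or of the original article: it drops edge rows logged under the web chain account (their per-user detail is in the remote log), merges the rest with the remote log, and adds a consistency check comparing chain-account bytes at the edge with the remote total. The account name, server names and log lines are constructed samples.

```python
"""Attribute Internet usage to real users across a TMG web chain.

Edge TMG logs chained requests under the web chain account; the remote TMG
logs the same requests under the original user. Counting both double-counts
the remote office; counting only the edge hides its users behind one account.
"""
import csv
from collections import Counter
from io import StringIO

WEB_CHAIN_ACCOUNT = "CORP\\svc-webchain"   # assumed name of the chain account

# Constructed tab-separated samples in the spirit of a W3C log export.
# At the edge, chained requests carry the remote TMG's IP as the client.
EDGE_LOG = """\
server\tclient_ip\tusername\tdest_host\tbytes
EDGE-TMG\t10.1.1.20\tCORP\\alice\twww.example.com\t1200
EDGE-TMG\t10.2.0.5\tCORP\\svc-webchain\twww.example.com\t800
EDGE-TMG\t10.2.0.5\tCORP\\svc-webchain\tupdates.example.net\t4500
EDGE-TMG\t10.1.1.21\tCORP\\bob\tmail.example.org\t300
"""
REMOTE_LOG = """\
server\tclient_ip\tusername\tdest_host\tbytes
REMOTE-TMG\t10.2.1.40\tCORP\\carol\twww.example.com\t800
REMOTE-TMG\t10.2.1.41\tCORP\\dave\tupdates.example.net\t4500
"""

def parse_log(text):
    """Parse a tab-separated log export into a list of row dicts."""
    return list(csv.DictReader(StringIO(text), delimiter="\t"))

def merge_chain_logs(edge_rows, remote_rows, chain_account=WEB_CHAIN_ACCOUNT):
    """Edge rows minus the chain account, plus all remote rows; also the drop count."""
    kept = [r for r in edge_rows if r["username"].lower() != chain_account.lower()]
    return kept + list(remote_rows), len(edge_rows) - len(kept)

def bytes_per_user(rows):
    """Total bytes per username over the merged rows."""
    totals = Counter()
    for r in rows:
        totals[r["username"]] += int(r["bytes"])
    return dict(totals)

def chain_byte_gap(edge_rows, remote_rows, chain_account=WEB_CHAIN_ACCOUNT):
    """Chain-account bytes seen at the edge minus the remote log total.

    Roughly zero when both logs cover the same window; a large negative value
    hints that the remote side served more than the edge saw (e.g. from its own
    cache), a large positive value that remote logs are missing or that the
    chain uses a different account than expected.
    """
    edge_chain = sum(int(r["bytes"]) for r in edge_rows
                     if r["username"].lower() == chain_account.lower())
    return edge_chain - sum(int(r["bytes"]) for r in remote_rows)
```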

Authentication Delegation

It is possible to delegate basic credentials when configuring the web chain. However, for this to work your upstream edge TMG server needs to be configured to allow basic authentication over HTTP. If basic authentication delegation is configured then there is no distinguishable difference between local and web chain traffic when monitoring the edge TMG server. For more information see the ‘Authenticating Chained Requests’ section in this article: http://technet.microsoft.com/en-us/library/cc995172.aspx.

For more information about web chaining, check out this great article by Tom Shinder: Web Proxy Chaining as a Form of Network Routing.