Forefront TMG web chaining is a clever way to allow one Forefront TMG server to pass proxy clients on to another TMG server that has Internet access. This scenario is typical for companies that have remote offices connected via a private network without a local Internet breakout on site.
Once web chaining has been configured the following flow of traffic is observed:
Web chaining is only configured on the downstream TMG server.
When a response is received from a web server, Forefront TMG adds data to the response header in the Via field. We can see this information by using the Internet Explorer's F12 developer tools and looking at the network capture. When the request is routed through a single TMG proxy, the via field looks as follows:
If the request is routed through a web chain you will see that the chain members are appended to the via field. In this case you can see that the request has been routed through additional proxy servers.
Forefront TMG web chains create an interesting scenario when reporting on Internet usage. Any request being routed directly to the edge TMG server will be logged with the original username. Any request being directed to the remote TMG will be logged at the remote TMG server with the original username, but it will be logged as the web chain user account at the edge TMG server. If you are only monitoring the edge TMG Server, the entire remote office will show up as a single user. To report on usernames from the remote site, you need to also monitor the remote TMG server directly, however this creates a duplication of traffic from that location.
One solution here is to monitor the remote TMG server using a separate instance of TMG Reporter. This also gives you the advantage of running TMG reporter at the remote site to prevent all the log shipping going over the WAN.
Another option is to monitor both the edge TMG and the remote TMG Servers, and use the latest development build of TMG Reporter to exclude the web chain user account from your reports. To do this:
This will give you a report for all users except the web chain account:
Note: Excluding the web chain user is possible for Reports, but specific user accounts cannot be excluded from TMG Reporter's dashboard. This is a feature currently being considered.
It is possible to delegate basic credentials when configuring the web chain. However, for this to work your upstream edge TMG server needs to be configured to allow basic authentication over HTTP. If basic authentication delegation is configured then there is no distinguishable difference between local and web chain traffic when monitoring the edge TMG server. For more information see the 'Authenticating Chained Requests' section in this article: https://technet.microsoft.com/en-us/library/cc995172.aspx.
For more information about web chaining, check out this great article by Tom Shinder: Web Proxy Chaining as a Form of Network Routing.
Download the free 30 day trial, or schedule a demo and we'll show you how it works!
Make The World A Better Place with Fastvue and Microsoft Reputation Services (MRS)
How to Report on YouTube Activity with Fastvue TMG Reporter