Hello List,

Over the last few months I have been transitioning from ISA (stand-alone, standard) to TMG (stand-alone, standard). We are a relatively small non-profit organization (roughly 300 employees, less than 100 in the building utilizing the MS firewall). We don't generate that much traffic. I am here today to tell you about my experience with TMG.

We've been using ISA for something like five or six years. It's always been a great workhorse for us, carrying all of our traffic without getting in the way of end-user usability. Back in about March I decided to upgrade to TMG. I bought a new server for it: lots more memory, more and better processors, etc.

Right off the bat there were problems. When I tried to import my settings from ISA to TMG, the process failed. I tried a few things, made sure all the SSLs were installed, etc. But I never could get that to go. So I built all the rules from scratch. Over the course of several weeks I got all the rules created and put into use, except for all the email-related rules.

When I moved all our workstations onto TMG, things went pretty well. There were a few glitches, but the biggest problem we had there was with a live stream from the local public radio station that would not play. After weeks of back-and-forth with MS PSS, and quite a bit of time on the phone, we finally got that one fixed.

Then about three weeks ago we took the last step and moved all the email-related things onto TMG. That included all SMTP traffic, OWA, and the rules that allow ActiveSync and whatnot for mobile devices. When TMG started handling that new traffic, things slowed way down. Slow DNS lookups appear to have been part of the problem. Web pages loaded very slowly, if at all. Our remote sites (we have a lot of them) slowed down, too. Their web traffic doesn't go through our firewall at this site, but their DNS lookups have to come to us. However, they don't pass through the TMG firewall.

Some things to bear in mind:

1. All this traffic passed over our ISA firewall without issue.
2. The ISA server was far less capable than the TMG server.
3. We don't have any of the Forefront services turned on for email. Instead we just pass the SMTP traffic over the firewall to our Barracuda server and it does all the email hygiene. So TMG shouldn't really be doing all that much work with the SMTP traffic.

I tried a number of things to address the problem, trying to ease the load on the firewall:

1. Put all the inbound and outbound SMTP traffic on the default IP address, just as it had been in ISA. (At first it was going out on a different IP address, but I thought maybe that required a lot of processing.)
2. Turned off Malware Inspection. (We weren't paying for the updates anyway.)
3. Turned off URL filtering. (Ditto.)
4. HTTPS inspection, which was earlier causing unrelated problems, was already off.
5. Installed the firewall client on our Windows PCs. (This actually helped a lot. But there's no firewall client for our Macs. We don't have many of them, but the ones we have tend to belong to the higher-ups. Proxy settings for them helped some. And in any case, putting the firewall client on the PCs at our remote sites wouldn't have been a good idea, so they were all still real slow.)

Except for that last one, nothing helped.

One thing I still don't understand is what's causing it. Did the addition of SMTP traffic cause the server to work that much harder, even though the firewall (theoretically at least) wasn't processing much with it? Is it doing that much more with SMTP traffic than ISA did with it? How come the far-less-powerful ISA server could handle it all without problems? And if the TMG server is so dang busy, how come the Task Manager says the server is barely doing anything?

Finally, I put things back almost the way they were before the slowdown: I moved all the SMTP traffic back to our resuscitated ISA server. (I left OWA and the mobile email connectivity stuff on TMG.) Voila, instant relief. The network is once again performing normally.

So now I'm left with some choices:

1. Leave things as they are, with an ISA firewall (or something else) for SMTP only, and TMG for everything else.
2. Go back to ISA for everything and forget about TMG, at least for a while.
3. Go to some other brand of firewall altogether.
4. Call PSS and plan to spend $260 and a lot of time trying to get to the bottom of this problem.

Finally, another disappointment has been the Malware Inspection and URL Filtering you can do. Licenses for the updates you get cost money, a lot of it, in fact. Even at our non-profit discount with a relatively small number of users, they are steep. So we opted not to use them.

OK, enough venting for now. I hope you have better luck with your own transition to TMG, if you go there. When is TMG SP1 coming out?

Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Helpdesk: 800-500-AFSC
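The post attributes the slowdown partly to slow DNS lookups but never separates name resolution time from the time traffic spends crossing the firewall. The PowerShell script below is an added diagnostic for that distinction; it is not from Rob's message, nor from Microsoft or the TMG product. It times lookups against the client's configured resolver and against an alternate resolver that does not traverse the firewall, then times a raw TCP connect (by IP, so no DNS is involved) to the mail host the SMTP rule forwards to. Every hostname, address and threshold in it is a constructed placeholder.

```powershell
# Added diagnostic (not part of the original post). Separates DNS lookup
# latency from firewall-path latency so a slowdown like the one described
# can be attributed to one or the other. All targets below are placeholders.

$names       = @('www.microsoft.com', 'owa.example.org', 'mail.example.org')  # constructed sample names
$altResolver = '192.0.2.53'    # placeholder: a DNS server reached WITHOUT traversing TMG
$smtpIp      = '192.0.2.25'    # placeholder: IP of the mail hygiene host behind the firewall
$smtpPort    = 25
$slowMs      = 500             # assumption: anything slower than this deserves a closer look

function Measure-DnsLookup {
    param([string]$Name, [string]$Server)
    # Stopwatch instead of Measure-Command so the success flag survives scoping.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ok = $false
    try {
        $params = @{ Name = $Name; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Server) { $params['Server'] = $Server }   # omit -Server to use the configured resolver
        Resolve-DnsName @params | Out-Null
        $ok = $true
    } catch { }
    $sw.Stop()
    $via = if ($Server) { $Server } else { 'configured resolver' }
    [pscustomobject]@{
        Test   = 'DNS'
        Target = $Name
        Via    = $via
        Ms     = [int]$sw.ElapsedMilliseconds
        Ok     = $ok
    }
}

function Measure-TcpConnect {
    param([string]$IpAddress, [int]$Port, [int]$TimeoutMs = 5000)
    # Connecting by IP keeps DNS out of this measurement entirely.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $client = New-Object System.Net.Sockets.TcpClient
    $ok = $false
    try {
        $async = $client.BeginConnect($IpAddress, $Port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
    } catch { } finally { $client.Close() }
    $sw.Stop()
    [pscustomobject]@{
        Test   = 'TCP'
        Target = "$IpAddress`:$Port"
        Via    = 'firewall path'
        Ms     = [int]$sw.ElapsedMilliseconds
        Ok     = $ok
    }
}

# Run each lookup both ways, then the TCP probe; three passes smooth out one-off spikes.
$results = @(
    1..3 | ForEach-Object {
        foreach ($n in $names) {
            Measure-DnsLookup -Name $n
            Measure-DnsLookup -Name $n -Server $altResolver
        }
        Measure-TcpConnect -IpAddress $smtpIp -Port $smtpPort
    }
)

$results | Format-Table -AutoSize

# Summary: average per target/path, with failures and slow paths flagged.
$results |
    Group-Object Test, Target, Via |
    ForEach-Object {
        $avg = [int]($_.Group | Measure-Object Ms -Average).Average
        $failed = ($_.Group | Where-Object { -not $_.Ok }).Count
        $flag = if ($failed -gt 0) { 'FAILED' } elseif ($avg -gt $slowMs) { 'SLOW' } else { 'ok' }
        '{0,-6} {1,-40} avg {2,5} ms  {3}' -f $_.Values[0], "$($_.Values[1]) via $($_.Values[2])", $avg, $flag
    }
```

Reading the summary: if lookups through the configured resolver are slow or fail while the same names resolve quickly via the alternate resolver, the problem sits in the resolution path (the DNS rule on the firewall or the resolver behind it); if DNS is fine everywhere but the TCP connect to the mail host is slow, the delay is in the firewall's handling of that connection itself. Run it from a workstation with the firewall client installed and again from one without, since the post reports the client made a large difference.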