Microsoft Forefront TMG – Best Practice Analyzer

by [Published on 16 Feb. 2010 / Last Updated on 20 May 2013]

How to install and use the Forefront TMG Best Practice Analyzer (TMGBPA).


In this article I will show you how to install and use the Forefront TMG Best Practice Analyzer (TMGBPA). You can use TMGBPA to analyze your Forefront TMG environment for security holes, performance problems and configuration mismatches. The Best Practices Analyzer (BPA) Tool is designed for administrators who want to determine the overall health of their Forefront TMG computers and to diagnose current problems.

Get your copy of the German language "Microsoft ISA Server 2006 - Das Handbuch"

Let us begin

TMGBPA scans the configuration settings of the local Forefront TMG computer and reports issues that do not conform to the recommended best practices. TMG BPA uses some different technologies to get information about the TMG computer. TMG BAP uses COM objects to find information, Windows Management Instrumentation (WMI) classes, the system registry, files on disk, and the Domain Name System (DNS) settings to collect all necessary information about the Forefront TMG computer.

The resulting report details critical configuration issues, potential problems, and information about the local computer. TMG uses an integrated Windows help (chm file) or external website links for additional information on how to solve problems found in your TMG configuration.

TMG BPA comes with two tools:

  • TMG Data Packager
  • BPA2Visio

TMG Data Packager

TMG Data Packager creates a single .cab file containing Forefront TMG diagnostic information that can be easily sent to Microsoft Product Support Services for analysis.


BPA2Visio generates a Microsoft Office Visio diagram of your network topology as seen from a Forefront TMG computer or any Windows computer based on output from Forefront TMG BPA. Visio 2003, 2007, or 2010 must be installed in order to run BPA2Visio, so it is not recommended using BPA2Visio on the Forefront TMG computer, because you had to install Visio on the Firewall. A better practice is to install the Forefront TMG BPA on a machine with Visio installed. It is possible to use saved TMG BPA scan results for BPA2Visio.

System Requirements

The System requirements for running TMG BPA are moderate:

Supported Operating Systems:

Windows Server 2008

Windows Server 2008 R2

Windows Vista

Windows 7

Microsoft .NET Framework 2.0 or higher


Forefront TMG Medium Business Edition (MBE)

Forefront TMG 2010


For BPA2Visio: Microsoft Office Visio 2003; Microsoft Office Visio 2007; Microsoft Office Visio 2010

Installing TMGBPA

First we need to download the Forefront TMG Best Practice Analyzer (TMGBPA) from the following website. After downloading, you can install the TMGBPA tool following the instructions of the wizard.

Figure 1: Installation of the Forefront TMG Best Practice Analyzer Tool

Read, understand and accept the License Agreement

Figure 2: Forefront TMG Best Practice Analyzer Tool automatic update option

If you want to participate in the CEIP – Customer Experience Improvement Plan click the appropriate option. You can change this setting later.

Figure 3: Forefront TMG Best Practice Analyzer Tool - CEIP

Click Install to start the TMG BPA installation process. The installation takes some time, depending on the speed and load of your TMG machine. After the installation of the TMG BPA has finished, start the Forefront TMG Best Practice Analyzer tool.

Figure 4: Installation of the Forefront TMG Best Practice Analyzer Tool has finished

On first startup, TMG BPA is checking for the most current version on the Internet

Figure 5: TMG BPA checking for updates

Create a First Scan

After checking for TMG BPA updates, it is time to create a first TMG BPA scan. Select options for a new scan.

Figure 6: TMG BPA – Select options for a new scan

Start a scan and select the scan option. Enter the scan label to identify the scan job later, and enter the Scan type.

Figure 7: Enter scan label, and scan type

The scan process can take some time, but the estimated time remaining will give you helpful information how long the process takes to complete.

Figure 8: TMG BPA starts scanning the TMG configuration

It takes some time…

Figure 9: TMG BPA scanning in progress

Scanning completed. Click view a report of the Best Practices Scan.

Figure 10: TMG BPA scan completed

It takes some time to display all issues. The issues are sorted from Critical to informational items.

Figure 11: TMG BPA scan results

If you want to have more information about the found issue, click the issue to find more information how to resolve the found problem. Forefront TMG BPA uses a Built In help file with TMG BPA information.

Figure 12: TMG BPA – getting additional information

It is also possible to schedule a BPA scan if you want to create TMG health reports over a specific time. Scheduling TMG BPA reports is always helpful if you often change the Forefront TMG configuration.

Figure 13: Schedule a TMG BPA scan

You can view the TMG BPA help file without executing the TMG BPA tool. You can find the TMG BPA help file (.CHM file) in the installation directory of Forefront TMG BPA. The TMG BPA help is really helpful to get additional information about all Forefront TMG issues.

Figure 14: TMG BPA integrated help

It is also possible to configure Forefront TMG BPA update checking, and Customer Experience improvement Program settings.

Figure 15: Configuring Updates and customer Feedback

TMG BPA has the option to open saved BPA reports for later reviewing. Click Import scan to open a saved report.

Figure 16: Importing TMG BPA scan reports

To determine the version of the TMG BPA version, click About the Forefront TMG Best Practice Analyzer. The version used for this article is 2.5.7970.100.

Figure 17: TMG BPA version information


In this article, I gave you an overview of the Microsoft Forefront TMG Best Practice Analyzer. TMGBPA is great tool for Administrators and TMG consultants to analyze their TMG Server computers for potential problems. TMG BPA has also some basic documentation capabilities in form of saved TMG BPA reports and the BPA2Visio component.

Related links

See Also

The Author — Marc Grote

Marc Grote avatar

Marc Grote is an MCSA/MCSE Messaging & Security, MCSE Private Cloud and Server Virtualization, an MCTS/MCITP and a Microsoft Certified Trainer and MCLC. He is a freelance Consultant and IT Trainer in the north of Germany near Hanover. He specializes in System Center, TMG/UAG Server, Exchange, Security for Windows Server 2012 R2 and Windows Server 2012 R2 designs, migrations and implementations. His efforts have earned him recognition as a Microsoft MVP for ISA Server since 2004 until 2014. Starting in 2014 he has been awarded as an MVP for Hyper-V.


Featured Links