Forefront Threat Management Gateway 2010 or FTMG comes with some very neat troubleshooting tools built-in when trying to identify what is actually happening behind the scenes within the product when traffic is passing through its interfaces. To the initiated or trained, looking at the log files or reading the output from a set of trace files created from the 'repro' tool within the best practice analyser is sufficient; and fairly easy to do if you understand what you are looking at.
For the less knowledgeable - or for those who do not have the time to deep-dive and work it out for themselves - there is diagnostic logging, a new option that works really well in Forefront TMG 2010.
This brief article walks through the diagnostic logging routine and brings together a sample view of what can be picked up from it including the sequencing of events.
Diagnostic logging is disabled by default - it stands to reason that it takes up a fair bit of processing power and storage so should only be used when troubleshooting a specific issue rather than leaving it running all the time.
To enable the function, open the FTMG GUI, select Troubleshooting and then the Diagnostic Logging tab along the top on the right-hand-side. Open the task pane on the far right and click enable diagnostic logging.
FTMG will now commence its inspection of events that take place and attempt to put them into an intelligible framework but note that you will NOT see anything appear on the screen. It is also noteworthy that you should try and undertake this activity when normal traffic is light or even out of normal working hours, if possible. In the meantime, try and recreate the event that you are trying to investigate or the scenario that you wish to be enlightened on. Once recreation has taken place or, after a short period of time driven by your storage really, disable the diagnostic logging option. Again, nothing will appear on the screen at this time, everything is held in the log ready for recall.
Click Show All then stand back..... you should now be looking at a fairly lengthy output of events that the FTMG server has undertaken during that period.
I have attached a Word document that contains a number of screenshots of these steps and some sample test-bed outputs for convenience. diag-logging.docx