Quota rules restrict the amount of traffic that specific clients may transfer within a certain period of time. When the limit is reached, these rules ensure that Internet access is denied for the clients concerned.
|Note. Traffic quota is counted only for connections whose source IP address is not in the External network and whose destination IP address is in the External network. In all other cases the traffic quota does not apply.|
|Figure: Quota Rules|
To create a Quota Rule, in the console tree of Forefront TMG Management, right-click Quota Rules, point to New, and then click Rule. Then follow the instructions of the wizard. Note that the rule elements needed to create the rule should be set up before starting the wizard.
Below is a description of the Quota Rules options and their effect.
On the General tab, supply the name for the rule and its description. You can also enable or disable the rule here by selecting or deselecting the Enable option.
Use the Applies To tab to specify objects for the rule to apply to. You can select IP address sets or user sets. Exclusions can also be set up here.
The Action tab is used to configure the traffic amount restrictions to be controlled by the rule.
|Figure: Action tab of Quota Rule Properties|
If the No limits mode is selected, the traffic for clients subject to this rule will not be restricted.
You can select different traffic quota modes: limit sum of incoming and outgoing traffic, limit separately incoming and outgoing traffic, limit incoming traffic only, limit outgoing traffic only. Set the traffic amount allowed by the rule in megabytes. When the remaining traffic counter reaches zero, all connections of the client are terminated. If any web requests are sent after this moment, the user sees a message that the allowed traffic quota has been exceeded.
Use the checkbox Don't account cached web content to control whether content served from the Forefront TMG cache is counted. If this option is active, data transmitted from the cache is not counted. Otherwise cached web content is counted like all other traffic.
You can set the quota reset period. When this period expires, the quota counter is reset to the value specified in the quota value field(s). If the checkbox Transfer remainder to the next period is selected, the unused traffic quota from the expired period is transferred to the next period. Counters are reset at 0:00: every day for daily quotas, on the night of Monday for weekly quotas, and on the night of the first day for monthly quotas.
You can limit the amount of quota remainder transferred to the next period with the parameter But no more than X % of the limit. This is useful to keep quota counters from growing continuously. The value is given as a percentage of the rule's general quota limit. It may be 1% or higher, including values greater than 100%. For example, in the figure above, the general limit is 500 MB, and no more than 150% of it is transferred as remainder. This means that when the next period starts, a remainder of less than 500 * 150% = 750 MB is added in full to the 500 MB provided for the new period. If the remainder is greater than 750 MB, only 750 MB is added. So the maximum possible value of the quota counter in this case is 750 + 500 = 1250 MB.
The Quota Type option defines the way the rule is applied. Depending on the value of this option, the effect of the rule may be very different.
Select Assign quota individually to each applicable user/address to apply the traffic quota set by the rule individually to each user or client host that matches it, i.e. separately from each other.
Select Share quota between all applicable users/addresses to apply the traffic quota set by the rule to all users or hosts as a whole, i.e. one common quota is assigned to all applicable users.
Use the Extra tab to configure additional options.
|Figure: Extra tab of Quota Rule Properties|
The option Continue to evaluate subsequent rules to allow them to be applied too controls whether Bandwidth Splitter continues to evaluate subsequent rules after the current rule has been found to match. This makes it possible to apply several rules simultaneously. If another matching rule is found, the same option in that rule decides whether evaluation continues further. If the option is not set, evaluation stops, and only the matching rules found up to that point are applied.
Note that if a rule is not applied, this option does not matter, and evaluation continues unconditionally.
|Note. When multiple quota rules are applied, the sent/received traffic amount is deducted from all corresponding quota counters.|
The option Ensured quota (don't block access until quota allocated by this rule is exceeded, even if other applied rules would have to block it) determines when access is blocked when multiple quota rules are applied. To understand the expected result, consider this option across all simultaneously applied quota rules at once.
When this option is not checked in any of the applied rules, access is blocked when the quota is exceeded for any of them.
If this option is checked in one of the applied rules, access will not be blocked until the quota of this rule is exceeded, even if the quota of other applied rules is already exceeded.
If more than one of the applied rules has this option checked, access will be blocked only when the quota is exceeded for each of these rules.
It may seem that rules without this option checked are useless when applied together with rules that have it checked. They indeed do not affect the result in this case, but their quota counters are still reduced, and this may affect other cases in which such a rule is applied without any other rule that has this option checked.
If only one quota rule is always applied, this option has no effect.
Here are a few examples to clarify the effect of these two options.
1. Applying multiple rules without activating the Ensured quota option.
1.1. Using the option Continue evaluation, you create 3 rules, specifying daily, weekly, and monthly quotas for the same client.
Traffic is deducted from all 3 counters. When any of these quotas is exceeded, access is blocked.
1.2. Using the option Continue evaluation, you create an individual quota for the group Managers, and a shared quota for a group which contains Managers and Developers.
When a manager uses the Internet, his traffic is deducted from his individual quota counter for the first rule, and also from the shared quota counter for the second rule.
When a developer uses the Internet, his traffic is deducted only from the shared quota counter for the second rule.
A manager's access is blocked when his individual quota from the first rule is exceeded, or when the shared quota from the second rule is exceeded.
A developer's access is blocked when the shared quota from the second rule is exceeded.
In this case managers are subject to the more severe restriction.
2. Using the Ensured quota option.
2.1. The same configuration as in 1.1, but each rule also has the Ensured quota option activated.
Traffic is deducted from all 3 counters. Access is blocked only when all of these quotas are exceeded.
2.2. The same configuration as in 1.2, but the first rule also has the Ensured quota option activated, while it is not activated in the second rule.
Traffic is deducted from the quota counters in the same way.
A manager's access is blocked only when his individual quota from the first rule is exceeded; the state of the shared quota from the second rule does not affect him at all.
A developer's access is blocked when the shared quota from the second rule is exceeded.
In this case developers are in exactly the same situation as in 1.2, while managers are limited only by the quota allocated in the first rule. A manager's traffic will still be deducted from the shared quota counter for the second rule, but when this quota is exceeded, this will only affect developers.
Such a configuration can be useful, for example, when you want to limit the total traffic of all users (using a shared quota rule), while ensuring that some important clients (managers) are provided with traffic (using an individual quota rule) which can be used in full regardless of the shared quota status.
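The rule evaluation and blocking logic described above, modelled as an added example (this is not Bandwidth Splitter's own code). The class names, rule names, users and limits are constructed for illustration; the scenario replays examples 1.2 and 2.2.

```python
from dataclasses import dataclass

@dataclass
class Rule:                       # illustrative model, not the product's data structure
    name: str
    members: set                  # users the rule applies to
    limit_mb: float
    shared: bool = False          # "Share quota between all applicable users/addresses"
    continue_eval: bool = False   # "Continue to evaluate subsequent rules ..."
    ensured: bool = False         # "Ensured quota"

class QuotaEngine:
    def __init__(self, rules):
        self.rules = rules
        self.left = {}            # (rule name, user or None if shared) -> MB remaining

    def _key(self, rule, user):
        return (rule.name, None if rule.shared else user)

    def applied(self, user):
        out = []
        for r in self.rules:
            if user not in r.members:
                continue          # rule not applied: evaluation continues unconditionally
            out.append(r)
            if not r.continue_eval:
                break             # stop; only rules matched so far are applied
        return out

    def account(self, user, mb):
        for r in self.applied(user):   # traffic is deducted from every applied counter
            k = self._key(r, user)
            self.left[k] = self.left.get(k, r.limit_mb) - mb

    def blocked(self, user):
        rules = self.applied(user)
        spent = lambda r: self.left.get(self._key(r, user), r.limit_mb) <= 0
        ensured = [r for r in rules if r.ensured]
        # With ensured rules only they decide, and all must be exceeded; otherwise any one blocks.
        return all(map(spent, ensured)) if ensured else any(map(spent, rules))

def scenario(ensured_first):
    """Examples 1.2 (False) and 2.2 (True) with constructed users and limits."""
    eng = QuotaEngine([
        Rule("managers-individual", {"alice"}, 100, continue_eval=True, ensured=ensured_first),
        Rule("all-shared", {"alice", "bob"}, 150, shared=True),
    ])
    eng.account("bob", 100)       # developer: shared counter 150 -> 50
    eng.account("alice", 60)      # manager: individual 100 -> 40, shared 50 -> -10
    return eng, eng.blocked("alice"), eng.blocked("bob")
```

With `scenario(False)` both users are blocked once the shared counter is spent; with `scenario(True)` only the developer is, and the manager stays online until the individual counter reaches zero.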
Use the option Show quota counters of this rule in users' web stats to choose whether the quota counters of this rule appear in the web statistics shown to users.
The parameter Quota description shown to users lets you specify description text that users will see in their web statistics along with their quota counters. If it is not specified, the quota rule name is used.
|Note. If Quota Rules have been modified so that a new (non-unlimited) quota has been set up for a client, the existing traffic counter value does not change until it is automatically reset at the beginning of the new period, or until it is deleted.|