Everyone has seen the Anonymous user in their Forefront TMG Reports. This is because Forefront TMG logs ‘anonymous’ in the username field for all unauthenticated traffic. We have blogged about the Forefront TMG Anonymous User, and written numerous support articles. But here is the best tip we can give you to reduce unauthenticated traffic in Forefront TMG:
To reduce the amount of unauthenticated traffic recorded by Forefront TMG:
- Use TMG Reporter to run a report on your anonymous user (hover over the anonymous user and click the green arrow to ‘Run report on anonymous’)
- Go to the Firewall Rules section of the report and you will see all the rules that are allowing the unauthenticated traffic.
- Edit these rules in Forefront TMG and set them from ‘All Users’ to ‘All Authenticated Users’.
There are certain system defined rules that allow unauthenticated traffic, and unfortunately these rules cannot be edited via the TMG Management Console.
One such rule is the SafeSearch rule that gets created when using Forefront TMG’s SafeSearch enforcement feature. This rule effectively allows all browsing to search engines to pass through unauthenticated. If you want to identify the user that was responsible for a specific search, bad luck!
Fortunately there is a way to set this rule to ‘All Authenticated Users’ but it needs to be done using a script. Richard Hicks explains how to do this in his post, Enable Authentication for SafeSearch Enforcement Rule in Forefront TMG 2010.
Thanks for the tip Richard!
Richard Hicks has made a follow up post outlining some of the challenges associated with the ideal goal of ‘authenticating everything’. I recommend checking it out here Identifying and Reducing Anonymous Traffic Allowed by Forefront TMG 2010
On this point, we often see authenticating BYOD (bring your own devices) such as mobile phones and tablets as a major headache for Forefront TMG Administrators. The recommended course of action in this situation is to create a separate network for these devices, and create an access rule for this network in Forefront TMG. This rule can allow ‘All Users’ (unauthenticated), and then it is easy to include or exclude this traffic using a Rule Equal to ‘my unauthenticated traffic’ Filter in TMG Reporter. Make sure you’re using the latest 2.1 Beta to access this comprehensive filtering feature.