Reporting on Hostnames with Forefront TMG SecureNAT Clients

Posted December 18, 2012









There are a few differences when reporting on clients configured to use Forefront TMG as a Web Proxy Client versus SecureNAT (also known as SecureNET) Clients.

No Authenticated Usernames

One of the key differences is that Forefront TMG does not log user credentials for SecureNAT clients. When defining Internet access rules in Forefront TMG for SecureNAT clients, you can only use the “All Users” user object, not the “All Authenticated Users” object. As SecureNAT clients do not authenticate, all SecureNAT Internet requests are logged as Anonymous.

TMG Reporter provides the option to exclude the Anonymous user from being imported (Settings | Import Filters). It is therefore important to understand that doing so will exclude all SecureNAT traffic from your reports.

No Site Hostnames

Another difference is that Internet requests are logged with only the destination IP address in the URL, as opposed to the hostname. If you look at Forefront TMG’s logs and reports view, you will see something similar to this for SecureNAT traffic:

The top sites section in TMG Reporter will therefore only contain IP Addresses and not site names such as ‘youtube.com’.

This still gives you a good indication of bandwidth used, but you lose the ability to report on real site names. This becomes even more relevant when you realise that a single IP address can be used for many different purposes. For example, the Akamai content delivery network (CDN) utilized by many popular websites could serve resources for nba.com, jetstar.com and facebook.com all from the same IP.

This limitation is due to Forefront TMG itself not logging the information for SecureNAT clients. Fortunately there is a solution to this!

Logging Hostnames for SecureNAT Clients

Microsoft has published a hotfix that enables the logging of hostnames for SecureNAT clients as it does for Web Proxy clients. The hotfix involves saving the script below as a .vbs file, and running it on your Forefront TMG Server. Your Forefront TMG Server needs to be running SP1 or above.

Applying the Hotfix

Copy the script text below into Notepad and save it as EnableHotfix980723.vbs:

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "LogDomainNameForFWC"
Const SE_VPS_VALUE = true

Sub SetValue()

    ' Create the root object.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects that are needed.
    Dim array ' An FPCArray object
    Dim VendorSets ' An FPCVendorParametersSets collection
    Dim VendorSet ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the vendor parameters sets collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name

    Else
        WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
    End If

    ' Only write and save when the stored value differs from the target value.
    If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError

            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If

End Sub

' Report and clear any pending error.
Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

SetValue

On your Forefront TMG Server, double-click your new ‘EnableHotfix980723.vbs’ file to run the script.

Verifying the Hotfix

Once the script has run, open Forefront TMG’s ‘Logs and Reports’ view and run a live query. You will see that any new requests will include the host name in the URL field.

This will also reflect in TMG Reporter’s live dashboard. Keep in mind that the Dashboard shows the top sites for the past 12 hours. It may therefore take the 12-hour window to fully clear any ‘IP only’ records from the dashboard. If you want to start with a fresh dashboard showing only the new site names, just restart the Fastvue TMG Reporter service.

It is important to remember that reports on dates before the script was run will still only show the IP.
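The same check can be run offline against an exported W3C text log. The following is an added example, not part of the original post or of Microsoft's hotfix; the column names (`date`, `time`, `cs-username`, `cs-uri`) and the sample records are assumptions, so match them to the `#Fields` line of your own log.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in W3C extended format (tab-separated, "#Fields:" header).
# Column names are assumptions; take the real ones from your log's #Fields line.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: date\ttime\tc-ip\tcs-username\tcs-uri",
    "2012-12-18\t09:58:11\t10.0.0.21\tanonymous\thttp://203.0.113.10/video/1.flv",
    "2012-12-18\t09:59:40\t10.0.0.22\tanonymous\thttp://198.51.100.7/",
    "2012-12-18\t10:02:03\t10.0.0.35\tCORP\\alice\thttp://www.example.com/",
    "2012-12-18\t10:05:17\t10.0.0.21\tanonymous\thttp://video.example.net/video/2.flv",
    "2012-12-18\t10:06:02\t10.0.0.22\tanonymous\thttp://[2001:db8::1]/img.png",
])

def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def host_is_ip(url):
    """True when the URL host is an IPv4/IPv6 literal (scheme-less host:port too)."""
    try:
        host = urlsplit(url if "//" in url else "//" + url).hostname or ""
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def securenat_summary(text, user_col="cs-username", url_col="cs-uri"):
    """Count Anonymous (SecureNAT) requests by URL host type; find the cutover."""
    ip_only = named = 0
    first_named = None
    for rec in parse_w3c(text):
        url = rec.get(url_col, "-")
        # Authenticated Web Proxy clients and empty ("-") URLs are skipped.
        if rec.get(user_col, "").lower() != "anonymous" or url in ("", "-"):
            continue
        if host_is_ip(url):
            ip_only += 1  # pre-hotfix record, or a request made to an IP literal
        else:
            named += 1
            if first_named is None:
                first_named = rec.get("date", "") + " " + rec.get("time", "")
    return {"ip_only": ip_only, "named": named, "first_named": first_named}

if __name__ == "__main__":
    print(securenat_summary(SAMPLE_LOG))
```

`first_named` marks the first Anonymous record carrying a hostname; a `named` count of zero after the script has run means the setting has not taken effect for that log.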

Disabling the Hotfix

If you ever need to disable the hotfix and revert to logging only the IP, you can use the following script:

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "LogDomainNameForFWC"
Const SE_VPS_VALUE = false

Sub SetValue()

    ' Create the root object.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim array ' An FPCArray object
    Dim VendorSets ' An FPCVendorParametersSets collection
    Dim VendorSet ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the vendor parameters sets collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name

    Else
        WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
    End If

    ' Only write and save when the stored value differs from the target value.
    If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError

            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If

End Sub

' Report and clear any pending error.
Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

' Run the change (without this call the script only defines the subs and does nothing).
SetValue

The Hotfix information from Microsoft can be found at: http://support.microsoft.com/kb/980723

Please note there is a formatting error on the Microsoft page. The script is not split into the two separate ones as it is here. You also need TMG SP1 for the script to work.

If running the scripts is something that makes you uncomfortable, you can also use the LogHostname Plugin from Collective Software. It does exactly the same thing, but it comes at a small dollar price. Also note that you may need to change Forefront TMG’s logging method to W3C text logs to ensure hostnames make it into the log file when using the LogHostname product. See our support issue: Site names still not showing after setting up loghostname.

Other Resources:

The SecureNAT (SecureNET) Client Guide to the Universe (By Thomas Shinder):
http://www.isaserver.org/tutorials/SecureNAT-SecureNET-Client-Guide-Universe.html

Configuring SecureNAT Clients:
http://technet.microsoft.com/en-us/library/cc441537.aspx

About SecureNAT Clients:
http://technet.microsoft.com/en-us/library/cc995118.aspx



Etienne Liebetrau

Based in Cape Town, South Africa, he is an IT professional working in various environments building, testing and maintaining systems for a large national retail chain. An IT professional since 1996, Etienne has worked in various environments and is certified by CompTIA, Dell and Microsoft. Etienne is the technical blogger and primary technical consultant for FixMyITsystem.com, a solutions provider company based in Cape Town with a global client base.

fixmyitsystem.com

Discussion

4 Comments
  1. Great Etienne!!! Very good post! I'm learning a lot with your articles! Thank you!

  2. Hi,

    I have done the above settings and now the TMG log shows the site URL, but my dashboard shows IP addresses even after restarting services.

    • Hey Jet,

      Sorry to hear that. Assuming you’re logging to SQL Express, are you able to query your SQL Express database using something like SQL Management studio to confirm if hostnames are being written to the log or not?

      If not, I’d be interested to see if changing your logging to W3C text logs fixes the issue.

      Let us know how it goes.

      Cheers!
      Scott

    • Hey Jet,

      We finally identified and fixed the issue preventing site domains making it into the reports. We were pulling this information from the DestHost field instead of the URL field. Even with this hot fix the DestHost field only contains IPs.

      You can download the latest release at http://fastvue.co/download

      Simply run the new installer over the top of your existing installation. The installer will pick up your existing settings, so just click next throughout the wizard without making any changes. Once installed, browse to the site and clear the browser cache by hitting ctrl + F5 (cmd + R on Mac).

      Once you’re upgraded, the Dashboard will start to rebuild and you should hopefully start seeing site names instead of IPs on the Bandwidth Dashboard. Same for any new reports you run. Old reports will still have IP addresses unfortunately.

      Cheers!
      Scott
