As I outlined in a previous blog post, the native reporting tools included with Forefront TMG 2010 are quite limited. In addition to the shortcomings I mentioned previously, deployments of Forefront TMG 2010 Enterprise Edition face some unique challenges when it comes to reporting.
Many large organizations have multiple ingress and egress points that Forefront TMG 2010 is deployed to protect, and at each location there may be multiple TMG firewalls configured as a clustered array to provide redundancy and high availability. To provide centralized management, an Enterprise Management Server (EMS) can be configured to manage all of the arrays in the organization, regardless of their physical location. Surprisingly, centralized management does not include centralized reporting! Reporting in Forefront TMG Enterprise Edition is provided on a per-array basis, preventing administrators from producing aggregate reports for all user activity throughout the enterprise. To illustrate this point, consider a scenario in which a security administrator needs to identify all of the users in the organization who visited a particular web site in the last 24 hours, regardless of which array handled the request. In this case, the administrator has to generate reports for each individual array in the enterprise and review those reports separately, making the investigation much more difficult and time-consuming.
Another severe limitation of reporting in Forefront TMG 2010 is the timeliness of the information available for reports. Reports in Forefront TMG 2010 are generated from summarized data, not from the raw data contained in the firewall and web proxy logs, which limits what a report can include. Each day the Forefront TMG firewall summarizes data from the log files, and that summarized data is used as the basis for reporting. Since this log summarization process runs only once daily, information in native TMG reports is inherently stale. Depending on when the report is generated, the information included in it could be as much as one day old. Obviously this is not an ideal situation. For example, if a department head suspects that one of their employees is uploading sensitive data to a file sharing web site and asks the security administrator to provide a web browsing report for that individual immediately, the report will not include any requests that occurred during the current day. The department head would have to wait until the following day for a report that includes this information.
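The two scenarios above (the cross-array "who visited this site in the last 24 hours?" question, and the current-day requests that a once-daily summary cannot show) can be made concrete with a small script. The following is an added example, not code from Forefront TMG, Fastvue or this post: it pools raw web proxy log lines from two arrays, answers the 24-hour question against the raw lines, and then answers it again against a view that models the daily summarization cut-off. The log field layout, array names, users, hosts and timestamps are all constructed for the example (a real TMG W3C log carries more fields), and timestamps are assumed to be UTC.

```python
"""Cross-array lookup over raw web proxy log lines (constructed example)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterator, List

# Constructed, simplified field layout resembling a W3C web proxy log.
# The field names are assumptions for this example, not TMG's exact schema.
FIELDS = ["date", "time", "c-ip", "cs-username", "r-host", "cs-uri", "sc-status"]

# Constructed sample lines, keyed by the array whose firewalls wrote them.
SAMPLE_LOGS: Dict[str, List[str]] = {
    "array-nyc": [
        "2011-03-14 14:12:01 10.1.1.20 CONTOSO\\alice files.example.com http://files.example.com/upload 200",
        "2011-03-14 23:58:40 10.1.1.21 CONTOSO\\bob news.example.org http://news.example.org/ 200",
    ],
    "array-lon": [
        "2011-03-15 07:45:13 10.2.2.30 CONTOSO\\carol files.example.com http://files.example.com/upload 200",
        "2011-03-13 07:45:13 10.2.2.31 CONTOSO\\dave files.example.com http://files.example.com/ 200",
    ],
}

# Constructed reference points: the moment the report is requested, and the
# time the most recent once-daily log summarization ran.
NOW = datetime(2011, 3, 15, 12, 0, tzinfo=timezone.utc)
LAST_SUMMARY_RUN = datetime(2011, 3, 15, 0, 0, tzinfo=timezone.utc)


def parse_line(line: str) -> Dict[str, str]:
    """Split one space-delimited log line into a dict keyed by FIELDS."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def entry_time(entry: Dict[str, str]) -> datetime:
    """Combine the date and time fields into an aware timestamp (assumed UTC)."""
    return datetime.strptime(f"{entry['date']} {entry['time']}", "%Y-%m-%d %H:%M:%S").replace(
        tzinfo=timezone.utc
    )


def iter_entries(logs_by_array: Dict[str, List[str]]) -> Iterator[dict]:
    """Yield parsed entries from every array, tagging each with its source array."""
    for array, lines in logs_by_array.items():
        for line in lines:
            entry: dict = parse_line(line)
            entry["array"] = array
            entry["ts"] = entry_time(entry)
            yield entry


def users_visiting(
    logs_by_array: Dict[str, List[str]],
    host: str,
    now: datetime,
    window: timedelta = timedelta(hours=24),
) -> Dict[str, List[str]]:
    """Return {username: [arrays]} for users who requested `host` within `window` before `now`."""
    since = now - window
    hits: Dict[str, set] = {}
    for e in iter_entries(logs_by_array):
        if e["r-host"].lower() != host.lower():
            continue
        if not (since <= e["ts"] <= now):
            continue
        hits.setdefault(e["cs-username"], set()).add(e["array"])
    return {user: sorted(arrays) for user, arrays in sorted(hits.items())}


def summarized_view(
    logs_by_array: Dict[str, List[str]], last_summary_run: datetime
) -> Dict[str, List[str]]:
    """Model once-daily summarization: only lines written before the last run are visible."""
    return {
        array: [line for line in lines if entry_time(parse_line(line)) < last_summary_run]
        for array, lines in logs_by_array.items()
    }


if __name__ == "__main__":
    host = "files.example.com"
    print("raw logs, all arrays:", users_visiting(SAMPLE_LOGS, host, NOW))
    print("daily summary only:", users_visiting(summarized_view(SAMPLE_LOGS, LAST_SUMMARY_RUN), host, NOW))
```

Run against the raw lines, the query reports both alice (from array-nyc) and carol (from array-lon), which is the answer a single per-array report cannot give. Run against the summarized view, carol's request disappears because it was logged after the last summarization run, which is exactly the current-day gap described above.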
TMG Reporter by Fastvue addresses all of these concerns. TMG Reporter can collect log data from multiple Forefront TMG firewalls simultaneously. It queries the “Arbiter”, an agent that is installed on each Forefront TMG firewall in the organization, which lets the central report server collect and aggregate log data from every array member in the enterprise. TMG Reporter therefore functions as a true centralized reporting tool, able to generate reports on user activity across the entire organization. In addition, TMG Reporter queries the Arbiter every five seconds by default, ensuring that generated reports contain the most up-to-date information.
Forefront TMG 2010 Enterprise Edition provides medium- and large-sized organizations with a powerful security infrastructure that can be managed easily and efficiently from a central management console. Adding TMG Reporter significantly enhances an already compelling solution by providing functionality not available in the native Forefront TMG reporting tools. Take a look at TMG Reporter by Fastvue today and I’m confident you’ll be impressed with the enhanced visibility it provides. You’ll wonder how you ever survived without it!