Logging Improvements in Forefront TMG 2010

One of the areas that improved significantly in Forefront Threat Management Gateway (TMG) 2010 is logging. Sure, it doesn’t get all the attention that TMG’s advanced web protection capabilities do. Things like integrated URL filtering, virus and malicious software scanning, intrusion detection and prevention, and outbound HTTPS inspection seem to grab all the headlines when discussing TMG with network engineers and security administrators. However, veteran ISA firewall administrators probably recall how painful the logging facilities were with ISA. The default logging option, or “advanced logging” option logged to a local instance of an MSDE database. There were numerous problems with this, most significant was that if the firewall couldn’t log to the database, the firewall service would shut down and subsequently deny access to everyone. This is good from a security standpoint (if you can’t log the request, don’t allow it!), but unfortunately the MSDE database was not robust enough to handle the load in many environments and resulted in frustrating service outages. Switching to text logging would resolve the issue, but administrators had to give up the ability to view logged events in real time with the ISA management console.

Thankfully the Forefront TMG product team invested significant time and effort into improving TMG’s logging infrastructure. Forefront TMG now utilizes a local instance of SQL 2008 Express, which is much more robust than MSDE. In addition, TMG now has a local logging queue that enables the firewall to spool logged data off to disk in the event the database is offline or unavailable for any reason. The days of the firewall service shutting down because of logging issues are finally gone.

Ironically, one of the things that was sorely lacking in ISA server, and was improved only slightly in Forefront TMG 2010, is reporting. This is extremely frustrating given the fact that reporting is even more critical as Forefront TMG 2010 is widely deployed as a secure web gateway. With TMG providing granular control over user’s Internet access, TMG firewall administrators are often required to provide detailed reports about user activity. Frequently these reports are generated by department and distributed to managers for review. In addition, security administrators require the ability to interactively drill down to discover more detailed information as they are reviewing high-level reports. TMG Reporter by Fastvue addresses these shortcomings quite nicely. TMG Reporter provides an instant view in to the traffic controlled by the TMG firewall in near real time with the dashboard view. Highly detailed reports are just a few clicks away, and if they contain interesting or anomalous activity, the administrator can instantly drill down to discover additional information about the activity without the need for creating and generating a new report.

Of course administrators don’t want to have to continuously monitor access logs looking for indications of nonproductive or malicious activity. Forefront TMG includes myriad alerts, but today still lacks alerting for things like unproductive web browsing or access attempts to restricted web sites. Again, all of this is included in with TMG Reporter. Administrators can rest easy knowing that they won’t have to constantly sift through mountains of log data looking for activity that doesn’t conform to acceptable use policy. Once alerts have been configured in TMG Reporter, the administrator will be proactively notified via e-mail when users violate acceptable use policy or attempt to circumvent access controls. Alerts are granular and configurable, allowing the administrator to tailor the level of alerting and notification to their requirements.

Forefront TMG 2010 is an outstanding edge security solution. An enterprise-class firewall with advanced web protection capabilities, it will provide outstanding protection for your corporate assets when deployed as your organization’s secure web gateway. Do yourself a favor though, and complete the solution with the best enhanced reporting and alerting solution for Forefront TMG 2010 – TMG Reporter by Fastvue.