TMG Reporter gets its information through Forefront TMG’s Web Proxy and Firewall Log files. If these logs are lacking information, some sections of TMG Reporter will be blank or simply not working. Here are six important TMG settings you should check to ensure you get the best reports.
1. Authenticate Users
If you want to know the user that is responsible for certain activity, it is essential that you authenticate your users with TMG.
TMG Reporter relies on the username field top populate all of the ‘User’ and ‘Department’ charts in the Dashboard and in Reports. If TMG is not authenticating users, this field will contain the user ‘anonymous’.
If you are authenticating users and you’re still seeing a lot of anonymous traffic, check that your Web Access ‘allow’ rules are requiring authentication. That is, instead of allow ‘All Users’, set it to ‘Authenticated Users’. For non-Web traffic, the firewall client needs to be installed on your client computers. Once authenticated, their usernames will be logged. For more information, see our knowledgebase article on why Usernames and Site names may not be displayed.
2. Enable URL Filtering
The Productivity features in TMG Reporter rely on Microsoft Forefront TMG’s URL Filtering feature which identifies the web category for any given URL such as Sport, Entertainment, Adult and so on.
When URL Filtering is enabled, the URL Category is logged along side each web site in TMG’s web proxy log files. TMG Reporter then groups these categories into Productivity groups (Unacceptable, Unproductive, Acceptable and Productive). You can configure how these URL categories are assigned in Settings | Productivity.
If TMG’s URL Filtering is not enabled, all productivity sections in TMG Reporter will be blank. TMG’s URL filtering requires an active subscription to TMG’s Web Protection Services. Without this subscription, TMG will log ‘Unknown’ in the category field for all URLs and the Productivity sections in TMG Reporter will be blank.
See our knowledgebase article on enabling TMG’s URL filtering feature for more information.
3. Enable Malware Inspection & NIS
There is a large section in TMG Reporter’s Dashboard and Reports dedicated to Malware and IPS Events. These sections rely on the information logged in TMG’s malware and Network Inspection Services (NIS) fields, which are only populated if the Malware Inspection and NIS features are enabled. The NIS feature does not require an active subscription to TMG’s Web Protection Services, but the Malware inspection feature does.
There is a great article over at ISAServer.org on how to enable TMG’s advanced web protection features.
4. Log all required fields
If there is a section in TMG Reporter that is not being populated, make sure the required log fields are enabled. A great way to ensure this is the case is by enabling all fields in TMG’s Web Proxy and Firewall Log files.
To do this:
- Open the Forefront TMG Management Console
- Go to Logs and Reports on the left hand side
- Click Configure Web Proxy Logging on the right hand side
- Click the Fields tab
- Check all checkboxes and click OK.
- Click Configure Firewall Logging, and repeat steps 4 and 5.
5. Use SQL Express or W3C Text Logging
As of right now (TMG Reporter build 188.8.131.52), TMG Reporter only supports the default SQL Express logging method, as well as W3C Text Logging method.
W3C Text logs are faster to import into TMG Reporter, but using W3C text logs comes at the expense of losing TMG’s built in reporting functionality.
If you’re un-willing to part with TMG’s built in reports (even though TMG Reporter will more than adequately cover you!), then it is fine to stay with SQL Express logging. The import speed difference is about 10,000 records per second. You can expect somewhere between 5000 to 10,000 records per second with SQL Express, and around 15,000 -20,000 records per second with W3C text logs.
Once TMG Reporter has imported all your historical TMG logs, import speed becomes less of a concern as it monitors your TMG log files in real time. In the very unlikely case that TMG is writing more than 5000 records every second, then you may want to consider switching to W3C text logs.
6. Add the Fastvue Firewall Rule
This is covered in our getting started video guide, but I thought I’d mention it here as well.
After installing the Fastvue Arbiter on your TMG Server, you need to add an Access Rule to TMG to allow access between the Arbiter and TMG Reporter. Simply put, this rule should allow port TCP port 49361 from the TMG Reporter server to Localhost (the TMG Server) for all users.
Here are the steps to add the rule. You can also watch a video on adding this rule.
- Open Forefront TMG’s Management Console
- Select Firewall Policy on the left hand side
- Click Create Access Rule on the right hand side. This launches the Access Rule wizard.
- Give the access rule the name Fastvue.
- Select Allow as the Rule Action.
- Select Selected Protocols from the drop down list and click Add…
- Click New… | Protocol on the tool bar. This launches the new Protocol Definition Wizard.
- Call the Protocol Fastvue
- On the Primary Connection Information page click New… and select:
- Protocol Type: TCP
- Direction: Outbound
- From: 49361
- To: 49361
- Click New… | Computer on the toolbar
- Enter the name TMG Reporter and enter the IP address of the TMG Reporter Server. Click OK.
- Expand the Computers folder and select the newly added TMG Reporter computer. Click Add.
That’s about it. If your TMG server is configured with the settings above, you should have no issues getting the best reports from Fastvue TMG Reporter.
If you have any questions, we’d love to hear from you!