tmgreporter

Reporting on Hostnames with Forefront TMG SecureNAT Clients

by

Etienne Liebetrau

Etienne Liebetrau

There are a few differences when reporting on clients configured to use Forefront TMG as a Web Proxy Client versus SecureNAT (also known as SecureNET) Clients.

No Authenticated Usernames

One of the key differences is that Forefront TMG does not log user credentials for SecureNAT clients. When defining Internet access rules in Forefront TMG for SecureNAT clients, you can only utilize the “All Users” user object, not the 'All Authenticated Users" object. As SecureNAT clients do not authenticate, all the SecureNAT Internet requests are logged as Anonymous.

TMG Reporter provides the option to exclude the Anonymous user from being imported (Settings | Import Filters). It is therefore important to understand that doing so will exclude all SecureNAT traffic from your reports.

No Site Hostnames

Another difference is that Internet requests are logged with only the destination IP address in the URL as opposed to hostname. If you look at Forefront TMG's logs and reports view, you will see something similar to this for SecureNAT traffic:

The top sites section in TMG Reporter will therefore only contain IP Addresses and not site names such as 'youtube.com'.

This still gives you a good indication of bandwidth used, but you lose the ability to report on real site names. This becomes even more relevant when you realise that a single IP address can be used for many different purposes. For example, the Akamai content delivery network (CDN) utilized by many popular websites could serve resources for nba.com, jetstar.com and facebook.com all from the same IP.

This limitation is due to Forefront TMG itself not logging the information for SecureNAT clients. Fortunately there is a solution to this!

Logging Hostnames for SecureNAT Clients

Microsoft has published a hotfix that enables the logging of hostnames for SecureNAT clients as it does for Web Proxy clients. The hotfix involves saving the script below as a .vbs file, and running it on your Forefront TMG Server. Your Forefront TMG Server needs to be running SP1 or above.

Applying the Hotfix

Copy the script text below into Notepad and save it as EnableHotfix980723.vbs:

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}" Const SE_VPS_NAME = "LogDomainNameForFWC" Const SE_VPS_VALUE = true

Sub SetValue()

' Create the root object. Dim root ' The FPCLib.FPC root object Set root = CreateObject("FPC.Root")

'Declare the other objects that are needed. Dim array ' An FPCArray object Dim VendorSets ' An FPCVendorParametersSets collection Dim VendorSet ' An FPCVendorParametersSet object

' Get references to the array object ' and the network rules collection. Set array = root.GetContainingArray Set VendorSets = array.VendorParametersSets

On Error Resume Next Set VendorSet = VendorSets.Item( SE_VPS_GUID )

If Err.Number <> 0 Then Err.Clear

' Add the item Set VendorSet = VendorSets.Add( SE_VPS_GUID ) CheckError WScript.Echo "New VendorSet added... " & VendorSet.Name

Else WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME) End If

if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

Err.Clear VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

If Err.Number <> 0 Then CheckError Else VendorSets.Save false, true CheckError

If Err.Number = 0 Then WScript.Echo "Done with " & SE_VPS_NAME & ", saved!" End If End If Else WScript.Echo "Done with " & SE_VPS_NAME & ", no change!" End If

End Sub

Sub CheckError()

If Err.Number <> 0 Then WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description Err.Clear End If

End Sub

SetValue

On your Forefront TMG Server, double-click your new 'EnableHotfix980723.vbs' file to run the script.

Verifying the Hotfix

Once the script has run, open Forefront TMG's 'Logs and Reports' view and run a live query. You will see that any new requests will include the host name in the URL field.

This will also reflect in TMG Reporter's live dashboard. Keep in mind that the Dashboard shows the top sites for the past 12 hours. It may therefore take the 12-hour window to fully clear any 'IP only' records from the dashboard. If you want to start with a fresh dashboard showing only the new site names, just restart the Fastvue TMG Reporter service.

It is important to remember that reports on dates before the script was run will still only show the IP.

Disabling the Hotfix

If you ever need to disable the hotfix and revert back to logging only the IP you can use the following script:

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}" Const SE_VPS_NAME = "LogDomainNameForFWC" Const SE_VPS_VALUE = false

Sub SetValue()

' Create the root obect. Dim root ' The FPCLib.FPC root object Set root = CreateObject("FPC.Root")

'Declare the other objects needed. Dim array ' An FPCArray object Dim VendorSets ' An FPCVendorParametersSets collection Dim VendorSet ' An FPCVendorParametersSet object

' Get references to the array object ' and the network rules collection. Set array = root.GetContainingArray Set VendorSets = array.VendorParametersSets

On Error Resume Next Set VendorSet = VendorSets.Item( SE_VPS_GUID )

If Err.Number <> 0 Then Err.Clear

' Add the item Set VendorSet = VendorSets.Add( SE_VPS_GUID ) CheckError WScript.Echo "New VendorSet added... " & VendorSet.Name

Else WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME) End If

if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

Err.Clear VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

If Err.Number <> 0 Then CheckError Else VendorSets.Save false, true CheckError

If Err.Number = 0 Then WScript.Echo "Done with " & SE_VPS_NAME & ", saved!" End If End If Else WScript.Echo "Done with " & SE_VPS_NAME & ", no change!" End If

End Sub

Sub CheckError()

If Err.Number <> 0 Then WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description Err.Clear End If

End Sub

The Hotfix information from Microsoft can be found at: https://support.microsoft.com/kb/980723

Please note there is a formatting error on the Microsoft page.  The script is not split into the two separate ones as it is here. You also need TMG SP1 for the script to work.

If running the scripts is something that makes you uncomfortable, you can also use the LogHostname Plugin from Collective Software.  It does exactly the same thing but it comes at a small dollar price. Also note that you may need to change Forefront TMG's logging method to W3C text logs to ensure hostnames make it into the log file when using the LogHostname product. See our support issue: Site names still not showing after setting up loghostname.

Other Resources:

The SecureNAT (SecureNET) Client Guide to the Universe (By Thomas Shinder): https://www.isaserver.org/tutorials/SecureNAT-SecureNET-Client-Guide-Universe.html

Configuring SecureNAT Clients: https://technet.microsoft.com/en-us/library/cc441537.aspx

About SecureNAT Clients: https://technet.microsoft.com/en-us/library/cc995118.aspx

Take Fastvue Reporter for a test drive

Download our FREE 30-day trial, or schedule a demo and we'll show you how it works.

  • Share this story
    facebook
    twitter
    linkedIn

How To Extend Forefront TMG's Web Protection Services (WPS) After November 30 2012

This article explains how to renew your Web Protection Services (WPS) Subscription for Forefront TMG as it can no longer be purchased from Microsoft.
TMG Reporter

Make The World A Better Place with Fastvue and Microsoft Reputation Services (MRS)

TMG Reporter can find sites that have not been categorized by Forefront TMG. You can then submit these sites to Microsoft Reputation Services (MRS), so everyone can benefit from your discovery!
TMG Reporter