by
Scott Glew
TMG Reporter gets its information from Forefront TMG's Web Proxy and Firewall Log files. If these logs are lacking information, some sections of TMG Reporter will be blank or simply will not work. Here are six important TMG settings you should check to ensure you get the best reports.
If you want to know the user that is responsible for certain activity, it is essential that you authenticate your users with TMG.
TMG Reporter relies on the username field to populate all of the 'User' and 'Department' charts in the Dashboard and in Reports. If TMG is not authenticating users, this field will contain the user 'anonymous'.
If you are authenticating users and you're still seeing a lot of anonymous traffic, check that your Web Access 'allow' rules require authentication. That is, instead of allowing 'All Users', set the rule to 'Authenticated Users'. For non-Web traffic, the firewall client needs to be installed on your client computers. Once users are authenticated, their usernames will be logged. For more information, see our knowledgebase article on why Usernames and Site names may not be displayed.
The Productivity features in TMG Reporter rely on Microsoft Forefront TMG's URL Filtering feature which identifies the web category for any given URL such as Sport, Entertainment, Adult and so on.
When URL Filtering is enabled, the URL Category is logged alongside each web site in TMG's web proxy log files. TMG Reporter then groups these categories into Productivity groups (Unacceptable, Unproductive, Acceptable and Productive). You can configure how these URL categories are assigned in Settings | Productivity.
TMG Reporter showing the top URL Filtering Web Categories
If TMG's URL Filtering is not enabled, all productivity sections in TMG Reporter will be blank. TMG's URL filtering requires an active subscription to TMG's Web Protection Services. Without this subscription, TMG will log 'Unknown' in the category field for all URLs and the Productivity sections in TMG Reporter will be blank.
See our knowledgebase article on enabling TMG's URL filtering feature for more information.
There is a large section in TMG Reporter's Dashboard and Reports dedicated to Malware and IPS Events. These sections rely on the information logged in TMG's malware and Network Inspection Services (NIS) fields, which are only populated if the Malware Inspection and NIS features are enabled. The NIS feature does not require an active subscription to TMG's Web Protection Services, but the Malware inspection feature does.
There is a great article over at ISAServer.org on how to enable TMG's advanced web protection features.
If there is a section in TMG Reporter that is not being populated, make sure the required log fields are enabled. A great way to ensure this is the case is by enabling all fields in TMG's Web Proxy and Firewall Log files.
To do this:
TMG Field Selection - Select All
As of right now (TMG Reporter build 2.0.1.6), TMG Reporter only supports the default SQL Express logging method and the W3C Text Logging method.
TMG Reporter's Supported Logging Methods
W3C Text logs are faster to import into TMG Reporter, but using W3C text logs comes at the expense of losing TMG's built-in reporting functionality.
If you're unwilling to part with TMG's built-in reports (even though TMG Reporter will more than adequately cover you!), then it is fine to stay with SQL Express logging. The import speed difference is about 10,000 records per second. You can expect somewhere between 5,000 and 10,000 records per second with SQL Express, and around 15,000 to 20,000 records per second with W3C text logs.
Once TMG Reporter has imported all your historical TMG logs, import speed becomes less of a concern as it monitors your TMG log files in real time. In the very unlikely case that TMG is writing more than 5000 records every second, then you may want to consider switching to W3C text logs.
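As an added example (not part of TMG Reporter or the original article), the following Python sketch audits a W3C text log for the gaps described above: requests logged as 'anonymous', URLs categorised as 'Unknown', and required fields absent from the `#Fields` directive. The field names `cs-username` and `UrlCategory` and the sample records are assumptions; take the real names from the `#Fields` line of your own logs.

```python
from collections import Counter

# Constructed sample in W3C extended log layout (tab-separated, '#' directives).
# The field names cs-username and UrlCategory are assumptions; check them
# against the #Fields line of your own log files.
SAMPLE_LOG = [
    "#Software: constructed sample",
    "#Fields: c-ip\tcs-username\tcs-uri\tUrlCategory",
    "10.0.0.5\tanonymous\thttp://example.com/\tUnknown",
    "10.0.0.6\tCORP\\alice\thttp://example.org/news\tNews",
    "10.0.0.5\tanonymous\thttp://example.net/a\tSport",
    "10.0.0.7\tCORP\\bob\thttp://example.com/b\tUnknown",
]


def audit_w3c_log(lines, user_field="cs-username",
                  category_field="UrlCategory", required_fields=()):
    """Count records that would leave user or productivity reports empty."""
    fields, seen_header = [], False
    missing = set()
    stats = Counter(records=0, anonymous=0, unknown_category=0)
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.lower().startswith("#fields:"):
            # The directive can reappear mid-file if the field selection changes.
            fields = line.split(":", 1)[1].split()
            missing |= set(required_fields) - set(fields)
            seen_header = True
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split("\t")))
        stats["records"] += 1
        if row.get(user_field, "").strip().lower() == "anonymous":
            stats["anonymous"] += 1
        if row.get(category_field, "").strip().lower() == "unknown":
            stats["unknown_category"] += 1
    if not seen_header:
        # Without a #Fields directive nothing can be mapped to a column.
        missing = set(required_fields)
    result = dict(stats)
    result["missing_fields"] = sorted(missing)
    return result


if __name__ == "__main__":
    print(audit_w3c_log(SAMPLE_LOG,
                        required_fields=("cs-username", "UrlCategory")))
```

To audit a real log, pass an open file object as `lines`. A high share of `anonymous` or `unknown_category` records points back to the authentication and URL Filtering settings above.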
This is covered in our getting started video guide, but I thought I'd mention it here as well.
After installing the Fastvue Arbiter on your TMG Server, you need to add an Access Rule to TMG to allow access between the Arbiter and TMG Reporter. Simply put, this rule should allow TCP port 49361 from the TMG Reporter server to Localhost (the TMG Server) for all users.
Here are the steps to add the rule. You can also watch a video on adding this rule.
Open Forefront TMG's Management Console
Select Firewall Policy on the left hand side
Click Create Access Rule on the right hand side. This launches the Access Rule wizard.
Give the access rule the name Fastvue.
Select Allow as the Rule Action.
Select Selected Protocols from the drop down list and click Add...
Click New... | Protocol on the tool bar. This launches the new Protocol Definition Wizard.
Call the Protocol Fastvue
On the Primary Connection Information page click New... and select:
Click OK and click Next.
Select No for Use secondary connections
Click Finish to add the protocol
Expand the User-Defined folder, select the new Fastvue protocol and click Add.
Back on the Access Rule Wizard, click Next.
On the Access Rule Sources page click Add...
Click New... | Computer on the toolbar
Enter the name TMG Reporter and enter the IP address of the TMG Reporter Server. Click OK.
Expand the Computers folder and select the newly added TMG Reporter computer. Click Add.
Back on the Access Rule Wizard, click Next.
On the Access Rule Destinations wizard, click Add...
Expand the Networks folder and select Localhost then click Add.
Back on the Access Rule Wizard, click Next.
On the User Sets page, leave 'All Users' in the list and click Next.
Click Finish to add the rule.
That's about it. If your TMG server is configured with the settings above, you should have no issues getting the best reports from Fastvue TMG Reporter.
If you have any questions, we'd love to hear from you!