Archive for the ‘Utilities’ Category

How to Determine TMG Version

October 11, 2010 Comments off

Recently Tarek Majdalani, one of my fellow Forefront Edge Security MVPs, published an informative article detailing several ways to determine which version of TMG is installed. One additional method you can use to determine the version of TMG you are running is by using COM. The VBScript code looks like this:

Option Explicit

Dim Root, Server

' FPC.Root is the top-level TMG administration COM object
Set Root = CreateObject("FPC.Root")
' GetContainingServer returns the FPCServer object for the local machine
Set Server = Root.GetContainingServer

' ProductVersion holds the installed TMG version and build number
WScript.Echo Server.ProductVersion

Set Server = Nothing
Set Root = Nothing

Copy the code above and save it in a file with a .vbs extension, or download the script file here.

You can execute the script from the command line using cscript.exe using the following syntax:

cscript.exe <path_to_script_file>

The output of the command includes the TMG version and build number information.

You can also double-click the script file in the GUI and a Windows message box will appear with the TMG version and build number information.
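The same FPC.Root COM object can be driven from PowerShell, which is handy when the question is not "what version is this box running" but "do all my array members run the same build". The script below is an added example, not code from the original post: it walks every array and server the object exposes, reports each server's ProductVersion, and warns when the builds differ (an unpatched array member is easy to miss otherwise). It assumes the FPCArray.Servers collection and FPCServer.ProductVersion property behave as documented in the TMG SDK; the function and parameter names are my own.

```powershell
# Added example (not from the original post): read the TMG product version
# through the same FPC.Root COM object the VBScript above uses, for every
# server in every array, and flag members whose build differs.
# Run on a TMG server, or on a machine with the TMG management tools installed.
# Assumption: FPCArray.Servers and FPCServer.ProductVersion exist as in the TMG SDK.

function Get-TmgServerVersion {
    [CmdletBinding()]
    param()

    $root = New-Object -ComObject 'FPC.Root'
    foreach ($array in $root.Arrays) {
        foreach ($server in $array.Servers) {
            [pscustomobject]@{
                Array          = $array.Name
                Server         = $server.Name
                ProductVersion = $server.ProductVersion
            }
        }
    }
}

function Test-TmgVersionConsistency {
    param([Parameter(Mandatory)][object[]]$Servers)

    # Collapse the reported versions; more than one distinct value means a mismatch.
    $distinct = @($Servers | Select-Object -ExpandProperty ProductVersion -Unique)
    if ($distinct.Count -le 1) {
        Write-Host "All $($Servers.Count) server(s) report build $($distinct -join ', ')"
        return $true
    }
    Write-Warning "Version mismatch across array members: $($distinct -join ', ')"
    return $false
}

$servers = Get-TmgServerVersion
$servers | Format-Table -AutoSize
[void](Test-TmgVersionConsistency -Servers $servers)
```

On a standalone (single-server) installation the output is one row and the consistency check trivially passes; on an array it gives you the build of every member in one place, which is the number you want next to the list of installed TMG updates.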

Changing the WebSpy Vantage Scheduled Task Recurrence Interval

July 16, 2010 1 comment

There are many third-party reporting tools available today that can aggregate log data for analysis, reporting, and event correlation. One of my favorites for Microsoft Forefront Threat Management Gateway (TMG) 2010 is WebSpy Vantage. Vantage uses its own data stores (called storage), so before you can view logged data or generate reports, you must first import data from your current TMG logging repository (SQL or text file) in to Vantage storage. Once this data has been imported you can do pretty much whatever you want with it after that.

When you create a task to automate the import of log data, you will notice that the Recurrence options are limited to None, Daily, Weekly, and Monthly.

What if you’d like to import the data more frequently than daily? You could create another daily task and schedule that to run daily at a different time, but fortunately there’s an easier way. Since WebSpy Vantage leverages the Windows Task Scheduler, we can use the schtasks.exe command line tool to alter the schedule to run more frequently.

To accomplish this, first copy the Key for the scheduled task you wish to modify.

Next, open a command prompt. The syntax for the command when using Vantage Ultimate is:

schtasks /change /tn "Vantage Ultimate […key…]" /ri <interval_in_minutes>

For example, if we want to alter the task above to run every 4 hours, the command would look like this:

schtasks /change /tn "Vantage Ultimate [87bfae7f-a476-4e4e-8f04-d801d58ca736]" /ri 240

You can verify the new task settings by entering the following command:

schtasks /query /tn "Vantage Ultimate [87bfae7f-a476-4e4e-8f04-d801d58ca736]" /v /fo list

The output will look similar to this:

With schtasks.exe, the interval range in minutes is 1-599940.
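The change-then-verify sequence above fits naturally into a small PowerShell function, shown here as an added example rather than anything shipped with Vantage or taken from the post. It rejects intervals outside the 1-599940 minute range that schtasks accepts, runs the same /change command, and then reads the task back with /query /v /fo csv so the new repetition interval can be checked programmatically instead of by eye. The task key below is the example GUID from the post, not a value from a real installation; the function name and parameters are my own, and the column names assume the headers of the verbose CSV output.

```powershell
# Added example (not from the original post): wrap the schtasks.exe calls above
# in a function that validates the interval, applies it, and reads it back.
# Assumption: the task key is the GUID shown in the Vantage scheduler; the one
# used at the bottom is the post's example value, not one from your system.

function Set-VantageTaskInterval {
    param(
        [Parameter(Mandatory)][string]$TaskKey,          # GUID from the Vantage task
        [Parameter(Mandatory)][int]$IntervalMinutes,
        [string]$Edition = 'Vantage Ultimate'
    )

    # schtasks /ri accepts 1 through 599940 minutes; fail early on anything else.
    if ($IntervalMinutes -lt 1 -or $IntervalMinutes -gt 599940) {
        throw "Interval must be between 1 and 599940 minutes (schtasks /ri limit)."
    }

    $taskName = "$Edition [$TaskKey]"

    # Apply the new repetition interval (same command as in the post).
    & schtasks.exe /change /tn $taskName /ri $IntervalMinutes | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "schtasks /change failed with exit code $LASTEXITCODE"
    }

    # Read the verbose task definition back as CSV and return the fields that matter.
    $task = & schtasks.exe /query /tn $taskName /v /fo csv | ConvertFrom-Csv
    $task | Select-Object TaskName, 'Schedule Type', 'Repeat: Every', 'Next Run Time'
}

# Every 4 hours, using the key from the post.
Set-VantageTaskInterval -TaskKey '87bfae7f-a476-4e4e-8f04-d801d58ca736' -IntervalMinutes 240
```

Because the task name contains spaces and brackets, the function passes it as a single PowerShell string; PowerShell quotes it for schtasks.exe, which is what the manual quoting in the post accomplishes. Run it from an elevated prompt, since modifying another account's scheduled task requires administrative rights.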

Creating User Mode Process Dumps in Microsoft Forefront Threat Management Gateway (TMG) 2010

May 1, 2010 Comments off

In a recent post on his blog, Yuri Diogenes shared with us how to create a manual dump of the wspsrv.exe process in TMG by using the Windows Task Manager. This is tremendously helpful in many situations, but there are scenarios that require more flexibility. For this I use procdump.exe from Sysinternals. To create a dump of a user mode process, enter the following command:

procdump <process>

For example, creating a dump of the wspsrv.exe process would look like this:

procdump wspsrv

This will immediately generate a dump file called wspsrv.dmp.

Procdump provides additional flexibility by allowing you to trigger a dump based on specific thresholds. This is extremely useful when troubleshooting intermittent high CPU utilization issues with TMG. For example, if you wanted to create a dump of the wspsrv.exe process when CPU utilization reaches 90% for more than 5 seconds, enter the following command:

procdump -c 90 -s 5 wspsrv c:\wspsrv.dmp

When CPU utilization stays at or above 90% for more than 5 seconds, a user mode process dump will be generated and saved in the file c:\wspsrv.dmp. This can be beneficial in situations where high CPU utilization prevents you from using the mouse or typing commands at the command prompt. Automating the task of capturing dumps based on triggers also frees the administrator from having to be at the console when the symptom occurs. Additional command line switches allow you to create multiple dumps, increasing your chances of collecting accurate data for troubleshooting.

Configuring Syslog on ISA and TMG with Splunk Log Management

[Updated July 26, 2011: You can also use the Splunk Universal Forwarder to deliver Microsoft ISA Server and Forefront TMG 2010 log files to a Splunk indexing server. More details here.]

In a recent article I wrote about the enhancements made to the logging infrastructure in Microsoft Forefront Threat Management Gateway (TMG) 2010. With regard to logging, one commonly requested feature for ISA and TMG is integration with syslog. Many organizations collect log data from numerous systems and network devices in their environment and aggregate that data in a central repository. This makes auditing, reporting, and event correlation with multiple systems much easier.

Although ISA and TMG do not support syslog natively, this functionality is available by using a free third-party utility. Snare Epilog for Windows is a tool that takes data from ISA and TMG log files and exports them to a syslog server such as Splunk.

Before installing Snare Epilog for Windows you will need to change the Firewall and Web Proxy logging properties to use the text file format. Be advised that when you do this, you will no longer be able to view historical log data in the ISA or TMG management console.

Configure Logging

To configure TMG for text file logging, open the management console and highlight Logs & Reports in the console tree, then select the Logging tab.

To configure ISA for text file logging, open the management console and highlight Monitoring in the console tree, then select the Logging tab.

For both ISA and TMG, click Configure Firewall Logging or Configure Web Proxy Logging in the Tasks pane.

Select the File option and choose W3C Extended Log File Format. Do the same for Web Proxy Logging.

Configure Syslog Access Rule

To allow ISA or TMG to communicate with a remote syslog server, an access rule must be created that allows syslog traffic from the Local Host to the syslog server. This will require a new custom protocol to support syslog (UDP 514) with a direction of send.

Once completed, the access rule should look like this.

Installing and Configuring Snare Epilog for Windows

Download and install Snare Epilog for Windows on the ISA or TMG firewall. For ISA or TMG arrays, install Epilog on each array member. Installation is simple and straightforward – just accept the defaults until completed.

To configure Epilog to send log data to a remote syslog server, such as a Splunk log management server, navigate to Start/All Programs/InterSect Alliance and select Epilog for Windows. On the left side, click Log Configuration.

Click Add, and then in the drop-down box, select Microsoft ISA Firewall Logs.

In the Log File or Directory field, enter the location of the firewall logs. For TMG, the default log folder is C:\Program Files\Microsoft Forefront Threat Management Gateway\Logs. For ISA, the default log folder is C:\Program Files\Microsoft ISA Server\ISALogs. In the Log Name Format: field, enter *FWS*.w3c. Click Change Configuration when finished.

To add Web Proxy log files, repeat the steps above, selecting Microsoft ISA Web Logs as the log type and specifying *WEB*.w3c for the log name format.

Note: For demonstration purposes I have used the default location for the ISA and TMG log files. Best practice, however, is to place the log files on a separate physical disk from the system partition.

Click Network Configuration.

Enter the IP address and destination port for your syslog server, and then click Change Configuration.

After completing the log and network configuration, click Apply the Latest Audit Configuration to complete the process.

To confirm that Epilog for Windows is configured correctly, click Latest Events to view the current events. Epilog will display any monitored log information.

If everything is configured correctly and working properly, you should now see ISA or TMG log data in your syslog console. If you do not see log data in your syslog console, you may need to restart the Epilog service on the ISA or TMG firewall.
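When nothing shows up in the syslog console, it helps to separate "Epilog is not sending" from "the firewall is not letting UDP 514 out". The function below is an added example, not part of the post or of the Epilog product: run on the ISA or TMG host, it sends one RFC 3164-style syslog line to the collector over UDP 514, so a matching event in Splunk proves the access rule and the network path, leaving only the Epilog configuration to check. The collector address is a placeholder; the function name and parameters are my own.

```powershell
# Added example (not from the original post): send a single RFC 3164-style
# syslog line over UDP from the firewall to the collector, to test the
# Local Host -> syslog server access rule and the network path.
# Assumptions: the collector IP below is a placeholder; the collector listens
# on UDP 514 as configured in the post.

function Send-SyslogTestMessage {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 514,
        [int]$Facility = 1,     # 1 = user-level messages
        [int]$Severity = 6,     # 6 = informational
        [string]$Tag = 'EpilogTest',
        [string]$Message = 'syslog connectivity test from TMG'
    )

    # PRI = facility * 8 + severity, per RFC 3164 section 4.1.1.
    $pri = $Facility * 8 + $Severity

    # RFC 3164 timestamp: "Mmm dd hh:mm:ss", day space-padded to two characters.
    $now = Get-Date
    $month = $now.ToString('MMM', [Globalization.CultureInfo]::InvariantCulture)
    $timestamp = '{0} {1,2} {2}' -f $month, $now.Day, $now.ToString('HH:mm:ss')

    # Note: $host is a reserved PowerShell variable, hence $hostname here.
    $hostname = $env:COMPUTERNAME
    $line = "<$pri>$timestamp $hostname ${Tag}: $Message"
    $bytes = [Text.Encoding]::ASCII.GetBytes($line)

    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        [void]$udp.Send($bytes, $bytes.Length, $Server, $Port)
    } finally {
        $udp.Close()
    }
    return $line
}

$sent = Send-SyslogTestMessage -Server '192.0.2.10'   # placeholder collector address
Write-Host "Sent: $sent"
```

UDP gives no delivery confirmation, so a successful return only means the datagram left the host. Search Splunk for the tag (EpilogTest) to confirm receipt; if the message arrives but Epilog's events do not, the problem is in the Epilog log or network configuration rather than the access rule, and if it does not arrive, check the firewall log for the syslog rule before restarting the Epilog service.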

NMap 5.21 Released

January 28, 2010 Comments off

NMap, the venerable network security scanner, has recently been updated. NMap 5.21 includes a ton of new enhancements. If you are new to NMap or would simply like to enhance your skills I would strongly encourage you to read the NMap Network Scanning book, written by the author of NMap.

Categories: Networking, Utilities

Forefront Threat Management Gateway (TMG) 2010 Best Practices Analyzer

January 21, 2010 Comments off

The Microsoft Forefront Threat Management Gateway (TMG) 2010 Best Practices Analyzer is now available. Download it today!

Sysinternals NewSID Utility Retired

November 4, 2009 Comments off

If you frequently work with virtual machines like I do, you have most likely used the Sysinternals tool NewSID to generate new machine SIDs for your cloned systems. If you’ve attempted to use NewSID on a Windows Server 2008 R2 system, you no doubt have discovered (as I did) that NewSID no longer works! As a workaround I reverted to using sysprep, anxiously awaiting an update to the utility that I have used for over ten years on an almost daily basis it seems. I was surprised when I read the news that NewSID would be retired, but this post from Mark Russinovich explains the reasoning behind retiring the tool, and also explains the myth of machine SID duplication. As it turns out, generating a new machine SID was never really necessary in the first place. Who knew!

Categories: Utilities

Performance Analysis of Logs (PAL) v2.0 Technology Preview

November 2, 2009 Comments off

The Performance Analysis of Logs (PAL) tool, developed by Microsoft Premier Field Engineer (PFE) Clint Huffman, is a very powerful free tool available on CodePlex that makes the analysis of logged performance data much simpler. The utility automates the assessment of a performance monitor counter log (in any format) and compares that information to known thresholds provided with the tool. It produces reports in HTML format and will generate alerts when thresholds are exceeded.

The current release (v1.35) is written in VBScript. The v2.0 release of PAL has been completely rewritten in PowerShell, and is now available as a very early technology preview. PAL does not require installation, but it does have some dependencies: PowerShell v1.0 or higher, Microsoft .NET Framework 3.5 SP1, and Microsoft Chart Controls for Microsoft .NET Framework 3.5.

PAL includes threshold files for most major Microsoft products, including IIS, MOSS, SQL Server, BizTalk, Exchange, and Active Directory. ISA and Forefront Threat Management Gateway support will be added in the near future.

Download Performance Analysis of Logs (PAL) v2.0 Technology Preview today!

Categories: Utilities

Wireshark v1.2.3 Now Available!

October 27, 2009 Comments off

Wireshark just announced the availability of Wireshark v1.2.3. Included in this release is version 4.1.1 of WinPcap that now works with Windows 7! Download your copy today!

Download Wireshark

Categories: General, Networking, Utilities

Windows Sysinternals Administrator’s Reference – Coming Soon!

September 17, 2009 2 comments

If you perform any sort of Windows troubleshooting at all, no doubt you have used some of Mark Russinovich’s wonderful Sysinternals Utilities Suite. If not, you are seriously missing out on some valuable diagnostic tools! I use Process Explorer and Process Monitor on an almost daily basis, as I am sure many of you do as well. Other than attending one of Mark’s or David Solomon’s TechEd presentations, training for these tools has been limited. The good news is that soon Microsoft will be releasing the Windows Sysinternals Administrator’s Reference. This book will be a definite must have for anyone serious about performing diagnostics on the Windows platform. It is available now for pre-order, so be sure and order your copy today. I did!


Categories: General, Utilities