Archive

Posts Tagged ‘logging’

Disable SSL 3.0 and TLS 1.0 on Forefront TMG and UAG 2010

December 27, 2016 Comments off

When performing SSL and TLS hardening on Microsoft Forefront Threat Management Gateway (TMG) 2010 or Forefront Unified Access Gateway (UAG) 2010 servers, disabling SSL 3.0 and TLS 1.0 is often required to meet regulatory and compliance guidelines for security. However, disabling SSL 3.0 and TLS 1.0 causes the SQL Server (ISARS) and SQL Server Express services to fail on start up.

Disable SSL 3.0 and TLS 1.0 on Forefront TMG and UAG 2010

Switching from SQL logging to text file logging can be employed as a workaround. However, when using text file logging, generating historical reports in the TMG management console is no longer supported.

Disable SSL 3.0 and TLS 1.0 on Forefront TMG and UAG 2010

To restore full functionality for SQL logging and reporting when SSL 3.0 and TLS 1.0 are both disabled, an update to the local security policy of the server is required. Open the Local Security Policy editor by clicking on the Start button and navigating to Administrative Tools and Local Security Policy. Expand Local Policies and click on Security Options. Double-click on System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. Click Enabled and then click OK.

Disable SSL 3.0 and TLS 1.0 on Forefront TMG and UAG 2010

Restart the computer for the changes to take effect. Once complete, all SQL services should start and run without issue.

Disable SSL 3.0 and TLS 1.0 on Forefront TMG and UAG 2010


Note: If Remote Desktop Services (RDS) is used to manage the Forefront TMG firewall it will be necessary to install update KB3080079.


 

Fastvue TMG Reporter 3.0 Beta Now Available

March 4, 2015 Comments off

Fastvue TMG Reporter Advanced Reporting Solution for Microsoft Forefront TMG 2010I’m a huge fan of the Fastvue TMG Reporter advanced reporting solution. If you’ve spent any time at all with the native Forefront TMG 2010 reporting tools, you know they are, as my British friends say, “rubbish”. While it is possible to configure Forefront TMG 2010 to log to an external SQL server and create your own reports, a better alternative is to use Fastvue TMG Reporter. They’ve already done all the hard work for you! Also, TMG Reporter from Fastvue works with TMG when configured to use an external SQL server, so you get the best of both worlds!

Recently the fine folks at Fastvue announced a sneak peak at their latest update to TMG Reporter in v3.0 Beta. This latest release includes a bunch of great new features, including the following:

  • Site Clean – This provides a way to clean up a lot of noise from your activity reports by consolidating related requests (e.g. analytics and CDN requests).
  • Private Report Sharing – Create a report for an individual or group and prevent them from accessing any other report data.
  • AD Security Group Filtering – A must have for searching activity reports!
  • Export to CSV for Reports and Report Tables – Great feature for detailed, granular data analysis offline.
  • Filter by Firewall Server Name or IP Address – This is essential for enterprise customers managing multiple TMG firewalls across the organization.

The latest release also includes Gantt Bars for Activity Reports, changes to the Productivity Dashboard, inclusion of search terms in User Overview reports, an updated Alerts interface, and improved data visibility. In addition, v3.0 includes memory usage improvements and the usual bug fixes and miscellaneous minor improvements.

Be sure to download Fastvue TMG Report v3.0 Beta today!

Fastvue TMG Reporter v2.1 Now Available

April 10, 2013 1 comment

Today Fastvue announced the general availability of TMG Reporter v2.1, the latest release of their advanced reporting and alerting platform built specifically for Forefront TMG 2010. I’ve been working with some of the early release builds and although this is technically considered a minor release, this latest update includes some important new features that make this a worthwhile and compelling upgrade. Here are some of the great new features included with TMG Reporter v2.1:

Activity Reports – Easily the single most important feature included in Fastvue TMG Reporter v2.1 is the addition of detailed activity reports. Prior to v2.1 only overview reports were available. You can now create extremely granular reports on user, site, category, or application activity that include timestamps, full URLs, browse time, category, and disposition (allowed or denied).

Scheduled Custom Reports – Another excellent new feature in Fastvue TMG Reporter v2.1 allows the administrator to create custom reports using the new filtering interface and schedule them for automated delivery to recipients.

Comprehensive Filtering – Fastvue TMG Reporter v2.1 includes a powerful new filtering facility that allows security administrator to dig deep in to the logging data to find the pertinent information they desire. The new enhanced filtering feature is available for use on all reports.

Drilldown Reporting – Another feature that has been greatly improved in the v2.1 release is drilldown reporting. Previously executing a drilldown report resulted in the creation of a completely new and separate report. With v2.1, the new drilldown report now respects the initial filter settings, allowing the administrator to see detailed information as necessary while maintaining the context that the original report was created within.

SQL Server integration – This is one of my favorite (and most requested!) new features. TMG Reporter v2.1 now includes native support for SQL server logging. There are many compelling reasons to configure the Forefront TMG 2010 firewall to log to an external SQL server, and now TMG Reporter can connect directly to your TMG firewall’s configured SQL server to collect report data.

Full support for Windows 8 and Server 2012 – You can now install TMG Reporter on Windows 8 and Windows Server 2012! This is great news as many organizations are beginning to deploy Windows 2012 server and Windows 8 desktops. The TMG Reporter installer now detects which server platform you are installing on and installs the necessary prerequisites automatically. The TMG Reporter web interface is also fully supported on Windows 8 with Internet Explorer 10 (modern and desktop).

Since its initial release a few years ago, Fastvue TMG Reporter has continued to add features and functionality. If you’re running an older version, or if you haven’t yet made the switch to TMG Reporter, the new capabilities in TMG Reporter v2.1 may finally compel you to take the leap and implement or upgrade to TMG Reporter v2.1 for your Forefront TMG monitoring, alerting, and report needs. Download a free, fully functional evaluation copy of Fastvue TMG Reporter v2.1 today. You’ll be glad you did, trust me!

Advanced alerting and reporting with TMG Reporter by Fastvue

Identifying and Reducing Anonymous Traffic Allowed by Forefront TMG 2010

March 4, 2013 Comments off

My recent blog post about altering the SafeSearch enforcement rule in Forefront TMG 2010 to require authentication has sparked some discussion on Twitter and Facebook regarding unauthenticated, anonymous access, particularly to resources located on the public Internet. In a perfect world (ok, my perfect world!), all access to and through the TMG firewall would be fully authenticated. Unfortunately, for a variety of reasons, this isn’t achievable. To start, authenticating all traffic to and through the TMG firewall would necessitate that all clients be configured as explicit web proxy clients. In addition, if non web-based protocols are allowed by firewall policy the Firewall Client would need to be distributed to all clients. While this is ideal if we’re designing a solution on paper, in the real world many administrators don’t have the luxury of forcing proxy configuration or installing the Firewall Client on all their systems. For example, some systems may not be under the administrator’s control or they may be required to support non web-based protocols on platforms other than Windows, for which the Firewall Client is not supported. Also, as veteran ISA and TMG firewall administrators know all too well, there are some applications that simply don’t play nice with an authenticating proxy, even with the Firewall Client installed. Applications that don’t leverage Winsock for network communication or that use IP-based protocols such as ICMP or GRE also prevent us from realizing our goal of authenticating all network traffic through TMG. Windows Update traffic also poses challenges for authenticating all TMG traffic, as the Windows Update service often makes requests to the Internet for updates in the background and perhaps even if there is no interactive user logged on.

Just because out of necessity some traffic has to be allowed through the TMG firewall anonymously doesn’t mean that undertaking an effort to reduce unauthenticated traffic isn’t a worthwhile project. If you’re interested in doing something like this, have a look at the Fastvue blog and read Scott Glew’s excellent article detailing how to use TMG Reporter to identify and reduce unauthenticated traffic on the Forefront TMG 2010 firewall. Not using TMG Reporter? You’re missing out! Download a free evaluation here!

Disable Logging on System Policy Rules in Forefront TMG 2010

July 5, 2012 Comments off

I’ve written a number of articles on improving system performance and logging optimization over the years. As I’ve mentioned previously, this involves the security administrator reviewing each access rule and deciding if the traffic is interesting enough to require logging. If it is not, to improve performance and reduce log pollution it is advisable to disable logging for the access rule in question.

However, when attempting to make this change to a system policy rule you will encounter the following error:

The changes cannot be saved.

Error: 0xc0040334

This property cannot be modified for the predefined item.

The error occurred on object <policy rule name> of class
‘Policy Rule’ in the scope of array .

Unfortunately the system policy editor provides no facility to make this change in the GUI. To work around this limitation you can use COM to disable logging on system policy rules programmatically using the following script. In this example I’ve chosen to disable logging on the Allow intra-array communication system policy rule.

Option Explicit

Dim Root, Array, Rule

Set Root = CreateObject("FPC.Root")

Set Array = Root.GetContainingArray()
Set Rule = Array.SystemPolicy.PolicyRules.Item("Allow intra-array communication")

Rule.EnableLogging = False
Rule.Save

WScript.Echo “Done!”

Set Rule = Nothing
Set Array = Nothing
Set Root = Nothing

Note: To see this change reflected in the management console, hit F5 to refresh or close and reopen the console.

If you wish to disable logging for all system policy rules, alter the script to use a For Each Next construct as follows:

Set Rules = Array.SystemPolicy.PolicyRules

For Each Rule in Rules
Rule.EnableLogging = False
Next

Forefront TMG 2010 Guest Blogging for Fastvue

Recently I was given the opportunity to write some guest blog posts about Forefront TMG 2010 for Fastvue. Fastvue develops TMG Reporter, an excellent real-time dashboard, alerting, and reporting tool that integrates with Forefront TMG 2010. Be sure to check out these new articles that have been posted:

Logging Improvements in Forefront TMG 2010
Enterprise Reporting Challenges with Forefront TMG 2010
Tips for Healthy Logging and Reporting in Forefront TMG 2010
Forefront TMG 2010 Enterprise Logging with Remote SQL Server

TMG Reporter is a significant upgrade from the native reporting tools included with Forefront TMG 2010. Download a free evaluation of their software today and give it a try. You won’t be disappointed!

Advanced alerting and reporting with TMG Reporter by Fastvue

Fastvue Enhanced Reporting for Forefront TMG 2010

Recently I had the pleasure of reviewing the Fastvue Dashboard product for Forefront TMG 2010 at ISAserver.org. Fastvue is a real-time dashboard that integrates with Forefront TMG to provide a nearly instantaneous view of traffic being controlled by your TMG firewall. Although the real-time dashboard is a nice feature, if you’ve spent any time at all with Forefront TMG 2010’s native reporting tools you know that TMG is severely lacking in this area. A major limitation of Forefront TMG 2010’s in-box reporting is that the reports are generated using summarized data. Data summarization occurs only once daily, so reports can be lacking essential information if you are looking for recent activity. In addition, the native reports are static and one-dimensional. If a report reveals something interesting that you want to know more about, creating and generating a new report is required.

Thankfully the good folks at Fastvue recognized these shortcomings and have addressed many of these issues with their latest release. Fastvue v2.0 now includes full historical reporting capabilities, with detailed company overview and user investigation reports that can be shared via e-mail. Reports can also be scheduled to run automatically. The reports are highly interactive, allowing the administrator to dynamically drill down to generate more granular reports in an instant.

Fastvue for Forefront TMG 2010

The current version of Fastvue is priced at $395.00 per TMG firewall. The newest version will be priced at $795.00 per server. However, for a limited time, readers of my blog can purchase Fastvue v1.0 for the current price and receive a free upgrade to v2.0 when it is released. Click here to download a trial of the software and to take advantage of this offer!

Fastvue for Forefront TMG 2010