Forefront TMG reports only show IP addresses for SecureNAT
-
Tuesday, March 08, 2011 1:33 AM
Hi,
I'm aware that by default TMG will only show the IP addresses of traffic from SecureNAT clients. I have tried both the 'LogHostnames' product and a script I found here: http://support.microsoft.com/kb/980723
Both fix the site names displayed when I do a URL query, but it doesn't fix the reports, which all still just show IP addresses. I can't seem to find any information relating to this problem, as it seems that after either applying that script or installing LogHostnames it usually would fix both the URL query and the reports?
All Replies
-
Tuesday, March 08, 2011 6:30 AM
Hi,
you must configure the clients as Webproxy clients:
http://technet.microsoft.com/en-us/library/cc302624.aspx
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
- Proposed As Answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator Friday, March 11, 2011 2:17 AM
- Marked As Answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator Monday, March 14, 2011 4:53 AM
-
Tuesday, March 08, 2011 7:37 PM
I can't configure the clients as WebProxy clients due to business requirements.
I understand that was a requirement in the past, with older versions (like the article you linked), but the following articles/software seem to indicate it should be possible, as they inspect the HTTP header information.
http://www.collectivesoftware.com/Products/LogHostname
http://support.microsoft.com/kb/980723
I am seeing the correct URL showing in the Query Logs after applying those changes (where in the past it would only show the IP address); my problem is the daily reports still show IP addresses.
-
Thursday, March 10, 2011 2:35 AM
It seems strange to me that the reports would not include the modified field from the web filter. I'm going to test this and see if I can figure out what's going on.
-
Thursday, March 10, 2011 2:48 AM
I feel it is probably more an issue with the reporting.
The logs only get written out to the report database once a day (hence why you can't run reports on the current day). The values getting populated in that database are just IP addresses.
Perhaps there's a way to modify what gets put in the daily summaries?
As far as reports are concerned, it's all just set up as per default settings, logs go to a local mdf file (which I can't seem to attach in SQL), and the summaries get generated once daily to the report database.
-
Thursday, March 10, 2011 4:23 PM
No, it is not an issue with the reporting and it is not an ISA/TMG issue in any way at all. It is simply the way that NAT works. NAT works at Layers 1-3, and Layer 4 if PAT is included. It does not go high enough in the Layers to possess the host's name.
The second part of it is that SecureNAT Clients do not communicate with the ISA/TMG,...all they do is blindly drop their traffic on the wire,...the only reason ISA/TMG processes the traffic is because the LAN's Routing Scheme sends the traffic down the correct wire and it "slams" blindly into the ISA/TMG. So there is no higher level communication between the Client and the ISA/TMG taking place that would "pass" the hostname to the ISA/TMG.
There have been third party tools that attempt to do reverse lookups and report the Hostname,...but that is pretty much worthless if all the Clients are using DHCP and hence the IP# would not always be consistent.
For the Destinations you will notice that this is also always an IP#. This is because the SecureNAT Client does its own DNS Resolution independently by itself,...again it does not involve the ISA/TMG because it has no concept that the ISA/TMG even exists. So, since the outbound request has already been resolved to an IP# before it ever leaves the Client, the only thing the ISA/TMG receives in the packets is the IP#,...it never sees the Domain Name in the URL.
Again there have been third party tools that attempt to do reverse lookups and report the Destination Domain name,...but that requires that the Domain involved has pointer Records created at their Authoritative DNS Hoster, which may not always be consistent.
- Edited by Phillip Windell MVP Thursday, March 10, 2011 4:25 PM typos
- Proposed As Answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator Friday, March 11, 2011 2:17 AM
- Unproposed As Answer by Snozzle Friday, March 11, 2011 2:32 AM
-
Thursday, March 10, 2011 7:58 PM
Hi Phillip,
I understand what you're saying, but the tools in the links provided seem to hint that they will read into the HTTP header and extract the URL destination. In fact I can clearly see the full URL destination when I do a URL query in TMG, so the information is definitely available. It is just getting that information into a report that I'm having issues with.
I'm not so concerned with the user IP address/hostname, as I can just look that up against our DNS. I just need to see the top web sites listed as URL names and not IP addresses.
Again, the information is visible in the URL query view, but will not show in the reports.
-
Thursday, March 10, 2011 8:27 PM
The ISA/TMG reports are generated by the data in the ISA logs....
...and the logs record what is actually seen in the packets coming from the clients....
...and the packets coming from the clients do not contain the host name or the domain name in the URL
It is pretty much as simple as that.
The article http://support.microsoft.com/kb/980723 is referring to Firewall Clients with the Firewall Client installed,...please note the beginning of the Symptoms section of the article.
The Collective Software product is coming up with the information independently on its own by doing reverse lookups against the IP#s in the ISA logs. It is not getting the host names or domain names from the ISA/TMG itself,...even if it gets the data from the actual data stream via its Application Filter instead of the logs (which it may be),...it is still doing reverse DNS lookups against the IP# it gets from the ISA/TMG. So the ISA/TMG is never at any point aware of the Hostnames or domain names involving the SecureNAT Clients.
-
Thursday, March 10, 2011 9:40 PM
Phillip, the limitations you mention are correct, but not all third party tools operate in the way you assume.
LogHostname does not do reverse lookups on the IP; that would be dumb and error prone. We take the Host header and do an anti-spoof check on it, then change the URL field (supported in the API as pszTarget) so it contains the proper host name.
The problem the OP has is that the TMG reports take the daily site ranking from the log field "URL Destination Host Name", and there is NO API exposed to affect this column. I am still going to investigate changing this as a third party. We may just have to go a bit farther outside the box.
- Marked As Answer by Snozzle Tuesday, March 15, 2011 9:08 PM
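The Host-header approach described in the reply above, as an added Python example that is neither LogHostname's code nor TMG's API: it pulls the Host header out of a constructed SecureNAT client request, forward-resolves it through a constructed stand-in resolver (assumption: an offline table instead of real DNS), and rewrites the logged URL only when the name actually resolves to the IP the packet was sent to, falling back to the bare IP otherwise.

```python
import ipaddress
import re
from typing import Callable, Iterable, Optional

# Constructed sample of what the firewall sees from a SecureNAT client:
# the IP header carries only a destination address, the HTTP layer carries Host.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: constructed-sample\r\n"
    "\r\n"
)

# Constructed forward-DNS table (assumption: stands in for a real resolver).
FAKE_DNS = {
    "www.example.test": {"203.0.113.10", "203.0.113.11"},
    "intranet.corp.test": {"192.0.2.5"},
}

def fake_resolver(name: str) -> set:
    return FAKE_DNS.get(name.lower(), set())

HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

def extract_host_header(request: str) -> Optional[str]:
    """Return the Host header value without a port, or None if absent or malformed."""
    for line in request.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            if not host.startswith("[") and ":" in host:
                host = host.rsplit(":", 1)[0]
            return host if HOST_RE.match(host) else None
    return None

def anti_spoof_check(host: str, dest_ip: str, resolver: Callable[[str], Iterable[str]]) -> bool:
    """Accept the Host header only if it forward-resolves to the packet's destination IP."""
    try:
        target = ipaddress.ip_address(dest_ip)
    except ValueError:
        return False
    return any(ipaddress.ip_address(a) == target for a in resolver(host))

def rewrite_url_field(request: str, dest_ip: str, resolver=fake_resolver) -> str:
    """Replace the IP in the logged URL with the verified host name, else keep the IP."""
    parts = request.split("\r\n", 1)[0].split()
    path = parts[1] if len(parts) >= 2 else "/"
    host = extract_host_header(request)
    if host and anti_spoof_check(host, dest_ip, resolver):
        return f"http://{host}{path}"
    return f"http://{dest_ip}{path}"  # the packet alone only tells us the IP
```

A Host header that does not resolve to the destination address is treated as untrusted and the record keeps the IP, which is the behaviour you want in a log that feeds reports.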
-
Thursday, March 10, 2011 11:08 PM
Makes sense.
Thanks for the update on that.
-
Monday, March 18, 2013 10:29 AM
Hi All,
I am also facing issues with TMG reporting. It is showing the IP address and computer name with a $ sign in the Users field in a one-time report, whereas we have enabled authentication on the access rule. We have only proxy clients, not SNAT clients. Please advise.
- Edited by abhay_sbm Monday, March 18, 2013 10:30 AM