I’ve been having a look through the reporting functionality included in Microsoft Forefront Threat Management Gateway to find that not much has changed from ISA Server 2006. There is some new information regarding the newly implemented URL categorization and threat management technology, but there is very little flexibility or customization for those with reporting requirements beyond general overviews cluttered with irrelevant information.
Here’s a quick video outlining some of the differences between TMG’s reporting and what can be achieved using WebSpy Vantage. The video does not illustrate all the limitations outlined below, so please read on.
WebSpy vs Microsoft Forefront TMG Reporting from Fastvue on Vimeo.
What is in the Forefront TMG report?
The default TMG report contains the following sections:
- Summary
- Web Usage
- Application Usage
- Traffic and Utilization
- Security
- Malware Protection
- URL Filtering
- Network Inspection System
Each section contains overviews such as ‘Top users’ and ‘Top Sites’.
If your reporting requirements can be satisfied with these overviews – that’s great! Unfortunately, when you start thinking about what system administrators and other people in your organization actually need to make informed decisions, this report is quite limiting.
The 8 Limitations of Microsoft Forefront TMG’s Reporting
Here is what I consider to be the 8 main limitations of Microsoft Forefront TMG’s reporting functionality.
1. No Drilldowns
Want to see the sites that the top 5 users accessed? Want to see the users that downloaded the most traffic from YouTube? These are fairly standard reporting requirements that simply cannot be achieved using the inbuilt TMG reporting.
WebSpy Vantage lets you either interactively drilldown into a user or site, or produce a regular report that includes further details about what your top users have actually been up to.
2. No Filtering
When you generate a report in TMG, you can only filter the report by a date range. There is no way to filter out anonymous (unauthenticated) traffic or exclude traffic coming from advertising servers (such as doubleclick and 2mdn.net) that tend to dominate most of the top 10 sites.
This can easily be achieved using WebSpy’s software. Check out my video on how to remove clutter from your web reports.
3. No Customization
Customization of each overview in the TMG report is limited to the number of items to show (e.g. top 5 or top 50 users), and the sort order (Incoming Bytes, Outgoing Bytes, Requests and Total Bytes).
What about the time a user spent browsing the web, or the number of users that visited a specific site? There is no way to add custom columns such as total browsing time, average session time, or number of users/sites/IPs to the report tables.
Or say you simply want to change your top users chart from a bar chart to a pie chart to easily see the percentage used. Nope, sorry!
If you do make one of the two available customizations in a TMG report, you then get the annoying Apply / Discard message to save changes to the configuration database.
All of these customizations can be achieved using WebSpy Vantage, and it doesn’t touch your TMG server to apply a change to a report.
4. Limited Report Distribution
When you generate a report, you get the option to email it to a specific email address. What if you would like to create a report for every department, and then email it to the managers of each department? Or better yet, host the report on a secure web server where department managers can log in and view their reports?
WebSpy Vantage Ultimate comes with a secure ‘Web Module’ specifically for this purpose and managers still receive a link to the report via email.
5. Cluttered ‘Top Sites’ List
The ‘Top sites’ list can become particularly cluttered due to the inclusion of sub-domains. I don’t want to mentally add up the size values from farm1.static.flickr.com, farm2.static.flickr.com, and farm3.static.flickr.com – I just want to know how much was downloaded from flickr.com.
This is compounded by the inability to exclude sites that are merely placing advertising banners on the actual sites users are visiting (as mentioned in the ‘No Filtering’ limitation above).
WebSpy Vantage breaks URLs down into separate components and lets you analyze each part separately. Look at the Site Domains summary to remove sub-domains and see only flickr.com. Or perhaps you want to see the keywords a user entered into search engines like Google? Or perhaps the top pages accessed within a website? No problem. Just include the Site Keywords or Site Resource summaries in your Vantage reports.
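The roll-up, filtering and drilldown described in limitations 1, 2 and 5, as an added example (not code from WebSpy, TMG or the original post): it collapses sub-domains to a site domain, drops anonymous and ad-server rows, and lists each user's top sites. The record layout, user names, byte counts and the two-entry suffix set are constructed for illustration; a real roll-up would use the full Public Suffix List.

```python
from collections import defaultdict

# Constructed sample rows (user, host, bytes); this layout is an assumption for the
# example, not the TMG log schema. An empty user means unauthenticated traffic.
SAMPLE_LOG = [
    ("CORP\\alice", "farm1.static.flickr.com", 4000),
    ("CORP\\alice", "farm2.static.flickr.com", 3000),
    ("CORP\\bob", "farm3.static.flickr.com", 2000),
    ("CORP\\bob", "ad.doubleclick.net", 9000),
    ("", "s0.2mdn.net", 8000),
    ("", "www.youtube.com", 7000),
    ("CORP\\bob", "www.youtube.com", 5000),
    ("CORP\\alice", "news.bbc.co.uk", 1000),
]
AD_DOMAINS = {"doubleclick.net", "2mdn.net"}  # ad servers named in the article
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au"}      # tiny stand-in for the Public Suffix List

def site_domain(host):
    """Collapse a hostname to its registrable domain; leave IPv4 literals alone."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) <= 2 or all(part.isdigit() for part in labels):
        return ".".join(labels)
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def filtered(records, drop_anonymous=True, drop_ads=True):
    """Yield (user, site domain, bytes), skipping anonymous and ad-server rows."""
    for user, host, size in records:
        domain = site_domain(host)
        if (drop_anonymous and not user) or (drop_ads and domain in AD_DOMAINS):
            continue
        yield user, domain, size

def _ranked(totals, n):
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def top_sites(records, n=5, **filters):
    """Top site domains by bytes, with sub-domains summed together."""
    totals = defaultdict(int)
    for _, domain, size in filtered(records, **filters):
        totals[domain] += size
    return _ranked(totals, n)

def drilldown_by_user(records, n=5, **filters):
    """For each user, the top site domains that user accessed."""
    per_user = defaultdict(lambda: defaultdict(int))
    for user, domain, size in filtered(records, **filters):
        per_user[user][domain] += size
    return {user: _ranked(sites, n) for user, sites in per_user.items()}
```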
6. No Grouping or Aliasing
There is no way to group users into departments or locations, or IP addresses into subnets, or extensions such as .html, .pdf or .exe into file types. The ability to group and represent raw log data in more meaningful ways, as offered by WebSpy Vantage, can increase the value of a report tremendously.
7. No Productivity Assessment
One of the major features introduced in TMG since ISA Server 2006 is the included URL categorization technology.
Although the TMG report gives you an overview of the categories that have been visited, the report does not use this information to display a productivity assessment for your users.
WebSpy Vantage not only provides this assessment, but also the ability to customize the categories that are deemed productive as this can vary wildly depending on the industry and organization.
8. Not browser independent
This is a minor limitation that can be a major annoyance. The report that TMG produces is an HTML report that only displays correctly in Internet Explorer. As Forefront TMG is a Microsoft product, this is not exactly surprising, but still very annoying if IE is not your default browser.
How to get awesome reports from Forefront TMG
If you have had personal experience with any of the above limitations, you’ve probably been hunting for an alternative solution. I strongly recommend checking out the WebSpy Vantage range of products, and if you would like secure report distribution via the ‘Web Module’, Vantage Ultimate is what you are after.
If you agree or disagree with anything in this article, I encourage you to leave your thoughts in the comments.
Cheers!
Scott
Scott, I think you are completely wrong in what you have written above. I purchased TMG sometime back and was a bit worried after seeing your blogpost. I opened a ticket with MS and they were able to pull all the information from SQL, whatever I asked them.
In TMG they are using SQL Server 2008 and we need to create custom queries to pull information from SQL database. It’s customizable and very informative.
It will be great if you will add this to your blog :).
Thanks,
Bandhar
Hi Bandhar,
Thanks for your comment, and I apologise it has taken me so long to respond. Yes, you’re absolutely correct in that TMG logs to SQL Server 2008, and like any database, this can be queried for relevant information as long as you have the tools and expertise (and time!) required to do so. You noted that you opened a support ticket with Microsoft and they pulled the required information for you which is a great testament to Microsoft’s support services.
Unfortunately, this method of obtaining reports is unacceptable for many of our customers as they may not have a similar support agreement and/or do not want to rely on Microsoft each time they need a report.
There is also much more that goes into our reporting solutions beyond the first step of simply querying the SQL databases.
Our customers want to have access to regular usage reports on a daily, weekly or monthly basis. They also want to distribute those reports automatically to the correct people such as department managers or network administrators. Those reports should only contain information relevant to the person receiving the report. For example, department managers receive reports containing the people in their department, or network administrators receive a traffic report for the subnets they are responsible for.
Our software also pulls information from Active Directory (or any LDAP server) to learn about the structure of your organization and the people within it. This information is used to improve the information in reports (for example, instead of displaying WEBSPY01\scottg, the report would simply say Scott Glew, or perhaps Development Department), and filter and distribute reports appropriately.
All this is wrapped in a nice user interface to make it easy for administrators to customize and configure the complete reporting process.
Combine all this with the ability to report on any device (not just Microsoft TMG), masking usernames from certain reports to protect privacy, customizable keyword based categorization of URLs, IP DNS resolution, subnet grouping, file type grouping based on extensions, and… well you get the idea.
Cheers!
Scott
Then what should be the alternative software???
Hi Haseeb,
We recommend using WebSpy Vantage to report on your Microsoft TMG log files. For more details on how to do this, see:
http://www.webspy.com/vendors/microsoft-ftmg/howto.aspx
Cheers!
Scott.
Please update your blog to reflect the updates in Service Pack 1 and the Post SP1 updates.
http://blogs.technet.com/b/forefront/archive/2010/06/07/available-now-forefront-threat-management-gateway-2010-service-pack-1.aspx
Hi Jon. Thanks for your comment!
The changes in SP1 are definitely something I’ve been meaning to write about. I haven’t had a chance to play with the user activity reporting included in SP1, but from what I understand, you need to enter the user you want to report on in the form of domain\username. The advantages of our software that I mention above still apply here, as you can simply get overviews on your ‘top n’ users, without the need of entering their logged usernames. You can also run individual user reports in our software by simply selecting the users you want to report on (displayed as FirstName LastName) rather than typing the full logged username including the ‘domain’ prefix.
This topic deserves its own blog article with a more in depth look at the features in SP1. I’ll hopefully get to this very soon. Thanks for the reminder!