Solved

High internet usage, need logging software

Posted on 2010-09-02
Last Modified: 2013-11-16
Hi Guys,

I want to install the latest Microsoft Forefront Threat Management mainly for logging web traffic. We are having many data usage issues at the moment and I want it to restrict certain traffic from leaving my network from specific users.

1. Will Forefront proxy log all traffic going out of my network and report the usage?
2. What other cheaper products are there available?
Question by:ReinerWentzel
14 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33588324
It reports the usage by site and by user. It does not log duration - it can't, as it has no idea how long you have stayed on the site. For example, you could open a page at 9 AM, switch straight to another application, then return to that browser window at lunchtime. The duration would read as three hours but the reality would be a matter of seconds.

No idea about cheaper products - this is the ISA and Forefront zone.

Keith
 
LVL 2

Author Comment

by:ReinerWentzel
ID: 33588445
But will ISA log all other traffic going out, even torrents not using the browser? Or viruses?
 
LVL 4

Expert Comment

by:EshuunDara
ID: 33589863
ReinerWentzel: That depends. In many environments, users aren't allowed to reach the internet directly. In this instance, if your Forefront server was the only IP that was allowed to get to the internet, and it is configured for logging, then your answer is yes.

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33590848
Let's be clear on a couple of things. ISA will log all traffic - it has to in order to meet the EAL4+ accreditation requirements. However, there are caveats. For example, an SSL connection between a client and an external server. ISA will log the fact that an SSL session has been created but it obviously cannot then identify what traffic has gone across that link session as it is encrypted within the SSL tunnel. Forefront TMG IS able to break out that traffic as it has a new function called HTTPS inspection (although this has legal implications if used that need to be carefully thought through).

ISA logs traffic based on source and destination and by protocol. If you have used an authentication method for users (as opposed to the All Users option) then it will report the credentials of the user who used the traffic as opposed to just reporting the IP address of the client.

You can purchase GFI WebMonitor to install over the top of ISA if you want really in-depth reporting. Not that cheap but is certainly the best ISA reporting tool I have found.

Bandwidth Splitter is the additional product if you really want to get 'down and dirty' and start controlling by bandwidth quotas and the like.

Keith
 
LVL 2

Author Comment

by:ReinerWentzel
ID: 33599183
Thx for the advice. I have a trial of ISA 2004 that I would like to try. My plan is this: (please note the network is a mess at the moment and no structure - company does not have money at the mom for proper infrastructure - I just want to solve the data issues first) we have Windows 2000 Server (I know, very old lol) used as a file server only (no DHCP). I want to install ISA 2004 in cache mode only and then redirect all internet options under proxy to the ISA server. Will this work, and does this mean the ISA is the only server allowed out of the network? Sorry, I am still new to ISA.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33599227
No, it just means that internal clients and servers make a session between themselves and ISA, and ISA uses its IP address as the source when heading out to the next hop, which is likely your firewall/external router.
 
LVL 2

Author Comment

by:ReinerWentzel
ID: 33606439
Hi Keith, I will respond to that question shortly and award points. Sorry, just been very busy :-) OK, so let's say I install 2 network cards in my Server 2000 box with one going to my internal network and the other to my external ADSL modem and install ISA 2004 on the Windows 2000 box. I then enable DHCP on my 2000 box so that clients use the internal card's IP as the gateway. And then enable the proxy in the internet options of each client. Will all traffic in and out be logged so I can trace where my internet cap is going? I don't care about detailed reports, all I want is source, destination, protocol and usage?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33606453
OK - ISA 2004 will give you source/destination/protocol, no issue. Bear in mind that if you want source by username you need to ensure users are authenticated. Using an All Users criteria in a rule will result in source logging by IP address, not user name.

Usage will be reported by traffic passing through the interfaces, not by time spent on a site as that is pretty much impossible for ISA. It has no knowledge of whether a person spends 50 minutes reading a web page or 10 seconds reading it (as no other traffic passes through its interfaces).

Keith
 
LVL 2

Author Comment

by:ReinerWentzel
ID: 33606522
Thx for the response. Just to finalise everything. I will need two network cards for my setup? One for external and one for internal? I will need to point all clients to my ISA as their gateway? How will I restrict only the ISA to have access to the external network?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33606662
I don't understand your final point. What do you mean restrict access to the ISA? Why would you want to do that?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33606667
Yes for the network cards though and the gateway.
 
LVL 2

Author Comment

by:ReinerWentzel
ID: 33606731
What I mean is: allow only my ISA to have internet access. So this forces all clients to have the ISA as their gateway and this is the only way they can have internet access? This forces all traffic to go through the ISA server. I don't want a client or traffic not going through ISA as this will obviously then not be logged by ISA.
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 33606814
OK - I think I get your drift.

Think about protocols as opposed to ports.
Create a new protocol on the ISA 2004 server (or any version over ISA 2000 really) - call it 'transparent http' or 'pure-tcp80' or something similar. This is an outbound tcp port 80 to port 80, no secondaries.

Create a new access rule and place it above your normal outbound http/https rule along the following lines:

Rule name: Block tcp port 80
Action: Deny
Protocol: transparent http (or whatever you called it)
From: Internal
To: External
Users: All users

This will block tcp port 80 traffic and effectively cover ANY internal device that tries to get to an external web server directly, as opposed to the same access that is operating with the web proxy settings in place. Remember this will affect ANY device so you may need to put other rules above for appliances etc. that cannot operate with a proxy. Down to you to work out the right sequencing/order etc. but you will get the point.

Anyway, if the ISA is the default gateway, the traffic would have to go through ISA anyway but the above is good best-practice.

Keith

Make sure you close any existing open browsers on the PC before testing on a client. A browser only looks at the proxy the first time the browser is opened on a session.
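
An added example, not part of the original thread and not ISA's own tooling: one way to total bytes per source, destination and protocol from a proxy log exported in W3C extended format, falling back to the client IP when no user was authenticated, as the answers above describe. The field names, the "anonymous" marker and the sample records are constructed assumptions; take the real names from the `#Fields:` line of your own log.

```python
from collections import defaultdict

# Constructed sample in W3C extended layout (tab-separated, "#Fields:" header).
# Field names are assumptions; use the ones your own log's #Fields line lists.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tcs-username\tcs-protocol\tr-host\tcs-bytes\tsc-bytes",
    "192.168.1.20\tanonymous\thttp\tupdates.example.com\t512\t48000000",
    "192.168.1.20\tanonymous\thttp\tupdates.example.com\t600\t52000000",
    "192.168.1.31\tCORP\\alice\thttps\tmail.example.net\t20000\t300000",
    "192.168.1.31\tCORP\\alice\thttps\tmail.example.net\t400\t-",
    "192.168.1.45\tanonymous\thttp\tcdn.example.org\t1000\t9000000",
    "192.168.1.45\tanonymous\thttp",  # truncated record, must be skipped
])

def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no records
        elif fields:
            values = line.split("\t")
            if len(values) == len(fields):  # drop truncated or padded rows
                yield dict(zip(fields, values))

def to_int(value):
    """Byte counters may be '-' when nothing was recorded."""
    return int(value) if value.isdigit() else 0

def usage_by_source(records):
    """Sum request + response bytes per (source, destination, protocol)."""
    totals = defaultdict(int)
    for rec in records:
        user = rec.get("cs-username", "-")
        # Without authentication only the client IP identifies the source.
        source = rec.get("c-ip", "-") if user in ("", "-", "anonymous") else user
        key = (source, rec.get("r-host", "-"), rec.get("cs-protocol", "-"))
        totals[key] += to_int(rec.get("cs-bytes", "")) + to_int(rec.get("sc-bytes", ""))
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)

def top_talkers(text, n=3):
    """Return the n largest (source, destination, protocol) totals."""
    return usage_by_source(parse_w3c(text))[:n]

if __name__ == "__main__":
    for (src, dst, proto), total in top_talkers(SAMPLE_LOG):
        print(f"{total:>12} bytes  {src:<16} {proto:<6} {dst}")
```
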