Solved

High internet usage, need logging software

Posted on 2010-09-02
Last Modified: 2013-11-16
Hi Guys,

I want to install the latest Microsoft Forefront Threat Management mainly for logging web traffic. We are having many data usage issues at the moment and I want it to restrict certain traffic from leaving my network from specific users.

1. Will Forefront proxy log all traffic going out of my network and report the usage?
2. What other cheaper products are there available?
Question by:Reinert Wentzel
14 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33588324
It reports the usage by site and by user. It does not log duration - it can't, as it has no idea how long you have stayed on the site. For example, you could open a page at 9 AM, switch straight to another application then return to that browser window at lunchtime. The duration would read as three hours but the reality would be a matter of seconds.

No idea about cheaper products - this is the ISA and Forefront zone.

Keith
0
 
LVL 2

Author Comment

by:Reinert Wentzel
ID: 33588445
But will ISA log all other traffic going out, even torrents not using the browser? Or viruses?
0
 
LVL 4

Expert Comment

by:EshuunDara
ID: 33589863
ReiinerWentzel:  That depends.  In many environments, users aren't allowed to reach the internet directly.  In this instance, if your Forefront server was the only IP that was allowed to get to the internet, and it is configured for logging, then your answer is yes.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33590848
Let's be clear on a couple of things. ISA will log all traffic - it has to in order to meet the EAL4+ accreditation requirements. However, there are caveats. For example, an SSL connection between a client and an external server. ISA will log the fact that an SSL session has been created but it obviously cannot then identify what traffic has gone across that link session as it is encrypted within the SSL tunnel. Forefront TMG IS able to break out that traffic as it has a new function called HTTPS inspection (although this has legal implications if used that need to be carefully thought through).

ISA logs traffic based on source and destination and by protocol. If you have used an authentication method for users (as opposed to the All Users option) then it will report the credentials of the user who carried the traffic as opposed to just reporting the IP address of the client.

You can purchase GFI WebMonitor to install over the top of ISA if you want really in-depth reporting. Not that cheap but is certainly the best ISA reporting tool I have found.

Bandwidth Splitter is the additional product if you really want to get 'down and dirty' and start controlling by bandwidth quotas and the like.

Keith
0
 
LVL 2

Author Comment

by:Reinert Wentzel
ID: 33599183
Thx for the advice. I have a trial of ISA 2004 that I would like to try. My plan is this: (please note the network is a mess at the moment and has no structure - the company does not have money at the mom for proper infrastructure - I just want to solve the data issues first) we have Windows 2000 Server (I know, very old lol) used as a file server only (no DHCP). I want to install ISA 2004 in cache mode only, and then redirect all internet options under proxy to the ISA server. Will this work, and does this mean the ISA is the only server allowed out of the network? Sorry, I am still new to ISA.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33599227
No, it just means that internal clients and servers make a session between themselves and ISA and ISA uses its IP address as the source when heading out to the next hop which is likely your firewall/external router.
0
 
LVL 2

Author Comment

by:Reinert Wentzel
ID: 33606439
Hi Keith, I will respond to that question shortly and award points. Sorry, just been very busy :-) OK, so let's say I install 2 network cards in my Server 2000 box with one going to my internal network and the other to my external ADSL modem and install ISA 2004 on the Windows 2000 box. I then enable DHCP on my 2000 box so that clients use the internal card's IP as the gateway. And then enable the proxy in the internet options of each client. Will all traffic in and out be logged so I can trace where my internet cap is going? I don't care about detailed reports, all I want is source, destination, protocol and usage?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33606453
OK - ISA 2004 will give you source/destination/protocol, no issue. Bear in mind that if you want source by username you need to ensure users are authenticated. Using an All Users criteria in a rule will result in source logging by IP address, not user name.

Usage will be reported by traffic passing through the interfaces, not by time spent on a site as that is pretty much impossible for ISA. It has no knowledge of whether a person spends 50 minutes reading a web page or 10 seconds reading it (as no other traffic passes through its interfaces).

Keith
0
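An added example, not part of the original thread and not ISA's own tooling: once traffic is logged with source, destination, protocol and byte counts as described in the comment above, usage can be totalled per user, falling back to the client IP where the rule did not require authentication. The tab-separated layout, the column names and the `anonymous` marker are assumptions made for this constructed sample.

```python
import csv
import io
from collections import defaultdict

# Constructed sample records (not real ISA output). The column names are
# assumptions for this example; map them to the fields of your own log export.
SAMPLE_LOG = """\
client_ip\tusername\tdestination\tprotocol\tbytes_sent\tbytes_received
192.168.1.10\tCORP\\alice\twww.example.com\tHTTP\t1200\t350000
192.168.1.10\tCORP\\alice\tupdates.example.net\tHTTPS\t900\t48000
192.168.1.23\tanonymous\t203.0.113.40\tTCP:6881\t5200000\t91000000
192.168.1.23\tanonymous\t203.0.113.77\tTCP:6881\t4100000\t64000000
192.168.1.31\tCORP\\bob\tmail.example.org\tSMTP\t250000\t4000
192.168.1.23\tanonymous\twww.example.com\tHTTP\t800\t120000
"""

def identity(row):
    """Key usage by user name when one was logged, otherwise by client IP
    (assumption: unauthenticated traffic is logged as 'anonymous' or blank)."""
    user = row["username"].strip()
    if user and user.lower() != "anonymous":
        return user
    return row["client_ip"]

def usage_report(log_text):
    """Return (bytes per identity, bytes per identity per protocol)."""
    totals = defaultdict(int)
    by_protocol = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(log_text), delimiter="\t"):
        try:
            size = int(row["bytes_sent"]) + int(row["bytes_received"])
        except (TypeError, ValueError):
            continue  # skip truncated or malformed records
        who = identity(row)
        totals[who] += size
        by_protocol[who][row["protocol"]] += size
    return totals, by_protocol

def top_talkers(log_text, n=3):
    """Rank identities by total bytes and name each one's heaviest protocol."""
    totals, by_protocol = usage_report(log_text)
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return [(w, t, max(by_protocol[w], key=by_protocol[w].get)) for w, t in ranked]

if __name__ == "__main__":
    for who, total, proto in top_talkers(SAMPLE_LOG):
        print(f"{who:20} {total / 1e6:10.1f} MB  mostly {proto}")
```

In the sample, the heaviest consumer shows up only as an IP address because its traffic matched an unauthenticated rule, which is the caveat the comment above describes.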
 
LVL 2

Author Comment

by:Reinert Wentzel
ID: 33606522
Thx for the response. Just to finalise everything: I will need two network cards for my setup? One for external and one for internal? I will need to point all clients to my ISA as their gateway? How will I restrict only the ISA to have access to the external network?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33606662
I don't understand your final point. What do you mean restrict access to the ISA? Why would you want to do that?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33606667
Yes for the network cards though and the gateway.
0
 
LVL 2

Author Comment

by:Reinert Wentzel
ID: 33606731
What I mean is: allow only my ISA to have internet access, so this forces all clients to have the ISA as their gateway and this is the only way they can have internet access? This forces all traffic to go through the ISA server. I don't want a client or traffic not going through ISA, as this will obviously then not be logged by ISA.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 33606814
OK - I think I get your drift.

Think about protocols as opposed to ports.
Create a new protocol on the ISA 2004 server (or any version over ISA 2000 really) - call it 'transparent http' or 'pure-tcp80' or something similar. This is an outbound tcp port 80 to port 80, no secondaries.

Create a new access rule and place it above your normal outbound http/https rule along the following lines:

rule name:  Block tcp port 80
Action:  Deny
protocol:  transparent http (or whatever you called it)
from:  Internal
To:  External
Users:   All users

This will block tcp port 80 traffic and effectively cover ANY internal device that tries to get to an external web server directly, as opposed to the same access that is operating with the web proxy settings in place. Remember this will affect ANY device so you may need to put other rules above for appliances etc. that cannot operate with a proxy. Down to you to work out the right sequencing/order etc. but you will get the point.

Anyway, if the ISA is the default gateway, the traffic would have to go through ISA anyway but the above is good best-practice.

Keith

Make sure you close any existing open browsers on the PC before testing on a client. A browser only looks at the proxy the first time the browser is opened on a session.




0


Question has a verified solution.
