WebSpy is a Fastvue Product


Anonymous Traffic in TMG and ISA Server

Last Updated: Nov 17, 2015 11:26PM PST
One of the most common questions we get asked by users of Microsoft TMG and ISA is why there is so much traffic attributed to the Anonymous user. Even though unauthenticated access to the web has been disabled, they still see the ‘Anonymous’ user as one of the top users in their reports.
 
So let’s use WebSpy Vantage to drill into that Anonymous user and find out what is going on.
 
One way to do this is to run an Ad-hoc analysis on the Summaries screen and drill down into the Anonymous user to view all the information about that user. However, TMG and ISA tend to log a lot of information that may not be relevant to this particular investigation, so I’ve created some report templates (one for ISA and one for TMG) and a set of Aliases that pull out the relevant information.
 

Download our Anonymous Traffic Investigation Report

If you’re running WebSpy Vantage, download the Anonymous Traffic Report Templates & Aliases.
 
Then open the .Templates file on the Reports tab, and the .Aliases file on the Aliases tab. Once you have both files opened, go to the Reports tab and click either the ‘Anonymous Traffic Investigation (ISA)’ or the ‘Anonymous Traffic Investigation (TMG)’ report. Then click the ‘Generate report’ link and run the report template on your ISA or TMG storage.
 
The report gives you the ability to drill into the Allowed, Denied and Failed traffic to see a list of the unauthenticated IPs, Sites, Rules responsible for blocking or allowing the traffic, unauthenticated Applications and Result Codes.
 

Main Causes of Anonymous Traffic

What you will probably find is that most of the Anonymous traffic is being denied by your TMG or ISA firewall. When a client first requests a web page, the proxy will challenge the client for authentication. These events are often logged with the result code 12209 meaning ‘authorization is required to fulfill the request’. These requests are therefore denied by the proxy until the client’s credentials are authenticated.
 
Have a look at the amount of traffic being denied and then check out the Result Codes associated with the denied traffic. Chances are you’ll see ‘proxy authentication required’ appear predominantly.
 
If you also look at the Applications section, you may find that Windows Updates are sailing through your TMG or ISA firewall unauthenticated.

However, you may also have a rule set up that allows unauthenticated users to access the internet. For web traffic, check that your ‘allow’ Web rules require authentication. That is, instead of allowing ‘All Users’, set the rule to ‘Authenticated Users’.

You can configure TMG to require all users to authenticate. To do this:
1. Open the Microsoft Forefront TMG Management console.
2. Click on the ‘Networking’ node in the left pane and select the ‘Networks’ tab in the right pane.
3. Right click on the ‘Internal’ network and select ‘Properties’.
4. Select the ‘Web Proxy’ tab and click on the ‘Authentication…’ button.
5. Select the ‘Require all users to authenticate’ checkbox.
6. Click ‘OK’ to save changes.
7. Repeat the same procedure for ‘Local Host’ in the Networks Tab.
 

Filter out Unauthenticated Traffic from Reports

The most logical next step is to filter out the information you do not want in your reports. You’ll probably still want to include Windows Update traffic in your reports, but you’re probably not so interested in the ‘proxy authentication required’ information. So let’s filter that out.
 
To do this:
 
  1. Go to the Reports tab and select the report you want to filter (such as your Organization report).
  2. Click ‘Edit Template’, then click ‘Template Properties’.
  3. In the filter section at the bottom of the dialog, click Add | Field value filter.
  4. Select the ‘Result Code’ summary and select the Status Code Names (ISA-FTMG) alias.
  5. On the toolbar, search for Authorization, and check the following two items:
     • The server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
     • The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.
  6. Ensure the ‘Exclude’ radio button is selected and click OK.

If you decide that you don’t care about seeing ANY unauthenticated traffic in your reports, you can always simply filter out the Anonymous user from your reports.
 
To do this:
 
  1. Go to the Reports tab and select the report you want to filter (such as your Organization report).
  2. Click ‘Edit Template’, then click ‘Template Properties’.
  3. In the filter section at the bottom of the dialog, click Add | Field value filter.
  4. Select the ‘Username’ summary.
  5. On the toolbar, click Add and type ‘anonymous’. Click OK.
  6. Ensure the ‘Exclude’ radio button is selected and click OK.
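The two filters above, and the Allowed/Denied/Failed drill-down from the report, can be reproduced directly on the proxy log if you want to sanity-check the numbers outside Vantage. The script below is an added example written for this article, not WebSpy or Microsoft code. It parses a constructed W3C-style log whose field names (`c-ip`, `cs-username`, `cs-uri`, `sc-status`, `rule`, `action`, `cs-bytes`) are assumed to be a subset of the TMG web proxy log fields; the log lines, the rule names and the 403 status are made up, while 12209 is the authorization-required code discussed above. It shows the anonymous breakdown by action and result code, then applies the ‘exclude the authentication challenges’ filter and the ‘exclude the anonymous user’ filter and compares the per-user totals each one leaves behind.

```python
"""Breakdown of 'anonymous' web proxy traffic in a TMG/ISA-style W3C log.

Added example (not WebSpy's or Microsoft's code). Field names are assumed
to mirror a subset of the TMG web proxy W3C format; the records are constructed.
"""
from collections import Counter, defaultdict

# 12209 is the proxy's authentication challenge ('authorization is required
# to fulfill the request'); it is the code the article filters out first.
AUTH_REQUIRED_CODES = {12209}

# Constructed sample log (W3C extended format). The 403 line stands in for a
# request denied by a rule rather than by the authentication challenge.
SAMPLE_LOG = """\
#Software: Microsoft(R) Forefront(TM) Threat Management Gateway
#Fields: c-ip cs-username cs-uri sc-status rule action cs-bytes
10.0.0.15 anonymous http://intranet.example/ 12209 Allow-Web Denied 512
10.0.0.15 CORP\\alice http://intranet.example/ 200 Allow-Web Allowed 10240
10.0.0.22 anonymous http://download.windowsupdate.com/x.cab 200 Allow-WU Allowed 2048000
10.0.0.31 anonymous http://news.example/ 12209 Allow-Web Denied 380
10.0.0.31 anonymous http://news.example/ 12209 Allow-Web Denied 380
10.0.0.44 anonymous http://blocked.example/ 403 Deny-All Denied 0
10.0.0.44 CORP\\bob http://docs.example/ 200 Allow-Web Allowed 4096
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: directive.

    W3C logs encode spaces inside field values, so a plain split is enough here.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line appears before the #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def is_anonymous(rec):
    """TMG/ISA log unauthenticated requests under the 'anonymous' username."""
    return rec["cs-username"].lower() == "anonymous"


def anonymous_breakdown(records):
    """Return {action: {sc-status: count}} for anonymous records only.

    This mirrors the report's drill-down from Allowed/Denied/Failed into
    Result Codes: the Denied bucket is dominated by 12209 challenges.
    """
    breakdown = defaultdict(Counter)
    for rec in records:
        if is_anonymous(rec):
            breakdown[rec["action"]][rec["sc-status"]] += 1
    return {action: dict(codes) for action, codes in breakdown.items()}


def exclude_auth_required(records):
    """First filter from the article: drop the proxy's own authentication
    challenges but keep other anonymous traffic (e.g. Windows Update)."""
    return [r for r in records if int(r["sc-status"]) not in AUTH_REQUIRED_CODES]


def exclude_anonymous(records):
    """Second filter from the article: drop every anonymous record."""
    return [r for r in records if not is_anonymous(r)]


def summarize(records):
    """Bytes per username: the 'top users' view where 'anonymous' shows up."""
    totals = Counter()
    for rec in records:
        totals[rec["cs-username"]] += int(rec["cs-bytes"])
    return dict(totals)


if __name__ == "__main__":
    recs = list(parse_w3c(SAMPLE_LOG))
    print("anonymous breakdown:", anonymous_breakdown(recs))
    print("top users, unfiltered:", summarize(recs))
    print("without auth challenges:", summarize(exclude_auth_required(recs)))
    print("without anonymous:", summarize(exclude_anonymous(recs)))
```

Run against a real TMG export, the first filter is the one that keeps the picture honest: it removes the 12209 noise while still surfacing the anonymous Windows Update download, which the second filter would hide along with everything else.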

Hopefully this article improves your understanding of the ‘anonymous’ user, and gives you some actions to take for your specific reporting situation.
 

Try Fastvue TMG Reporter

You may also like to know that we have a separate application that makes reporting on Forefront TMG much easier. Check out Fastvue TMG Reporter at http://www.fastvue.co/tmgreporter

Contact Us

support@fastvue.co