Converse agora com nosso suporte
Chat com o suporte

InTrust 11.4.2 - Preparing for Auditing Microsoft Forefront Threat Management Gateway and ISA Server

Gathering Data Without Agents

You can configure InTrust to collect ISA Server 2000 logs without agents.

Caution: To collect audit data from TMG, ISA Server 2004 and ISA Server 2006, agents are required.

However, TMG logs in SQL Server Express format can also be gathered without agents if you do the following:

  • Allow RPC connections to the Threat Management Gateway server.
  • Make the SQL Server instance named "MSFW" on the Threat Management Gateway remotely available.
  • Install the Microsoft TMG Management Console on the InTrust server.
  • To work without agents, Microsoft ISA Administrative Components must be installed on the InTrust server.
  • On the processed computer, you can use Remote Registry Service, or Microsoft ISA Administrative Components.
  • The account under which the gathering service will access site computers (specified explicitly in the site’s settings, or inherited from InTrust server or task) requires the following:
    1. Access this computer from the network right must be granted.
    2. Deny access to this computer from network right must be disabled.
    3. Membership in the local Administrators group.
    4. Read permission to the HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation registry key.
    5. Read permission to the HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language registry key.
    6. Read and List Folder Contents permissions to log file folders; the Delete permission must also be granted if the Clear log files after gathering option is enabled for the data source.

Resolution of IP Addresses

If specified by InTrust settings, IP addresses found in the log are resolved to host names, and InTrust saves them both (IP addresses and host names) into the log, appending them to original fields. This can significantly slow down gathering process; that is why this option is disabled by default. If necessary, you can enable this option in the following way:

  1. In InTrust Manager, select Configuration | Data Sources.
  2. On the right pane, select the ISA Server log you need, for example, Web Proxy Log.
  3. From its shortcut menu, select Properties, on the Settings tab select Resolve IP addresses to and specify whether to resolve them into NetBIOS names or DNS names.

InTrust Knowledge Pack for Microsoft ISAS/Proxy Server

The Knowledge Pack for Microsoft ISAS/Proxy Server offers a set of predefined InTrust objects that will help you configure the gathering and monitoring of event data from your Microsoft TMG/ISA/Proxy Servers. The following objects are included:

  • Gathering policies:
    • TMG and ISAS: Security
      Collects all TMG and ISAS security events to both a repository and a database.
    • TMG and ISAS: Health
      Collects all TMG and ISAS health events both to a repository and a database.
    • TMG and ISAS: Usage: Proxy
      Collects TMG and ISAS Web Proxy log both to a repository and a database.
    • TMG and ISAS: Usage: Firewall
      Collects TMG and ISAS Firewall log both to a repository and a database.
  • Import policies:
    • TMG and ISAS: Security
      Imports all TMG and ISAS security events to a database.
    • TMG and ISAS: Health
      Imports all TMG and ISAS health events to a database.
    • TMG and ISAS: Usage: Proxy
      Imports events from TMG and ISAS Web Proxy log to a database.
    • TMG and ISAS: Usage: Firewall
      Imports events from TMG and ISAS Firewall log to a database.
  • Jobs:
    • TMG and ISAS Security events collection
      Collection of all the TMG and ISAS security events to the default repository and the default database.
    • Weekly TMG and ISAS Web Proxy Reporting
      Weekly reporting of TMG and ISAS Web Proxy usage.
    • Weekly TMG and ISAS Firewall Reporting
      Weekly reporting of TMG and ISAS Firewall usage.
  • Tasks:
    • TMG and ISAS Daily collection
      Daily collection of all the TMG and ISAS security events to the default repository and the default database.
    • TMG and ISAS Weekly Reporting
      Weekly reporting of TMG and ISAS Statistics and the most critical events.
  • “All TMG and ISA servers” site
Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação