Planning for reporting

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG provides flexible, customizable reports that can help you to analyze and summarize log information, as well as create a permanent record of common usage patterns.

Four types of reports are available:

  • One-time report—Provides an immediate picture of the activity that is recorded by Forefront TMG over any period that you specify.

  • Recurring report job—Provides a way to automatically generate reports on a daily, weekly, or monthly basis. The time periods available for these reports are more structured than those of one-time or user activity reports; a report that is generated every day shows a day's activity, and a report that is generated once a month will show exactly a month's activity.

  • User activity report—Displays the websites (including URL categories) that are requested by specific users for any period that you specify.


    The user activity report is a new feature of Forefront TMG SP1.

  • Site activity report—Displays the amount of data transferred to and from different websites for any period that you specify, per user. Additionally, you can display the total data transfer to and from a specific website, per user.


    The site activity report is a new feature of Forefront TMG SP2.

When planning for reporting in Forefront TMG, consider the following:

  • Report categories

  • Custom reporting

  • The reporting mechanism

  • Publishing reports to a file share

Report categories

By default, one-time reports and recurring report jobs show the full range of activity that is available for reporting on Forefront TMG. The activity that is recorded is divided into the following report categories:

  • Summary—Provides information about network traffic usage, sorted by application. This category is most relevant to the network administrator or the person who is managing or planning a company's Internet connectivity.

  • Web Usage—Displays information about frequent web users, common responses, and browsers. This category shows how the web is being used in a company. It is most relevant to the network administrator or the person who is managing or planning a company's Internet connectivity.

  • Application Usage—Displays Internet application usage information about top users, client applications and destinations.

  • Traffic and Utilization—Displays total Internet usage by application, protocol and direction. This category also shows average traffic and peak simultaneous connections, cache hit ratio, errors, and other statistics.

  • Security—Lists attempts to breach network security.

  • Malware Protection—Displays the names of current threats, the users, and websites that generate the largest number of malware incidents, statistics regarding the Malware Filter, and a daily summary of malware activity.

  • URL Filtering—Lists Forefront TMG URL filtering activity.

  • Network Inspection System—Displays information about network attacks that are detected by the Network Inspection System (NIS). NIS is a traffic inspection system, based on protocol decoding, that uses signatures of known vulnerabilities to detect and potentially block attacks on network resources.


The user activity report produces a short report listing the sites, with their associated URL categories, that specific users have requested to access during a specified time period. Unlike the one-time and recurring report job, the user activity report has no categories, but you can modify the number of websites that it will display. When creating a user activity report, you enter the user names or aliases that you want to appear in the report. For more information about creating a user activity report, see Creating reports.

Custom reporting

When you configure a report, you can choose to exclude some report categories, as well as modify the details of the subcategories for each category included in the report. For example, you could edit the Summary report category by selecting the Top Protocols subcategory and changing the Number of protocols to include from the default value of 15 to 7. Alternatively, you could exclude the Summary report category altogether.

For more details about creating reports, see Configuring Forefront TMG reports.

The reporting mechanism

Forefront TMG reports are based on log summaries that are derived from the Web Proxy and Firewall logs, and thus contain activity from the previous day and earlier. Using SQL Server reporting services, Forefront TMG generates daily and monthly log summaries, on which all reports are based. Log summaries are generated at night (by default at 1:00am); however this time is configurable.

The report server

The report server is a Forefront TMG server running SQL Server reporting services in order to aggregate log summaries. The default report server is the first Forefront TMG array member created.

At the time of summary log generation the firewall and web proxy logs from each array member are consolidated as a summary log and are stored on the report server. All report jobs are based on this consolidated summary log.

In Forefront TMG Enterprise Edition, the Report Server tab in the Reporting properties can be used to change the designated report server. For instructions, see Changing the report server.

In Forefront TMG Standard Edition, the report server is always the local Forefront TMG server.

Publishing reports to a file share

When you plan to publish reports, consider the following:

  • When specifying a published reports directory, the directory must exist in the file system. The report generator will not create the folder.

  • When publishing reports, you must grant at least Read access permissions to users who must view the report in this shared folder. If you do not publish the report, you can only view the report on the computer that is running Forefront TMG Management.

  • When publishing a report, the Forefront TMG computer requires Write permissions to the folder to which you publish the report. By default, the Local System account is used to publish the report. However, if you publish the report to a folder that resides on a different computer, the Local System account credentials are passed as the account of the Forefront TMG-based computer. For this reason, the account of the Forefront TMG-based computer must have sufficient permissions to write to the destination folder. If you specify a user account to publish the report, make sure that this user account is granted Write permissions to the destination folder.

  • If Forefront TMG is installed in workgroup mode, Forefront TMG uses the Unauthenticated account. In this case, it is recommended that you specify user credentials when publishing reports to another computer.


Configuring Forefront TMG reports
Administering planning guide for Forefront TMG