Using Events and Alerts

An application filter can signal any event that is defined in the stored Forefront TMG configuration by calling the IFPCEventDefinition::Signal method on it when a specific situation is detected. Alerts, which specify actions to be taken in response to an event and are issued by the Microsoft Firewall service when all the specified conditions are met, can also be defined in the stored Forefront TMG configuration. The actions that can be triggered by an alert include sending an email message, invoking a command, writing to a log, and starting or stopping Forefront TMG services. Additional events and alerts can be defined by the registration module of an application filter.

The steps that you need to include in the code of your filter are as follows:

  1. Define an event that the filter will signal whenever it encounters a specific situation.

    The filter must define an event in the stored Forefront TMG configuration.

    The event should be defined during registration of the filter with the Firewall service because you want the administrator to be able to define alerts for the event. When the filter is unregistered, the event definition should be removed.

  2. Create an alert that will be issued for the event.

    The filter can define an alert for the event during the filter registration process using Forefront TMG administration COM interfaces, or the administrator can define an alert for the event programmatically using a separate script or manually as described in the Forefront TMG product documentation. The definition of this alert should also be removed before the event definition is removed.

  3. Call the IFPCEventDefinition::Signal method to signal the event when the specific situation is encountered.

An attacker can use an alert to consume the resources of Forefront TMG computers. A successful attack can trigger an alert for each network packet sent. To mitigate this risk, the filter should include a mechanism for preventing each alert that is issued by it from being issued more than once per second. The MinutesBeforeReRaise property of the alert can be used for this purpose.

The Data Monitor filter sample provided with the Forefront TMG SDK creates both an event and an alert for the event during the registration process.

Note  The events and alerts that are defined during filter installation should be removed when the filter is uninstalled.

For more information about creating an event and alert, see Customizing the Setup Process.



Build date: 7/12/2010