For those that never heard about GFI WebMonitor; it’s an ISA Server (2004 or 2006) “add-on” that helps you monitor in real time the network traffic inside your organization, it also complements with ISA Server giving you the chance to directly configure white/black lists, set some access rules to the internet and scan all the traffic for virus and malware.

In this post I’ll try to review the functionality, pros and cons, as well as the process of installing and configuring.

GFI WebMonitor 2009 Requirements

I’m evaluating the GFI UnifiedProtection Edition (that combines WebFilter and WebSecurity) in one package.

Hardware

• Processor: 1.8ghz
• Memory: 2GB RAM
• Hard Disk: 10/15 GB free

Operating System and Software

• Windows Server 2000 SP4 / Windows Server 2003
• ISA Server 2004 SP3 / ISA Server 2006
• Internet Explorer 6 or later
• .Net Framework 2.0

GFI WebMonitor Installation

You can download the trial version for GFI WebMonitor from this link.

The installation process it’s simple, you shouldn’t have any problem with this.

Access Permissions. Here you can set from which of the IP address the GFI web configuration will be accessible. Take note that you can specify the users that can access it.

Mail Settings. Configure it to receive mail notifications about when, for example, a user is trying to infringe a configured policy in WebMonitor.

Testing mail notifications.

Once the installation is complete, two new access rules are configured in your ISA Server Firewall Policy: One to allow access to the WebMonitor tool from a browser, and the other for updates.

GFI WebMonitor Dashboard

You can access the main window from the Program Menu of from your web browser.

Always having a dashboard it’s a good idea, specially with this kind of tool. Making a quick look here you’ll get most of the necessary information that WebMonitor provides: Bandwidth consumed, active connections, blocked content, etc.

Including also a graphical presentation of the data, that, of course, helps you a lot to discover any anomaly.

Monitoring

Within this section you’ll find all of data parsed and sorted in a very user-friendly way. They are pretty much self-explained.

All of this information is sorted also from a calendar, so if you want to take a look from previous dates, just use the “<” “>” buttons from upper right corner.

Active and Past Connections.

Bandwidth Consumption and Distribution.

Top Policy Breakers. Users marked that tried to access or download blocked content. In my case, only IPs are showing but remember this tool is highly integrated with ISA Client and ISA Server authentication that associates traffic with specific users.

If that’s not enough for you, check the charts options for specific URLs:

White/Black Lists

By default, there are a few sites configured already in the white list.

As an interesting option, you also have a “temporary white list” to allow specific sites for a few hours.

When a black listed site is trying to be browsed, the client will receive this message.

Web Filtering Policies

Here you can create rules and policies for your network traffic. You have a “Default Web Filtering Policy” that allows all contents from all categories; you can modify this one or create a new one for a specific user or IP.

Creating a new policy it’s quite simple and intuitive.

Policy name and schedule.

Categories to be blocked and allowed by the policy.

Applies to (users, groups or IPs).

Notification options when a user intents to access blocked content.

To define a website category a query is run to the WebGrade Database, that also receives updates periodically.

You can also run queries manually to the database and find out the category for a specific site.

Web Security Policies

These policies have the same functionality that the filtering policies, but are defined for file downloads, IM access and virus scanning.

Download Policies

By default, all content is allowed for download.

As an alternative policy to blocked downloads is the “quarantine” option.

IM Control Policies

This an option that is constantly asked and requested by ISA Server administrators, how to block IM on their networks.

Unfortunately, using this tool, you can only block MSN and Live Messenger traffic using HTTP connections.

Virus Scanning Policies

By default any suspicious download will be scanned by three different antivirus engines: BitDefender, Kaspersky and Norman; that, of course are updated constantly.

The default files that are scanned: Microsoft Office documents, PDFs, ZIP and RAR, executables and MSI.

Whenever any of these files are downloaded, the client will open the GFI WebMonitor Secure Download window that validates the file it’s not infected.

Download and virus scan completed.

Conclusions

Pros

• It is one of the best monitoring tools for bandwidth consumption available in the market. With a nice data parsing as well.
• It represents a great complement for ISA Server access and deny rules.
• Rules and policies are very easy to add and configure.
• Minimum overhead in network connectivity.
• Antivirus Integration: This is probably my favorite feature. Has almost the same functionality than an corporative antivirus solution that controls any suspicious packet in the network.

Cons

• Hardware requirements. It is not recommendable to use GFI WebMonitor on a machine with less than 2gb of RAM.
• Even though the data parsing is great, there’s no easy way to export those reports to a document or even a CSV file.
• There are no options available for export/import WebMonitor configurations. It is not possible to replicate the same configuration on another server or make a backup in a simple way.

If you are an IT Administrator that continuously perceive that your network is slow or it does not has the performance that it should, this tool can give you a lot of help. As a bonus, it will simplify configuring access rules and provide you with an excellent protection with 3 antivirus engines scanning packets.

But if you are using a small resources machine as your gateway, don’t bother installing it, it would give you a lot more problems than solutions.

Hope that you find this useful,

Cheers!

Download the testking 642-642 dumps and testking 350-029 tutorials prepared by certified experts at testking to help you learn how to improve web access using gfi web monitor

A small comment about this: The same configuration described here, can also work for Team Foundation Server 2008.

It’s very important that you already have defined your public name for the TFS Server and even more important that this public name can be resolved by the ISA Server and over the Internet.

Let’s start then:

1 – Publish TFS Services

1.1 – Select “Publish Web Site” and use the proper name for that rule.

1.2 – Select “Publish a single Web Site or load balancer”.

1.3 – If you are not going to use SSL the just select “Use non-secured connections…”

1.4 – In this step you must indicate the FQDN that the clients will use to connect with the Team Foundation Server. Remember that this name should be already accessible for the ISA Server.

1.5 – No selection on Path and select “Forward the original host header…”

1.6 – Select “Accept Requests for: This domain name (type below)” and use the public TFS name again.

1.7 – On the next window you will need to create a Web Listener, which will be accepting the incoming requests for TFS Services port.

1.8 – Select again what kind of HTTP connections will use, secure or not secure.

1.9 – Select that the Listener will be getting the requests from the External network that you should already have on your ISA Server

1.10 Select that the Listener will not require authentication. This process will be done by the TFS itself.

1.11 Hit Next and Finish the new listener creation.

1.12 Once that the creation of the listener finishes, you’ll be back at the rule wizard.
Leave selection of “No delegation, and client cannot authenticate directly”

1.13 Leave the “All Users” option and hit Next.

1.14 The wizard will complete but that’s not all. The web listener and the rules that you just created it actually didn’t complete with their proper configuration, all the listeners are created to “listen” in the default port of HTTP. Like TFS use the port 8080 to receive incoming requests, we will need to change that default port.

Access the rule properties and get to the “Bridging” and select the port 8080.

Now enter to the listener properties and select on “Connections” the correct port.

On “Authentication” select “Advanced” and check the option “Allow client authentication over HTTP”

1.15 Hit OK twice and the rule for TFS Services it’s ready.

2 – Publish TFS SharePoint

This rule follows the same configuration that the TFS Services on the steps 1 to 13. As you can imagine the differences are made within the ports configuration, and we will replace the 8080 used on the first rule by the 17012 of our SharePoint Services.

2.1 Enter the properties of the rule you just created for the SharePoint services and Access to the “Bridging” options and select the 17012 port.

Access the Listener properties and select “Connections” with the proper port:

Again on “Authentication” select “Advanced” and mark “Allow client authentication over HTTP”

2.2 Now the TFS SharePoint Rule it’s created.

3 – Publish TFS www

Like the other two rules, the steps from 1 to 13 are completely the same. Like this rule it’s representing an HTTP connection, neither ports on the Bridging option nor the Web Listener needs to be changed, they must keep as the default port 80 configured. The only thing that you must do is the authentication method, as we did on the first two.

3.1 “Authentication” select “Advanced” and “Allow client authentication over HTTP”

3.2 Hit OK twice and you are set to go.

That’s pretty much everything to do.

There’s a common issue within TFS public name. When you use this FQDN to connect over the Internet, it appears that the users have not the proper permissions, making the “Documents” and “Reports” items unavailable, for Team Explorer. You should check another post of mine that has the workaround for that problem.

Also here’s an interesting article about how ISA Server handles authentication:
http://technet.microsoft.com/en-us/library/bb794722.aspx

I hope you find it useful!

Cheers!