
2018-11-08

TMG - web proxy result codes


Microsoft Forefront TMG 2010 – Web Proxy Result Code Values
| Source values | Description |
|---|---|
| 0 | The operation completed successfully. |
| 200 | OK. |
| 201 | Created. |
| 202 | Accepted. |
| 204 | No content. |
| 301 | Moved permanently. |
| 302 | Moved temporarily. |
| 304 | Not modified. |
| 400 | Bad request. |
| 401 | Unauthorized. |
| 403 | Forbidden. |
| 404 | Not found. |
| 500 | Server error. |
| 501 | Not implemented. |
| 502 | Bad gateway. |
| 503 | Out of resources. |
| 995 | Operation aborted. |
| 10060 | A connection timed out. |
| 10061 | A connection was refused by the destination host. |
| 10065 | No route to host. |
| 11001 | Host not found. |
| 12201 | A chained proxy server or array member requires proxy-to-proxy authentication. Please contact your server administrator. |
| 12301 | A chained server requires authentication. Contact the server administrator. |
| 12202 | The Forefront TMG denied the specified Uniform Resource Locator (URL). |
| 12302 | The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. |
| 12204 / 12304 | The specified Secure Sockets Layer (SSL) port is not allowed. Forefront TMG is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. |
| 12206 | The Forefront TMG detected a proxy chain loop. There is a problem with the configuration of the Forefront TMG routing policy. Please contact your server administrator. |
| 12306 | The server detected a chain loop. There is a problem with the configuration of the server routing policy. Contact the server administrator. |
| 12207 | Forefront TMG dial-out connection failed. The administrator should manually dial the specified phonebook entry to determine if the number can be reached. |
| 12307 | The dial-out connection failed. The dial-out connection failed with the specified phonebook entry. The administrator should manually dial the specified phonebook entry to confirm that the problem is not the Windows auto-dial facility. |
| 12208 | Forefront TMG is too busy to handle this request. Reenter the request or renew the connection to the server (now or at a later time). |
| 12308 | The server is too busy to handle this request. Reenter the request or try again later. |
| 12209 | The Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. |
| 12309 | The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. |
| 12210 / 12310 | An Internet Server API (ISAPI) filter has finished handling the request. Contact your system administrator. |
| 12211 | Forefront TMG requires a secure channel connection to fulfill the request. Forefront TMG is configured to respond to outgoing secure (Secure Sockets Layer (SSL)) channel requests. |
| 12311 | The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator. |
| 12213 | Forefront TMG requires a client certificate to fulfill the request. A Secure Sockets Layer (SSL) Web server, during the authentication process, requires a client certificate. |
| 12313 | The page requires a client certificate as part of the authentication process. If you are using a smart card, you will need to insert your smart card to select an appropriate certificate. Otherwise, contact your server administrator. |
| 12214 / 12314 | An Internet Server API (ISAPI) filter caused an error or terminated with an error. |
| 12215 | The size of the request header is too large. Contact your Forefront TMG administrator. |
| 12315 | The size of the request header is too large. Contact the server administrator. |
| 12216 | The size of the response header is too large. Contact your Forefront TMG administrator. |
| 12316 | The size of the response header is too large. Contact the server administrator. |
| 12217 | The request was rejected by the HTTP filter. Contact your Forefront TMG administrator. |
| 12317 | The request was rejected by the HTTP filter. Contact the server administrator. |
| 12218 | Forefront TMG cannot handle your request because the DNS quota was exceeded. Contact your Forefront TMG administrator. |
| 12318 | Forefront TMG cannot handle your request because the DNS quota was exceeded. Contact the server administrator. |
| 12219 | The number of HTTP requests per minute exceeded the configured limit. Contact your Forefront TMG administrator. |
| 12319 | The number of HTTP requests per minute exceeded the configured limit. Contact the server administrator. |
| 12320 | Forefront TMG is configured to block HTTP requests that require authentication. |
| 12221 / 12321 | The client certificate used to establish the SSL connection with the Forefront TMG computer is not trusted. |
| 12222 / 12322 | The client certificate used to establish the SSL connection with the Forefront TMG computer is not acceptable. The client certificate restrictions were not met. |
| 12323 | Authentication failed. The client certificate used to establish an SSL connection with the Forefront TMG computer does not match the user credentials that you entered. |
| 12224 | The SSL server certificate supplied by a destination server is not yet valid. |
| 12225 | The SSL server certificate supplied by a destination server expired. |
| 12226 | The certification authority that issued the SSL server certificate supplied by a destination server is not trusted by the local computer. |
| 12227 | The name on the SSL server certificate supplied by a destination server does not match the name of the host requested. |
| 12228 | The SSL certificate supplied by a destination server cannot be used to validate the server because it is not a server certificate. |
| 12229 | The Web site requires a client certificate, but a client certificate cannot be supplied when HTTPS inspection is applied to the request. |
| 12230 | The SSL server certificate supplied by a destination server has been revoked by the certification authority that issued it. |
| 12234 / 12334 | The traffic was blocked by IPS. |
| 12235 | Web traffic was blocked for a rule with URL filtering enabled because the URL filtering database is not available. |
| 12236 / 12336 | Download failed because a third-party Web content filter does not support downloads that exceed 4GB. |
| 12337 | Download failed because the Link Translation filter does not support downloads that exceed 4GB. |
| 12238 / 12338 | Download failed because the Compression filter does not support downloads that exceed 4GB. |
| 12239 / 12339 | Request failed because the size of the request body is too large. |

TMG - web proxy log fields


Microsoft Forefront TMG 2010 – Web Proxy Log Fields
| Bit number | Field name (log viewer) | Field name (W3C) | Description |
|---|---|---|---|
| 0 | Client IP | c-ip | The IP address of the requesting client. |
| 1 | Client Username | cs-username | The user account making the request. A question mark (?) indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous. |
| 2 | Client Agent | c-agent | The name and version of the client application sent in the HTTP User-Agent header. When Forefront TMG is actively caching, this field is set to Forefront TMG. |
| 3 | Authenticated Client | sc-authenticated | Indicates whether the client has been authenticated with the Forefront TMG computer. Possible values are Y and N. |
| 4 | Log Date | date | The date on which the logged event occurred. In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 5 | Log Time | time | The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant SQL Server databases, this time is in Coordinated Universal Time (UTC). In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 6 | Service | s-svcname | The type of service that logged this record. This may be Proxy or Reverse Proxy. |
| 7 | Server Name | s-computername | The name of the Forefront TMG server. |
| 8 | Referring Server | cs-referred | Reserved for future use. |
| 9 | Destination Host Name | r-host | The domain name for the remote computer that provides service to the current request. A hyphen (-) in this field may indicate that an object was retrieved from the local cache and not from the destination. |
| 10 | Destination IP | r-ip | The network IP address of the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was sourced from the local cache and not from the destination. One exception is negative caching. In that case, this field contains a destination IP address for which a negative cached object was returned. |
| 11 | Destination Port | r-port | The port number on the target computer that provides service to the current connection. |
| 12 | Processing Time | time-taken | The total time, in milliseconds, that Forefront TMG took to process the current request. It measures the time elapsed from the time when the server first receives the request to the time when final processing occurs on the server—when results are returned to the client. For cache requests that are processed through Web Proxy filter, the processing time measures the elapsed server time needed to fully process a client request and return an object to the client. |
| 13 | Bytes Received | cs-bytes | The number of bytes sent from the remote computer and received by the client during the current request. A hyphen (-), or a zero (0) in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 14 | Bytes Sent | sc-bytes | The number of bytes sent from the client to the remote computer during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer. |
| 15 | Protocol | cs-protocol | The application protocol used for the connection. Common values are HTTP, HTTPS, and FTP. |
| 16 | Transport | cs-transport | The transport protocol used for the connection. This is always TCP for Web requests. |
| 17 | HTTP Method | s-operation | The HTTP method used. Common values are GET, PUT, POST, and HEAD. |
| 18 | URL | cs-uri | The URL requested. |
| 19 | MIME Type | cs-mime-type | The MIME type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined for the current object. |
| 20 | Object Source | s-object-source | The type of source that was used to retrieve the current object. A table of some possible values is provided in Web proxy object source log values. |
| 21 | HTTP Status Code | sc-status | A Windows (Win32®) error code (for values less than 100), an HTTP status code (for values between 100 and 1,000), a Winsock error code (for values between 10,004 and 11,031), or a Forefront TMG error code. A table of some possible values is provided in Result code log values. |
| 22 | Cache Information | s-cache-info | A number reflecting the cache status of the object, which indicates the reasons why the object was or was not cached. The number logged is the sum of the values for all the conditions that are met. A table of the possible values is provided in Web proxy cache log values. |
| 23 | Rule | rule | The rule that either allowed or denied access to the request, as follows: If an outgoing request was allowed, this field indicates the access rule that allowed the request. If an outgoing request was denied by a policy rule, this field indicates the access rule that blocked the request. If an incoming request was denied by a policy rule, this field indicates the Web publishing or server publishing rule that denied the request. If Forefront TMG denied the connection for any reason other than a policy rule (for example due to an intrusion attempt or exceeding a flood resiliency threshold) this field contains a hyphen (-), and the Result Code field (bit 21) indicates the reason. |
| 24 | Filter Information | FilterInfo | Information supplied by a Web filter. For example, if HTTP Filter rejected a request, this field contains the reason for the rejection. |
| 25 | Source Network | cs-Network | The network from which the request originated. |
| 26 | Destination Network | sc-Network | The network for which the request was destined. |
| 27 | Error information | error-info | A 32-bit bitmask that provides additional information about the request that can help identify the source of the error if an error occurred. A table of the possible bit fields is provided in Web proxy error log values. |
| 28 | Action | action | The action performed by the Microsoft Firewall Service for the current session or connection. The possible values are defined in the FpcAction enumerated type. |
| 29 | GMT Log Time | GmtLogTime | The date and time in Coordinated Universal Time (UTC) when the log entry was made. |
| 30 | Authentication Server | AuthenticationServer | The name of the authentication server. |
| 31 | NIS Scan Result | NIS scan result | The result of NIS scanning of the traffic or the connection (inspected/detected/blocked). |
| 32 | NIS Signature | NIS signature | The NIS signature detected that resulted in the traffic being blocked. |
| 33 | Threat Name | ThreatName | The string describing the threat. |
| 34 | Malware Inspection Action | MalwareInspectionAction | Describes the action performed on the inspection content. Possible values are Allowed, Cleaned or Blocked. |
| 35 | Malware Inspection Result | MalwareInspectionActionResult | Describes the outcome of the malware inspection process. Possible values include: No Violation Detected; Low and Medium Level Threats Not Blocked; Infected File; Suspicious File; Encrypted File; Maximum Archive Nesting Exceeded; Maximum Size Exceeded; Maximum Unpacked File Size Exceeded; Unknown Encoding; Corrupted File; Time Out; Storage Space Limit Exceeded; Unknown; Malware Inspection Disabled; Malware Inspection Disabled for the Matching Policy Rule; Malware Inspection Disabled for the Matching Web Chaining Rule; Destination Included in Malware Inspection Exceptions List; Response Originated from Proxy Server; Request Served by Malware Inspection Web Filter; Request/Response Pair Identified as Exempted Protocol Message; Response Identified as a 200 Response to a CONNECT Request; Response Scanned Before Being Routed by CARP (this is not relevant for Forefront TMG in the Essential Business Server scenario). |
| 36 | URL Category | UrlCategory | Specifies the URL category that is assigned to the requested URL. |
| 37 | Content Delivery Method | MalwareInspectionContentDeliveryMethod | Specifies whether users were informed by trickling partial content, or progress notifications. |
| 38 | UAG Array Id | UAG Array ID | The array name of the message's array context. |
| 39 | UAG Version | Not in use. | |
| 40 | UAG Module Id | UAG module name | The name of the module that produced the message. |
| 41 | UAG Id | Not in use. | |
| 42 | UAG Severity | UAG message severity | The message severity (Error, Warning, Information, Notice). |
| 43 | UAG Type | Type of message | The type of the message (Security, Application, System, Session). |
| 44 | UAG Event Name | Not in use. | |
| 45 | UAG Session Id | UAG session ID | The ID of the session which is the context of the message. |
| 46 | UAG Trunk Name | UAG trunk name | The name of the trunk which is the context of the message. |
| 47 | UAG Service Name | UAG service name | The name of the UAG service that generated the message. |
| 48 | UAG Error Code | UAG message ID | Specifies the UAG message ID. |
| 49 | Malware Inspection Duration (msec) | MalwareInspectionDuration | Specifies the inspection duration in milliseconds. If content is not inspected, 0 is shown. Inspected content shows a minimum value of 1. |
| 50 | Threat Level | MalwareInspectionThreatLevel | Shows the threat level. Possible values include: Low; Medium; High; Severe. |
| 51 | Internal Service Info Log Fields | internal-service-info | Internal |
| 52 | NIS Application Protocol | NIS application protocol | The application protocol in which NIS detected the signature. |
| 53 | NAT Address | NAT Address | Public IP address used as a source IP for outbound traffic. |
| 54 | URL Categorization Reason | UrlCategorizationReason | The reason for the URL categorizations. Possible values include: For successful categorizations: From overrides; From cache; From Web service. For unknown: Feature disabled; Not in database; Connection error; Web service down; License expired. |
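
The status ranges given for bit 21 (sc-status) and the hyphen convention for the Rule field (bit 23) combine into a simple triage pass over a W3C log. This is an added example, not part of the original post or of Microsoft's tooling; it assumes a tab-separated log with a `#Fields:` directive, and the sample records are constructed.

```python
# Added example: classify sc-status and find denials that no policy rule explains.
# Assumption: tab-separated W3C log whose columns are named by a "#Fields:" line.
TMG_CODES = {  # a few rows copied from the result code table; extend as needed
    12202: "TMG denied the specified URL",
    12217: "Request rejected by the HTTP filter",
    12219: "HTTP requests per minute exceeded the configured limit",
    12234: "Traffic blocked by IPS",
}

def classify_status(code):
    """Map sc-status to a code family using the ranges stated for bit 21."""
    if code < 100:
        return "win32"
    if code <= 1000:
        return "http"
    if 10004 <= code <= 11031:
        return "winsock"
    return "tmg"  # anything else is treated as a Forefront TMG error code

def parse_w3c(lines):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def non_policy_denials(records):
    """Records with a TMG error code and '-' in rule: denied outside policy rules."""
    hits = []
    for rec in records:
        status = rec.get("sc-status", "")
        if status.isdigit() and rec.get("rule") == "-":
            code = int(status)
            if classify_status(code) == "tmg":
                hits.append((rec.get("c-ip", "-"), code, TMG_CODES.get(code, "see table")))
    return hits

SAMPLE = [  # constructed records, not taken from a real log
    "#Fields: c-ip\tcs-username\tr-host\tsc-status\trule",
    "10.0.0.5\tanonymous\texample.com\t200\tAllow Web",
    "10.0.0.7\tCORP\\alice\tblocked.example\t12202\tDeny Social",
    "10.0.0.9\tanonymous\t-\t12219\t-",
    "10.0.0.9\tanonymous\thost.example\t10060\tAllow Web",
    "10.0.0.11\t?\tx.example\t12234\t-",
]
```

The 12202 record is left out of the result because its Rule field names the policy rule that denied it; only the flood-limit and IPS records carry a hyphen there.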