Configuring alert actions

For each alert definition, you can specify the actions that should occur when the alert is triggered.

Viewing and configuring alert definition actions

View and modify alert actions as follows:

1. In the Forefront TMG console tree, click** Monitoring**.
2. In the details pane, click the Alerts tab.
3. On the Tasks pane, click Configure Alert Definitions.
4. In the Alert Definitions list, select the alert you want to modify, and then click Edit.
5. On the Actions tab, configure the alert action. You can define alerts to perform one or more of the following actions when triggered:
   • Send an e-mail message.
   • Run a program.
   • Log the event in the Windows event log. By default, this is enabled for all alerts.
   • Stop or start the Microsoft Firewall service or Scheduled Content Download service.

Alert action for sending an e-mail message

You specify the following settings when configuring an alert to send an e-mail message when it is triggered:

• Name of the SMTP server. Note the following:
  • If you specify an SMTP server located on the Internal network, you must enable the system policy rule to allow this traffic. To do this, in the Remote Monitoring configuration group of the System Policy Editor, select SMTP, and then click Enable. This enables the "Allow SMTP protocol from firewall to trusted servers" system policy rule.
  • If you specify an SMTP server located on the External network, you must create an access rule that allows the Local Host network to access the External network (or the network on which the SMTP server is located), using SMTP.
• E-mail address of sender.
• E-mail addresses of recipients.

Alert action for running a program

You can specify the following settings when configuring an alert to run a program when it is triggered:

• Path location of the program.
• Parameters required for running the program.
• Credentials for running the program.

Note the following:

• Use the Local Security Policy to configure user privileges.
• If you specify an alert to run a program, the program path specified must exist on the Microsoft Forefront Threat Management Gateway computer, and we recommend that you use an environment variable (such as %SystemDrive%) within the path name.
• Be sure that the specified user has Logon as batch job privileges.
• Do not specify an interactive program that requires user input.

The new alert will appear in the list of alert definitions.

Configuring actions for Alert Action Failure alert

Although the Alert Action Failure alert can be configured, we recommend that you do not edit properties for this alert. If the action for this alert fails, the failure is not registered anywhere, and troubleshooting will be difficult.

If you encounter this alert, check the event log for action failures. Check the event message associated with the failure and the previous events issued before the action failure event. They may provide additional information about which action failed.