TrentSlater

Need Proxy Server Software to log internet activity for terminal services clients.

Need a proxy server program (preferably cheap or FREE!) to log internet access by username. Our network setup is as follows. Domain Controller and Mail Server is an SBS 2003 box. The Terminal server box is Windows Server 2003. Clients are all thin clients and log into the TS box for Internet, email etc. All my client wants to do at this stage is generate a report on a weekly basis which shows the sites that have been visited per user (not IP address, as this would result in just the TS box IP being reported). The program would need to have NT authentication so that users were not prompted to authenticate when trying to access sites. No site restriction is required at this stage.

Any help appreciated.
Andrew Davis

Software 602 Lan suite will do this.
http://www.software602.com/
It has a lot of other features built into it but you can enable just the proxy if that is all you wish to use.
I am using it on an SBS 2003 server that has a standard 2003 server running terminal services, with a mixture of fat clients, HP thin clients, Wyse thin clients. It does the trick well.

I think ISA Server would do a much better job. Besides, it was designed to do that.
Why don't you use it?
vico1
TrentSlater

ASKER

Regarding ISA - we tried that and had several issues. Unless the firewall client is loaded on the TS box, the ISA web logging is purely IP address. (useless for a Thin Client network). The other issue was that once we installed the FW client on the TS box, an internal accounting application (web based) hosted on the server could not be accessed. We tried several workarounds but eventually we had to uninstall the FW client to allow access to this package.
The firewall Client must be installed in order for you to have a very good report.
And it is not running on the client, it is running on the server, so regardless of the thin client that you are running they are accessing the desktop on the term server.
Now, as far as your accounting program, what makes you think that you are not going to have the same issue with another firewall?
I think that you gave up because of a configuration complication. If you configure ISA properly and apply all the patches you should be able to make your program work.
You must know what port and protocol the program requires for it to work.
If you know that, we can help you with the configuration.
I don't believe that you would want to spend more money when you already have one of the most powerful proxy software.
Good Luck!
Don't forget that you can hide the ISA Icon so users don't see it.
http://www.isaserver.org/tutorials/Automating_the_Configuration_of_the_Firewall_Client_Part_1.html
Vico1
I understand your thoughts and you are correct regarding our ISA issues. My customer's support for the accounting package was very minimal so we were unable to establish the port number. Is there a way to establish this from the ISA logs? The other issue we experienced with ISA was that even though the firewall client was running, the ISA log still showed a majority of "anonymous" entries, rather than actual user names. This information is not good to show management!!! I am happy to revisit the ISA scenario but the blocked internal website is a major issue. Can this port be determined from ISA logs?

I am certainly willing to concede that ISA is the better product (I haven't used it, and my knowledge on MS proxy is that I did my MCSE with proxy2).
But when I looked into ISA I believe I found that whilst it works well as a proxy it lacked the ability to do content filtering with the exception of basic filtering (blocking an IP).
As I believe the original question of only monitoring user access without restriction, the natural progression is the ability to limit access to certain staff (possibly groups of users). And the ability to limit them from categorised sites, e.g. shopping, gambling, sex, etc.
My belief was that ISA cannot do this. You must know the IP of the site you wish to block and enter that manually. This is obviously no good for content filtering. Vico, can you expand on this?

Hi Experts - I am back now.

I have re-enabled the ISA firewall client and all appears to be working OK, including the internal site but the ISA logs are not populating. What is the time frame for the log to populate when a user accesses a site? Why would the logs be empty?
Keith Alabaster
Afternoon Trent - got your message.

Just to add a couple of items here to the conversation.

ISA is a full blown layer 3 firewall/layer 7 application gateway. There are not many scenarios (actually can't think of any) that it cannot log/block/allow against.
Although you have deployed the ISA firewall client, have you configured the client settings to ignore for the local domains (for your local app)?

configure - networks - internal (properties) - firewall client. in here you can set the domains that the firewall client will effectively ignore. One would assume you have added your local domain here?

How are the users getting to the app? ie Is this a published application or do they log on to the ts box then fire up a client/ie browser?

On the box hosting the service, from the cmd prompt, type in netstat -an - this should show you the IPs and ports that are in a listening state. If you stop the application's service and rerun, the port will disappear from the list.
You should also see the access attempts from the realtime monitor (monitoring - logging - click start query)

To be honest, it sounds like two issues
1. Sort the logging out.
2. Allow the accounting app to run.
Maybe we need to break the required activities accordingly. For example, get the logging to work then adjust to allow the app to run successfully.

Keith
ISA MVP
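
The stop-the-service-and-rerun comparison described above, automated as an added example (not part of the original thread): it parses two saved `netstat -an` captures and returns the listeners that vanished. The captures, addresses and port 8085 are constructed sample data.

```python
import re

# Constructed `netstat -an` captures from the application host:
# BEFORE = service running, AFTER = service stopped. Values are made up.
BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8085           0.0.0.0:0              LISTENING
  TCP    192.168.16.2:8085      192.168.16.10:1188     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

# Proto, local address:port, foreign address, optional state (UDP has none).
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listeners(text):
    """Return {(proto, local_addr, port)} for listening/bound sockets."""
    found = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established sessions are not listeners
        found.add((proto, addr, int(port)))
    return found

def service_ports(before, after):
    """Listeners present while the service ran and gone once it stopped."""
    return sorted(listeners(before) - listeners(after))

if __name__ == "__main__":
    for proto, addr, port in service_ports(BEFORE, AFTER):
        print(f"{proto} {addr}:{port} belongs to the stopped service")
```
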




Hi Keith

Thanks for the input.
Number 2 on your list is actually sorted - i.e. access to the application is working. It is a browser based app that the users access after logging into the TS box. So it is only the logging part that I need to sort out.

With regards to the firewall client ignoring the local domain - I cannot find this setting. When I go configure - networks - internal (properties) - firewall client all I get is an option to set ISA server name and/or IP address. There is nowhere to ignore domains. I have ISA 2000 - is this a feature of 2004 and above?

Also I cannot access the real time logging as all I see under Monitoring is Alerts, Services, Sessions and Reports.

When I check the ISAlog files in the program folder the last log entry is about 2 weeks ago.

Cheers,
Trent
Hi again experts.

I have just found that even though the FW Client was installed and updated OK, IE was not set to use the ISA server. I made a proxy setting change in GP and now the logging is working OK and the sessions are updating realtime in ISA - shouldn't the FW client setup take care of this? What else am I missing? How do I stop clients from turning off the FW client?

ps - sorry this question is heading in all different directions!!

Trent
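
Once usernames reach the proxy log, the weekly per-user site report asked for in the question can be built from the log file, and the share of "anonymous" entries checked at the same time. This is an added example, not part of the original thread; it assumes a tab-separated W3C extended log with a `#Fields:` header and the field names `cs-username` and `r-host`, and the sample lines are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample in W3C extended log layout (tab-separated).
# Field names are assumptions; check the #Fields line of your own log.
# Every request shows the same c-ip: the terminal server.
SAMPLE_LOG = "\n".join([
    "#Software: (constructed sample)",
    "#Fields: c-ip\tcs-username\tdate\ttime\tr-host",
    "192.168.16.5\tCORP\\alice\t2006-03-06\t09:01:12\twww.example.com",
    "192.168.16.5\tCORP\\alice\t2006-03-06\t09:02:40\twww.example.com",
    "192.168.16.5\tCORP\\alice\t2006-03-07\t14:10:03\twww.example.org",
    "192.168.16.5\tCORP\\bob\t2006-03-07\t14:11:55\twww.example.net",
    "192.168.16.5\tanonymous\t2006-03-08\t08:30:00\twww.example.com",
])

def per_user_sites(log_text, user_field="cs-username", host_field="r-host"):
    """Return {user: Counter({host: hits})} from a W3C extended log."""
    fields = []
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order comes from the log itself, not from this script.
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line or line.startswith("#") or not fields:
            continue  # other directives, blanks, or data before a header
        row = dict(zip(fields, line.split("\t")))
        user = row.get(user_field, "-").lower()
        if user in ("", "-"):
            user = "anonymous"  # unauthenticated request
        report[user][row.get(host_field, "-").lower()] += 1
    return report

def anonymous_share(report):
    """Fraction of requests with no username; high means auth is not enforced."""
    total = sum(sum(hosts.values()) for hosts in report.values())
    anon = sum(report.get("anonymous", Counter()).values())
    return anon / total if total else 0.0

if __name__ == "__main__":
    rep = per_user_sites(SAMPLE_LOG)
    for user in sorted(rep):
        for host, hits in rep[user].most_common():
            print(f"{user}\t{host}\t{hits}")
    print(f"anonymous share: {anonymous_share(rep):.0%}")
```
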
ASKER CERTIFIED SOLUTION
Keith Alabaster
Quick pointer here and sorry if you have already mentioned it but what version of ISA are you? ISA2000 or 2004?
SOLUTION
My point exactly :)
Thank you both for the comments - I am running ISA 2000 so I will certainly look at upgrading to 2004.
Keith - the FW client notes make sense now regarding gateway and logging.

Cheers,
Trent
Welcome -:) and thanks

Cheers
Keith
ISA MVP