Realtime Top bandwidth User ISA2006/Websense 7.0

The Summary Reports from ISA will show you the top users.  That is the best you will get with ISA.  The measurments, by nature, are a measurment of something after it happened.  A file transfer for example,...which contray to popular opinion, is the largest bandwith "hog", only shows a log entry when it begins,...there is nothing "log-able" during the transfer.  Then it will show the connection being closed when finished.  After it has finished the size of the file is known.  

So there isn't much availble to help with live activity.  I have seen meters to show the bandwidth on a line being used,..but it was only the total amount of mbps running over the wire,...there was no way to determine the user or anything else above the OSI Physical Layer (layer1).

I don't know anything about Websense.

Yeah, I have noticed that ISA itself doesn't offer a lot for doing this.  I was really hoping there would be some kind of report I could put together with websense that may do this.

Yes, well, like I said I don't have any knowledge of web sense, but if I were in this same position I would run an ISA report and get my "Top Users",...then when a noticable slowdown of the system occured I would physically walk around the building and see what my "top users" were doing at that moment.  ISA is not going to designate them "top users" for nothing.  they'll be you most likely suspects.  

ISA will also show the Top Web Sites,...which will hint at what the users are doing.  Most likely the Top Users and the Top Web Sites will go "hand in hand".

We have also started using OpenDNS here (www.opendns.com) .  I can go to their site and get reports generated by them.  They will show a graph of usage which may show spikes at certain times of the day along with other information.  Combine this with the ISA Reports and a little "common sense" and you can go pretty far with it,...and none of that costs anything ($$$).  Free is always good now-a-days.

Walking around the building would be nice, if there were not 14 buildings across 50 miles and a few hundred users.  We have noticed in the past, that our realtime top users when there are issues, are most likely not our average top users, but some freak thing that for example our marketing department may be doing, like updating all of their terminals at the same time.  Our top users usually still dont peg our pipe.  We want to know what freak thing is going on when our pipe does get pegged which is only once every couple weeks.

You'll have to get someone who already works in those locations to help you.  It is not expected that you can do all that in person.

Your ISP may also be of help.  It is their job to know what is happening on their lines.  If the problem is a certain web site or a certail group of web sites,...then block them (either by the ISA or OpenDNS),...when people start screaming about it,...there are your likely suspects.

There has to be a better solution then that.  There is a lot of money and other things in the products.  Does anybody else know?

Look,..ISA does not do what you want in the detail that you want it,..period.  That is not something that I don't know,...it is something that I do know.

You have WebSense7,...call them,...they are supposed to be a product just for that purpose.  I said in my first post that I don't do anything with Websense.