Terminal Server: Log external client IP address

hudsoncid
hudsoncid used Ask the Experts™
on
Greetings Gurus,

We are running remote desktop services on Windows Server 2008 R2.

I would like to log the external (WAN) IP address of clients that are connecting to the server, each time a user connects. Currently I am using the GETTSCIP tool from CTRL-ALT-DEL, as part of the user login scripts, and appending the IP address results to a text file for each user (%username%iplog.txt). The trouble is it's logging the users NAT address instead of the WAN address, rendering my tracking mostly useless.

I have searched the web for an application, or simple script function, that would help me accomplish this. Unfortunately I find the same reference to the GETTSCIP tool, or to Visual Basic scripts that are quite a bit above my comfort level. My current login script is effectively the same as an old DOS batch file, with NET USE commands, and so forth.

Can anyone suggest a tool, script, or even eventlog feature that would help me collect this date? I'd certainly appreciate any suggestions or guidance you have to offer.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
If these remote users are connecting via VPN, then and your terminal server is on the private LAN, then you have a lot of work ahead of you.

The problem there is, only your VPN server device (such as a Cisco Router or ASA appliance) has knowledge of the user's true WAN IP address. Once the VPN connection is established, and the remote user receives a VPN IP address (i.e. NAT address), all other computers/servers on the local network only see that NAT address. Only the VPN server knows the true public IP address of that user.

Author

Commented:
Thanks for the response. We are a pretty small shop, so the external users are connection using RDP clients on their PC or Macs. We don't employ any VPN technology at the current time.
Are you saying that your log is only picking up the NAT IP address of the user's PC - from their HOME network?

Maybe describe the topology a little more:

1. Is the Terminal Server behind a firewall?

2. Does the Terminal server have a "public IP address" - or only a private IP address?

3. Is there a Remote Desktop Gateway server anywhere in this equation?

4. To what, are the remote users pointing their RDP clients to?  (i.e. a public IP address or a hostname?)
How to Generate Services Revenue the Easiest Way

This Tuesday! Learn key insights about modern cyber protection services & gain practical strategies to skyrocket business:

- What it takes to build a cloud service portfolio
- How to determine which services will help your unique business grow
- Various use-cases and examples

Commented:
Hi, we have been required to log similar information on behalf of our clients and similarly accessing a RDS from remote WAN locations across the internet. Your answer is available via Event Viewer, which will have items logged so far.

Navigate to the following location from Event Viewer:

Applications and services logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational.

Here you will see all sessions that have logged on, with usernames and WAN IP addresses.

You can increase the amount of logging more than 1MB by right clicking and choosing properties. By default it should list approx 1500 - 2000 events (log on, log off, disconnects and reconnects.

This should answer your question precisely. Best of luck!

Author

Commented:
Yes, that is correct. When the login script runs it is reporting the users' NAT address on their own network, instead of the public address assigned to their firewall\device.

1: The terminal server is behind a firewall, and has been assigned a static address on our private network (192.0.168.x).
2: The terminal server has also been assigned a public static IP address
3: We are not using a remote desktop gateway, just the stand alone terminal server
4: The remote users are pointing to the host name (ts1 when they connect

Author

Commented:
@Netflo, yes that's exactly what we needed!  Thanks for your help.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial