Re: RWW Timing

Hi Martin,

Thanks for your update. I am glad to know that information is useful to
you-).

Yes, you are right. If you have installed ISA, you can clearly find access
records in web proxy log. It locates under folder:

C:\Program Files\Microsoft ISA Server\ISALogs

*Note: the web proxy can only record traffic from external network.

To enable the full Web Proxy/firewall logging option, you can refer to the
following steps:
a. Open ISA 2004 management console.
b. Expand the server node and highlight ''Monitoring''.
c. In the right pane, switch to the ''Logging'' tab, make sure the ''Task
Pane'' is showed there.
d. In the ''Task Pane'', click ''Configure Web Proxy Logging'' under
''Logging Tasks'', and then switch the ''log storage format'' from ''MSDE
database'' (default) to ''File''.
e. Switch to the ''Fields'' tab, and then click ''Select All''.
f. Click OK, and then click ''Apply'' to save changes and update the
configuration.
g. Click ''Configure Firewall Logging''. Do step d~f to enable the full
logging options for firewall logging.

According to access port, we can identify where the traffic comes.
Generally there are some predefined ports to allow some specific traffic, I
list some for your reference, hope it helps!

TCP port Definition
25 Email (SMTP)
80 required for HTTP
requests for your site
443 required for HTTPS
requests using SSL, which secures communications from your server and a Web
browser
444 Companyweb
4125 Remote Web Workplace
1723 (plus GRE Protocol 47) VPN
3389 Terminal Services
21 FTP

To apply SBS 2003 SP1, I would like to suggest you refer to the following
link to process:

http://www.smallbizserver.net/Default.aspx?PageContentID=359&tabid=236

In the following website you can find many useful resources related to SBS
SP1:
http://www.smallbizserver.net/Default.aspx?PageContentID=53&tabid=236

The website includes: What is SP1 for SBS 2003 and what you need to know |
Standard install step-by-step | Premium install step-by-step | Things to do
after the upgrade | Errors that can occur after the upgrade

Hope above information helps! I am happy to be an assistance of you!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>From: "Martin Hazell" <martin.hazell@xxxxxxxxxxxxxxx>
>References: <uzN0RN37FHA.3804@xxxxxxxxxxxxxxxxxxxx>
<eM#oOd37FHA.2816@xxxxxxxxxxxxxxxxxxxx>
<nK1zuH$7FHA.3764@xxxxxxxxxxxxxxxxxxxxx>
>Subject: Re: RWW Timing
>Date: Wed, 23 Nov 2005 12:33:14 -0000
>Lines: 194
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>X-RFC2646: Format=Flowed; Original
>Message-ID: <uMHudoC8FHA.2036@xxxxxxxxxxxxxxxxxxxx>
>Newsgroups: microsoft.public.windows.server.sbs
>NNTP-Posting-Host: host213.137.3.112.manx.net 213.137.3.112
>Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
>Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:224937
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>
>Hi Jenny,
>
>Thank you for the detailed response.
>
>It has certainly helped my understanding, but I was wondering if there was
a
>way of extracting the information from the ISA logs easily. We are
>currently using ISA 2000, but we will be shortly upgrading to 2004.
>
>Many thanks
>
>Martin
>
>""Jenny wu [MSFT]"" <v-yanniw@xxxxxxxxxxxxxxxxxxxx> wrote in message
>news:nK1zuH$7FHA.3764@xxxxxxxxxxxxxxxxxxxxxxxx
>> Hi Martin,
>>
>> Thanks for using the SBS newsgroup!
>>
>> For your description, I understand that you want to monitor when and how
>> long clients logon to the server through RWW site. If I am off base,
>> please
>> don't hesitate to let me know.
>>
>> First I would like to explain how RWW works when a remote client connects
>> to an internal Windows XP or Terminal Server computer. The following is
>> the
>> process:
>>
>> 1. User navigates to the Computer Selection page of the Remote User
Portal
>> in a web browser, and is prompted to download the stanard Terminal
>> Services
>> ActiveX Component, if necessary.
>>
>> 2. SBS queries the Active Directory for all internal client computers
>> running an OS that supports Remote Desktop and provides the list to the
>> user.
>>
>> 3. User selects a computer from the list and presses Connect button.
>>
>> 4. Server listens on TCP port 4125 which is already opened by firewall.
>>
>> 5. SBS creates a connection to the internal client on port 3389 which is
>> designed for TS and Remote Desktop.
>>
>> 6. The TS ActiveX Control downloaded and installed on the external client
>> creates a TS connection to the SBS server on port 4125.
>>
>> 7. SBS Server forwards the connection to the internal Remote Desktop
>> client
>> or TS server as a TS/Remote Desktop client.
>>
>> I. After understanding the RWW/Remote Desktop process, you will know that
>> after RWW traffic entered internal network, it will use terminal services
>> and do RDP process, so we can use Terminal Services Manager to monitor
>> terminal session. But it can not tell which one session from the RWW,
>> which
>> one from VPN or RDP session. To do this, you can refer to the following:
>>
>> Type 'TSadmin' in command line to open Terminal Services Manager console.
>> In the console, you can view detail information about terminal sessions.
>>
>> If one session connect to the computer shows user name and computer name,
>> the connection should be from internal computer.
>> If one session connect to the computer shows user name but not the
>> computer
>> name, the connection should be from external computer.
>>
>> II. If you want to monitor which users have logon to the server when it
>> run. You can check this information in Event Viewer.
>>
>> Start -> Administrator Tools ->Event Viewer -> click Security in Event
>> Viewer panel.
>>
>> *Note: you need enable 'Audit account logon Events' group policy. By
>> default the group policy is enabled.
>>
>> III. You can also monitor them from IIS log. Please follow below steps to
>> enable IIS log and check it:
>>
>> a. Open IIS MMC, right click Default Web Site and then click Properties.
>> b. Click Website tab and then check Enable logging.
>> c. Stop the Default Website and rename the existing IIS log files under
>> C:\WINDOWS\system32\LogFiles.
>> d. Restart the Default Website.
>>
>> However I would like to provide more information to monitor online
>> connection sessions:
>>
>> I. If you want to monitor which users are accessing shared resource, you
>> can check the following information.
>>
>> Server Management | Advanced Management | Computer Management | System
>> Tools | Shared Folders.
>> You click the sessions and open files item to view which users from which
>> computer are accessing which information.
>>
>> II. If you want to monitor which users are accessing the server included
>> remote desktop connection, you can check information in Task Manager
>> Console.
>>
>> Method 1:
>> Right-click Taskbar in the bottom of the screen and click Task Manager to
>> open Task Manager Console. And then you click Users tab to view
>> information.
>>
>> Method 2:
>> Type 'TSadmin' in command line to open Terminal Services Manager console.
>> In the console, you can view detail information about terminal sessions.
>>
>> Hope above information helps! If you have any further concern or question
>> about the issue, please feel free to let me know. I am looking forward to
>> you!
>>
>> Have a nice day!
>>
>> Sincerely,
>>
>> Jenny Wu
>> Microsoft CSS Online Newsgroup Support
>> Get Secure! - www.microsoft.com/security
>> ======================================================
>> This newsgroup only focuses on SBS technical issues. If you have issues
>> regarding other Microsoft products, you'd better post in the
corresponding
>> newsgroups so that they can be resolved in an efficient and timely
manner.
>> You can locate the newsgroup here:
>> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>>
>> When opening a new thread via the web interface, we recommend you check
>> the
>> "Notify me of replies" box to receive e-mail notifications when there are
>> any updates in your thread. When responding to posts via your newsreader,
>> please "Reply to Group" so that others may learn and benefit from your
>> issue.
>>
>> Microsoft engineers can only focus on one issue per thread. Although we
>> provide other information for your reference, we recommend you post
>> different incidents in different threads to keep the thread clean. In
>> doing
>> so, it will ensure your issues are resolved in a timely manner.
>>
>> For urgent issues, you may want to contact Microsoft CSS directly. Please
>> check http://support.microsoft.com for regional support phone numbers.
>>
>> Any input or comments in this thread are highly appreciated.
>> ======================================================
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> --------------------
>>>From: "Frank McCallister SBS MVP" <anonymous>
>>>References: <uzN0RN37FHA.3804@xxxxxxxxxxxxxxxxxxxx>
>>>Subject: Re: RWW Timing
>>>Date: Tue, 22 Nov 2005 09:13:31 -0600
>>>Lines: 23
>>>X-Priority: 3
>>>X-MSMail-Priority: Normal
>>>X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
>>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
>>>X-RFC2646: Format=Flowed; Response
>>>Message-ID: <eM#oOd37FHA.2816@xxxxxxxxxxxxxxxxxxxx>
>>>Newsgroups: microsoft.public.windows.server.sbs
>>>NNTP-Posting-Host: adsl-068-209-195-008.sip.pns.bellsouth.net
68.209.195.8
>>>Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
>>>Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:224619
>>>X-Tomcat-NG: microsoft.public.windows.server.sbs
>>>
>>>Do you have ISA installed?
>>>
>>>--
>>>Frank McCallister SBS MVP
>>>COMPUMAC
>>>"Martin Hazell" <martin.hazell@xxxxxxxxxxxxxxx> wrote in message
>>>news:uzN0RN37FHA.3804@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Does anybody know of an easy programme of monitoring when users log
into
>>>> and out of RWW? Quite a few of our users will ocaasionally log in from
>>>> home of an evening time, but would like to know when they are doing
it,
>>>> and for how long? Ideally, there should be a log file produced with
the
>>>> following columns: username, date/time logged in, date/time logged out.
>>>>
>>>> I am aware that you can see the average session length and who has been
>>>> into the server through Server Managment, Reporting and Monitoring, but
>> it
>>>> doesn't give enough detail for what I would like to do.
>>>>
>>>> Many thanks in advance
>>>>
>>>> Martin
>>>>
>>>
>>>
>>>
>>
>
>
>

.