RE: monitoring users web activity using ISA 2004



Hello Gary,

Thank you for posting here. Let's also thank John and Allan for the
3rd-party tools.

According to your description, I understand that the ISA report displays the
IP address but not the computer name for Internet access. If I have
misunderstood the problem, please don't hesitate to let me know.

First, I want to explain that to achieve your goal on built-in SBS, the
configuration steps are a little complex; maybe the 3rd-party tool will help
you more.

Before we go further, we need to run CEICW to verify the ISA server has
correct allow rules for Internet access:

Go through the following KB and rerun CEICW carefully.

How to configure Internet access in Windows Small Business Server 2003
http://support.microsoft.com/kb/825763/en-us

The CEICW will create the SBS Internet Access rule for all client computers.
We can move the "SBS Internet Access" rule to the top of the other policies.

Then, install the ISA Firewall Client on the workstations, which you have
already done.

To resolve this issue, I want to explain how the ISA report works first:

The Weblogging service receives the IP addresses of the source and
destination of every Internet connection from ISA/RAS. It saves the IP
addresses and time stamp in the WebEvt.log file in "%windows%\temp". When the
scheduled report time (by default it's 4:30 AM every day) comes, a reverse DNS
look-up is done on the source IP address to find the name of the machine. An
entry containing the source IP, destination IP, source machine name (if
available through reverse DNS look-up) and time of the connection will be
added to the MSDE database, then the webevt.log is deleted. If the reverse
DNS look-up is successful, the machine name will show in the report,
otherwise the IP address will show. The IP address is always in the
database.

You can confirm whether the DNS server can do a reverse DNS look-up of an
individual IP using the following 2 methods:

Method 1:
1. Click Start on SBS, click Run, type "dnsmgmt.msc" and click OK.

2. Expand your server\Reverse Lookup Zones\<your local subnet>.Subnet.

3. Can you see the PTR record for the unresolved IP address? If not, please
add a PTR record for this IP address.

Pointer (PTR) - For mapping a reverse DNS domain name based on the IP
address of a computer that points to the forward DNS domain name of that
computer.

PTR records are used to support the reverse lookup process, based on zones
created and rooted in the in-addr.arpa domain. These records are used to
locate a computer by its IP address and resolve this information to the DNS
domain name for that computer.

PTR RRs can be added to a zone in several ways:

- You can manually create a PTR RR for a static TCP/IP client computer
using the DNS, either as a separate procedure or as part of the procedure
for creating an A RR.

- Computers use the DHCP Client service to dynamically register and update
their PTR RR in DNS when an IP configuration change occurs.

- All other DHCP-enabled client computers can have their PTR RRs registered
and updated by the DHCP server if they obtain their IP lease from a
qualified server. The Windows 2000 and Windows Server 2003 DHCP Server
service provides this capability.

The pointer (PTR) resource record is used only in reverse lookup zones to
support reverse lookup.

Example:
2.16.168.192.in-addr.arpa PTR sbs2k3pre.woody.local

Method 2:
1. On SBS, run the nslookup command at the command line.

2. Then input the unresolved IP address and press Enter.

3. Can you get the computer name of this IP?

Please also perform the following steps so that DNS can update PTR records
automatically:

In dnsmgmt, right-click <your local subnet>.Subnet and click Properties. On
General tab, in "Dynamic updates" please select "Nonsecure and secure".
Click Aging button, do not tick "Scavenge stale resource records".

Then monitor for one day (waiting for auto update).

Additionally, I suggest you download and install ISA Server 2004 SP3 on your
SBS:

Microsoft® Internet Security and Acceleration (ISA) Server 2004 Standard
Edition Service Pack 3
http://www.microsoft.com/downloads/details.aspx?familyid=A05A074A-5033-4792-AF8B-58B90D841436&displaylang=en

ISA Server 2004 Service Pack 3
http://www.microsoft.com/technet/isa/2004/sp3.mspx

I hope these steps will give you some help.

Thanks and have a nice day!

Happy New Year!

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security


This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Gary D" <gary@xxxxxxxxxxxxxxxx>
| Subject: monitoring users web activity using ISA 2004
| Date: Wed, 2 Jan 2008 13:36:08 -0000
|
| I have used the embedded reports in ISA 2004 which give me pretty
| meaningless graphs.
| Is it possible to use ISA2004 reporting to show me which users (not IP
| addresses) are accessing which web sites and when?
|
| Thanks in advance
| GD
|
|
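
The reverse-lookup check from Methods 1 and 2, run over a list of client IPs, as an added example that is not part of the original post: it also forward-confirms each PTR name, because a PTR left behind by an old DHCP lease makes the report name the wrong machine. The sample zones, the `ws07` host and all function names are constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample data standing in for the SBS DNS zones (not real records).
SAMPLE_PTR = {"192.168.16.2": "sbs2k3pre.woody.local",
              "192.168.16.31": "ws07.woody.local"}
SAMPLE_A = {"sbs2k3pre.woody.local": {"192.168.16.2"},
            "ws07.woody.local": {"192.168.16.45"}}  # PTR left behind by an old lease

def ptr_name(ip):
    """Owner name of the PTR record for an address, e.g. 2.16.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def dns_reverse(ip):
    """Live reverse lookup; None when no PTR record resolves."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def dns_forward(name):
    """Live forward lookup; set of IPv4 addresses the name resolves to."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def audit(ips, reverse=dns_reverse, forward=dns_forward):
    """Classify each client IP by how it will be labelled in the report."""
    rows = []
    for ip in ips:
        name = reverse(ip)
        if name is None:
            status = "NO_PTR"      # report falls back to the bare IP address
        elif ip in forward(name):
            status = "OK"          # PTR and A record agree
        else:
            status = "MISMATCH"    # name shown, but it belongs to another address
        rows.append((ip, ptr_name(ip), name, status))
    return rows

def sample_audit():
    """Run the audit offline against the constructed sample zones."""
    ips = ["192.168.16.2", "192.168.16.20", "192.168.16.31"]
    return audit(ips, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, set()))

if __name__ == "__main__":
    for row in sample_audit():
        print("%-15s %-28s %-24s %s" % row)
```

Calling `audit()` with only a list of IPs uses the live resolver of the machine it runs on, so run it on the SBS server to see what the report job will see.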