In the Forefront TMG Management console tree, click the Monitoring node. Then click the Sessions tab.

In the details pane, select a session (where a session is the unique combination of a client's IP address and user name). The following information is displayed for each session:

• Activation—Date and time the session began.
  
  
• Server name—The name of the Forefront TMG firewall.
  
  
• Session type—You can monitor connections from the following Forefront TMG clients: Forefront TMG Client, SecureNAT, virtual private network (VPN) client, VPN site-to-site, and Web Proxy.
  
  
• Client IP—The source IP address of the client.
  
  
• Source network—The network from which the session originated.
  
  
• Client username—The client authenticated by Forefront TMG when authentication is required.
  
  
• Client host name—For Forefront TMG Clients.
  
  
• Application name—For Forefront TMG Clients. This field is not displayed by default.
  
  

To disconnect a session, select the session entry, and then click Disconnect Session in the Tasks tab. Disconnecting sessions does not prevent clients from creating new sessions. To do this, you must create access rules specifically denying access to the specific clients.

Note the following:

• A summary of sessions for each client type is displayed on the Dashboard tab.
  
  
• Web proxy client sessions have a corresponding SecureNAT client session. For all Web proxy client sessions from a particular computer, there is one SecureNAT session.
  
  
• Forefront TMG Client sessions have a corresponding SecureNAT client session. For each computer with Forefront TMG Client installed, there is a SecureNAT session in addition to a Forefront TMG Client session. If a Forefront TMG Client computer has an application running as a Web proxy client, only one SecureNAT client session is shown.
  
  
• A connection between two computers through Forefront TMG can only belong to one session. When a server is published using server publishing, a session is shown between the published server and the Forefront TMG computer. Client connections to the published server are associated with this session and do not appear as separate sessions.
  
  
• When authentication is not required, all traffic from the same IP address is considered to be a single session. For example, a Web browser opening more than one TCP connection to the same IP address is considered to be a single session.
  
  
• Web proxy client sessions indicate the last minute of Web browser activity, even if the client is not currently browsing.
  
  

In the Forefront TMG Management console tree, click the Monitoring node. Then click the Sessions tab.

Manage session monitoring as follows:

• To stop monitoring all sessions, click Stop Monitoring Sessions in the Tasks tab. When you stop session monitoring, Forefront TMG loses all information about any sessions that have been monitored.
  
  
• To restart monitoring all sessions, click Start Monitoring Sessions in the Tasks tab. When you restart monitoring Forefront TMG starts collecting information about active sessions.
  
  
• To pause session monitoring, click Pause Monitoring Sessions in the Tasks tab. Sessions displayed are not removed, but new sessions are not added.
  
  
• To resume session monitoring, click Resume Monitoring Sessions in the Tasks tab.
  
  

In the Forefront TMG Management console tree, click the Monitoring node. Then click the Sessions tab.

On the Tasks tab, click Edit Filter.

In the Edit Filter dialog box, specify a filter criteria, condition, and value. For example, you can select to filter by Client IP with the condition Equals, and then specify the IP address of the client as a value. This allows you to filter sessions for a specific client computer.

To save the session filter, click Save Filter.

To load an existing filter, click Load Filter.

Click Start Query to start session monitoring sessions that match the specified filter. The filter expressions are combined using the logical AND operations. Only data for sessions that match all the expressions is displayed.