After deploying Forefront UAG DirectAccess, you can monitor the currently active sessions to the intranet using Web Monitor, and historical sessions using Forefront Threat Management Gateway (TMG). When you have an array of Forefront UAG DirectAccess servers configured, you can display aggregated active and historical session information for all nodes in the array.
Active sessions are presented as one event for each session. With historical sessions, each session state change is written separately to the log, for example: new session created, machine name added, user name added, intranet tunnel opened.
Monitoring active DirectAccess sessions from Web Monitor
Active DirectAccess session activity can be monitored using Web Monitor.
Note: When viewing active sessions in the DirectAccess monitor:
To monitor active DirectAccess sessions from Web Monitor
- In the Forefront UAG Management console, click the Admin menu, and then click Web Monitor.
- To retrieve information about active DirectAccess sessions, in DirectAccess Monitor, click Active Sessions. The DirectAccess – Active Sessions window opens.
The following details for an active DirectAccess session are displayed:
- Session Status: The tunnel opened in the session (Intranet access or Infrastructure access).
- Last Status Time: The time the session was last updated.
- Computer Account: The name of the client computer.
- User Account: The name of the user account.
- Certificate: The certificate name (for the One Time Password (OTP) scenario) used for second tunnel authentication.
- IPv6 Source Address: The IPv6 source address of the DirectAccess client.
- Array Member: The name of the Forefront UAG DirectAccess server the session is connected through.
- Log On Time: The time the session was started.
- Description: A client certificate was not provided, a NAP health status issue, or a smartcard was not provided.
- Transition Mode: The transition technology used in this session.
Querying DirectAccess sessions in Web Monitor
- In the Forefront UAG Management console, click the Admin menu, and then click Web Monitor.
- To retrieve information about active DirectAccess sessions, in DirectAccess Monitor, click Active Sessions.
- Expand Client Filter Options and enter filter strings as follows:
  - Client computer account: Enter a full computer account or a partial string. For example, to retrieve sessions for all computer accounts in the Contoso1 domain, enter Contoso in client computer account.
  - User account: Enter a full user account, or a partial string. For example, to retrieve sessions for all user accounts in the Contoso domain, enter Contoso in user account.
  - IPv6 source address: Enter the full IPv6 source address, or a partial string containing a full IPv6 prefix. For example, to retrieve sessions for an IPv6 prefix of 2002, enter the filter string 2002::.
  - Certificate subject name: Enter a full certificate subject name, or a partial certificate subject name string. The certificate is displayed when using One Time Password (OTP).
- Click Search to retrieve results, or Clear to clear the current filter settings.
Monitoring historical DirectAccess sessions
DirectAccess historical session activity is stored in an SQL log that can be queried by using a pre-prepared filter in Forefront Threat Management Gateway (TMG).
To monitor historical DirectAccess sessions
- On the taskbar, click Start, click All Programs, click Microsoft Forefront TMG, and then click Forefront TMG Management.
- Expand the Forefront TMG node, and then click Logs & Reports.
- In the right pane, click Tasks, click Load Filter Definitions, and import the filter definition file <Forefront UAG installation directory>\common\bin\da\monitoring\DaLogFilter.xml.
- Click Start Query.
Note: To customize the fields displayed in the logging tab, right-click any column title header in the results list, and then click Add/Remove columns. In the Add/Remove Columns dialog box, add or remove columns as required. For a list of Forefront UAG-specific logging fields, see SQL fields for Forefront UAG DirectAccess user logging in the Technical Reference. To change the query log time, click Edit Filter, click Log Time, select a Condition under Define the criteria used to filter the data, click Update, and then click Start Query.
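Because historical sessions are logged as one row per state change, a query result has to be folded back into one record per session before it can be read like the active-session view. The following is an added example, not code from this page or from Forefront UAG, that does this in Python over constructed rows and then applies partial-string filters in the style of Client Filter Options. The row layout, the function names, case-insensitive matching, and reading `2002::` as a 16-bit prefix are all assumptions; the real log fields are those listed in the Technical Reference.

```python
import ipaddress

# Constructed rows (time, session id, state change, value); hypothetical layout, not the TMG schema.
ROWS = [
    ("2011-03-01 08:00:02", "s1", "new session created", "2002:836b:1::10"),
    ("2011-03-01 08:00:03", "s1", "machine name added", "CONTOSO\\LAPTOP01$"),
    ("2011-03-01 08:01:10", "s1", "user name added", "CONTOSO\\alice"),
    ("2011-03-01 08:01:11", "s1", "intranet tunnel opened", ""),
    ("2011-03-01 09:15:40", "s2", "new session created", "2001:db8:5::7"),
    ("2011-03-01 09:15:41", "s2", "machine name added", "FABRIKAM\\KIOSK07$"),
]

def fold_sessions(rows):
    """Collapse one-row-per-state-change history into one record per session."""
    sessions = {}
    for when, sid, event, value in sorted(rows):
        s = sessions.setdefault(sid, {
            "log_on_time": when, "computer": None, "user": None, "ipv6": None,
            # Assumption: no intranet tunnel event means infrastructure access only.
            "status": "Infrastructure access",
        })
        s["last_status_time"] = when
        if event == "new session created":
            s["ipv6"] = value
        elif event == "machine name added":
            s["computer"] = value
        elif event == "user name added":
            s["user"] = value
        elif event == "intranet tunnel opened":
            s["status"] = "Intranet access"
    return sessions

def prefix_to_network(text):
    """Read a filter string such as '2002::' as a network (assumed 16 bits per group given)."""
    groups = [g for g in text.split("::")[0].split(":") if g]
    return ipaddress.ip_network(f"{text}/{16 * len(groups)}")

def search(sessions, computer="", user="", ipv6_prefix=""):
    """Return ids of sessions matching every supplied partial-string filter."""
    net = prefix_to_network(ipv6_prefix) if ipv6_prefix else None
    hits = []
    for sid, s in sessions.items():
        if computer.lower() not in (s["computer"] or "").lower():
            continue
        if user.lower() not in (s["user"] or "").lower():
            continue
        if net and (not s["ipv6"] or ipaddress.ip_address(s["ipv6"]) not in net):
            continue
        hits.append(sid)
    return hits
```

Session `s2` in the sample never logs a user name or an intranet tunnel, so it folds to an infrastructure-only record with no user, which is the kind of session the Description column would explain in Web Monitor.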