Monitoring Forefront UAG DirectAccess clients and users in RTM

Updated: April 8, 2010

Applies To: Unified Access Gateway

You can monitor DirectAccess clients and users by using the Forefront UAG client and user monitoring cmdlet, a Windows PowerShell snap-in that provides information about current and historical client and user logons. You can run the cmdlet on demand to see how the number of concurrent users and clients affects the performance of your Forefront UAG DirectAccess deployment.

The cmdlet reads events by using one of the following modes:

  • From a local security event log—Use this mode when you have a standalone Forefront UAG DirectAccess server deployment. This mode does not require you to configure event forwarding. When a Forefront UAG DirectAccess NLB array is deployed, this mode limits a single PowerShell session to viewing the events of only one array member. When the Forefront UAG DirectAccess server serves a large user base, the size of the security event log, which also collects events unrelated to Forefront UAG DirectAccess, can limit the volume of historical information that can be stored.

  • From an aggregated log—Use this mode when you want to aggregate security events from array members into a centralized log on a single server. When working with an aggregated log, you can see users and clients connected to all array members. The aggregated log contains only Forefront UAG DirectAccess-specific events; it is therefore more manageable and allows you to store larger amounts of historical information. To use aggregated logs, you must enable event forwarding on the collector server (the server to which events are forwarded) and on the Forefront UAG DirectAccess server. For more information, see Setting up a source initiated subscription (https://go.microsoft.com/fwlink/?LinkId=164395).

    Note

    When you enable event forwarding, it is recommended that you use source-initiated forwarding.

The following procedures describe how to monitor Forefront UAG DirectAccess clients and users:

  • Configuring event collection

  • Enabling IPsec logging

  • Adding and using the UAGDAUserMonitoring snap-in

Configuring event collection

When the cmdlet reads events from an aggregated log, you must configure event collection on the collector server and on the event source computer.

To configure event collection

  1. On the collector server, follow the instructions in the Configuring the event collector computer section of Setting up a source initiated subscription (https://go.microsoft.com/fwlink/?LinkId=164395).

    Note

    You can use the XML example of a subscription configuration file in that topic, which creates a source-initiated subscription that forwards events from the Application event log of a remote computer to the ForwardedEvents log on the event collector computer, as a starting point. You must change the query in the XML file so that the subscription selects event IDs 4981 and 4655 from the Security event log.

  2. On the Forefront UAG DirectAccess server, follow the instructions in the Configuring the event source computer section of Setting up a source initiated subscription (https://go.microsoft.com/fwlink/?LinkId=164395).
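The following Windows PowerShell script is an added example, not part of the original article or of Forefront UAG itself. It writes a source-initiated subscription file whose query selects only event IDs 4981 and 4655 from the Security log, so that the ForwardedEvents log on the collector contains nothing but the IPsec logon events the cmdlet reads, and registers it with wecutil. The subscription name, description and the use of the Domain Computers group in the source-computer SDDL are assumptions chosen for the example.

```powershell
# Added example (not from the original article): create a source-initiated
# collector subscription that forwards only the IPsec logon events the
# UAGDAUserMonitoring snap-in reads (4981 and 4655) from the Security log of the
# Forefront UAG DirectAccess servers into the ForwardedEvents log.
# Run in an elevated Windows PowerShell session on the collector server.

$subscriptionName = 'UAG-DirectAccess-IPsecLogons'   # placeholder name for this example
$xmlPath = Join-Path $env:TEMP "$subscriptionName.xml"

# Select only 4981 and 4655 from Security; everything else stays on the source server.
$query = '<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID=4981 or EventID=4655)]]</Select></Query></QueryList>'

$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forefront UAG DirectAccess IPsec logon events (4981, 4655)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>1</MaxItems>
      <MaxLatencyTime>1000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="60000" />
    </PushSettings>
  </Delivery>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US" />
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- Assumption for the example: the SDDL grants Domain Computers (DC) the right to
       forward. In production, scope this to a group containing only the
       Forefront UAG DirectAccess servers so other hosts cannot inject events. -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8

# Register the subscription with the Windows Event Collector service and display
# the stored configuration so the query can be confirmed.
wecutil cs $xmlPath
wecutil gs $subscriptionName
```

The collector service must already be configured (wecutil qc) and the Forefront UAG DirectAccess servers must point at the collector through the SubscriptionManager policy, as described in the linked topic; the script only covers the subscription itself. Restricting the query to the two event IDs keeps the ForwardedEvents log small, which is the reason the article gives for preferring the aggregated-log mode.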

Enabling IPsec logging

Before installing and using the UAGDAUserMonitoring snap-in, you must enable IPsec logging.

Note

It is recommended that you use the UAG DirectAccess: DA server Group Policy object created by Forefront UAG DirectAccess.

To enable IPsec logging

  1. On a computer with Group Policy Management installed, on the taskbar, click Start, click Administrative Tools, and then click Group Policy Management.

  2. From the Group Policy Management console, open Forest\Domains\Domain\Group Policy Objects.

  3. Right-click the UAG DirectAccess: DA server object, and then click Edit.

  4. Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Advanced Audit Policy Configuration, double-click Audit Policies, and then click Logon/Logoff.

  5. In the right pane, double-click Audit IPsec Extended Mode, select Configure the following audit events, select Success and Failure, and then click OK.

  6. Double-click Audit IPsec Main Mode, select Configure the following audit events, select Success and Failure, and then click OK.
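After the Group Policy object has been applied, the following script checks on the Forefront UAG DirectAccess server that both audit subcategories are in effect. It is an added example, not part of the original article; it uses the built-in auditpol tool and assumes English-language auditpol output.

```powershell
# Added example (not from the original article): confirm on the Forefront UAG
# DirectAccess server that the two audit subcategories the snap-in depends on are
# effective for Success and Failure once the GPO has been applied.
# Run in an elevated Windows PowerShell session on the DirectAccess server.
# Assumption: auditpol output is in English ("Success and Failure", "No Auditing", ...).

gpupdate /target:computer /force | Out-Null

$required = 'IPsec Main Mode', 'IPsec Extended Mode'

$results = foreach ($subcategory in $required) {
    # auditpol prints a small table; the line naming the subcategory ends with the
    # effective setting, e.g. "  IPsec Main Mode    Success and Failure".
    $pattern = [regex]::Escape($subcategory)
    $line    = auditpol /get /subcategory:"$subcategory" | Where-Object { $_ -match $pattern }
    $setting = ($line -replace ".*$pattern\s+", '').Trim()

    New-Object PSObject -Property @{
        Subcategory = $subcategory
        Setting     = $setting
        Ok          = ($setting -eq 'Success and Failure')
    }
}

$results | Format-Table Subcategory, Setting, Ok -AutoSize

if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'Both IPsec Main Mode and IPsec Extended Mode auditing must be set to Success and Failure, otherwise Get-DirectAccessUsers returns no logon data.'
}
```

If a subcategory shows No Auditing although the GPO is edited as above, check that the UAG DirectAccess: DA server object is linked and applies to the server, since local auditpol settings are overridden by the advanced audit policy delivered through Group Policy.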

Adding and using the UAGDAUserMonitoring snap-in

The snap-in is automatically installed on the Forefront UAG DirectAccess server. When you want to use the snap-in on a server other than the Forefront UAG DirectAccess server, you must first install the snap-in on the local computer, as follows:

  1. On the Forefront UAG DirectAccess server, from Windows Explorer, navigate to \UAG installation directory\bin\da\monitoring, and copy DAUserMonitoringSnapIn.dll to your local computer.

  2. On the local computer, on the taskbar, click Start, click Run, type the command %windir%\Microsoft.NET\Framework64\v2.0.50727\installutil DAUserMonitoringSnapIn.dll, and then press ENTER.

    Note

    In the above command, specify the full path of DAUserMonitoringSnapIn.dll.

To add and use the UAGDAUserMonitoring snap-in

  1. On the taskbar, click Start, click All Programs, click Accessories, click Windows PowerShell, and then click Windows PowerShell.

  2. From the Windows PowerShell command prompt, type Add-PSSnapin UAGDAUserMonitoring, and press ENTER.

    Note

    If you want to automatically add the snap-in to all Windows PowerShell sessions when they start, add the snap-in to your Windows PowerShell profile. For more information, see about_Profiles (https://go.microsoft.com/fwlink/?LinkId=164602).

  3. From the Windows PowerShell command prompt, type Get-DirectAccessUsers -Parameter Value. The following table lists the available parameters.

    Parameter name: OutputVerbosity
    Definition: Defines the format in which events are returned.
    Values:
      • Logons—The cmdlet returns aggregated logical logon events; computer and user logons are consolidated (default).
      • RawData—The cmdlet returns raw IPsec logon events for both computer and user logons.
    Example: Get-DirectAccessUsers -OutputVerbosity RawData

    Parameter name: ShowHistory
    Definition: Defines whether current or historical data is returned.
    Values:
      • False—Returns current events (default).
      • True—Returns historical events.
    Example: Get-DirectAccessUsers -ShowHistory True

    Parameter name: StartTime
    Definition: When ShowHistory is set to True, this parameter defines the start time for the query output.
    Value: Locale time/date format. (The default is 01/01/0001 12:00 AM.)
    Example: Get-DirectAccessUsers -StartTime "7/7/2009 8:56:00 AM"

    Parameter name: EndTime
    Definition: When ShowHistory is set to True, this parameter defines the end time for the query output.
    Value: Locale time/date format. (The default is the current time.)
    Example: Get-DirectAccessUsers -EndTime "7/7/2009 3:36:00 PM"

    Parameter name: LogName
    Definition: Defines the name of the log where events reside.
    Values:
      • ForwardedEvents—The default log name.
      • Security—Use when event forwarding is not enabled.
    Example: Get-DirectAccessUsers -LogName ForwardedEvents

    Parameter name: CollectorMachineName
    Definition: Defines the name of the computer on which events are collected. Use this parameter when you run the snap-in on a computer that does not hold the security event log; it should point to the computer where the security event log resides. The default is localhost.
    Value: Computer name
    Example: Get-DirectAccessUsers -CollectorMachineName localhost

    Parameter name: UserName
    Definition: Filters the output to specific users.
    Value: User name
    Example: Get-DirectAccessUsers -UserName Carlos

    Parameter name: ClientName
    Definition: Filters the output to specific client computers.
    Value: Client computer name
    Example: Get-DirectAccessUsers -ClientName Carlos2008RTM

    Note

    Query results can be piped to a CSV file that can be opened in Microsoft Excel. For example, Get-DirectAccessUsers | Export-Csv results.csv exports the query results to results.csv.
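The following script is an added example, not part of the original article, that ties the parameters above together: it first checks that IPsec logon events (4981 and 4655) are actually present in the log the cmdlet will read, then exports the last 24 hours of historical, consolidated logons to a timestamped CSV file. The log name, collector name and output folder are placeholders chosen for the example, and it assumes the StartTime and EndTime parameters accept a DateTime value (the article shows them taking a locale-formatted date string, which PowerShell produces from a DateTime automatically).

```powershell
# Added example (not from the original article): verify that IPsec logon events exist
# in the target log, then export 24 hours of DirectAccess logon history to CSV.
# Run in Windows PowerShell on the collector (or on the DirectAccess server when
# event forwarding is not used; then set $logName to 'Security').

Add-PSSnapin UAGDAUserMonitoring -ErrorAction Stop

$logName   = 'ForwardedEvents'   # placeholder; 'Security' when forwarding is not enabled
$collector = 'localhost'         # placeholder; the computer that holds $logName
$outDir    = 'C:\DAReports'      # placeholder output folder

# Sanity check: if no 4981/4655 events exist, Get-DirectAccessUsers returns nothing,
# and the cause is normally audit policy or the collector subscription, not the snap-in.
$recent = Get-WinEvent -ComputerName $collector `
                       -FilterHashtable @{ LogName = $logName; Id = 4981, 4655 } `
                       -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $recent) {
    Write-Warning "No IPsec logon events (4981/4655) found in $logName on $collector; verify audit policy and event forwarding."
}

$end   = Get-Date
$start = $end.AddHours(-24)

if (-not (Test-Path $outDir)) {
    New-Item -ItemType Directory -Path $outDir | Out-Null
}
$csv = Join-Path $outDir ("DirectAccessLogons_{0:yyyyMMdd_HHmm}.csv" -f $end)

# Historical, consolidated (Logons) output for the 24-hour window.
# -NoTypeInformation drops the #TYPE header line so the file opens cleanly in Excel.
Get-DirectAccessUsers -ShowHistory True -StartTime $start -EndTime $end `
                      -LogName $logName -CollectorMachineName $collector |
    Export-Csv -Path $csv -NoTypeInformation

Write-Host "Exported DirectAccess logons from $start to $end to $csv"
```

Scheduling this script once a day gives a retained record of DirectAccess logons that outlives the Security log's retention, which is the limiting factor the article notes for the local-log mode.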