Monitoring client traffic - finding which clients are hitting an internal server

  • Question

  • Hi,

     I'm attempting to track down some DA clients which are hitting an internal web page - the page is a simple found.htm page which displays an old intranet site. The page used to be used as the connectivity verifier. I have since changed this via GPO, but some clients are still hitting the old NCA. In the server's IIS logs I can see "Client+DCA" as well as "Client+NCA".

    DA is being provided by 3 Windows 2012 R2 servers across 2 sites. The servers are configured in a unicast NLB array. I've installed Network monitor on my old intranet server and I can see the DA servers are polling my old intranet server - specifically requesting the found.htm page for the "Client+DCA" and "Client+NCA". The traffic source always shows as the DA server and nothing in the packet identifies the client as far as I can see.

    I tried installing Network monitor on the DA server itself, but the experience is horrendous, as a 10 second packet capture took 4 minutes to save. In addition, pinging 192.168.0.10 from the DA server and then filtering the corresponding packet for "ipv4.destinationaddress==192.168.0.10" fails to find the packet. I've tweaked netmon for performance, but that hasn't helped.

    Is there a reliable and straightforward way to find which clients are requesting the old intranet page?

    Thanks

    Friday, November 4, 2016 1:17 PM

Answers

  • I never found a way to do that using the built-in NAT64 system of DirectAccess.

    My client also asked for better client identification, and we implemented a Cisco appliance between the DA infrastructure and the internal network. DirectAccess thinks that the internal network is using IPv6, and the Cisco appliance, where we can clearly identify the client IPv4 and IPv6 addresses, is used for the NAT64.

    Gerald 

    • Marked as answer by Peter.Siffredi Wednesday, November 16, 2016 1:14 PM
    Wednesday, November 9, 2016 9:26 AM

All replies

  • Hello,

    Can't you just extract that info from the IIS access log files? Like you would do for Apache, for example. You could develop a small script to print all the IP addresses into an external file. Executing this as a scheduled task every X minutes would populate your external file with the IP addresses that are still requesting your old site.

    Regards.

    Thursday, December 1, 2016 11:42 AM
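
The log-parsing approach suggested in the last reply, as an added example that is not part of the original thread: it reads IIS W3C logs, follows the `#Fields:` header, and counts requests for found.htm from the "Client+NCA" / "Client+DCA" user agents per source address. The sample log, its addresses and the name `probe_sources` are constructed for illustration; `c-ip` is whatever source address IIS recorded, which in the setup the question describes is the DA server.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (addresses and times are made up).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-11-04 12:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-11-04 12:00:01 192.168.0.10 GET /found.htm - 80 - 192.168.0.21 Client+NCA - 200 0 0 15
2016-11-04 12:00:07 192.168.0.10 GET /found.htm - 80 - 192.168.0.22 Client+DCA - 200 0 0 12
2016-11-04 12:01:30 192.168.0.10 GET /default.htm - 80 - 192.168.0.50 Mozilla/5.0 - 200 0 0 31
2016-11-04 12:05:01 192.168.0.10 GET /Found.htm - 80 - 192.168.0.21 Client+NCA - 304 0 0 3
#Fields: date time cs-uri-stem c-ip cs(User-Agent) sc-status
2016-11-04 12:10:01 /found.htm 192.168.0.21 Client+NCA 200
"""

PROBE_PAGE = "/found.htm"
PROBE_AGENTS = ("client+nca", "client+dca")  # IIS logs spaces in values as '+'


def probe_sources(lines, page=PROBE_PAGE, agents=PROBE_AGENTS):
    """Return {(c-ip, user-agent): [hits, first_seen, last_seen]} for probe requests."""
    fields, seen = [], defaultdict(lambda: [0, None, None])
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # IIS rewrites this header when logging settings change or the service restarts.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, values))
        agent = rec.get("cs(User-Agent)", "-")
        if rec.get("cs-uri-stem", "").lower() != page or not any(a in agent.lower() for a in agents):
            continue
        stamp = f'{rec.get("date", "")} {rec.get("time", "")}'.strip()
        entry = seen[(rec.get("c-ip", "-"), agent)]
        entry[0] += 1
        entry[1] = entry[1] or stamp
        entry[2] = stamp
    return dict(seen)


if __name__ == "__main__":
    for (ip, agent), (hits, first, last) in sorted(probe_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}\t{agent}\t{hits}\t{first}\t{last}")
```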