locked
UAG sessions RRS feed

  • Question

  • Hi All,

    I'm trying to get a better understanding of the data provided thru web montior...

    1. Can somone define "session" as is availble thru web logs session started/session stopped report?  Does this equal to TCP connections?

    2. For a given session, all I get back is session started, priveileged session, session stopped (filtering based on session GUID).  How can I see the details such as which virtual directory was accessed/what URLs were accesses/returned.  On a TMG server, this type of info is esy to get from TMG logging.

    Here is an example of starting outlook 2011 accessing E2l7 EWS externalURL via UAG using basic auth.

    Severity   Time   Type   Category   Description  
     Information 3/27/2012 12:52 Session Started Session Session 7CB881E1-28B1-4AB3-83BA-DFD33DE5DC74 was started on trunk qa2lab (secure=1). The source IP address is 192.168.1.10.
     Information 3/27/2012 12:52 Privileged Session Session Session 7CB881E1-28B1-4AB3-83BA-DFD33DE5DC74 is a privileged session on trunk qa2lab; Secure=1.
     Information 3/27/2012 12:52 Successful Login Security User qa2\testsbkqa2xmb1 with source IP address logged in to trunk qa2lab (secure=1) using authentication server qa2 with session ID 7CB881E1-28B1-4AB3-83BA-DFD33DE5DC74.
     Information 3/27/2012 12:52 Successful Login Security User qa2\testsbkqa2xmb1 with source IP address logged in to trunk qa2lab (secure=1) using authentication server qa2 with session ID 7CB881E1-28B1-4AB3-83BA-DFD33DE5DC74.
     Information 3/27/2012 12:52 Successful Login Security User qa2\testsbkqa2xmb1 with source IP address logged in to trunk qa2lab (secure=1) using authentication server qa2 with session ID 7CB881E1-28B1-4AB3-83BA-DFD33DE5DC74.
     Information 3/27/2012 12:52 Successful Login Security User qa2\testsbkqa2xmb1 with source IP address logged in to trunk qa2lab (secure=1) using authentication server qa2 with session ID 7CB881E1-28B1-4AB3-83BA-DFD33DE5DC74.
     Information 3/27/2012 12:52 Successful Login Security User qa2\testsbkqa2xmb1 with source IP address logged in to trunk qa2lab (secure=1) using authentication server qa2 with session ID 7CB881E1-28B1-4AB3-83BA-DFD33DE5DC74.
     Information 3/27/2012 12:52 Successful Login Security User qa2\testsbkqa2xmb1 with source IP address logged in to trunk qa2lab (secure=1) using authentication server qa2 with session ID 7CB881E1-28B1-4AB3-83BA-DFD33DE5DC74.
     Information 3/27/2012 12:52 Successful Login Security User qa2\testsbkqa2xmb1 with source IP address logged in to trunk qa2lab (secure=1) using authentication server qa2 with session ID 7CB881E1-28B1-4AB3-83BA-DFD33DE5DC74.
     Information 3/27/2012 12:52 Successful Login Security User qa2\testsbkqa2xmb1 with source IP address logged in to trunk qa2lab (secure=1) using authentication server qa2 with session ID 7CB881E1-28B1-4AB3-83BA-DFD33DE5DC74.
     Information 3/27/2012 12:52 Successful Login Security User qa2\testsbkqa2xmb1 with source IP address logged in to trunk qa2lab (secure=1) using authentication server qa2 with session ID 7CB881E1-28B1-4AB3-83BA-DFD33DE5DC74.
     Information 3/27/2012 12:52 Successful Login Security User qa2\testsbkqa2xmb1 with source IP address logged in to trunk qa2lab (secure=1) using authentication server qa2 with session ID 7CB881E1-28B1-4AB3-83BA-DFD33DE5DC74.
     Information 3/27/2012 12:52 Successful Login Security User qa2\testsbkqa2xmb1 with source IP address logged in to trunk qa2lab (secure=1) using authentication server qa2 with session ID 7CB881E1-28B1-4AB3-83BA-DFD33DE5DC74.
     Information 3/27/2012 12:52 Successful Login Security User qa2\testsbkqa2xmb1 with source IP address logged in to trunk qa2lab (secure=1) using authentication server qa2 with session ID 7CB881E1-28B1-4AB3-83BA-DFD33DE5DC74.
     Information 3/27/2012 12:52 Session Stopped Session Session 7CB881E1-28B1-4AB3-83BA-DFD33DE5DC74 was stopped on trunk qa2lab (secure=1). The source IP address is 192.168.1.10.

    Mohsin Malik


    Mohsin M.

    Tuesday, March 27, 2012 5:53 PM

All replies

  • Hi Mohsin,

    1. When a user access the UAG for the first time, the UAG issue a session cookie (NLSession) which is a context that represent the user's session in UAG. Each request that arrive with that cookie associate with that Session, so "Session" is more UAG logical entity and does not represent TCP connection, as you can have many TCP connections use the same cookie and hence defined as one session.

    2. The UAG web monitor does not log all the sessions details, but only a set of specific events. In order to get URL level logging, you can set UAG to generate IIS logs.

    To do that, you need to enable the "Log trunk traffic in IIS" option in the Advance trunk configuration:

    Web Site Logging

    When you enable this (after activate the configuration), you can see all the details of URLs accessed from the IIS logs on the UAG machine.

    Hope this answer your questions.

    Ophir.

    Thursday, March 29, 2012 2:41 PM