Server 2012 R2 DirectAccess Logging and Auditing

Question

  • We recently set up a test pilot for DirectAccess in our domain. Setup was successful; users from off campus can access resources on campus with no problem. Our networking and security groups have concerns about DirectAccess going forward. Both groups' concerns come down to this. We currently use the Cisco SSL VPN client. If there was a security incident, the networking group could provide information to the security group mapping the intranet address to the internet address and to the user who logged in, so it is easy for the security group to connect the dots from endpoint to endpoint.

    In the short time we've been doing our test pilot, we've noticed that all of the endpoints users access over DirectAccess log the IP address of the DirectAccess server as the endpoint the users are logged in from when accessing intranet resources. It looks like one box is accessing thousands of resources at the same time with multiple concurrent connections. When I look at the logs on the DirectAccess server I can see when a user connects and from what machine. For some reason it's not pulling the ISP address, which would be very helpful. But I don't see a way to easily correlate information, especially when we'll have possibly hundreds of users connecting at the same time.

    Currently with the Cisco client each user is given a unique IP address, and the user's login, external, and internal addresses are logged, so it is very easy to say yes, this security incident occurred at this time with this IP address and it corresponds to this user logged in from this computer at this IP address.

    Is there any way to get that level of logging with DirectAccess? Also, is there a way to ship the DirectAccess logs to a syslog server? We are currently using "inbox accounting" that writes to a Windows Internal Database on the DirectAccess server. We are not using a UAG server.

    Thursday, October 2, 2014 3:21 PM

Answers

  • Hi,

    Because DirectAccess works on IPv6, we need to use NAT64 and DNS64 to let DirectAccess clients access the IPv4 internal resources.

    NAT64 will translate the IPv6 addresses of clients to the internal IPv4 address of the DirectAccess Server. That's why we see that all the connections are from the DirectAccess server.

    If the internal resource can be accessed by IPv6, NAT64 will not be used and the IPv6 address of the client will be visible to the internal network.

    The DirectAccess Server provides two accounting methods:

    • RADIUS accounting
    • Inbox Accounting

    For detailed information about accounting, please refer to the link below:

    http://technet.microsoft.com/en-us/library/jj574136.aspx

    Best Regards.



    Steven Lee

    TechNet Community Support

    Friday, October 3, 2014 9:45 AM
    Moderator
  • Hi,

    As explained, NAT64 operates a translation from IPv6 to IPv4. So it's logical that you only have the source IPv4 address in IPv4. The only way to have the IPv6 source address is to use the selected server access. With this mode, each server registered in the configuration has a dedicated IPv6 transport. This also means that your servers can negotiate an IPv6 (ISATAP). It works but is not really used, as IPv6 is not widely deployed on our LAN. At last, ISATAP usage is no longer recommended by Microsoft for multiple reasons.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Sunday, October 5, 2014 2:44 PM
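An added example that follows from both answers above, not code from the thread or from Microsoft: because NAT64 hides the client behind the server's IPv4 address, the user-to-address mapping the question asks for has to come from the DirectAccess server's own accounting data rather than from the resource servers' logs. It assumes inbox accounting is enabled and the RemoteAccess module's Get-RemoteAccessConnectionStatistics cmdlet is available on the DA server; the function names, the event source name and the output property names are assumptions to verify against your own server.

```powershell
# Added example (not from the thread or from Microsoft): query DirectAccess inbox
# accounting on the DA server to map principal -> client tunnel (IPv6) address ->
# client external (ISP) address for an incident window, then write each row to the
# Application event log so a syslog/SIEM agent can forward it.
# Cmdlets are from the RemoteAccess module; the output property names used below are
# ASSUMED from its output (confirm with Get-RemoteAccessConnectionStatistics | Get-Member).
Import-Module RemoteAccess

function Get-DaSessionMap {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [string]$Match = ''   # optional: client IPv6/external address or user name fragment
    )
    Get-RemoteAccessConnectionStatistics -StartDateTime $Start -EndDateTime $End |
        ForEach-Object {
            $stat = $_
            # UserName may hold both the machine account (infrastructure tunnel) and
            # the user account (intranet tunnel); emit one row per principal.
            foreach ($principal in @($stat.UserName)) {
                [pscustomobject]@{
                    Principal      = $principal
                    ClientTunnelIP = (@($stat.ClientIPAddress) -join ';')
                    ClientExternal = (@($stat.ClientExternalAddress) -join ';')
                    Transition     = $stat.TransitionTechnology
                    Start          = $stat.ConnectionStartTime
                    Duration       = $stat.ConnectionDuration
                    BytesIn        = $stat.TotalBytesIn
                    BytesOut       = $stat.TotalBytesOut
                }
            }
        } |
        Where-Object { $Match -eq '' -or (($_.Principal, $_.ClientTunnelIP, $_.ClientExternal) -join ' ') -like "*$Match*" }
}

function Write-DaSessionMapToEventLog {
    param([Parameter(ValueFromPipeline)]$Row, [string]$Source = 'DirectAccessCorrelation')
    begin {
        # Register the custom source once (requires admin rights).
        if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
            New-EventLog -LogName Application -Source $Source
        }
    }
    process {
        Write-EventLog -LogName Application -Source $Source -EventId 1000 `
            -EntryType Information -Message ($Row | ConvertTo-Json -Compress)
    }
}
# Usage: sessions in the incident window, forwarded to the Application log.
Get-DaSessionMap -Start '2014-10-02 14:00' -End '2014-10-02 16:00' | Write-DaSessionMapToEventLog
```

Run the query with -Match set to the IPv6 address a resource logged (only available when the resource is reached over IPv6, as the second answer notes) to narrow the result to the session that produced it; with NAT64 in the path, filter by time window and external address instead.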

All replies

  • Hi,

    I'm writing to just check in to see if the suggestions were helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up.

    Best Regards.



    Steven Lee

    TechNet Community Support

    Thursday, October 16, 2014 7:04 AM
    Moderator