Is it possible to generate an easy-to-read report based on the traffic to websites from a user's Active Directory domain name? I assume this could be managed by implementing some sort of non-transparent proxy, but I'm not sure how one would go about doing so with a transparent proxy. So how would you go about setting this up?

James Bow
  • If you only need this once, you could ask your local Palo Alto firewall sales team for a "demo" box to borrow for a week. It will give you an insane amount of detail. If you're in the Midwest, I can set this up for you. – SpacemanSpiff Feb 21 '11 at 01:16
  • Actually this would be for extended use so a demo box of anything won't cut it. – James Bow Feb 21 '11 at 01:53
  • The 'problem' with a transparent proxy is that it usually doesn't force you to authenticate. At that point any measurement of who visited what website becomes unreliable. – Rob Moir Apr 25 '11 at 07:27

3 Answers

1

You're going to need a proxy server that includes Active Directory integration. Not just for policy management, but you'll need to make sure it does reporting per user too (to solve your initial question). This, of course, is not going to be a cheap solution (support-wise) if you don't have enough knowledge to set this up with Squid (which is open source--free), as most AD integrated proxies that have good reporting, and are somewhat useful (off the box) will cost some money. You'll want to look at Forefront TMG (since it's Microsoft's own solution--and will be the best integrated with AD), but there are others that some will suggest here.

Some other resources to look at:


Another thing to think about is to NOT look for a 'per AD user' reporting tool, but a per-host/network tool such as nTop.

l0c0b0x
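As an added example (not code from this answer, from Squid, or from any product named above), here is the reporting half of the setup the answer describes: once Squid is authenticating users against AD (an `auth_param negotiate` or `auth_param ntlm` helper plus an `http_access` rule that requires `proxy_auth`), the eighth field of each line in its default native-format access.log carries the authenticated user instead of `-`, and a short script can group requests by user and site. The log lines below are constructed and the user and host names are hypothetical. Lines with status 407 are the proxy's own authentication challenges and are skipped; any remaining `-` user is reported separately, because that is exactly the "who was it" gap Rob Moir's comment raises for transparent proxies, where no authentication happens.

```python
"""Per-user web-usage report from Squid's native-format access.log.

Added example, not code from the answer or from the Squid project.
Assumes Squid is doing the AD authentication, so the user field (8th)
is populated; the sample log below is constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's default "native" log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1298251200.101    312 10.0.0.5 TCP_MISS/200 41230 GET http://www.example.com/index.html EXAMPLE\\jbow HIER_DIRECT/93.184.216.34 text/html
1298251201.550     88 10.0.0.5 TCP_HIT/200 2048 GET http://www.example.com/logo.png EXAMPLE\\jbow NONE/- image/png
1298251260.004    910 10.0.0.7 TCP_MISS/200 550000 GET http://videos.example.net/clip.mp4 EXAMPLE\\asmith HIER_DIRECT/203.0.113.9 video/mp4
1298251300.777    120 10.0.0.7 TCP_MISS/200 10240 CONNECT mail.example.org:443 EXAMPLE\\asmith HIER_DIRECT/203.0.113.20 -
1298251400.000     45 10.0.0.9 TCP_DENIED/407 3500 GET http://www.example.com/ - HIER_NONE/- text/html
1298251401.000    200 10.0.0.9 TCP_MISS/200 7000 GET http://news.example.com/ - HIER_DIRECT/198.51.100.4 text/html
"""


def site_of(method, url):
    """Reduce a request to the site it went to; CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url


def parse_native_log(text):
    """Yield (user, site, bytes, status) for each well-formed native-format line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # truncated or foreign line: skip rather than guess
        status = int(fields[3].split("/")[1])  # e.g. TCP_MISS/200 -> 200
        yield fields[7], site_of(fields[5], fields[6]), int(fields[4]), status


def build_report(text):
    """Return {user: {site: (requests, bytes)}}. The '-' user collects unauthenticated traffic."""
    report = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for user, site, nbytes, status in parse_native_log(text):
        if status == 407:
            continue  # the proxy asking for credentials, not a visit
        entry = report[user][site]
        entry[0] += 1
        entry[1] += nbytes
    return {u: {s: tuple(v) for s, v in sites.items()} for u, sites in report.items()}


def format_report(report):
    """Render the report as plain text, biggest consumers first within each user."""
    lines = []
    for user in sorted(report):
        lines.append(user if user != "-" else "UNAUTHENTICATED (not attributable to a user)")
        by_bytes = sorted(report[user].items(), key=lambda kv: kv[1][1], reverse=True)
        for site, (reqs, nbytes) in by_bytes:
            lines.append(f"    {site:<30} {reqs:>5} req {nbytes / 1024:>10.1f} KiB")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_LOG)))
```

Run it against the real file with `build_report(open("/var/log/squid/access.log").read())`. If the UNAUTHENTICATED bucket is not empty on a proxy that is supposed to require authentication, either an `http_access` rule lets some traffic through before the `proxy_auth` check or an intercept port is in use; fix that before trusting the per-user numbers.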
0

Well, if you don't want a transparent proxy, then the first thing that crosses my mind is DNS. Force the subnet to use the local DNS server, and extract from the DNS logs what they resolved.

Hrvoje Špoljar
  • DNS would show lookups only. He needs to measure the traffic at the edge with something like Netflow or a device built to do this. I'm sure there are open source goodies for it, but they might not be so easy to setup. – SpacemanSpiff Feb 21 '11 at 01:18
  • I don't have a problem with using a proxy, but even so, I'm not sure how I would do it. – James Bow Feb 21 '11 at 01:54
0

Logs of a transparent proxy (or SNMP monitoring of the gateway) are IP-based, so you will need to map IP addresses to AD users. Unfortunately, I did not find any tools which do that automatically.

Luckily, the number of abusers is not big, so I used either psloggedon or the Trend Micro Console (which shows IP, MAC address and AD name) to trace them back manually.

alexm
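The IP-to-user mapping this answer did by hand with psloggedon can also be driven from the domain controllers' own records. The following is an added example, not the answer's method and not a tool it mentions: it assumes you have exported successful logon events (Event ID 4624) from the DCs with their TimeCreated, IpAddress and TargetUserName fields, and that the IP-based records (transparent proxy log, NetFlow, SNMP counters, or the DNS log from the other answer) carry a timestamp and a source IP. For each record it picks the most recent non-machine logon from that IP, and refuses to attribute when the logon is stale (DHCP may have moved the address) or when a second user logged on from the same IP recently (terminal server, shared PC, NAT). All events and records below are constructed, and the user names, hosts and window sizes are hypothetical.

```python
"""Attribute IP-based traffic records to AD users using DC logon events.

Added example, not code from the answer. Assumes 4624 events were exported
from the domain controllers as (time, IpAddress, TargetUserName); all data
below is constructed. Without logoff events (4634/4647) this is a heuristic,
so every attribution comes with a reason and ambiguous cases return None.
"""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4624 exports: (TimeCreated, IpAddress, TargetUserName).
LOGON_EVENTS = [
    ("2011-02-21 08:01:10", "10.0.0.5", "jbow"),
    ("2011-02-21 08:03:45", "10.0.0.7", "asmith"),
    ("2011-02-21 08:03:46", "10.0.0.7", "WS07$"),      # machine account, ignored
    ("2011-02-21 12:30:00", "10.0.0.5", "rmoir"),      # a second person took the same desk later
    ("2011-02-21 09:00:00", "10.0.0.20", "tsuser1"),   # terminal server: many users, one IP
    ("2011-02-21 09:05:00", "10.0.0.20", "tsuser2"),
]

# Constructed IP-based records, e.g. from a transparent proxy: (time, source IP, destination host).
IP_RECORDS = [
    ("2011-02-21 09:15:00", "10.0.0.5", "www.example.com"),
    ("2011-02-21 13:00:00", "10.0.0.5", "videos.example.net"),
    ("2011-02-21 10:00:00", "10.0.0.20", "news.example.com"),
    ("2011-02-21 10:00:00", "10.0.0.9", "news.example.com"),   # no logon event for this IP at all
    ("2011-02-21 07:00:00", "10.0.0.5", "update.example.org"), # earlier than any logon from this IP
]

MAX_AGE = timedelta(hours=10)             # assumption: a logon older than a working day is stale
CONCURRENCY_WINDOW = timedelta(hours=2)   # assumption: another user within 2h means a shared IP


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def index_logons(events):
    """Build {ip: [(time, user), ...] sorted by time}, dropping machine accounts (names ending in $)."""
    by_ip = defaultdict(list)
    for when, ip, user in events:
        if user.endswith("$"):
            continue
        by_ip[ip].append((_t(when), user))
    return {ip: sorted(v) for ip, v in by_ip.items()}


def attribute(record_time, ip, logons):
    """Return (user, reason); user is None whenever no safe attribution exists."""
    entries = logons.get(ip)
    if not entries:
        return None, "no logon event for this IP"
    t = _t(record_time)
    i = bisect_right([e[0] for e in entries], t) - 1   # most recent logon at or before the record
    if i < 0:
        return None, "record predates every logon from this IP"
    when, user = entries[i]
    if t - when > MAX_AGE:
        return None, "last logon too old; the address may have been reassigned"
    # Other users who logged on from the same IP shortly before: shared host, NAT or terminal server.
    others = {u for w, u in entries[:i] if t - w <= CONCURRENCY_WINDOW and u != user}
    if others:
        return None, "ambiguous: " + ", ".join(sorted(others | {user})) + " all logged on from this IP recently"
    return user, "ok"


def attribute_all(records, events):
    """Return [(time, ip, host, user_or_None, reason)] for every IP-based record."""
    logons = index_logons(events)
    return [(when, ip, host) + attribute(when, ip, logons) for when, ip, host in records]


if __name__ == "__main__":
    for when, ip, host, user, reason in attribute_all(IP_RECORDS, LOGON_EVENTS):
        print(f"{when}  {ip:<10} {host:<22} {user or '?':<10} {reason}")
```

Treat the `None` rows as the honest answer, not as noise to be filled in: they are the hosts where only an authenticating proxy, or a manual check with psloggedon as in the answer, can say who was at the keyboard. The 4624 export itself can be produced with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}` on each DC, selecting TimeCreated and the IpAddress and TargetUserName properties.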