If you want to see the IP address assigned to the user you can right-click on the user's connection and choose Status.
You will see the VPN IP address assigned to the user's system in the IP address field under "Network registration".
You may be able to obtain further information on the connecting system
using the nbtstat command.
C:\>nbtstat -A 192.168.0.103
Server Local Area Connection:
Node IpAddress: [192.168.0.3] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
DC0H6341 <00> UNIQUE Registered
MSHOME <00> GROUP Registered
DC0H6341 <20> UNIQUE Registered
MSHOME <1E> GROUP Registered
MAC Address = 00-53-45-00-00-00
RAS Server (Dial In) Interface:
Node IpAddress: [192.168.0.108] Scope Id: []
Host not found.
In this case, I can see the user's home system is named
"DC0H6341". The server assigned the address 192.168.0.103 to her
system (the server is using 192.168.0.108 for itself). If I see
future connections from the same user
I would expect to see the same system name listed, if I issue
an nbtstat command against the IP address
assigned to the user's computer when the VPN connection
is established.
Since there is only one connection to the VPN server at
this time, I can easily determine the user's actual IP
adress assigned by her
ISP
also by usng the netstat -a and find commands.
C:\>netstat -a | find "pptp" | find "ESTABLISHED" TCP S:pptp pool-71-163-174-184.washdc.fios.verizon.net:2193 ESTABLISHED
In this case, I am looking for
PPTP connections, since
PPTP is a
network protocol used for the connections. The port used on the server
for the connections is port 1723, i.e. PPTP equates to
TCP port 1723, so I
could also use the -n option with the netstat command
to look for connections to that port and obtain the IP address assigned to
the user's system, or at least her router in this case, rather than its
Fully Qualified Domain Name (FQDN), which happens to be
pool-71-163-174-184.washdc.fios.verizon.net in this case.
C:\>netstat -an | find ":1723" | find "ESTABLISHED" TCP 192.168.0.3:1723 71.163.174.184:2193 ESTABLISHED
I looked for ":1723", since I just wanted to see connections to port 1723 and not other ports that might have "1723" as part of the port number, e.g. "4173".
If I tried the same nbtstat -a command I used with the
address assigned by the VPN server to her ISP-assigned address instead, I would
get a "host not found" response, since the query would be blocked by the router
at her end and would not get passed to her PC.
C:\>nbtstat -A 71.163.174.184
Server Local Area Connection:
Node IpAddress: [192.168.0.3] Scope Id: []
Host not found.
RAS Server (Dial In) Interface:
Node IpAddress: [192.168.0.108] Scope Id: []
Host not found.If you want to review the ISP-assigned IP addresses from which users have been connecting, you can look in the logfile maintained for the connections. You can find its location by double-clicking on Remote Access Logging in the Routing and Remote Access window.
For futher details, right-click on Local File in the right-pane of the window after you have clicked on Remote Access Logging in the left pane. Then select Properties. Then click on the LogFile tab to see information on the format being used for the logfile as well as how often a new logfile is created.
In this case the logfiles are in C:\WINDOWS\system32\LogFiles. When I look in that directory, I see iaslog0.log.
If you look in the logfile, you may find it hard to parse the contents of the file manually. There are tools to help you. Microsoft offers one, iasparse.exe, on the Disc # 2 of the installation CDs for Windows Small Business Server 2003 Standard Edition. Look in the folder \Support\Tools on Disc # 2. You will see a file there named SUPTOOLS.MSI. Double-click on that file and follow the instructions that follow to install the tools, or, if you just want to install the iasparse.exe tool, double-click on the SUPPORT.CAB file in the same directory and copy it to a location on the system's hard disk.
The tool is run from a command line. For usage information type
iasparse /?
C:\Program Files\SysMgmt\Support Tools>iasparse /?
USAGE: iasparse [-f:filename] [-p] [-?]
-f:filename Parses the file 'filename'
By default iasparse parses the file %windir%\system32\logfiles\ia
slog.log
-p Gives an output to screen directly. Set the Log File Directory to
\\.\pipe
-? Displays helpIf you get the error message below, then you will need to specify the filename for the logfile, since it isn't the default name of iaslog.log, e.g. it may be iaslog0.log.
C:\Program Files\SysMgmt\Support Tools>iasparse The Accounting log file "C:\WINDOWS\system32\LogFiles\iaslog.log" cannot be open ed. Processing cannot continue!
You can specify the location of the file with the -f: option,
e.g. iasparse -f:\windows\system32\logfiles\iaslog0.log.
You will probably also want to redirect the output to a file that you can
view with Notepad or some other editor, since you are likely to see a lot
of entries scrolling by very rapidly on the screen otherwise, e.g.
you can use iasparse -f:\windows\system32\logfiles\iaslog0.log
>out.txt
You will then have results that are easier to read than the raw logfile. You will still see the individual lines of raw data logged in the file, but below each line is the information in a tabular format that is easier to read, as shown below:
The line logged into the file: 192.168.0.3,SOLUTIONS\Debbie,03/14/2007,08:15:38,RAS,S,4,192.168.0.3,6,2,7,1,5,6,61,5,64,1,65,1,31,71.163.174.184,66,71.163.174.184,25,311 1 192.168.0.3 03/13/2007 03:43:41 4,44,251,8,192.168.0.103,12,1400,50,7,51,1,55,1173874538,45,2,40,1,4108,192.168.0.3,4147,311,4148,MSRASV5.20,4160,MSRASV5.10,4159,MSRAS-0-DC0H6341,4120,0x00736F6C7574696F6E73,4294967206,4,4154,Use Windows authentication for all users,4136,4,4142,0
NAS-IP-Address : 192.168.0.3
User-Name : SOLUTIONS\Debbie
Record-Date : 03/14/2007
Record-Time : 08:15:38
Service-Name : RAS
Computer-Name : S
NAS-IP-Address : 192.168.0.3
Service-Type : Framed
Framed-Protocol : PPP
NAS-Port : 6
NAS-Port-Type : Virtual
Tunnel-Type : PPTP
Tunnel-Medium-Type : IP
Calling-Station-Id : 71.163.174.184
Tunnel-Client-Endpt : 71.163.174.184
Class : 311 1 192.168.0.3 03/13/2007 03:43:41 4
Acct-Session-Id : 251
Framed-IP-Address : 192.168.0.103
Framed-MTU : 1400
Acct-Multi-Session-Id: 7
Acct-Link-Count : 1
Event-Timestamp : 1173874538
Acct-Authentic : Local
Acct-Status-Type : Start
Client-IP-Address : 192.168.0.3
MS-RAS-Vendor : Microsoft
MS-RAS-Version : MSRASV5.20
MS-RAS-Client-Version: MSRASV5.10
MS-RAS-Client-Name : MSRAS-0-DC0H6341
MS-CHAP-Domain : 0x00736F6C7574696F6E73
MS-MPPE-Encryption-Types: Strongest Encryption
Proxy-Policy-Name : Use Windows authentication for all users
Packet-Type : Accounting-Request
Reason-Code : The operation completed successfully.
DeepSoftware.Com also offers a tool for analyzing the IAS log files called IAS Log Viewer. IAS Log Viewer has a GUI and displays the data in a format that makes it much easier to track logins (see Sample Screenshot). The cost for the software, which is shareware, was $49.32 as of March 14, 2007. You can download a trial version to test the capabilities of the software. The trial version of IAS Log Viewer has a nag screen that reminds you to register and has a limitation on the number of lines in reports. If you need to analyze the log files on a regular basis, I would recommend purchasing IAS Log Viewer.
References:
Created: Thursday March 15, 2007
