Checking User VPN Connections on SBS 2003

You can determine who is connected to a Windows Small Business Server (SBS) 2003 system from home using a VPN connection, by taking the following steps:

  1. Click on Start.
  2. Click on All Programs.
  3. Select Administrative Tools.
  4. Select Routing and Remote Access.
  5. You will see the remote access clients in the right-hand pane of the Routing and Remote Access window.

    RRAS clients

    The window will show the username and the amount of time the user has been connected.

If you want to see the IP address assigned to the user you can right-click on the user's connection and choose Status.

Status

You will see the VPN IP address assigned to the user's system in the IP address field under "Network registration".

You may be able to obtain further information on the connecting system using the nbtstat command.

C:\>nbtstat -A 192.168.0.103

Server Local Area Connection:
Node IpAddress: [192.168.0.3] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    DC0H6341       <00>  UNIQUE      Registered
    MSHOME         <00>  GROUP       Registered
    DC0H6341       <20>  UNIQUE      Registered
    MSHOME         <1E>  GROUP       Registered

    MAC Address = 00-53-45-00-00-00


RAS Server (Dial In) Interface:
Node IpAddress: [192.168.0.108] Scope Id: []

    Host not found.

In this case, I can see the user's home system is named "DC0H6341". The server assigned the address 192.168.0.103 to her system (the server is using 192.168.0.108 for itself). If I see future connections from the same user I would expect to see the same system name listed, if I issue an nbtstat command against the IP address assigned to the user's computer when the VPN connection is established.

Since there is only one connection to the VPN server at this time, I can also easily determine the user's actual IP address, the one assigned by her ISP, by using the netstat -a and find commands.

C:\>netstat -a | find "pptp" | find "ESTABLISHED"
  TCP    S:pptp                 pool-71-163-174-184.washdc.fios.verizon.net:2193  ESTABLISHED

In this case, I am looking for PPTP connections, since PPTP is a network protocol used for the connections. The port used on the server for the connections is TCP port 1723, which netstat displays by name as "pptp". I could therefore also use the -n option with the netstat command to look for connections to that port. That shows the IP address assigned to the user's system, or at least her router in this case, rather than its Fully Qualified Domain Name (FQDN), which happens to be pool-71-163-174-184.washdc.fios.verizon.net here.

C:\>netstat -an | find ":1723" | find "ESTABLISHED"
  TCP    192.168.0.3:1723       71.163.174.184:2193    ESTABLISHED

I looked for ":1723", since I just wanted to see connections to port 1723 and not other ports that might have "1723" as part of the port number, e.g. "4173".

If I ran the same nbtstat -A command against her ISP-assigned address, instead of the address assigned by the VPN server, I would get a "Host not found" response, since the query would be blocked by the router at her end and would not get passed to her PC.

C:\>nbtstat -A 71.163.174.184

Server Local Area Connection:
Node IpAddress: [192.168.0.3] Scope Id: []

    Host not found.

RAS Server (Dial In) Interface:
Node IpAddress: [192.168.0.108] Scope Id: []

    Host not found.

If you want to review the ISP-assigned IP addresses from which users have been connecting, you can look in the logfile maintained for the connections. You can find its location by double-clicking on Remote Access Logging in the Routing and Remote Access window.

Remote Access Logging

For further details, right-click on Local File in the right pane of the window after you have clicked on Remote Access Logging in the left pane. Then select Properties and click on the LogFile tab to see information on the format being used for the logfile as well as how often a new logfile is created.

Iaslog.log properties

In this case the logfiles are in C:\WINDOWS\system32\LogFiles. When I look in that directory, I see iaslog0.log.

If you look in the logfile, you may find it hard to parse the contents of the file manually. There are tools to help you. Microsoft offers one, iasparse.exe, on Disc # 2 of the installation CDs for Windows Small Business Server 2003 Standard Edition. Look in the folder \Support\Tools on Disc # 2. You will see a file there named SUPTOOLS.MSI. Double-click on that file and follow the installer's instructions to install the tools, or, if you just want the iasparse.exe tool, double-click on the SUPPORT.CAB file in the same directory and copy iasparse.exe to a location on the system's hard disk.

The tool is run from a command line. For usage information type iasparse /?

C:\Program Files\SysMgmt\Support Tools>iasparse /?
USAGE: iasparse [-f:filename] [-p] [-?]
-f:filename    Parses the file 'filename'
               By default iasparse parses the file %windir%\system32\logfiles\iaslog.log

-p             Gives an output to screen directly. Set the Log File Directory to \\.\pipe
-?             Displays help

If you get the error message below, then you will need to specify the filename for the logfile, since it isn't the default name of iaslog.log, e.g. it may be iaslog0.log.

C:\Program Files\SysMgmt\Support Tools>iasparse
The Accounting log file "C:\WINDOWS\system32\LogFiles\iaslog.log" cannot be opened.
Processing cannot continue!

You can specify the location of the file with the -f: option, e.g. iasparse -f:\windows\system32\logfiles\iaslog0.log. You will probably also want to redirect the output to a file that you can view with Notepad or some other editor, since you are likely to see a lot of entries scrolling by very rapidly on the screen otherwise, e.g. you can use iasparse -f:\windows\system32\logfiles\iaslog0.log >out.txt

You will then have results that are easier to read than the raw logfile. You will still see the individual lines of raw data logged in the file, but below each line is the information in a tabular format that is easier to read, as shown below:


The line logged into the file: 192.168.0.3,SOLUTIONS\Debbie,03/14/2007,08:15:38,RAS,S,4,192.168.0.3,6,2,7,1,5,6,61,5,64,1,65,1,31,71.163.174.184,66,71.163.174.184,25,311 1 192.168.0.3 03/13/2007 03:43:41 4,44,251,8,192.168.0.103,12,1400,50,7,51,1,55,1173874538,45,2,40,1,4108,192.168.0.3,4147,311,4148,MSRASV5.20,4160,MSRASV5.10,4159,MSRAS-0-DC0H6341,4120,0x00736F6C7574696F6E73,4294967206,4,4154,Use Windows authentication for all users,4136,4,4142,0

 NAS-IP-Address      : 192.168.0.3
 User-Name           : SOLUTIONS\Debbie
 Record-Date         : 03/14/2007
 Record-Time         : 08:15:38
 Service-Name        : RAS
 Computer-Name       : S
 NAS-IP-Address      : 192.168.0.3
 Service-Type        : Framed
 Framed-Protocol     : PPP
 NAS-Port            : 6
 NAS-Port-Type       : Virtual
 Tunnel-Type         : PPTP
 Tunnel-Medium-Type  : IP
 Calling-Station-Id  : 71.163.174.184
 Tunnel-Client-Endpt : 71.163.174.184
 Class               : 311 1 192.168.0.3 03/13/2007 03:43:41 4
 Acct-Session-Id     : 251
 Framed-IP-Address   : 192.168.0.103
 Framed-MTU          : 1400
 Acct-Multi-Session-Id: 7
 Acct-Link-Count     : 1
 Event-Timestamp     : 1173874538
 Acct-Authentic      : Local
 Acct-Status-Type    : Start
 Client-IP-Address   : 192.168.0.3
 MS-RAS-Vendor       : Microsoft
 MS-RAS-Version      : MSRASV5.20
 MS-RAS-Client-Version: MSRASV5.10
 MS-RAS-Client-Name  : MSRAS-0-DC0H6341
 MS-CHAP-Domain      : 0x00736F6C7574696F6E73
 MS-MPPE-Encryption-Types: Strongest Encryption
 Proxy-Policy-Name   : Use Windows authentication for all users
 Packet-Type         : Accounting-Request
 Reason-Code         : The operation completed successfully.
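
The raw line above is six fixed fields followed by attribute-ID/value pairs, so the ISP-side addresses each user connected from can also be pulled out with a short script. The following Python is an added example, not part of the original page or of iasparse; the function names are hypothetical, the attribute IDs are read off the raw line and iasparse output above, and every sample line after the first is constructed.

```python
import csv
from collections import defaultdict

# Fixed leading fields; attribute IDs read off the page's raw line and iasparse output.
HEADER = ("NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
          "Service-Name", "Computer-Name")
ATTR = {"31": "Calling-Station-Id", "8": "Framed-IP-Address",
        "40": "Acct-Status-Type", "4159": "MS-RAS-Client-Name",
        "4120": "MS-CHAP-Domain"}

# First line is the record quoted on the page; the rest are constructed samples.
SAMPLE = [
    r"192.168.0.3,SOLUTIONS\Debbie,03/14/2007,08:15:38,RAS,S,4,192.168.0.3,6,2,7,1,5,6,61,5,64,1,65,1,31,71.163.174.184,66,71.163.174.184,25,311 1 192.168.0.3 03/13/2007 03:43:41 4,44,251,8,192.168.0.103,12,1400,50,7,51,1,55,1173874538,45,2,40,1,4108,192.168.0.3,4147,311,4148,MSRASV5.20,4160,MSRASV5.10,4159,MSRAS-0-DC0H6341,4120,0x00736F6C7574696F6E73,4294967206,4,4154,Use Windows authentication for all users,4136,4,4142,0",
    r"192.168.0.3,SOLUTIONS\Debbie,03/15/2007,19:02:11,RAS,S,31,203.0.113.7,8,192.168.0.104,40,1",
    r"192.168.0.3,SOLUTIONS\Debbie,03/15/2007,19:40:00,RAS,S,31,203.0.113.7,40,2",
    r"192.168.0.3,SOLUTIONS\Debbie,03/15/2007,19:41",  # truncated write
]

def parse_line(line):
    """Return one IAS-format record as a dict, or None if it is malformed."""
    fields = next(csv.reader([line.strip()]), [])
    body = fields[len(HEADER):]
    if len(fields) < len(HEADER) or len(body) % 2:
        return None  # too short, or an attribute ID without its value
    rec = dict(zip(HEADER, fields))
    for attr_id, value in zip(body[0::2], body[1::2]):
        if attr_id in ATTR:
            rec[ATTR[attr_id]] = value
    domain = rec.get("MS-CHAP-Domain", "")
    if domain.startswith("0x"):  # logged as hex with a leading NUL byte
        try:
            raw = bytes.fromhex(domain[2:])
            rec["MS-CHAP-Domain"] = raw.lstrip(b"\x00").decode("ascii", "replace")
        except ValueError:
            pass  # keep the raw value if it is not valid hex
    return rec

def sources_by_user(lines):
    """Map each user to the ISP-side addresses seen in session Start records."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        # Acct-Status-Type 1 is what iasparse prints as "Start" above.
        if rec.get("Acct-Status-Type") == "1" and "Calling-Station-Id" in rec:
            seen[rec["User-Name"]].add(rec["Calling-Station-Id"])
    return dict(seen)

if __name__ == "__main__":
    for user, addrs in sources_by_user(SAMPLE).items():
        print(user, sorted(addrs))
```

To run it against a real log, pass the lines of iaslog0.log to sources_by_user in place of SAMPLE; an address that a user has never connected from before is worth a closer look.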

DeepSoftware.Com also offers a tool for analyzing the IAS log files called IAS Log Viewer. IAS Log Viewer has a GUI and displays the data in a format that makes it much easier to track logins (see Sample Screenshot). The cost for the software, which is shareware, was $49.32 as of March 14, 2007. You can download a trial version to test the capabilities of the software. The trial version of IAS Log Viewer has a nag screen that reminds you to register and has a limitation on the number of lines in reports. If you need to analyze the log files on a regular basis, I would recommend purchasing IAS Log Viewer.


 


Created: Thursday March 15, 2007