1. Understanding the Traffic

One of the main things you need to be aware of before you start monitoring your sessions is how the traffic flows. In part 1 of this walkthrough I gave (in figure 1) a brief explanation of the traffic. The following Network Monitor (netmon) trace was taken on the internal interface of the IAG Server; the idea is to show what happens in each phase of the process:

Phase 1 – User authenticates to the IAG Portal

In this phase the following packets are exchanged between the IAG and the Domain Controller (columns: source, destination, protocol, description):

Source  Destination  Protocol    Description
IAG     DC           LDAP        LDAP: Search Request, MessageID: 35, BaseObject: NULL, SearchScope: base Object, SearchAlias: neverDerefAliases
DC      IAG          LDAP        LDAP: Search Result Entry, MessageID: 35, Status: Success
IAG     DC           LDAP        LDAP: Search Request, MessageID: 36, BaseObject: NULL, SearchScope: base Object, SearchAlias: neverDerefAliases
DC      IAG          LDAP        LDAP: Search Result Entry, MessageID: 36, Status: Success
IAG     DC           KerberosV5  KerberosV5: AS Request Cname: administrator Realm: contoso.com Sname: krbtgt/contoso.com
DC      IAG          KerberosV5  KerberosV5: AS Response Ticket[Realm: CONTOSO.COM, Sname: krbtgt/CONTOSO.COM]
IAG     DC           KerberosV5  KerberosV5: TGS Request Realm: CONTOSO.COM Sname: ldap/DC
DC      IAG          KerberosV5  KerberosV5: KRB_ERROR  - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
IAG     DC           LDAP        LDAP: Bind Request, MessageID: 37, Version: 3
DC      IAG          NTLMSSP     NTLMSSP: 200 Bytes
IAG     DC           LDAP        LDAP: Bind Request, MessageID: 38, Version: 3
DC      IAG          LDAP        LDAP: Bind Response, MessageID: 38, Status: Success
IAG     DC           LDAP        LDAP: , MessageID: 0

As you can see, first comes the LDAP query, then the Kerberos authentication, and then the LDAP bind to the directory. Note that in this particular capture the TGS request for ldap/DC is answered with KDC_ERR_S_PRINCIPAL_UNKNOWN, and the bind request that follows is accompanied by an NTLMSSP exchange, so the bind completed with NTLM rather than Kerberos. This sequence can vary; it depends on the authentication method you are using.

Phase 2 – Accessing the Terminal Server

Source  Destination  Protocol    Description
IAG     DC           RDP         RDP
DC      IAG          RDP         RDP
DC      IAG          RDP         RDP
DC      IAG          RDP         RDP
DC      IAG          RDP         RDP

The IAG Server accesses the Terminal Server internally on port 3389. This is the default port; if you change the port on the Terminal Server you also need to change it on the application portal.
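To make the two phases above easier to read as one sequence, here is a small Python script (an added example, not part of the original post and not IAG or Network Monitor code) that parses summary rows in the Source / Destination / Protocol / Description form shown above, counts the LDAP searches of phase 1, records the Kerberos AS result and any KRB_ERROR together with the SPN that was requested just before it, flags an NTLMSSP exchange that appears after a Kerberos failure, and counts the RDP frames of phase 2. The sample rows are the ones quoted in the post, embedded as a constructed string; the row layout and the summary field names are assumptions of this example.

```python
"""Summarise an IAG-to-DC / Terminal Server Netmon trace by phase.

Added example: parses whitespace-separated summary rows (source,
destination, protocol, description) and reconstructs the authentication
sequence the post describes. Not IAG or Network Monitor code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the summary rows quoted in the post, one frame per line.
SAMPLE_TRACE = """\
IAG DC LDAP LDAP: Search Request, MessageID: 35, BaseObject: NULL, SearchScope: base Object, SearchAlias: neverDerefAliases
DC IAG LDAP LDAP: Search Result Entry, MessageID: 35, Status: Success
IAG DC LDAP LDAP: Search Request, MessageID: 36, BaseObject: NULL, SearchScope: base Object, SearchAlias: neverDerefAliases
DC IAG LDAP LDAP: Search Result Entry, MessageID: 36, Status: Success
IAG DC KerberosV5 KerberosV5: AS Request Cname: administrator Realm: contoso.com Sname: krbtgt/contoso.com
DC IAG KerberosV5 KerberosV5: AS Response Ticket[Realm: CONTOSO.COM, Sname: krbtgt/CONTOSO.COM]
IAG DC KerberosV5 KerberosV5: TGS Request Realm: CONTOSO.COM Sname: ldap/DC
DC IAG KerberosV5 KerberosV5: KRB_ERROR  - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
IAG DC LDAP LDAP: Bind Request, MessageID: 37, Version: 3
DC IAG NTLMSSP NTLMSSP: 200 Bytes
IAG DC LDAP LDAP: Bind Request, MessageID: 38, Version: 3
DC IAG LDAP LDAP: Bind Response, MessageID: 38, Status: Success
IAG DC LDAP LDAP: , MessageID: 0
IAG DC RDP RDP
DC IAG RDP RDP
DC IAG RDP RDP
DC IAG RDP RDP
DC IAG RDP RDP
"""


@dataclass
class Frame:
    src: str
    dst: str
    proto: str
    desc: str


def parse_trace(text: str) -> list[Frame]:
    """Split each summary row into source, destination, protocol, description.
    The description is everything after the third column and may be empty."""
    frames = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue  # blank or truncated row
        src, dst, proto = parts[:3]
        desc = parts[3] if len(parts) == 4 else ""
        frames.append(Frame(src, dst, proto, desc))
    return frames


def summarize_auth(frames: list[Frame]) -> dict:
    """Reconstruct the phase 1 / phase 2 sequence: LDAP search, Kerberos
    AS/TGS, LDAP bind (possibly via NTLM), then the RDP frames."""
    summary = {
        "ldap_searches": 0,
        "as_ticket_issued": False,
        "kerberos_errors": [],  # list of (error name, SPN requested before it)
        "ntlm_fallback": False,
        "bind_success": False,
        "rdp_frames": 0,
    }
    last_tgs_spn = None
    saw_krb_error = False
    for f in frames:
        if f.proto == "LDAP":
            if "Search Request" in f.desc:
                summary["ldap_searches"] += 1
            elif "Bind Response" in f.desc and "Status: Success" in f.desc:
                summary["bind_success"] = True
        elif f.proto == "KerberosV5":
            if "AS Response" in f.desc and "Ticket[" in f.desc:
                summary["as_ticket_issued"] = True
            elif "TGS Request" in f.desc:
                m = re.search(r"Sname: (\S+)", f.desc)
                last_tgs_spn = m.group(1) if m else None
            elif "KRB_ERROR" in f.desc:
                m = re.search(r"(KDC_ERR_\w+)", f.desc)
                name = m.group(1) if m else "KRB_ERROR"
                summary["kerberos_errors"].append((name, last_tgs_spn))
                saw_krb_error = True
        elif f.proto == "NTLMSSP" and saw_krb_error:
            # NTLM appearing after a Kerberos failure: the bind fell back to NTLM.
            summary["ntlm_fallback"] = True
        elif f.proto == "RDP":
            summary["rdp_frames"] += 1
    return summary


def bind_method(summary: dict) -> str:
    """Name the method the LDAP bind ended up using, as far as the rows show."""
    if not summary["bind_success"]:
        return "bind failed or not seen"
    if summary["ntlm_fallback"]:
        return "NTLM (fallback after Kerberos error)"
    if summary["as_ticket_issued"] and not summary["kerberos_errors"]:
        return "Kerberos"
    return "undetermined"


if __name__ == "__main__":
    result = summarize_auth(parse_trace(SAMPLE_TRACE))
    for key, value in result.items():
        print(f"{key}: {value}")
    print("bind method:", bind_method(result))
```

Run against a real capture, the script only needs the summary rows exported in the same four-column layout; the thing worth looking for on a defender's side is the `ntlm_fallback` flag, because it tells you the LDAP bind did not complete with Kerberos even though a TGT was issued.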

3. What is currently active?

The Web Monitor is the tool you use on the server side to monitor the sessions that are in use. To access it, launch the IAG Configuration, go to Admin and click Web Monitor. The screen will look like the one below:

Figure 1 – Web Monitor.

On the right side you have the options that are used most; for this demonstration, click Active Sessions under Session Monitor. On the right side you will then see a table like the one below:

Figure 2 – Session Monitor.

If you click on the session ID UID (Unique Identifier) you will see more details about that particular session. One of the most valuable pieces of information available after clicking the session ID link is the endpoint information.

Figure 3 – Session Details.

As you can see, the endpoint information gives deep detail about the client that is accessing the portal. You can even see which antivirus product the client workstation is running.

4. Terminating the Session

To terminate a session, click Active Sessions under User Monitor; on the right side you will see the session ID and the option to terminate it.

Figure 4 – Terminating the session.

5. Reviewing the Session on the Client Side

On the client side you can also easily identify the Terminal Server session by using the Portal Activity view. To do that, click the Activity button:

Figure 5 – Session on the client side.

If you have multiple applications open you will be able to see which applications were launched and which connection is handling each of them.