1. Understanding the Traffic
One of the main things you need to be aware of before you start monitoring your sessions is how the traffic works. In part 1 of this walkthrough I gave (in figure 1) a brief explanation of the traffic. The following Netmon trace was taken from the internal interface of the IAG server; the idea is to show what happens in each phase of the process:
Phase 1 – User authenticates to the IAG Portal
In this phase the following packets are exchanged between the IAG and the Domain Controller:
IAG DC LDAP LDAP: Search Request, MessageID: 35, BaseObject: NULL, SearchScope: base Object, SearchAlias: neverDerefAliases
DC IAG LDAP LDAP: Search Result Entry, MessageID: 35, Status: Success
IAG DC LDAP LDAP: Search Request, MessageID: 36, BaseObject: NULL, SearchScope: base Object, SearchAlias: neverDerefAliases
DC IAG LDAP LDAP: Search Result Entry, MessageID: 36, Status: Success
IAG DC KerberosV5 KerberosV5: AS Request Cname: administrator Realm: contoso.com Sname: krbtgt/contoso.com
DC IAG KerberosV5 KerberosV5: AS Response Ticket[Realm: CONTOSO.COM, Sname: krbtgt/CONTOSO.COM]
IAG DC KerberosV5 KerberosV5: TGS Request Realm: CONTOSO.COM Sname: ldap/DC
DC IAG KerberosV5 KerberosV5: KRB_ERROR - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
IAG DC LDAP LDAP: Bind Request, MessageID: 37, Version: 3
DC IAG NTLMSSP NTLMSSP: 200 Bytes
IAG DC LDAP LDAP: Bind Request, MessageID: 38, Version: 3
DC IAG LDAP LDAP: Bind Response, MessageID: 38, Status: Success
IAG DC LDAP LDAP: , MessageID: 0
As you can see, we have the LDAP query, then the Kerberos authentication and then the LDAP bind to the directory. Note in the trace above that the TGS request for ldap/DC is answered with KRB_ERROR - KDC_ERR_S_PRINCIPAL_UNKNOWN and the bind then completes over NTLMSSP. This sequence can vary; it depends on which authentication method you are using.
Phase 2 – Accessing the Terminal Server
IAG DC RDP RDP
DC IAG RDP RDP
The IAG server accesses the Terminal Server on port 3389 internally. This is the default port; if you change the port on the Terminal Server you also need to change it in the application portal.
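As an added example (not part of the original post), the script below parses Netmon frame summaries in the layout shown in the two phases above and reports the authentication sequence, flagging the Kerberos error and the subsequent NTLM bind so an operator can spot the fallback without reading the whole trace. The sample lines are constructed from the trace above, and the assumed field layout is source, destination, protocol, description.

```python
import re
from collections import Counter

# Constructed sample in the same layout as the Netmon trace above
# (source destination protocol description). Not a real capture.
TRACE = """\
IAG DC LDAP LDAP: Search Request, MessageID: 35, BaseObject: NULL, SearchScope: base Object
DC IAG LDAP LDAP: Search Result Entry, MessageID: 35, Status: Success
IAG DC KerberosV5 KerberosV5: AS Request Cname: administrator Realm: contoso.com Sname: krbtgt/contoso.com
DC IAG KerberosV5 KerberosV5: AS Response Ticket[Realm: CONTOSO.COM, Sname: krbtgt/CONTOSO.COM]
IAG DC KerberosV5 KerberosV5: TGS Request Realm: CONTOSO.COM Sname: ldap/DC
DC IAG KerberosV5 KerberosV5: KRB_ERROR - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
IAG DC LDAP LDAP: Bind Request, MessageID: 37, Version: 3
DC IAG NTLMSSP NTLMSSP: 200 Bytes
IAG DC LDAP LDAP: Bind Request, MessageID: 38, Version: 3
DC IAG LDAP LDAP: Bind Response, MessageID: 38, Status: Success
IAG DC RDP RDP
DC IAG RDP RDP
"""

# Assumed layout: source, destination, protocol, then the rest of the line.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_trace(text):
    """Return a list of (src, dst, proto, description) tuples."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append(m.groups())
    return frames


def analyze(frames):
    """Summarise protocols and flag a Kerberos error followed by an NTLM exchange."""
    protos = Counter(proto for _, _, proto, _ in frames)
    # Index of the first KRB_ERROR frame, or None if Kerberos never failed.
    first_err = next((i for i, (_, _, p, d) in enumerate(frames)
                      if p == "KerberosV5" and "KRB_ERROR" in d), None)
    # Fallback means NTLMSSP traffic appears after that Kerberos error.
    ntlm_after_error = first_err is not None and any(
        p == "NTLMSSP" for _, _, p, _ in frames[first_err + 1:])
    return {
        "protocols": dict(protos),
        "kerberos_error": frames[first_err][3] if first_err is not None else None,
        "ntlm_fallback": ntlm_after_error,
        "rdp_seen": protos["RDP"] > 0,
    }
```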
3. What is currently active?
The Web Monitor is the tool you use on the server side to monitor the sessions that are in use. To access it, launch the IAG Configuration, go to Admin and click Web Monitor. The screen will look like the one below:
Figure 1 – Web Monitor.
On the right side you have the options that are used most; for this demonstration, let's click Active Sessions under Session Monitor. On the right side you will see a table like the one below:
Figure 2 – Session Monitor.
If you click on the session ID UID (Unique Identifier) you will see more details about that particular session. One of the most valuable pieces of information we get after clicking the session ID link is the endpoint information.
Figure 3 – Session Details.
As you can see, this endpoint information gives deep details about the client that is accessing the portal. You can even see which antivirus the client workstation is using.
4. Terminating the Session
To terminate a session, click Active Sessions under User Monitor; on the right side you will see the session ID and the option to terminate it.
Figure 4 – Terminating the session.
5. Reviewing the Session on the Client Side
On the client side you can also easily identify the Terminal Server session using the Portal Activity. To do that, click the Activity button:
Figure 5 – Session on the client side.
If you have multiple applications open, you will be able to see which applications were launched and which connection is handling each application.