Real Time Web Monitoring with GFI’s Web Monitor 2 for ISA Firewalls
By Thomas W Shinder MD, MVP
Product: GFI WebMonitor for ISA Server
Something I’ve heard ISA firewall administrators complain a lot about is the inability to stop users from downloading large files and disconnect individual users from specific Web sites. For example, you might notice that Internet performance isn’t very good. If you could identify a user or collection of users downloading large files, you could immediately disconnect the user’s download and then create a firewall policy preventing them from doing so again.
We had a lot of hope that ISA 2004 firewalls would include this type of monitor. While ISA 2004 firewalls include a real time logging facility that allows you to see all the log file entries recorded in real time, and filter those real time entries to spot specific types of connections you’re interested in, there still is no facility within the ISA 2004 firewall package that makes it easy to spot inappropriate Web access and file downloads.
I should say there wasn’t an easy way to do this until now. The GFI WebMonitor 2 for ISA Server provides exactly what you’ve been looking for. It’s the perfect solution for any ISA firewall admin who needs to take control over downloads and Internet access, and do it in a way that’s virtually transparent to the user. You don’t have to get on the phone and harass the user (who’s going to ignore you anyhow) to get him to stop heavy downloading.
Here are some of the things you can do with the GFI Web Monitor:
- View Web access, including HTTP and FTP downloads, in real time and disconnect those sessions in real time.
- View a URL history of all Web connections made by all users. You’ll see a list of URLs, the number of hits each URL has received, the file types accessed and the user name or IP address of the machine that accessed the URL.
- View a User History, so that you can see the specific URLs accessed by each user. If the user didn’t authenticate with the ISA firewall, then you’ll see a list of URLs visited by the IP address of the machine that made the connection.
- View a chronological history of URLs accessed through the ISA firewall. You’ll see the user name, IP address of the machine the user used, the number of bytes transferred, the type of content (file extension or MIME type) and the exact URL accessed.
View and Control Web Access in Real Time
You’ve noticed that the Web has slowed down and you’re getting calls from users complaining about slow Web performance. Without GFI’s Web Monitor 2 for ISA Server, you would have to go through the ISA 2004 real time log monitor and try to guess what type of Web access was slowing things down and then disconnect that user from another location in the console. With GFI’s Web Monitor 2 for ISA Server, it’s a no-brainer to find out what’s going on and stop the user in his tracks.
For example, suppose you maintain a SUS server on your network. This allows you to download system updates once and have users connect to the SUS server to obtain their updates. This saves a lot of bandwidth, since your users don’t need to download system updates over and over again over the Internet.
The problem is that not all your users are aware of this and try to go to the Web to access system updates. You haven’t implemented SUS Group Policy, so you depend on your users doing the right thing. Now the Web is slow and you have to find out what the problem is. Open GFI Web Monitor 2 and take a look.
Here we see that a domain user tshinder is downloading a file with the MIME type of application/octet-stream, which indicates that he’s possibly downloading files. Notice the red "x" on the right side of the page? We’ll use that to stop the download in progress.
Before we whack this user’s session, let’s scroll to the right of the page and see the precise URL the user is connected to. Looks like this user is downloading Windows XP Service Pack 1a, which is about 125 MB. We’ll have none of that! We need to stop the download by clicking the red "x".
You’re asked if you really want to stop the download. Click OK and the download is disconnected. Just remember to block the URL using a Destination Set (ISA Server 2000) or URL Set (ISA Server 2004) so that the users don’t go downloading the same thing again.
Easily View URL Popularity and Activity
GFI’s WebMonitor 2 for ISA Server also allows you to see a complete history of the URLs visited by your users. This is great for giving you a "birds-eye" view of what all your users have been up to during the day. Using the URL History feature, you can see the URLs visited, the number of hits each URL has received, the file type the user accessed, and the user name or IP address of the host accessing the site. If multiple users have accessed the same URL, then you’ll see a number next to the user’s name and the number of hits that user has made to the URL.
For example, in the figure below you can see that tshinder and Administrator have been to the www.isaserver.org Web site. tshinder has 25 hits to the site and Administrator has 51 hits. This is a sign of a well-run shop, because most of the hits in this organization are being made to www.isaserver.org. You can also see that there are a total of 47 hits to the www.gfi.com Web site and that Administrator has generated all of these hits.
Drill Down on Activity Generated by Specific Users
While the URL History feature is very good at giving you the big picture, you’re going to need to drill down and see what specific users are doing on the Web. For example, your boss tells you he needs a list of sites a problematic employee has been visiting today. You could use the ISA Server 2004 log viewer and filter for connections attributed to that user’s account, but then you’ll need to figure out how to export those entries to a text file and then format them for the boss so that the information is easy to interpret.
A better solution is to use the GFI WebMonitor 2 for ISA Server. Suppose tshinder is the problem employee. We can go to WebMonitor 2 and click the Users history tab and see what appears in the figure below. Here we see that tshinder has generated a total of 141 hits. We also see a graph showing his daily web usage based on time of day. On the right side of the page there is a list of specific servers (FQDNs) he’s been visiting and the number of hits generated at each server (or site).
If we click on the 25 under the # column, we see the exact sites he’s visited and the number of hits he’s generated at each site. The page is rendered in a very easy to read and interpret format, so you can print it out as is and give it to your boss. Nice!
Get a Chronological View of Web Site Access through the ISA Firewall
You may want to see what sites have been visited recently. GFI’s WebMonitor 2 can show you a list of URLs that have been visited in chronological order. You can quickly look at the list and drill down on the day and time you’re most interested in.
The figure below shows a list of URLs accessed, listed in chronological order. You also see the user who initiated the connection, the source IP address, the Bytes transferred, the type of resource accessed and the complete URL.
GFI WebMonitor 2 fills an important gap in the ISA Server 2004 and ISA Server 2000 firewall feature set. WebMonitor 2 is a dream come true for ISA firewall administrators who want total control over their users’ Web and FTP access. You can now view in real time, on a per-user basis, what Web sites and content are being downloaded by users protected by ISA 2000 and ISA 2004 firewalls. We’ve been using WebMonitor 2 in our of our ISA 2004 installations and wouldn’t be without it. WebMonitor 2 is a one-of-a-kind utility for ISA firewalls and we give it 5 stars as a must-have add-on for every ISA 2000 and ISA 2004 installation.
ISAserver.org Rating 5/5
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=20;t=000197 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom