Hi guys! Is it possible to run a report that shows all the users that have a VPN connection. The Username, the date and the time they spent online as well as the duration? Also, how can I check if anybody is getting into our domain from outside, ie intruders? Thanks a stack!~vCb~
It would be difficult to generate a report from this data, but you can open the RRAS snap-in > properties of your ISA/RRAS box > Logging tab > check the box to Log All Events. Then look in the System event log for events from the "RemoteAccess" source, e.g., event ID 20194, after VPN users have connected and disconnected normally.
If you do want to extract that event log data and search it somehow, try using the script named "WMI_ADO_DumpEventLog.vbs" from www.ISAscripts.org (it's in the zip file). This can dump local/remote event logs to a comma-separated values file that can be easily searched or imported into Excel. There're some sample search batch scripts in that zip for extracting useful auditing data, e.g., for normal/failed logons, user accounts created, group memberships modified, etc.
On that web site is another script named "RRAS_Account_Lockout.vbs" which is used to help thwart password-guessing attacks against your ISA VPN gateway (see the KB article it mentions for more info).
Finally, you'll also find a script named "ISA_LogParser.vbs" which demos a variety of ways to run SQL queries against ISA text logs to get useful auditing data. You can modify the sample queries inside that script to extract data pertaining just to traffic to/from the VPN Clients network. However, this will require being fairly SQL-savvy, which isn't very fun if you're not already into that sort of thing...but, hey, it's free... :-)