All posts tagged reporting

Always On VPN RRAS Centralized Monitoring and Reporting

A while back, I wrote about the monitoring and reporting options for Windows Server Routing and Remote Access (RRAS) servers supporting Microsoft Always On VPN. In that article, I outlined how administrators can use the Routing and Remote Access Management console (rrasmgmt.msc) or the Remote Access Management console (ramgmtui.exe) to perform configuration tasks and review current user and device activity. However, neither solution is ideal in a distributed environment with multiple RRAS servers. Thankfully, there’s a new option available to address this crucial limitation today.

Centralized Reporting

I’m excited to announce the availability of a cloud-based, centralized reporting solution for Windows Server RRAS and Always On VPN from the folks at PowerON Platforms. Created by the folks that brought us the Dynamic Profile Configurator (DPC) solution for managing Always On VPN client configuration settings, PowerON Platforms’ new reporting solution allows administrators to aggregate configuration, performance, and user activity data from multiple individual RRAS servers across their organization.

Important! I’ll be joining the folks at PowerON Platforms for a webinar on Thursday, January 18 to introduce and demonstrate this new Always On VPN reporting solution. Register now!

Summary View

The Summary view page provides a consolidated high-level look at the environment’s health status and capacity of VPN servers. Administrators can quickly see if any servers are unhealthy and view current usage details to assess the capacity of the deployment.

Server Overview

The Server Overview page provides a more detailed look at individual server health status and configuration. Here, you’ll find information about the number of active and available connections and the TLS certificate status. In addition, you’ll find detailed information about provisioned CPU and RAM, disk space utilization, and system uptime. You will also see information about the size of the reporting database on disk and the number of IKEv2 and SSTP VPN ports provisioned.

VPN Server Configuration

The VPN Server Configuration page looks into the IP address pool configuration and current utilization. In addition, this page provides an in-depth look at the VPN server TLS certificate health status. Currently, configured authentication and accounting servers are also shown.

Server Performance

The Server Performance page shows granular details about resource utilization on RRAS servers. This includes CPU and memory utilization, disk space usage, and database size. Administrators can view aggregated data or select individual servers. The view can be further customized by filtering by date.

Connection History

The Connection History page details concurrent connections observed on all VPN servers. Data can be filtered by date, individual server, and user or device name.

Client Distribution

The Client Distribution page provides an intuitive graphical display of client activity by server and tunnel type. In addition, it includes details about usage by individual clients and the number of connections made by individual endpoints.

Connection Detail

The Connection Detail page allows administrators to view user activity across all servers in the organization. Once again, data can be filtered by date, individual server, and user or device name. This view provides granular details on user activity, enabling the administrator to drill down to view specific resources accessed over the VPN for individual sessions.

Data Flow

The Data Flow page displays information about data transfer through the VPN server.

Summary

The Always On VPN cloud-based centralized reporting solution for Microsoft Always On VPN by PowerON Platforms is sure to be helpful for organizations managing distributed RRAS server deployments. The reporting solution aggregates data from all RRAS servers in the enterprise, providing a holistic view of configuration, health status, and user activity in one management console. This consolidated visibility is crucial for capacity planning and configuration maintenance, making the identification of performance bottlenecks or misconfigured servers easy. Also, the ability to view certificate expiration status for all servers in the organization is sure to prevent outages. Security administrators will find the solution helpful for forensic reporting and to identify sources of data leakage and exfiltration.

You can contact PowerON Platforms and request additional information here.

More Information

Are you interested in learning more about PowerON Platforms Always On VPN reporting? Would you like an interactive solution demonstration or an evaluation license to trial the product in your environment? Fill out the form below, and I’ll contact you with more details.

Leave a comment
by Richard M. Hicks on January 9, 2024  •  Permalink
Posted in administration, Always On VPN, AOVPN, AovpnDPC, Azure, DPC, Dynamic Profile Configurator, Enterprise, enterprise mobility, Infrastructure, Microsoft, Mobility, multisite, Operational Support, Remote Access, Remote Administration, reporting, routing and remote access service, RRAS, RSAT, Security, systems management, VPN, webinar, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 9, 2024

https://directaccess.richardhicks.com/2024/01/09/always-on-vpn-rras-centralized-monitoring-and-reporting/

Inbox Accounting Database Management

The Routing and Remote Access Service (RRAS) role in Windows Server is a popular VPN server choice for administrators deploying Windows Always On VPN. It is easy to configure, scales well, and is cost-effective. After installing RRAS, administrators can optionally enable inbox accounting to log historical data and generate user access and activity reports as described in Always On VPN RRAS Monitoring and Reporting.

Inbox Accounting Database

A Windows Internal Database (WID) is automatically installed and configured for data storage when inbox accounting is enabled.

WID is nothing more than a basic instance of Microsoft SQL Server. As such, the database will require periodic maintenance to perform optimally.

Inbox Accounting Database Management Scripts

I have created a series of PowerShell scripts to address the inbox accounting database management requirements for organizations using Windows Server RRAS. Scripts are available to perform the following inbox accounting database management tasks.

  • Optimize the inbox accounting database.
  • View the size of the inbox accounting database files.
  • Compress the size of the inbox accounting database.
  • Back up the inbox accounting database to a file on disk.
  • Restore the inbox accounting database from a backup file.
  • Move the inbox accounting database file to a different location.
  • Remove the inbox accounting database.

Optimize Database

A known issue with the inbox accounting database can result in high CPU and memory utilization for very busy RRAS VPN servers. Specifically, a crucial index is missing from one of the tables in the logging database. This issue persists in Windows Server 2022. To correct this issue, download and run the following PowerShell script on each RRAS VPN server in the organization.

Optimize-InboxAccountingDatabase.ps1

View Database Size

The database can grow rapidly depending on how busy the RRAS server is. Administrators can view the current database file sizes by downloading and running the following PowerShell script on the RRAS server.

Get-InboxAccountingDatabaseSize.ps1

Compress Database

Over time, the database can become fragmented, decreasing performance. Compressing the database can improve performance and result in significant recovery of disk space. To compress the inbox accounting database, download and run the following PowerShell script on each RRAS server in the organization.

Compress-InboxAccountingDatabase.ps1

In this example, compressing the database reduced its size by more than 8MB, resulting in a nearly 70% reduction in disk space usage.

Backup Database

Administrators may wish to back up the inbox accounting database before purging older records from the inbox accounting database. Also, backing up the database preservers access records when migrating to a new server. To back up the inbox accounting database, download and run the following PowerShell script on each RRAS server in the organization.

Backup-InboxAccountingDatabase.ps1

Restore Database

Naturally, to restore the inbox accounting database from a previous backup, administrators can download and run the following PowerShell script.

Restore-InboxAccountingDatabase.ps1

Restoring a database from backup will erase all records in the current database. It does not append. Proceed with caution!

Move Database Files

Inbox accounting database and log files are located in C:\Windows\DirectAccess\Db by default.

However, storing database and log files on the system drive is not ideal. A better alternative is to place the inbox accounting database and log files on a separate disk for optimum performance. To move the inbox accounting database, download and run the following PowerShell script on each VPN server in the organization.

Move-InboxAccountingDatabase.ps1

Moving inbox accounting files may not be formally supported by Microsoft. Use caution when making this change.

Remove Database

Occasionally an inbox accounting database becomes corrupt and can no longer be managed. If this happens, completely removing the database is required. It is essential to know that simply disabling and re-enabling inbox accounting on the VPN server does not delete the database. To delete the database completely, download and run the following PowerShell script.

Remove-InboxAccountingDatabase.ps1

PowerShell Module

To simplify things, the PowerShell scripts described in this article are available in a PowerShell module that can be installed from the PowerShell gallery using the following command.

Install-Module InboxAccountingDatabaseManagement

Additional Information

Windows Always On VPN RRAS Inbox Accounting Database Management PowerShell Module

Windows Always On VPN RRAS Monitoring and Reporting

Windows Always On VPN PowerShell Scripts on GitHub

3 Comments
by Richard M. Hicks on March 21, 2022  •  Permalink
Posted in administration, Always On VPN, AOVPN, DirectAccess, Enterprise, enterprise mobility, GitHub, Mobility, Operational Support, PowerShell, Remote Access, reporting, routing and remote access service, RRAS, VPN, Windows 10, Windows 11, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 21, 2022

https://directaccess.richardhicks.com/2022/03/21/inbox-accounting-database-management/

Always On VPN RRAS Monitoring and Reporting

Always On VPN RRAS Monitoring and ReportingWindows Server with the Routing and Remote Access Service (RRAS) role installed is a popular choice for Windows 10 Always On VPN deployments. Configuring RRAS is commonly performed using the RRAS management console but it can also be configured using PowerShell and/or netsh. In addition, there are a few different options for natively monitoring server health and client connection status.

RRAS Management Console

After installing the RRAS role, the administrator uses the RRAS management console (rrasmgmt.msc) to perform initial configuration. The RRAS management console can also be used to view client connection status by expanding the server and highlighting Remote Access Clients.

Connection Details

To view connection details for a specific connection, the administrator can right-click a connection and choose Status, or simply double-click the connection.

High level information about the connection including duration, data transfer, errors, and IP address assignment can be obtained here. In addition, the administrator can terminate the VPN connection by clicking the Disconnect button.

RRAS Management Console Limitations

Using the RRAS management console has some serious limitations. It offers only limited visibility into client connectivity status, for example. In addition, the client connection status does not refresh automatically. Also, the RRAS management console offers no historical reporting capability.

Remote Access Management Console

The Remote Access Management console (ramgmtui.exe) will be familiar to DirectAccess administrators and is a better option for viewing VPN client connectivity on the RRAS server. It also offers more detailed information on connectivity status and includes an option to enable historical reporting.

Dashboard

The Dashboard node in the Remote Access Management console provides high-level status for various services associated with the VPN server. It also provides a high-level overview of aggregate VPN client connections.

Operations Status

The Operations Status node in the Remote Access Management console provides more detailed information regarding the status of crucial VPN services. Here the administrator will find current status and information about service uptime.

Remote Client Status

The Remote Client Status node in the Remote Access Management console is where administrators will find detailed information about client connectivity. Selecting a connection will provide data about the connection including remote IP addresses, protocols, and ports accessed by the remote client, in addition to detailed connection information such as authentication type, public IP address (if available), connection start time, and data transferred.

Always On VPN RRAS Monitoring and Reporting

Double-clicking an individual connection brings up a detailed client statistics page for the connection, as shown here.

Always On VPN RRAS Monitoring and Reporting

Custom View

The Remote Access Management console includes the option to customize the data presented to the administrator. To view additional details about client connections, right-click anywhere in the column headings to enable or disable any of the fields as required.

Always On VPN RRAS Monitoring and Reporting

Recommended Columns

From personal experience I recommend adding the following columns in the Remote Access Management console.

  • IPv4 Address (this is the IP address assigned to the VPN clients by RRAS)
  • Connection Start Time
  • Authentication Method
  • Total Bytes In
  • Total Bytes Out
  • Rate

Always On VPN RRAS Monitoring and Reporting

Drawbacks

The only real drawback to using the Remote Access Management console is that it supports viewing connections from just one VPN server at a time. If you have multiple RRAS servers deployed, you must retarget the Remote Access Management console each time to view connections on different VPN servers in the organization.

You can retarget the Remote Access Management console at any time by highlighting the Configuration node in the navigation pane and then clicking the Manage a Remote Server link in the Tasks pane.

Always On VPN RRAS Monitoring and Reporting

Reporting

Remote Access reporting is not enabled by default on the RRAS VPN server. Follow the steps below to enable historical reporting for RRAS VPN connections.

1. Highlight the Reporting node in the Remote Access Management console.
2. Click Configure Accounting.
3. Uncheck Use RADIUS accounting.
4. Check Use inbox accounting.
5. Review the settings for data retention and make changes as required.
6. Click Apply.

Always On VPN RRAS Monitoring and Reporting

Optionally, historical reporting can be enabled using PowerShell by opening and elevated PowerShell command window and running the following command.

Set-RemoteAccessAccounting -EnableAccountingType Inbox -PassThru

Database Management

A Windows Internal Database (WID) is automatically installed and configured for data storage when inbox accounting is enabled. WID is nothing more than a basic instance of Microsoft SQL Server. As such, the database will require periodic maintenance to perform optimally. I have published the InboxAccountingDatabaseManagement PowerShell module to address many of the required and optional administrative tasks associated with inbox accounting. You can learn more about this PowerShell module and its functions here.

https://directaccess.richardhicks.com/2022/03/21/inbox-accounting-database-management/

Important Note! There is a known issue with the inbox accounting database that can result in high CPU utilization for very busy RRAS VPN servers. Specifically, a crucial index is missing from one of the tables in the logging database. To correct this issue, be sure to run the Optimize-InboxAccountingDatabase function included in my InboxAccountingDatabaseManagement PowerShell module.

Additional Information

Always On VPN Inbox Accounting Database Management

Always On VPN Inbox Accounting Database Management PowerShell module on Github

Windows 10 Always On VPN and Windows Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN and RRAS with Single NIC

Windows 10 Always On VPN and RRAS in Microsoft Azure

54 Comments
by Richard M. Hicks on December 15, 2019  •  Permalink
Posted in administration, Always On VPN, AOVPN, Enterprise, enterprise mobility, Mobility, Operational Support, PowerShell, Remote Access, reporting, routing and remote access service, RRAS, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
Tagged , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on December 15, 2019

https://directaccess.richardhicks.com/2019/12/15/always-on-vpn-rras-monitoring-and-reporting/

« Older Posts