• State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 24 subscribers
  • Views 315 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

NTA doesn't show user details such as ip address, shows proxy server instead

rsteve

how do i deploy/configure NTA to show user details such as ip address to show on my dashboard. it only reflects my proxy server communicating to websites instead of endpoint details. need your help...

  • 0

    It sounds like you are receiving NetFlow export from a device in front of the proxy. If you want to see details of devices behind the proxy, you need to configure your infrastructure devices behind the proxy for NetFlow export to NTA.

  • 0 in reply to jswan

    This is our current set-up: Workstations are directly connected to a Cisco 4506 Switch which is directly connected to a Core Switch 6509.  Workstations are accessing the Internet using a Linux Proxy server.  We have enabled netflow on the Core Switch.  But still, we cannot see any conversations from workstation to external sites.  We tried testing a workstation that does not use any proxy, still same results.  Do we need to add the Proxy server for us to able to monitor conversations from pc to websites???  Note that our proxy server is a linux one.  We can't add it on the NPM though it already has the enabled SNMP. 

    Anyone?? 

  • 0 in reply to rsteve

    If the proxy server is a regular one where each client browser has to be explicitly configured with the hostname/IP address of the proxy server, there's no way to see the client conversations in NetFlow. This is because the destination IP address for the client is actually the proxy server itself; the proxy terminates the HTTP session with the client, proxies it out to the Internet, then feeds the result back to the client. NetFlow isn't aware of this; in your case it only sees the flows between the proxy server and the Internet.

    If you want to see your client activity in a case like this, the only option is to look at the proxy server logs.

    If you can change your proxy server configuration to an "intercepting proxy" aka "transparent proxy", where the client isn't aware of the proxy's existence and the source/destination IP address aren't rewritten from the client's perspective, then you could place your NetFlow exporter on the client side of the proxy server and see the full conversation details in NTA. In your case, the 4506 may or may not support NetFlow export, depending on what Supervisor it has.

  • 0 in reply to jswan

    i'll check on that. im just surprise when i tried to use other neflow analyzer using the same configuration on my switch it displays the clients conversing to external sites. im wonderin if it has something to do with SNMP configuration on PCS since solarwinds NTA is integrated to NPM which rely mostly on SNMP.

  • 0 in reply to rsteve

    There's something I'm misunderstanding about your configuration, then.

    If you do a "show ip cache flow" on the 6500, you're saying that you see the IP addresses of internal clients?

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.