  1. #1
    Untanglit
    Join Date
    Nov 2016
    Location
    Grafton, Australia
    Posts
    18

    Blank User in Web Filter Reports

    I support a school that has been running Untangle for several years, mostly without any issues.

    It comprises some 250 students & staff in a very simple single gateway, single AD / DHCP environment of Win Server 2008 and Windows 7 Workstations using Roaming profiles.

    Recently a small number of users are getting their web usage blocked by Untangle Web Filter. I traced the issues to the USER NAME being blank in the UT Web Filter Reports, thus defaulting to the Default Rack Rules that should indeed block these sites. The majority of other users continue to work OK. We've made no changes to any Organisation Groups.

    I know their network connectivity is good because their shared drives are all still mounted and accessible.

    I checked Windows Diagnostics Security Events and I can see successful Active Directory logons for the affected users. I've tried rebooting the workstation and renewing the AD lease, but it does not solve the issue.

    After 3 or 4 days, all returns to normal, but later, some other user will experience the same problem.

    Any ideas? Thx in advance.

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    6,210


    What method are you using to identify their IP with the AD login? Also version of Untangle and AD server?
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untanglit
    Join Date
    Nov 2016
    Location
    Grafton, Australia
    Posts
    18


    Thx. We're using Windows Server 2008 R2 with DHCP, Active Directory and GPO profiles. Users log on to the domain with a standard domain username & password. Normally the AD account name matches the USERNAME logged in the UT reports.

    UT version is Build: 13.1.0.20171012T092147.9901a18-1jessie / Kernel: 3.16.0-4-untangle-amd64

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    6,210


    Sorry, I should have been clearer. Are you using AD monitor or AD script to send login events to the Untangle?

  5. #5
    Untanglit
    Join Date
    Nov 2016
    Location
    Grafton, Australia
    Posts
    18


    Apologies from me too... I've only just taken over support from someone who has left.

    Is there an easy way to tell if AD Monitor has been installed? I couldn't see anything obvious on the domain server.

    I can see DIRECTORY CONNECTOR in UT APPS, and ENABLE ACTIVE DIRECTORY CONNECTOR is checked there. There is activity in the UT Directory Connector reports and the AD TEST Button in UT reports a good test.

    I also notice that the USER NOTIFICATION API is also turned on, but I'm not sure if this is the info you need.
    Last edited by Pilotpak; 12-07-2017 at 07:25 PM. Reason: Error

  6. #6
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    16,668


    What do you see under Reports > Directory Connector > API Events?

  7. #7
    Untanglit
    Join Date
    Nov 2016
    Location
    Grafton, Australia
    Posts
    18


    I can see many UPDATE & LOGIN records.
    I can't see any obvious errors at all.
    There are LOGIN records for all users, perhaps more than I was expecting to see.
    There seem to be UPDATE records for most users every 5 minutes or so.
    The Username & Client IP address are always populated correctly; the Domain column is not populated.
    Strangely, I see some LOGIN messages every 5 minutes for some users who are on holidays with their PC locked or OFF.
    I didn't see any LOGOFF events.

  8. #8
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    16,668


    Now just find a machine/IP that isn't getting its username identified properly.
    And look and see if Untangle is getting API calls to update that IP with the correct username.

    If Untangle isn't getting notified that a username is logged into a certain IP, it won't know that username is associated with that IP.

  9. #9
    Untanglit
    Join Date
    Nov 2016
    Location
    Grafton, Australia
    Posts
    18


    OMG... This is so strange... my brain hurts and it's late on a Friday night!!

    I have found that at some times, the API updates for certain users just seem to stop. And of course, there is an obvious correlation between the blocked web pages and when the AD API Updates stop.

    ScreenHunter_571 Dec. 08 21.28.jpg

    You can see on the "ALL WEB EVENTS REPT" that sites were being blocked (obviously due to the unpopulated User) until 5:12 pm on Dec 7th.

    Now have a look at the "API EVENTS" rept below. You can see a LOGIN for the user at 3:12 pm on the same day, an UPDATE 5 minutes later, then a large gap until another login at 5:11 pm.

    The strange thing about this is that it is a school, and everyone had gone home at 5:11 pm, so I can't understand this later LOGIN.

    You may notice an ADMINISTRATOR login. The school has found that logging off does not solve the issue, nor does re-booting, but sometimes, logging on another user will fix the problem.



    ScreenHunter_572 Dec. 08 21.36.jpg

  10. #10
    Untanglit
    Join Date
    Nov 2016
    Location
    Grafton, Australia
    Posts
    18


    Also, I forgot to mention that whenever you get these "inactive" API-logging periods for the affected users, the API LOGS show normal LOGIN/UPDATE activity for all other users. At most times, there will be 50 active users and one or two users who exhibit this behaviour of un-populated userid.
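
The check suggested in post #8 and the correlation found in post #9 (API updates for one IP stop, and web events from that IP then carry a blank username) can be scripted over exported report rows. This is an added example, not part of the original thread and not Untangle code; the row layouts, usernames, IP addresses and the 15-minute silence threshold are assumptions, and the sample rows are constructed to mirror the times quoted in post #9.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
# Constructed sample rows; the column layout is assumed, not an Untangle export format.
API_EVENTS = [  # (time, event type, username, client IP)
    ("2017-12-07 15:12", "LOGIN",  "student1", "192.168.1.50"),
    ("2017-12-07 15:17", "UPDATE", "student1", "192.168.1.50"),
    ("2017-12-07 17:11", "LOGIN",  "student1", "192.168.1.50"),
    ("2017-12-07 15:10", "LOGIN",  "teacher1", "192.168.1.60"),
    ("2017-12-07 15:15", "UPDATE", "teacher1", "192.168.1.60"),
    ("2017-12-07 15:20", "UPDATE", "teacher1", "192.168.1.60"),
]
WEB_EVENTS = [  # (time, client IP, username as reported, blocked?)
    ("2017-12-07 15:14", "192.168.1.50", "student1", False),
    ("2017-12-07 16:05", "192.168.1.50", "", True),
    ("2017-12-07 16:40", "192.168.1.50", "", True),
    ("2017-12-07 15:18", "192.168.1.60", "teacher1", False),
]

def find_gaps(api_events, max_silence=timedelta(minutes=15)):
    """Return {ip: [(start, end), ...]} where consecutive API events
    for one client IP are more than max_silence apart."""
    by_ip = defaultdict(list)
    for ts, _kind, _user, ip in api_events:
        by_ip[ip].append(datetime.strptime(ts, FMT))
    gaps = {}
    for ip, times in by_ip.items():
        times.sort()
        spans = [(a, b) for a, b in zip(times, times[1:]) if b - a > max_silence]
        if spans:
            gaps[ip] = spans
    return gaps

def blank_user_hits_in_gaps(web_events, gaps):
    """Web events with an empty username that fall inside a gap for the same IP."""
    hits = []
    for ts, ip, user, blocked in web_events:
        t = datetime.strptime(ts, FMT)
        if not user and any(a < t < b for a, b in gaps.get(ip, [])):
            hits.append((ts, ip, blocked))
    return hits

if __name__ == "__main__":
    gaps = find_gaps(API_EVENTS)
    for ip, spans in gaps.items():
        for a, b in spans:
            print(f"{ip}: no API events from {a} to {b}")
    for hit in blank_user_hits_in_gaps(WEB_EVENTS, gaps):
        print("blank-username web event inside gap:", hit)
```

A silence that is still ongoing (no later event yet for that IP) is not reported by this sketch, since a gap is only measured between two recorded events.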
