Can anyone tell me at what point the AMD converts the Client IP Address to User name? Is this done in real-time at packet capture or later when the CAS reports are generated?
Reason I'm asking is because I use the "MAP_IPUser-map" property in the Diagnostic Console to reference my uploaded file with IP to User mappings. However, if the AMD does not convert the Client IP to User name at time of capture then the whole process will be out of sync. Especially for Citrix users who log in and out of sessions all day and any one user could have a dozen different IP addresses in a day.
AMD does not convert IPs to user names ...
AMD is only capable of detecting the user names in the traffic according to configuration rules and reporting almost every piece of the traffic as a user name. Typically user names are recognized from GET or POST HTTP parameters or cookie values. If AMD fails to recognize the user name based on the defined rule, it puts an empty string in the username field in the zdata file.
Then CAS reads the zdata file and here is the place where all the magic occurs. You can keep the recognized user name phrase; if it's not present you can replace it with the client IP or AS/CIDR block name/number and many others. Or use the MAP_IPUser-map property like you do: if the zdata file provides a recognized user name, the mapping file is omitted; if it's empty, then based on the file content IPs are translated to user names that can be used i.e. in DMI.
Hi Adam and thanks for your reply.
I should have used the term "recognize" and not "convert" 🙂
Everything you say makes perfect sense. Do you know what the duration is between the time AMD updates the zdata file with an empty string (i.e. no user name present) and the CAS doing the lookup of the mapping file? I'm certain I recall during installation of our APM solution that there was an option to leave the user mapping until a DMI report was run, thereby increasing the time to generate reports but improving CAS performance during collation of data.
I have coded a C++ program that runs as a Windows service and updates the MAP_IPUser-map.properties file every 10 min. I have increased our username versus IP ratio in DMI reports considerably. My concern is that if the CAS does not do the lookup of the mapping file immediately then the data I am providing for user mapping (extracted from AD & uploaded to CAS every 10 min) is only going to be looked at when a DMI report is run and therefore the mapping of IP to username will be outdated.