Blog | G5 Cyber Security

Absolute Agent & VPN Monitoring

TL;DR

Absolute agent can monitor some aspects of VPN traffic, but it’s not a complete picture. It depends on the VPN protocol used and how Absolute is configured. You won’t see decrypted data, but you can detect connection events (connect/disconnect) and potentially identify the VPN provider based on DNS requests or IP addresses.

How Absolute Agent Works

Absolute agent operates at a fairly high level within the operating system. It doesn’t typically inspect encrypted traffic directly. Instead, it relies on:

Steps to Monitor VPN Traffic with Absolute Agent

  1. Check Event Logs for VPN Client Activity:
    • In the Absolute Management Console, navigate to Events > Application Events.
    • Filter by application name (e.g., OpenVPN, Cisco AnyConnect, NordVPN).
    • Look for events indicating when the VPN client started and stopped. This confirms if the agent is even *seeing* the VPN connection attempts.
  2. Monitor DNS Requests:
    • Go to Events > Network Events or a similar section depending on your Absolute console version.
    • Filter for DNS requests.
    • Examine the domain names being requested. If users connect to a VPN, you should see requests related to the VPN provider’s servers (e.g., vpn.example.com). This can help identify which VPN service is in use.
  3. Track IP Address Changes:
    • In the Absolute console, look for network connection events that show changes in the device’s IP address.
    • A sudden change to an IP address associated with a known VPN provider is a strong indicator of VPN usage. You may need to cross-reference these IPs with public VPN server lists.
  4. Configure Absolute Agent Settings (if applicable):
    • Some versions of Absolute agent allow you to customize the types of events that are logged. Ensure that network and application connection events are enabled.
    • Check if there are specific settings related to VPN detection or monitoring – consult your Absolute documentation.
  5. Use Reporting Features:
    • Absolute often provides pre-built reports that can summarize application usage and network activity. Look for reports that highlight connection events or IP address changes over time.
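
The checks from steps 1 to 3, applied offline to exported events, as an added example (not part of the original post and not Absolute's own code or export format). The CSV columns, event type names and watchlist entries are assumptions constructed for illustration; map them to whatever your console export actually contains.

```python
import csv, io, ipaddress
# Constructed watchlists (assumptions): replace with lists you curate yourself.
VPN_CLIENTS = {"openvpn", "cisco anyconnect", "nordvpn"}
VPN_DOMAINS = {"vpn.example.com"}                        # matched as a domain suffix
VPN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range

# Constructed sample export; the column names are hypothetical.
SAMPLE_EVENTS = """timestamp,device,type,detail
2024-01-10T09:00:00,LAPTOP-01,app_start,OpenVPN
2024-01-10T09:00:05,LAPTOP-01,dns,gw1.vpn.example.com
2024-01-10T09:00:09,LAPTOP-01,ip_change,203.0.113.25
2024-01-10T09:31:00,LAPTOP-02,ip_change,198.51.100.7
2024-01-10T10:15:00,LAPTOP-01,app_stop,OpenVPN
"""

def classify(event):
    """Return the VPN indicator an event matches, or None."""
    kind, detail = event["type"], event["detail"].strip().lower()
    if kind in ("app_start", "app_stop") and detail in VPN_CLIENTS:
        return "vpn_client_" + kind.split("_")[1]        # step 1: client start/stop
    if kind == "dns":                                    # step 2: DNS requests
        name = detail.rstrip(".")
        if any(name == d or name.endswith("." + d) for d in VPN_DOMAINS):
            return "vpn_dns"
    if kind == "ip_change":                              # step 3: IP address changes
        try:
            addr = ipaddress.ip_address(detail)
        except ValueError:
            return None  # malformed address in the export: skip, do not crash
        if any(addr in net for net in VPN_NETWORKS):
            return "vpn_ip"
    return None

def vpn_indicators(csv_text):
    """Group matches per device: {device: [(timestamp, indicator), ...]}."""
    hits = {}
    for event in csv.DictReader(io.StringIO(csv_text)):
        indicator = classify(event)
        if indicator:
            hits.setdefault(event["device"], []).append((event["timestamp"], indicator))
    return hits

def likely_vpn_devices(csv_text, min_distinct=2):
    """Devices showing at least min_distinct different indicator kinds."""
    return sorted(dev for dev, found in vpn_indicators(csv_text).items()
                  if len({kind for _, kind in found}) >= min_distinct)

if __name__ == "__main__":
    print(likely_vpn_devices(SAMPLE_EVENTS), vpn_indicators(SAMPLE_EVENTS))
```

Requiring two different indicator kinds before flagging a device keeps a single stale watchlist entry from producing an alert on its own.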

Limitations

Example Command Snippet (for checking network connections – not directly used in Absolute, but helpful for understanding)

netstat -an | findstr :443

Note: This command is a Windows example and won’t run within the Absolute agent itself. It’s shown to illustrate how you might manually check network connections on a device.
