Absolute Agent & VPN Monitoring

TL;DR

Absolute agent can monitor some aspects of VPN traffic, but it’s not a complete picture. It depends on the VPN protocol used and how Absolute is configured. You won’t see decrypted data, but you can detect connection events (connect/disconnect) and potentially identify the VPN provider based on DNS requests or IP addresses.

How Absolute Agent Works

Absolute agent operates at a fairly high level within the operating system. It doesn’t typically inspect encrypted traffic directly. Instead, it relies on:

  • Event Logging: Tracking when applications connect and disconnect (including VPN clients).
  • DNS Monitoring: Observing DNS requests to identify the VPN server addresses.
  • Network Connection Information: Recording IP address changes associated with the VPN connection.

Steps to Monitor VPN Traffic with Absolute Agent

  1. Check Event Logs for VPN Client Activity:
    • In the Absolute Management Console, navigate to Events > Application Events.
    • Filter by application name (e.g., OpenVPN, Cisco AnyConnect, NordVPN).
    • Look for events indicating when the VPN client started and stopped. This confirms if the agent is even seeing the VPN connection attempts.
  2. Monitor DNS Requests:
    • Go to Events > Network Events or a similar section depending on your Absolute console version.
    • Filter for DNS requests.
    • Examine the domain names being requested. If users connect to a VPN, you should see requests related to the VPN provider’s servers (e.g., vpn.example.com). This can help identify which VPN service is in use.
  3. Track IP Address Changes:
    • In the Absolute console, look for network connection events that show changes in the device’s IP address.
    • A sudden change to an IP address associated with a known VPN provider is a strong indicator of VPN usage. You may need to cross-reference these IPs with public VPN server lists.
  4. Configure Absolute Agent Settings (if applicable):
    • Some versions of Absolute agent allow you to customize the types of events that are logged. Ensure that network and application connection events are enabled.
    • Check if there are specific settings related to VPN detection or monitoring – consult your Absolute documentation.
  5. Use Reporting Features:
    • Absolute often provides pre-built reports that can summarize application usage and network activity. Look for reports that highlight connection events or IP address changes over time.
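
The cross-referencing in steps 1 to 3 can be scripted once events are exported. This is an added example, not code from Absolute or from this post: it assumes a CSV export with hypothetical columns (timestamp, device, event_type, detail), and the watchlists and sample rows are constructed.

```python
import csv
import io
import ipaddress

# Constructed watchlists (assumptions): replace with your own provider data.
VPN_CLIENTS = {"openvpn", "cisco anyconnect", "nordvpn"}
VPN_DOMAINS = {"vpn.example.com"}
VPN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample export; column names are hypothetical, not Absolute's schema.
SAMPLE_EXPORT = """timestamp,device,event_type,detail
2024-05-01T09:00:00,LAPTOP-01,app_start,OpenVPN
2024-05-01T09:00:20,LAPTOP-01,dns_query,gw7.vpn.example.com
2024-05-01T09:00:45,LAPTOP-01,ip_change,203.0.113.25
2024-05-01T09:05:00,LAPTOP-02,dns_query,intranet.example.org
2024-05-01T09:06:00,LAPTOP-02,ip_change,198.51.100.7
2024-05-01T10:00:00,LAPTOP-03,dns_query,vpn.example.com
"""

def indicator(event_type, detail):
    """Return the indicator name if this single event points at VPN use, else None."""
    if event_type == "app_start" and detail.lower() in VPN_CLIENTS:
        return "vpn_client"
    if event_type == "dns_query":
        name = detail.lower().rstrip(".")
        # Match the domain itself or a subdomain, never a mere string suffix.
        if any(name == d or name.endswith("." + d) for d in VPN_DOMAINS):
            return "vpn_dns"
    if event_type == "ip_change":
        try:
            addr = ipaddress.ip_address(detail)
        except ValueError:
            return None  # malformed address in the export: skip the row
        if any(addr in net for net in VPN_NETWORKS):
            return "vpn_ip"
    return None

def correlate(export_text):
    """Map each device to the sorted set of VPN indicators seen in the export."""
    hits = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = indicator(row["event_type"], row["detail"])
        if name:
            hits.setdefault(row["device"], set()).add(name)
    return {device: sorted(names) for device, names in hits.items()}

def confidence(indicators):
    """Two or more independent indicators is a strong signal; one is a lead to review."""
    return "high" if len(indicators) >= 2 else "low"
```

A device that shows only one indicator, such as a single DNS lookup, is worth a follow-up rather than a conclusion, which is why the script grades results instead of returning a yes/no.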

Limitations

  • Encrypted Traffic: Absolute agent cannot decrypt VPN traffic. You won’t be able to see the websites users are visiting while connected to a VPN.
  • VPN Protocols: Some VPN protocols (e.g., WireGuard) might be harder for Absolute to detect than others, depending on how they handle network connections.
  • Split Tunneling: If a user is using split tunneling (where only some traffic goes through the VPN), Absolute may only see activity related to the non-VPN traffic.
  • Advanced VPN Configurations: Users with advanced VPN configurations or custom setups might be able to bypass detection.

Example Command Snippet (for checking network connections – not directly used in Absolute, but helpful for understanding)

netstat -an | findstr :443

Note: This command is a Windows example and won’t run within the Absolute agent itself. It’s shown to illustrate how you might manually check network connections on a device.
