Integrating Your VPN Connections with Microsoft ATA

Do you know how many cloud applications are being accessed by your employees?
Are your employees sharing valuable information via emails and attachments?
Is Your Help Desk Inundated with Password Reset Requests Over and Over?
Get Started With A FREE Trial Get Started With A FREE Trial Request a Consultation Request a Consultation Download FREE MOBILE DEVICE SECURITY REPORT

VPN Connections

A great many IT teams use Virtual Private Network (VPN) connections as a method to grant remote users access to corporate resources from outside the company’s network. A VPN connection provides employees flexibility by allowing them to work on the go and helps to increase productivity.

VPN connections are fully encrypted, they are secure and therefore their content is not always inspected. Hence, VPN offers an entry point for attackers to use existing credentials and remotely connect into a corporate network. With this release of version 1.8, Advanced Threat Analytics (ATA) now detects when and where credentials are being used via VPN and integrates that data into your investigation. Capturing and analyzing the origin of VPN connections increases your chances of identifying where and how attackers are leveraging stolen credentials in your network.

What’s in the new VPN release

With this new release, the network user’s profile page now includes information from VPN connections, such as the IP addresses and locations from where these connections originate:

VPN Connections

In order to do this, ATA listens to the Remote Authentication Dial-In User Service (RADIUS) accounting events forwarded by your VPN solution. This mechanism is based on standard RADIUS Accounting protocols (RFC 2866), and we support the following VPN vendors:

  • Microsoft
  • F5
  • Check Point
  • Cisco Adaptive Security Appliance (ASA)

Check out the simple step-by-step technical guide on how to add VPN data into ATA.

This information can be used to complement the alert data you already have when investigating a potential compromise, as you will quickly be able to identify any user that’s connected from a suspicious location.

We encourage all companies to add this capability to their existing deployment. For more information visit or email

(Visited 211 times, 1 visits today)