How to track users behind a single NAT IP?

Cooky

We're doing single NAT / PAT for all our remote sites for their outbound Internet access.
One drawback of doing that is you lose accountability.

I'm wondering what people are doing to track which user is online at a particular time / date, and which destination web sites he visited.
We've had several incidents where our security analyst asked us to provide that information, but we were not able to because there are hundreds of users behind a single IP.

Is there any product that can provide accounting information?
 

reicherb

What you are looking for is a proxy server. There are many flavors. Some require independent authentication. Some will integrate with A/D, eDIR, or LDAP directories.
 

Cooky

Does this require a tweak in end users' browsers?
Is there any particular product that you recommend?
 

Nothinman

It's possible to do transparent proxying if you have a device that can redirect all of their outbound traffic to the proxy, but most places just push out a GPO to configure the proxy in everyone's browser.
 

RebateMonger

This can be done with both hardware and software proxies. Microsoft's AD-integrated Proxy/Firewall/Caching product is ISA Server 2004/2006, but there are hardware and Linux-based proxies, too.
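
Added example, not part of the thread: once an authenticating proxy is in place, the analyst's question ("who reached this site in this time window?") becomes a log query. The sketch below assumes a Linux proxy writing Squid's native access.log layout with proxy authentication enabled; the sample lines, usernames and hostnames are constructed.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout (not real traffic):
# time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1199145600.120 210 10.20.1.15 TCP_MISS/200 5120 GET http://example.com/index.html alice DIRECT/192.0.2.10 text/html
1199145655.481 95 10.20.1.37 TCP_MISS/200 812 GET http://files.example.net/a.zip bob DIRECT/198.51.100.7 application/zip
1199145720.003 1840 10.20.1.15 TCP_MISS/200 3911 CONNECT files.example.net:443 alice DIRECT/198.51.100.7 -
1199149200.750 60 10.20.1.52 TCP_DENIED/407 1700 GET http://files.example.net/b.zip - NONE/- text/html
"""

def parse_line(line):
    """Split one access.log line into the fields needed for accounting."""
    f = line.split()
    if len(f) < 10:
        return None  # truncated or malformed line
    method, url, user = f[5], f[6], f[7]
    # CONNECT (HTTPS tunnel) entries log "host:port" instead of a full URL.
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return {
        "time": datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
        "client": f[2],
        "result": f[3],
        "host": host.lower(),
        "user": None if user == "-" else user,  # "-" means no authenticated user
    }

def who_visited(lines, host, start, end):
    """(time, user, client IP) for authenticated requests to host in [start, end)."""
    recs = (parse_line(l) for l in lines)
    return [(r["time"], r["user"], r["client"]) for r in recs
            if r and r["user"] and r["host"] == host.lower() and start <= r["time"] < end]

def unattributed(lines):
    """Requests carrying no username: the accountability gaps left to close."""
    recs = (parse_line(l) for l in lines)
    return [(r["time"], r["client"], r["result"]) for r in recs if r and not r["user"]]

if __name__ == "__main__":
    window = (datetime(2008, 1, 1, 0, 0, tzinfo=timezone.utc),
              datetime(2008, 1, 1, 0, 30, tzinfo=timezone.utc))
    for when, user, ip in who_visited(SAMPLE_LOG.splitlines(), "files.example.net", *window):
        print(when.isoformat(), user, ip)
    print("unattributed:", unattributed(SAMPLE_LOG.splitlines()))
```

For HTTPS the proxy only sees the CONNECT host, so the record identifies the site and user but not the page requested.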