Thanks a lot for the explanation. After reading your explanation, I have found this KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;288571&Product=ISAS

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Sunday, 18 April 2004 4:15 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Authentication on outgoing web requests on ISA

http://www.ISAserver.org

This is normal behavior for almost every browser on this planet. It generates the anonymous requests for every link it asks for. ISA also logs every request it receives from a client. Since authentication traffic can take up to 4 request/response cycles, you'll see them all as "anonymous".

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: <mathif@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, April 17, 2004 07:37
Subject: [isalist] Re: Authentication on outgoing web requests on ISA

Hi Jim,

Thanks for the response. Yes, I can see that successful connection in the log for "RIYADH\jtena". Actually, my question is why it is anonymous for the first 2-3 requests and then we could see "RIYADH\jtena". But initially it was anonymous, why? Is it the normal behavior of ISA? If so, can we overcome this? I have also specified authentication on outgoing web requests, so why does it show anonymous initially? Is there any KB article explaining this behavior?

Yes, actually I am trying to block this spyware with the help of the ISA logs, understanding the SC-Result codes.

Thanks,
Athif

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Saturday, 17 April 2004 5:24 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Authentication on outgoing web requests on ISA

Quit using hotbar. It and Gator (that comes with it) are some of the worst spyware apps on the Internet.

The only successful connection (sc-result = 200) wasn't anonymous:

    172.20.45.79, RIYADH\jtena, Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; Hotbar 4.4.2.0), Y, 4/16/2004, 0:14:38, w3proxy, IT-ISA01, -, 212.93.193.87, 212.93.193.87, 8080, 500, 488, 495, http, -, GET, http://spweather.whenu.com/summary/SA/XX/0017.html, -, Upstream, 200, -,

Your username "RIYADH\jtena" is clearly listed in the log.

Jim Harrison
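
For anyone triaging the same logs, the sketch below (an added example, not part of the original thread or any ISA tooling) separates the "anonymous" entries that are just legs of the proxy authentication handshake from anonymous requests that never authenticate, and lists clients whose User-Agent carries the Hotbar token. It assumes handshake entries are logged with the literal username `anonymous` and HTTP status 407, that no field contains a comma, and a 10-second correlation window; apart from the one line quoted in the thread, the sample log lines are constructed.

```python
from datetime import datetime, timedelta

# Column positions read off the w3proxy line quoted in the thread.
C_IP, USER, AGENT, DATE, TIME, URL, STATUS = 0, 1, 2, 4, 5, 18, 21

# Constructed sample: the third entry is the line quoted in the thread; the
# 407 entries and the 172.20.45.80 client are invented for illustration.
_UA = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; Hotbar 4.4.2.0)"
_URL = "http://spweather.whenu.com/summary/SA/XX/0017.html"
_MID = "w3proxy, IT-ISA01, -, 212.93.193.87, 212.93.193.87, 8080"
SAMPLE = [
    f"172.20.45.79, anonymous, {_UA}, N, 4/16/2004, 0:14:37, {_MID}, 1, 488, 300, http, -, GET, {_URL}, -, -, 407, -,",
    f"172.20.45.79, anonymous, {_UA}, N, 4/16/2004, 0:14:38, {_MID}, 1, 488, 300, http, -, GET, {_URL}, -, -, 407, -,",
    rf"172.20.45.79, RIYADH\jtena, {_UA}, Y, 4/16/2004, 0:14:38, {_MID}, 500, 488, 495, http, -, GET, {_URL}, -, Upstream, 200, -,",
    "172.20.45.80, anonymous, ExampleAgent/1.0, N, 4/16/2004, 0:20:00, w3proxy, IT-ISA01, -, example.invalid, 192.0.2.10, 80, 1, 200, 300, http, -, GET, http://example.invalid/, -, -, 407, -,",
]

def parse(line):
    # Assumption: no field contains a comma (true for the quoted line).
    f = [x.strip() for x in line.split(",")]
    ts = datetime.strptime(f"{f[DATE]} {f[TIME]}", "%m/%d/%Y %H:%M:%S")
    return {"ip": f[C_IP], "user": f[USER], "agent": f[AGENT], "ts": ts,
            "url": f[URL], "status": int(f[STATUS])}

def classify(lines, window=timedelta(seconds=10)):
    """Return (handshake, unresolved) lists for the anonymous log entries."""
    recs = [parse(l) for l in lines]
    authed = [r for r in recs if r["user"].lower() != "anonymous"]
    handshake, unresolved = [], []
    for r in (r for r in recs if r["user"].lower() == "anonymous"):
        # A handshake leg is a 407 that the same client answers, for the same
        # URL, with an authenticated request inside the window.
        follow = next((a for a in authed
                       if r["status"] == 407 and a["ip"] == r["ip"]
                       and a["url"] == r["url"]
                       and timedelta(0) <= a["ts"] - r["ts"] <= window), None)
        (handshake if follow else unresolved).append((r, follow))
    return handshake, unresolved

def clients_with_agent_token(lines, token="Hotbar"):
    """Client IPs whose User-Agent carries the given token."""
    return {r["ip"] for r in map(parse, lines) if token in r["agent"]}

if __name__ == "__main__":
    hs, un = classify(SAMPLE)
    for r, a in hs:
        print(f"handshake  {r['ip']} -> {a['user']} {r['url']}")
    for r, _ in un:
        print(f"unresolved {r['ip']} {r['status']} {r['url']}")
    print("Hotbar clients:", sorted(clients_with_agent_token(SAMPLE)))
```

Entries left in the unresolved list are the ones worth reviewing; the handshake list is expected noise from the challenge/response cycles described above.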