Tom, My front ISA server is a firewall only server. Does it still maintain a cache? It is like looking at a needle in a haystack! When I accessed the site from my internal network, I was still redirected to the fake site. Interesting thing to note. My sites were offline for 2 1/2 weeks while I read and worked with my site planning. The the first time I brought them up this redirection happened. Thank you for taking the time to respond! Joseph -----Original Message----- From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Wednesday, August 22, 2001 8:46 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Possible Virus with ISA http://www.ISAserver.org Hi Joseph, Looks like the Cache was corrupt or received a bad referral. If its fixed now, I'd just watch it and see if it happens again. Pretty interesting stuff, though. HTH, Tom www.isaserver.org/shinder Thomas W Shinder, M.D., MCSE, MCT -----Original Message----- From: cismic [mailto:cismic@xxxxxxx] Sent: Wednesday, August 22, 2001 10:34 AM To: [ISAserver.org Discussion List] Subject: [isalist] Possible Virus with ISA http://www.ISAserver.org Hello, Dose anyone know about the following possible virus? I'm not receiving any replies I guess I'll get "PSS" from Microsoft involved and then share what I find with the group. Tonight I was finally able to have my DNS appear behind my fire wall and publish web sites. Thanks to all my really dumb sounding questions And all the great answers I received form everyone! Once I had the appropriate settings in DNS and created my server publishing rule for DNS All was well. I tried a couple of my sites and it was great seeing them appear from a separate line dialing out to another ISP. Then I tried to go to my http://www.cismic.com site and the following was happening! I was not able to access this site since it was being redirected to 212.227.118.93!!!! Not even my site identification by far. I looked at my web publishing rule CISMIC and it showed appropriate internal web site address and yet this log entry shows Something completely different. Where my internal site should appear you can see 212.227.118.93. The 304 code tells me that It was being redirected. I deleted the web publishing rule and then tried to access the site and I received a 403 message which is What I expected. I rebooted my ISA machine and added another web publishing rule going to the same destination set and this time renamed the rule www.cismic.com and the site worked. Does anyone know how this type of redirection could have happened???? Please share with me any ideas that you may have! Now how can I really tighten down the front ISA server firewall? Thank you in advanced, I'm off to sleep for awhile but will be looking for some answers and solutions later in the day. Joseph 63.11.248.173 anonymous Mozilla/4.0 (compatible; MSIE 5.0; MSNIA; Windows 98; DigExt) N 2001-08-20 10:28:47 W3ReverseProxy LMSISA01 - www.cismic.com 212.227.118.93 80 491 297 158 http TCP GET http://www.cicmic.com/ - Inet 304 0x40001002 CISMIC - 63.11.248.173 anonymous Mozilla/4.0 (compatible; MSIE 5.0; MSNIA; Windows 98; DigExt) N 2001-08-20 10:28:47 W3ReverseProxy LMSISA01 - www.cismic.com 212.227.118.93 80 260 349 156 http TCP GET http://www.cicmic.com/spicons/baustelle.gif - Inet 304 0x40001002 CISMIC - 63.11.248.173 anonymous Mozilla/4.0 (compatible; MSIE 5.0; MSNIA; Windows 98; DigExt) N 2001-08-20 10:28:52 W3ReverseProxy LMSISA01 - www.cismic.com 212.227.118.93 80 261 297 158 http TCP GET http://www.cicmic.com/ - Inet 304 0x40001002 CISMIC - 63.11.248.173 anonymous Mozilla/4.0 (compatible; MSIE 5.0; MSNIA; Windows 98; DigExt) N 2001-08-20 10:28:53 W3ReverseProxy LMSISA01 - www.cismic.com 212.227.118.93 80 260 349 156 http TCP GET http://www.cicmic.com/spicons/baustelle.gif - Inet 304 0x40001002 CISMIC - Tracert turned up the following; (less some routes of course) 23 230 ms 221 ms 230 ms kundenserver.de [212.227.118.93] ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')