Re: Quick (and probably obvious) question

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 13 Aug 2002 14:13:24 -0700

Quick (and probably obvious) questionTheir statement makes sense.
Since SurfControl installs itself as a web filter, it can't control SecureNAT 
and FW client web access if they don't use the Web Proxy service.
They can only get there via the HTTP redirector.
The problem is that they all appear to come from the ISA itself (127.0.0.1), 
and you lose any user-specific information, since the HTTP redirector drops 
credentials.

You'll get better logs if you force your users to talk only to the ISA Web 
Proxy service.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison
http://jalojash.org/isatools
Read the books!

  ----- Original Message ----- 
  From: Rogers, Brian 
  To: [ISAserver.org Discussion List] 
  Sent: Tuesday, August 13, 2002 2:01 PM
  Subject: [isalist] Re: Quick (and probably obvious) question


  http://www.ISAserver.org


  Hmm...I was told by the surfcontrol people that the only way to monitor 
firewall/snat clients via Superscout was to use this setting (redirect 
firewall/snat to web proxy)



  Very interesting indeed.  Thanks for the info!



  -----Original Message-----
  From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
  Sent: Tuesday, August 13, 2002 4:53 PM
  To: [ISAserver.org Discussion List]
  Subject: [isalist] Re: Quick (and probably obvious) question



  http://www.ISAserver.org

  You'll see this when SecureNAT and Firewall clients access the web proxy 
service via the HTTP Redirector.

  Unless you have to allow direct web access for them, set it to "Reject" and 
you should see these drop off.

  It *could* also be SurfControl...



  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/authors/harrison
  http://jalojash.org/isatools
  Read the books!

    ----- Original Message ----- 

    From: Rogers, Brian 

    To: [ISAserver.org Discussion List] 

    Sent: Tuesday, August 13, 2002 10:16 AM

    Subject: [isalist] Quick (and probably obvious) question



    http://www.ISAserver.org




    When looking at the "Sessions" container in ISA management I see quite a 
few rather unusual entries on a consistent basis.

    Session Type - Web Session 
    User Name - Anonymous 
    Client Computer - Blank 
    Client Address - External Routable IP or 127.0.0.1 (this one bugs me) 
    Activiation - Current Date/time 



    My question is this.  I would assume that the Client Address section lists 
External Routable IP addresses this is tracking an inbound Web session to one 
of our published websites/ftp sites through the ISA Server.   However what I 
don't get is the 127.0.0.1 entry.  Noone logs on to the ISA box itself and 
browses the web.

    It is obvious that A LOT of web traffic is being generated with the source 
address being 127.0.0.1 as we use Surfcontrol to monitor proxy traffic.  It 
shows 10s of thousands of hits to various websites from the client 127.0.0.1 
and I cannot figure out why.

    Normal proxy and firewall clients show up just fine in the Surfcontrol 
reports....I just cannot figure out why all this traffic is listing itself as 
coming from the loopback adapter.

    ------------------------------------------------------
    You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
    To unsubscribe send a blank email to $subst('Email.Unsub') 

  ------------------------------------------------------
  You are currently subscribed to this ISAserver.org Discussion List as: 
rogersb@xxxxxxxxxxxxxx
  To unsubscribe send a blank email to $subst('Email.Unsub') 

  ------------------------------------------------------
  You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
  To unsubscribe send a blank email to $subst('Email.Unsub') 

Other related posts: