Quick (and probably obvious) questionTheir statement makes sense. Since SurfControl installs itself as a web filter, it can't control SecureNAT and FW client web access if they don't use the Web Proxy service. They can only get there via the HTTP redirector. The problem is that they all appear to come from the ISA itself (127.0.0.1), and you lose any user-specific information, since the HTTP redirector drops credentials. You'll get better logs if you force your users to talk only to the ISA Web Proxy service. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/authors/harrison http://jalojash.org/isatools Read the books! ----- Original Message ----- From: Rogers, Brian To: [ISAserver.org Discussion List] Sent: Tuesday, August 13, 2002 2:01 PM Subject: [isalist] Re: Quick (and probably obvious) question http://www.ISAserver.org Hmm...I was told by the surfcontrol people that the only way to monitor firewall/snat clients via Superscout was to use this setting (redirect firewall/snat to web proxy) Very interesting indeed. Thanks for the info! -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Tuesday, August 13, 2002 4:53 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Quick (and probably obvious) question http://www.ISAserver.org You'll see this when SecureNAT and Firewall clients access the web proxy service via the HTTP Redirector. Unless you have to allow direct web access for them, set it to "Reject" and you should see these drop off. It *could* also be SurfControl... Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/authors/harrison http://jalojash.org/isatools Read the books! ----- Original Message ----- From: Rogers, Brian To: [ISAserver.org Discussion List] Sent: Tuesday, August 13, 2002 10:16 AM Subject: [isalist] Quick (and probably obvious) question http://www.ISAserver.org When looking at the "Sessions" container in ISA management I see quite a few rather unusual entries on a consistent basis. Session Type - Web Session User Name - Anonymous Client Computer - Blank Client Address - External Routable IP or 127.0.0.1 (this one bugs me) Activiation - Current Date/time My question is this. I would assume that the Client Address section lists External Routable IP addresses this is tracking an inbound Web session to one of our published websites/ftp sites through the ISA Server. However what I don't get is the 127.0.0.1 entry. Noone logs on to the ISA box itself and browses the web. It is obvious that A LOT of web traffic is being generated with the source address being 127.0.0.1 as we use Surfcontrol to monitor proxy traffic. It shows 10s of thousands of hits to various websites from the client 127.0.0.1 and I cannot figure out why. Normal proxy and firewall clients show up just fine in the Surfcontrol reports....I just cannot figure out why all this traffic is listing itself as coming from the loopback adapter. ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: rogersb@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')