Hi Joseph, Doesn't make a difference. You'll see the same thing even when NetBT is disabled on all interfaces. I do recall reading something about disabling it on RRAS interfaces, but haven't checked to see if that fixes the issue. Thanks! Tom Thomas W Shinder www.isaserver.org/shinder ISA 2004 Beta - Get it now! http://www.microsoft.com/isaserver/beta/default.asp ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: cismic [mailto:cismic@xxxxxxx] Sent: Wednesday, February 25, 2004 12:55 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Can anybody here me with IPPEXTD logs http://www.ISAserver.org Isn't it also a good idea to configure at the adapter not to use netbios over tcpip? ----- Original Message ----- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, February 25, 2004 6:54 AM Subject: [isalist] Re: Can anybody here me with IPPEXTD logs http://www.ISAserver.org Hi Jim, Those records are also a lot of fun when you publishing Web sites and the NetBIOS node adapter status queries fill up the logs :) I just created packet filters for the NetBIOS protocols and then configured the filters to not log. Thanks! Tom Thomas W Shinder www.isaserver.org/shinder ISA 2004 Beta - Get it now! http://www.microsoft.com/isaserver/beta/default.asp ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Wednesday, February 25, 2004 8:38 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Can anybody here me with IPPEXTD logs http://www.ISAserver.org Actually (sorry, Joe; I have to do this), those entries are ISA trying to use NetBIOS name resolution (UDP-137) because DNS resolution failed. Since you don't have a PF allowing ISA to use the this protocol (don't add one), it shows as "BLOCKED". Dont get in a twist over this; since you're completely dependent on the distant site and their ISP to maintain proper DNS records, these entries are commonplace. The IP..log entries are always Source-IP, Destination-IP; not ISA-IP, Remote-IP... Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! On Wed, 25 Feb 2004 12:12:54 -0000 Paul Crisp <PCrisp@xxxxxxxxxxxxxxxxx> wrote: http://www.ISAserver.org Cool, another less thing to worry about then. Thanks again Paul Crisp Snr Network Support Analyst t: 020 7 827 5201 f: 020 7 827 5266 -----Original Message----- From: cismic [mailto:cismic@xxxxxxx] Sent: Wednesday, February 25, 2004 12:09 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Can anybody here me with IPPEXTD logs Importance: High http://www.ISAserver.org Hi Paul, A machine from the outside world is trying to gain access and the good thing is that ISA blocked them. Joseph ----- Original Message ----- From: "Paul Crisp" <PCrisp@xxxxxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, February 25, 2004 3:11 AM Subject: [isalist] Re: Can anybody here me with IPPEXTD logs http://www.ISAserver.org Thanks Joseph I will. Does this mean then that the ISA Server or a machine on the LAN is transmitting these possible vulnerabilities or the machine from the outside world is trying to expose them ? Paul Crisp Snr Network Support Analyst t: 020 7 827 5201 f: 020 7 827 5266 -----Original Message----- From: cismic [mailto:cismic@xxxxxxx] Sent: Wednesday, February 25, 2004 11:03 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Can anybody here me with IPPEXTD logs Importance: High http://www.ISAserver.org Hi Paul, The way the logs are layed out will show your ISA IP address first then the IP Address of the site that was attempting to talk to your site. In this case most are UDP transports using ports 2629, 2630 etc. They were attempting access to TCP transport 137. Which is a good thing. ISA blocked those. Read up on NETBIOS and directory traversal vulnerabilities. HTH, Joseph ----- Original Message ----- From: "Paul Crisp" <PCrisp@xxxxxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, February 25, 2004 2:05 AM Subject: [isalist] Can anybody here me with IPPEXTD logs http://www.ISAserver.org I am getting the following appearing in my IPPEXTD logs. The first IP address is my external IP address of the ISA server and the second address changes. What is causing this? 2004-02-25 00:00:01 195.xxx.xxx.xxx 66.151.150.33 Udp 2629 137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 91 00 00 80 11 00 00 c3 9d 37 fa 42 97 96 21 0a 45 00 89 00 3a 2e ed 2004-02-25 00:00:01 195.xxx.xxx.xxx 66.151.150.33 Udp 2630 137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 92 00 00 80 11 00 00 c3 9d 37 fa 42 97 96 21 0a 46 00 89 00 3a 2e ea 2004-02-25 00:00:01 195.xxx.xxx.xxx 66.151.150.33 Udp 2631 137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 93 00 00 80 11 00 00 c3 9d 37 fa 42 97 96 21 0a 47 00 89 00 3a 2e e7 2004-02-25 00:00:01 195.xxx.xxx.xxx 66.151.150.33 Udp 2632 137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 94 00 00 80 11 00 00 c3 9d 37 fa 42 97 96 21 0a 48 00 89 00 3a 2e e4 2004-02-25 00:00:02 195.xxx.xxx.xxx 66.151.150.33 Udp 2629 137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 fe 00 00 80 11 00 00 c3 9d 37 fa 42 97 96 21 0a 45 00 89 00 3a 2e df Paul Crisp Snr Network Support Analyst t: 020 7 827 5201 f: 020 7 827 5266 ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: pcrisp@xxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: pcrisp@xxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')