Hi Neil My opinion is the following: As long as you have enabled the Rule#1 and Rule#2 as mentioned in my previous post, if the last 2 fields are shown as "-", then that means that the ISA Server did NOT permit the request as no matching Protocol Rule and S&C Rule were found to authenticate the request. So from the log that you included in your post my conclusion is that the user was not able to surf the NASTY website. You can of course also confirm this by going to that users workstation and trying to access the specific website, and then check your logs again to see what ISA reported. Cheers William R. -----Original Message----- From: Sullivan, Neil (CALBRIS) [mailto:Neil.Sullivan@xxxxxxxxxxxxxxxxxxxxxxx] Sent: 28 November 2002 09:08 AM To: [ISAserver.org Discussion List] Subject: [isalist] FW: Unauthorised access http://www.ISAserver.org Bit more context for this one, is looked thru the logs again and this is the tail end of the log. There are about a dozen or so of these, all slightly different of course. To me it seems the ISA returned no page to the user? Should this have ever hit the logs? The user was resolved - not anonymous.. IP.IP.IP.IP, Domain\User, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1), -, 9/27/2002, 7:57:27, -, PROXY, -, -, -, 0, 125, 479, 0, -, -, GET, http://www.nastyurl.com/images/page1_02.jpg, -, -, 12209, -, -, - Is this correct behaviour? > -----Original Message----- > From: Sullivan, Neil (CALBRIS) > Sent: Thursday, 28 November 2002 4:40 PM > To: [ISAserver.org Discussion List] (E-mail) > Subject: Unauthorised access > > > Got a strange problem with an ISA SP1 Cache only server. > > Access to the Internet is via Group membership, applied to site and content rules. > > So far so good, been working OK for ages, but now someone has turned up in the logs who does NOT have access via the group membership. > > Furthermore, looking thru the security log, there is no evidence of this person ever having authenticated with the ISA.. > ISA is set to Authenticate Users, using Basic and Windows authentication. > > Tests have shown that removing a legitimate user from the Group does remove their access - as it should. > > So how does my mystery user get access? It's not via any nested group membership either. > > I'm stuffed if I can find out.. > > Cheers > Neil > > > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: robertson.william@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')