[isalist] Re: "Top Users" report

  • From: "Jonathon J. Howey" <Jonathon@xxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 17 Apr 2006 14:22:44 -0600

Trying to track down what's causing IPs to be published in the report
instead of Username
 
 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: April 17, 2006 1:53 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: "Top Users" report


Why is autodiscovery information publishing unchecked?
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- ISA Firewalls

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathon J. Howey
        Sent: Monday, April 17, 2006 2:34 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: "Top Users" report
        
        
        OK found it for the Internal Network.
         
        *On the Auto Discovery tab, "Publish automatic discovery
information" was unchecked
        *On Firewall Client tab, "Enable FWC support" is checked, my
Server name is typed in, then "Automatically detect settings" and "Use
automatic config. script" (default URL) is checked.  "Use a Web proxy
server" is NOT.  (these would all be default as I do not remember
changing any of this).
         
        Now knowing this, should I check 'Use a web proxy server', or
uncheck the auto. detect settings?
         
        Furthermore, I've never changed ISA Console > General > Define
Firewall Client Setting, so everything there should still be the same.
         

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
        Sent: April 17, 2006 1:12 PM
        To: ISA Mailing List
        Subject: [isalist] Re: "Top Users" report
        
        

        From within the ISA console, in the properties of your
protected network, on the firewall client tab. 

         

        That should be selected if you want to autoconfigure the FWC.

         

        S

         

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathon J. Howey
        Sent: Monday, April 17, 2006 3:55 PM
        To: ISA Mailing List
        Subject: [isalist] Re: "Top Users" report

         

        Could you further explain?  I remember during ISA 2004 setup
whether I'm connecting a console to an existing ISA server, or make a
new ISA server, but I doubt that's it.

         

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
        Sent: April 17, 2006 12:17 PM
        To: ISA Mailing List
        Subject: [isalist] Re: "Top Users" report

        Have you disabled auto detect in the ISA console, because that's
where the instruction comes from.

         

        S

         

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathon J. Howey
        Sent: Monday, April 17, 2006 2:52 PM
        To: ISA Mailing List
        Subject: [isalist] Re: "Top Users" report

         

        Yes, but like I said, I believe most of my FWC installs have a
hard-coded server address typed in, so it shouldn't be using the WPAD
entry?

         

         

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
        Sent: April 17, 2006 11:44 AM
        To: ISA Mailing List
        Subject: [isalist] Re: "Top Users" report

        Take it out the dhcp scope, (it don't work as it should), and
just use a DNS A record for wpad.

         

        S

         

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathon J. Howey
        Sent: Monday, April 17, 2006 12:46 PM
        To: ISA Mailing List
        Subject: [isalist] Re: "Top Users" report

         

        Each client does have FWC installed (hard-coded to the ISA WINS
name (instead of DNS I've now realized); but I also have configured the
WPAD o252 in my domain.local DHCP scope .. ), and then after I installed
it, I proceeded to the 'Web Browser' tab and hit 'Configure Now', which
changed the old ISASERVER:8080 config in the client's Internet Options
to the configuration script.

         

        After reading the 'Client Overview' in the Help section, I'm
pretty sure that I just have FWC users which would also be Web Proxy
users, so therefore the report should be working... yes?

         

         

        Jonathon J. Howey

        MENSE Inc.

        P 780.409.5620

        F 780.409.5621

        D 780.409.5628

        C 780.965.8363

        Jonathon@xxxxxxxx

         

        Defining the Future of Transportation

        www.MENSE.ca <http://www.mense.ca/> 

         

         

         

         

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
        Sent: April 17, 2006 9:33 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: "Top Users" report

        Read up on client types. The help file has excellent information
on this. If it's authentication you'd like and tracking by username
rather than IP address, then you'll need the firewall client.

         

        As far as what the #7 entry represents you'll have to consult
your logs to see what that user was doing. 

         

        Amy

         

         

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathon J. Howey
        Sent: Monday, April 17, 2006 11:13 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] "Top Users" report

         

        Anyone have any idea on why the IP of the machine is showing up
instead of the user?  Has it anything to do with using a config. script
in IE/Mozilla instead of proxy and port?  Reason I ask is, the report is
misleading if you use DHCP, as it looks like the User (IP) is being
stored as the PK, and hence if that IP gets re-assigned to a diff. user
(as it has in my case), it doesn't reset the totals.

         

        As well, anyone have any ideas of where I can find out where the
IP in #7 is coming from?  Is it possible that it's a spammer server and
the ISA report is considering traffic on port 25 as well?  (this is an
SBS box).

         

         

No  User             Requests  % of Total  Bytes In   % of Total  Bytes Out  % of Total  Total Bytes  % of Total
                               Requests               Bytes In               Bytes Out                Bytes
1   192.168.100.119  20096     2.90 %      22.69 GB   30.60 %     2.30 GB    4.80 %      24.99 GB     20.50 %
2   192.168.100.117  3626      0.50 %      19.37 GB   26.10 %     1.33 GB    2.80 %      20.70 GB     17.00 %
3   192.168.100.126  15047     2.20 %      3.29 GB    4.40 %      10.74 GB   22.40 %     14.03 GB     11.50 %
4   192.168.100.127  13424     2.00 %      1.88 GB    2.50 %      8.44 GB    17.60 %     10.32 GB     8.50 %
5   192.168.100.139  17883     2.60 %      5.90 GB    8.00 %      3.80 GB    7.90 %      9.70 GB      7.90 %
6   192.168.100.100  13107     1.90 %      1.29 GB    1.70 %      3.16 GB    6.60 %      4.45 GB      3.60 %
7   198.53.112.177   76        0.00 %      3.38 GB    4.60 %      219.57 MB  0.40 %      3.60 GB      2.90 %
8   192.168.100.104  746       0.10 %      611.11 MB  0.80 %      2.73 GB    5.70 %      3.33 GB      2.70 %
9   192.168.100.122  5902      0.90 %      1.38 GB    1.90 %      1.27 GB    2.70 %      2.66 GB      2.20 %
10  192.168.100.85   110655    16.10 %     725.06 MB  1.00 %      1.94 GB    4.00 %      2.65 GB      2.20 %
11  192.168.100.124  14410     2.10 %      1.15 GB    1.60 %      1.11 GB    2.30 %      2.26 GB      1.90 %
12  192.168.100.134  12922     1.90 %      1.28 GB    1.70 %      920.23 MB  1.90 %      2.18 GB      1.80 %
13  192.168.100.114  20273     3.10 %      1.60 GB    2.20 %      548.31 MB  1.10 %      2.13 GB      1.80 %
14  192.168.100.132  14908     2.30 %      216.83 MB  0.30 %      1.83 GB    3.80 %      2.04 GB      1.70 %
15  192.168.100.113  14029     2.20 %      1.09 GB    1.50 %      451.77 MB  0.90 %      1.53 GB      1.30 %
    All Others       374959    59.30 %     6.29 GB    11.10 %     7.06 GB    15.10 %     13.36 GB     12.60 %
    Total            652063    100.00 %    72.12 GB   100.00 %    47.81 GB   100.00 %    119.93 GB    100.00 %

         

        Thanks.

         

        Jonathon J. Howey

        MENSE Inc.

        P 780.409.5620

        F 780.409.5621

        D 780.409.5628

        C 780.965.8363

        Jonathon@xxxxxxxx

         

        Defining the Future of Transportation

        www.MENSE.ca <http://www.mense.ca/> 
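
Added example, not part of the original thread: a log summary that keys traffic by username when one was logged and falls back to the client IP otherwise, lists source IPs outside the internal range, and lists IPs that appear under more than one username (the DHCP reassignment case raised above). The W3C-style field names, the "anonymous" username value, the 192.168.100.0/24 internal range and all sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (tab-separated, W3C extended log style).
# Field names and the "anonymous" value are assumptions, not from the thread.
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("#Fields: c-ip", "cs-username", "date", "cs-bytes", "sc-bytes"),
    ("192.168.100.119", "anonymous", "2006-04-10", "400", "52000"),
    ("192.168.100.119", "anonymous", "2006-04-12", "350", "8000"),
    ("192.168.100.85", "DOMAIN\\alice", "2006-04-12", "500", "1200"),
    ("192.168.100.85", "DOMAIN\\bob", "2006-04-14", "300", "900"),
    ("203.0.113.7", "anonymous", "2006-04-13", "90000", "700"),
])

INTERNAL_NET = ipaddress.ip_network("192.168.100.0/24")  # assumed internal range
NO_IDENTITY = {"", "-", "anonymous"}  # values treated as "no user logged"

def parse(log_text):
    """Yield one dict per record, taking column names from the #Fields line."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def summarize(log_text, internal=INTERNAL_NET):
    """Return (totals by user-or-IP, external source IPs, IPs shared by users)."""
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0})
    users_by_ip = defaultdict(set)
    external = set()
    for rec in parse(log_text):
        ip, user = rec["c-ip"], rec["cs-username"]
        has_user = user.lower() not in NO_IDENTITY
        # Without a logged username the client IP is the only key available.
        key = user if has_user else ip
        totals[key]["requests"] += 1
        totals[key]["bytes"] += int(rec["cs-bytes"]) + int(rec["sc-bytes"])
        if has_user:
            users_by_ip[ip].add(user)
        if ipaddress.ip_address(ip) not in internal:
            external.add(ip)
    shared = {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > 1}
    return dict(totals), sorted(external), shared

if __name__ == "__main__":
    totals, external, shared = summarize(SAMPLE_LOG)
    print(totals, external, shared, sep="\n")
```
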

         

         

         
