Thanks Jim, I see it shows ICMP once I add the transport column. I was thinking it would show this under the protocol column, which was throwing me off. I checked the system policy and see that rule #11, ICMP requests from ISA are enabled. I take it this indicates the traffic isn't being seen as ICMP Info Request, Timestamp, or Ping?

Since you said it sounds like an ICMP response, I tried filtering by the client IP of the Exchange server, but I don't see any traffic destined for the ISA internal address.

Jeff

log snip: (I tried sending as a CSV attachment so it would be readable, but I think the listserv doesn't like that). .38 is ISA and .16 is Exchange

Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name HTTP Method URL MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Processing Time HTTP Status Code Cache Information Log Record Type Log Time Destination IP Destination Port Protocol Action Rule Client IP Source Network Destination Network Result Code Error Information Bytes Received Bytes Sent Source Port Raw Payload Client Username Transport

xx.xx.xx.38 BORDERGUARD - - - - - 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16 1 Unidentified IP Traffic Denied Connection Default rule xx.xx.xx.38 Local Host Internal 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0 0 5 ICMP
xx.xx.xx.38 BORDERGUARD - - - - - 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16 1 Unidentified IP Traffic Denied Connection Default rule xx.xx.xx.38 Local Host Internal 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0 0 5 ICMP
xx.xx.xx.38 BORDERGUARD - - - - - 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16 1 Unidentified IP Traffic Denied Connection Default rule xx.xx.xx.38 Local Host Internal 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0 0 5 ICMP
xx.xx.xx.38 BORDERGUARD - - - - - 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16 1 Unidentified IP Traffic Denied Connection Default rule xx.xx.xx.38 Local Host Internal 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0 0 5 ICMP
xx.xx.xx.38 BORDERGUARD - - - - - 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16 1 Unidentified IP Traffic Denied Connection Default rule xx.xx.xx.38 Local Host Internal 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0 0 5 ICMP
xx.xx.xx.38 BORDERGUARD - - - - - 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16 1 Unidentified IP Traffic Denied Connection Default rule xx.xx.xx.38 Local Host Internal 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0 0 5 ICMP
xx.xx.xx.38 BORDERGUARD - - - - - 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16 1 Unidentified IP Traffic Denied Connection Default rule xx.xx.xx.38 Local Host Internal 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0 0 5 ICMP
xx.xx.xx.38 BORDERGUARD - - - - - 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16 1 Unidentified IP Traffic Denied Connection Default rule xx.xx.xx.38 Local Host Internal 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0 0 5 ICMP
xx.xx.xx.38 BORDERGUARD - - - - - 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16 1 Unidentified IP Traffic Denied Connection Default rule xx.xx.xx.38 Local Host Internal 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0 0 5 ICMP

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Friday, March 17, 2006 10:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Unidentified traffic to exchange server

http://www.ISAserver.org

Log snip?
This is sounding more like an ICMP response than anything else.

-----Original Message-----
From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
Sent: Friday, March 17, 2006 6:48 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Unidentified traffic to exchange server

http://www.ISAserver.org

I'm seeing repeated denied connections from the internal ISA NIC to the backend Exchange server in the ISA logs. They all have source port of 5 and destination of 1 and show protocol as "unidentified ip traffic". Result code is "0xc004000d FWX_E_POLICY_RULES_DENIED".
Anyone have an idea what might be wrong?

ISA 2004 SP1, Exchange 2003 SP2. I have OWA published from FE and RPC over HTTP set up. Also have POP3S and SMTPS published, but no one is using it. Inbound SMTP is going to the FE server.

thanks,
Jeff

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.