That's a pretty skimpy log; I hope that you aren't limited to just those fields... There's no sc-status, so I can't tell what ISA thought of those connections. You have to remember; EVERY browser connection starts as anonymous. Also, ISA reports a "session" as any successful TCP connection to the ISA. Without seeing the "before" and "after" ipconfig/all and route print from the ISA, I can't tell you whether your IP stack is happy or completely dead. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ----- Original Message ----- From: "tim S" <tim724342@xxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Tuesday, October 05, 2004 16:54 Subject: [isalist] Re: anonymous user with internet IP number in websession http://www.ISAserver.org Jim, Here is part of my webproxy log c-ip cs-username sc-authenticated date time s-computername cs-referred r-host r-ip 162.3.45.66 anonymous N 2004-10-05 22:02:46 ISA2K - ftp.xyz.com 10.0.0.16 68.45.32.234 anonymous N 2004-10-05 22:04:10 ISA2K - ftp1.xyz.com 10.0.0.15 I set the outgoing listener to ask for authentication, but still I get the anonymous logins (not for internal users though). Those two c-ip numbers appear in the web session client IP address column, when I look at the monitoring node. I have integrated authentication method enabled on all incoming web listeners. Those ftp sites are our servers. This is what I did. ISA2K's external NIC has five different IP numbers. I removed the primary IP number of the external NIC, added another IP number and put the old one back again (not as a primary IP attached to the card). Then rebuilt the routing table. I also told my users to start using both firewall and web proxy clients. HTTP redirector drops all HTTP requests from firewall and secureNat clients. But now I only see anonymous usernames even for internal users in websession unless if I set the outgoing listener to ask for authentication. I thought setting up the webproxy client means I didn't haven't to ask for authentication because domain\user info won't be stripped off from HTTP redirector. I would appreciate it if you can tell me whether I screwed up the ISA by removing the IP and rebuilding the routing table. Thanks Is it normal for ISA to show external user sessions in the websession node? Jim Harrison <jim@xxxxxxxxxxxx> wrote: http://www.ISAserver.org You should be seeing those requests getting bounced. Have you checked your web proxy logs? Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ----- Original Message ----- From: "tim S" To: "[ISAserver.org Discussion List]" Sent: Tuesday, October 05, 2004 10:20 Subject: [isalist] Re: anonymous user with internet IP number in websession http://www.ISAserver.org I configured individual IP numbers and all of them use integrated authentication. Jim Harrison wrote: http://www.ISAserver.org How have you configured the inbound web listener; all IPs or single IP? Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ----- Original Message ----- From: "tim S" To: "[ISAserver.org Discussion List]" Sent: Tuesday, October 05, 2004 07:29 Subject: [isalist] Re: anonymous user with internet IP number in websession http://www.ISAserver.org Jim, Yes, I publish number of websites and ftp sites. The log says those connections were for my ftp site. But why would that show up in the web session monitor. I thought you only see web sessions initiated from the internal network on the monitoring node. Am I correct? Jim Harrison wrote: http://www.ISAserver.org Look in the ISA web proxy logs and you'll see what ISA thought of that connection srequest. Are you publishing any web sites? Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! On Mon, 4 Oct 2004 17:12:14 -0700 (PDT) tim S wrote: http://www.ISAserver.org I noticed the web session displays an anonymous user with an internet IP number as client address. This internet IP number is not the external NIC IP and doesn't belong to me at all. All my internal IPs are 10.10.10.0/24. Does this mean the web proxy session is hacked? Thanks --------------------------------- Do you Yahoo!? vote.yahoo.com - Register online to vote today! ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tim724342@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx --------------------------------- Do you Yahoo!? New and Improved Yahoo! Mail - 100MB free storage! ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tim724342@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx --------------------------------- Do you Yahoo!? New and Improved Yahoo! Mail - Send 10MB messages! ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tim724342@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx