Re: anonymous user with internet IP number in websession

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 6 Oct 2004 08:23:27 -0700

That's a pretty skimpy log; I hope that you aren't limited to just those 
fields...
There's no sc-status, so I can't tell what ISA thought of those connections.

You have to remember; EVERY browser connection starts as anonymous.
Also, ISA reports a "session" as any successful TCP connection to the ISA.

Without seeing the "before" and "after" ipconfig/all and route print from the 
ISA, I can't tell you whether your IP stack is happy 
or completely dead.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!

----- Original Message ----- 
From: "tim S" <tim724342@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, October 05, 2004 16:54
Subject: [isalist] Re: anonymous user with internet IP number in websession


http://www.ISAserver.org


Jim,



Here is part of my webproxy log



c-ip  cs-username   sc-authenticated    date   time   s-computername   
cs-referred   r-host   r-ip

162.3.45.66   anonymous  N   2004-10-05  22:02:46  ISA2K  -  ftp.xyz.com  
10.0.0.16
68.45.32.234  anonymous  N   2004-10-05  22:04:10  ISA2K  -  ftp1.xyz.com  
10.0.0.15



I set the outgoing listener to ask for authentication, but still I get the 
anonymous logins (not for internal users though).



Those two c-ip numbers appear in the web session client IP address column, when 
I look at the monitoring node. I have integrated 
authentication method enabled on all incoming web listeners.  Those ftp sites 
are our servers.



This is what I did.  ISA2K's external NIC has five different IP numbers.  I 
removed the primary IP number of the external NIC, added 
another IP number and put the old one back again (not as a primary IP attached 
to the card).  Then rebuilt the routing table.   I 
also  told my users to start using both firewall and web proxy clients.  HTTP 
redirector drops all HTTP requests from firewall and 
secureNat clients.  But now I only see anonymous usernames even for internal 
users in websession  unless if I set the outgoing 
listener to ask for authentication.  I thought setting up the webproxy client 
means I didn't haven't to ask for authentication 
because domain\user info won't be stripped off from HTTP redirector.  I would 
appreciate it if you can tell me whether I screwed up 
the ISA by removing the IP and rebuilding the routing table.   Thanks



Is it normal for ISA to show external user sessions in the websession node?



Jim Harrison <jim@xxxxxxxxxxxx> wrote:

http://www.ISAserver.org

You should be seeing those requests getting bounced.
Have you checked your web proxy logs?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

----- Original Message ----- 
From: "tim S"
To: "[ISAserver.org Discussion List]"
Sent: Tuesday, October 05, 2004 10:20
Subject: [isalist] Re: anonymous user with internet IP number in websession


http://www.ISAserver.org


I configured individual IP numbers and all of them use integrated 
authentication.


Jim Harrison wrote:
http://www.ISAserver.org

How have you configured the inbound web listener; all IPs or single IP?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

----- Original Message ----- 
From: "tim S"
To: "[ISAserver.org Discussion List]"
Sent: Tuesday, October 05, 2004 07:29
Subject: [isalist] Re: anonymous user with internet IP number in websession


http://www.ISAserver.org

Jim,

Yes, I publish number of websites and ftp sites. The log says those connections 
were for my ftp site. But why would that show up
in the web session monitor. I thought you only see web sessions initiated from 
the internal network on the monitoring node. Am I
correct?

Jim Harrison wrote:
http://www.ISAserver.org

Look in the ISA web proxy logs and you'll see what ISA thought of that 
connection srequest.
Are you publishing any web sites?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!


On Mon, 4 Oct 2004 17:12:14 -0700 (PDT)
tim S wrote:
http://www.ISAserver.org

I noticed the web session displays an anonymous user with an internet IP number 
as client address. This internet IP number is not
the external NIC IP and doesn't belong to me at all. All my internal IPs are 
10.10.10.0/24. Does this mean the web proxy session is
hacked? Thanks




---------------------------------
Do you Yahoo!?
vote.yahoo.com - Register online to vote today!

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
tim724342@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


---------------------------------
Do you Yahoo!?
New and Improved Yahoo! Mail - 100MB free storage!

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
tim724342@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


---------------------------------
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
tim724342@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx




__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

Other related posts:

  1. Home
  2. isalist
  3. Archive
  4. 10-2004