Re: ISA 2004 Logging and Reporting

---

• From: "isax242@xxxxxxxxxxx" <isax242@xxxxxxxxxxx>
• Date: 10 Apr 2007 13:43:42 -0700

---

On Apr 5, 3:55 pm, "Jim Harrison \(ISA SE\)"
<jmh...@xxxxxxxxxxxxxxxxxxxx> wrote:

Machine accounts do in fact exist in AD; they just appear without '$' there.
When they're used for authentication, the '$' is appended to indicate that a
machine account being used.
Search your ISA logs; for those requests where you see machine accounts in
the user field, the request is likely for
"/ms_proxy_intra_array_auth_query".
This request is used in three cases:
1. array peer configuration requests
2. server-side CARP
3. web chaining to an upstream proxy

In either case, unless a TCP connection already exists between the two, the
request from the downstream ISA will be preceded by the authentication
request, which includes machine credentials by default.
The fact that you see a lot of this in your reports indicates that the
clients are not acquiring or using (or both) the WPAD script, since the
server-side CARP requests number so high.
If so, this article may help:www.microsoft.com/technet/isa/2006/auto_discovery.mspx

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.

<isax...@xxxxxxxxxxx> wrote in message

news:1175786473.231944.268910@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We have 2 ISA 2004 server participating in an array on our intranet.
When I view the daily Array Reports, I see that the top web user is
always an AD account that doesn't exist.

The user account is the name of ONE of the ISA server computers with a
"$" appended to the end of it. Below is an example of the Top Web
User that I see in my daily reports:

"domain_name\isa_computer_name$".

The other ISA Server computer name in the array does not show up in
the reports like this one does.

What does this account do? Where is it coming from?

Any help is greatly appreciated.

Thanks for your help, it was driving me nuts. I'll check up on this.

.

---

• References:
  • ISA 2004 Logging and Reporting
    • From: isax242@xxxxxxxxxxx
  • Re: ISA 2004 Logging and Reporting
    • From: Jim Harrison \(ISA SE\)

• Prev by Date: Re: Access internet with or without ISA?
• Next by Date: Re: How to install additional web/application filters ?
• Previous by thread: Re: ISA 2004 Logging and Reporting
• Next by thread: SMTP Traffic from Exchange 2003 Not Working
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: ISA 2004 Logging and Reporting ... Machine accounts do in fact exist in AD; they just appear without '$' there. ... This request is used in three cases: ... request from the downstream ISA will be preceded by the authentication ... The user account is the name of ONE of the ISA server computers with a ... (microsoft.public.isa.configuration) Re: Sample Logon Script ... > Re-entered push account and here is some of the CCM.log ... > Submitted request successfully SMS_CLIENT_CONFIG_MANAGER ... > name "ZRWKSHYMAN", in queue "Processing". ... > ---> Trying each entry in the SMS Client Remote ... (microsoft.public.sms.admin) Re: Sample Logon Script ... Re-entered push account and here is some of the CCM.log ... Stored request "ZRWKSHYMAN", machine name "ZRWKSHYMAN", ... Getting a new request from queue "Retry" after 100 ... (microsoft.public.sms.admin) Re: Sample Logon Script ... Check to make sure the account specified has local admin rights on the ... >>> Getting a new request from queue "Retry" after 100 ... (microsoft.public.sms.admin) Re: 3rd post: OWA/HTTPS Error. Help! ... If you notice the error message below is being generated by ISA. ... DNS set to 10.0.0.1 on both NICs ... EXCERPT I: ... I thought so too about the account lockout, ... (microsoft.public.windows.server.sbs)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > ISA  > microsoft.public.isa.configuration  > 2007-04