Re: ISA 2000 Firewall Log

Hi Andrew.

Thanks for the reply. You did shed some light on the issue! I would just
like to explain a little more of our network setup.

The gateway in our network is not the ISA server. In fact it is one of our
internal routers. This router filters our banking core software traffic and
regular internet traffic. If the traffic that passes through this router is
part of our banking core software, it will pass it along to our banking core
company and does not go through the ISA Server. If it's any other traffic,
it passes it through the ISA server before getting out to the internet.

Could software with their own built-in autoupdate features, like Java,
shockwave, palm pilot software etc.. be causing this? Can I safely assume
that these program don't use Port 80 and that is why it is logged in the
firewall log and not anything harmfull on the workstation?

Thanks again,
Mike




"A.Klimkin" wrote:

> It appears I'm the 3rd who try to shed some light onto the issue ;)
> LAN host might appear in firewall log not only when it has firewall client
> software installed, but when it configured with ISA server internal IP as
> its default gateway address (so-called SecureNAT client). So any non-http(s)
> traffic from the client to the Internet will have its track in firewall
> logs. Many apps also cannot act as web proxy client, so its http traffic
> also will pass through the firewall service.
>
> Regards,
> Andrew
>
> "banker2640" <banker2640@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:472C5764-603B-4837-A704-972FE93757C4@xxxxxxxxxxxxxxxx
> >I am looking at the correct logs. The firewall log I'm looking at is
> > FWSDyyyymmdd.log. I don't see the computers in the Sessions because I'm
> > not
> > monitoring it 24/7. I do have other things to do. So when I review the
> > Firewall logs I see that some computers are being logged in the firewall
> > log,
> > when I think they shouldn't because they don't even have the ISA Firewall
> > client installed.
> >
> > So does anyone know why some of my computers randomly show up in the ISA
> > Firewall log if they don't even have the ISA Firewall client installed
> > that
> > their workstations and the only programs that they are using is MS Office
> > products and IE?
> >
> > Thanks in adavance.
> > Mike
> >
> > "Phillip Windell" wrote:
> >
> >> You need to make sure the log you are looking at is the one you think it
> >> is.
> >> Examine the Sessions in the MMC to see what Service those machines come
> >> in
> >> under. you may just be getting the logs mixed up. Users cannot use the
> >> Firewall Service without the Firewall Client installed or the old Proxy
> >> Client installed (from the old Proxy2).
> >>
> >> --
> >>
> >> Phillip Windell [MCP, MVP, CCNA]
> >> www.wandtv.com
> >>
> >> "banker2640" <banker2640@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:561AC38E-15EF-4088-876A-246DB32CE75E@xxxxxxxxxxxxxxxx
> >> > Hi there,
> >> >
> >> > I understand that ISA is a Firewall, but why would a computer show up
> >> > in
> >> the
> >> > Firewall log file if it doesn't even have the firewall client installed
> >> > on
> >> > that computer?
> >> >
> >> > Thanks,
> >> > Mike
> >> >
> >> >
> >> >
> >> > "Sergio Fonseca [MVP]" wrote:
> >> >
> >> > > Hi,
> >> > >
> >> > > The ISA2000 is also a Firewall so it "reacts" to requests. It does
> >> > > not
> >> mean
> >> > > that there is a problem, just means that a request reached the ISA.
> >> > >
> >> > > Qualquer sugestao deve ser testada antes de aplicada - www.gupade.org
> >> > >
> >> > > "banker2640" <banker2640@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> > > news:04C3A357-6A99-4071-ACFD-D64FF4252F67@xxxxxxxxxxxxxxxx
> >> > > > Hello,
> >> > > >
> >> > > > Can someone tell me what makes an entry appear in the ISA Firewall
> >> Client
> >> > > > Log? The reason why I'm asking is because some of our computers
> >> > > > which
> >> do
> >> > > > not
> >> > > > have the firewall client installed, are appearing in the firewall
> >> > > > log.
> >> > > > What
> >> > > > could the users of these computers be doing to trigger an entry in
> >> > > > the
> >> > > > firewall log? Should we have the firewall client loaded? As far as
> >> > > > I
> >> know,
> >> > > > the users are not experiencing any problems. Are we causing an
> >> exposure
> >> > > > because we are on the log (ISA thinks we have a firewall) and thus
> >> thinks
> >> > > > we
> >> > > > are protected, but we are not?
> >> > > >
> >> > > > Thanks in advance for you suggestions.
> >> > > >
> >> > > > Mike
> >> > >
> >> > >
> >> > >
> >>
> >>
> >>
>
>
>
.

Relevant Pages

  • RE: ISA2004 client firewall slow webpage loading
    ... have you configured this new client as web proxy client? ... configure ISA server as your Proxy ... stop the Microsoft Firewall service. ...
    (microsoft.public.windows.server.sbs)
  • Re: Outbound VPN
    ... Your SBS client cannot establish PPTP VPN through ISA 2004. ... Chapter 6: ISA Server 2004 VPN Deployment Kit: Configuring the ISA Server ... 2004 Firewall for Outbound PPTP and L2TP/IPSec Access ...
    (microsoft.public.windows.server.sbs)
  • Re: VPN Clients und VPN Zugriffe auf Notebooks
    ... In dem KB Artikel ist ein Dokument ... installing the firewall client on the VPN client machine. ... client will forward requests directly to the ISA Server firewall's internal ...
    (microsoft.public.de.german.isaserver)
  • Re: ISA rules?
    ... starting the Web Proxy service, ... client on the workstations is an odd situation. ... there is no facility to add the Firewall Client to a ... I recommend you to Remove ISA Server and Firewall ...
    (microsoft.public.windows.server.sbs)
  • User web browsing issue, W2K client
    ... ISA server returned a 403 error "The ISA server denies the specified URL ... client is installed and configured correctly on all machines. ... from IE generated entries in the Firewall client log rather than the Web ... IE proxy settings, the only solution I found was to clear all the local IE ...
    (microsoft.public.backoffice.smallbiz2000)