
ISA 2004 User Reports

I run a weekly report on ISA 2004 showing top websites, top users, traffic, etc. However, inside the Top Users for the company, since we don't use the firewall client, it lists the internal IP addresses. For the last 3 weeks, within the Top Users there is an outside IP address listed as the number one user; all the other IPs are internal. How can ISA show an outside IP address as the top internal user? Any ideas?
Thanks

Asked by: DFCRJ
 
maderosia Commented:
This can be an IP address of a user that is using VPN. I noticed this by monitoring VPN connections and the IPs they were connecting with.
Hope this helps.
 
Keith Alabaster (Enterprise Architect) Commented:
That is a fair point (assuming you are using VPNs) :)

Can you resolve the IP address to a recognisable address?
Remember also that the monitor does actually log all traffic. One of my hosted web sites regularly shows up in the top 10.
 
DFCRJ (Author) Commented:
The address seems to be a mail server owned by our parent company. They are connected to us through a frame and have an internal router in place to create the connection, but have been for a year, and this has just shown up in the past two weeks. The frame line is for emergencies and is not used on a regular basis; as a matter of fact, we never use it. But the amount of traffic is high: 6 days on the report with a total to this IP address of 1.5g, and users asking why the internet is slower is what prompted me to investigate.

I don't understand why the ISA reports all traffic under internal users. This is the only outside IP that has shown up in the internal web users traffic; for that to happen the IPs must be part of the internal adapters, or so I thought.
 
Keith Alabaster (Enterprise Architect) Commented:
Not sure if you run SNMP on your routers etc. Do a search on Google for PRTG and download the freeware version. Point it at the router and this will show you exactly how much traffic is passing through the router.

Also, get Ethereal. It's free: www.ethereal.com. Monitor the traffic on the ISA subnet. Look and see if the parent has activated any routing protocols. If you have suddenly become part of their gateway etc., you could be acting as their mail relay...
 
DFCRJ (Author) Commented:
Thanks, I'll do that first thing tomorrow when I get in and see what's going on.
 
Keith Alabaster (Enterprise Architect) Commented:
No problem. I'm on UK time so just post when you're ready and I'll respond as soon as I get in from work. :)
 
DFCRJ (Author) Commented:
OK, I've installed Ethereal and tracked down the IP address; it is a mail server back to our parent co. I see several outbound emails from internal users.
 
Keith Alabaster (Enterprise Architect) Commented:
OK.

So this is one of your own sites which can hit your LAN through a frame relay connection? Does the frame connect outside of the ISA box or from the inside of the ISA box? I.e., is the frame connecting to the internal LAN, so that ISA would see this as internal traffic?
 
DFCRJ (Author) Commented:
They placed a Cisco router over here connected back to them through frame. From their Cisco router it is plugged into our switch. I placed routing statements on our ISA box to route any 192.168.0.0 traffic back to their internal Cisco router.
I can ping their 192 network (we are 10.60.) and they of course can ping us. That's it, no parent domain or additional forest setup within AD, just a single frame line connection, but it's been this way for well over a year without any problems.
Any internal traffic should bypass the ISA, which is the default gateway; it should not be filtering it.
 
Keith Alabaster (Enterprise Architect) Commented:
Absolutely.

Sure, so their Cisco router is seen by ISA as an external network rather than an internal one?
Is the 192 network added/associated with the internal network in the Local Address Table (LAT) when you look at Configuration - Networks - Internal - Addresses within the ISA GUI?
 
DFCRJ (Author) Commented:
Yes, their 192 is added as an Internal address under the Networks tab.
I can say that their internal router has one IP address of 10.60.0.0 on my side to route 192 traffic back to them; on the other interface it's a 192 when I do a tracert.
 
Keith Alabaster (Enterprise Architect) Commented:
That is why it will be being shown in the internal user list. Why their traffic is coming through your link/frame is a different question of course :)
 
Keith Alabaster (Enterprise Architect) Commented:
One you will need to take up with the network admins at your parent site, but I think you will find they have done something on their routing protocols that makes your link a preferable route (in respect to routing metrics) than their own link.
 
DFCRJ (Author) Commented:
I think you're right. I certainly appreciate you taking this much time!
 
Keith Alabaster (Enterprise Architect) Commented:
Welcome. :)
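
Added example, not part of the original thread: a small check that reproduces why the parent company's address lands in the internal Top Users list, by totalling bytes per client IP and tagging each top talker by the configured range it falls in. The prefix lengths, the sample records and their two-column layout are constructed for illustration and are not ISA's log format.

```python
import ipaddress
from collections import Counter

# Assumed from the thread: local LAN is 10.60.x.x, and the parent's 192.168.x.x
# range was added to ISA's Internal network. The /16 prefix lengths are guesses.
LOCAL_LAN = ipaddress.ip_network("10.60.0.0/16")
INTERNAL_RANGES = [LOCAL_LAN, ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample records ("client_ip bytes"), one per request.
SAMPLE = """\
192.168.0.25 900000000
10.60.1.14 120000000
192.168.0.25 600000000
10.60.1.77 80000000
10.60.1.14 30000000
garbage line
203.0.113.9 5000
""".splitlines()

def classify(ip):
    """Say which configured range an address belongs to."""
    addr = ipaddress.ip_address(ip)
    if addr in LOCAL_LAN:
        return "local-lan"
    if any(addr in net for net in INTERNAL_RANGES):
        return "internal-by-config"   # reported as internal, but not our LAN
    return "external"

def top_users(lines, n=3):
    """Return the n largest (ip, total_bytes, classification) tuples."""
    totals = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
            size = int(parts[1])
        except ValueError:
            continue                   # skip malformed records
        totals[ip] += size
    return [(ip, b, classify(ip)) for ip, b in totals.most_common(n)]

def unexpected_internal(lines, n=3):
    """Top talkers counted as internal only because of the address configuration."""
    return [row for row in top_users(lines, n) if row[2] != "local-lan"]

if __name__ == "__main__":
    for row in top_users(SAMPLE):
        print(row)
```

Any row returned by `unexpected_internal` is worth tracing back to its route, as was done in this thread with the frame link.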
