ISA 2004 Standard logging

Posted on 2006-06-21
Medium Priority
Last Modified: 2013-11-16
I have read through several of the threads posted about ISA capturing usernames rather than IP addresses, but am still having difficulties getting this to work/understanding how to configure it.

Our setup is as follows:  2003 Server with ISA 2004 Standard, Single Network Adapter mode (this box is still in testing, so it can be changed) that is a member server on the domain. (2000 domain)  We are not using the FW client, but are piping people through the web-proxy in IE/Firefox.  This is not being used as a FW, but only as a proxy server.

90% of our employees are on Thin Clients and go through windows 2003 terminal servers.

Currently we are only seeing information about IP addresses, which wouldn't be that big of a deal except that all we see are the IPs from the server, so we can't exactly tell who the offender was.  Like others have said, there is so much confusing/conflicting information out about the capabilities of ISA that I needed to once again post this question.  The kicker seems to be the thin client aspect of the equation.  For the most part, when I mention that, people tell me that we won't be able to truly use AD integration on ANY proxy service.

Thoughts?  Is ISA the best choice for proxying, or is something like Linux/Squid a better choice given what I would like to see?  (pretty new to ISA if you couldn't tell!)
Question by:COSMTARFCU

Expert Comment

ID: 16954076
For what reason do you need the usernames?
    Web Content Filtering, Protocol filtering, IP routing or just reporting web usage?  

You mention an 'offender' what is the offence?
    breach of acceptable usage policy in what category?
        productivity, security, bandwidth, inappropriate usage or content?

The best solution will depend on the objectives you are trying to achieve.

You can configure the web proxy component of ISA2004 to request authentication details from anonymous connections.  
This can be done at various points, which works will depend on your environment.  

On its own ISA server won't do content filtering effectively, you will need an add-on product.  
Managed web services are worth considering as are appliance server solutions.  

If the server is a web cache only, I assume you have another firewall on the edge of your network of some description.
Is ISA chaining to this or just directing traffic straight through it?  

More details will help elicit more feedback


Author Comment

ID: 16954200

We just want a report of who is going where, and will be using something along the lines of websense or surfcontrol to then filter sites.  At this point, it is to mostly cover ourselves and show due diligence so that we can go to someone and say, we had a complaint that you went to a site, and here's the record of you going there.  Make sense?  (it's also a way for me to show Sr. Management that we need something like websense)

We have a CISCO ASA firewall on the edge to protect for everything else, with IPS units on the DMZ and LAN, so we only really needed a Web Proxy system, hence not using ISA "firewall" capabilities.

What other information would help?

Expert Comment

ID: 16957977
Well if you are going to use Websense and Surfcontrol they both have comprehensive reporting modules.  Personally, I prefer Websense which has a wide range of templates for its standard report generator.  You can also install an IIS add-on which allows drill-down reporting and real-time reporting.  

If you want reporting from ISA server 2004, you can either:
  • Use standard text logging and process the resulting files through your favourite reporting tool, or
  • Use enhanced logging which requires either MSDE on the ISA server or a backend SQL server, then use your favourite SQL reporting tools.  

Is the CISCO unit protecting you against malware, spyware and bandwidth saturation?
Both Websense and Surfcontrol will offer a broad range of protection, assuming of course that you ensure that users can't just bypass the ISA web proxy and access the Internet directly.
i.e. ensure that CISCO firewall only allows outbound traffic from your trusted servers and services.  

FYI, we use ISA2004 web caching only in branch offices, chaining upstream to ISA2004 array in HQ.  Websense filter plug-in on all ISA servers.  Websense policy server and logging SQL server at HQ.  Internet Traffic Inbound and Outbound is additionally filtered by Symantec, Surfcontrol & Messagelabs solutions.  
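
The "standard text logging" route mentioned in the comment above, sketched as an added example (not code from anyone in this thread): a small Python report over a W3C extended-format web proxy log that groups destinations by user name and counts unauthenticated requests per client IP, which on a terminal server is all the attribution there is. The log lines are constructed, and the field names and the "anonymous"/"-" markers for unauthenticated requests are assumptions about the log layout.

```python
from collections import defaultdict

# Assumption: values that mean "no authenticated user" in the cs-username field.
UNAUTHENTICATED = {"anonymous", "-", ""}

# Constructed sample: tab-separated W3C extended log with a "#Fields:" header.
# 10.0.0.21 stands for a terminal server shared by several users.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tcs-username\tdate\ttime\tr-host\tsc-status",
    "10.0.0.21\tEXAMPLE\\alice\t2006-06-21\t09:14:02\twww.example.com\t200",
    "10.0.0.21\tEXAMPLE\\bob\t2006-06-21\t09:14:05\twww.example.org\t200",
    "10.0.0.21\tanonymous\t2006-06-21\t09:14:09\twww.example.net\t407",
    "10.0.0.21\tEXAMPLE\\alice\t2006-06-21\t09:15:40\tintranet.example.com\t200",
    "10.0.0.21\t-\t2006-06-21\t09:16:01\twww.example.net\t200",
    "10.0.0.21\tEXAMPLE\\bob",  # truncated line, e.g. cut off at log rollover
])

def parse_w3c(text):
    """Yield one dict per record, using the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no records
        elif fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def usage_report(text):
    """Return (hosts visited per user, unauthenticated request count per IP)."""
    by_user = defaultdict(set)
    unattributed = defaultdict(int)
    for row in parse_w3c(text):
        user = row.get("cs-username", "-").lower()
        if user in UNAUTHENTICATED:
            unattributed[row["c-ip"]] += 1  # only the shared IP is known
        else:
            by_user[user].add(row["r-host"])
    return {u: sorted(h) for u, h in by_user.items()}, dict(unattributed)

if __name__ == "__main__":
    users, unattributed = usage_report(SAMPLE_LOG)
    for user, hosts in sorted(users.items()):
        print(user, "->", ", ".join(hosts))
    print("requests with no user name, by client IP:", unattributed)
```

A non-empty unattributed count for a terminal server IP means some requests are still being served without authentication, so those visits cannot be tied to a person.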


Author Comment

ID: 16994290
Ok, I got this working.  Ended up in the firewall policy, I needed to add USERS only allowed from domain\group...

NOW, I have a different problem.  Things were working great, I was getting all the information I wanted, but then we started getting instances where everyone was prompted for a username/password.  I had to restart all of the services on the server, and reboot to get it to start taking requests again.  There are no errors in the event log, but there is an informational that says server disconnected the following client [IP] because its connection limit was exceeded.

But that warning doesn't come up every time this happens.  Any ideas?

Accepted Solution

DarthMod earned 0 total points
ID: 17183017
PAQed with points refunded (125)

Community Support Moderator

Question has a verified solution.
