COSMTARFCU asked:
ISA 2004 Standard logging

I have read through several of the threads posted about ISA capturing usernames rather than IP addresses, but am still having difficulties getting this to work/understanding how to configure it.

Our setup is as follows:  2003 Server with ISA 2004 Standard, Single Network Adapter mode (this box is still in testing, so it can be changed) that is a member server on the domain. (2000 domain)  We are not using the FW client, but are piping people through the web-proxy in IE/Firefox.  This is not being used as a FW, but only as a proxy server.

90% of our employees are on Thin Clients and go through windows 2003 terminal servers.

Currently we are only seeing information about IP addresses, which wouldn't be that big of a deal except that all we see are the IPs from the server, so we can't exactly tell who the offender was.  Like others have said, there is so much confusing/conflicting information out about the capabilities of ISA that I needed to once again post this question.  The kicker seems to be the thin client aspect of the equation.  For the most part, when I mention that, people tell me that we won't be able to truly use AD integration on ANY proxy service.

Thoughts?  Is ISA the best choice for proxying, or is something like Linux/Squid a better choice given what I would like to see?  (pretty new to ISA if you couldn't tell!)
davidt67

For what reason do you need the usernames?
    Web Content Filtering, Protocol filtering, IP routing or just reporting web usage?  

You mention an 'offender' what is the offence?
    breach of acceptable usage policy in what category?
        productivity, security, bandwidth, inappropriate usage or content?

The best solution will depend on the objectives you are trying to achieve.

You can configure the web proxy component of ISA2004 to request authentication details from anonymous connections.
This can be done at various points; which one works will depend on your environment.

On its own ISA server won't do content filtering effectively; you will need an add-on product.
Managed web services are worth considering, as are appliance server solutions.

If the server is a web cache only, I assume you have another firewall on the edge of your network of some description.
Is ISA chaining to this or just directing traffic straight through it?  

More details will help elicit more feedback.

COSMTARFCU (ASKER)
David:

We just want a report of who is going where, and will be using something along the lines of Websense or SurfControl to then filter sites.  At this point, it is mostly to cover ourselves and show due diligence so that we can go to someone and say, we had a complaint that you went to a site, and here's the record of you going there.  Make sense?  (It's also a way for me to show Sr. Management that we need something like Websense.)

We have a CISCO ASA firewall on the edge to protect for everything else, with IPS units on the DMZ and LAN, so we only really needed a Web Proxy system, hence not using ISA "firewall" capabilities.

What other information would help?

davidt67

Well, if you are going to use Websense and SurfControl, they both have comprehensive reporting modules.  Personally, I prefer Websense, which has a wide range of templates for its standard report generator.  You can also install an IIS add-on which allows drill-down reporting and real-time reporting.

If you want reporting from ISA server 2004, you can either:
- Use standard text logging and process the resulting files through your favourite reporting tool, or
- Use enhanced logging, which requires either MSDE on the ISA server or a backend SQL server, then use your favourite SQL reporting tools.

Is the CISCO unit protecting you against malware, spyware and bandwidth saturation?
Both Websense and SurfControl will offer a broad range of protection, assuming of course that you ensure that users can't just bypass the ISA web proxy and access the Internet directly,
i.e. ensure that the CISCO firewall only allows outbound traffic from your trusted servers and services.

FYI, we use ISA2004 web caching only in branch offices, chaining upstream to an ISA2004 array in HQ.  Websense filter plug-in on all ISA servers.  Websense policy server and logging SQL server at HQ.  Internet traffic inbound and outbound is additionally filtered by Symantec, SurfControl & MessageLabs solutions.
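The "standard text logging" option above produces W3C-style files with a `#Fields:` header that names the columns. The following is an added example (not code from the thread or from Microsoft) that parses such a file, reports who went where, and separates out requests logged without a username, which is exactly what the asker is seeing from the terminal servers. The field names, the `anonymous`/`-` username values and the sample lines are assumed/constructed, so check them against a real log's header.

```python
"""Parse W3C-format web proxy log lines (the layout ISA 2004 text logging writes)
and summarise who went where, flagging requests that carry no username."""
from collections import defaultdict

# Constructed sample, not real ISA output: a #Fields header (assumed subset of
# ISA 2004 web proxy fields) and four requests. Two users share the terminal
# server IP 10.0.0.5; one request was logged without a username (the thread's problem).
SAMPLE_LOG = """#Software: Microsoft(R) Internet Security and Acceleration Server 2004
#Fields: c-ip cs-username date time r-host cs-uri sc-status
10.0.0.5 CORP\\alice 2007-01-10 09:01:02 www.example.com http://www.example.com/ 200
10.0.0.5 CORP\\bob 2007-01-10 09:01:05 news.example.net http://news.example.net/top 200
10.0.0.5 anonymous 2007-01-10 09:02:10 www.example.com http://www.example.com/a 407
10.0.0.7 CORP\\alice 2007-01-10 09:03:00 intranet http://intranet/home 200
"""
UNAUTHENTICATED = {"anonymous", "-", ""}   # values written when no user was identified (assumed)

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the header defines column order
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated lines, never guess columns
                yield dict(zip(fields, values))

def who_went_where(text):
    """Return ({user: {host: count}}, [records with no usable username])."""
    report = defaultdict(lambda: defaultdict(int))
    unauth = []
    for rec in parse_w3c(text):
        if rec["cs-username"].lower() in UNAUTHENTICATED:
            unauth.append(rec)                 # only a (possibly shared) IP to go on
        else:
            report[rec["cs-username"]][rec["r-host"]] += 1
    return {u: dict(h) for u, h in report.items()}, unauth

def shared_ips(text):
    """Source IPs seen with more than one username: the terminal-server signature."""
    users_by_ip = defaultdict(set)
    for rec in parse_w3c(text):
        if rec["cs-username"].lower() not in UNAUTHENTICATED:
            users_by_ip[rec["c-ip"]].add(rec["cs-username"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > 1}
```

A non-empty `unauth` list after authentication is enforced means some clients are still reaching the proxy without credentials, so the per-user report for those requests is only as good as the (shared) source IP.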

COSMTARFCU (ASKER)

OK, I got this working.  Ended up in the firewall policy; I needed to add USERS only allowed from domain\group...

NOW, I have a different problem.  Things were working great, I was getting all the information I wanted, but then we started getting instances where everyone was prompted for a username/password.  I had to restart all of the services on the server, and reboot to get it to start taking requests again.  There are no errors in the event log, but there is an informational that says server disconnected the following client [IP] because its connection limit was exceeded.

But that warning doesn't come up every time this happens.  Any ideas?
ASKER CERTIFIED SOLUTION
DarthMod