Solved

ISA 2004 Standard logging

Posted on 2006-06-21
Last Modified: 2013-11-16
I have read through several of the threads posted about ISA capturing usernames rather than IP addresses, but am still having difficulties getting this to work/understanding how to configure it.

Our setup is as follows:  2003 Server with ISA 2004 Standard, Single Network Adapter mode (this box is still in testing, so it can be changed) that is a member server on the domain. (2000 domain)  We are not using the FW client, but are piping people through the web-proxy in IE/Firefox.  This is not being used as a FW, but only as a proxy server.

90% of our employees are on Thin Clients and go through windows 2003 terminal servers.

Currently we are only seeing information about IP addresses, which wouldn't be that big of a deal except that all we see are the IPs from the server, so we can't exactly tell who the offender was.  Like others have said, there is so much confusing/conflicting information out about the capabilities of ISA that I needed to once again post this question.  The kicker seems to be the thin client aspect of the equation.  For the most part, when I mention that, people tell me that we won't be able to truly use AD integration on ANY proxy service.

Thoughts?  Is ISA the best choice for proxying, or is something like Linux/Squid a better choice given what I would like to see?  (pretty new to ISA if you couldn't tell!)
Question by:COSMTARFCU
6 Comments
 
LVL 3

Expert Comment

by:davidt67
ID: 16954076
For what reason do you need the usernames?
    Web Content Filtering, Protocol filtering, IP routing or just reporting web usage?  

You mention an 'offender' what is the offence?
    breach of acceptable usage policy in what category?
        productivity, security, bandwidth, inappropriate usage or content?

The best solution will depend on the objectives you are trying to achieve.

You can configure the web proxy component of ISA2004 to request authentication details from anonymous connections.  
This can be done at various points; which one works will depend on your environment.  

On its own, ISA Server won't do content filtering effectively; you will need an add-on product.  
Managed web services are worth considering as are appliance server solutions.  

If the server is a web cache only, I assume you have another firewall on the edge of your network of some description.
Is ISA chaining to this or just directing traffic straight through it?  

More details will help elicit more feedback.

 

Author Comment

by:COSMTARFCU
ID: 16954200
David:

We just want a report of who is going where, and will be using something along the lines of websense or surfcontrol to then filter sites.  At this point, it is to mostly cover ourselves and show due diligence so that we can go to someone and say, we had a complaint that you went to a site, and here's the record of you going there.  Make sense?  (it's also a way for me to show Sr. Management that we need something like websense)

We have a CISCO ASA firewall on the edge to protect for everything else, with IPS units on the DMZ and LAN, so we only really needed a Web Proxy system, hence not using ISA "firewall" capabilities.

What other information would help?
 
LVL 3

Expert Comment

by:davidt67
ID: 16957977
Well, if you are going to use Websense and Surfcontrol, they both have comprehensive reporting modules.  Personally, I prefer Websense, which has a wide range of templates for its standard report generator.  You can also install an IIS add-on which allows drill-down reporting and real-time reporting.  

If you want reporting from ISA Server 2004, you can either:
    use standard text logging and process the resulting files through your favourite reporting tool, or
    use enhanced logging, which requires either MSDE on the ISA server or a backend SQL server, then use your favourite SQL reporting tools.  

Is the CISCO unit protecting you against malware, spyware and bandwidth saturation?
Both Websense and Surfcontrol will offer a broad range of protection, assuming of course that you ensure that users can't just bypass the ISA web proxy and access the Internet directly.
i.e. ensure that CISCO firewall only allows outbound traffic from your trusted servers and services.  

FYI, we use ISA2004 web caching only in branch offices, chaining upstream to ISA2004 array in HQ.  Websense filter plug-in on all ISA servers.  Websense policy server and logging SQL server at HQ.  Internet Traffic Inbound and Outbound is additionally filtered by Symantec, Surfcontrol & Messagelabs solutions.  
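
The text-log route described in the answer above, as an added example that is not part of the original thread: Python that reads a W3C-format proxy log through its `#Fields:` directive and reports sites per authenticated user, counting separately the requests that carry only a client IP (the terminal-server case from the question). The field names `c-ip`, `cs-username` and `cs-uri`, the `anonymous` marker and all sample lines are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample: five requests from one terminal-server IP plus a cut-off row.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample, not real proxy output",
    "#Fields: c-ip\tcs-username\tdate\ttime\tcs-uri\tsc-status",
    "192.0.2.10\tanonymous\t2006-06-21\t09:00:01\thttp://news.example/\t200",
    "192.0.2.10\tCORP\\alice\t2006-06-21\t09:00:05\thttp://news.example/a\t200",
    "192.0.2.10\tCORP\\bob\t2006-06-21\t09:00:09\thttp://games.example/x\t200",
    "192.0.2.10\tCORP\\alice\t2006-06-21\t09:01:12\tmail.example:443\t200",
    "192.0.2.10\tCORP\\alice\t2006-06-21\t09:02:30\thttp://news.example/b\t200",
    "192.0.2.10\tCORP\\bob",
])
UNAUTHENTICATED = {"", "-", "anonymous"}  # assumed markers for "no user name"

def parse_w3c(lines):
    """Yield one dict per record, keyed by the latest #Fields directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # no header seen yet, or a truncated row
        yield dict(zip(fields, values))

def site_of(uri):
    """Host of a logged URI; CONNECT requests appear as host:port."""
    host = urlsplit(uri).hostname if "://" in uri else uri.split(":")[0]
    return (host or uri).lower()

def usage_report(lines):
    """Return (sites per user, request count per client IP with no user)."""
    by_user, unattributed = defaultdict(Counter), Counter()
    for rec in parse_w3c(lines):
        user = rec.get("cs-username", "").strip().lower()
        if user in UNAUTHENTICATED:
            unattributed[rec.get("c-ip", "?")] += 1
        else:
            by_user[user][site_of(rec.get("cs-uri", ""))] += 1
    return by_user, unattributed

if __name__ == "__main__":
    users, anon = usage_report(SAMPLE_LOG.splitlines())
    for user, sites in sorted(users.items()):
        print(user, dict(sites))
    print("requests with only an IP:", dict(anon))
```

A non-zero count for the terminal server's address in the second result means some requests are still reaching the proxy without authentication and cannot be tied to a person.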

 

Author Comment

by:COSMTARFCU
ID: 16994290
Ok, I got this working.  Ended up in the firewall policy, I needed to add USERS only allowed from domain\group...

NOW, I have a different problem.  Things were working great, I was getting all the information I wanted, but then we started getting instances where everyone was prompted for a username/password.  I had to restart all of the services on the server, and reboot to get it to start taking requests again.  There are no errors in the event log, but there is an informational that says server disconnected the following client [IP] because its connection limit was exceeded.

But that warning doesn't come up every time this happens.  Any ideas?
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 17183017
PAQed with points refunded (125)

DarthMod
Community Support Moderator