External secureNAT and Webproxy sessions in ISA 2006

Hi,
I am using ISA 2006 as frontend firewall (mixed mode). Number of external secureNAT and webproxy sessions are establishing in my server by unknown IP's and when i try to disconnect them, they created again and again. I want to know these type of sessions by external sources are normal from security point of view or potential security risk for my network. I need assistance to resolve this issue and to avoid such sessions in future.

Regards
uplAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Keith AlabasterEnterprise ArchitectCommented:
please provide a sample of the ip addresses / ports that you are seeing.

if you have any published services such as mail or web (OWA) for example then these count as secureNAT (MAIL) and webproxy (OWA) sessions
0
uplAuthor Commented:
IP addresses are
79.185.164.88
202.163.81.95
58.170.192.111
but i cann't find the port .
Yes i have published both mail and web (OWA) services.So that means whenever ISA server will receive an email, it will create a SecureNAT session and when user will access OWA, it will create a webproxy session by external source.
0
Keith AlabasterEnterprise ArchitectCommented:
In principle, yes. Of course, some of them will be nasty little 'buggers' but the ability to differentiate is limited at first glance. Make use of the ISA reports (In the gui, monitoring - reports) and see what traffic has been passing/arriving. You will see where the traffic has come from and can then take appropriate action by either blocking those IP's or domains as you wish.

I run a number of Sharepoint services that I publish and I get hundreds.... The web proxy ones are the web sessions - the Securenat are the mail ones (smtp is not a proxy traffic)

0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

uplAuthor Commented:
Thanks Keith. That means i should not worry about these sessions.
0
Keith AlabasterEnterprise ArchitectCommented:
Not quite - what it means is that they are a fact of life when you open firewall ports to the outside world. Reviewing your logs and reports is a standard part of any admins daily tasks. open the ISA gui - select monitoring - logging - edit the query from live to past 24 hours and apply - click start query. Sort by source ip and have a look at some of the traffic that has come in from external addresses - pick one or two of the sessions you noticed and see what that address was up to. Take action if you think it is necessary - remember to change the query back to live and reapply.

You won't be able to check everything - there isn't enough time - but you'll get a feel for what is going on.

Keith
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Keith AlabasterEnterprise ArchitectCommented:
Thanks :)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Forefront ISA Server

From novice to tech pro — start learning today.