• Status: Solved

External secureNAT and Webproxy sessions in ISA 2006

Hi,
I am using ISA 2006 as a front-end firewall (mixed mode). A number of external SecureNAT and web proxy sessions are being established on my server by unknown IPs, and when I try to disconnect them, they are created again and again. I want to know whether these types of sessions from external sources are normal from a security point of view or a potential security risk for my network. I need assistance to resolve this issue and to avoid such sessions in future.

Regards
0
upl
Asked:
1 Solution
 
Keith Alabaster, Enterprise Architect, Commented:
Please provide a sample of the IP addresses / ports that you are seeing.

If you have any published services such as mail or web (OWA), for example, then these count as SecureNAT (mail) and web proxy (OWA) sessions.
0
 
upl (Author) Commented:
IP addresses are
79.185.164.88
202.163.81.95
58.170.192.111
but I can't find the port.
Yes, I have published both mail and web (OWA) services. So that means whenever the ISA server receives an email, it will create a SecureNAT session, and when a user accesses OWA, it will create a web proxy session by an external source.
0
 
Keith Alabaster, Enterprise Architect, Commented:
In principle, yes. Of course, some of them will be nasty little 'buggers' but the ability to differentiate is limited at first glance. Make use of the ISA reports (in the GUI, Monitoring - Reports) and see what traffic has been passing/arriving. You will see where the traffic has come from and can then take appropriate action by either blocking those IPs or domains as you wish.

I run a number of SharePoint services that I publish and I get hundreds.... The web proxy ones are the web sessions - the SecureNAT ones are the mail ones (SMTP is not proxy traffic).

0
 
upl (Author) Commented:
Thanks Keith. That means I should not worry about these sessions.
0
 
Keith Alabaster, Enterprise Architect, Commented:
Not quite - what it means is that they are a fact of life when you open firewall ports to the outside world. Reviewing your logs and reports is a standard part of any admin's daily tasks. Open the ISA GUI - select Monitoring - Logging - edit the query from live to past 24 hours and apply - click Start Query. Sort by source IP and have a look at some of the traffic that has come in from external addresses - pick one or two of the sessions you noticed and see what that address was up to. Take action if you think it is necessary - remember to change the query back to live and reapply.

You won't be able to check everything - there isn't enough time - but you'll get a feel for what is going on.

Keith
0
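The log review described in the answer above (sort by source IP, then look at what each external address was doing) can also be run offline against an exported log. This is an added example, not part of the original thread: it assumes a tab-separated W3C extended export with a `#Fields:` header, and the column names, internal network range and sample rows are all constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: address space that sits behind the firewall.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample export. Column names are assumptions; take the real
# ones from the "#Fields:" line of your own log file.
SAMPLE_LOG = (
    "#Fields: date\ttime\tsrc-ip\tdst-port\taction\trule\n"
    "2009-01-10\t09:00:01\t203.0.113.7\t25\tAllowed\tPublish SMTP\n"
    "2009-01-10\t09:00:05\t198.51.100.20\t443\tAllowed\tPublish OWA\n"
    "2009-01-10\t09:00:09\t198.51.100.20\t3389\tDenied\tDefault rule\n"
    "2009-01-10\t09:00:12\t10.0.0.15\t80\tAllowed\tInternet access\n"
    "2009-01-10\t09:01:40\t198.51.100.20\t1433\tDenied\tDefault rule\n"
)

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def summarize_external(log_text, src="src-ip", port="dst-port", action="action"):
    """Group log rows by external source IP; most-denied sources come first."""
    fields = None
    stats = defaultdict(lambda: {"total": 0, "denied": 0, "ports": set()})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if fields is None or not line.strip() or line.startswith("#"):
            continue  # other directives, blank lines, rows before the header
        row = dict(zip(fields, line.split("\t")))
        try:
            if not is_external(row[src]):
                continue
        except (KeyError, ValueError):
            continue  # missing column or unparsable address
        entry = stats[row[src]]
        entry["total"] += 1
        entry["ports"].add(row.get(port, "?"))
        if row.get(action, "").lower() == "denied":
            entry["denied"] += 1
    return sorted(stats.items(), key=lambda kv: (-kv[1]["denied"], -kv[1]["total"]))

if __name__ == "__main__":
    for ip, s in summarize_external(SAMPLE_LOG):
        print(ip, s["total"], "rows,", s["denied"], "denied, ports", sorted(s["ports"]))
```

A source that only touches the published ports (25 for mail, 443 for OWA) matches the expected SecureNAT and web proxy sessions; one that also collects denied rows on unpublished ports is the kind worth a closer look.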
 
Keith Alabaster, Enterprise Architect, Commented:
Thanks :)
0
