On ISA Array Reports and general questions

Hello,

On ISA Array Reports, I am noticing that I am unable to resolve IP addresses to host names for the web sites that my users are going to.  

In this example that I found on the web, you will notice that the top ten web sites show up in the form of a URL which is what I am looking for.  How can I make this change?
Example
http://www.dmh.go.th/helpdesk/report/isaLogs/Report%20JobWeekly%20-%20Web%20Usage.htm

For my web users, I am also noticing that the users show up as an IP address as opposed to their username.  Is there a way to change this behavior?

Lastly, I wanted to modify the object types for ISA so that I can understand if users are downloading other file types that I am interested in knowing about.  Is there a way to add more object types to ISA server?

Thank You
stressedout2004 Asked:

Keith Alabaster (Enterprise Architect) Commented:
Is ISA configured to use the internal DNS servers only?  i.e. you have not put an external DNS resolver into ANY of ISA's DNS settings?
Are you using an 'all users' rule for the outbound http or an authenticated group?
Assume you are on 2004 sp3 already?

Keith
0
stressedout2004 (Author) Commented:
Hi,

DNS
on NIC 1 the IP address is assigned by the ISP with DNS pointing to the public DNS servers assigned by the ISP.
on NIC 2 which is internal, the DNS points to my DC which uses DNS forwarders to my ISP
I am using the all users rule for outbound http
I have SP3 installed
0
Keith Alabaster (Enterprise Architect) Commented:
That's a no-no. The ISA external NIC should point to the internal DNS also or be blank. The internal DNS server then uses its forwarders to get to the ISP DNS servers and resolves external addresses on ISA's behalf.

You should also have an outbound rule from internal_dns_servers to external for DNS

0
stressedout2004 (Author) Commented:
I now have the internal NIC pointing to the internal DNS servers and the External NIC is pointing to the internal DNS servers.  I also have a rule for DNS outbound Anywhere.

What's next?
0
Keith Alabaster (Enterprise Architect) Commented:
Sure we have covered this off in previous questions but let's give a bit more detail.

ISA has four modes of connecting with outbound clients although the SOCKS proxy is disabled by default.

1. SecureNAT - ISA is used as the default gateway or the client PC is set with routes to get all traffic to ISA's internal IP if there is no local route. Basically this is the equivalent of a pure firewall. Traffic sent like this has no idea of what Windows credentials are and has no mechanism to carry a username and password for example.

2. Webproxy - this is set in the proxy settings of the browser with the default being the ISA internal IP on port 8080. The browser does have the capability to carry Windows username and password in its traffic.

3. ISA firewall client. This is used when the client is not a SecureNAT client OR the user needs to carry a username and password with non-proxy traffic.

Let's take a few examples.
1. pc1 wants to send traffic from an ftp client to an external ftp server. The rule is set for all users. Fine, this will work great and will log the IP in the log - job done.

pc1 wants to send traffic from an ftp client to an external ftp server. The rule is set for AD group ftp_users. Fails - the ISA has seen the traffic and also seen that only ftp_users can do this. ISA blocks the traffic and sends a call back to the client asking for his domain credentials. Client looks all stupid and says 'what do you mean? I know nothing about credentials.' ISA says - get stuffed then - game over.

pc1 wants to send traffic from an ftp client to an external ftp server. The rule is set for AD group ftp_users. Client has ISA firewall installed. Client sends ftp traffic. ISA sees the traffic but also sees the rule is only allowed for ftp_users. ISA blocks the traffic and asks client for username/password credentials. ISA firewall client intercepts the request and says 'hey, I look after that and here are his credentials.' ISA checks the credentials against the ftp_users group and says please proceed. Now I have the credentials I can put the username in the log rather than the IP address.

Last one that catches most people.....

pc1 wants to send traffic from an ftp client to an external ftp server. The rule is set for all users. Client has secureNAT, web proxy and ISA firewall client installed to cover the bases. Still gets ip address in the log. What gives?  

The reason is the All Users. All users means effectively accept anonymous requests, i.e. you do not care who it is as you let all users through. ISA thinks if you don't give a toss, why should I? I'll log the IP just for auditing purposes but won't bother asking the name as we don't care!!

Hopefully that may give a brief overview of some of the client complexities. There's stacks more really but I'm not typing an opus here.

keith :)
0
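A way to check the proxy logs for the two symptoms discussed in this thread (requests logged without a user name, destinations logged as bare IP addresses), as an added example that is not part of the original thread. It assumes a tab-separated W3C-format log whose `#Fields:` line includes `c-ip`, `cs-username` and `r-host`; the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in W3C extended format (tab-separated). The field names
# c-ip, cs-username and r-host are assumed to match the log's #Fields line.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tcs-username\tdate\ttime\tr-host\tcs-uri",
    "192.168.1.20\tanonymous\t2008-08-01\t09:00:01\t203.0.113.10\thttp://203.0.113.10/",
    "192.168.1.20\tanonymous\t2008-08-01\t09:00:05\twww.example.com\thttp://www.example.com/",
    "192.168.1.31\tCORP\\alice\t2008-08-01\t09:01:12\twww.example.org\thttp://www.example.org/a.zip",
    "192.168.1.31\t-\t2008-08-01\t09:01:13\t198.51.100.7\thttp://198.51.100.7/x",
])

# Values treated as "no user name was recorded for this request".
ANONYMOUS = {"", "-", "anonymous"}

def is_ip_literal(host):
    """True when the logged destination is an IP address, not a host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(log_text):
    """Per client IP: total requests, requests with no user name, and
    requests whose destination was logged as a bare IP address."""
    fields = []
    stats = defaultdict(lambda: {"requests": 0, "no_user": 0, "ip_dest": 0})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The header can repeat mid-file; always use the latest layout.
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split("\t")))
        entry = stats[row.get("c-ip", "?")]
        entry["requests"] += 1
        if row.get("cs-username", "").strip().lower() in ANONYMOUS:
            entry["no_user"] += 1
        if is_ip_literal(row.get("r-host", "")):
            entry["ip_dest"] += 1
    return dict(stats)

if __name__ == "__main__":
    for client, s in sorted(audit(SAMPLE_LOG).items()):
        print(client, s)
```

Clients whose `no_user` count equals their `requests` count are the ones still matching an anonymous rule or not sending credentials.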
stressedout2004 (Author) Commented:
I like the response.  I surely do not want you to publish an Opus.  I fall under this category
1. SecureNAT - ISA is used as the default gateway or the client PC is set with routes to get all traffic to ISA's internal IP if there is no local route. Basically this is the equivalent of a pure firewall. Traffic sent like this has no idea of what Windows credentials are and has no mechanism to carry a username and password for example.
So in a nutshell, do I stick the users in a different group and call it a day or do I install the firewall client on those systems too?  Basically what do I have to do to get ISA to not give a toss and ask for the name.  Thanks for your time and energy!
0
Keith Alabaster (Enterprise Architect) Commented:
If it is web traffic only that you want to log by name (as per your question) then the users really need to have the web proxy set and the outbound rule that covers http/https etc set to an AD group for authentication. If the ISA is not a domain member then it's the ISA firewall client.
0
stressedout2004 (Author) Commented:
When you say web proxy are you referring to the web proxy setting that has to be configured in my browser settings for all clients?  Or is this a setting on ISA itself that needs to be configured?  This simple task is a real pain in the ass, pardon my English.  Thanks for the help so far. I'm frustrated at the moment
0
Keith Alabaster (Enterprise Architect) Commented:
Both lol - the web proxy is enabled as a filter in configuration - add-ins but set up in configuration - networks - internal - properties - web proxy. Here you select whether users on that network can use the proxy, the port number it will use (this is the port you put in the IE proxy settings). On the client the web proxy is the one you put on all clients in their browser proxy entries and must match the port number set on the ISA box - default is 8080
0
stressedout2004 (Author) Commented:
I'm going to try the web proxy out and publish another ISA question because you have answered all my questions and have been an excellent help.
0
Keith Alabaster (Enterprise Architect) Commented:
Thanks - and you're welcome

Keith
0