• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

firewall session

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> firewall session Page: [1]
Login
Message << Older Topic   Newer Topic >>
firewall session - 16.Jul.2001 4:01:00 PM   
mirciulica

 

Posts: 6
Joined: 16.Jul.2001
Status: offline
I have W'98 computers as firewall clients. When these clients connect to the ICQ servers I saw in ISA MMC/monitoring/Session just a anonymous firewall session instead to see the user name, besides the normal firewall session. Why ?
Post #: 1
RE: firewall session - 17.Jul.2001 4:11:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi mirciulica,

Are the machines also configured as SecureNAT clients?

Thanks!

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/
Get It Here


(in reply to mirciulica)
Post #: 2
RE: firewall session - 18.Jul.2001 4:04:00 PM   
mirciulica

 

Posts: 6
Joined: 16.Jul.2001
Status: offline
Hi Tom,
I configured my machines as Secure NAT clients and there is no change. I have to add that my ISA server is a stand alone server in an workgroup without a DHCP Server . I have WĘ98 web proxy clients and firewall clients . I ask unauthentificated users for identification.
Hi Tom,
I configured my machines as Secure NAT clients and there is no change. I have to add that my ISA server is a stand alone server in an workgroup without a DHCP Server . I have WĘ98 web proxy clients and firewall clients . I ask unauthentificated users for identification.
For example when a user named paul connect to the internet and to icq or msn messenger from a firewall client machine I will see as sessions:
Session type User name Client computer Client address
Web session myISAserver/paul ------ 192.168.0.14
Firewall session ------- 192.168.0.14 192.168.0.14
Firewall session paul paul's computer 192.168.0.14
When Raquel connect to the internet and msn messenger or icq from a web proxy client machine I can see the following sessions:
Session type User name Client computer Client address
Web session myISAserver/raquel ------ 192.168.0.15
Firewall session ------- 192.168.0.15 192.168.0.15

Firewall sessions when I have web proxy clients is normal ?
I do not see anywhere some explanations about the sessions in different circumstances. Maybe you can clarify that in an article.
The second big problem I have with the reports. Even if I ask unauthentificated users for identification I saw unknown users and unknown protocols . I can understand there are unknown users ( see the above connections ), but ISA server let unknown protocols to pass? In the only protocol rule that I use, I checked some very specific protocols as http, https, ftp and so on .
Thanks,
Mircea

[This message has been edited by mirciulica (edited 18 July 2001).]


(in reply to mirciulica)
Post #: 3
RE: firewall session - 21.Jul.2001 5:18:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mircea,

If you are using ISA in standalone mode, make sure you have all the user accounts that need access configure in the local SAM of the ISA Server.

Only firewall and web proxy clients support authentication. Make sure that you either remove all anonymous access rules or force authentication for the Web Proxy service to prevent anonymous connections via HTTP.

That's a good question regarding the UNKNOWN protocols. I believe many of them are related to the connection for the firewall client control channel, but I can't say what all of them are, because there is no documentation yet regarding this issue.

HTH,
Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/
Get It Here


(in reply to mirciulica)
Post #: 4
RE: firewall session - 23.Jul.2001 3:26:00 PM   
mirciulica

 

Posts: 6
Joined: 16.Jul.2001
Status: offline
Hi Tom !
Users are well configured in my local SAM of the ISA Server which is installed on a Windows 2000 member server. The problem is , whatever my machine is Firewall client or Web Proxy client, I have anonymous firewall connections when my users log on ICQ or MSN Mesenger. ThatĘs why my reports will show separate traffic for the same machine client and the same user ! For example , if my user Paul connect to the Internet and ICQ from the Web Proxy client machine with 192.168.0.14 IP address, I will see 2( TWO ) sessions and 2 separate columns in my report for that day ,one for myISASERVER/Paul and one for 192.168.0.14. Probably one column is for the web session and the second for the anonymous firewall session ą.But itĘs one user after all !
I forced authentification for the web proxy service and I have clients address sets for the protocole rule and site and content rule that I used. Are there any more settings to prevent anonymous connections via HTTP ?Thanks a lot, Mircea

[This message has been edited by mirciulica (edited 23 July 2001).]


(in reply to mirciulica)
Post #: 5
RE: firewall session - 1.Aug.2001 7:37:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mircea,

Another reason for anonymous connections showing up in the logs is that the initial HTTP connection is always anonymous. After the ISA Server has the chance to request credentials, the client can send them and the connection is no longer anonymous.

Sessions without a logged on user will only show the IP address, as will sessions from SecureNAT clients and connections that require the SecureNAT client (non-TCP/UDP protocols).

HTH,
Tom

------------------
http://www.isaserver.org/shinder/



Get It Here!


(in reply to mirciulica)
Post #: 6
RE: firewall session - 1.Aug.2001 12:15:00 PM   
mirciulica

 

Posts: 6
Joined: 16.Jul.2001
Status: offline
Hi Tom,
The problem is not with the HTTP connections. They are always authentificated. The problem are with the firewall connections. In some cases they are anonymous, e.g. when my user connects to the ICQ or MSN Messenger. I wondered maybe is that because I have an workgroup and not a domain. I upgraded to a domain and suddenly the MSN Messenger firewall connections have got authentificated, unfortunately the ICQ sessions has not. And also I see now in the protocols section of the reports that appear every protocol, includind ICQ 2000 and MSN Messenger . And most important very few anonymous users which is for the initial HTTP connection what I can understand !
But the logs show 3 columns for the traffic of the same user on the same machine. I understand one is for user and one is for machine, but why the third column?! Now for me, as network administrator, is quite difficult to count the traffic coming for a user logged to the domain from a single machine ( the most frequently situation for me ). The reports are quite useless then !
Another important problem is with the unknown protocols. Can ISA let pass traffic that I did not allowed ?
I give you more details, maybe it helps: I have a protocol rule for specific protocols (http, ftp, icq2000, msn messenger ) and a site and content rule for all sites but I asked for identification. My authentification method is integrated. My machine clients are W98 and W2000 but the operating systems doesnĘt matter because I have anonymous firewall sessions from both.
Sorry for my english which is not my native language and thanks for all your help. You have done a great job on this site !
Mircea

(in reply to mirciulica)
Post #: 7
RE: firewall session - 3.Aug.2001 7:48:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mircea,

That is a lot of questions

All members of the domain should be authenticated with the ISA Server. However, your Win98 machines might not have users that have authenticated during log on, which can cause your anonymous connections.

Now, if you have created protocol rules that do not allow anonymous access, then users that are not authenticated will not be able to access those protocols.

For example, if you created a protcol rule for ICQ and MSN messenger, and allowed only Authenticated Users to access that protocol, and you have NO anonymous access protocols in place that will allow the connection, then the users will be denied access.

If you want to see what's actually going on, check the log files. Import the log files into Excel and use a simple sort based on IP address or user name to get an idea of what's going on.

HTH,
Tom

------------------
http://www.isaserver.org/shinder/



Get It Here!


(in reply to mirciulica)
Post #: 8
RE: firewall session - 6.Aug.2001 3:41:00 PM   
mirciulica

 

Posts: 6
Joined: 16.Jul.2001
Status: offline
Hi Tom,
my users are all authentificated to the domain, otherwise they could not log to my ISA server which is also my DC. My question ( cause I have 1000 more! ) is why I have firewall sessions from web proxy clients and beside why they are anonymous? This is happend even if I install firewall client software on that machine or not...
And second ,how I must set up ISA server and my clients to see the total traffic from a user working on the same machine all the time ( as I see when I connect to the internet from my ISA Server, just one column ...).
Thank you very much indeed.
Mircea

(in reply to mirciulica)
Post #: 9

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> firewall session Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts