From: Burlington, VT
ISA Server 2004 Enterprise
All Firewall rules are being logged --- with the last Firewall rule being:
Rule name: HTTP Access
Type: Array Access Policy
Log requests matching this rule
Protocols: All outbound Traffic
To: External, Internal
Users: Domain Internet Users
Content Types: All content types
All end users are running XP, with their browser (IE) configured to use the ISA as its proxy server.
All users who are allowed Internet access are members of the Windows group: Domain Internet User Group
Since it looks like the browser tries to make an Anonymous connection to the requested site first (12209) before using the authenticated login for that user, I'm getting "dual entries" in my logs -- an example would be:
10.194.80.106, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322), N, 7/21/2006, 11:01:50, w3proxy, ISA2, -, www.oldnavy.com, 10.33.24.21, 8080, 1, 475, 4516, http, TCP, GET, http://www.oldnavy.com/Asset_Archive/ONWeb/content/0000/405/901/assets/footer_sundaysad_off.gif, -, -, 12209, 0x0, HTTP Access, -, Internal, External, 0x880, Denied, 7/21/2006 15:01:50
then followed by the attempt, using the authenticated user account:
10.194.80.106, FAHC\Mxxxxxx, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322), Y, 7/21/2006, 11:01:51, w3proxy, ISA2, -, www.oldnavy.com, 22.214.171.124, 80, 390, 571, 2908, http, TCP, GET, http://www.oldnavy.com/Asset_Archive/ONWeb/content/0000/405/901/assets/footer_sundaysad_off.gif, image/gif, VCache, 304, 0x800000, HTTP Access, -, Internal, External, 0xd80, Allowed, 7/21/2006 15:01:51
thus creating a "duplicate" entry in the log. (We'll ignore that it's for shopping!)
I don't care to log the internal-to-external, non-authenticated-anonymous attempts -- PLUS, a typical daily log for us is just topping 2GB PER DAY.
If I can resolve this, I can cut my log file size by about 50%.
How can I prevent this specific "anonymous" entry from being logged? Would I create a Deny rule before my last rule (HTTP Access) and tell the rule to NOT log access from that rule? If so, how would I identify this "anonymous" user?
Fletcher Allen Health Care
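One way to measure how much of the log volume the anonymous 12209 entries really account for before changing any firewall rule is to pair each anonymous denial with the authenticated retry that follows it. The script below is an added example and is not part of the original post or of ISA Server; it assumes the comma-separated field positions visible in the two quoted log lines (client IP, username, user agent, authenticated flag, date, time, ..., URL at position 19, result code at position 22, action at position 29), treats 12209 as the proxy-authentication-required result the post describes, and uses a constructed pairing window of a few seconds. The sample log is the post's own two lines plus one constructed, unrelated allowed request.

```python
"""Pair ISA Server 2004 web-proxy log entries: the anonymous 12209
(proxy authentication required) denial and the authenticated retry that
follows it, then report how much log volume those denials represent.

Added example, not from the original post. Field positions are assumed
from the two lines quoted in the post; the pairing window is an assumption.
"""
import csv
from collections import defaultdict
from datetime import datetime

# Zero-based field indices, assumed from the post's log lines.
CLIENT_IP, USERNAME, AUTHENTICATED, DATE, TIME = 0, 1, 3, 4, 5
URL, RESULT_CODE, ACTION = 18, 21, 28
AUTH_REQUIRED = "12209"    # result code the post associates with the anonymous attempt
PAIR_WINDOW_SECONDS = 5    # assumed: the authenticated retry follows within seconds

# Constructed sample: the post's two lines plus one unrelated allowed request,
# so that unpaired entries can be seen to survive the filter.
SAMPLE_LOG = """\
10.194.80.106, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322), N, 7/21/2006, 11:01:50, w3proxy, ISA2, -, www.oldnavy.com, 10.33.24.21, 8080, 1, 475, 4516, http, TCP, GET, http://www.oldnavy.com/Asset_Archive/ONWeb/content/0000/405/901/assets/footer_sundaysad_off.gif, -, -, 12209, 0x0, HTTP Access, -, Internal, External, 0x880, Denied, 7/21/2006 15:01:50
10.194.80.106, FAHC\\Mxxxxxx, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322), Y, 7/21/2006, 11:01:51, w3proxy, ISA2, -, www.oldnavy.com, 22.214.171.124, 80, 390, 571, 2908, http, TCP, GET, http://www.oldnavy.com/Asset_Archive/ONWeb/content/0000/405/901/assets/footer_sundaysad_off.gif, image/gif, VCache, 304, 0x800000, HTTP Access, -, Internal, External, 0xd80, Allowed, 7/21/2006 15:01:51
10.194.80.107, FAHC\\Jxxxxxx, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322), Y, 7/21/2006, 11:02:10, w3proxy, ISA2, -, www.example.com, 10.33.24.21, 8080, 12, 400, 1500, http, TCP, GET, http://www.example.com/, text/html, Inet, 200, 0x0, HTTP Access, -, Internal, External, 0x0, Allowed, 7/21/2006 15:02:10
"""


def parse(text):
    """Turn the comma-separated export into a list of dicts with the fields we need."""
    rows = []
    for fields in csv.reader(text.splitlines(), skipinitialspace=True):
        if len(fields) < 30:       # skip headers, blank or truncated lines
            continue
        when = datetime.strptime(f"{fields[DATE]} {fields[TIME]}", "%m/%d/%Y %H:%M:%S")
        rows.append({
            "client": fields[CLIENT_IP],
            "user": fields[USERNAME],
            "authenticated": fields[AUTHENTICATED] == "Y",
            "time": when,
            "url": fields[URL],
            "result": fields[RESULT_CODE],
            "action": fields[ACTION],
            "raw": ", ".join(fields),   # approximate on-disk size of the entry
        })
    return rows


def find_auth_challenges(rows):
    """Indices of anonymous 12209 entries that are followed, within the window,
    by an authenticated request from the same client for the same URL."""
    authenticated_times = defaultdict(list)
    for row in rows:
        if row["authenticated"]:
            authenticated_times[(row["client"], row["url"])].append(row["time"])

    noise = []
    for index, row in enumerate(rows):
        if row["authenticated"] or row["result"] != AUTH_REQUIRED:
            continue
        for retry_time in authenticated_times.get((row["client"], row["url"]), []):
            delta = (retry_time - row["time"]).total_seconds()
            if 0 <= delta <= PAIR_WINDOW_SECONDS:
                noise.append(index)
                break
    return noise


def summarize(text):
    """Count the paired anonymous challenges and estimate the share of log bytes they take."""
    rows = parse(text)
    noise = set(find_auth_challenges(rows))
    total_bytes = sum(len(r["raw"]) for r in rows)
    noise_bytes = sum(len(rows[i]["raw"]) for i in noise)
    return {
        "entries": len(rows),
        "auth_challenges": len(noise),
        "kept": len(rows) - len(noise),
        "volume_saved_pct": round(100.0 * noise_bytes / total_bytes, 1) if total_bytes else 0.0,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against a real day's export, the `volume_saved_pct` figure tells you whether the anonymous entries really are close to the 50% the post estimates before you touch the rule set. Pairing on client IP and URL rather than on the anonymous username alone keeps a genuinely unauthenticated request (one with no authenticated retry behind it) in the output, which is the entry you would still want to see.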