From: San Angelo, TX
Background: We used to use our ISA Server 2004 server as a proxy server, but recently have purchased a different appliance for doing web filtering. We stil want to use the ISA server to publish certain internal websites and for VPN access, but do not want to use it as a web proxy. We have about 5000 computers in our school district that had the ISA address in the Proxy settings in IE (set through group policy and DHCP). We have now changed our Group Policy and DHCP so that clients are no longer getting the Proxy IP address.
For the most part, this has been successful. There are still the occassional client that for whatever reason has not got the change yet, but pretty much we are not seeing any legitimate web requests hitting the ISA box anymore. However, here is the problem. I am still seeing a lot of Web Proxy sessions open on the box. If I watch the realtime logging, I see a lot of requests from Internal clients going to "http://<domain contoller>/sysvol" and "http://<domain contoller>/netlogon". The HTTP methods I see the most are "OPTIONS" and "PROPFIND". I also see requests for "http://<file server>/<users home directory>".
Why would I still be seeing all this traffic hitting our ISA server? The only requests I would expect to see are those for our published websites and VPN traffic. And why does traffic to the netlogon share of our domain controller appear as a web request (http://)? Does anyone know what OPTIONS and PROPFIND mean?
All these requests show either Failed COnnection attempt or Denied connection, and I have disallowed access to ISA for proxy access anyway, but I am just curious why I am seeing all this traffic. Is it possible that the ISA server is just picking up some sort of broadcast traffic on our main router instead of actual requests intended for the ISA server itself? Is this normal? Is it anything I should be concerned about? Any ideas?
From: San Angelo, TX
I have some more information to add. I have done some testing and I have found out when this traffic is hitting the ISA Server. When a user logs into the client computer, I see on the ISA server requests for http://<dc> and http://<dc>/netlogon. Also, on a computer that has a printer map login script in Group Policy, I also see requests for http://<print server>. Also, whenever a remote share is accessed from the client computer, like opening the users home folder, I see a request for http://<file server>/<user directory>. Also, a proxy session is logged for every user every time this happens.
I tried changing the internal IP address of the ISA server and it no longer saw that traffic anymore. Also, no proxy sessions were ever logged except for when I purposely pointed my browser proxy settings to the new IP address.
So I'm not exactly sure what that tells me, but it does seem like it's not just some kind of broadcast traffic that's just inadvertently hitting the ISA server. Somehow, something is directing that traffic to that particular address - I just can't find where that is happening. And I can't understand why it is seeing it as port 80 traffic. Anwyay, I'll keep hammering away at this. Let me know if y'all find anything or have any ideas.