• Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Domain Controller traffic

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> General >> Domain Controller traffic Page: [1]
Message << Older Topic   Newer Topic >>
Domain Controller traffic - 25.Apr.2005 4:05:00 PM   


Posts: 20
Joined: 14.Sep.2004
From: San Angelo, TX
Status: offline
Background: We used to use our ISA Server 2004 server as a proxy server, but recently have purchased a different appliance for doing web filtering. We stil want to use the ISA server to publish certain internal websites and for VPN access, but do not want to use it as a web proxy. We have about 5000 computers in our school district that had the ISA address in the Proxy settings in IE (set through group policy and DHCP). We have now changed our Group Policy and DHCP so that clients are no longer getting the Proxy IP address.

For the most part, this has been successful. There are still the occassional client that for whatever reason has not got the change yet, but pretty much we are not seeing any legitimate web requests hitting the ISA box anymore. However, here is the problem. I am still seeing a lot of Web Proxy sessions open on the box. If I watch the realtime logging, I see a lot of requests from Internal clients going to "http://<domain contoller>/sysvol" and "http://<domain contoller>/netlogon". The HTTP methods I see the most are "OPTIONS" and "PROPFIND". I also see requests for "http://<file server>/<users home directory>".

Why would I still be seeing all this traffic hitting our ISA server? The only requests I would expect to see are those for our published websites and VPN traffic. And why does traffic to the netlogon share of our domain controller appear as a web request (http://)? Does anyone know what OPTIONS and PROPFIND mean?

All these requests show either Failed COnnection attempt or Denied connection, and I have disallowed access to ISA for proxy access anyway, but I am just curious why I am seeing all this traffic. Is it possible that the ISA server is just picking up some sort of broadcast traffic on our main router instead of actual requests intended for the ISA server itself? Is this normal? Is it anything I should be concerned about? Any ideas?

Post #: 1
RE: Domain Controller traffic - 27.Apr.2005 3:49:00 PM   


Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jack,

Pretty good questions. I've never noticed that type of traffic to DCs on non-local networks. I'll give it some testing and do some KB research and see with comes up.

Thanks for the heads up on this!

(in reply to jwilcox)
Post #: 2
RE: Domain Controller traffic - 27.Apr.2005 7:40:00 PM   


Posts: 13
Joined: 20.Apr.2005
From: Ottawa
Status: offline
I just had a remote user with Windows XP notice something simlar when browsing to a share. It was trying to connect on Port 80.

After investigation, it was realised the user unchecked the "Client for Microsoft Networks". It may be a simple as that. Something to look into.

(in reply to jwilcox)
Post #: 3
RE: Domain Controller traffic - 28.Apr.2005 5:11:00 PM   


Posts: 20
Joined: 14.Sep.2004
From: San Angelo, TX
Status: offline
I have some more information to add. I have done some testing and I have found out when this traffic is hitting the ISA Server. When a user logs into the client computer, I see on the ISA server requests for http://<dc> and http://<dc>/netlogon. Also, on a computer that has a printer map login script in Group Policy, I also see requests for http://<print server>. Also, whenever a remote share is accessed from the client computer, like opening the users home folder, I see a request for http://<file server>/<user directory>. Also, a proxy session is logged for every user every time this happens.

I tried changing the internal IP address of the ISA server and it no longer saw that traffic anymore. Also, no proxy sessions were ever logged except for when I purposely pointed my browser proxy settings to the new IP address.

So I'm not exactly sure what that tells me, but it does seem like it's not just some kind of broadcast traffic that's just inadvertently hitting the ISA server. Somehow, something is directing that traffic to that particular address - I just can't find where that is happening. And I can't understand why it is seeing it as port 80 traffic. Anwyay, I'll keep hammering away at this. Let me know if y'all find anything or have any ideas.


(in reply to jwilcox)
Post #: 4

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> General >> Domain Controller traffic Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts