Welcome to ISAserver.org


RE: Anyone can get to the internet

RE: Anyone can get to the internet - 18.Jan.2004 6:03:00 AM   
Guest
>>I don't see the RESULT CODE=success or failure.

The RESULT CODE is a numerical value, and the values are different for WebProxy and Firewall. For WebProxy the value 200 or 20n (where n is any number) means success. For Firewall the value 200nn means success.

(in reply to ralphyost)
  Post #: 21
RE: Anyone can get to the internet - 19.Jan.2004 3:18:00 PM   
ralphyost

 

Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Ok, now I understand better about the RESULT CODE.
The RESULT CODE I see is 407. This is for the anonymous entries in the WEB log. However, one pattern I am noticing is that the only time I see ANONYMOUS is when it's associated with other entries from the same IP address, which are legitimate network users (I can see their network logon name) in the CLIENT USERNAME field.
I am still looking at these logs to better diagnose the situation....
Thanks
R.

(in reply to ralphyost)
Post #: 22
RE: Anyone can get to the internet - 19.Jan.2004 3:42:00 PM   
ralphyost

 

Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Ok, here is some more information:
My ISA server machine has two NICs, one called INTERNAL and one called EXTERNAL.
The INTERNAL NIC
192.168.16.2
255.255.255.0
no default gateway
DNS Server: 192.168.16.2
Has the following components installed on it:
Client for MS Networks
QoS Packet Scheduler
File & Print Sharing
Network Monitor driver
TCP/IP

The EXTERNAL NIC is
192.168.1.1
255.255.255.0
192.168.1.2 (this is the IP of the Linksys NAT/Router BEFRS41, which is between the server and the cable modem)
WINS 192.168.16.2,
enable LMHOSTS lookup
enable NetBIOS over TCP/IP
----
Now the workstation that I am testing this with, when logged on locally only (not authenticated to the network), has the following IP info and can get through the firewall to the internet:
IP: 192.168.16.86
255.255.255.0
Gateway: 192.168.16.2
DHCP server: 192.168.16.2
DNS Server: 192.168.16.2
Primary WINS server: 192.168.16.2

Maybe this information will help. I think it shows that the rogue workstation is always going through the ISA Server, which is on 192.168.16.2 and is set to ASK UNAUTHENTICATED USERS FOR IDENTIFICATION.

(in reply to ralphyost)
Post #: 23
RE: Anyone can get to the internet - 19.Jan.2004 8:39:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi ralphyost,

result code 407 means: Proxy Authentication Required
quote:
This code is similar to 401 (Unauthorized), but indicates that the client must first authenticate itself with the proxy. The proxy MUST return a Proxy-Authenticate header field (section 14.33) containing a challenge applicable to the proxy for the requested resource. The client MAY repeat the request with a suitable Proxy-Authorization header field (section 14.34). HTTP access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" [43].
What do you see next for the same client?

BTW --- you may post an excerpt of the log file here.

HTH,
Stefaan

(in reply to ralphyost)
Post #: 24
RE: Anyone can get to the internet - 19.Jan.2004 9:08:00 PM   
ralphyost

 

Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Stefaan:
OK, here are some parts of the WEB log I cut and pasted. Many parts are not listed here (I hope I didn't post too much, but I am fearful of not providing enough information):
127.0.0.1 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 18:30:56 ACRMDELL - crl.verisign.com - 80 - 284 3373 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 403
127.0.0.1 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 18:30:56 ACRMDELL - crl.verisign.com - 80 - 284 3373 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 403
127.0.0.1 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 18:31:21 ACRMDELL - crl.verisign.com - 80 - 284 3373 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 403
127.0.0.1 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 18:31:21 ACRMDELL - crl.verisign.com - 80 - 284 3373 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 403
192.168.16.58 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AT&T CSM6.0) 2004-01-17 18:31:38 ACRMDELL - www.google.com - 80 - 282 4206 http GET http://www.google.com/ - 407
192.168.16.58 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AT&T CSM6.0) 2004-01-17 18:31:39 ACRMDELL - www.google.com - 80 - - 842 http GET http://www.google.com/ - 407
192.168.16.58 ACRM\SSZIEGLER Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AT&T CSM6.0) 2004-01-17 18:31:39 ACRMDELL - www.google.com 216.239.41.99 80 63 438 3949 http GET http://www.google.com/ Inet 200
192.168.16.58 ACRM\SSZIEGLER Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AT&T CSM6.0) 2004-01-17 18:31:40 ACRMDELL - www.google.com - 80 - 380 191 http GET http://www.google.com/images/logo.gif NotModified 0
192.168.16.58 anonymous UtilMind HTTPGet 2004-01-17 18:31:42 ACRMDELL - dst.trafficsyndicate.com - 80 - 350 4362 http GET http://dst.trafficsyndicate.com/TbInstConfig.asmx/GetXML?TbId=50047&TaskId=0&Cfg_ver=1.0.0.0&Dll_ver=2.0.0.176&Reg_ver=%regver&Power_U=1&TUID=V39FA2D8DE1D712C85EF61C588A303B8510235 3740375954464B414C54505937332B2D2B2F332D2D2B2D2D2D2D - 407
192.168.16.58 anonymous UtilMind HTTPGet 2004-01-17 18:31:43 ACRMDELL - dst.trafficsyndicate.com - 80 - 442 468 http GET http://dst.trafficsyndicate.com/TbInstConfig.asmx/GetXML?TbId=50047&TaskId=0&Cfg_ver=1.0.0.0&Dll_ver=2.0.0.176&Reg_ver=%regver&Power_U=1&TUID=V39FA2D8DE1D712C85EF61C588A303B8510235 3740375954464B414C54505937332B2D2B2F332D2D2B2D2D2D2D - 407
192.168.16.58 anonymous UtilMind HTTPGet 2004-01-17 18:31:43 ACRMDELL - dst.trafficsyndicate.com - 80 - 506 4362 http GET http://dst.trafficsyndicate.com/TbInstConfig.asmx/GetXML?TbId=50047&TaskId=0&Cfg_ver=1.0.0.0&Dll_ver=2.0.0.176&Reg_ver=%regver&Power_U=1&TUID=V39FA2D8DE1D712C85EF61C588A303B8510235 3740375954464B414C54505937332B2D2B2F332D2D2B2D2D2D2D - 407

192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:21:51 ACRMDELL - crl.verisign.com - 80 - 212 4236 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:21:51 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:21:51 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:21:51 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:21:51 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:21:51 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:21:52 ACRMDELL - crl.verisign.com - 80 - - 4446 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:21:52 ACRMDELL - crl.verisign.com - 80 - - 771 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:21:52 ACRMDELL - crl.verisign.com - 80 - - 4446 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:21:52 ACRMDELL - crl.verisign.com - 80 - - 771 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:21:52 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:21:52 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:07 ACRMDELL - crl.verisign.com - 80 - 211 4235 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:07 ACRMDELL - crl.verisign.com - 80 - - 771 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:07 ACRMDELL - crl.verisign.com - 80 - - 4446 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:07 ACRMDELL - crl.verisign.com - 80 - - 771 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:07 ACRMDELL - crl.verisign.com - 80 - - 4446 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:07 ACRMDELL - crl.verisign.com - 80 - - 771 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:07 ACRMDELL - crl.verisign.com - 80 - - 4446 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:07 ACRMDELL - crl.verisign.com - 80 - - 771 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:07 ACRMDELL - crl.verisign.com - 80 - - 4446 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:07 ACRMDELL - crl.verisign.com - 80 - - 771 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:07 ACRMDELL - crl.verisign.com - 80 - - 4446 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:07 ACRMDELL - crl.verisign.com - 80 - - 771 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:08 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:08 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:08 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:08 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:08 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:08 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:08 ACRMDELL - crl.verisign.com - 80 - - 4446 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:08 ACRMDELL - crl.verisign.com - 80 - - 771 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:08 ACRMDELL - crl.verisign.com - 80 - - 4446 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:08 ACRMDELL - crl.verisign.com - 80 - - 771 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:09 ACRMDELL - crl.verisign.com - 80 - - 4446 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:09 ACRMDELL - crl.verisign.com - 80 - - 771 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:09 ACRMDELL - crl.verisign.com - 80 - - 4446 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:09 ACRMDELL - crl.verisign.com - 80 - - 771 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:09 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:09 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - 212 4236 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 4486 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 4446 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 771 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 4446 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 771 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 4446 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 771 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 4446 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:10 ACRMDELL - crl.verisign.com - 80 - - 771 http GET http://crl.verisign.com/Class3CodeSigningCA2001.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:45 ACRMDELL - crl.verisign.com - 80 - 212 4236 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:45 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:45 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:45 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:45 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:45 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:45 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:45 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:45 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:45 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous LiveUpdate Engine COM Module 2004-01-17 19:23:45 ACRMDELL - customer.symantec.com - 80 - 145 4169 http GET http://customer.symantec.com/mysite.txt - 407
192.168.16.21 anonymous LiveUpdate Engine COM Module 2004-01-17 19:23:45 ACRMDELL - customer.symantec.com - 80 - 237 468 http GET http://customer.symantec.com/mysite.txt - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:46 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:46 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:46 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:46 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:46 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:46 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:46 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:46 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous Symantec LiveUpdate 2004-01-17 19:23:46 ACRMDELL - liveupdate.symantecliveupdate.com - 80 - - 4516 http GET http://liveupdate.symantecliveupdate.com/minitri.flg - 407
192.168.16.21 anonymous Symantec LiveUpdate 2004-01-17 19:23:46 ACRMDELL - liveupdate.symantecliveupdate.com - 80 - - 840 http GET http://liveupdate.symantecliveupdate.com/minitri.flg - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:46 ACRMDELL - crl.verisign.com - 80 - - 4448 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407
192.168.16.21 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:23:46 ACRMDELL - crl.verisign.com - 80 - - 772 http GET http://crl.verisign.com/Class3SoftwarePublishers.crl - 407

(in reply to ralphyost)
Post #: 25
RE: Anyone can get to the internet - 19.Jan.2004 9:46:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi ralphyost,

in one of your previous posts you said that the internal host you are testing with was '192.168.16.86', but I don't see a single entry for this host (field Client IP or c-ip) in the posted log. Secondly, as recommended in one of my previous posts, you don't seem to have enabled the logging of *all* fields and you haven't set the log format to ISA format. I prefer these settings because they read more easily and I can import them in Excel without problems! [Big Grin]

So, enable the logging of all fields, set the log format to ISA format, make a new test and post *only* those entries belonging to the internal host you are testing from.

HTH,
Stefaan

(in reply to ralphyost)
Post #: 26
RE: Anyone can get to the internet - 19.Jan.2004 10:11:00 PM   
ralphyost

 

Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Hi Stefaan:
Yes, I did set the log files as per your recommendation: I have ALL fields and the format is the ISA format. This is the way they are being provided by the ISA Server. I find these logs at
C:\Program Files\Microsoft ISA Server\ISALOGS
The log options page does not give me the opportunity to select another location. So I have no idea why these logs are formatted the way they are. Initially, they were txt format. When I changed them to ISA format, all I saw different was that it removed the column headings. ????

You are correct that the IP address of the machine I was testing on was 192.168.16.86
I will go back to the logs to see if I can find any entries from that machine.

(in reply to ralphyost)
Post #: 27
RE: Anyone can get to the internet - 19.Jan.2004 10:24:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi ralphyost,

changing the log format to ISA format does much more! First of all the separator character is a comma (,) instead of a space ( ) and secondly empty fields are listed as a dash (-) instead of being skipped. [Cool]

Take note that changing the log format or the logged fields will only have effect for NEW logs!

HTH,
Stefaan

[ January 19, 2004, 10:27 PM: Message edited by: spouseele ]

(in reply to ralphyost)
Post #: 28
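The log reading Stefaan describes in this thread (post #24: a 407 is the proxy's Proxy-Authenticate challenge, normally followed by an authenticated request from the same client; post #28: the ISA format is comma separated with a dash for empty fields) can be automated. The script below is an added example and is not code from the thread or from Microsoft ISA Server. It parses Web Proxy log lines in the space-separated layout posted above (the user-agent field, and a wrapped URI, may contain spaces), accepts comma-separated lines on the assumption that the ISA format keeps the same column order, and then tallies per client IP the ordinary "407 challenge, then authenticated 200" pair against the one condition this thread is hunting for: a success code (200 or 20n, as the first post explains) returned to a request whose username is still "anonymous". All hostnames, IPs, usernames and log lines in the sample are constructed.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Columns that follow the user-agent field, in the order visible in the
# space-separated excerpts posted in this thread. ASSUMPTION: the comma
# separated ISA format uses the same order (only the separator and the
# '-' placeholder for empty fields differ).
TAIL_FIELDS = ["date", "time", "s_computername", "cs_referred", "r_host",
               "r_ip", "r_port", "time_taken", "cs_bytes", "sc_bytes",
               "cs_protocol", "cs_method", "cs_uri", "s_object_source",
               "sc_status"]


@dataclass
class WebProxyRecord:
    c_ip: str
    cs_username: str
    c_agent: str
    fields: dict

    @property
    def status(self) -> int:
        return int(self.fields["sc_status"])

    @property
    def anonymous(self) -> bool:
        return self.cs_username.lower() == "anonymous"


def parse_line(line: str) -> WebProxyRecord:
    """Parse one Web Proxy log line in either the space or comma layout."""
    line = line.strip()
    if line.count(",") >= len(TAIL_FIELDS) + 2:
        # Comma-separated ISA format: one token per column, '-' when empty.
        toks = [t.strip() for t in line.split(",")]
        c_ip, user, agent = toks[0], toks[1], toks[2]
        tail = toks[3:3 + len(TAIL_FIELDS)]
    else:
        # Space-separated: the agent spans several tokens, so anchor on the
        # first yyyy-mm-dd token; a URI wrapped onto extra tokens is rejoined
        # because the last two columns (object source, status) are fixed.
        toks = line.split()
        c_ip, user = toks[0], toks[1]
        date_idx = next(i for i in range(2, len(toks)) if DATE_RE.match(toks[i]))
        agent = " ".join(toks[2:date_idx])
        rest = toks[date_idx:]
        head = rest[:12]                 # date .. cs_method
        uri = " ".join(rest[12:-2])      # everything between method and tail
        tail = head + [uri] + rest[-2:]
    return WebProxyRecord(c_ip, user, agent, dict(zip(TAIL_FIELDS, tail)))


def is_success(code: int) -> bool:
    """Web Proxy success as stated in the first post: 200 or 20n."""
    return 200 <= code <= 209


def classify(rec: WebProxyRecord) -> str:
    if rec.status == 407:
        return "challenge"            # Proxy-Authenticate sent; expected first step
    if rec.status == 403:
        return "denied"
    if is_success(rec.status):
        # An anonymous request that succeeded is the condition to investigate.
        return "anonymous_success" if rec.anonymous else "authenticated_success"
    return "other"                     # e.g. status 0 on a NotModified cache hit


def audit(lines):
    """Return {client_ip: Counter of outcome classes}."""
    per_client = defaultdict(Counter)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            per_client[rec.c_ip][classify(rec)] += 1
    return dict(per_client)


def suspicious_clients(per_client):
    """Client IPs that received a success code while still anonymous."""
    return sorted(ip for ip, c in per_client.items() if c["anonymous_success"] > 0)


# Constructed sample: normal challenge/authenticated pair, a CRL fetch that
# only ever gets challenged, an anonymous success (the anomaly), a denied
# localhost request, and one line in the comma-separated ISA layout.
SAMPLE_LOG = """\
10.0.0.58 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows 98) 2004-01-17 18:31:38 PROXY01 - www.example.com - 80 - 282 4206 http GET http://www.example.com/ - 407
10.0.0.58 EXAMPLE\\juser Mozilla/4.0 (compatible; MSIE 6.0; Windows 98) 2004-01-17 18:31:39 PROXY01 - www.example.com 192.0.2.10 80 63 438 3949 http GET http://www.example.com/ Inet 200
10.0.0.58 EXAMPLE\\juser Mozilla/4.0 (compatible; MSIE 6.0; Windows 98) 2004-01-17 18:31:40 PROXY01 - www.example.com - 80 - 380 191 http GET http://www.example.com/logo.gif NotModified 0
10.0.0.86 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 19:22:07 PROXY01 - crl.example.net - 80 - 212 4236 http GET http://crl.example.net/ca.crl - 407
10.0.0.86 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:02 PROXY01 - www.example.com 192.0.2.10 80 94 423 1871 http GET http://www.example.com/page.asp?id=1&x=2 y Inet 200
127.0.0.1 anonymous Updater 2004-01-17 14:04:33 PROXY01 - update.example.org - 80 - 342 3427 http GET http://update.example.org/flag.txt - 403
10.0.0.21,anonymous,LiveUpdate Engine COM Module,2004-01-17,19:23:45,PROXY01,-,customer.example.com,-,80,-,145,4169,http,GET,http://customer.example.com/mysite.txt,-,407
"""

if __name__ == "__main__":
    summary = audit(SAMPLE_LOG.splitlines())
    for ip, counts in sorted(summary.items()):
        print(ip, dict(counts))
    print("clients with anonymous successes:", suspicious_clients(summary))
```

Run against a real export, a client that shows only "challenge" plus "authenticated_success" is behaving as the "ask unauthenticated users for identification" setting intends; a client listed by suspicious_clients is the one whose rule match and username should be examined next.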
RE: Anyone can get to the internet - 19.Jan.2004 10:43:00 PM   
ralphyost

 

Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Hi Stefaan:
I was at the server and testing on Sat. These logs (below) are from Sat. 1/17 and are entries that apply to 192.168.16.86, which is the test PC I was using. Based on your last post, I suppose the new format will take effect on SUNDAY, as I didn't know to change it until SAT.
One interesting note: I logged onto the workstation locally as username "acrmuser" and I do not see any entries from that user name.
R.
ISA Web log :
192.168.16.86 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 14:04:16 ACRMDELL - crl.verisign.com - 80 - 209 4233 http GET http://crl.verisign.com/Class3CodeSigning2001.crl - 407
192.168.16.86 anonymous CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 14:04:16 ACRMDELL - crl.verisign.com - 80 - - 769 http GET http://crl.verisign.com/Class3CodeSigning2001.crl - 407
192.168.16.86 ACRM\rjyost CryptRetrieveObjectByUrl::InetSchemeProvider 2004-01-17 14:04:16 ACRMDELL - crl.verisign.com 12.158.80.10 80 313 437 77875 http GET http://crl.verisign.com/Class3CodeSigning2001.crl Inet 200
127.0.0.1 anonymous Symantec LiveUpdate 2004-01-17 14:04:33 ACRMDELL - liveupdate.symantecliveupdate.com - 80 - 342 3427 http GET http://liveupdate.symantecliveupdate.com/minitri.flg - 403

192.168.16.86 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:57:59 ACRMDELL - www.microsoft.com - 80 - 248 4259 http GET http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1 - 407
192.168.16.86 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:57:59 ACRMDELL - www.microsoft.com - 80 - - 808 http GET http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1 - 407
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:57:59 ACRMDELL - www.microsoft.com 207.46.144.188 80 250 476 609 http GET http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1 Inet 302
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:57:59 ACRMDELL - www.microsoft.com 207.46.144.188 80 78 234 644 http GET http://www.microsoft.com/windows/ie/ie5/download/ieupdate.htm Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:00 ACRMDELL - windowsupdate.microsoft.com 207.46.134.90 80 359 335 3581 http GET http://windowsupdate.microsoft.com/ Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:01 ACRMDELL - windowsupdate.microsoft.com 207.46.134.90 80 93 293 2382 http GET http://windowsupdate.microsoft.com/redirect.js Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:01 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.249.157 80 266 334 422 http GET http://v4.windowsupdate.microsoft.com/default.asp Inet 302
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:01 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.249.157 80 203 337 8409 http GET http://v4.windowsupdate.microsoft.com/en/default.asp Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:01 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.249.157 80 94 308 3846 http GET http://v4.windowsupdate.microsoft.com/shared/js/redirect.js Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:01 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.249.157 80 187 303 22477 http GET http://v4.windowsupdate.microsoft.com/shared/js/top.js Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:02 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.249.157 80 78 304 529 http GET http://v4.windowsupdate.microsoft.com/shared/js/top.vbs Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:02 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.249.157 80 78 332 1172 http GET http://v4.windowsupdate.microsoft.com/shared/js/survey.js?1/17/2004%2011:57:01%20AM Inet 200
192.168.16.86 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:02 ACRMDELL - v4.windowsupdate.microsoft.com - 80 - 413 4249 http GET http://v4.windowsupdate.microsoft.com/en/toc.asp?corporate=false& - 407
192.168.16.86 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:02 ACRMDELL - v4.windowsupdate.microsoft.com - 80 - - 973 http GET http://v4.windowsupdate.microsoft.com/en/toc.asp?corporate=false& - 407
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:02 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.249.157 80 234 419 4350 http GET http://v4.windowsupdate.microsoft.com/en/mstoolbar.asp?corporate=false& Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:02 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.245.126 80 265 641 7108 http GET http://v4.windowsupdate.microsoft.com/en/toc.asp?corporate=false& Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:02 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.249.157 80 94 423 1871 http GET http://v4.windowsupdate.microsoft.com/en/splash.asp?page=0&corporate=false& Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:02 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.245.126 80 94 399 1495 http GET http://v4.windowsupdate.microsoft.com/en/footer.asp Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:02 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.249.157 80 78 328 2665 http GET http://v4.windowsupdate.microsoft.com/shared/js/mstoolbar.js Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:02 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.245.126 80 156 316 9556 http GET http://v4.windowsupdate.microsoft.com/shared/js/toc.js Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:02 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.249.157 80 109 330 12601 http GET http://v4.windowsupdate.microsoft.com/shared/js/content.js Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:02 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.245.126 80 94 307 546 http GET http://v4.windowsupdate.microsoft.com/shared/css/footer.css Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:02 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.249.157 80 94 330 2063 http GET http://v4.windowsupdate.microsoft.com/shared/css/mstoolbar.css Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:02 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.249.157 80 78 336 883 http GET http://v4.windowsupdate.microsoft.com/shared/images/mstoolbar_ms.gif Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:02 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.245.126 80 109 337 6068 http GET http://v4.windowsupdate.microsoft.com/shared/images/mstoolbar_icp.gif Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:03 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.245.126 80 78 339 458 http GET http://v4.windowsupdate.microsoft.com/shared/images/mstoolbar_curve.gif Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:03 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.249.157 80 94 318 1587 http GET http://v4.windowsupdate.microsoft.com/shared/css/hcp.css Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:03 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.245.126 80 78 329 457 http GET http://v4.windowsupdate.microsoft.com/shared/images/toc_endnode.gif Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:03 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.249.157 80 78 318 1582 http GET http://v4.windowsupdate.microsoft.com/shared/css/toc.css Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:03 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.245.126 80 78 332 5472 http GET http://v4.windowsupdate.microsoft.com/shared/css/content.css Inet 200
192.168.16.86 ACRM\rjyost Industry Update Control 2004-01-17 19:58:03 ACRMDELL - windowsupdate.microsoft.com 207.46.134.90 80 79 230 339 http HEAD http://windowsupdate.microsoft.com/v4/iuident.cab?0401171958 Inet 200
192.168.16.86 ACRM\rjyost Industry Update Control 2004-01-17 19:58:04 ACRMDELL - wustat.windows.com 207.46.197.121 80 250 281 250 http GET http://wustat.windows.com/wutrack.bin?V=2&U=a21243dd3f9db140984a6d2529d59285&C=IU_SITE&A=n&I=&D=&P=5.0.893.2.0.1.0&L=en-US&S=s&E=00000000&M=&X=040117195804894 Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:04 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.245.126 80 79 422 3674 http GET http://v4.windowsupdate.microsoft.com/en/splash.asp?page=3&auenabled=true& Inet 200
192.168.16.86 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:04 ACRMDELL - v4.windowsupdate.microsoft.com - 80 - 332 4245 http GET http://v4.windowsupdate.microsoft.com/shared/images/arrow.gif - 407
192.168.16.86 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:04 ACRMDELL - v4.windowsupdate.microsoft.com - 80 - - 892 http GET http://v4.windowsupdate.microsoft.com/shared/images/arrow.gif - 407
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:04 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.245.126 80 78 334 993 http GET http://v4.windowsupdate.microsoft.com/shared/images/protect.gif Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:04 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.249.157 80 79 560 1413 http GET http://v4.windowsupdate.microsoft.com/shared/images/arrow.gif Inet 200
192.168.16.86 ACRM\rjyost Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 2004-01-17 19:58:04 ACRMDELL - v4.windowsupdate.microsoft.com 207.46.249.157 80 109 425 1819 http GET http://v4.windowsupdate.microsoft.com/en/news.asp?ln=en Inet 200

ISA FIREWALL LOG:

192.168.16.86 SYSTEM NDETECT.EXE:3:5.0 2004-01-17 14:04:15 ACRMDELL www.symantec.com - - 16 - - - - GHBN 13301 2526 0
192.168.16.86 SYSTEM LUCOMS~1.EXE:3:5.0 2004-01-17 14:04:34 ACRMDELL liveupdate.symantecliveupdate.com - - - - - - - GHBN 13301 2527 0
192.168.16.86 SYSTEM LUCOMS~1.EXE:3:5.0 2004-01-17 14:04:34 ACRMDELL - 64.124.29.228 80 16 - - 80 TCP Connect 0 2527 2142
192.168.16.86 SYSTEM LUCOMS~1.EXE:3:5.0 2004-01-17 14:04:34 ACRMDELL - 64.124.29.228 80 16 - 3427 80 TCP Connect 20001 2527 2142

192.168.16.86 SYSTEM NDETECT.EXE:3:5.0 2004-01-17 14:21:23 ACRMDELL www.symantec.com - - - - - - - GHBN 13301 2533 0
192.168.16.86 SYSTEM LUCOMS~1.EXE:3:5.0 2004-01-17 14:21:39 ACRMDELL liveupdate.symantecliveupdate.com - - - - - - - GHBN 13301 2534 0
192.168.16.86 SYSTEM LUCOMS~1.EXE:3:5.0 2004-01-17 14:21:39 ACRMDELL - 64.124.29.231 80 - - - 80 TCP Connect 0 2534 2144
192.168.16.86 SYSTEM LUCOMS~1.EXE:3:5.0 2004-01-17 14:21:39 ACRMDELL - 64.124.29.231 80 - - 3427 80 TCP Connect 20001 2534 2144

192.168.16.86 SYSTEM NDETECT.EXE:3:5.0 2004-01-17 14:41:31 ACRMDELL www.symantec.com - - - - - - - GHBN 13301 2540 0
192.168.16.86 SYSTEM LUCOMS~1.EXE:3:5.0 2004-01-17 14:41:45 ACRMDELL liveupdate.symantecliveupdate.com - - - - - - - GHBN 13301 2541 0
192.168.16.86 SYSTEM LUCOMS~1.EXE:3:5.0 2004-01-17 14:41:45 ACRMDELL - 63.211.178.93 80 - - - 80 TCP Connect 0 2541 2147
192.168.16.86 SYSTEM LUCOMS~1.EXE:3:5.0 2004-01-17 14:41:45 ACRMDELL - 63.211.178.93 80 16 - 3427 80 TCP Connect 20001 2541 2147

192.168.16.86 SYSTEM NDETECT.EXE:3:5.0 2004-01-17 15:40:06 ACRMDELL www.symantec.com - - - - - - - GHBN 13301 2571 0
192.168.16.86 SYSTEM LUCOMS~1.EXE:3:5.0 2004-01-17 15:40:21 ACRMDELL customer.symantec.com - - - - - - - GHBN 13301 2572 0
192.168.16.86 SYSTEM LUCOMS~1.EXE:3:5.0 2004-01-17 15:40:21 ACRMDELL - 198.6.49.225 80 - - - 80 TCP Connect 0 2572 2197
192.168.16.86 SYSTEM LUCOMS~1.EXE:3:5.0 2004-01-17 15:40:21 ACRMDELL - 198.6.49.225 80 16 - 3373 80 TCP Connect 20000 2572 2197
192.168.16.86 SYSTEM LUCOMS~1.EXE:3:5.0 2004-01-17 15:40:22 ACRMDELL liveupdate.symantecliveupdate.com - - - - - - - GHBN 13301 2572 0
192.168.16.86 SYSTEM LUCOMS~1.EXE:3:5.0 2004-01-17 15:40:22 ACRMDELL - 64.215.164.84 80 - - - 80 TCP Connect 0 2572 2198
192.168.16.86 SYSTEM LUCOMS~1.EXE:3:5.0 2004-01-17 15:40:22 ACRMDELL - 64.215.164.84 80 - - 3427 80 TCP Connect 20001 2572 2198

(in reply to ralphyost)
Post #: 29
RE: Anyone can get to the internet - 19.Jan.2004 11:14:00 PM   
ralphyost
Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Stefaan:
I am suspecting that the ISA Server log is not catching the activity of the workstation I was testing with, 192.168.16.86. The reason I suspect this is that today I connected that machine and let a user named "lewis" log on correctly through that machine. Then when Lewis left, I experimented some more with unauthenticated logon from that workstation. The ISA server logs do not show any record of 192.168.16.86 connecting, except when I properly logged onto the server as myself.
Just a thought.....
R.

(in reply to ralphyost)
Post #: 30
RE: Anyone can get to the internet - 20.Jan.2004 4:25:00 AM   
Guest
>>I experimented some more with unauthenticated logon from that workstation. The ISA server logs do not show any record of 192.168.16.86 connecting, except when I properly logged onto the server as myself

ISA is unable to log if a client does not connect to it... It's obvious.

Back to another way to Internet.

Run at client host
>tracert any.what.outside.isa
to verify that there is no way outside except ISA.

(in reply to ralphyost)
  Post #: 31
RE: Anyone can get to the internet - 20.Jan.2004 4:34:00 AM   
Guest
PS: Your firewall allows anonymous access

192.168.16.86 SYSTEM LUCOMS~1.EXE:3:5.0 2004-01-17 15:40:22 ACRMDELL - 64.215.164.84 80 - - 3427 80 TCP Connect 20001 2572 2198

Turn on ALL log fields. Especially rule#1 and rule#2.

(in reply to ralphyost)
  Post #: 32
RE: Anyone can get to the internet - 20.Jan.2004 1:26:00 PM   
ralphyost
Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Aleks2:
ALL log fields are turned on. I checked it twice.
I see you highlighted SYSTEM and 2001 but you didn't elaborate as to why these are significant.
I saw these in the log before but did not comprehend anything unusual about them.

Good idea to run tracert on the workstation. I should have thought of that myself! I'll be there on Fri and will do it at that time (I am only there one day per week, but have remote connection capability to the server).
Thanks again for your help !

(in reply to ralphyost)
Post #: 33
RE: Anyone can get to the internet - 20.Jan.2004 1:31:00 PM   
Guest
SYSTEM = anonymous for the case of ISA Firewall...
20001 = success.

Looks like you have a Protocol Rule allowing anonymous or client-address-based access.

(in reply to ralphyost)
  Post #: 34
RE: Anyone can get to the internet - 20.Jan.2004 2:18:00 PM   
ralphyost
Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Ok, here are the only protocol rules I have:
1. BackofficeInternetAccessProtocolRule
- Allow, all IP, applies only to the Back Office Internet Users Group (which is a Windows 2000 Group Policy group).
2. DENY IP Rule:
- Deny, All IP, applies only to the Deny Internet Access Users Group (which is a Windows 2000 Group Policy group).
3. There is an ALLOW ALL policy that is NOT enabled. Applies only to the Back Office Internet Users Group

Under SITE AND CONTENT RULES:
1. Back Office Internet Site and Content Rule:
- Allow, All destinations, applies only to the Back Office Internet Users Group
2. DENY GROUP:
Deny, all destinations, applies only to the Deny Internet Access Users Group

Where is the hole? I don't see it.....
R.

(in reply to ralphyost)
Post #: 35
RE: Anyone can get to the internet - 20.Jan.2004 3:12:00 PM   
pinball
Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Status: offline
Hi ralphyost,

In order to see what rule is allowing the users to get out, you will need to enable all fields in the logs. To do this, start your ISA Management program, expand the Monitoring Configuration section and then click on Logs. On the right hand side of the screen you should then have the list of the 3 different types of logs; one of the headings is Fields, which should have All listed for all the logs. If not, double click on the log name, click the Field tab, and tick all the boxes. You can stop certain fields being logged once the issue has been sorted out.

With regards to there being another route out to the internet, pull the network cable from the external card on your ISA box, then try to access the Internet. A bit drastic maybe, but at least you will know whether or not the ISA is the only way out; it may save hours of troubleshooting.
HTH

(in reply to ralphyost)
Post #: 36
RE: Anyone can get to the internet - 20.Jan.2004 3:47:00 PM   
ralphyost
Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Hi Pinball:
I do have ALL the fields selected. I have received this comment about all the log fields from several people in this thread. What is it in my logs that gives the impression that all the fields are not selected?
I even opened each log component and verified that all the fields were checked... and that ISA Server format is being used.
Thanks for your help..!
R. [Wink]

(in reply to ralphyost)
Post #: 37
RE: Anyone can get to the internet - 20.Jan.2004 4:49:00 PM   
pinball
Posts: 188
Joined: 8.Jul.2002
From: Dundee, Scotland
Status: offline
Hi ralphyost,

The reason for saying that not all fields are selected is because the last two fields in the web proxy and firewall logs are Rule#1 and Rule#2. These tell you which protocol and site & content rule allowed the user access, so with these fields being logged, when you get one of your PCs that isn't supposed to have access connected to the internet, these two fields will let you know what rule is causing the problem.

Do you have a website you could put a copy of your firewall log on temporarily, so we can take a look at it?

(in reply to ralphyost)
Post #: 38
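To make the two log-reading points in this thread concrete (SYSTEM/anonymous plus a 200-series or 200nn result code means ISA served an anonymous request, and the trailing Rule#1/Rule#2 fields name the rules that let it through), here is an added example scanner. It is not ISA's own tooling and not code from anyone in the thread. It assumes the comma-separated "ISA Server format" shown in the quoted web proxy lines, with the field positions read off those samples (user in the 2nd field, service in the 7th, result code in the 22nd, Rule#1 and Rule#2 in the last two); the service name "fwsrv" for the firewall log and the rule names "EXAMPLE Open ..." in the sample are placeholders I made up. It goes slightly beyond the thread's "200 or 20n" criterion by also counting 3xx web proxy results (such as the 304 cache revalidations above) as served requests, since the client got an answer for those too.

```python
"""Scan ISA Server 2000 log lines (ISA Server file format, comma separated)
for requests that ISA served to an anonymous client, and report the rules
that allowed them.  Added example, not ISA's own tooling."""
from dataclasses import dataclass
from typing import List

# Zero-based field positions as they appear in the lines quoted in the
# thread: client IP, user, agent, Y/N, date, time, service, ..., result
# code, cache info, Rule#1, Rule#2.  Only these five are used; the field
# names are my reading of the samples, not ISA documentation.
F_USER, F_SERVICE, F_RESULT, F_RULE1, F_RULE2 = 1, 6, 21, 23, 24
MIN_FIELDS = 25                       # a complete line in the posted samples

# "anonymous" in the web proxy log, "SYSTEM" in the firewall log
ANON_USERS = {"anonymous", "system"}


def is_allowed(code: str, service: str) -> bool:
    """True when ISA served the request rather than refusing it.

    Web proxy (service "w3proxy"): 200/20n is success per the thread; any
    3xx (e.g. a 304 cache revalidation) also means the client got its answer,
    while 407 is the authentication challenge and 4xx/5xx are refusals.
    Any other service is treated as the firewall log, where 200nn means
    success per the thread (20001 in the quoted lines).
    """
    if not code.isdigit():
        return False
    n = int(code)
    if service.lower() == "w3proxy":
        return 200 <= n < 400
    return 20000 <= n <= 20099


@dataclass
class Finding:
    line_no: int        # 1-based position in the input
    kind: str           # "ALLOWED_ANON" or "TRUNCATED"
    user: str
    result: str
    rule1: str
    rule2: str


def parse_fields(line: str) -> List[str]:
    # The posted format separates fields with ", "; no field value in the
    # samples (URLs, agents, rule names) contains that sequence.
    return [f.strip() for f in line.split(", ")]


def scan(lines) -> List[Finding]:
    """Return one Finding per line that needs a human look."""
    findings = []
    for no, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        f = parse_fields(line)
        if len(f) < MIN_FIELDS:
            # Like the cut-off last entry in the thread: cannot be judged
            user = f[F_USER] if len(f) > F_USER else "?"
            findings.append(Finding(no, "TRUNCATED", user, "?", "?", "?"))
            continue
        if f[F_USER].lower() in ANON_USERS and is_allowed(f[F_RESULT], f[F_SERVICE]):
            findings.append(Finding(no, "ALLOWED_ANON", f[F_USER], f[F_RESULT],
                                    f[F_RULE1], f[F_RULE2]))
    return findings


# Constructed sample modelled on the thread's lines.  Line 3 is the case the
# thread is hunting for (anonymous client, request served; rule names are
# placeholders); line 4 reproduces the truncated last entry.
SAMPLE_LOG = r"""192.168.16.80, ACRM\KAPETRECCA, Symantec LiveUpdate, Y, 1/17/2004, 18:28:43, w3proxy, ACRMDELL, -, liveupdate.symantecliveupdate.com, 63.210.47.91, 80, 47, 436, 211, http, TCP, GET, http://liveupdate.symantecliveupdate.com/minitri.flg, text/plain, VCache, 304, 0x800106, BackOffice Internet Access Protocol Rule, BackOffice Internet Access Site and Content Rule
192.168.16.80, anonymous, Symantec LiveUpdate, N, 1/17/2004, 18:33:44, w3proxy, ACRMDELL, -, liveupdate.symantecliveupdate.com, -, 80, 0, 280, 4237, http, TCP, GET, http://liveupdate.symantecliveupdate.com/minitri.flg, -, -, 407, 0x0, -, -
192.168.16.86, anonymous, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0), N, 1/17/2004, 19:58:02, w3proxy, ACRMDELL, -, v4.windowsupdate.microsoft.com, 207.46.249.157, 80, 94, 399, 1495, http, TCP, GET, http://v4.windowsupdate.microsoft.com/en/footer.asp, text/html, Inet, 200, 0x0, EXAMPLE Open Protocol Rule, EXAMPLE Open Site and Content Rule
192.168.16.80, anonymous, Symantec LiveUpdate, N, 1/17/2004, 18:33:44, w3proxy, ACRMDELL, -, liveupdate.symantecliveupdate.com, -, 80, 0, 0, 840, http, TCP, GET,
"""

if __name__ == "__main__":
    for fnd in scan(SAMPLE_LOG.splitlines()):
        print(f"line {fnd.line_no}: {fnd.kind} user={fnd.user} "
              f"result={fnd.result} rule1={fnd.rule1!r} rule2={fnd.rule2!r}")
```

Run against a real export, the ALLOWED_ANON findings are the lines to sort by Rule#1/Rule#2: every anonymous request that got a served result names the protocol rule and site and content rule that let it through, which is exactly the "hole" the thread is trying to locate. Anonymous lines with 407 are the normal proxy authentication challenge and are not reported.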
RE: Anyone can get to the internet - 20.Jan.2004 4:55:00 PM   
ralphyost
Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Hi:
You know, I saw that entry in some parts of the log, but not all entries. I will go retrieve some of it and post a few lines to show you. The Rules were not shown for all entries.
R.

(in reply to ralphyost)
Post #: 39
RE: Anyone can get to the internet - 20.Jan.2004 5:11:00 PM   
ralphyost
Posts: 64
Joined: 3.Dec.2001
From: Linwood, NJ USA
Status: offline
Here are a few lines that show some log entries with the Rules; the ones with anonymous do not show the rule. ACRM\KAPETRECCA is a normal authenticated user.
R.

192.168.16.80, ACRM\KAPETRECCA, Symantec LiveUpdate, Y, 1/17/2004, 18:28:43, w3proxy, ACRMDELL, -, liveupdate.symantecliveupdate.com, 63.210.47.91, 80, 47, 436, 211, http, TCP, GET, http://liveupdate.symantecliveupdate.com/minitri.flg, text/plain, VCache, 304, 0x800106, BackOffice Internet Access Protocol Rule, BackOffice Internet Access Site and Content Rule
192.168.16.80, ACRM\KAPETRECCA, Symantec LiveUpdate, Y, 1/17/2004, 18:28:43, w3proxy, ACRMDELL, -, liveupdate.symantecliveupdate.com, 63.210.47.91, 80, 62, 337, 216, http, TCP, GET, http://liveupdate.symantecliveupdate.com/avenge$201.5$20microdefs2_microdefsb.dec_symalllanguages_livetri.zip, application/zip, VCache, 304, 0x800106, BackOffice Internet Access Protocol Rule, BackOffice Internet Access Site and Content Rule
192.168.16.80, ACRM\KAPETRECCA, Symantec LiveUpdate, Y, 1/17/2004, 18:28:44, w3proxy, ACRMDELL, -, liveupdate.symantecliveupdate.com, 63.210.47.91, 80, 16, 341, 216, http, TCP, GET, http://liveupdate.symantecliveupdate.com/avenge$201.5$20microdefs2_microdefsb.curdefs_symalllanguages_livetri.zip, application/zip, VCache, 304, 0x800106, BackOffice Internet Access Protocol Rule, BackOffice Internet Access Site and Content Rule
192.168.16.80, ACRM\KAPETRECCA, Symantec LiveUpdate, Y, 1/17/2004, 18:28:44, w3proxy, ACRMDELL, -, liveupdate.symantecliveupdate.com, 63.210.47.91, 80, 31, 299, 216, http, TCP, GET, http://liveupdate.symantecliveupdate.com/nav95_9.05_english_livetri.zip, application/zip, VCache, 304, 0x800106, BackOffice Internet Access Protocol Rule, BackOffice Internet Access Site and Content Rule
192.168.16.80, anonymous, Symantec LiveUpdate, N, 1/17/2004, 18:33:44, w3proxy, ACRMDELL, -, liveupdate.symantecliveupdate.com, -, 80, 0, 280, 4237, http, TCP, GET, http://liveupdate.symantecliveupdate.com/minitri.flg, -, -, 407, 0x0, -, -
192.168.16.80, anonymous, Symantec LiveUpdate, N, 1/17/2004, 18:33:44, w3proxy, ACRMDELL, -, liveupdate.symantecliveupdate.com, -, 80, 0, 0, 840, http, TCP, GET,