Discussion about article on How to Record URL and User Information (Full Version)






tshinder -> Discussion about article on How to Record URL and User Information (5.Jul.2005 7:59:00 AM)

This thread is for discussing the article on How to Record URL and User Information in ISA 2004 Web Proxy Filter and Firewall Logs and Reports at http://www.isaserver.org/tutorials/2004recorduserinfo.html

Thanks!
Tom

[ July 07, 2005, 10:45 AM: Message edited by: tshinder ]




rok -> RE: Discussion about article on How to Record URL and User Information (6.Jul.2005 2:53:00 AM)

Great article.

Is it possible to record URL and User Information if ISA server is not a member of internal domain? We have only one ISA server and for security reasons it's not a member of internal domain (it's standalone server). So we use RADIUS authentication for Web proxy client.

Rok




tshinder -> RE: Discussion about article on How to Record URL and User Information (6.Jul.2005 8:12:00 AM)

Hi Rok,

I think you have it wrong. For security reasons, the ISA firewall SHOULD be a member of the domain.

There are a ton of limitations imposed by RADIUS, and the desultory logging is only one of them. Domain membership significantly enhances the ISA firewall's overall security posture, so in the vast majority of cases, it should be a domain member.

The only exception is when the ISA firewall doesn't need to be a domain member, such as a back to back ISA firewall deployment where the front-end ISA firewall doesn't need to be a domain member, since it's protecting only DMZ hosts.

HTH,
Tom




Guest -> RE: Discussion about article on How to Record URL and User Information (6.Jul.2005 11:32:00 AM)

I know that for security reasons, the ISA server must be a Domain Member.

But, in my case, I have a slightly different environment.

The users connect to my ISA server through a Cisco pix firewall into a DMZ (where the ISA server is).
We haven't enabled the domain membership on the ISA Server because I understand that it is a security issue to have a domain member in a DMZ.

In this particular scenario, what solutions do I have to begin logging users? Do I have to use another ISA server? Perhaps making an Array?

Thanks for your time!




jkisa3 -> RE: Discussion about article on How to Record URL and User Information (6.Jul.2005 10:50:00 PM)

I have a parental controls network (separate from my isa network) that I have my kids log into (it is a linksys parental control). How can I log what web sites they go to? Everything goes through the ISA firewall however if I change the web proxy settings in IE they bypass the parental controls. Is there a way to have ISA log their web URLs also?




tshinder -> RE: Discussion about article on How to Record URL and User Information (6.Jul.2005 11:39:00 PM)

quote:
Originally posted by <Wolfgang>:
I know that for security reasons, the ISA server must be a Domain Member.

But, in my case, I have a slightly different environment.

The users connect to my ISA server through a Cisco pix firewall into a DMZ (where the ISA server is).
We haven't enabled the domain membership on the ISA Server because I understand that it is a security issue to have a domain member in a DMZ.

In this particular scenario, what solutions do I have to begin logging users? Do I have to use another ISA server? Perhaps making an Array?

Thanks for your time!

Hi Wolfgang,
That's a very interesting deployment, a back to back firewall config with the ISA firewall in front. While it's a valid config, you should bring the more secure firewall, the ISA firewall, closest to the core assets, and let the PIX packet filter just use its packet filter features to filter out the "junk" traffic.

Thanks!
Tom




tshinder -> RE: Discussion about article on How to Record URL and User Information (6.Jul.2005 11:41:00 PM)

quote:
Originally posted by jk3:
I have a parental controls network (separate from my isa network) that I have my kids log into (it is a linksys parental control). How can I log what web sites they go to? Everything goes through the ISA firewall however if I change the web proxy settings in IE they bypass the parental controls. Is there a way to have ISA log their web URLs also?

Hi JK,
Why not use the ISA firewall to block the bad sites?

Thanks!
Tom




j2004 -> RE: Discussion about article on How to Record URL and User Information (10.Jul.2005 9:55:00 PM)

quote:
--------------------------------------------------------------------------------
Originally posted by <Wolfgang>:
I know that for security reasons, the ISA server must be a Domain Member.

But, in my case, I have a slightly different environment.

The users connect to my ISA server through a Cisco pix firewall into a DMZ (where the ISA server is).
We haven't enabled the domain membership on the ISA Server because I understand that it is a security issue to have a domain member in a DMZ.

In this particular scenario, what solutions do I have to begin logging users? Do I have to use another ISA server? Perhaps making an Array?

Thanks for your time!
--------------------------------------------------------------------------------

Hi Wolfgang,
That's a very interesting deployment, a back to back firewall config with the ISA firewall in front. While it's a valid config, you should bring the more secure firewall, the ISA firewall, closest to the core assets, and let the PIX packet filter just use its packet filter features to filter out the "junk" traffic.

Thanks!
Tom

-

Tom, have you considered that if this person is using isa in cache mode only etc. and doesn't need the other isa features (when used as firewall, publishing box) hence doesn't care less for having it a domain member? There is nothing wrong with having caching proxy server in a DMZ Tom, 1. In fact it's excellent practice if it is to serve other networks as well and doesn't need to be a member of the internal domain. 2. It can be well hardened as well by disabling unneeded services, and hence also knows very little stuff about inside networks for any potential compromise to extract. I have deployed many Squid boxes in a DMZ in this scenario, now that ISA2004 can do radius auth for this type of proxy deployment many admins may migrate from Squid to ISA2004. It's actually a very common scenario.

The guy just asked if the logging is still as good when setup this way, a good question. I suggest you just answer the question instead of telling the poster how to design their network.

Sorry if this sounds like flaming, remember not everyone's environment is how MS or you want it to be. Example, many organisations don't publish anything, and never will as they have no need, except perhaps for smtp, in this case the PIX has a proven application smtp filter that can be attached to another external registered ip address/dns mx for publishing to the inside box, and often a proxy server is placed in the dmz, so it can serve more than just a MS network behind the pix, with ISA2004 being able to authenticate using radius and perhaps better logging facility because of this feature, this is an attractive scenario for many organisations as this isn't as easy to do on standalone proxy servers.

regards

julian

[ July 10, 2005, 09:58 PM: Message edited by: j2004 ]




tshinder -> RE: Discussion about article on How to Record URL and User Information (11.Jul.2005 9:57:00 AM)

Hi Julian,

I just try to encourage best practices and the best type of deployments and security. I realize that there are misconceptions out there, and that there are political hacks that need to be dealt with, so that the ISA firewall isn't always deployed correctly or most securely. But I always assume that there is the goal, and try to help make it the most secure ISA firewall deployment possible.

Thanks!
Tom




AGJFritz -> RE: Discussion about article on How to Record URL and User Information (14.Jul.2005 10:13:00 PM)

Hi Tom,

I'm in the same boat as Wolfgang. We are using ISA in a DMZ to securely publish OWA. We just put in Secure Computing SmartFilter, and are using that on the ISA server, which is now our WebProxy server. It's not a domain member, and all that we allow in from the DMZ is the traffic necessary for the OWA operations. Is there a good way just to get usernames in the ISA Logs? It's allowing All Users access right now, and not Authenticated Users. I really don't want to have to have the users enter a UN/Password every time they go to the web. Thanks!

-Andy

P.S. Great Article btw.




tshinder -> RE: Discussion about article on How to Record URL and User Information (15.Jul.2005 11:34:00 AM)

Hi Andrew,

Every time I hear about one of these kinds of deployments it breaks my heart.

It's like having a champion racehorse, but because some dolt somewhere said "that racehorse must run with only two legs", we have to amputate two of the horse's legs. That's how much security you remove from the ISA firewall with these kinds of deployments.

The only way the ISA firewall can record user names for forward and reverse Web proxy filter connections is to have users authenticate with the ISA firewall. The obvious and best way is to make the ISA firewall a domain member; the second best way is to use RADIUS authentication. But there are a lot of downsides of RADIUS authentication and a ton of upsides for making the ISA firewall a domain member.

Believe me -- someone will crack the "hardware" firewall long before they even touch the ISA firewall!

HTH,
Tom




Guest -> RE: Discussion about article on How to Record URL and User Information (26.Aug.2005 1:41:00 PM)

Maybe I missed it somewhere.... but how do I get a report showing me which users went to what websites? Do I need a third party tool?

They are configured as proxy clients.

Thanks




Rainman13 -> RE: Discussion about article on How to Record URL and User Information (9.Sep.2005 2:01:00 PM)

quote:
Originally posted by <Rainman13>:
Maybe I missed it somewhere.... but how do I get a report showing me which users went to what websites? Do I need a third party tool?

They are configured as proxy clients.

Thanks

Here is more information:

I have a Windows 2003 domain, ISA 2004 w/ 2 NICs. All clients are webproxy clients and I am requiring authentication.

Based on what I've been reading, I think I'm just missing it.... a little help.




wishfly -> RE: Discussion about article on How to Record URL and User Information (14.Sep.2005 5:21:00 PM)

you can try netfee
http://www.netfeesoftware.com/NetFee/Index.htm




befire -> RE: Discussion about article on How to Record URL and User Information (8.Jun.2006 2:41:43 PM)

Dear Sir,
Can I prevent ISA server 2004 from recording and monitoring the activities (sessions, URL, IP, etc.) for a specific IP address or PC?

Thank you




paleogryph -> RE: Discussion about article on How to Record URL and User Information (16.Jun.2006 9:01:30 PM)

I have a question and a comment.

Comment:
When I go to Monitoring > Logging > Start Query > it shows me in realtime what domain users are going to what URLs.  That's great, and what we wanted to get out of ISA.  I never had to enable the Firewall Client or Auto Discovery.  I enabled Web Proxy Clients and set IE to use the proxy via GP and set FF to use the proxy via all.js.  So I'm kind of confused about the article.  Perhaps I'm misreading something, but doesn't it indicate that Firewall Client and Auto Discovery must be enabled for logging to show the URL matched with the user?


Question:
I see others on this board asking what I would consider is one of the most important questions about ISA, yet I haven't seen a definitive answer.  Perhaps the answer is here but I haven't found it yet.  The question is, how can the reporting (not logging) be set to show users matched with URLs?  I have looked into the customizing of my daily reports, yet I haven't been able to get the daily reports to show such data.  I have seen others suggest third party software tools for this, yet I thought perhaps ISA has its own way of doing this that I haven't discovered yet.  What I need is detailed user/URL matching, with time/date/etc.  Is this only available via third party software?

thanks




seanofarrell -> RE: Discussion about article on How to Record URL and User Information (10.Jul.2006 10:06:18 PM)

Hi paleogryph ,
 
My question is exactly the same as yours. I have followed all steps as per the article but still don't get detailed username & URLs in the ISA Reports. A managing director of a client company of mine wants to view the daily published reports and they don't make sense. It would be really really cool if I can get these reports working!
 
Thanks
 
Sean




a58strod -> RE: Discussion about article on How to Record URL and User Information (15.Mar.2007 11:19:08 AM)

I have the same question as the above 2 questions.  How do you get the information that is recorded into the log that shows what users have been to what sites on a REPORT without third party software???




mwilso09 -> split network between web proxy and securenat clients and want good logs! (5.Apr.2007 7:23:19 AM)

Tom,
This is a great article about authentication and logging.  I have a question I was hoping you could clarify for me.  I have read the article and played around with many of the settings.  I have also looked over the other articles about authentication and access policies that I can find...I hate being that guy who asks a question that is already clearly answered. 

My scenario is this....
Simple domain setup.  One 2K3 server is Domain Controller/DNS/DHCP among other things server based.  The other 2K3 is the ISA Server that is domain member and serves as a content filter for our network.  (I use bt-webfilter for content...but my question is related to ISA).  (2 NICS...one to internal network subnet, other to DSL router).

We are a school and all staff computers are Domain based (with XP) and so are our internet cafe public computers.  Student laptops (student owned) are non domain members (SecureNAT).  I broadcast WPAD autodiscovery and Web Proxy info, so my manual configuration is at a minimum. 

On ISA I have one rule to open up all protocols to External for All Users.  This allows traffic to pass to the bt-webfilter for filtering.  (I have other rules, but have disabled them all to work with this basic troubleshooting scenario.)

What I would like for ISA 2004 to do in a perfect world is to take authentication (integrated is turned on) from clients that can provide it and place it into the logs.  Then users that are SecureNAT only and are anonymous can place anonymous user info.  All securenat laptops have DHCP reservations, so if I am only getting IP info for them, then I can still resolve the IP to the student.  I cannot resolve IP to 'logged on user' from public workstations though. 

If I change the access policy to "all authenticated users" I get the user data I want in the logs, but then SecureNAT clients aren't allowed.  So then I thought, first create a policy allowing access for authenticated users and it will log, and then under that create a lower policy for ALL USERS, but the anonymous users don't get past the 1st policy.  As I understand from your and other articles, this is by design.

I hope this makes sense.  I would love to get user info from authenticated users and then IP info for anonymous.  It seems like there must be a way to do this.  Any input is HIGHLY appreciated from the man who knows all (or anyone else who can cast some light).

Thanks again!!

ps...
We have quite a few visitors so I don't want or need to do basic authentication for laptops, I want everyone to have access with minimum user interference.
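
The mixed view asked for above (user name where the client authenticated, client IP resolved through DHCP reservations where it did not) can be built from an exported proxy log, shown here as an added example that is not part of the original post and is not an ISA Server feature. It assumes a tab-separated W3C extended log with `c-ip`, `cs-username` and `cs-uri` fields, that unauthenticated requests carry `anonymous` or `-` as the user name, and a hypothetical reservation table; the sample log lines are constructed.

```python
from collections import defaultdict

# Constructed sample in W3C extended format (tab-separated, "#Fields:" header).
# Field names are an assumption; check them against your own log's header line.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tcs-username\tdate\ttime\tcs-uri\tsc-status",
    "10.0.0.21\tSCHOOL\\jsmith\t2007-04-05\t07:01:10\thttp://example.org/a\t200",
    "10.0.0.57\tanonymous\t2007-04-05\t07:01:12\thttp://example.net/b\t200",
    "10.0.0.21\tSCHOOL\\jsmith\t2007-04-05\t07:02:00\thttp://example.org/a\t200",
    "10.0.0.99\t-\t2007-04-05\t07:03:30\thttp://example.com/c\t200",
])

# Hypothetical DHCP reservation table: client IP -> owner of the laptop.
RESERVATIONS = {"10.0.0.57": "student:alee"}

def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def identity(rec, reservations):
    """Authenticated user name if logged, else reservation owner, else raw IP."""
    user = rec.get("cs-username", "-").strip()
    if user and user != "-" and user.lower() != "anonymous":
        return user
    ip = rec.get("c-ip", "-")
    return reservations.get(ip, "ip:" + ip)

def user_url_report(text, reservations):
    """Return {identity: {url: hit_count}} for every record in the log."""
    report = defaultdict(lambda: defaultdict(int))
    for rec in parse_w3c(text):
        report[identity(rec, reservations)][rec.get("cs-uri", "-")] += 1
    return {who: dict(urls) for who, urls in report.items()}

if __name__ == "__main__":
    for who, urls in sorted(user_url_report(SAMPLE_LOG, RESERVATIONS).items()):
        print(who, urls)
```

An IP-derived identity is only as reliable as the reservation table and says nothing about who was sitting at a shared workstation, so keep the two kinds of identity distinguishable in any report built this way.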




conna -> RE: split network between web proxy and securenat clients and want good logs! (7.May2007 1:27:24 PM)

  I have the same need that seanofarrell and paleogryph are asking for.  Management wants the report to show what the users are browsing all day with their investment in ISA.  I created a new post so that this does not get buried.

http://forums.isaserver.org/Better_reports_what_users_browsed_what_websites/m_2002043909/tm.htm



