Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

strange entries in log table with respect to access rules.

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> Logging and Reporting >> strange entries in log table with respect to access rules. Page: [1]
Login
Message << Older Topic   Newer Topic >>
strange entries in log table with respect to access rules. - 17.Sep.2007 1:31:48 AM   
adonald

 

Posts: 7
Joined: 10.Sep.2007
Status: offline 		Hi,

I have a question about access rules/logging. I have setup the following 3 test access rules -

The user i am logged in as is not a member of group1, but is a member of group2.

rule group1
1. allow, http/https protocol, internal, external, group1, all content

rule group2
2. allow, http/https protocol, internal, access, group2, all content

rule default rule
3, deny, all, all traffic, all networks, all networks, all users, all content

In the log, i see the following entries (i've stripped out the irrelevant stuff) -

clientusername, result code,  protocol, desthost, rule

anonymous, 407, http, www.google.com, group1
anonymous, 407, http, www.google.com, group1
domain\user, 200, http, www.google.com, group2.

The process behind the proxy authentication is correct and the ruleset IS being applied correctly, however the log (and i guess the decision making in ISA) looks incorrect.

Is the above actually correct, or should i see the following in the log -

anonymous, 407, http, www.google.com, default rule
anonymous, 407, http, www.google.com, default rule
domain\user, 200, http, www.google.com, group 2

Note that the 'rule' that allows the user according to ISA server is group1, but this user is not a member of this group. Only group2. The access rules do work as expected , eg, if i change rule 2 to deny, the user will be denied internet access based on it.

If i remove rule1, the log looks as i've written in the suggested logs.. eg, 2 anonymous entries denied by the default rule, but after authentication the group2 rule is in effect.

Am i just reading this wrong?

thanks for any help.

< Message edited by adonald -- 17.Sep.2007 1:33:07 AM >
Post #: 1
RE: strange entries in log table with respect to access... - 17.Sep.2007 2:34:34 AM   
adonald

 

Posts: 7
Joined: 10.Sep.2007
Status: offline 		nevermind. it is a known problem.

http://support.microsoft.com/kb/933718/

and here's the 'service pack'

http://support.microsoft.com/kb/939455

< Message edited by adonald -- 17.Sep.2007 2:43:07 AM >

(in reply to adonald)
Post #: 2
RE: strange entries in log table with respect to access... - 17.Sep.2007 5:04:04 AM   
elmajdal

 

Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline 		Hi,

little correction.

Not a Service Pack, its a Supportability Update package

Service Pack will be released later.

Thanks,
Tarek

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to adonald)
Post #: 3
RE: strange entries in log table with respect to access... - 19.Sep.2007 10:38:30 PM   
adonald

 

Posts: 7
Joined: 10.Sep.2007
Status: offline 		I wrote something here, but i still am not 100% sure why the logs look wrong.

< Message edited by adonald -- 19.Sep.2007 10:53:56 PM >

(in reply to elmajdal)
Post #: 4

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Firewall] >> Logging and Reporting >> strange entries in log table with respect to access rules. Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts