ISA 2004 Sessions - inconsistent FW client sessions

Discussion in 'Windows Small Business Server' started by Dale Networkguy, Aug 2, 2005.

  1. I've been getting acquainted with the new ISA 2004 interface and am perplexed
    by the "monitoring sessions". Many of the clients have multiple sessions
    showing various connectivity (intranet, internet, ...etc) and this is as
    expected. However, as I was connecting to the internet from my own
    workstation I could not find a FW client session in real time on the ISA
    interface (while remoting in from this workstation simultaneously); this is
    very strange as I have the FW client deployed and it is properly configured
    just the same as all the rest of the workstations. Furthermore, previous
    monitoring reports have shown records of FW client connection to the internet
    with my username (which I assume is from this same workstation, but perhaps
    it's from my remote RDP connection to manage the server). These same
    monitoring reports more frequently have Secure NAT (IP address)
    identification listed in the Top Web Users section rather than FW client
    (domain\username). This past Sunday's report listed two external IP
    addresses as being "Web Users" which looks kinda alarming! Perhaps though
    this is merely a record of RWW sessions. Is ISA working as it's supposed to
    or is it allowing un-authenticated internet access?

    This is all very confusing to make sense of; if you have a better
    understanding of this please could you help clarify this? - TIA
     
    Dale Networkguy, Aug 2, 2005
    #1

  2. Edward Tian (Guest)

    Hi Dale:
    Thank you for posting your questions!

    Sorry for the delay; I was performing some research on your
    concern. I appreciate your understanding.

    If the user just accessed internet web sites, it's expected that there
    is no FW session. The http/https based traffic goes through the server via
    the proxy client method. We may see a 'web proxy' type session.

    The REAL information is stored in the ISA log. You can query the ISA log to
    check what traffic happened at that moment.

    Regarding your second question, if SecureNAT client is also configured as
    Web Proxy client at the same time, its internet web access will surely be
    logged in the monitoring report as being "Web Users". This is an expected
    behavior.

    Regarding your third question, this external IP may be a normal record of
    an RWW/OWA session rather than a malicious attack. You can query the log file
    to check what it has done during the session. (If it initiates a large
    amount of traffic, you may need to be on the stick.)

    To answer "Is ISA working as it's supposed to or is it allowing
    un-authenticated internet access" you mentioned in the post: if we enable
    the checkbox "Require all users to authenticate", only the users in the SBS
    Internet Users group can access the Internet. Then all un-authenticated
    access will be denied by ISA Server. (Note: SecureNAT clients will also be
    unable to access the internet due to the fact that their credentials can't
    be passed to ISA, although an Allow All/All/All rule is present.)

    I would like to provide some information in regard to three types of
    clients:
    1. Web Proxy client

    Web-proxy clients do not require that any client software be installed.
    You need only configure the ISA as the proxy server in Web browser setting.
    For example, if you are using IE, you can set the proxy in Internet
    Options | Connections | LAN Settings. Authentication information is passed
    by the Web browser. The name resolution is resolved by the ISA.

    Firewall and SecureNAT client computers can ALSO be Web-proxy clients at
    the same time if their browsers are so configured. Web Proxy client only
    supports the protocols HTTP, HTTPS and FTP.

    We strongly recommend you configure the Firewall Client and the SecureNAT
    client computers as the Web Proxy Client at the same time since this will
    bring the better network browsing performance from the Web Proxy Service.

    2. SecureNAT client

    A SecureNAT client is a machine whose default gateway is the internal IP
    of the ISA server. A SecureNAT client treats ISA as its gateway and all name
    resolution is resolved by the client itself.

    A SecureNAT client doesn't support user authentication through ISA and it
    also does not support Secondary Connections. If you have applied some ISA
    rules to user groups, a SecureNAT client cannot pass them.

    If we configure the proxy settings in IE, the clients will work as a Web
    Proxy Client when opening IE to access Internet.

    So, we usually configure the non-Windows OS, such as Unix, as the SecureNAT
    client. For Windows clients, we do not recommend our customers do that.

    3. Firewall client

    We recommend our customer install Firewall client on the client machines if
    their ISA 2004 has multiple NICs. Firewall client can automatically pass
    the user-level authentication through the ISA in back-end; and it can also
    support other protocols, such as SMTP, POP3, than HTTP, HTTPS and FTP. The
    name resolution is resolved by ISA.

    If we configure the proxy settings in IE, the clients will work as a Web
    Proxy Client when opening IE to access Internet.

    The following information is for your reference:

    An established connection does not appear on the Sessions tab in ISA Server
    2004
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;838129

    Thank you for your time and understanding! :)
    Please let me know if anything is unclear, I am standing by to help you.

    Have a nice day!

    Best Regards
    Edward Tian(MSFT)
    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security
    ======================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    ======================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.

     
    Edward Tian, Aug 3, 2005
    #2

  3. Edward,

    Thank you for your response. This advice doesn't work in SBS please test
    this out! The ISA server is on the same box as SharePoint, Exchange, IIS,
    ....etc in SBS.

    "if we enable the checkbox 'Require all users to authenticate', only the
    users in SBS
    Internet Users group can access the Internet. Then all un-authenticated
    access will be denied by ISA Server"

    (I will have to assume you are referring to the Authentication page of the
    Internal network Property Sheet for Web Proxy. This seems the only place
    where such a check box exists. If this gets checked then no intranet nor
    internet access functions in the SBS domain!)

    2. "SecureNAT client is the machine that its default gateway is the
    internal IP
    of the ISA server. SecureNAT client treats ISA as its gateway and all name
    resolution is resolved by the client itself."

    In SBS this is the default required configuration for all connected clients.
    If what you are saying is true then I would think ISA is being weakened by
    not utilizing the deployed FW client topology. In fact what would be the
    point of deploying the FW client at all if it's going to be used only
    intermittently. Every client in this domain has the FW client installed.
    Still the "Web Users" statistics on the monitoring report show IP addresses
    (SecureNAT) more so than the resolved user names. This renders the report
    much less readable to the non-technical minded owner of the company for whom
    the report needs to be meaningful.

    There is no configuration to specify that a client is solely a SecureNAT
    client at all; in fact there is no way to prevent a client from becoming a
    SecureNAT client in SBS (from what I have observed). If there is a way to
    force FW client only behavior this might be of great benefit.

    3. FW client - every machine has the FW client installed and configured
    identically. This includes the recommended preference of using ISA as the
    web proxy.
     
    Dale Networkguy, Aug 3, 2005
    #3
  4. If I remove a person from the Internet group...[a membership group ]
    they don't get access.

    According to the gang... what the ISA is doing is saying 'who are you'..
    and logging those first knocks on the door...then the user authenticates
    and saying "oh that's who you are and logging that"

    They log both entries and I've yet to figure out which one to shut up so
    I only get authenticated addresses.

    I cannot get the ISA gang to understand that their reporting model IS
    STUPID.

    There I said it.

    Download details: MSDEToText Tool for Internet Security and Acceleration
    (ISA) Server 2004:
    http://www.microsoft.com/downloads/...a0-e4ad-47c7-9961-5e22e65ca986&displaylang=en

    See if that helps any?
     
    Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP], Aug 4, 2005
    #4
  5. Edward Tian (Guest)

    Hi Dale:
    Thank you for your update.
    I am sorry that the information I provided before confused you.

    To answer your concern in regard to the checkbox 'Require all users to
    authenticate':
    By default, after we run CEICW Wizard, an Access Rule called 'SBS Internet
    Access Rule' is automatically created in order to allow the internal users
    to access internet. Specifically, this rule is applied to 'SBS Internet
    Users', which means the traffic initiated by unauthenticated user will be
    dropped by ISA2004. For example, a laptop user who doesn't join the domain
    won't be able to access the network due to the rule in spite of firewall
    client being installed. For those users, we can add an allow access rule
    which is applied to 'All users' instead of 'SBS Internet Users' (That means
    anonymous user can also access the internet). In this way, everything seems
    to be working perfectly.

    Then, after we enable the checkbox 'Require all users to authenticate'
    which doesn't allow the unauthenticated user to pass through ISA 2004, the
    user who is only a SecureNAT client or not a member of the 'SBS Internet
    Users' can no longer access the internet. (Firewall/Web Proxy client who is
    a domain member will work normally.)

    To answer the question why many IP address records are present in the
    monitoring report:
    By default, if a client is configured as a Web Proxy client, every time it
    accesses an internet web site, the credential information (including
    username) will be saved in the ISA log. Then the monitoring report which is
    generated from the ISA log will contain a "domain/username" record. However,
    if there is an access rule in ISA 2004 which allows anonymous access (an
    anonymous rule means that "All Users" are applied to this rule instead of
    specific users), we will find only IP addresses are present in the "Web
    Users" statistics on the monitoring report. Let me explain:

    When an internal client (no matter whether firewall client, SecureNAT client or Web
    Proxy client) wants to access an internet web site, it will first send an
    anonymous request to the ISA server for the web request. If there exists a
    corresponding Allow Anonymous rule, the request will be allowed and the
    client will be able to browse the internet web page with no difficulty.
    Unluckily, only the IP address is saved in the ISA log due to the fact that
    this is only an anonymous request and no username/password information was
    sent to the ISA server. Then only IP addresses are present in the report.
    However, if there is no such anonymous rule,
    the server will request credentials as a response. Afterwards the
    client will automatically send its credentials to the ISA server for
    authentication (if it's a Web Proxy client) and then be able to access the
    internet (if the credentials are valid). In this situation, the
    domain/username information will surely be present in the "Web Users"
    statistics on the monitoring report.

    Hope this clarification is helpful. :)

    Please do let me know if anything is unclear. I look forward to hearing
    from you. Thank you.
    Have a nice day!

    Best Regards
    Edward Tian(MSFT)
    Microsoft CSS Online Newsgroup Support


     
    Edward Tian, Aug 4, 2005
    #5
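To make concrete the sequence Edward describes above (anonymous first request, credential challenge, authenticated resend, and why "Web Users" shows IP addresses when an "All Users" rule exists) together with Susan's point that both the anonymous "first knock" and the authenticated request get logged, here is an added Python model. It is not code from the thread or from ISA Server; the clients, IP addresses, rule names and status codes are constructed, and the rule evaluation follows the thread's description rather than ISA's actual policy engine.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    """One access rule in this constructed model: the user set it applies to."""
    name: str
    users: str  # "All Users" means anonymous requests match; otherwise a group name


@dataclass
class Client:
    """An internal machine. A SecureNAT-only client cannot present credentials."""
    ip: str
    user: Optional[str]       # DOMAIN\user when a logon is available
    can_authenticate: bool    # Web Proxy or Firewall client: True; SecureNAT-only: False
    groups: Set[str] = field(default_factory=set)


LogEntry = Tuple[str, int]  # (principal as logged, simplified HTTP-style status)


def _rule_matches(rule: Rule, client: Client, require_auth: bool) -> bool:
    # Per the thread: "Require all users to authenticate" switches off the
    # anonymous ("All Users") rule, leaving only group-based rules in effect.
    if rule.users == "All Users":
        return not require_auth
    return rule.users in client.groups


def proxy_request(client: Client, rules: List[Rule], require_auth: bool) -> List[LogEntry]:
    """Return the log rows written for one web request, as the thread describes them.

    1. The browser first sends an anonymous request.
    2. If an "All Users" rule is present and authentication is not required,
       the request is allowed at once and only the client IP reaches the log.
    3. Otherwise the proxy asks for credentials (logged anonymously as 407);
       a client that can authenticate resends with its user name, while a
       SecureNAT-only client cannot answer and stays denied.
    Status codes are simplified labels, not ISA's own result codes.
    """
    if not require_auth and any(r.users == "All Users" for r in rules):
        return [(client.ip, 200)]
    entries: List[LogEntry] = [("anonymous", 407)]
    if not client.can_authenticate or client.user is None:
        return entries
    allowed = any(_rule_matches(r, client, require_auth) for r in rules)
    entries.append((client.user, 200 if allowed else 403))
    return entries


def top_web_users(log: List[LogEntry]) -> Dict[str, int]:
    """Aggregate like 'Top Web Users', counting only successful rows so the
    anonymous 407 challenge is not reported beside the real user."""
    return dict(Counter(p for p, status in log if status == 200))


def report(clients: List[Client], rules: List[Rule], require_auth: bool) -> Dict[str, int]:
    log: List[LogEntry] = []
    for c in clients:
        log.extend(proxy_request(c, rules, require_auth))
    return top_web_users(log)


# Constructed scenario: the default SBS rule plus an anonymous rule added for guest laptops.
SBS_RULES = [Rule("SBS Internet Access Rule", "SBS Internet Users"),
             Rule("Guest laptops", "All Users")]
DALE = Client("192.0.2.10", "CONTOSO\\dale", True, {"SBS Internet Users"})
UNIX_BOX = Client("192.0.2.20", None, False)           # SecureNAT only
LAPTOP = Client("192.0.2.30", "LAPTOP\\guest", True)   # not a domain member

if __name__ == "__main__":
    everyone = [DALE, UNIX_BOX, LAPTOP]
    print("anonymous rule present:", report(everyone, SBS_RULES, False))
    print("require all users to authenticate:", report(everyone, SBS_RULES, True))
```

With the anonymous rule in place the report lists only IP addresses, which is the symptom Dale sees; requiring authentication (or removing the "All Users" rule) makes the user name appear and leaves the SecureNAT-only box with nothing but a 407 row.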