I'm looking at some web logs from ISA Server 2004 while working on a forensic case.
It's the first time that I need to look at ISA Server.
So I would like to ask some help on understanding a few things on the log file.
One strange thing I noticed in the log near the intrusion time is that before that point all requests were being directed to the external IPs through port 80, and after that point all requests go to the server containing ISA Server, through port 8080.
Does this mean that from this point on ISA acted as a proxy? If so, are there any options that could trigger such an action automatically, or would it have to be a manual operation?
Thanks in advance.
Hi,
Thanks for your post.
I think you want us to explain why TMG works the way you mentioned.
ISA/TMG has 3 types of client: Web proxy client, Firewall Client (named TMG client in TMG), and SecureNAT client.
You can change the mode according to your requirements.
Web Proxy: This type of client can only support HTTP-based protocols like HTTP, HTTPS, encapsulated FTP, etc. In this mode, ISA/TMG acts as a proxy.
Suppose a client requests a URL; normally the client would send the request on port 80. However, the browser works in proxy mode, so the client browser will encapsulate this request on port 8080 (by default; you can change it) and send it to ISA/TMG rather than to the actual URL. After that, ISA/TMG will send a request for that URL with its own IP as the source.
The web proxy can be configured in the browser. For example (in Internet Explorer):
- In IE, open Tools and click Internet Options
- Select the Connections tab.
- Click LAN Settings
- You can choose to configure the web proxy manually or automatically.
For automatic web proxy configuration, please refer to the link below:
http://technet.microsoft.com/en-us/library/cc995139.aspx
In addition, here is some information about the client types of ISA/TMG:
http://msdn.microsoft.com/en-us/library/ff823915(v=vs.85).aspx
Best Regards
Quan Gu
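As an added illustration for the question above and the explanation in this answer (this is not code from the thread or from Microsoft), the script below reads ISA/TMG-style W3C log lines and reports, per client IP, when its requests stop going directly to external hosts on port 80 and start going to the ISA server on port 8080. The sample log lines, the reduced field list and the ISA server address 10.0.0.1 are constructed assumptions; a real log file's own `#Fields:` header is read as-is by the parser, so only the field names used here (`c-ip`, `date`, `time`, `r-ip`, `r-port`) need to be present.

```python
# Constructed sample in the tab-separated W3C style ISA/TMG writes its logs in.
# The field list is an assumed, reduced subset; the parser below uses whatever
# "#Fields:" line the real file carries, so nothing here is hard-coded to it.
SAMPLE_LOG = """#Software: Microsoft(R) Internet Security and Acceleration Server 2004
#Version: 2.0
#Date: 2006-05-04 00:00:00
#Fields: c-ip\tdate\ttime\tr-ip\tr-port\tcs-uri
10.0.0.5\t2006-05-04\t09:00:01\t93.184.216.34\t80\thttp://example.com/
10.0.0.5\t2006-05-04\t09:05:12\t93.184.216.34\t80\thttp://example.com/a
10.0.0.7\t2006-05-04\t09:06:00\t10.0.0.1\t8080\thttp://example.org/
10.0.0.5\t2006-05-04\t09:31:45\t10.0.0.1\t8080\thttp://example.com/b
10.0.0.5\t2006-05-04\t09:40:00\t10.0.0.1\t8080\thttp://example.net/
"""

PROXY_IP = "10.0.0.1"   # assumed internal address of the ISA server (constructed)
PROXY_PORT = "8080"     # default web proxy listener port, as stated in the thread


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            # The header defines the column order; later headers override earlier ones.
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("data line before any #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            continue  # skip truncated or malformed lines rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def classify(rec, proxy_ip=PROXY_IP, proxy_port=PROXY_PORT):
    """'proxy' if the request went to the ISA listener, 'direct' for plain port 80."""
    if rec["r-ip"] == proxy_ip and rec["r-port"] == proxy_port:
        return "proxy"
    if rec["r-port"] == "80":
        return "direct"
    return "other"


def mode_counts(records, proxy_ip=PROXY_IP, proxy_port=PROXY_PORT):
    """Per client IP, how many requests fell into each mode."""
    counts = {}
    for r in records:
        mode = classify(r, proxy_ip, proxy_port)
        counts.setdefault(r["c-ip"], {}).setdefault(mode, 0)
        counts[r["c-ip"]][mode] += 1
    return counts


def find_mode_switches(records, proxy_ip=PROXY_IP, proxy_port=PROXY_PORT):
    """Return {client_ip: (last direct timestamp, first proxied timestamp)} for
    clients whose traffic changed from direct port-80 requests to proxied ones."""
    ordered = sorted(records, key=lambda r: (r["date"], r["time"]))
    last_mode, last_direct, switches = {}, {}, {}
    for r in ordered:
        ip = r["c-ip"]
        mode = classify(r, proxy_ip, proxy_port)
        if mode == "other":
            continue
        ts = f"{r['date']} {r['time']}"
        if mode == "direct":
            last_direct[ip] = ts
        elif last_mode.get(ip) == "direct" and ip not in switches:
            # First proxied request after a run of direct ones: the transition window.
            switches[ip] = (last_direct[ip], ts)
        last_mode[ip] = mode
    return switches


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for ip, (last_direct_ts, first_proxy_ts) in find_mode_switches(recs).items():
        print(f"{ip}: last direct port-80 request at {last_direct_ts}, "
              f"first request via {PROXY_IP}:{PROXY_PORT} at {first_proxy_ts}")
```

The pair of timestamps the script reports is the window in which the client's proxy configuration changed, which is what to correlate with client-side evidence (a manual change to the browser's LAN settings, or an automatic configuration script being picked up) to decide between the manual and automatic cases the question asks about.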
Hi,
Thanks for your answer.
I understand the concept of a proxy server without problems. But the configuration to use a proxy must be done on the clients, right?
What I need to understand is why in the logs, up to a point, I see one IP always going directly to the websites on port 80, and after that point it goes through the ISA Server computer on port 8080. What can cause this change? Would it have to be changed manually, or could it be some auto config?
Regards.
Hi,
As far as I know, if you are a web proxy client, all the HTTP-based traffic should be sent to TMG on port 8080. When you want to deploy a web proxy client normally, you need to configure both the TMG and the client side.
For the client side, you can refer to the link I provided before.
For the TMG side:
1. Click "Network" on the right
2. Double-click the "Internal" network
3. Select "Web proxy" and enable it
Best Regards
Quan Gu