I am trying to discover unauthorized web browsing on a network that has an ISA server. When I examine the logs it shows the unauthorized web sites being access, but the client address is always showing the ISA server and not the actual user. Is there a better way to scan network?

Interesting.

I met the scenarios same to you a few days before.
They can not access the web server through the ISA server.

And I've checked the entire communication process.

The ISA server access the web server with http (tcp port 80), and download the web information.
The clients access the ISA proxy with http services on TCP port 8380 rather than port 80, and see the downloaded web context.

see below:


clientA
clientB ------http1----> (8380)ISA-------http2------>(port 80) web server
clientC


You will not be able to find out who the client is unless you can capture the http1 communication on the left side of ISA server.
As what you described, you got the http2 process on the right side. In this case, http2 just can not work out.

The only solution is to get the http1. Try it if possible.


Thanks for asking.