Monitoring network with ISA server

Discussion in 'Capsa Network Analyzer' started by rivars, Jan 7, 2009.

Thread Status:
Not open for further replies.
  1. rivars

    rivars Registered Member

    Jan 7, 2009
    Little Rock, Arkansas
    I am trying to discover unauthorized web browsing on a network that has an ISA server. When I examine the logs it shows the unauthorized web sites being access, but the client address is always showing the ISA server and not the actual user. Is there a better way to scan network?
  2. Nelson

    Nelson Registered Member

    May 26, 2005

    I met the scenarios same to you a few days before.
    They can not access the web server through the ISA server.

    And I've checked the entire communication process.

    The ISA server access the web server with http (tcp port 80), and download the web information.
    The clients access the ISA proxy with http services on TCP port 8380 rather than port 80, and see the downloaded web context.

    see below:

    clientB ------http1----> (8380)ISA-------http2------>(port 80) web server

    You will not be able to find out who the client is unless you can capture the http1 communication on the left side of ISA server.
    As what you described, you got the http2 process on the right side. In this case, http2 just can not work out.

    The only solution is to get the http1. Try it if possible.

    Thanks for asking.
Thread Status:
Not open for further replies.