Monitoring network with ISA server

Discussion in 'Capsa Network Analyzer' started by rivars, Jan 7, 2009.

Thread Status:
Not open for further replies.
  1. rivars
    I am trying to discover unauthorized web browsing on a network that has an ISA server. When I examine the logs, they show the unauthorized web sites being accessed, but the client address always shows the ISA server and not the actual user. Is there a better way to scan the network?
     
  2. Nelson
    Interesting.

    I met the same scenario as you a few days ago.
    They cannot access the web server through the ISA server.

    And I've checked the entire communication process.

    The ISA server accesses the web server with HTTP (TCP port 80) and downloads the web information.
    The clients access the ISA proxy with HTTP services on TCP port 8380 rather than port 80, and see the downloaded web content.

    See below:


    clientA
    clientB ------http1----> (8380)ISA-------http2------>(port 80) web server
    clientC


    You will not be able to find out who the client is unless you can capture the http1 communication on the left side of the ISA server.
    As you described, you got the http2 process on the right side. In this case, http2 just cannot work out.

    The only solution is to get the http1. Try it if possible.


    Thanks for asking.
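
Added example, not part of the original posts: a sketch of attributing proxied requests to clients from traffic captured on the client side of the proxy (the "http1" leg on port 8380 in the reply above). It assumes the capture has already been reduced to (source IP, destination port, payload) records; the sample records, addresses, hostnames and the function names `requested_host` and `clients_for` are constructed for illustration.

```python
import re
from collections import defaultdict

PROXY_PORT = 8380  # proxy listener port mentioned in the thread

# Constructed sample: (client_ip, dst_port, start of TCP payload) as seen on
# the client side of the proxy. All addresses and hostnames are made up.
SAMPLE = [
    ("10.0.0.11", 8380, b"GET http://news.example/index.html HTTP/1.1\r\nHost: news.example\r\n\r\n"),
    ("10.0.0.12", 8380, b"CONNECT games.example:443 HTTP/1.1\r\nHost: games.example:443\r\n\r\n"),
    ("10.0.0.12", 8380, b"GET /status HTTP/1.1\r\nHost: Intranet.example\r\n\r\n"),
    ("10.0.0.13", 8380, b"\x16\x03\x01\x02\x00"),  # not an HTTP request
    ("10.0.0.11", 445, b"GET http://games.example/ HTTP/1.1\r\n\r\n"),  # not the proxy port
]

REQ_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")

def requested_host(payload):
    """Return the lowercase host named in a proxy request, or None."""
    head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    m = REQ_LINE.match(head[0])
    if not m:
        return None
    method, target = m.group(1), m.group(2).decode("latin-1")
    if method == b"CONNECT":            # HTTPS tunnel: target is host:port
        host = target
    elif "://" in target:               # proxy-style absolute URI
        host = target.split("://", 1)[1].split("/", 1)[0]
    else:                               # origin-form: fall back to Host header
        hosts = [l.partition(b":")[2].strip().decode("latin-1")
                 for l in head[1:] if l.partition(b":")[0].strip().lower() == b"host"]
        if not hosts:
            return None
        host = hosts[0]
    host = host.rsplit("@", 1)[-1]      # drop any userinfo
    return re.sub(r":\d+$", "", host).lower()

def clients_for(records, watched):
    """Map each watched host to the sorted client IPs that requested it."""
    hits = defaultdict(set)
    for src, dport, payload in records:
        if dport != PROXY_PORT:
            continue
        host = requested_host(payload)
        if host in watched:
            hits[host].add(src)
    return {h: sorted(ips) for h, ips in hits.items()}

if __name__ == "__main__":
    print(clients_for(SAMPLE, {"games.example", "intranet.example"}))
```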
     