On the ISA - Monitoring -  Session tab I see our internal clients as Secure NAT, Web Proxy and Firewall Client - identified with their IP addresses. All on the Internal Network - under the Source Network column.

 

But watching the tab over a period of time I see some other IP addresses defined under the Source Network as External. The Session Types are Secure NAT.

Some are displayed briefly and some are there for a while.

If I do an IP search for some of those with spamhaus.org I'm being informed that they are on some of the block lists.!

 

Is this something to worry about - are someone getting inside my network w/o me knowing - what can - or should - I do about this?

 

I'm not that proficient in going "behind the scenes" - so now I'm considering having M&M to login to my server to check if it's being abused.

OK maybe it will help to rephrase my question:

When viewing the sessions tab in ISA - am I supposed to see ONLY internal users and internal IP addresses there..?

Henri,

 

If you server is properly configured and you do not allow anonymous sessions on your web proxy I guess those IP addresses you see are trying to logon to your server using OWA. What ports do you see those connections?

 

When I installed the server I followed every step without altering anything - as far as I am aware of.

It is an all port scan - and ISA does not specify which port(s).

 

I am not really sure if anonymous access is enabled or not..? (the only user who needs access from outside the network is myself)

Would it be disabled by default at installation..?

Where do I check if it is enabled..?

If it is enabled - which steps do I need to perform to disable it..?

 

 

Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 14147
Date: 2008 05 04
Time: 19:36:22
User: N/A
Computer: XXXXX

Description: ISA Server detected routes through the network adapter Server Local Area Connection that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 192.168.16.11-192.168.16.11;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

 

Event Type: Warning
Event Source: Microsoft ISA Server Web Proxy
Event Category: None
Event ID: 23002
Date: 2008 05 04
Time: 19:23:32
User: N/A
Computer: XXXXX

Description: ISA Server was unable to decompress a response body from /DSS/Query?Type=Domain&Name=www.xxxxxxxx.com because the response was compressed by the UTF-8 method, which is not supported by ISA Server. This happens when a Web server is configured to supply responses compressed by the UTF-8 method regardless of the type of compression requested.
If you want ISA Server to block such responses, configure the policy rule's HTTP policy to block the Content-Encoding header in responses. Otherwise, such responses will be forwarded without decompression to the client and can be cached.
You can cancel or reduce the frequency of the alert generated by this event in ISA Server Management.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Hi Henri,

 

Is that IP that is listed at the first error by any change a VPN DHCP client? For the second error: EventID.Net:

http://www.eventid.net/display.asp?eventid=23002&eventno=7824&source=Microsoft ISA Server Web Proxy&phase=1

Marina,
It is our internal printer IP.

Krgds

Henri

Hi Henri,

 

Did you add the complete internal network range in ISA, network? Did you have a look at the other error for which I gave you a link?

Internal network in ISA shows the full range - yes. This is what was specified by the default installation.

 

I had a look at the link you supplied - but it still leaves me "in the blind" - I have no clue what to do about it.

 

I have finally decided to do a complete re-format and install the server from scratch - and this was done yesterday.

First thing I checked was monitoring the Session tab in ISA - and guess what: there are already external secureNAT sessions on and off..!

 

On our router I have disabled all ports except 25, 123 and 443.

Also port 80 is open but this is for our web-server which is outside the SBS network on its own network card.

I really don't see what the problem is:

Thanks Mariette - this was exactly the answers (explanations) I was looking for