Getting User Names in ISA Firewall Logs and Reports
A question that’s come up time and time again on the ISAserver.org Web boards and mailing list is "how do I get user names to appear in the ISA firewall’s logs and reports?"
The answer is very simple: configure your clients as Web proxy and Firewall clients.
User names will not appear in the ISA firewall’s logs and reports when you configure the client systems as only SecureNAT clients. The reason is that there must be some mechanism in place for the client to send user name information to the ISA firewall. The SecureNAT client is just a network layer client to the ISA firewall, and there are no provisions (or fields, if you prefer) in the layer 1-4 headers for user information. It’s easy to conclude, then, that a machine configured as only a SecureNAT client cannot send user information to the ISA firewall for use in logs and reports.
Be aware that this isn’t an ISA firewall issue. All firewalls must live in the real world of the TCP/IP protocol stack -- there is no magic that will somehow let a network layer client miraculously send user information without bringing additional application components into play.
The Firewall client is a generic Winsock proxy that accepts network calls from Winsock applications on the client system and forwards them to the ISA firewall. During the forwarding process, the Firewall client on the client system also sends the user name of the user logged onto the Firewall client enabled machine to the ISA firewall (the Firewall client also forwards the application name used by the user and that is also logged). In addition to providing user and application information to the ISA firewall, the Firewall client works with the ISA firewall’s Firewall service to negotiate complex protocols that require secondary inbound and/or outbound connections.
The Web proxy client is not a separate piece of software installed on the client operating system. Like the SecureNAT client, no software needs to be installed on the Web proxy system. A Web proxy client is a machine that has its browser configured to be a Web proxy client. The configuration varies with the type of Web browser, but for Internet Explorer it’s done in a dialog box like that seen below.
If you’ve chosen to make your ISA firewall array part of the domain, then you’ll benefit from transparent integrated authentication with the ISA firewall. That is to say, users will not need to enter credentials to authenticate with the ISA firewall, since they are sent transparently. However, if you’ve been duped into not joining your ISA firewalls to the domain, then users will need to explicitly enter their credentials -- which slows down work and increases user dissatisfaction without any measurable security benefit.
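To find the machines that are still reaching the firewall without a user name, you can tally the user name field per client IP in an exported log. The script below is an added example, not part of the original article or of ISA Server itself. It assumes a tab-separated W3C extended log whose `#Fields` line includes `c-ip` and `cs-username`, and that entries without a user carry `anonymous` or `-`; the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample, tab-separated W3C extended format. The field names and
# the "anonymous" placeholder are assumptions: check your own #Fields line.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tcs-username\tc-agent\tdate\ttime\tr-host",
    "10.0.0.21\tCORP\\alice\tMozilla/4.0\t2006-03-01\t09:00:01\twww.example.com",
    "10.0.0.21\tCORP\\alice\tMozilla/4.0\t2006-03-01\t09:00:07\twww.example.com",
    "10.0.0.22\tanonymous\tMozilla/4.0\t2006-03-01\t09:01:12\twww.example.org",
    "10.0.0.22\tanonymous\t-\t2006-03-01\t09:01:40\tmail.example.org",
    "10.0.0.23\tanonymous\tMozilla/4.0\t2006-03-01\t09:02:03\twww.example.net",
    "10.0.0.23\tCORP\\bob\tMozilla/4.0\t2006-03-01\t09:02:04\twww.example.net",
    "10.0.0.24\t-\t-\t2006-03-01\t09:03:30\tftp.example.com",
])

NO_USER = {"", "-", "anonymous"}  # values treated as "no user name logged"

def parse_w3c(text):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif fields and line.strip() and not line.startswith("#"):
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def user_coverage(text, ip_field="c-ip", user_field="cs-username"):
    """Per client IP: entries with and without a user name, and the names seen."""
    stats = defaultdict(lambda: {"named": 0, "unnamed": 0, "users": set()})
    for rec in parse_w3c(text):
        user = rec.get(user_field, "").strip()
        entry = stats[rec.get(ip_field, "?")]
        if user.lower() in NO_USER:
            entry["unnamed"] += 1
        else:
            entry["named"] += 1
            entry["users"].add(user)
    return dict(stats)

def clients_without_user(text):
    """Client IPs that never logged a user name: candidates still set up as SecureNAT only."""
    return sorted(ip for ip, s in user_coverage(text).items() if s["named"] == 0)

if __name__ == "__main__":
    print("No user name logged:", clients_without_user(SAMPLE_LOG))
```

A client that shows both named and unnamed entries is sending user information on at least some connections; only the addresses with no named entries at all need their client configuration checked.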
Thomas W Shinder, M.D.
MVP -- ISA Firewalls