Hello forum, I have to decommission a few ISA servers because our project team implemented TMG in our environment. The ISA version is 2004 and traffic logging is done on a different box running SQL 2005. This means that all server, service/application or
user generated traffic first hits the ISA boxes and the data is logged in SQL Server. I ran a query on the SQL box to see if there are servers or applications still accessing the old ISA servers and found that many are still using that route. The query I ran is:
-- last time each client (user or machine account) was seen on the old ISA proxies
SELECT ClientUserName, MAX(logTime) AS TimeStamp
FROM WebProxyLog
WHERE logTime > '2014-03-04'
GROUP BY ClientUserName
The outcome is a list of servers and users accessing the old ISA servers, please see below:
clientusername | TimeStamp |
Domain\USER1 | 12/03/2014 9:42 |
Domain\USER2 | 10/03/2014 8:29 |
Domain\SERVER1$ | 12/03/2014 6:33 |
Domain\SERVER2$ | 7/03/2014 23:05 |
Domain\SERVER3$ | 7/03/2014 23:09 |
Domain\SERVER4$ | 7/03/2014 22:18 |
Domain\SERVER10$ | 12/03/2014 0:15 |
Domain\SERVER12$ | 6/03/2014 13:00 |
Domain\SERVER21$ | 9/03/2014 15:05 |
Domain\USER46$ | 6/03/2014 7:17 |
Domain\SERVER22$ | 5/03/2014 17:25 |
Domain\SERVER73$ | 12/03/2014 9:11 |
Domain\SERVER14$ | 5/03/2014 17:31 |
So I logged on to a few servers to check proxy settings. The server list comprises Windows 2003 and 2008 R2 boxes. On a handful of servers I found a proxy under IE settings, but on others I didn't find any proxy settings (under IE). Then I tried proxycfg.exe
(pre-2008) and netsh winhttp show proxy (post-2008), but I got the following results, please see below.
C:\>proxycfg
Microsoft (R) WinHTTP Default Proxy Configuration Tool
Copyright (c) Microsoft Corporation. All rights reserved.
Current WinHTTP proxy settings under:
HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :
Direct access (no proxy server).
C:\>netsh winhttp show proxy
Current WinHTTP proxy settings:
Direct access (no proxy server).
I have also looked at the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings but found nothing of relevance. I checked IE settings and found no proxy configuration. I know that these boxes are still using the old proxy servers because they show up when I query the ISA logs.
I tried a few network sniffing tools, but the trouble is that those servers and applications/users are not accessing the server all the time. How can I verify what data is being passed through ISA? I have the date and time but not the reason. How can I check which application or service is using the proxy and on which port? Thanks again.
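The IE and WinHTTP settings only cover applications that use those two proxy stacks; a service with its own hard-coded proxy (a Java or .NET application config, a scheduled job, a monitoring agent) will show up in the ISA logs without ever touching those registry keys. One way to attribute the intermittent connections the post describes is to watch the local TCP table from the server itself and record the owning process whenever a connection to an ISA address appears. The script below is an added example, not code from the original post or from Microsoft: it polls netstat -ano, keeps only connections whose remote endpoint is one of the old proxies, resolves the PID to a process name, image path and any services hosted in that PID, and appends each new connection to a CSV that can be matched against the logTime values from the ISA query. The proxy addresses, port, output path and polling interval are placeholders; it assumes PowerShell 2.0 or later (which must be installed separately on Windows 2003) and an elevated session so netstat can report PIDs.

```powershell
# Added example: log which local process talks to the old ISA proxies.
# Assumptions (not from the original post): PowerShell 2.0+, run elevated,
# $ProxyEndpoints holds your real ISA IP:port pairs (placeholders below).
param(
    [string[]] $ProxyEndpoints = @('10.0.0.10:8080', '10.0.0.11:8080'), # assumed ISA addresses
    [string]   $OutFile        = 'C:\Temp\proxy-callers.csv',           # assumed output path
    [int]      $IntervalSec    = 2,
    [int]      $DurationMin    = 60
)

# Resolve a PID to its process name, image path and hosted services (svchost can
# hold several services; Win32_Service.ProcessId tells us which ones).
function Get-OwnerInfo([int] $ProcId) {
    $proc = Get-Process -Id $ProcId -ErrorAction SilentlyContinue
    $name = 'unknown'; $path = ''
    if ($proc) {
        $name = $proc.ProcessName
        try { $path = $proc.Path } catch { $path = '' }   # protected processes deny Path
    }
    $svcs = Get-WmiObject Win32_Service -Filter "ProcessId = $ProcId" -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Name }
    New-Object PSObject -Property @{
        ProcessName = $name
        Path        = $path
        Services    = ($svcs -join ';')
    }
}

# Parse one 'TCP local remote state pid' line from netstat -ano; $null if it is not a TCP row.
function ConvertFrom-NetstatLine([string] $Line) {
    if ($Line -notmatch '^\s*TCP\s') { return $null }
    $f = $Line -split '\s+' | Where-Object { $_ -ne '' }
    if ($f.Count -lt 5) { return $null }
    New-Object PSObject -Property @{
        Local  = $f[1]
        Remote = $f[2]
        State  = $f[3]
        PID    = [int] $f[4]
    }
}

if (-not (Test-Path $OutFile)) {
    '"Time","ProcessId","ProcessName","Path","Services","LocalEndpoint","RemoteEndpoint","State"' |
        Out-File -FilePath $OutFile -Encoding ASCII
}

$seen = @{}    # pid|local|remote -> first time observed, so a long-lived connection is logged once
$end  = (Get-Date).AddMinutes($DurationMin)

while ((Get-Date) -lt $end) {
    foreach ($raw in (netstat -ano)) {
        $c = ConvertFrom-NetstatLine $raw
        if (-not $c) { continue }
        if ($ProxyEndpoints -notcontains $c.Remote) { continue }
        $key = '{0}|{1}|{2}' -f $c.PID, $c.Local, $c.Remote
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = Get-Date

        $o   = Get-OwnerInfo $c.PID
        $row = '"{0}","{1}","{2}","{3}","{4}","{5}","{6}","{7}"' -f (Get-Date -Format 's'), $c.PID,
               $o.ProcessName, $o.Path, $o.Services, $c.Local, $c.Remote, $c.State
        Add-Content -Path $OutFile -Value $row
        Write-Host ('{0} (PID {1}) -> {2} {3}' -f $o.ProcessName, $c.PID, $c.Remote, $c.State)
    }
    Start-Sleep -Seconds $IntervalSec
}
```

Run it for a window that covers the times seen in the ISA log for that server (for SERVER2$ above, the late-evening slot around 23:00) and match the CSV's Time column against logTime. A connection that opens and closes between two polls is missed; on 2008 R2 the gap can be closed by enabling Windows Filtering Platform connection auditing (auditpol /set /subcategory:"Filtering Platform Connection" /success:enable), after which Security event 5156 records the application path, destination address and port for every permitted connection. Adding ClientIP, ClientAgent and the destination host and port columns to the SQL query on the log server gives the same answer from the ISA side, since the web proxy log records the user agent and destination of each request.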