Why is the ISA "Destination Host Name" log field empty?

As you pore over your ISA logs looking for new and ever-more-interesting data, you may notice that the "Destination Host Name" field is empty for a great many log entries. This fact is likely to prompt the question: "When is this field populated?"

 

Because of the way traffic is handled for the various ISA clients, there are only two instances where you should expect to see this log field populated:

  1. A Firewall client-enabled application makes a Winsock GetAddrInfo() or GetXbyY-style (GxBy()) call using the hostname or fully qualified domain name (FQDN), and the address is not already cached on the local host.
  2. A Web Proxy client makes an initial request using a hostname or FQDN.

The hostname used by SecureNAT client applications is not logged because ISA never has this information.

 

Also, ISA Server cannot include the hostname for every single log entry, because it's not maintained as part of the connection object (if it's even known; see above). So don't expect to see a destination hostname in every log entry.

 

This behavior is due to the way ISA clients make their requests to and through ISA. The ISA help discusses this, and there is an article series on isaserver.org that goes into greater detail.