You may have noticed that in certain cases, the Client Username field in the ISA firewall log has user names with question marks – (?) – after them:
Who are these questionable users?
These user names appear when you have a policy rule which allows All Users, and a Firewall Client (FWC) computer passes through that rule. Since the ISA policy doesn’t require authentication, ISA doesn’t perform authentication with the client. But During FWC channel establishment, the client computer sends the user name to the ISA computer. ISA knows what name the user claims to have, but ISA never verified it. To convey this situation, the user is displayed with a question mark.
So should you rely on these user names?
- If you’re suspecting malicious action, then you shouldn’t. An attacker can easily forge any user name he wants – he can simply create a local user with the desired name on his own computer, and connect while logged-on as that user.
- If not, then these user names may help. For example, if user X complains about connection problems, then you could look at the ISA log with a “Client username contains X” filter.
P.S. Real, authenticated user names appear with a domain prefix: DOMAIN\username.
ISA Server Sustained Engineering Team