Setting up your ISA Server to allow proper IIS logging is simpler than you think, although it's not what you might have expected to do. Allowing ISA Server to pass the external IP addresses to the IIS log requires just a couple of steps. By default, ISA won't pass the external IP address to the IIS server, so if you want to record the external IP addresses in your IIS log, you'll have to add a couple of rules to ISA Server.
The trick to getting ISA to log external IP addresses to IIS is to add a custom HTTP filter. The default HTTP filter comes with an application rule, WEB PROXY, enabled. That means that when applications try to access your website, the request passes through the ISA server's web proxy, which stamps its own IP address on the IIS log.
Create a new protocol filter, naming it HTTP Custom.

In the Primary Connection Information step, click New.

In the New Protocol Connection window, enter port 80 in the From and To boxes. Click OK.

You should now see your new rule. Click Next until you are finished.
You've just created a new protocol; now you're going to have to add a couple of firewall rules. First, you must put the new protocol definition you just created into use. We're going to do this by creating an access rule that allows traffic from port 80. You're probably wondering why we just set up this rule when we already have an access rule for port 80. The simple answer is that the default rule has an application filter for WEB PROXY; the one we just created doesn't. That means that traffic on port 80 will bypass the WEB PROXY, keeping the addressing pure.
Create a new access rule, and name it something like Custom HTTP Access. Set the Rule Action to Allow.

In the Protocol step, use the drop-down menu to select Selected Protocols. Click Add.

In the window that pops up with the list of protocols, you'll see User Defined. The custom HTTP protocol that we created in the previous section should be in there. Select it. Click Next, and fill out the rest of the information to suit your needs.
Now that we've got our access rule set up, it's time to do something a little counterintuitive. We're going to have to create a rule that blocks HTTP traffic. Specifically, though, we need to create a rule that stops the WEB PROXY from accepting traffic for port 80. Let's begin.
In step 1, create a new access rule and name it something like Block HTTP Proxy. In step 2, set the Rule Action to Deny. In the protocol setup, use the drop-down menu to select Selected Protocols. Click the Add button. In the window that pops up, you should see Web. Expand the list and select HTTP. Add it to the list and close the Network Entries window.

In the New Access Protocol window, you should see Web. Expand it, and under that, you should see HTTP. Add it, click Next, and continue to set up your access rule to your needs.
This part of the rule is going to deny traffic from traveling through the HTTP WEB PROXY, which is what we want. Now, when clients connect on port 80, ISA will pass along the original client's IP address to the IIS log and not the IP address that the ISA server is listening on. Here is what it should look like in the ISA rules list.

Be sure your Deny rule is below your Allow rule.

When you audit your ISA server's traffic, the log type will change from WEB PROXY to Firewall Service, and the connection port of your clients will no longer read 0; there will now be a random source port.
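
To confirm on the IIS side that the change took effect, check the c-ip field of the IIS log. The following is an added example, not part of the original article: it parses a W3C extended format log and reports how many requests are still recorded with the ISA server's own address. The sample log lines and the address 10.0.0.1 (standing in for the ISA server's internal IP) are constructed for illustration.

```python
from collections import Counter

# Constructed sample of an IIS W3C extended log (not from the original article).
# The first block was logged through the web proxy; the second block follows a
# logging change, so its #Fields directive puts c-ip in a different column.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2008-03-01 10:00:01 10.0.0.20 GET /default.htm 80 10.0.0.1 200
2008-03-01 10:00:05 10.0.0.20 GET /logo.gif 80 10.0.0.1 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2008-03-01 11:00:02 203.0.113.45 GET /default.htm 200
2008-03-01 11:00:09 198.51.100.7 GET /about.htm 200
2008-03-01 11:00:11 10.0.0.1 GET /about.htm 200
2008-03-01 11:00:12 truncated-line
"""


def client_ip_counts(log_text):
    """Count requests per c-ip, honouring every #Fields directive in the log."""
    fields = None
    counts = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column layout can change mid-file; always use the latest directive.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        # Skip truncated rows and layouts that do not log the client IP at all.
        if len(values) != len(fields) or "c-ip" not in fields:
            continue
        counts[values[fields.index("c-ip")]] += 1
    return counts


def still_proxied(log_text, isa_internal_ip):
    """Return (requests logged with the ISA address, total parsed requests)."""
    counts = client_ip_counts(log_text)
    return counts[isa_internal_ip], sum(counts.values())


if __name__ == "__main__":
    proxied, total = still_proxied(SAMPLE_LOG, "10.0.0.1")
    print(f"{proxied} of {total} requests still show the ISA server as client")
```

Run it against a log captured after the rule change; requests that still show the ISA server's address as the client are still arriving through the WEB PROXY.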