Why is the ISA "Destination Host Name" log field empty?
As you pore over your ISA logs looking for new and ever-more-interesting data, you may notice that the "Destination Host Name" field is empty for a great many log entries. This fact is likely to prompt the question: "When is this field populated?"
Because of the way traffic is handled for the various ISA clients, there are only two instances where you should expect to see this log field populated:
- A Firewall client-enabled application makes a Winsock GetAddrInfo() or GxBy() call using the hostname or fully qualified domain name (FQDN) and the address is not already cached on the local host.
- A Web Proxy client makes an initial request using hostname or FQDN.
The hostname used by SecureNAT client applications is not logged because ISA never has this information.
Also, ISA Server cannot include the hostname for every single log entry, because it's not maintained as part of the connection object (if it's even known; see above). So don't expect to see a destination hostname in every log entry.
This behavior is due to the way ISA clients make their requests to and through ISA. The ISA help discusses this, and there is an article series on isaserver.org that goes into greater detail.
Comments
Anonymous
January 01, 2003
Yes; where we have a 100 MbpS device operating.
Anonymous
August 21, 2006
Hi Jim,
Nice post! Thanks!
Tom
Anonymous
August 22, 2006
Is this right?
"The ISA help discusses this and there is an article series on isatools.org that goes into greater detail"
These articles you mentioned are on the isaserver.org site, or am I wrong?
regards Marc
Anonymous
August 23, 2006
<oops> - you're right - the articles are indeed on isaserver.org.
..guess which URL I type more often...?
:-p
Anonymous
September 02, 2006
Hi,
this is FAQ, nice post,
Thank you,
Anonymous
May 09, 2007
Hello! Very interesting. Thank you.