http://www.ISAserver.org
-------------------------------------------------------

This is Clear Lake, sorry to hear about the mishap :)

Did you configure the downstream to use a specific account to auth to the upstream?

Have you seen this:
http://www.isaserver.org/tutorials/isaedukit.html

Check out Chapter 7 and the section on Web proxy chaining. It's for ISA Server 2000, but the same principles apply.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> Sent: Tuesday, March 28, 2006 8:47 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: [ISAserver.org Discussion List] Re: webchaining.
>
> Houston,
> We have no joy on the burn.. Repeat.. No joy on the burn.
>
> When I enable authentication on the webproxy tab of the downstream
> proxy, I chose only Integrated Auth (the upstream proxy was set for
> integrated AND basic auth.. Don't flame me on that one.. Web filter we
> use is hokey).
> I not only got prompted by the downstream proxy, but when I went to a
> new site, the upstream proxy prompted me.
>
> Turning the downstream's authentication to basic only, I get prompted to
> authenticate more than once when I pull up a site like www.msn.com
>
> Am I doing something wrong in my procedure?
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> Sent: Tuesday, March 28, 2006 8:41 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: [ISAserver.org Discussion List] Re: webchaining.
>
> So, if I enable authentication at the upstream AND downstream proxies, a
> user won't get prompted to authenticate over and over? I'll give it a shot
> now and let u know what happens.
> If it works, that would give me one way to back track to the original
> IP\User
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Tuesday, March 28, 2006 8:38 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: [ISAserver.org Discussion List] Re: webchaining.
>
> No, it shouldn't. At least it hasn't the last time I tested and deployed
> it.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> > Sent: Tuesday, March 28, 2006 8:26 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: [ISAserver.org Discussion List] Re: webchaining.
> >
> > Correct me if I'm wrong, but won't that cause multiple authentication
> > boxes?
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Tuesday, March 28, 2006 8:18 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: [ISAserver.org Discussion List] Re: webchaining.
> >
> > Here's a Q forya:
> > - why are you only authenticating on the upstream proxy?
> > You should *always* authenticate closest to the user / domain making
> > the request.
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> > Sent: Tuesday, March 28, 2006 5:41 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: [ISAserver.org Discussion List] Re: webchaining.
> >
> > let's take this one step further.
> > on my upstream proxy, i see the logs rolling by, and i see usernames
> > and the IP address of the downstream proxy.
> > ok, so that is what it is.. however, when viewing the monitoring tab
> > on the downstream proxy, I only see 'anonymous' on every session.
> > How could one correlate those 'anonymouses' with the actual user ID in
> > the event that you need to trace back web activity to a user\IPaddress
> > combo?
> > i only have authentication required on the upstream proxy, otherwise,
> > the users get prompted over and over to authenticate to get out to the
> > web.
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Tuesday, March 21, 2006 3:36 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [ISAserver.org Discussion List] Re: webchaining.
> >
> > Hi Mike,
> >
> > Listen here little feller:
> >
> > If the Web Proxy Filter handles the request, then the source IP
> > address will always be the IP address of the ISA firewall.
> >
> > I'll stand by that until I have a chance to test it, or Jim tells me
> > I'm wrong :)
> >
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> > Sent: Tuesday, March 21, 2006 3:18 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [ISAserver.org Discussion List] Re: webchaining.
> >
> > on my upstream proxy, the before the firewall, it's set to Route, not
> > NAT.
> > if it was set to NAT, the upstream proxy's IP was shown.
> > so, i was hoping my downstream would show the client IP
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Tuesday, March 21, 2006 2:58 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [ISAserver.org Discussion List] Re: webchaining.
> >
> > Yep, that is weird.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> > Sent: Tuesday, March 21, 2006 2:40 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [ISAserver.org Discussion List] Re: webchaining.
> >
> > ya know i think it's just odd.
> > right now my upstream proxy sends the client IP to the firewall..
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Tuesday, March 21, 2006 2:22 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [ISAserver.org Discussion List] Re: webchaining.
> >
> > You can't have it both ways.
> > If you want to use the local Web proxy,
> > you must accept the source IP address being that of the downstream ISA
> > firewall.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> > Sent: Tuesday, March 21, 2006 2:18 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [ISAserver.org Discussion List] Re: webchaining.
> >
> > i want them to cache locally, but i want one place to watch the
> > activity
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Tuesday, March 21, 2006 2:11 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [ISAserver.org Discussion List] Re: webchaining.
> >
> > What's the point of having them use the local proxy? Why not just
> > configure the clients to connect directly to the upstream Web proxy
> > and bypass proxy on the destination server? Turn off Web proxy support
> > on the downstream and away you go.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> > Sent: Tuesday, March 21, 2006 2:06 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [ISAserver.org Discussion List] Re: webchaining.
> >
> > so basically i have to setup something to tail what's being
> > entered into the MSDE database as the users hit the web, right?
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Tuesday, March 21, 2006 1:44 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [ISAserver.org Discussion List] Re: webchaining.
> >
> > Yes, but you won't have Web proxy
> > chaining. You need a ROUTE Network Rule and no Web proxy services at
> > the downstream. I.e., no local caching.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> > Sent: Tuesday, March 21, 2006 12:04 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [ISAserver.org Discussion List] Re: webchaining.
> >
> > any way to have it log the IP
> > address of the actual client on the upstream ISA? it would make
> > monitoring the clients so much easier.
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Tuesday, March 21, 2006 11:49 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [ISAserver.org Discussion List] Re: webchaining.
> >
> > Hi Mike,
> >
> > That's expected and what's
> > supposed to happen.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> > Sent: Tuesday, March 21, 2006 11:38 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [ISAserver.org Discussion List] webchaining.
> >
> > Another question.
> >
> > When I watch my logs on
> > the upstream proxy, I see users coming thru with the IP address of the
> > downstream proxy, not of the client they are on.
> >
> > Thoughts?
> >
> > All mail to and from this domain is GFI-scanned.
> >
> > ------------------------------------------------------
> > List Archives: //www.freelists.org/archives/isalist/
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
> > ISA Server Blogs: http://blogs.isaserver.org/
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > Report abuse to listadmin@xxxxxxxxxxxxx
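
Added example, not part of the original thread and not ISA Server code: the question raised above about tying the downstream proxy's 'anonymous' sessions to the usernames logged upstream, worked as a URL-and-time join over two log exports. The record layout, field names, addresses and accounts are constructed assumptions, not ISA Server's log schema; the unmatched and ambiguous rows show where this kind of join stops being reliable when only the upstream proxy authenticates.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample exports; field names and values are assumptions,
# not ISA Server's real log schema.
DOWNSTREAM = [  # downstream proxy: real client IP, user logged as anonymous
    {"time": "2006-03-28 08:41:02", "client_ip": "10.1.1.23", "url": "http://www.msn.com/"},
    {"time": "2006-03-28 08:41:05", "client_ip": "10.1.1.57", "url": "http://www.isaserver.org/"},
    # No upstream record follows this one (e.g. answered from the local cache).
    {"time": "2006-03-28 08:41:09", "client_ip": "10.1.1.23", "url": "http://www.msn.com/"},
    {"time": "2006-03-28 08:41:20", "client_ip": "10.1.1.57", "url": "http://example.com/"},
    {"time": "2006-03-28 08:41:20", "client_ip": "10.1.1.88", "url": "http://example.com/"},
]
UPSTREAM = [  # upstream proxy: username, but source IP is the downstream proxy
    {"time": "2006-03-28 08:41:02", "src_ip": "10.1.1.1", "user": "CORP\\alice", "url": "http://www.msn.com/"},
    {"time": "2006-03-28 08:41:06", "src_ip": "10.1.1.1", "user": "CORP\\bob", "url": "http://www.isaserver.org/"},
    {"time": "2006-03-28 08:41:20", "src_ip": "10.1.1.1", "user": "CORP\\carol", "url": "http://example.com/"},
    {"time": "2006-03-28 08:41:21", "src_ip": "10.1.1.1", "user": "CORP\\dave", "url": "http://example.com/"},
]

def correlate(downstream, upstream, window_s=2):
    """For each downstream entry, list upstream users seen for the same URL within the window."""
    window = timedelta(seconds=window_s)
    results = []
    for d in downstream:
        d_time = datetime.strptime(d["time"], FMT)
        users = sorted({
            u["user"] for u in upstream
            if u["url"] == d["url"]
            and abs(datetime.strptime(u["time"], FMT) - d_time) <= window
        })
        if len(users) == 1:
            verdict = "attributed"   # exactly one candidate user
        elif not users:
            verdict = "unmatched"    # request never reached the upstream proxy
        else:
            verdict = "ambiguous"    # several users hit the same URL at once
        results.append((d["time"], d["client_ip"], verdict, users))
    return results

if __name__ == "__main__":
    for row in correlate(DOWNSTREAM, UPSTREAM):
        print(row)
```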