[isalist] Re: [ISAserver.org Discussion List] Re: webchaining.

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 28 Mar 2006 08:55:51 -0600

http://www.ISAserver.org
-------------------------------------------------------

This is Clear Lake, sorry to hear about the mishap :)

Did you configure the downstream to use a specific account to auth to
the upstream?

Have you seen this: http://www.isaserver.org/tutorials/isaedukit.html

Check out Chapter 7 and the section on Web proxy chaining. It's for ISA
Server 2000, but the same principles apply.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> Sent: Tuesday, March 28, 2006 8:47 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: [ISAserver.org Discussion List] Re: 
> webchaining.
> 
> Houston,
> We have no joy on the burn.. Repeat.. No joy on the burn.
> 
> When I enable authentication on the webproxy tab of the downstream
> proxy, I chose only Integrated Auth (the upstream proxy was set for
> integrated AND basic auth.. Don't flame me on that one.. Web filter we
> use is hokey).
> I not only got prompted by the downstream proxy, but when I went to a
> new site, the upstream proxy prompted me.
> 
> Turning the downstream's authentication to basic only, I get prompted to
> authenticate more than once when I pull up a site like www.msn.com
> 
> Am I doing something wrong in my procedure? 
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Michael Ross
> Sent: Tuesday, March 28, 2006 8:41 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: [ISAserver.org Discussion List] Re: 
> webchaining.
> 
> So, if I enable authentication at the upstream AND downstream proxies, a
> user won't get prompted to authenticate over and over? I'll give it a shot
> now and let you know what happens.
> If it works, that would give me one way to backtrack to the original
> IP\User
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Tuesday, March 28, 2006 8:38 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: [ISAserver.org Discussion List] Re: 
> webchaining.
> 
> No, it shouldn't. At least it hasn't the last time I tested and deployed
> it.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> > Sent: Tuesday, March 28, 2006 8:26 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: [ISAserver.org Discussion List] Re: 
> > webchaining.
> > 
> > Correct me if I'm wrong, but won't that cause multiple authentication
> > boxes?
> >  
> > 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: Tuesday, March 28, 2006 8:18 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: [ISAserver.org Discussion List] Re: 
> > webchaining.
> > 
> > Here's a Q forya:
> > - why are you only authenticating on the upstream proxy?
> > You should *always* authenticate closest to the user / domain making
> > the request.
> > 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Michael Ross
> > Sent: Tuesday, March 28, 2006 5:41 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: [ISAserver.org Discussion List] Re: 
> > webchaining.
> > 
> > Let's take this one step further.
> > On my upstream proxy, I see the logs rolling by, and I see usernames
> > and the IP address of the downstream proxy.
> > OK, so that is what it is.. however, when viewing the monitoring tab
> > on the downstream proxy, I only see 'anonymous' on every session.
> > How could one correlate those 'anonymouses' with the actual user ID in
> > the event that you need to trace back web activity to a user\IPaddress
> > combo?
> > I only have authentication required on the upstream proxy, otherwise,
> > the users get prompted over and over to authenticate to get out to the
> > web.
> > 
> > ________________________________
> > 
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thomas W Shinder
> > Sent: Tuesday, March 21, 2006 3:36 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [ISAserver.org Discussion List] Re: webchaining.
> > 
> > 
> > Hi Mike,
> >  
> > Listen here little feller:
> >  
> > If the Web Proxy Filter handles the request, then the source IP 
> > address will always be the IP address of the ISA firewall.
> >  
> > I'll stand by that until I have a chance to test it, or Jim tells me
> > I'm wrong :)
> >  
> > Tom
> >  
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> > 
> > ________________________________
> > 
> >     From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> >     Sent: Tuesday, March 21, 2006 3:18 PM
> >     To: isalist@xxxxxxxxxxxxx
> >     Subject: [ISAserver.org Discussion List] Re: webchaining.
> >     
> >     
> >     On my upstream proxy, the before the firewall, it's set to Route, not NAT.
> >     If it was set to NAT, the upstream proxy's IP was shown.
> >     So, I was hoping my downstream would show the client IP
> > 
> > ________________________________
> > 
> >     From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> >     Sent: Tuesday, March 21, 2006 2:58 PM
> >     To: isalist@xxxxxxxxxxxxx
> >     Subject: [ISAserver.org Discussion List] Re: webchaining.
> >     
> >     
> >     Yep, that is weird.
> >      
> >     Thomas W Shinder, M.D.
> >     Site: www.isaserver.org <http://www.isaserver.org/> 
> >     Blog: http://blogs.isaserver.org/shinder/
> >     Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
> >     MVP -- ISA Firewalls
> > 
> >      
> > 
> > 
> > ________________________________
> > 
> >             From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> >             Sent: Tuesday, March 21, 2006 2:40 PM
> >             To: isalist@xxxxxxxxxxxxx
> >             Subject: [ISAserver.org Discussion List] Re:
> > webchaining.
> >             
> >             
> >             Ya know, I think it's just odd.
> >             Right now my upstream proxy sends the client IP to the firewall..
> > 
> > ________________________________
> > 
> >             From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> >             Sent: Tuesday, March 21, 2006 2:22 PM
> >             To: isalist@xxxxxxxxxxxxx
> >             Subject: [ISAserver.org Discussion List] Re:
> > webchaining.
> >             
> >             
> >             You can't have it both ways. If you want to use the local Web proxy,
> >             you must accept the source IP address being that of the downstream ISA
> >             firewall.
> >              
> >             Thomas W Shinder, M.D.
> >             Site: www.isaserver.org <http://www.isaserver.org/> 
> >             Blog: http://blogs.isaserver.org/shinder/
> >             Book: http://tinyurl.com/3xqb7
> > <http://tinyurl.com/3xqb7> 
> >             MVP -- ISA Firewalls
> > 
> >              
> > 
> > 
> > ________________________________
> > 
> >                     From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> >                     Sent: Tuesday, March 21, 2006 2:18 PM
> >                     To: isalist@xxxxxxxxxxxxx
> >                     Subject: [ISAserver.org Discussion List] Re:
> > webchaining.
> >                     
> >                     
> >                     I want them to cache locally, but I want one place to watch the
> >                     activity
> > 
> > ________________________________
> > 
> >                     From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> >                     Sent: Tuesday, March 21, 2006 2:11 PM
> >                     To: isalist@xxxxxxxxxxxxx
> >                     Subject: [ISAserver.org Discussion List] Re:
> > webchaining.
> >                     
> >                     
> >                     What's the point of having them use the local proxy? Why not just
> >                     configure the clients to connect directly to the upstream Web proxy
> >                     and bypass proxy on the destination server? Turn off Web proxy support
> >                     on the downstream and away you go.
> >                      
> >                     Thomas W Shinder, M.D.
> >                     Site: www.isaserver.org
> > <http://www.isaserver.org/> 
> >                     Blog: http://blogs.isaserver.org/shinder/
> >                     Book: http://tinyurl.com/3xqb7
> > <http://tinyurl.com/3xqb7> 
> >                     MVP -- ISA Firewalls
> > 
> >                      
> > 
> > 
> > ________________________________
> > 
> >                             From: isalist-bounce@xxxxxxxxxxxxx 
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> >                             Sent: Tuesday, March 21, 2006 2:06 PM
> >                             To: isalist@xxxxxxxxxxxxx
> >                             Subject: [ISAserver.org Discussion List]
> > Re: webchaining.
> >                             
> >                             
> >                             So basically I have to set up something to tail what's being
> >                             entered into the MSDE database as the users hit the web, right?
> > 
> > ________________________________
> > 
> >                             From: isalist-bounce@xxxxxxxxxxxxx 
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> >                             Sent: Tuesday, March 21, 2006 1:44 PM
> >                             To: isalist@xxxxxxxxxxxxx
> >                             Subject: [ISAserver.org Discussion List]
> > Re: webchaining.
> >                             
> >                             
> >                             Yes, but you won't have Web proxy chaining. You need a ROUTE
> >                             Network Rule and no Web proxy services at the downstream.
> >                             I.e., no local caching.
> >                              
> >                             Thomas W Shinder, M.D.
> >                             Site: www.isaserver.org
> > <http://www.isaserver.org/> 
> >                             Blog:
> > http://blogs.isaserver.org/shinder/
> >                             Book: http://tinyurl.com/3xqb7
> > <http://tinyurl.com/3xqb7> 
> >                             MVP -- ISA Firewalls
> > 
> >                              
> > 
> > 
> > ________________________________
> > 
> >                                     From: isalist-bounce@xxxxxxxxxxxxx
> >                                     [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> >                                     Sent: Tuesday, March 21, 2006 12:04 PM
> >                                     To: isalist@xxxxxxxxxxxxx
> >                                     Subject: [ISAserver.org Discussion List] Re: webchaining.
> >
> >
> >                                     Any way to have it log the IP address of the actual client
> >                                     on the upstream ISA? It would make monitoring the clients
> >                                     so much easier.
> > 
> > ________________________________
> > 
> >                                     From: isalist-bounce@xxxxxxxxxxxxx
> >                                     [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> >                                     Sent: Tuesday, March 21, 2006 11:49 AM
> >                                     To: isalist@xxxxxxxxxxxxx
> >                                     Subject: [ISAserver.org Discussion List] Re: webchaining.
> >
> >
> >                                     Hi Mike,
> >
> >                                     That's expected and what's supposed to happen.
> >                                      
> >                                     Thomas W Shinder, M.D.
> >                                     Site: www.isaserver.org
> > <http://www.isaserver.org/> 
> >                                     Blog:
> > http://blogs.isaserver.org/shinder/
> >                                     Book: http://tinyurl.com/3xqb7
> > <http://tinyurl.com/3xqb7> 
> >                                     MVP -- ISA Firewalls
> > 
> >                                      
> > 
> > 
> > ________________________________
> > 
> >                                             From: isalist-bounce@xxxxxxxxxxxxx
> >                                             [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> >                                             Sent: Tuesday, March 21, 2006 11:38 AM
> >                                             To: isalist@xxxxxxxxxxxxx
> >                                             Subject: [ISAserver.org Discussion List] webchaining.
> >
> >
> >                                             Another question.
> >
> >                                             When I watch my logs on the upstream proxy, I see users coming thru
> >                                             with the IP address of the downstream proxy, not of the client they
> >                                             are on.
> >
> >                                             Thoughts?
> > 
> > 
> > All mail to and from this domain is GFI-scanned.
> > 
> > ------------------------------------------------------
> > List Archives: //www.freelists.org/archives/isalist/
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server Articles and Tutorials:
> > http://www.isaserver.org/articles_tutorials/
> > ISA Server Blogs: http://blogs.isaserver.org/
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > Report abuse to listadmin@xxxxxxxxxxxxx
> > 
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
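
An added example, not part of the original thread: when only the upstream proxy authenticates, the correlation question raised in the quoted messages can be approached by joining the two proxies' logs on URL and time. The record layout, the 2-second window, the addresses and the user names are constructed assumptions, not ISA Server's log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records in a simplified, hypothetical layout
# (timestamp, source IP, user, URL); this is not ISA Server's log schema.
PROXY_IP = "10.0.0.1"  # assumed address of the downstream proxy
DOWNSTREAM = [  # downstream view: real client IP, user is always 'anonymous'
    ("2006-03-28 08:41:02", "192.168.1.23", "anonymous", "http://www.msn.com/"),
    ("2006-03-28 08:41:05", "192.168.1.40", "anonymous", "http://example.org/a"),
    ("2006-03-28 08:41:05", "192.168.1.41", "anonymous", "http://example.org/a"),
    ("2006-03-28 08:41:09", "192.168.1.23", "anonymous", "http://example.org/b"),
]
UPSTREAM = [  # upstream view: real user, source is the downstream proxy
    ("2006-03-28 08:41:02", PROXY_IP, "CORP\\alice", "http://www.msn.com/"),
    ("2006-03-28 08:41:06", PROXY_IP, "CORP\\bob", "http://example.org/a"),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def correlate(downstream, upstream, proxy_ip, window=timedelta(seconds=2)):
    """Return (client_ip, url, user_or_None, status) for each downstream record."""
    out = []
    for d_time, client, _anon, url in downstream:
        t = _ts(d_time)
        # Users the upstream logged for this URL, from our proxy, just after t.
        users = {user for u_time, src, user, u_url in upstream
                 if src == proxy_ip and u_url == url
                 and timedelta(0) <= _ts(u_time) - t <= window}
        # Other clients that asked the downstream for the same URL in the window.
        rivals = {c for o_time, c, _a, o_url in downstream
                  if o_url == url and c != client and abs(_ts(o_time) - t) <= window}
        if not users:
            out.append((client, url, None, "unmatched"))  # e.g. served from local cache
        elif len(users) > 1 or rivals:
            out.append((client, url, None, "ambiguous"))  # do not guess an identity
        else:
            out.append((client, url, users.pop(), "matched"))
    return out


if __name__ == "__main__":
    for row in correlate(DOWNSTREAM, UPSTREAM, PROXY_IP):
        print(row)
```

Requests the downstream answers from its own cache never reach the upstream and stay unmatched, and simultaneous requests for one URL stay ambiguous, so this kind of join is a best-effort trace; logging an authenticated user at the downstream removes the guesswork.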
