[isalist] Re: [ISAserver.org Discussion List] Re: webchaining.
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Tue, 28 Mar 2006 07:06:57 -0800
http://www.ISAserver.org
-------------------------------------------------------
Not if you disable auth at the upstream *or* you limit it to web
chaining credentials at the downstream proxy.
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Michael Ross
Sent: Tuesday, March 28, 2006 6:26 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: [ISAserver.org Discussion List] Re: webchaining.
http://www.ISAserver.org
-------------------------------------------------------
Correct me if im wrong, but wont that cause multiple authentication
boxes?
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Tuesday, March 28, 2006 8:18 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: [ISAserver.org Discussion List] Re: webchaining.
http://www.ISAserver.org
-------------------------------------------------------
Here's a Q forya:
- why are you only authenticating on the upstream proxy?
You should *always* authenticate closest to the user / domain making the
request.
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Michael Ross
Sent: Tuesday, March 28, 2006 5:41 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: [ISAserver.org Discussion List] Re: webchaining.
lets take this one step further.
on my upstream proxy, i see the logs rolling by, and i see usernames and
the IP address of the downstream proxy.
ok, so that is what it is.. however, when viewing the monitoring tab on
the downstream proxy, I only see 'anonymous' on every session.
How could one correlate those 'anonymouses' with the actual user ID in
the event that you need to trace back web activity to a user\IPaddress
combo?
i only have authentication required on the upstream proxy, otherwise,
the users get prompted over and over to authenticate to get out to the
web.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Tuesday, March 21, 2006 3:36 PM
To: isalist@xxxxxxxxxxxxx
Subject: [ISAserver.org Discussion List] Re: webchaining.
Hi Mike,
Listen here little feller:
If the Web Proxy Filter handles the request, then the source IP address
will always be the IP address of the ISA firewall.
I'll stand by that until I have a chance to test it, or Jim tells me I'm
wrong :)
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA
Firewalls
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
Sent: Tuesday, March 21, 2006 3:18 PM
To: isalist@xxxxxxxxxxxxx
Subject: [ISAserver.org Discussion List] Re: webchaining.
on my upstream proxy, the before the firewall, its set to Route,
not NAT.
if it was set to NAT, the upstream proxy's IP was shown.
so, i was hoping my downstream would show the client IP
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Tuesday, March 21, 2006 2:58 PM
To: isalist@xxxxxxxxxxxxx
Subject: [ISAserver.org Discussion List] Re: webchaining.
Yep, that is weird.
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
MVP -- ISA Firewalls
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
Sent: Tuesday, March 21, 2006 2:40 PM
To: isalist@xxxxxxxxxxxxx
Subject: [ISAserver.org Discussion List] Re:
webchaining.
ya know i think its just odd.
right now my upstream proxy sends the client IP to the
firewall..
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Tuesday, March 21, 2006 2:22 PM
To: isalist@xxxxxxxxxxxxx
Subject: [ISAserver.org Discussion List] Re:
webchaining.
You can't have it both ways. If you want to use the
local Web proxy, you must accept the source IP address being that of the
downstream ISA firewall.
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
<http://tinyurl.com/3xqb7>
MVP -- ISA Firewalls
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
Sent: Tuesday, March 21, 2006 2:18 PM
To: isalist@xxxxxxxxxxxxx
Subject: [ISAserver.org Discussion List] Re:
webchaining.
i want them to cache locally, but i want one
place to watch the activity
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Tuesday, March 21, 2006 2:11 PM
To: isalist@xxxxxxxxxxxxx
Subject: [ISAserver.org Discussion List] Re:
webchaining.
What's the point of having them use the local
proxy? Why not just configure the clients to connect directly to the
upstream Web proxy and bypass proxy on the destination server? Turn off
Web proxy support on the downstream and away you go.
Thomas W Shinder, M.D.
Site: www.isaserver.org
<http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
<http://tinyurl.com/3xqb7>
MVP -- ISA Firewalls
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
Sent: Tuesday, March 21, 2006 2:06 PM
To: isalist@xxxxxxxxxxxxx
Subject: [ISAserver.org Discussion List]
Re: webchaining.
so basically i have to setup something
to tail what's being entered into the MSDE database as the users hit the
web, right?
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Tuesday, March 21, 2006 1:44 PM
To: isalist@xxxxxxxxxxxxx
Subject: [ISAserver.org Discussion List]
Re: webchaining.
Yes, but you won't have Web proxy
chaining. You need a ROUTE Network Rule and no Web proxy services at the
downstream. I.e., no local caching.
Thomas W Shinder, M.D.
Site: www.isaserver.org
<http://www.isaserver.org/>
Blog:
http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
<http://tinyurl.com/3xqb7>
MVP -- ISA Firewalls
________________________________
From:
isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Michael Ross
Sent: Tuesday, March 21, 2006
12:04 PM
To: isalist@xxxxxxxxxxxxx
Subject: [ISAserver.org
Discussion List] Re: webchaining.
any way to have it log the IP
address of the actual client on the upstream ISA? it would make
monitoring the clients so much easier.
________________________________
From:
isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Thomas W Shinder
Sent: Tuesday, March 21, 2006
11:49 AM
To: isalist@xxxxxxxxxxxxx
Subject: [ISAserver.org
Discussion List] Re: webchaining.
Hi Mike,
That's expected and what's
supposed to happen.
Thomas W Shinder, M.D.
Site: www.isaserver.org
<http://www.isaserver.org/>
Blog:
http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
<http://tinyurl.com/3xqb7>
MVP -- ISA Firewalls
________________________________
From:
isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Michael Ross
Sent: Tuesday, March 21,
2006 11:38 AM
To:
isalist@xxxxxxxxxxxxx
Subject: [ISAserver.org
Discussion List] webchaining.
Another question.
When I watch my logs on
the upstream proxy, I see users coming thru with the IP address of the
downstream proxy, not of the client they are on.
Thoughts?
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
