[isalist] Re: [ISAserver.org Discussion List] Re: webchaining.

  • From: "Michael Ross" <mross@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 29 Mar 2006 09:54:53 -0600

ok i followed your advice
i have it set up this way, and it's working
the downside not listed here is that in the content filter logs, i see
the specific account that auth's with the upstream ISA web proxy.
i don't know of a way to correlate who was going where really, according
to the content filter rules.. ya know?

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Tuesday, March 28, 2006 8:26 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: [ISAserver.org Discussion List] Re: webchaining.


Hi Mike,
 
There is a way to deal with this and have the content filtering done
centrally. 
 
You can force auth at the branches.
 
Configure the branch downstream proxies to use a specific account to
auth with the upstream ISA Web proxy.
 
The drawbacks are:
 
You don't have centralized reporting of user names -- that information
is contained at the branch office ISA firewalls. You'd have to have a
mechanism to consolidate that information (and to be honest, I don't
know how you would do it)
 
You can use granular user/group authentication to base your content
filtering on, since each branch would be configured with a single
account to auth to the upstream
 
I hope I'm wrong about this, but as I understand the situation, this has
been a long standing "feature" for which a DCR has been in for a LONG
time.
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- ISA Firewalls

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
        Sent: Tuesday, March 28, 2006 8:13 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: [ISAserver.org Discussion List] Re:
webchaining.
        
        
        i see.
        perhaps i should not do web chaining and just have that ISA box
go direct to the internet, and put my webfilter on that box.
        i don't think that will save me much in the way of bandwidth
though.. which was one of the goals of doing ISA.

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        Sent: Tuesday, March 28, 2006 8:12 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: [ISAserver.org Discussion List] Re:
webchaining.
        
        
        It means that part of the ISA firewall is broken and it won't
do what you want it to do and what it should do and it's a BIG problem
for a long time, so as Freud would say, we tend to be a bit "avoidant"
regarding the issue.
         
        :)
         
        Thomas W Shinder, M.D.

         


________________________________

                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
                Sent: Tuesday, March 28, 2006 8:04 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: [ISAserver.org Discussion List]
Re: webchaining.
                
                
                Sensei Shinder,
                Grasshopper mean no disrespect. Simply, just trying to
learn how to bend light to my will so I will be invisible to enemy. Be
one with the 7 layers...

________________________________

                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                Sent: Tuesday, March 28, 2006 7:58 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: [ISAserver.org Discussion List]
Re: webchaining.
                
                
                Grasshopper. When Master give to you answer obvious to
fools, what does that mean to respected pupal?
                 
                Thomas W Shinder, M.D.

                 


________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
                        Sent: Tuesday, March 28, 2006 7:48 AM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: [isalist] Re: [ISAserver.org Discussion
List] Re: webchaining.
                        
                        
                        oh man.. i thought the guru of gurus had a
solution.. HA.
                         

________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                        Sent: Tuesday, March 28, 2006 7:47 AM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: [isalist] Re: [ISAserver.org Discussion
List] Re: webchaining.
                        
                        
                        Hi Mike,
                         
                        Yep, that's a problem.
                         
                        Thomas W Shinder, M.D.

                         


________________________________

                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
                                Sent: Tuesday, March 28, 2006 7:41 AM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: [isalist] Re: [ISAserver.org
Discussion List] Re: webchaining.
                                
                                
                                let's take this one step further.
                                on my upstream proxy, i see the logs
rolling by, and i see usernames and the IP address of the downstream
proxy.
                                ok, so that is what it is.. however,
when viewing the monitoring tab on the downstream proxy, I only see
'anonymous' on every session.
                                How could one correlate those
'anonymouses' with the actual user ID in the event that you need to
trace back web activity to a user\IPaddress combo?
                                i only have authentication required on
the upstream proxy, otherwise, the users get prompted over and over to
authenticate to get out to the web.

________________________________

                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                                Sent: Tuesday, March 21, 2006 3:36 PM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: [ISAserver.org Discussion List]
Re: webchaining.
                                
                                
                                Hi Mike,
                                 
                                Listen here little feller:
                                 
                                If the Web Proxy Filter handles the
request, then the source IP address will always be the IP address of the
ISA firewall.
                                 
                                I'll stand by that until I have a chance
to test it, or Jim tells me I'm wrong :)
                                 
                                Tom
                                 
                                Thomas W Shinder, M.D.

                                 


________________________________

                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
                                Sent: Tuesday, March 21, 2006 3:18 PM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: [ISAserver.org Discussion List]
Re: webchaining.
                                
                                
                                on my upstream proxy, the before the
firewall, it's set to Route, not NAT.
                                if it was set to NAT, the upstream
proxy's IP was shown.
                                so, i was hoping my downstream would
show the client IP

________________________________

                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                                Sent: Tuesday, March 21, 2006 2:58 PM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: [ISAserver.org Discussion List]
Re: webchaining.
                                
                                
                                Yep, that is weird.
                                 
                                Thomas W Shinder, M.D.

                                 


________________________________

                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
                                Sent: Tuesday, March 21, 2006 2:40 PM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: [ISAserver.org Discussion List]
Re: webchaining.
                                
                                
                                ya know i think it's just odd.
                                right now my upstream proxy sends the
client IP to the firewall.. 

________________________________

                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                                Sent: Tuesday, March 21, 2006 2:22 PM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: [ISAserver.org Discussion List]
Re: webchaining.
                                
                                
                                You can't have it both ways. If you want
to use the local Web proxy, you must accept the source IP address being
that of the downstream ISA firewall. 
                                 
                                Thomas W Shinder, M.D.

                                 


________________________________

                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
                                Sent: Tuesday, March 21, 2006 2:18 PM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: [ISAserver.org Discussion List]
Re: webchaining.
                                
                                
                                i want them to cache locally, but i want
one place to watch the activity 

________________________________

                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                                Sent: Tuesday, March 21, 2006 2:11 PM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: [ISAserver.org Discussion List]
Re: webchaining.
                                
                                
                                What's the point of having them use the
local proxy? Why not just configure the clients to connect directly to
the upstream Web proxy and bypass proxy on the destination server? Turn
off Web proxy support on the downstream and away you go.
                                 
                                Thomas W Shinder, M.D.

                                 


________________________________

                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
                                Sent: Tuesday, March 21, 2006 2:06 PM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: [ISAserver.org Discussion List]
Re: webchaining.
                                
                                
                                so basically i have to setup something
to tail what's being entered into the MSDE database as the users hit the
web, right?

________________________________

                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                                Sent: Tuesday, March 21, 2006 1:44 PM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: [ISAserver.org Discussion List]
Re: webchaining.
                                
                                
                                Yes, but you won't have Web proxy
chaining. You need a ROUTE Network Rule and no Web proxy services at the
downstream. I.e., no local caching.
                                 
                                Thomas W Shinder, M.D.

                                 


________________________________

                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
                                Sent: Tuesday, March 21, 2006 12:04 PM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: [ISAserver.org Discussion List]
Re: webchaining.
                                
                                
                                any way to have it log the IP address of
the actual client on the upstream ISA? it would make monitoring the
clients so much easier.

________________________________

                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                                Sent: Tuesday, March 21, 2006 11:49 AM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: [ISAserver.org Discussion List]
Re: webchaining.
                                
                                
                                Hi Mike,
                                 
                                That's expected and what's supposed to
happen.
                                 
                                Thomas W Shinder, M.D.

                                 


________________________________

                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
                                Sent: Tuesday, March 21, 2006 11:38 AM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: [ISAserver.org Discussion List]
webchaining.
                                
                                
                                Another question.

                                When I watch my logs on the upstream
proxy, I see users coming thru with the IP address of the downstream
proxy, not of the client they are on.

                                Thoughts? 
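
The consolidation problem raised in this thread (the upstream log shows only the downstream proxy's IP and the chaining account, while client IP and user name stay in the branch logs) can be approached by joining the two logs on URL and time. The Python below is an added example, not part of the thread and not ISA Server code; the record layout, addresses, account names and the 5-second window are constructed assumptions, and it assumes both proxies' clocks are synchronized.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
BRANCH_BY_IP = {"192.0.2.10": "branch1"}  # assumed: downstream proxy IP -> branch name

# Constructed sample data. Downstream: (time, branch, client IP, user, URL, cache hit)
DOWNSTREAM = [
    ("2006-03-29 09:00:01", "branch1", "10.1.0.21", "BRANCH1\\alice", "http://example.com/a", False),
    ("2006-03-29 09:00:02", "branch1", "10.1.0.22", "BRANCH1\\bob", "http://example.net/b", False),
    ("2006-03-29 09:00:05", "branch1", "10.1.0.23", "BRANCH1\\carol", "http://example.com/a", True),
    ("2006-03-29 09:00:30", "branch1", "10.1.0.22", "BRANCH1\\bob", "http://example.org/c", False),
    ("2006-03-29 09:00:31", "branch1", "10.1.0.21", "BRANCH1\\alice", "http://example.org/c", False),
]
# Constructed sample data. Upstream: (time, source IP, account, URL, filter action)
UPSTREAM = [
    ("2006-03-29 09:00:01", "192.0.2.10", "CORP\\svc-branch1", "http://example.com/a", "Allowed"),
    ("2006-03-29 09:00:03", "192.0.2.10", "CORP\\svc-branch1", "http://example.net/b", "Denied"),
    ("2006-03-29 09:00:31", "192.0.2.10", "CORP\\svc-branch1", "http://example.org/c", "Denied"),
    ("2006-03-29 09:05:00", "192.0.2.10", "CORP\\svc-branch1", "http://example.com/z", "Denied"),
]

def correlate(upstream, downstream, window_s=5):
    """Attribute each upstream entry to the downstream request(s) that could have caused it."""
    window = timedelta(seconds=window_s)
    results = []
    for ts, src_ip, _account, url, action in upstream:
        t_up = datetime.strptime(ts, FMT)
        branch = BRANCH_BY_IP.get(src_ip)
        candidates = [
            (d_user, d_ip)
            for d_ts, d_branch, d_ip, d_user, d_url, cache_hit in downstream
            # Cache hits are served locally and never reach the upstream proxy.
            if d_branch == branch and d_url == url and not cache_hit
            # The forwarded request is logged upstream at or shortly after the client request.
            and timedelta(0) <= t_up - datetime.strptime(d_ts, FMT) <= window
        ]
        if len(candidates) == 1:
            status = "attributed"
        elif candidates:
            status = "ambiguous"   # several users fetched the same URL inside the window
        else:
            status = "unmatched"   # no branch record: missing log or traffic not from a client
        results.append({"time": ts, "url": url, "action": action,
                        "status": status, "candidates": candidates})
    return results

if __name__ == "__main__":
    for r in correlate(UPSTREAM, DOWNSTREAM):
        print(r["time"], r["action"], r["url"], r["status"], r["candidates"])
```

Ambiguous and unmatched rows are kept rather than dropped, since those are the entries that need a manual look at the branch logs.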
