[isalist] Re: Interesting question...

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 30 Mar 2006 21:30:18 -0500

http://www.ISAserver.org
-------------------------------------------------------

Okay, thanks, I think that answers the questions I had.  

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Thursday, March 30, 2006 9:13 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Interesting question...

What "information" are you referring to?
The original client IP is a goner either way and most of the client
headers are not guaranteed across each hop.

Redirection (when the client is even aware) is a client-side operation.
The server sends a 30x response and the client does what it feels like
with it.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Thursday, March 30, 2006 18:07
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Interesting question...

But assuming that it NATs through the ISA, then hits an upstream filter
which then redirects it to another webserver, is the original
information still left when it hits that last server?

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Thursday, March 30, 2006 8:53 PM
To: ISA Mailing List
Subject: [isalist] Re: Interesting question...

Showing my ignorance again...:(..I always thought NAT supplied the
external IP to hide your internals...oh well, one learns something new
every day about tcp stuff.....

S
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Thursday, March 30, 2006 9:51 PM
To: ISA Mailing List
Subject: [isalist] Re: Interesting question...

Nope - it's not. 
NAT doesn't break the TCP connection; proxy does.

This is CERN proxy behavior; the upstream server is blissfully ignorant
of the "real" client IP.
It *may* have access to such niceties as user-agent, but those are not
guaranteed.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Thursday, March 30, 2006 17:31
To: ISA Mailing List
Subject: [isalist] Re: Interesting question...

You are correct, it's doing NAT.

 

S

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Thursday, March 30, 2006 8:26 PM
To: ISA Mailing List
Subject: [isalist] Interesting question...

 

I was trying to assist someone with logging traffic, and this is the
explanation I got...

 

----------Quote----------

Our network consists of a single Internet filter on the outside
(Screendoor) with several ISA 2000 and 2004 servers behind it.  The
client computer makes a request to a web site that will be blocked by
screen door, it passes out the ISA server to Screendoor, Screendoor
blocks it and the client ends up with a page could not be displayed
message.  Of course Screendoor in that example doesn't know what private
ip address that request came from only the ISA server does, in my case
the ISA 2004 server is configured in firewall/cache mode.  Because of
the problem we had been having with screendoor allowing the bad site to
load if the user refreshed enough times we told screendoor to redirect
the user to another site instead of just blocking them.  The redirected
site will be on our local web server.  What I was asking is if we could
embed a script of some sort on that local web site that would collect
their private ip address as well as the local nds/ad username and store
it in a log file.  I'm trying to avoid requiring the users to login to
the Internet separately from logging into the network and because the
Internet filter is outside the firewall integrating it with nds/ad isn't
really an option either.  We're ultimately moving to a Dansguardian
solution anyway and possibly several of them (inside each firewall and
one possibly outside the firewall where Screendoor currently sits) so it
will become a moot point eventually anyway.

----------End Quote----------

 

Am I correct to assume that all traffic coming out of the ISA server
would be stripped of all identifying information, and the server it was
redirected to would only show the IP of the screendoor/ISA server?

 

 


All mail to and from this domain is GFI-scanned.

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx 
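
An added illustration of the point made in this thread (not code from any of the posters or from ISA Server): a toy proxy hop on loopback opens its own TCP connection, so the last server sees the proxy's socket address rather than the client's, and receives only the headers the proxy chooses to pass. The function names, the header allow-list and the example.test request are assumptions constructed for the demo; since everything runs on one host, the source port stands in for the client's private address.

```python
import socket
import threading

CRLF = "\r\n"

def listen():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))  # constructed loopback endpoint, OS-chosen port
    s.listen(1)
    return s

def headers_of(raw):
    lines = raw.decode("latin-1").split(CRLF + CRLF)[0].split(CRLF)[1:]
    return {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines)}

def origin(lsock, seen):  # the last web server in the chain
    conn, peer = lsock.accept()
    with conn:
        seen.update(origin_saw=peer, origin_headers=headers_of(conn.recv(4096)))
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")

def proxy(lsock, upstream, forwarded, seen):  # hypothetical proxy hop, not ISA's logic
    conn, peer = lsock.accept()
    with conn:
        raw = conn.recv(4096)
        first = raw.decode("latin-1").split(CRLF)[0]
        kept = [f"{k}: {v}" for k, v in headers_of(raw).items() if k in forwarded]
        # Second, independent TCP connection: its source is the proxy itself.
        with socket.create_connection(upstream, source_address=("127.0.0.1", 0)) as up:
            seen.update(proxy_saw=peer, proxy_outbound=up.getsockname())
            up.sendall((CRLF.join([first] + kept) + CRLF * 2).encode("latin-1"))
            conn.sendall(up.recv(4096))

def run_demo(forwarded=("host",)):
    o_sock, p_sock = listen(), listen()
    at_origin, at_proxy = {}, {}
    threads = [threading.Thread(target=origin, args=(o_sock, at_origin), daemon=True),
               threading.Thread(target=proxy, daemon=True,
                                args=(p_sock, o_sock.getsockname(), forwarded, at_proxy))]
    for t in threads:
        t.start()
    with socket.socket() as c:
        c.bind(("127.0.0.1", 0))  # this address plays the client's private IP
        c.connect(p_sock.getsockname())
        client = c.getsockname()
        c.sendall(b"GET /blocked HTTP/1.0\r\nHost: example.test\r\nUser-Agent: demo-client\r\n\r\n")
        c.recv(4096)
    for t in threads:
        t.join(5)
    o_sock.close(); p_sock.close()
    return {"client": client, **at_proxy, **at_origin}
```

Only the proxy's own record (`proxy_saw`) ties the request back to the client, which is why the per-user log has to be taken at the hop that still holds the client-side connection.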
