RE: Web proxy or Firewall Client (to be or not to be)

• From: "Lesky Alfonso M." <leskyam@xxxxxxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Wed, 19 Feb 2003 00:43:37 -0500

I downloaded the Stefaan's article from the isaserver.org

I do not understand  when you write: ",but I vague recall a switch can
take place between HTTP tunneled and "SecureNAT" FTP based on browser
settings. If the SecureNAT FTP was activated by the config, that would
cause the denial."


Thanks for your time Thomas.


-----Original Message-----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Date: Tue, 18 Feb 2003 23:26:04 -0600
Subject: [isalist] RE: Web proxy or Firewall Client (to be or not to be)

> http://www.ISAserver.org
> 
> 
> Hi Alfonso,
> 
> I was assuming that the HTTP Redirector was configured to drop requests
> from SecureNAT and Firewall clients, as this forces SecureNAT and
> Firewall clients to be configured as Web Proxy clients and go through
> the Web Proxy service.
> 
> Although, even if the HTTP Redirector is enabled, it doesn't explain
> why
> a Web Proxy/SecureNAT client machine should have problems connecting to
> FTP sites via the Web Proxy service, but I vague recall a switch can
> take place between HTTP tunneled and "SecureNAT" FTP based on browser
> settings. If the SecureNAT FTP was activated by the config, that would
> cause the denial.
> 
> Thanks!
> Tom 
> 
> Thomas W Shinder
> www.isaserver.org/shinder 
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
> 
>  
>  
> 
> 
> -----Original Message-----
> From: Lesky Alfonso M. [mailto:leskyam@xxxxxxxxxxxxxxx] 
> Sent: Tuesday, February 18, 2003 11:05 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web proxy or Firewall Client (to be or not to
> be)
> 
> 
> http://www.ISAserver.org
> 
> 
> Hi, Tom
> 
> It seems to be a problem related to the authentication, I have been 
> reading about it.
> this is from the ISA Server Help (isa.chm)
> 
> Theme: 'HTTP redirector filter'
> 
> "When the HTTP redirector filter passes a request from a Firewall
> client
> 
> to the Web Proxy service, the client's authentication information is 
> lost. Therefore, when the HTTP redirector filter is enabled and 
> configured to redirect to the Web Proxy service, requests from Firewall
> client is handled as unauthenticated. If unauthenticated access is not 
> allowed, such requests will be denied"
> 
> Remember when I said that if I configure the Rule to allow access to
> any
> 
> request or by IPs the problem dessapears?
> 
> By the way your articles at www.isaserver.org are very interesting.
> 
> Thanks again Thomas.
> 
> Saludos,
> 
> Lesky Alfonso M.
> 
> 
> -----Original Message-----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Date: Tue, 18 Feb 2003 20:36:31 -0600
> Subject: [isalist] RE: Web proxy or Firewall Client (to be or not to
> be)
> 
> > http://www.ISAserver.org
> > 
> > 
> > Hi Alfonso,
> > 
> > Its interesting that when I configured a machine to be a SecureNAT
> > client and a Web Proxy client, then FTP connection failed to work.
> You
> > might want to check out Stefaan Pouseele's article on FTP over at
> > www.isaserver.org, I believe he covered the circumstances when FTP
> > requests from the browser are not sent through the Web Proxy service.
> > 
> > HTH,
> > Tom
> > 
> > Thomas W Shinder
> > www.isaserver.org/shinder 
> > ISA Server and Beyond: http://tinyurl.com/1jq1
> > Configuring ISA Server: http://tinyurl.com/1llp 
> > 
> > 
> > -----Original Message-----
> > From: Lesky Alfonso M. [mailto:leskyam@xxxxxxxxxxxxxxx] 
> > Sent: Tuesday, February 18, 2003 12:15 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Web proxy or Firewall Client (to be or not to
> > be)
> > 
> > 
> > http://www.ISAserver.org
> > 
> > 
> > Thanks Tom, your are right man, my clients are SecureNAT Clients.
> > 
> > I use DHCP and I have an option configured (003 Router), all of then 
> > pickup the default gateway when they startup, what do you advise to
> > me?.
> > 
> > Please I hope you find patient to forgive my ignorance and to answer
> > some 
> > more questions.
> > 
> > 1. RRAS Clients always appears with a Default gateway and they can
> > access 
> > ftp sites Why?
> > 
> > 2. What about if I need to PING some IPs or Names to test
> connectivity,
> > is a solution to add static routes to the clients?
> > 
> > 3. What is that message that apears telling me: 
> > 
> > ISA Server: extended error message : 
> > 200 Type set to I.
> > 200 PORT Command successful.
> > 550 Permission denied.
> > 
> > when I am accesing 'some' FTP sites?
> > 
> > 4. Do you remember when I wrote about a workstation with Win95 and IE
> > 3.0 
> > (with a default gateway)? And later it was updated to IE 4.0 and it
> was
> > accessing ok all the FTP sites, wuat about this?
> > 
> > As you can see this open a tree of new questions to me
> > 
> > Note.
> > I had been in isaserver.org and there are very good articles with
> your
> 
> > name. I download some of them like: "Issues with the Internet
> Explorer
> 
> > FTP Client" AND "The SecureNAT Client" By Thomas Shinder, both of
> them,
> > this name remember me someone who took me out a hurry!
> > 
> > Forgive my English it is no my default language.
> > 
> > Well, once again Thanks a lot Tom.
> > 
> > 
> > -----Original Message-----
> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Date: Mon, 17 Feb 2003 21:31:37 -0600
> > Subject: [isalist] RE: Web proxy or Firewall Client (to be or not to
> > be)
> > 
> > > http://www.ISAserver.org
> > > 
> > > 
> > > Hi Alfonso,
> > > 
> > > OK, here's the test:
> > > 
> > > 1. Client is a machine configured as a Web Proxy client
> > > 
> > > 2. Firewall client software is DISABLED
> > > 
> > > 3. Default gateway is removed
> > > 
> > > 4. Browser configured to use PORT mode; that is, the option to use
> > PASV
> > > was not selected
> > > 
> > > When to ftp.microsoft.com I got the usual "you can only download"
> > > because the client is a Web Proxy client only, so that's OK.
> > Connected
> > > to the MS FTP site and downloaded a file. Then I checked the logs.
> No
> > > entry in the firewall log, and entries confirming my connections to
> > the
> > > MS FTP site.
> > > 
> > > So, you should have no entries in your firewall log when making
> these
> > > FTP requests. Your clients must be either Firewall or SecureNAT
> > > clients?
> > > 
> > > HTH,
> > > Tom
> > > 
> > > Thomas W Shinder
> > > www.isaserver.org/shinder 
> > > ISA Server and Beyond: http://tinyurl.com/1jq1
> > > Configuring ISA Server: http://tinyurl.com/1llp 
> > > 
> > > 
> > > -----Original Message-----
> > > From: Lesky Alfonso M. [mailto:leskyam@xxxxxxxxxxxxxxx] 
> > > Sent: Monday, February 17, 2003 8:53 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Web proxy or Firewall Client (to be or not
> to
> > > be)
> > > 
> > > 
> > > http://www.ISAserver.org
> > > 
> > > 
> > > 
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Exchange Server Resource Site: http://www.msexchange.org/
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List
> > as:
> > > leskyam@xxxxxxxxxxxxxxx
> > > To unsubscribe send a blank email to
> > > $subst('Email.Unsub')
> > 
> > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Exchange Server Resource Site: http://www.msexchange.org/
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List
> as:
> > tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Exchange Server Resource Site: http://www.msexchange.org/
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List
> as:
> > leskyam@xxxxxxxxxxxxxxx
> > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Exchange Server Resource Site: http://www.msexchange.org/
> Windows Security Resource Site: http://www.windowsecurity.com/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Exchange Server Resource Site: http://www.msexchange.org/
> Windows Security Resource Site: http://www.windowsecurity.com/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> leskyam@xxxxxxxxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')

Other related posts:

• » Web proxy or Firewall Client (to be or not to be)
• » RE: Web proxy or Firewall Client (to be or not to be)
• » RE: Web proxy or Firewall Client (to be or not to be)
• » RE: Web proxy or Firewall Client (to be or not to be)
• » RE: Web proxy or Firewall Client (to be or not to be)
• » RE: Web proxy or Firewall Client (to be or not to be)
• » RE: Web proxy or Firewall Client (to be or not to be)
• » RE: Web proxy or Firewall Client (to be or not to be)
• » RE: Web proxy or Firewall Client (to be or not to be)
• » RE: Web proxy or Firewall Client (to be or not to be)
• » RE: Web proxy or Firewall Client (to be or not to be)
• » RE: Web proxy or Firewall Client (to be or not to be)
• » RE: Web proxy or Firewall Client (to be or not to be)
• » RE: Web proxy or Firewall Client (to be or not to be)
• » RE: Web proxy or Firewall Client (to be or not to be)
• » RE: Web proxy or Firewall Client (to be or not to be)
• » RE: Web proxy or Firewall Client (to be or not to be)
• » RE: Web proxy or Firewall Client (to be or not to be)

1. Home
2. isalist
3. Archive
4. 02-2003

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---