Re: Firewall client

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 3 Dec 2001 11:45:26 -0800

The "127.0.0.1" in the c-IP field shows that your HTTP redirector did its
job and redirected a secureNAT or firewall request to the web proxy, but it
comes in (as expected) without credentials (anonymous).
You said that you've restricted web access to specific users.  When you use
the HTTP redirector, you lose all identity.
That's why it fails.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
----- Original Message -----
From: "Periyasamy, Raj" <psraj@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, December 03, 2001 10:47
Subject: [isalist] Re: Firewall client


http://www.ISAserver.org


Jim,
I enabled Rule#1 and Rule#2 in the log file, restarted the server and tried
the access. This is what I find in the log file.
As you see the Rule#1 and Rule#2 entries are blank in the WWW log. If I use
a proxy for the browser configuration, I can see these entries are Default
Proxy Rule, Allow Rule.


FW Log

10.254.6.120, periya, Iexplore.exe:3:5.0, Y, 12/3/2001, 13:25:39, fwsrv,
NJAISA01, -, www.pepsi.com, 164.109.43.179, 0, -, 0, 0, -, -, GHBN, -, -, -,
0, -, Default Proxy Rule, Allow rule, 4, 0

10.254.6.120, periya, Iexplore.exe:3:5.0, Y, 12/3/2001, 13:25:39, fwsrv,
NJAISA01, -, -, 164.109.43.179, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0,
-, Default Proxy Rule, -, 4, 4


WWW Log

127.0.0.1, anonymous, Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0),
N, 12/3/2001, 13:25:41, w3proxy, NJAISA01, -, www.pepsi.com, -, 80, 0, 0,
3833, http, -, GET, http://www.pepsi.com/, -, -, 403, -, -, -


Any Ideas,

Regards,
Raj



-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: December 01, 2001 3:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Firewall client



Still, the response indicates that ISA is refusing the request based on some
rule or the absence of it.
What does the WEB log show for those attempts?
If you don't get any "Rule#1" and "Rule#2" entries in that log, go to
Monitoring Configuration, Logs and edit the fields of the Web proxy log to
show you those.
That's how we'll know what ISA is using to deny those requests.
The firewall client can't authenticate through the HTTP redirector any
better than the secureNAT client can.  I'll bet that loss of identity is the
issue.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
----- Original Message -----
From: "Periyasamy, Raj" <psraj@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, December 01, 2001 12:20
Subject: [isalist] Re: Firewall client



Jim,
I have a group InTERNET which has permissions to the ISA protocol rules
which allows access to the net. The ID I login is a member of this group.
With firewall client, either I need to setup proxy or I use the auto config
script http://server:80/array.dll?Get.Routing.Script to get the browser
working. If I don't use either of the above I get 403 Forbidden.

Raj

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Friday, November 30, 2001 11:05 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Firewall client



What do you find in the ISA logs for those requests?
ISA returns a 403 when it:
1. has a rule  specifically denying the request
2. has no rule allowing the request

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
----- Original Message -----
From: "Periyasamy, Raj" <psraj@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, November 30, 2001 17:17
Subject: [isalist] Re: Firewall client



Jim,
I am running firewall client in my workstation.

Raj

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Friday, November 30, 2001 7:55 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Firewall client



You're disabling the client's ability to use the ISA proxy, yasilly.

Seriously, if the client isn't going to use the proxy, then it has to be a
secureNAT or firewall client.
What is in the FW or WEB logs for those requests?  There may also be a rule
getting in your way.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
----- Original Message -----
From: "Periyasamy, Raj" <psraj@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, November 30, 2001 14:22
Subject: [isalist] Firewall client



Maybe this one is too basic..
My workstation is running F/W client. The browser is configured to use
proxy. It works fine. However, if I disable use proxy option the browser
fails. I get 403 forbidden error. What am I doing wrong?

Regards,
Raj
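
The log check described at the top of this thread, as an added example that is not part of the original messages: it flags Web proxy entries carrying the redirector signature (127.0.0.1, anonymous, 403, blank rule fields) and pairs each with the firewall-service entry for the same host to recover the user the redirector dropped. The field positions are read off the sample lines posted above, and the 5-second window and all function names are assumptions.

```python
from datetime import datetime, timedelta

# Log lines copied from the thread above, with the wrapped lines rejoined.
FW_LOG = [
    "10.254.6.120, periya, Iexplore.exe:3:5.0, Y, 12/3/2001, 13:25:39, fwsrv, "
    "NJAISA01, -, www.pepsi.com, 164.109.43.179, 0, -, 0, 0, -, -, GHBN, -, -, -, "
    "0, -, Default Proxy Rule, Allow rule, 4, 0",
    "10.254.6.120, periya, Iexplore.exe:3:5.0, Y, 12/3/2001, 13:25:39, fwsrv, "
    "NJAISA01, -, -, 164.109.43.179, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, "
    "-, Default Proxy Rule, -, 4, 4",
]
WWW_LOG = [
    "127.0.0.1, anonymous, Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0), "
    "N, 12/3/2001, 13:25:41, w3proxy, NJAISA01, -, www.pepsi.com, -, 80, 0, 0, "
    "3833, http, -, GET, http://www.pepsi.com/, -, -, 403, -, -, -",
]

# Assumption: positions are taken from the sample lines, not from a format spec.
IDX = {"c_ip": 0, "user": 1, "date": 4, "time": 5, "service": 6,
       "host": 9, "status": 21, "rule1": 23, "rule2": 24}

def parse(line):
    """Split one comma-separated log line into the fields named in IDX."""
    fields = [f.strip() for f in line.split(",")]
    rec = {name: fields[i] for name, i in IDX.items()}
    rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                    "%m/%d/%Y %H:%M:%S")
    return rec

def redirected_denials(www_lines):
    """Entries with the redirector signature: loopback source, anonymous
    user, 403 status, and no rule name recorded in either rule field."""
    return [r for r in map(parse, www_lines)
            if r["c_ip"] == "127.0.0.1" and r["user"].lower() == "anonymous"
            and r["status"] == "403" and r["rule1"] == "-" and r["rule2"] == "-"]

def correlate(www_lines, fw_lines, window=timedelta(seconds=5)):
    """Pair each redirected denial with firewall-service entries for the same
    host logged up to `window` earlier, giving (host, client IP, user, rule)."""
    fw = [parse(line) for line in fw_lines]
    pairs = []
    for d in redirected_denials(www_lines):
        for r in fw:
            if r["host"] == d["host"] and timedelta(0) <= d["when"] - r["when"] <= window:
                pairs.append((d["host"], r["c_ip"], r["user"], r["rule1"]))
    return pairs
```
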




