RE: Help with the web proxy setup in ISA 2004

  • From: "Roy Tsao" <roy_tsao@xxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 25 May 2005 20:43:56 -0600

Got it but the log shows the record as below:
          Source        Protocol         Operation    Destination IP    Client Type
<FQDN>    0.0.0.0       HTTP             Denied       192.168.X.X       Web Proxy
                                                      (ISA Local IP)    (anonymous)

<HOST>    192.168.X.X   Unknown IP Com   Initilized   192.168.X.X       FCW
          (Client IP)

I am sure FQDN points to ISA internal IP, any suggestion?


Thanks,

Roy Tsao

> Your understanding is flawed.
> If your client is resolving the FQDN to the ISA external IP, then your
> deployment is horked.
> Make sure both names resolve to the same ISA internal IP.
> 
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
> Sent: Tuesday, May 24, 2005 10:07 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> 
> My ISA2K4 Box is SP1 patched, FW Client is also SP1ed.
> Since client shall be Webproxy client with authentication for
> HTTP(s)/FTP download connection as required by content filter
> (SurfControl), autoproxy configuration shall be applied in addition
> to FW client.
> It is true that when autoconfiguration points to the full FQDN, the
> authentication window pops up, which means the autoproxy configuration
> is not downloaded to the client end, but when changed to the simple
> host name, no popup anymore!
> 
> My understanding is the configuration script is obtained through http,
> there must be a doubled authentication when address is FQDN before
> configuration is done:
>    phase 1: web proxy client issues http request to ISA FQDN:8080
>             authentication required and webproxy client can provide
>             credentials
>    phase 2: ISA box loopback to itself requesting for ISAFQDN:8080
>             as agent for client, then authentication required, and
>             ISA box passes it back to client (that's the reason of
>             authentication popup).
> If it is correct for working mechanism, FQDN shall not be used
> because client setting has not been done and does not know how
> to bypass ISA proxy to obtain script.
> 
> Thanks,
> 
> Roy Tsao
> 
> 
> 
> > Authentication is completely unrelated to simple vs. qualified names.
> > The only place that authentication breaks auto-configuration is for
> > the FW client and SP1 fixes this.
> > 
> > -----Original Message-----
> > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
> > Sent: Tuesday, May 24, 2005 9:12 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > 
> > In case web proxy authentication is required, the auto-config web
> > proxy setting's address shall be changed at ISABox from URL with dot
> > into localhost name only i.e.: http://isalocal:8080...
> > Otherwise autoconfiguration does work. Authentication window pops up
> > each time when opening a new I/E session, and also local address
> > will not be bypassed by ISA.
> > 
> > > Hi Tim,
> > >
> > > In order to use the settings you configured for Web Proxy Direct
> > > Access in the ISA firewall console, you need to complete the process
> > > by configuring the Web proxy clients to use the autoconfiguration
> > > script. Autodiscovery will accomplish this just fine, or you can do
> > > it manually or through Group policy.
> > >
> > > HTH,
> > > Tom
> > > www.isaserver.org/shinder <http://www.isaserver.org/shinder>
> > > Tom and Deb Shinder's Configuring ISA Server 2004
> > > http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> > > MVP -- ISA Firewalls
> > > 
> > >
> > > ________________________________
> > >
> > > From: tim S [mailto:tim724342@xxxxxxxxx]
> > > Sent: Monday, May 23, 2005 8:15 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Help with the web proxy setup in ISA 2004
> > >
> > > I have ISA 2004 on w2k3 and it's an edge firewall. I allow all
> > > protocols from Internal to External (this will soon be changed).
> > > All three client types are configured in each workstation. My
> > > Internal machines have problems accessing internal websites (No
> > > looping through firewall). If I disable the proxy setting in the
> > > browser, workstations have no problem. I check marked "Bypass
> > > addresses found in the Domain Tab" and also entered my internal
> > > domain name in the Web browser tab of "Internal" network
> > > properties. I still can't get the web proxy clients not to contact
> > > ISA for internal websites. If I use the computer name instead of
> > > http://some.http.address.local, everything works fine too. I was
> > > able to solve the problem (for the time being) by modifying the
> > > "Allow all outbound traffic" rule with FROM: Internal and TO:
> > > Anywhere. I had it previously as FROM: Internal and TO: External.
> > > I think my solution is a bit convoluted. After reading Tom's book,
> > > I didn't want to install Ethereal on my firewall but Network
> > > monitor has a big learning curve.
> > > Your help is greatly appreciated.
> > > 
> All mail to and from this domain is GFI-scanned.
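
Added example, not part of the thread and not the script ISA 2004 generates: a hand-written proxy auto-config (PAC) function showing why a single-label computer name can go direct while an FQDN is still sent to the proxy when its domain suffix is missing from the bypass list the client actually loaded. The proxy address reuses `isalocal:8080` from the thread; the `.example.local` suffix, the stand-in helper implementations and `proxiedUrls` are assumptions made for the illustration.

```javascript
// Constructed sample values: proxy listener and internal suffixes to bypass.
const PROXY = "PROXY isalocal:8080";
const INTERNAL_DOMAINS = [".example.local"];

// Minimal stand-ins for the helpers a browser supplies to PAC scripts,
// defined here only so the file also runs under Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Standard PAC entry point: returns "DIRECT" or a proxy directive.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names (http://intranet/) bypass the proxy.
  if (isPlainHostName(host)) return "DIRECT";
  // FQDNs bypass only when their suffix is in the internal-domain list.
  for (const d of INTERNAL_DOMAINS) {
    if (dnsDomainIs(host, d)) return "DIRECT";
  }
  // Everything else, including unlisted internal FQDNs, goes to the proxy.
  return PROXY;
}

// Audit helper (hypothetical): which URLs would be sent to the proxy?
function proxiedUrls(urls) {
  return urls.filter(
    (u) => FindProxyForURL(u, new URL(u).hostname) !== "DIRECT"
  );
}
```

Running `proxiedUrls` over a list of internal site URLs shows which names still reach the proxy listener, which is the thing to compare against the Denied entries in the proxy log.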
