RE: ISA server not relaying clients IP to web server.
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 16 Sep 2005 10:59:58 -0500
Hi Matt,
What type of rule have you created to allow inbound connections to the
Web server running on the ISA firewall?
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
> -----Original Message-----
> From: Matthew @ Telavoco [mailto:matthew@xxxxxxxxxxxx]
> Sent: Friday, September 16, 2005 10:56 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA server not relaying clients IP to
> web server.
>
> http://www.ISAserver.org
>
> Yes, your worst fears are true - the web server is running on
> the firewall.
>
> I know this is the wrong way to do things, but the situation
> has been forced
> upon me, and I've got to do what I can to get this working.
>
> You've just given me a thought -
>
> I have figured out a way to get it working - by having iis
> running on port
> 81, and having the listener bridge everything from port 80 to
> localhost:81.
>
> Lol, this is a nightmare.
>
> Thanks for your help Thomas.
>
> Matthew
>
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: 16 September 2005 16:48
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA server not relaying clients IP to
> web server.
>
> http://www.ISAserver.org
>
> The Web server is *running on the firewall*??? (please say no)
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
>
> > -----Original Message-----
> > From: Matthew @ Telavoco [mailto:matthew@xxxxxxxxxxxx]
> > Sent: Friday, September 16, 2005 10:45 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: ISA server not relaying clients IP to
> > web server.
> >
> > http://www.ISAserver.org
> >
> > There is no web publishing rule - this server is not meant
> > for external
> > access. When someone initially connects to my wireless access
> > point, my dhcp
> > server issues them and ip, and when they try to browse, "a
> > deny all http
> > access from internal network to external" rule redirects
> > any requests for external web sites to the web server running
> > on the same
> > machine. This web server provides these prospective users
> > with a VPN login
> > once
> > they've signed up for the service - VPN users are then given
> > access to the
> > intenet using an "allow VPN traffic" rule.
> >
> > However, when the clients are initially redirected to the IIS
> > server running on the same machine, the IP address of the
> > servers internal
> > network
> > interface is being used in place of the actual clients address.
> >
> > I am unable to create a listener as this would mean that two
> > programs are attempting to bind to port 80 to listen for
> > traffic (IIS and
> > web Listener).
> >
> > Hope this sheds more light on my dilemma.
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: 16 September 2005 16:41
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: ISA server not relaying clients IP to
> > web server.
> >
> > http://www.ISAserver.org
> >
> > Hi Matt,
> >
> > Web Publishing Rule or Server Publishing Rule?
> >
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> >
> >
> > > -----Original Message-----
> > > From: Matthew @ Telavoco [mailto:matthew@xxxxxxxxxxxx]
> > > Sent: Friday, September 16, 2005 10:20 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: ISA server not relaying clients IP to
> > > web server.
> > >
> > > http://www.ISAserver.org
> > >
> > > Its ISA 2004, running on windows server 2003 enterprise
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: 16 September 2005 16:15
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: ISA server not relaying clients IP to
> > > web server.
> > >
> > > http://www.ISAserver.org
> > >
> > > What firewall version?
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Matthew @ Telavoco [mailto:matthew@xxxxxxxxxxxx]
> > > > Sent: Friday, September 16, 2005 10:07 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: ISA server not relaying clients IP to
> > > > web server.
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Does anyone have any more thoughts on this?
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Matthew @ Telavoco [mailto:matthew@xxxxxxxxxxxx]
> > > > Sent: 16 September 2005 00:13
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: ISA server not relaying clients IP to
> > > > web server.
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Thanks for the reply
> > > >
> > > > There is no web publishing rule - this server is not meant
> > > > for external
> > > > access. When someone initially connects to my wireless access
> > > > point, my dhcp
> > > > server issues them and ip, and when they try to browse, "a
> > > > deny all http
> > > > access from internal network to external" rule redirects
> > > any external
> > > > website requests to the web server running on the same
> > > > machine. This web
> > > > server provides these prospective users with a VPN login once
> > > > they've signed
> > > > up for the service - VPN users are then given access to the
> > > > intenet using an
> > > > "allow VPN traffic" rule.
> > > >
> > > > However, when the clients are initially redirected to the IIS
> > > > server running
> > > > on the same machine, the IP address of the servers
> > internal network
> > > > interface is being used in place of the actual clients address.
> > > >
> > > > I am unable to create a listener as this would mean that two
> > > > programs are
> > > > attempting to bind to port 80 to listen for traffic (IIS and
> > > > web Listener).
> > > >
> > > > Hope this sheds more light on my dilemma.
> > > >
> > > > Kind regards,
> > > >
> > > > Matthew Dendle
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > Sent: 15 September 2005 23:11
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: ISA server not relaying clients IP to
> > > > web server.
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > This is what you get with web publishing (reverse proxy).
> > > > NAT has absolutely nothing to do with it.
> > > > You can change this behavior on a per-rule basis by selecting
> > > > "requests
> > > > appear to come from the original client" in the "To" tab of the
> > > > publishing rule.
> > > >
> > > > This setting requires that the published server use ISA as
> > > the default
> > > > route to the Internet.
> > > > Basic IP routing applies...
> > > >
> > > > -----Original Message-----
> > > > From: Matthew @ Telavoco [mailto:matthew@xxxxxxxxxxxx]
> > > > Sent: Thursday, September 15, 2005 2:48 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: ISA server not relaying clients IP to
> > > > web server.
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Its isa server 2004, running on windows 2003 Enterprise edition
> > > >
> > > > I just don't see why the client doesn't connect directly to
> > > > IIS, rather
> > > > than
> > > > going through the ISA servers NAT first. At least, I think
> > > > that's whats
> > > > happening - I cant see any other reason why it would use the
> > > > IP address
> > > > of
> > > > one of its own interfaces rather than just relaying the
> clients IP
> > > > instead.
> > > >
> > > > Any ideas folks?
> > > >
> > > >
> > > > Matthew Dendle
> > > > www.telavoco.com
> > > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > Sent: 15 September 2005 19:43
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: ISA server not relaying clients IP to
> > > > web server.
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > What ISA version - 2000 or 2004?
> > > >
> > > > -----Original Message-----
> > > > From: Matthew [mailto:matthew@xxxxxxxxxxxx]
> > > > Sent: Thursday, September 15, 2005 10:16 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] ISA server not relaying clients IP to
> > web server.
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Hello everyone,
> > > > I am hosting a website on the same machine as my ISA server.
> > > > The reason
> > > > for this is that my isa server is acting as a gateway for
> > a wireless
> > > > hotspot - users are redirected to my site, where they sign up
> > > > and get a
> > > > VPN client login, and are then able to connect to the
> > > > internet. This is
> > > > all working fine.
> > > >
> > > > However, I need to know what thier IP address is.
> > > > When they connect to the web application (written in
> ASP) thier Ip
> > > > address
> > > > always appears to be coming from the isa server itself,
> > and not the
> > > > clients IP. The clients IP is completely masked by the
> > NAT firewall
> > > >
> > > > (for those of you who are familiar with asp, the
> > > > server.requestvariables("CLIENT_IP") and "REMOTE_ADDR" and
> > > > "HTTP_X_FORWARDED_FOR" all return the address of the ISA
> > > > server, not the
> > > > client)
> > > >
> > > > Is there any way i could fix things so that the clients IP
> > > > will actually
> > > > be forwarded in the environment variables?
> > > >
> > > > Thanks folks
> > > >
> > > > Matthew Dendle
> > > >
> > > > ------------------------------------------------------
> > > > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org
> > > Discussion List as:
> > > > jim@xxxxxxxxxxxx
> > > > To unsubscribe visit
> > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > >
> > > > All mail to and from this domain is GFI-scanned.
> > > >
> > > >
> > > > ------------------------------------------------------
> > > > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org
> > > Discussion List as:
> > > > matthew@xxxxxxxxxxxx
> > > > To unsubscribe visit
> > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > >
> > > >
> > > > ------------------------------------------------------
> > > > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org
> > > Discussion List as:
> > > > jim@xxxxxxxxxxxx
> > > > To unsubscribe visit
> > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > >
> > > > All mail to and from this domain is GFI-scanned.
> > > >
> > > >
> > > > ------------------------------------------------------
> > > > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org
> > > Discussion List as:
> > > > matthew@xxxxxxxxxxxx
> > > > To unsubscribe visit
> > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > >
> > > >
> > > > ------------------------------------------------------
> > > > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org
> > > Discussion List as:
> > > > matthew@xxxxxxxxxxxx
> > > > To unsubscribe visit
> > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > >
> > > >
> > > > ------------------------------------------------------
> > > > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion
> > > > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > > > To unsubscribe visit
> > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > >
> > > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org
> > Discussion List as:
> > > matthew@xxxxxxxxxxxx
> > > To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion
> > > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > > To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> Discussion List as:
> > matthew@xxxxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> matthew@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
Other related posts:
