http://www.ISAserver.org ------------------------------------------------------- No, it shouldn't. At least it hasn't the last time I tested and deployed it. Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross > Sent: Tuesday, March 28, 2006 8:26 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: [ISAserver.org Discussion List] Re: > webchaining. > > http://www.ISAserver.org > ------------------------------------------------------- > > Correct me if im wrong, but wont that cause multiple authentication > boxes? > > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of Jim Harrison > Sent: Tuesday, March 28, 2006 8:18 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: [ISAserver.org Discussion List] Re: > webchaining. > > http://www.ISAserver.org > ------------------------------------------------------- > > Here's a Q forya: > - why are you only authenticating on the upstream proxy? > You should *always* authenticate closest to the user / domain > making the > request. > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of Michael Ross > Sent: Tuesday, March 28, 2006 5:41 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: [ISAserver.org Discussion List] Re: > webchaining. > > lets take this one step further. > on my upstream proxy, i see the logs rolling by, and i see > usernames and > the IP address of the downstream proxy. > ok, so that is what it is.. however, when viewing the > monitoring tab on > the downstream proxy, I only see 'anonymous' on every session. > How could one correlate those 'anonymouses' with the actual user ID in > the event that you need to trace back web activity to a user\IPaddress > combo? > i only have authentication required on the upstream proxy, otherwise, > the users get prompted over and over to authenticate to get out to the > web. > > ________________________________ > > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of Thomas W Shinder > Sent: Tuesday, March 21, 2006 3:36 PM > To: isalist@xxxxxxxxxxxxx > Subject: [ISAserver.org Discussion List] Re: webchaining. > > > Hi Mike, > > Listen here little feller: > > If the Web Proxy Filter handles the request, then the source > IP address > will always be the IP address of the ISA firewall. > > I'll stand by that until I have a chance to test it, or Jim > tells me I'm > wrong :) > > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org <http://www.isaserver.org/> > Blog: http://blogs.isaserver.org/shinder/ > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA > Firewalls > > > > > ________________________________ > > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross > Sent: Tuesday, March 21, 2006 3:18 PM > To: isalist@xxxxxxxxxxxxx > Subject: [ISAserver.org Discussion List] Re: webchaining. > > > on my upstream proxy, the before the firewall, its set to Route, > not NAT. > if it was set to NAT, the upstream proxy's IP was shown. > so, i was hoping my downstream would show the client IP > > ________________________________ > > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder > Sent: Tuesday, March 21, 2006 2:58 PM > To: isalist@xxxxxxxxxxxxx > Subject: [ISAserver.org Discussion List] Re: webchaining. > > > Yep, that is weird. > > Thomas W Shinder, M.D. > Site: www.isaserver.org <http://www.isaserver.org/> > Blog: http://blogs.isaserver.org/shinder/ > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> > MVP -- ISA Firewalls > > > > > ________________________________ > > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross > Sent: Tuesday, March 21, 2006 2:40 PM > To: isalist@xxxxxxxxxxxxx > Subject: [ISAserver.org Discussion List] Re: > webchaining. > > > ya know i think its just odd. > right now my upstream proxy sends the client IP to the > firewall.. > > ________________________________ > > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder > Sent: Tuesday, March 21, 2006 2:22 PM > To: isalist@xxxxxxxxxxxxx > Subject: [ISAserver.org Discussion List] Re: > webchaining. > > > You can't have it both ways. If you want to use the > local Web proxy, you must accept the source IP address being > that of the > downstream ISA firewall. > > Thomas W Shinder, M.D. > Site: www.isaserver.org <http://www.isaserver.org/> > Blog: http://blogs.isaserver.org/shinder/ > Book: http://tinyurl.com/3xqb7 > <http://tinyurl.com/3xqb7> > MVP -- ISA Firewalls > > > > > ________________________________ > > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross > Sent: Tuesday, March 21, 2006 2:18 PM > To: isalist@xxxxxxxxxxxxx > Subject: [ISAserver.org Discussion List] Re: > webchaining. > > > i want them to cache locally, but i want one > place to watch the activity > > ________________________________ > > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder > Sent: Tuesday, March 21, 2006 2:11 PM > To: isalist@xxxxxxxxxxxxx > Subject: [ISAserver.org Discussion List] Re: > webchaining. > > > What's the point of having them use the local > proxy? Why not just configure the clients to connect directly to the > upstream Web proxy and bypass proxy on the destination > server? Turn off > Web proxy support on the downstream and away you go. > > Thomas W Shinder, M.D. > Site: www.isaserver.org > <http://www.isaserver.org/> > Blog: http://blogs.isaserver.org/shinder/ > Book: http://tinyurl.com/3xqb7 > <http://tinyurl.com/3xqb7> > MVP -- ISA Firewalls > > > > > ________________________________ > > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross > Sent: Tuesday, March 21, 2006 2:06 PM > To: isalist@xxxxxxxxxxxxx > Subject: [ISAserver.org Discussion List] > Re: webchaining. > > > so basically i have to setup something > to tail what's being entered into the MSDE database as the > users hit the > web, right? > > ________________________________ > > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder > Sent: Tuesday, March 21, 2006 1:44 PM > To: isalist@xxxxxxxxxxxxx > Subject: [ISAserver.org Discussion List] > Re: webchaining. > > > Yes, but you won't have Web proxy > chaining. You need a ROUTE Network Rule and no Web proxy > services at the > downstream. I.e., no local caching. > > Thomas W Shinder, M.D. > Site: www.isaserver.org > <http://www.isaserver.org/> > Blog: > http://blogs.isaserver.org/shinder/ > Book: http://tinyurl.com/3xqb7 > <http://tinyurl.com/3xqb7> > MVP -- ISA Firewalls > > > > > ________________________________ > > From: > isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of Michael Ross > Sent: Tuesday, March 21, 2006 > 12:04 PM > To: isalist@xxxxxxxxxxxxx > Subject: [ISAserver.org > Discussion List] Re: webchaining. > > > any way to have it log the IP > address of the actual client on the upstream ISA? it would make > monitoring the clients so much easier. > > ________________________________ > > From: > isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of Thomas W Shinder > Sent: Tuesday, March 21, 2006 > 11:49 AM > To: isalist@xxxxxxxxxxxxx > Subject: [ISAserver.org > Discussion List] Re: webchaining. > > > Hi Mike, > > That's expected and what's > supposed to happen. > > Thomas W Shinder, M.D. > Site: www.isaserver.org > <http://www.isaserver.org/> > Blog: > http://blogs.isaserver.org/shinder/ > Book: http://tinyurl.com/3xqb7 > <http://tinyurl.com/3xqb7> > MVP -- ISA Firewalls > > > > > ________________________________ > > From: > isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of Michael Ross > Sent: Tuesday, March 21, > 2006 11:38 AM > To: > isalist@xxxxxxxxxxxxx > Subject: [ISAserver.org > Discussion List] webchaining. > > > Another question. > > When I watch my logs on > the upstream proxy, I see users coming thru with the IP address of the > downstream proxy, not of the client they are on. > > Thoughts? > > > All mail to and from this domain is GFI-scanned. > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx