[isalist] Re: [ISAserver.org Discussion List] Re: webchaining.
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Tue, 28 Mar 2006 08:38:13 -0600
http://www.ISAserver.org
-------------------------------------------------------
No, it shouldn't. At least it hasn't the last time I tested and deployed
it.
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> Sent: Tuesday, March 28, 2006 8:26 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: [ISAserver.org Discussion List] Re:
> webchaining.
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> Correct me if im wrong, but wont that cause multiple authentication
> boxes?
>
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Tuesday, March 28, 2006 8:18 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: [ISAserver.org Discussion List] Re:
> webchaining.
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> Here's a Q forya:
> - why are you only authenticating on the upstream proxy?
> You should *always* authenticate closest to the user / domain
> making the
> request.
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Michael Ross
> Sent: Tuesday, March 28, 2006 5:41 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: [ISAserver.org Discussion List] Re:
> webchaining.
>
> lets take this one step further.
> on my upstream proxy, i see the logs rolling by, and i see
> usernames and
> the IP address of the downstream proxy.
> ok, so that is what it is.. however, when viewing the
> monitoring tab on
> the downstream proxy, I only see 'anonymous' on every session.
> How could one correlate those 'anonymouses' with the actual user ID in
> the event that you need to trace back web activity to a user\IPaddress
> combo?
> i only have authentication required on the upstream proxy, otherwise,
> the users get prompted over and over to authenticate to get out to the
> web.
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Tuesday, March 21, 2006 3:36 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [ISAserver.org Discussion List] Re: webchaining.
>
>
> Hi Mike,
>
> Listen here little feller:
>
> If the Web Proxy Filter handles the request, then the source
> IP address
> will always be the IP address of the ISA firewall.
>
> I'll stand by that until I have a chance to test it, or Jim
> tells me I'm
> wrong :)
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA
> Firewalls
>
>
>
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> Sent: Tuesday, March 21, 2006 3:18 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [ISAserver.org Discussion List] Re: webchaining.
>
>
> on my upstream proxy, the before the firewall, its set to Route,
> not NAT.
> if it was set to NAT, the upstream proxy's IP was shown.
> so, i was hoping my downstream would show the client IP
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Tuesday, March 21, 2006 2:58 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [ISAserver.org Discussion List] Re: webchaining.
>
>
> Yep, that is weird.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>
>
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> Sent: Tuesday, March 21, 2006 2:40 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [ISAserver.org Discussion List] Re:
> webchaining.
>
>
> ya know i think its just odd.
> right now my upstream proxy sends the client IP to the
> firewall..
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Tuesday, March 21, 2006 2:22 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [ISAserver.org Discussion List] Re:
> webchaining.
>
>
> You can't have it both ways. If you want to use the
> local Web proxy, you must accept the source IP address being
> that of the
> downstream ISA firewall.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>
>
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> Sent: Tuesday, March 21, 2006 2:18 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [ISAserver.org Discussion List] Re:
> webchaining.
>
>
> i want them to cache locally, but i want one
> place to watch the activity
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Tuesday, March 21, 2006 2:11 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [ISAserver.org Discussion List] Re:
> webchaining.
>
>
> What's the point of having them use the local
> proxy? Why not just configure the clients to connect directly to the
> upstream Web proxy and bypass proxy on the destination
> server? Turn off
> Web proxy support on the downstream and away you go.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>
>
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> Sent: Tuesday, March 21, 2006 2:06 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [ISAserver.org Discussion List]
> Re: webchaining.
>
>
> so basically i have to setup something
> to tail what's being entered into the MSDE database as the
> users hit the
> web, right?
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Tuesday, March 21, 2006 1:44 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [ISAserver.org Discussion List]
> Re: webchaining.
>
>
> Yes, but you won't have Web proxy
> chaining. You need a ROUTE Network Rule and no Web proxy
> services at the
> downstream. I.e., no local caching.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> <http://www.isaserver.org/>
> Blog:
> http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>
>
>
> ________________________________
>
> From:
> isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Michael Ross
> Sent: Tuesday, March 21, 2006
> 12:04 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [ISAserver.org
> Discussion List] Re: webchaining.
>
>
> any way to have it log the IP
> address of the actual client on the upstream ISA? it would make
> monitoring the clients so much easier.
>
> ________________________________
>
> From:
> isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thomas W Shinder
> Sent: Tuesday, March 21, 2006
> 11:49 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [ISAserver.org
> Discussion List] Re: webchaining.
>
>
> Hi Mike,
>
> That's expected and what's
> supposed to happen.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> <http://www.isaserver.org/>
> Blog:
> http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>
>
>
> ________________________________
>
> From:
> isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Michael Ross
> Sent: Tuesday, March 21,
> 2006 11:38 AM
> To:
> isalist@xxxxxxxxxxxxx
> Subject: [ISAserver.org
> Discussion List] webchaining.
>
>
> Another question.
>
> When I watch my logs on
> the upstream proxy, I see users coming thru with the IP address of the
> downstream proxy, not of the client they are on.
>
> Thoughts?
>
>
> All mail to and from this domain is GFI-scanned.
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
