oh man.. i thought the guru of gurus had a solution.. HA. ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: Tuesday, March 28, 2006 7:47 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: [ISAserver.org Discussion List] Re: webchaining. Hi Mike, Yep, that's a problem. Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross Sent: Tuesday, March 28, 2006 7:41 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: [ISAserver.org Discussion List] Re: webchaining. lets take this one step further. on my upstream proxy, i see the logs rolling by, and i see usernames and the IP address of the downstream proxy. ok, so that is what it is.. however, when viewing the monitoring tab on the downstream proxy, I only see 'anonymous' on every session. How could one correlate those 'anonymouses' with the actual user ID in the event that you need to trace back web activity to a user\IPaddress combo? i only have authentication required on the upstream proxy, otherwise, the users get prompted over and over to authenticate to get out to the web. ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: Tuesday, March 21, 2006 3:36 PM To: isalist@xxxxxxxxxxxxx Subject: [ISAserver.org Discussion List] Re: webchaining. Hi Mike, Listen here little feller: If the Web Proxy Filter handles the request, then the source IP address will always be the IP address of the ISA firewall. I'll stand by that until I have a chance to test it, or Jim tells me I'm wrong :) Tom Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross Sent: Tuesday, March 21, 2006 3:18 PM To: isalist@xxxxxxxxxxxxx Subject: [ISAserver.org Discussion List] Re: webchaining. on my upstream proxy, the before the firewall, its set to Route, not NAT. if it was set to NAT, the upstream proxy's IP was shown. so, i was hoping my downstream would show the client IP ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: Tuesday, March 21, 2006 2:58 PM To: isalist@xxxxxxxxxxxxx Subject: [ISAserver.org Discussion List] Re: webchaining. Yep, that is weird. Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross Sent: Tuesday, March 21, 2006 2:40 PM To: isalist@xxxxxxxxxxxxx Subject: [ISAserver.org Discussion List] Re: webchaining. ya know i think its just odd. right now my upstream proxy sends the client IP to the firewall.. ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: Tuesday, March 21, 2006 2:22 PM To: isalist@xxxxxxxxxxxxx Subject: [ISAserver.org Discussion List] Re: webchaining. You can't have it both ways. If you want to use the local Web proxy, you must accept the source IP address being that of the downstream ISA firewall. Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross Sent: Tuesday, March 21, 2006 2:18 PM To: isalist@xxxxxxxxxxxxx Subject: [ISAserver.org Discussion List] Re: webchaining. i want them to cache locally, but i want one place to watch the activity ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: Tuesday, March 21, 2006 2:11 PM To: isalist@xxxxxxxxxxxxx Subject: [ISAserver.org Discussion List] Re: webchaining. What's the point of having them use the local proxy? Why not just configure the clients to connect directly to the upstream Web proxy and bypass proxy on the destination server? Turn off Web proxy support on the downstream and away you go. Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross Sent: Tuesday, March 21, 2006 2:06 PM To: isalist@xxxxxxxxxxxxx Subject: [ISAserver.org Discussion List] Re: webchaining. so basically i have to setup something to tail what's being entered into the MSDE database as the users hit the web, right? ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: Tuesday, March 21, 2006 1:44 PM To: isalist@xxxxxxxxxxxxx Subject: [ISAserver.org Discussion List] Re: webchaining. Yes, but you won't have Web proxy chaining. You need a ROUTE Network Rule and no Web proxy services at the downstream. I.e., no local caching. Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross Sent: Tuesday, March 21, 2006 12:04 PM To: isalist@xxxxxxxxxxxxx Subject: [ISAserver.org Discussion List] Re: webchaining. any way to have it log the IP address of the actual client on the upstream ISA? it would make monitoring the clients so much easier. ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: Tuesday, March 21, 2006 11:49 AM To: isalist@xxxxxxxxxxxxx Subject: [ISAserver.org Discussion List] Re: webchaining. Hi Mike, That's expected and what's supposed to happen. Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross Sent: Tuesday, March 21, 2006 11:38 AM To: isalist@xxxxxxxxxxxxx Subject: [ISAserver.org Discussion List] webchaining. Another question. When I watch my logs on the upstream proxy, I see users coming thru with the IP address of the downstream proxy, not of the client they are on. Thoughts?