[isalist] Re: [ISAserver.org Discussion List] Re: webchaining.
- From: "Michael Ross" <mross@xxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Tue, 28 Mar 2006 11:44:21 -0600
http://www.ISAserver.org
-------------------------------------------------------
Will it still enter that data into the msde database?
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Tuesday, March 28, 2006 11:28 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: [ISAserver.org Discussion List] Re: webchaining.
http://www.ISAserver.org
-------------------------------------------------------
Hi Mike,
Yes, you can do that. Change the logging format to .txt and then
uninstall the "Advanced Logging" by running the ISA add/remove process.
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> Sent: Tuesday, March 28, 2006 11:15 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: [ISAserver.org Discussion List] Re:
> webchaining.
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> Here's what could help me out.
> Can I enable the downstream proxy to log to a text file? If I do that,
> would nothing get saved in the MSDE database?
> I could tail that txt file each day to watch where the users are
> going.
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Tuesday, March 28, 2006 8:45 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: [ISAserver.org Discussion List] Re:
> webchaining.
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> Hi Mike,
>
> Be careful. You need to configure the downstreams to use a specific
> account to auth to the upstream. The branch office users will not be
> authing with the upstream. The branch office ISA firewall itself will
> authenticating itself with the upstream -- the users won't.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
>
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> > Sent: Tuesday, March 28, 2006 8:41 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: [ISAserver.org Discussion List] Re:
> > webchaining.
> >
> > http://www.ISAserver.org
> > -------------------------------------------------------
> >
> > So, if I enable authentication at the upstream AND
> downstream proxies,
>
> > a user wont get prompted to authenticate over and over? Ill give it
> > shot now and let u know what happens.
> > If it works, that would give me one way to back track to
> the original
> > IP\User
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thomas W Shinder
> > Sent: Tuesday, March 28, 2006 8:38 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: [ISAserver.org Discussion List] Re:
> > webchaining.
> >
> > http://www.ISAserver.org
> > -------------------------------------------------------
> >
> > No, it shouldn't. At least it hasn't the last time I tested and
> > deployed it.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> >
> >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> > > Sent: Tuesday, March 28, 2006 8:26 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: [ISAserver.org Discussion List] Re:
> > > webchaining.
> > >
> > > http://www.ISAserver.org
> > > -------------------------------------------------------
> > >
> > > Correct me if im wrong, but wont that cause multiple
> authentication
> > > boxes?
> > >
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Jim Harrison
> > > Sent: Tuesday, March 28, 2006 8:18 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: [ISAserver.org Discussion List] Re:
> > > webchaining.
> > >
> > > http://www.ISAserver.org
> > > -------------------------------------------------------
> > >
> > > Here's a Q forya:
> > > - why are you only authenticating on the upstream proxy?
> > > You should *always* authenticate closest to the user /
> > domain making
> > > the request.
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Michael Ross
> > > Sent: Tuesday, March 28, 2006 5:41 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: [ISAserver.org Discussion List] Re:
> > > webchaining.
> > >
> > > lets take this one step further.
> > > on my upstream proxy, i see the logs rolling by, and i see
> > usernames
> > > and the IP address of the downstream proxy.
> > > ok, so that is what it is.. however, when viewing the
> > monitoring tab
> > > on the downstream proxy, I only see 'anonymous' on every session.
> > > How could one correlate those 'anonymouses' with the actual
> > user ID in
> >
> > > the event that you need to trace back web activity to a
> > user\IPaddress
> >
> > > combo?
> > > i only have authentication required on the upstream proxy,
> > otherwise,
> > > the users get prompted over and over to authenticate to get
> > out to the
> >
> > > web.
> > >
> > > ________________________________
> > >
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Thomas W Shinder
> > > Sent: Tuesday, March 21, 2006 3:36 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [ISAserver.org Discussion List] Re: webchaining.
> > >
> > >
> > > Hi Mike,
> > >
> > > Listen here little feller:
> > >
> > > If the Web Proxy Filter handles the request, then the source IP
> > > address will always be the IP address of the ISA firewall.
> > >
> > > I'll stand by that until I have a chance to test it, or Jim
> > tells me
> > > I'm wrong :)
> > >
> > > Tom
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org <http://www.isaserver.org/>
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> > MVP -- ISA
> > > Firewalls
> > >
> > >
> > >
> > >
> > > ________________________________
> > >
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> > > Sent: Tuesday, March 21, 2006 3:18 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [ISAserver.org Discussion List] Re: webchaining.
> > >
> > >
> > > on my upstream proxy, the before the firewall, its set to Route,
> > not
> > > NAT.
> > > if it was set to NAT, the upstream proxy's IP was shown.
> > > so, i was hoping my downstream would show the client IP
> > >
> > > ________________________________
> > >
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas
> W Shinder
> > > Sent: Tuesday, March 21, 2006 2:58 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [ISAserver.org Discussion List] Re: webchaining.
> > >
> > >
> > > Yep, that is weird.
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org <http://www.isaserver.org/>
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> > > MVP -- ISA Firewalls
> > >
> > >
> > >
> > >
> > > ________________________________
> > >
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> > > Sent: Tuesday, March 21, 2006 2:40 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [ISAserver.org Discussion List] Re:
> > > webchaining.
> > >
> > >
> > > ya know i think its just odd.
> > > right now my upstream proxy sends the client IP to the
> > firewall..
> > >
> > > ________________________________
> > >
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas
> W Shinder
> > > Sent: Tuesday, March 21, 2006 2:22 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [ISAserver.org Discussion List] Re:
> > > webchaining.
> > >
> > >
> > > You can't have it both ways. If you want to use the
> > local Web proxy,
> > > you must accept the source IP address being that of the
> > downstream ISA
> >
> > > firewall.
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org <http://www.isaserver.org/>
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > <http://tinyurl.com/3xqb7>
> > > MVP -- ISA Firewalls
> > >
> > >
> > >
> > >
> > > ________________________________
> > >
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> > > Sent: Tuesday, March 21, 2006 2:18 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [ISAserver.org Discussion List] Re:
> > > webchaining.
> > >
> > >
> > > i want them to cache locally, but i want one
> > place to watch the
> > > activity
> > >
> > > ________________________________
> > >
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas
> W Shinder
> > > Sent: Tuesday, March 21, 2006 2:11 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [ISAserver.org Discussion List] Re:
> > > webchaining.
> > >
> > >
> > > What's the point of having them use the local
> > proxy? Why not just
> > > configure the clients to connect directly to the upstream
> Web proxy
> > > and bypass proxy on the destination server? Turn off Web
> > proxy support
> >
> > > on the downstream and away you go.
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > <http://www.isaserver.org/>
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > <http://tinyurl.com/3xqb7>
> > > MVP -- ISA Firewalls
> > >
> > >
> > >
> > >
> > > ________________________________
> > >
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross
> > > Sent: Tuesday, March 21, 2006 2:06 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [ISAserver.org Discussion List]
> > > Re: webchaining.
> > >
> > >
> > > so basically i have to setup something
> > to tail what's being
> > > entered into the MSDE database as the users hit the web, right?
> > >
> > > ________________________________
> > >
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas
> W Shinder
> > > Sent: Tuesday, March 21, 2006 1:44 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [ISAserver.org Discussion List]
> > > Re: webchaining.
> > >
> > >
> > > Yes, but you won't have Web proxy
> chaining. You need a ROUTE
> > > Network Rule and no Web proxy
> > services at
> > > the downstream. I.e., no local caching.
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > <http://www.isaserver.org/>
> > > Blog:
> > > http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
<http://tinyurl.com/3xqb7>
> > > MVP -- ISA Firewalls
> > >
> > >
> > >
> > >
> > > ________________________________
> > >
> > > From:
> > > isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> > > Behalf Of Michael Ross
> > > Sent: Tuesday, March 21, 2006
> > > 12:04 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [ISAserver.org
> > > Discussion List] Re: webchaining.
> > >
> > >
> > > any way to have it log the IP
address of the actual client on
> > > the upstream ISA? it would make monitoring the clients so much
> > > easier.
> > >
> > > ________________________________
> > >
> > > From:
> > > isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> > > Behalf Of Thomas W Shinder
> > > Sent: Tuesday, March 21, 2006
> > > 11:49 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [ISAserver.org
> > > Discussion List] Re: webchaining.
> > >
> > >
> > > Hi Mike,
> > >
> > > That's expected and what's
> > > supposed to happen.
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > <http://www.isaserver.org/>
> > > Blog:
> > > http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
<http://tinyurl.com/3xqb7>
> > > MVP -- ISA Firewalls
> > >
> > >
> > >
> > >
> > > ________________________________
> > >
> > > From:
> > > isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> > > Behalf Of Michael Ross
> > > Sent: Tuesday, March 21,
> > > 2006 11:38 AM
> > > To:
> > > isalist@xxxxxxxxxxxxx
> > > Subject: [ISAserver.org
> > > Discussion List] webchaining.
> > >
> > >
> > > Another question.
> > >
> > > When I watch my logs on
> > > the upstream proxy, I see users coming thru with the IP
> > address of the
> >
> > > downstream proxy, not of the client they are on.
> > >
> > > Thoughts?
> > >
> > >
> > > All mail to and from this domain is GFI-scanned.
> > >
> > > ------------------------------------------------------
> > > List Archives: //www.freelists.org/archives/isalist/
> > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server Articles and Tutorials:
> > > http://www.isaserver.org/articles_tutorials/
> > > ISA Server Blogs: http://blogs.isaserver.org/
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > > ------------------------------------------------------
> > > List Archives: //www.freelists.org/archives/isalist/
> > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server Articles and Tutorials:
> > > http://www.isaserver.org/articles_tutorials/
> > > ISA Server Blogs: http://blogs.isaserver.org/
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > >
> > >
> > ------------------------------------------------------
> > List Archives: //www.freelists.org/archives/isalist/
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server Articles and Tutorials:
> > http://www.isaserver.org/articles_tutorials/
> > ISA Server Blogs: http://blogs.isaserver.org/
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > ------------------------------------------------------
> > List Archives: //www.freelists.org/archives/isalist/
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server Articles and Tutorials:
> > http://www.isaserver.org/articles_tutorials/
> > ISA Server Blogs: http://blogs.isaserver.org/
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
> >
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts: