[isalist] Re: Interesting question...

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 30 Mar 2006 17:50:59 -0800

http://www.ISAserver.org
-------------------------------------------------------

Nope - it's not. 
NAT doesn't break the TCP connection; proxy does.

This is CERN proxy behavior; the upstream server is blissfully ignorant of the 
"real" client IP.
It *may* have access to such niceties as user-agent, but those are not 
guaranteed.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steve Moffat
Sent: Thursday, March 30, 2006 17:31
To: ISA Mailing List
Subject: [isalist] Re: Interesting question...

You are correct, it's doing NAT.

 

S

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
Sent: Thursday, March 30, 2006 8:26 PM
To: ISA Mailing List
Subject: [isalist] Interesting question...

 

I was trying to assist someone with logging traffic, and this is the 
explanation I got...

 

----------Quote----------

Our network consists of a single Internet filter on the outside (Screendoor) 
with several ISA 2000 and 2004 servers behind it.  The client 
computer makes a request to a web site that will be blocked by Screendoor, it 
passes out the ISA server to Screendoor, Screendoor blocks it and the client 
ends up with a page could not be displayed message.  Of course Screendoor in 
that example doesn't know what private ip address that request came from only 
the ISA server does, in my case the ISA 2004 server is configured in 
firewall/cache mode.  Because of the problem we had been having with Screendoor 
allowing the bad site to load if the user refreshed enough times we told 
Screendoor to redirect the user to another site instead of just blocking them.  
The redirected site will be on our local web server.  What I was asking is if 
we could embed a script of some sort on that local web site that would collect 
their private ip address as well as the local nds/ad username and store it in a 
log file.  I'm trying to avoid requiring the users to log in to the Internet 
separately from logging into the network and because the Internet filter is 
outside the firewall integrating it with nds/ad isn't really an option either.  
We're ultimately moving to a Dansguardian solution anyway and possibly several 
of them (inside each firewall and one possibly outside the firewall where 
Screendoor currently sits) so it will become a moot point eventually anyway.

----------End Quote----------

 

Am I correct to assume that all traffic coming out of the ISA server would be 
stripped of all identifying information, and the server it was redirected to 
would only show the IP of the screendoor/ISA server?
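
The reply at the top of this thread says a proxy, unlike NAT, ends the client's TCP connection, so the upstream server only sees the proxy. The following is an added example, not part of the thread and not ISA Server code: a constructed stand-in proxy and web server on loopback, where port numbers stand in for separate hosts, and the hostname `blocked.example` and the User-Agent value are made up.

```python
import socket
import threading

def _listen():
    """Loopback listener on an OS-chosen port (constructed stand-in host)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

def _origin(listener, seen):
    """Stand-in for the local web server: record the peer address it sees."""
    conn, peer = listener.accept()
    with conn:
        seen["origin_logged_peer"] = peer
        seen["origin_request"] = conn.recv(4096)
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")

def _proxy(listener, origin_addr, seen):
    """Stand-in proxy: client's TCP connection ends here; a new one goes upstream."""
    client, client_addr = listener.accept()
    with client, socket.create_connection(origin_addr) as upstream:
        seen["proxy_saw_client"] = client_addr  # only the proxy knows this
        seen["proxy_upstream_socket"] = upstream.getsockname()
        upstream.sendall(client.recv(4096))  # headers pass only if relayed
        client.sendall(upstream.recv(4096))

def run_demo():
    socket.setdefaulttimeout(5)  # fail instead of hanging if a step breaks
    origin_l, proxy_l, seen = _listen(), _listen(), {}
    workers = [threading.Thread(target=_origin, args=(origin_l, seen)),
               threading.Thread(target=_proxy,
                                args=(proxy_l, origin_l.getsockname(), seen))]
    for w in workers:
        w.start()
    with socket.create_connection(proxy_l.getsockname()) as client:
        seen["client_socket"] = client.getsockname()
        client.sendall(b"GET http://blocked.example/ HTTP/1.0\r\n"
                       b"User-Agent: constructed-client\r\n\r\n")
        seen["client_reply"] = client.recv(4096)
    for w in workers:
        w.join()
    origin_l.close()
    proxy_l.close()
    return seen

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:22} {value}")
```

The address the web server records is the proxy's own upstream socket; the client's socket appears only in what the proxy saw, which is why the proxy's log is the place that can tie a request to a client.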

 

 

