[isalist] Re: Interesting question...

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 30 Mar 2006 20:51:03 -0600

http://www.ISAserver.org
-------------------------------------------------------

Steve,

The effect is the same in terms of source IP address. However, proxies
are going to "re-request" and so there's more than just address
replacement like there is with NAT (but you already knew that).

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> Sent: Thursday, March 30, 2006 7:53 PM
> To: ISA Mailing List
> Subject: [isalist] Re: Interesting question...
> 
> Showing my ignorance again...:(..I always thought NAT supplied the
> external IP to hide your internals...oh well, one learns something new
> every day about tcp stuff.....
> 
> S
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Thursday, March 30, 2006 9:51 PM
> To: ISA Mailing List
> Subject: [isalist] Re: Interesting question...
> 
> Nope - it's not. 
> NAT doesn't break the TCP connection; proxy does.
> 
> This is CERN proxy behavior; the upstream server is blissfully ignorant
> of the "real" client IP.
> It *may* have access to such niceties as user-agent, but those are not
> guaranteed.
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Steve Moffat
> Sent: Thursday, March 30, 2006 17:31
> To: ISA Mailing List
> Subject: [isalist] Re: Interesting question...
> 
> You are correct, it's doing NAT.
> 
>  
> 
> S
> 
>  
> 
> ________________________________
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Ball, Dan
> Sent: Thursday, March 30, 2006 8:26 PM
> To: ISA Mailing List
> Subject: [isalist] Interesting question...
> 
>  
> 
> I was trying to assist someone with logging traffic, and this is the
> explanation I got...
> 
>  
> 
> ----------Quote----------
> 
> Our network consists of a single Internet filter on the outside
> (Screendoor) with several ISA 2000 and 2004 servers behind it.  The
> client computer makes a request to a web site that will be blocked by
> Screendoor, it passes out the ISA server to Screendoor, Screendoor
> blocks it and the client ends up with a page could not be displayed
> message.  Of course Screendoor in that example doesn't know what private
> IP address that request came from, only the ISA server does; in my case
> the ISA 2004 server is configured in firewall/cache mode.  Because of
> the problem we had been having with Screendoor allowing the bad site to
> load if the user refreshed enough times, we told Screendoor to redirect
> the user to another site instead of just blocking them.  The redirected
> site will be on our local web server.  What I was asking is if we could
> embed a script of some sort on that local web site that would collect
> their private IP address as well as the local NDS/AD username and store
> it in a log file.  I'm trying to avoid requiring the users to log in to
> the Internet separately from logging into the network, and because the
> Internet filter is outside the firewall, integrating it with NDS/AD isn't
> really an option either.  We're ultimately moving to a Dansguardian
> solution anyway and possibly several of them (inside each firewall and
> one possibly outside the firewall where Screendoor currently sits) so it
> will become a moot point eventually anyway.
> 
> ----------End Quote----------
> 
>  
> 
> Am I correct to assume that all traffic coming out of the ISA server
> would be stripped of all identifying information, and the server it was
> redirected to would only show the IP of the screendoor/ISA server?
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
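
The NAT-versus-proxy distinction drawn in the thread above, as an added example that is not part of the original messages: a loopback client, a minimal re-requesting proxy and an upstream server, showing that the upstream's TCP peer is the proxy's outbound socket and not the client's. All names are constructed for the demo; because everything runs on 127.0.0.1, the difference shows in the source port, where on separate hosts it would be the source IP.

```python
import socket
import threading

def listen():
    """Bind a loopback listener on an ephemeral port (constructed demo endpoint)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    s.settimeout(5)
    return s

def run_demo():
    """Client -> proxy -> upstream; return the socket addresses each side observed."""
    seen = {}
    upstream_l, proxy_l = listen(), listen()

    def upstream():
        conn, peer = upstream_l.accept()
        with conn:
            seen["upstream_peer"] = peer            # what the web server would log
            seen["upstream_request"] = conn.recv(4096)
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nblocked\n")

    def proxy():
        conn, peer = proxy_l.accept()
        with conn:
            seen["proxy_peer"] = peer               # only the proxy sees the real client
            request = conn.recv(4096)
            # The "re-request": a second, independent TCP connection to the upstream.
            with socket.create_connection(upstream_l.getsockname(), timeout=5) as out:
                seen["proxy_outbound"] = out.getsockname()
                out.sendall(request)
                conn.sendall(out.recv(4096))

    threads = [threading.Thread(target=f) for f in (upstream, proxy)]
    for t in threads:
        t.start()
    with socket.create_connection(proxy_l.getsockname(), timeout=5) as client:
        seen["client"] = client.getsockname()
        client.sendall(b"GET / HTTP/1.0\r\nUser-Agent: demo-browser\r\n\r\n")
        seen["reply"] = client.recv(4096)
    for t in threads:
        t.join()
    upstream_l.close()
    proxy_l.close()
    return seen

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:17} {value}")
```

The User-Agent header reaches the upstream here only because this demo proxy forwards the request bytes unchanged; nothing at the TCP layer carries the client's address across the second connection.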
