[isalist] Re: SurfControl/Direct Access...
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Tue, 22 Aug 2006 13:45:44 -0700
http://www.ISAserver.org
-------------------------------------------------------
Forget direct access.
Drop it alongside SurfControl.
Your internal hosts are using ISA to reach internal resources because:
1. you haven't configured your network address / domain list properly
2. you haven't configured the browsers to acquire the ISA proxy configuration
using either:
- auto-discovery (wpad)
..or
- configuration URL
3. you need to configure split DNS because they're using "public" URLs
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Ball, Dan
Sent: Tuesday, August 22, 2006 12:39
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SurfControl/Direct Access...
Okay, let's drop SurfControl from the list of possible suspects; it appears to
be a moot point in this issue, and is just clouding the issue... So, the next
questions is "why is local traffic passing through the ISA server?"...
To double-check my direct access settings, I went through these two tutorials,
and Tom's book...
http://www.isaserver.org/articles/2004directaccessp1.html
http://www.isaserver.org/articles/2004directaccessp2.html
Reviewing those articles reaffirms that direct access requires very little
setting changes, all of which have been present on my system all along. Going
back through the thread that Gregory posted showed one other thing that I
didn't do before (per Jim's recommendation), and that was to change the
DHCP-based wpad settings to DNS-based settings. I got that up and running last
night, and it appears to be working as expected, but the problem still exists.
The ISA server is on 10.20.1.1, the webserver is on 10.20.1.4, any traffic
coming from that same subnet destined for 10.20.1.4 passes through the ISA
server instead of bypassing it.
So, I guess my next step will be to go through the wpad and wspad files and
verify they are sending the right settings, check out the FWC setting to see if
there is anything in there that could be causing the problem (although, I
tested it on a computer w/o FWC, only proxy and it still did it), and run
through the rules again.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Roy Tsao
Sent: Tuesday, August 22, 2006 10:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SurfControl/Direct Access...
Oh...
As said by Dr. Shinder, direct access is purely a client manner not ISA nor SWF,
you may verift if you do set (deploy) a correct setting for direct accesss at
client side
or not.
The simplest way to verify if SWF monitors so called directed access is to
manually
set a WPC client by excluding address for direct access...
----- Original Message -----
From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Tuesday, August 22, 2006 7:11 PM
Subject: [isalist] Re: SurfControl/Direct Access...
Exactly, that is the way it is "supposed" to work, but the traffic
still shows up on the ISA server when it isn't supposed to.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Tuesday, August 22, 2006 5:17 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SurfControl/Direct Access...
> Hi Dan,
>
> 1) If your client access the unwanted monitor site through ISA
> (ISA is a router between two subnet), you need to set unmonitored
> site at SWF
> 2) If your client can access the site by another route without need
> to go thourgh ISA, then you shall deploy direct access for
> client depending on client type (WPC or FWC). It has nothing to
> do with SWF setting.
> ----- Original Message -----
> From: "Ball, Dan" <DBall@xxxxxxxxxxx <mailto:DBall@xxxxxxxxxxx> >
> To: <isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> >
> Sent: Tuesday, August 22, 2006 10:44 AM
> Subject: [isalist] Re: SurfControl/Direct Access...
>
>
>> http://www.ISAserver.org <http://www.ISAserver.org>
>> -------------------------------------------------------
>>
>> Yes they are.
>>
>> -----Original Message-----
>> From: isalist-bounce@xxxxxxxxxxxxx
<mailto:isalist-bounce@xxxxxxxxxxxxx> [mailto:isalist-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thomas W Shinder
>> Sent: Monday, August 21, 2006 10:31 PM
>> To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx>
>> Subject: [isalist] Re: SurfControl/Direct Access...
>>
>> http://www.ISAserver.org <http://www.ISAserver.org>
>> -------------------------------------------------------
>>
>> Are the Web proxy clients configured to use the autoconfiguration
>> script?
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org <http://www.isaserver.org>
>> Blog: http://blogs.isaserver.org/shinder/
<http://blogs.isaserver.org/shinder/>
>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
>> MVP -- ISA Firewalls
>>
>>
>>
>>> -----Original Message-----
>>> From: isalist-bounce@xxxxxxxxxxxxx
<mailto:isalist-bounce@xxxxxxxxxxxxx>
>>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
>>> Sent: Monday, August 21, 2006 9:25 PM
>>> To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx>
>>> Subject: [isalist] Re: SurfControl/Direct Access...
>>>
>>> http://www.ISAserver.org <http://www.ISAserver.org>
>>> -------------------------------------------------------
>>>
>>> I've been digging through my archives for the last hour, and
>>> cannot find
>>> what I remember... Maybe it's just my old-age kicking in, and I'm
>>> remembering things that didn't happen...
>>>
>>> Anyways, I've gone through the Direct Access settings over
>>> and over, and
>>> cannot find what might be wrong. Only thing I can think of is the
>>> wpad/wspad settings...
>>>
>>>
>>> -----Original Message-----
>>> From: isalist-bounce@xxxxxxxxxxxxx
<mailto:isalist-bounce@xxxxxxxxxxxxx>
>>> [mailto:isalist-bounce@xxxxxxxxxxxxx]
>>> On Behalf Of Thomas W Shinder
>>> Sent: Monday, August 21, 2006 10:00 PM
>>> To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx>
>>> Subject: [isalist] Re: SurfControl/Direct Access...
>>>
>>> http://www.ISAserver.org <http://www.ISAserver.org>
>>> -------------------------------------------------------
>>>
>>> Hi Dan,
>>>
>>> For internal connections, Direct Access is entirely a client
function.
>>> ISA is never in the picture.
>>>
>>> Tom
>>>
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org <http://www.isaserver.org>
>>> Blog: http://blogs.isaserver.org/shinder/
<http://blogs.isaserver.org/shinder/>
>>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
>>> MVP -- ISA Firewalls
>>>
>>>
>>>
>>> > -----Original Message-----
>>> > From: isalist-bounce@xxxxxxxxxxxxx
<mailto:isalist-bounce@xxxxxxxxxxxxx>
>>> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
>>> > Sent: Monday, August 21, 2006 8:36 PM
>>> > To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx>
>>> > Subject: [isalist] Re: SurfControl/Direct Access...
>>> >
>>> > http://www.ISAserver.org <http://www.ISAserver.org>
>>> > -------------------------------------------------------
>>> >
>>> > That is what we were talking about, it IS configured for
>>> > direct access,
>>> > but no matter what I do the traffic shows up as passing
>>> > through the ISA
>>> > server. I seem to recall discussing this with you before,
>>> and it was
>>> > determined that SurfControl had basically disabled the Direct
>>> > Access.
>>> >
>>> > Geesh, now you got me wondering what was really said. I'll
>>> > have to dig
>>> > through my e-mail archives to find out what we talked about
>>> > last time...
>>> >
>>> > -----Original Message-----
>>> > From: isalist-bounce@xxxxxxxxxxxxx
<mailto:isalist-bounce@xxxxxxxxxxxxx>
>>> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
>>> > On Behalf Of Thomas W Shinder
>>> > Sent: Monday, August 21, 2006 8:12 PM
>>> > To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx>
>>> > Subject: [isalist] Re: SurfControl/Direct Access...
>>> >
>>> > http://www.ISAserver.org <http://www.ISAserver.org>
>>> > -------------------------------------------------------
>>> >
>>> > Hi Dan,
>>> >
>>> > To solve that problem you need to enable Direct Access to
>>> the internal
>>> > sites.
>>> >
>>> > Tom
>>> >
>>> > Thomas W Shinder, M.D.
>>> > Site: www.isaserver.org <http://www.isaserver.org>
>>> > Blog: http://blogs.isaserver.org/shinder/
<http://blogs.isaserver.org/shinder/>
>>> > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
>>> > MVP -- ISA Firewalls
>>> >
>>> >
>>> >
>>> > > -----Original Message-----
>>> > > From: isalist-bounce@xxxxxxxxxxxxx
<mailto:isalist-bounce@xxxxxxxxxxxxx>
>>> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
>>> > > Sent: Monday, August 21, 2006 6:56 PM
>>> > > To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx>
>>> > > Subject: [isalist] Re: SurfControl/Direct Access...
>>> > >
>>> > > http://www.ISAserver.org <http://www.ISAserver.org>
>>> > > -------------------------------------------------------
>>> > >
>>> > > Yes, that was the problem we were running into. Surfcontrol was
>>> > > "automatically" monitoring every user that browsed our published
>>> > > webserver from the Internet, making the saved history
>>> > > database useless.
>>> > > I'd go in and deselect all the external hostnames, tell
>>> > > SurfControl not
>>> > > to monitor them, and the next day I'd have a couple hundred
>>> > more to do
>>> > > it all over again. It proved to be quite tedious since
>>> I'd have to
>>> > > browse through that narrow list box to select all the
>>> > hostnames, stop
>>> > > the database, save the changes, and start it again.
>>> > >
>>> > > I finally fixed that by stopping it from monitoring port
>>> 80, now it
>>> > > monitors only port 8080, the proxy port. That seems to be
>>> > > working now,
>>> > > the only ones "automatically" monitored are the users using
>>> > the proxy,
>>> > > which is who we want to monitor anyways.
>>> > >
>>> > > But, that doesn't solve the problem I have now, the
>>> requests really
>>> > > "shouldn't" be passing through the ISA server in the first
>>> > > place if they
>>> > > are going to the webserver on the same internal subnet.
>>> > >
>>> > >
>>> > > -----Original Message-----
>>> > > From: isalist-bounce@xxxxxxxxxxxxx
<mailto:isalist-bounce@xxxxxxxxxxxxx>
>>> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
>>> > > On Behalf Of Crockett, Gregory
>>> > > Sent: Monday, August 21, 2006 6:49 PM
>>> > > To: isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx>
>>> > > Subject: [isalist] Re: SurfControl/Direct Access...
>>> > >
>>> > > http://www.ISAserver.org <http://www.ISAserver.org>
>>> > > -------------------------------------------------------
>>> > >
>>> > > Add the sites to "unmonitored sites" found under the monitor
>>> > > application/monitored data tab. There, you should list all
>>> > > sites and ip
>>> > > addresses of all host that you do not want monitored. This
>>> > > includes web
>>> > > enabled devices (switches, etc.) that are accessed
>>> through isa from
>>> > > Internal to internal networks. If not, they (users either
>>> > > authenticated
>>> > > or unauthenticated) will eat at your license count.
>>> > >
>>> > > greg
>>> > >
>>> > > Sent from mobile Outlook.
>>> > >
>>> > > -----Original Message-----
>>> > > From: "Ball, Dan" <DBall@xxxxxxxxxxx <mailto:DBall@xxxxxxxxxxx>
>
>>> > > To: "isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> "
<isalist@xxxxxxxxxxxxx <mailto:isalist@xxxxxxxxxxxxx> >
>>> > > Sent: 8/21/06 2:19 PM
>>> > > Subject: [isalist] SurfControl/Direct Access...
>>> > >
>>> > > Tom, what is the current status of Direct Access when used in
>>> > > conjunction with SurfControl? I remember you saying
>>> > > something about it
>>> > > before, but I can't find my e-mails on it. I was working with
>>> > > SurfControl quite a bit last week, trying to work out some of
>>> > > the bugs,
>>> > > and thought it would be really nice if I can get the local
>>> > web traffic
>>> > > to stop going through the ISA server also.
>>> > >
>>> > >
>>> > >
>>> > > I finally figured out a way to get it to stop monitoring
>>> > > users from the
>>> > > Internet, so that helps. SurfControl support seemed
>>> > surprised that it
>>> > > was doing that...
>>> > >
>>> > >
>>> > >
>>> > > ------------------------------------------------------
>>> > > List Archives: //www.freelists.org/archives/isalist/
<//www.freelists.org/archives/isalist/>
>>> > > ISA Server Newsletter:
>>> > http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp>
>>> > > ISA Server Articles and Tutorials:
>>> > > http://www.isaserver.org/articles_tutorials/
<http://www.isaserver.org/articles_tutorials/>
>>> > > ISA Server Blogs: http://blogs.isaserver.org/
<http://blogs.isaserver.org/>
>>> > > ------------------------------------------------------
>>> > > Visit TechGenix.com for more information about our other sites:
>>> > > http://www.techgenix.com <http://www.techgenix.com>
>>> > > ------------------------------------------------------
>>> > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
<http://www.isaserver.org/pages/isalist.asp>
>>> > > Report abuse to listadmin@xxxxxxxxxxxxx
<mailto:listadmin@xxxxxxxxxxxxx>
>>> > >
>>> > > ------------------------------------------------------
>>> > > List Archives: //www.freelists.org/archives/isalist/
<//www.freelists.org/archives/isalist/>
>>> > > ISA Server Newsletter:
>>> > http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp>
>>> > > ISA Server Articles and Tutorials:
>>> > > http://www.isaserver.org/articles_tutorials/
<http://www.isaserver.org/articles_tutorials/>
>>> > > ISA Server Blogs: http://blogs.isaserver.org/
<http://blogs.isaserver.org/>
>>> > > ------------------------------------------------------
>>> > > Visit TechGenix.com for more information about our other sites:
>>> > > http://www.techgenix.com <http://www.techgenix.com>
>>> > > ------------------------------------------------------
>>> > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
<http://www.isaserver.org/pages/isalist.asp>
>>> > > Report abuse to listadmin@xxxxxxxxxxxxx
<mailto:listadmin@xxxxxxxxxxxxx>
>>> > >
>>> > >
>>> > >
>>> > ------------------------------------------------------
>>> > List Archives: //www.freelists.org/archives/isalist/
<//www.freelists.org/archives/isalist/>
>>> > ISA Server Newsletter:
>>> http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp>
>>> > ISA Server Articles and Tutorials:
>>> > http://www.isaserver.org/articles_tutorials/
<http://www.isaserver.org/articles_tutorials/>
>>> > ISA Server Blogs: http://blogs.isaserver.org/
<http://blogs.isaserver.org/>
>>> > ------------------------------------------------------
>>> > Visit TechGenix.com for more information about our other sites:
>>> > http://www.techgenix.com <http://www.techgenix.com>
>>> > ------------------------------------------------------
>>> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
<http://www.isaserver.org/pages/isalist.asp>
>>> > Report abuse to listadmin@xxxxxxxxxxxxx
<mailto:listadmin@xxxxxxxxxxxxx>
>>> >
>>> > ------------------------------------------------------
>>> > List Archives: //www.freelists.org/archives/isalist/
<//www.freelists.org/archives/isalist/>
>>> > ISA Server Newsletter:
>>> http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp>
>>> > ISA Server Articles and Tutorials:
>>> > http://www.isaserver.org/articles_tutorials/
<http://www.isaserver.org/articles_tutorials/>
>>> > ISA Server Blogs: http://blogs.isaserver.org/
<http://blogs.isaserver.org/>
>>> > ------------------------------------------------------
>>> > Visit TechGenix.com for more information about our other sites:
>>> > http://www.techgenix.com <http://www.techgenix.com>
>>> > ------------------------------------------------------
>>> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
<http://www.isaserver.org/pages/isalist.asp>
>>> > Report abuse to listadmin@xxxxxxxxxxxxx
<mailto:listadmin@xxxxxxxxxxxxx>
>>> >
>>> >
>>> >
>>> ------------------------------------------------------
>>> List Archives: //www.freelists.org/archives/isalist/
<//www.freelists.org/archives/isalist/>
>>> ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp>
>>> ISA Server Articles and Tutorials:
>>> http://www.isaserver.org/articles_tutorials/
<http://www.isaserver.org/articles_tutorials/>
>>> ISA Server Blogs: http://blogs.isaserver.org/
<http://blogs.isaserver.org/>
>>> ------------------------------------------------------
>>> Visit TechGenix.com for more information about our other sites:
>>> http://www.techgenix.com <http://www.techgenix.com>
>>> ------------------------------------------------------
>>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
<http://www.isaserver.org/pages/isalist.asp>
>>> Report abuse to listadmin@xxxxxxxxxxxxx
<mailto:listadmin@xxxxxxxxxxxxx>
>>>
>>> ------------------------------------------------------
>>> List Archives: //www.freelists.org/archives/isalist/
<//www.freelists.org/archives/isalist/>
>>> ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp>
>>> ISA Server Articles and Tutorials:
>>> http://www.isaserver.org/articles_tutorials/
<http://www.isaserver.org/articles_tutorials/>
>>> ISA Server Blogs: http://blogs.isaserver.org/
<http://blogs.isaserver.org/>
>>> ------------------------------------------------------
>>> Visit TechGenix.com for more information about our other sites:
>>> http://www.techgenix.com <http://www.techgenix.com>
>>> ------------------------------------------------------
>>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
<http://www.isaserver.org/pages/isalist.asp>
>>> Report abuse to listadmin@xxxxxxxxxxxxx
<mailto:listadmin@xxxxxxxxxxxxx>
>>>
>>>
>>>
>> ------------------------------------------------------
>> List Archives: //www.freelists.org/archives/isalist/
<//www.freelists.org/archives/isalist/>
>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp>
>> ISA Server Articles and Tutorials:
>> http://www.isaserver.org/articles_tutorials/
<http://www.isaserver.org/articles_tutorials/>
>> ISA Server Blogs: http://blogs.isaserver.org/
<http://blogs.isaserver.org/>
>> ------------------------------------------------------
>> Visit TechGenix.com for more information about our other sites:
>> http://www.techgenix.com <http://www.techgenix.com>
>> ------------------------------------------------------
>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
<http://www.isaserver.org/pages/isalist.asp>
>> Report abuse to listadmin@xxxxxxxxxxxxx
<mailto:listadmin@xxxxxxxxxxxxx>
>>
>> ------------------------------------------------------
>> List Archives: //www.freelists.org/archives/isalist/
<//www.freelists.org/archives/isalist/>
>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp>
>> ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
<http://www.isaserver.org/articles_tutorials/>
>> ISA Server Blogs: http://blogs.isaserver.org/
<http://blogs.isaserver.org/>
>> ------------------------------------------------------
>> Visit TechGenix.com for more information about our other sites:
>> http://www.techgenix.com <http://www.techgenix.com>
>> ------------------------------------------------------
>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
<http://www.isaserver.org/pages/isalist.asp>
>> Report abuse to listadmin@xxxxxxxxxxxxx
<mailto:listadmin@xxxxxxxxxxxxx>
>>
>>
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
