Hi Shawn,

Ha! OK, didn't think about the ISA firewall being in "capon" mode ;-)

Tom
www.isaserver.org/shinder
Get the book! Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Quillman Shawn (RBNA/CSA1) * [mailto:Shawn.Quillman@xxxxxxxxxxxx]
Sent: Monday, August 09, 2004 11:57 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Using the firewall client to webproxy access upstream ISA server

http://www.ISAserver.org

If the internal ISAs are installed in cache mode then they would just sit on the internal subnet(s), same as the internal interface of ISAx. There would be regular routes to the internal interface of ISAx, thus the ability to bypass the internal ISAs. The problem in that scenario is that there's no access control on ISAx.

-Shawn

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Monday, August 09, 2004 12:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Using the firewall client to webproxy access upstream ISA server

http://www.ISAserver.org

Hi Shawn,

But how can the downstream clients get past the downstream ISA firewalls when TCP and UDP 1745 are not allowed outbound?

Tom
www.isaserver.org/shinder
Get the book! Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Quillman Shawn (RBNA/CSA1) * [mailto:Shawn.Quillman@xxxxxxxxxxxx]
Sent: Monday, August 09, 2004 11:17 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Using the firewall client to webproxy access upstream ISA server

http://www.ISAserver.org

I assume this is what you have, given the fact that pointing IE to the upstream server is actually letting them through:

Internal ISA 1----
                  |        DMZ
                  |         |
Internal ISA 2------ ISAx --|-- ISAy -- Internet
                  |         |
Internal ISA 3----

If so, create a client address set on ISAx to only allow incoming requests from the Internal ISAs.

-Shawn

-----Original Message-----
From: Andy Greenhalgh [mailto:andy.greenhalgh@xxxxxxxxxxxxxxxxxxx]
Sent: Monday, August 09, 2004 12:52 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Using the firewall client to webproxy access upstream ISA server

http://www.ISAserver.org

We have a back to back ISA server DMZ configuration. We run 3 internal ISA servers for 3 separate internal networks, Corporate, Education, and Public Library. The DMZ has a single connection to the internet. Each internal network has different content filtering requirements so the content filtering is installed on each internal ISA server.

Some of our more technically able users are bypassing the content filtering by configuring Internet Explorer to use the upstream ISA server IP address and using the firewall client to reach the upstream ISA server.

Is there a configuration which can prevent this? Our users will still need to access some content using the firewall client.

Andy Greenhalgh

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: shawn.quillman@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
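
Added example (not part of the original thread, and not from any of its posters): a log audit for ISAx that lists clients reaching it directly instead of through Internal ISA 1-3, which is the traffic the suggested client address set would block. The IP addresses, the tab-separated `#Fields:` layout and the field names (`c-ip`, `r-host`) are assumptions, and the log lines are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Assumed (hypothetical) DMZ-side addresses of Internal ISA 1, 2 and 3.
DOWNSTREAM_ISAS = {ipaddress.ip_address(a)
                   for a in ("10.0.0.11", "10.0.0.12", "10.0.0.13")}

# Constructed sample of an upstream proxy log; not real data.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: c-ip\tcs-username\tdate\ttime\tr-host\tsc-status
10.0.0.11\tanonymous\t2004-08-09\t11:02:10\twww.example.com\t200
192.168.20.57\tanonymous\t2004-08-09\t11:02:31\tgames.example.net\t200
10.0.0.12\tanonymous\t2004-08-09\t11:03:02\twww.example.org\t200
192.168.20.57\tanonymous\t2004-08-09\t11:03:40\twww.example.org\t200
not-an-ip\tanonymous\t2004-08-09\t11:04:00\twww.example.com\t200
192.168.30.8\tanonymous\t2004-08-09\t11:05:12\twww.example.com\t200
"""

def find_bypass_clients(log_text, allowed=DOWNSTREAM_ISAS):
    """Return {client_ip: {"requests": n, "hosts": [...]}} for every
    client that is not one of the downstream ISA servers."""
    fields = None
    seen = defaultdict(lambda: {"requests": 0, "hosts": set()})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order comes from the header, not a fixed position.
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #Fields directive")
        row = dict(zip(fields, line.split("\t")))
        try:
            client = ipaddress.ip_address(row["c-ip"])
        except (KeyError, ValueError):
            continue  # malformed or truncated record: skip it
        if client not in allowed:
            entry = seen[str(client)]
            entry["requests"] += 1
            entry["hosts"].add(row.get("r-host", "-"))
    return {ip: {"requests": e["requests"], "hosts": sorted(e["hosts"])}
            for ip, e in seen.items()}

if __name__ == "__main__":
    for ip, info in sorted(find_bypass_clients(SAMPLE_LOG).items()):
        print(ip, info["requests"], ", ".join(info["hosts"]))
```

Once the client address set is in place on ISAx, the same audit run against new logs should return an empty result.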