RE: Web Client Requests

• From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Sat, 28 Jan 2006 07:05:03 -0800

Contrary to tribal knowledge, there's nothing special about the SBS
installation of ISA other than some rules that make me nauseous and
wizards that remove the burden of understanding.  The SBS version of ISA
is ISA Std Edition.

I think you're referring to disassociating the Web Proxy filter from the
HTTP protocol as is offered for some apps that can't authenticate at
all?

..which brings up my next point - while it's true that there are some
apps that think they have a direct link to their desired destination,
this technique should be the *last* line of defense; not the first.

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------
-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Saturday, January 28, 2006 5:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Web Client Requests

http://www.ISAserver.org

So then in the SBS world once we check the box that allows apps to
bi-pass the web proxy filter won't everything then bi-pass it? In the
first ISA, she says, she would allow unauthenticated access and
everything would then go through?

Amy

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Saturday, January 28, 2006 1:58 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Web Client Requests

http://www.ISAserver.org

I'm not clear on "basic and authenticated", since basic is an
authentication mechanism?  If you mean "basic and <anything else
offered>", it's up to the client to choose the strongest method it
supports (RFC 2617).

In the first "ISA, she say:", ISA advises the client what auth methods
it will accept )Negotiate, NTLM, Kerberos in my example).
In the second "Client, he say:", the client responds with the auth
method it wants to use.  In this response, the specified auth method
*must* be one of the options ISA previously presented, or ISA will
reject the auth attempt.

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------
-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Friday, January 27, 2006 5:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Web Client Requests

http://www.ISAserver.org

I'll probably get your post a day or two from now. They tend to come in
blobs. 20 messages today, 300 tomorrow. I find it difficult to keep
track of a thread. I don't even ask yahoo to send it out of their own
system. It gets delivered to my yahoo account! Maybe I should sign up
under a non-yahoo address and see if I have any better success.

I understand that the authentication process starts all over again. What
I'm asking is, if I enable basic and authenticated access for the
listener, what determines whether ISA will accept basic or authenticated
for a particular packet? 

Amy
 
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Friday, January 27, 2006 5:24 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Web Client Requests

http://www.ISAserver.org

sbs2k@xxxxxxxxxxxxxxx

The point is that:
1. the clients know diddly (and maybe even squat) about the way the
proxy is configured
2. unless the client is using proxy:keepalive in the client-to-proxy
connection, each request is an introduction between the client and the
proxy 

Thus, each new connection between the client and proxy incurs a new
authentication requirement and the ball starts bouncing all over again.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Friday, January 27, 2006 14:11
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Web Client Requests

Which forum? 

 

So here is where I get confused. If my web listener allows both
non-authenticated and authenticated requests, then why after I allow
non-authenticated access does ISA ever require authentication? Won't
everything then be accepted with authentication?

 

Amy

 

________________________________

From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
Sent: Friday, January 27, 2006 3:38 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Web Client Requests

 

Hey guys, im forwarding this message on behalf of Jim. He posted it to
another list and true to form it was too good an explanation not to
impart on the masses (or the cheesemakers).

 

This traces the path of your IE (or other) http requests and explains
why you will always see anonymous requests in your web logs. Thanks Jim

 

Greg Mulholland


>>>>>>>>>>>>>>

Correct - all web clients do exactly that.
This is also why the logs will forever contain anonymous requests even
if all you allow are authenticated connections, because ISA will log
those denied anonymous requests.

What you can't tell from the logs is what happens after that in detail.
This requires a bit of Netmon (or Ethereal, if you swing that way)
sleuthing.

Here's the bouncing ball:

** Client, he say:
GET http://www.isaserver.org/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
CLR 1.1.4322; InfoPath.1)
Host: www.isaserver.org
Proxy-Connection: Keep-Alive

** ISA, she say:
HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires
authorization to fulfill the request. Access to the Web Proxy service is
denied.  )
Via: 1.1 HEARTOFGOLD
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 4113 

..note - the ISA in this case (as in yours, probably) logged this
request as anonymous and responded saying that it allowed three
authentication methods: Negotiate, Kerberos and NTLM.  These are the
default auth methods for any ISA installation (including SBS).

** Client, he say:
GET http://www.isaserver.org/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
CLR 1.1.4322; InfoPath.1)
Host: www.isaserver.org
Proxy-Connection: Keep-Alive
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAB7IIogQABAAzAAAACwALACgAAAAFASgKAAAAD0ZPUkRQUkVGRUNUSE9N
RQ==

Note that the client chose NTLM auth and passed the first part of the
handshake in Base-64 encoding.  Not to worry, this isn't like Basic,
which is base-64 encoded plain text; this is base-64 encoded encrypted
information.  ISA also logs this request as anonymous.

** ISA, she say:
HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )
Via: 1.1 HEARTOFGOLD
Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAACAAIADgAAAAFgomiWWcfZe6QNCsAAAAAAAAAALQAtABAAAAABQLODgAA
AA9IAE8ATQBFAAIACABIAE8ATQBFAAEAFgBIAEUAQQBSAFQATwBGAEcATwBMAEQABAAiAGgA
bwBtAGUALgBqAGEAbABvAGoAYQBzAGgALgBvAHIAZwADADoAaABlAGEAcgB0AG8AZgBnAG8A
bABkAC4AaABvAG0AZQAuAGoAYQBsAG8AagBhAHMAaAAuAG8AcgBnAAUAIgBoAG8AbQBlAC4A
agBhAGwAbwBqAGEAcwBoAC4AbwByAGcAAAAAAA==
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 0  

Note that ISA also passed some NTLM data back to the client - this is
part and parcel to NTLM authentication even outside of HTTP

** Client, he say:
GET http://www.isaserver.org/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET
CLR 1.1.4322; InfoPath.1)
Host: www.isaserver.org
Proxy-Connection: Keep-Alive
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAG4AAAAYABgAhgAAAAgACABIAAAACAAIAFAAAAAWABYAWAAAAAAA
AACeAAAABYKIogUBKAoAAAAPSABPAE0ARQBKAGkAbQBIAEYATwBSAEQAUABSAEUARgBFAEMA
VABunrbKxTfLxwAAAAAAAAAAAAAAAAAAAABNhP8BkKK3ZR1MXfC2h14+Q4IQaVlWRH8=


Note that the client passes the remaining part of the NTLM handshake -
if ISA can resolve the credentials passed by the client during this
process, all will be FD&H.

** ISA, she say:
HTTP/1.1 200 OK
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Content-Length: 40936
Via: 1.1 HEARTOFGOLD
Date: Fri, 27 Jan 2006 05:49:15 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDCCRRSRBC=EIBLFICAIMCPFBFCEKFFKBEA; path=/
Cache-control: private

This is where access is allowed (200 response).

You should note that I haven't included anything that may have been
passed in the HTTP body - it's not important to this discussion and only
makes for an unweildy thread.

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!


All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.

Other related posts:

• » Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests

1. Home
2. isalist
3. Archive
4. 01-2006

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---