RE: Web proxy or Firewall Client (to be or not to be)
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 17 Feb 2003 01:19:29 -0600
Hi Alfonso,
There should be no entries in your firewall logs, since the clients are
not configured as Web Proxy or SecureNAT clients. They should be
configured as Web Proxy clients only. To ensure that only Web Proxy
clients are able to access the Internet, configure the HTTP Redirector
to drop requests from SecureNAT and Firewall clients.
Then you can analyze the Web Proxy service logs to determine why the
client can and cannot access FTP sites. Make sure all fields are
enabled, so that you can tell which rule is alllowing/denying access.
HTH,
Tom
Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
-----Original Message-----
From: Lesky Alfonso M. [mailto:leskyam@xxxxxxxxxxxxxxx]
Sent: Monday, February 17, 2003 1:01 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Web proxy or Firewall Client (to be or not to be)
http://www.ISAserver.org
Hi, thaks for your time.
Yes, the clients are logged onto the domain, I have reviewed the logs,
no
just Web proxy logs, the Firewall logs too.
Look at the Firewall log when a client request a FTP site:
192.168.60.2 - - 06:52:04 - 169.158.1.20
21
21 TCP Connect 13301 - S&C A Sitios ONAT
192.168.60.2 - - 06:52:04 - 169.158.1.20
21
21 TCP Connect 13301 - S&C A Sitios ONAT
Why with older vertions of IE I haven't problem with this?
Note.
One more data: RAS Clients can navegate FTP Sites.
-----Original Message-----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Date: Mon, 17 Feb 2003 00:26:46 -0600
Subject: [isalist] RE: Web proxy or Firewall Client (to be or not to be)
> http://www.ISAserver.org
>
>
> Hi Alfonso,
>
> You need to configure the clients as Web Proxy clients and you need to
> configure the HTTP Redirector to drop requests from Firewall client
and
> SecureNAT clients. At that point, only requests from Web Proxy clients
> will be accepted by the Web Proxy service.
>
> However, since you're not using the SecureNAT or Firewall client
> configurations, the ONLY way the clients will access external FTP
sites
> is via the Web Proxy service. Make sure the clients log onto the
domain
> so that they have credentials to the send the Web Proxy service.
>
> Review your Web Proxy logs for troubleshooting issues.
>
> HTH,
> Tom
>
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
>
>
>
>
>
> -----Original Message-----
> From: Lesky Alfonso M. [mailto:leskyam@xxxxxxxxxxxxxxx]
> Sent: Sunday, February 16, 2003 11:40 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web proxy or Firewall Client (to be or not to
> be)
>
>
> http://www.ISAserver.org
>
>
>
> Thanks, but It did not work.
>
> The clients making the request are not SecureNAT clients nor Firawall
> Clients. They are just trying to access FTP sites outsite the LAN with
> IE. Remember I wrote that IE versions up to 4.0 works fine.
>
> Saludos,
>
> Lesky Alfonso M.
>
>
> -----Original Message-----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Date: Sun, 16 Feb 2003 23:13:59 -0600
> Subject: [isalist] RE: Web proxy or Firewall Client (to be or not to
> be)
>
> > http://www.ISAserver.org
> >
> >
> > Hi Alfonso,
> >
> > Configure the HTTP Redirector to drop requests from SecureNAT and
> > Firewall clients. Then require authentication.
> >
> > HTH,
> > Tom
> >
> > Thomas W Shinder
> > www.isaserver.org/shinder
> > ISA Server and Beyond: http://tinyurl.com/1jq1
> > Configuring ISA Server: http://tinyurl.com/1llp
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: Lesky Alfonso M. [mailto:leskyam@xxxxxxxxxxxxxxx]
> > Sent: Sunday, February 16, 2003 11:03 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Web proxy or Firewall Client (to be or not to be)
> >
> >
> > http://www.ISAserver.org
> >
> >
> > Hi, thanks for your time.
> >
> > Web Proxy Clients appears as Firewall Clients!!!???
> >
> > 1. I have ISA Server (SP1) installed on a w2k.
> > 2. The objects of the ISA are in the Active Directory
> > Schema.
> > 3. There are Two NICs on the ISA Server PC.
> >
> > When I configure a rule for FTP Access "Applied to any
> > request o to a group of IPs" everything is ok, but when I
> > Applie this rule to a especific group of users there is no
> > access and the Clients appears to be Firewall clients.
> > Some days ago I installed a computer with W95, IE 3.01 and
> > while nobody got access to FTP sites aoutside my network
> > that PC got it, I updated IE to version 4.0 and everything
> > OK, but que updated to IE 5.0, the situation was the same
> > for this PC too. When I install firewall client software
> > on workstatios no more problen with FTP access, but I
> > think taht is not the solution. This situation is diferent
> > with HTTP, I separate the rules (one for FTP & one for
> > HTTP) and I am applying the rule to the especific group of
> > users without problems.
> >
> > Does anyone know what is going on?
> >
> > Thanks for your time, again.
> >
> >
> > Saludos,
> >
> > Lesky Alfonso M.
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Exchange Server Resource Site: http://www.msexchange.org/
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List
> as:
> > tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Exchange Server Resource Site: http://www.msexchange.org/
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List
> as:
> > leskyam@xxxxxxxxxxxxxxx
> > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Exchange Server Resource Site: http://www.msexchange.org/
> Windows Security Resource Site: http://www.windowsecurity.com/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Exchange Server Resource Site: http://www.msexchange.org/
> Windows Security Resource Site: http://www.windowsecurity.com/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> leskyam@xxxxxxxxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
Other related posts:
