RE: Web proxy or Firewall Client (to be or not to be)
- From: "Lesky Alfonso M." <leskyam@xxxxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 17 Feb 2003 21:52:39 -0500
Hi, Tom
Here you are the requested file, inside I send you a fragment of both,
Web Proxy and Firewall logs.
Thanks for your time again Tom.
Note.
The file is compressed.
-----Original Message-----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Date: Mon, 17 Feb 2003 19:21:49 -0600
Subject: [isalist] RE: Web proxy or Firewall Client (to be or not to be)
> http://www.ISAserver.org
>
>
> Hi Alfonso,
>
> That is correct. If the machine is configured as a Web Proxy client
> only, you should see connections only with the Web Proxy service. Then
> you can post your Web Proxy logs with the problematic entries and we
> can
> determine what the problem might be.
>
> Thanks!
> Tom
>
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
>
>
> -----Original Message-----
> From: Lesky Alfonso M. [mailto:leskyam@xxxxxxxxxxxxxxx]
> Sent: Monday, February 17, 2003 1:39 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web proxy or Firewall Client (to be or not to
> be)
>
>
> http://www.ISAserver.org
>
>
> Hi again.
>
> Let me ask you somthing
> I have a workstation with an internal IP: 192.168.60.x, I configure the
> IE to point to ISA Server 8080, there is not firewall client software
> in
>
> this workstation this is a Web Proxy Client. Right?
>
> I have configured the HTTP Redirector since you adviced to mi, but
> nothing.
>
> Saludos,
>
> Lesky Alfonso M.
>
>
> -----Original Message-----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Date: Mon, 17 Feb 2003 01:19:29 -0600
> Subject: [isalist] RE: Web proxy or Firewall Client (to be or not to
> be)
>
> > http://www.ISAserver.org
> >
> >
> > Hi Alfonso,
> >
> > There should be no entries in your firewall logs, since the clients
> are
> > not configured as Web Proxy or SecureNAT clients. They should be
> > configured as Web Proxy clients only. To ensure that only Web Proxy
> > clients are able to access the Internet, configure the HTTP
> Redirector
> > to drop requests from SecureNAT and Firewall clients.
> >
> > Then you can analyze the Web Proxy service logs to determine why the
> > client can and cannot access FTP sites. Make sure all fields are
> > enabled, so that you can tell which rule is alllowing/denying access.
> >
> > HTH,
> > Tom
> >
> > Thomas W Shinder
> > www.isaserver.org/shinder
> > ISA Server and Beyond: http://tinyurl.com/1jq1
> > Configuring ISA Server: http://tinyurl.com/1llp
> >
> >
> > -----Original Message-----
> > From: Lesky Alfonso M. [mailto:leskyam@xxxxxxxxxxxxxxx]
> > Sent: Monday, February 17, 2003 1:01 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Web proxy or Firewall Client (to be or not to
> > be)
> >
> >
> > http://www.ISAserver.org
> >
> >
> > Hi, thaks for your time.
> >
> > Yes, the clients are logged onto the domain, I have reviewed the
> logs,
> > no
> > just Web proxy logs, the Firewall logs too.
> >
> > Look at the Firewall log when a client request a FTP site:
> >
> > 192.168.60.2 - - 06:52:04 -
169.158.1.20
> > 21
> > 21 TCP Connect 13301 - S&C A Sitios ONAT
> > 192.168.60.2 - - 06:52:04 -
169.158.1.20
> > 21
> > 21 TCP Connect 13301 - S&C A Sitios ONAT
> >
> > Why with older vertions of IE I haven't problem with this?
> >
> > Note.
> > One more data: RAS Clients can navegate FTP Sites.
> >
> >
> > -----Original Message-----
> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Date: Mon, 17 Feb 2003 00:26:46 -0600
> > Subject: [isalist] RE: Web proxy or Firewall Client (to be or not to
> > be)
> >
> > > http://www.ISAserver.org
> > >
> > >
> > > Hi Alfonso,
> > >
> > > You need to configure the clients as Web Proxy clients and you need
> > to
> > > configure the HTTP Redirector to drop requests from Firewall client
> > and
> > > SecureNAT clients. At that point, only requests from Web Proxy
> > clients
> > > will be accepted by the Web Proxy service.
> > >
> > > However, since you're not using the SecureNAT or Firewall client
> > > configurations, the ONLY way the clients will access external FTP
> > sites
> > > is via the Web Proxy service. Make sure the clients log onto the
> > domain
> > > so that they have credentials to the send the Web Proxy service.
> > >
> > > Review your Web Proxy logs for troubleshooting issues.
> > >
> > > HTH,
> > > Tom
> > >
> > > Thomas W Shinder
> > > www.isaserver.org/shinder
> > > ISA Server and Beyond: http://tinyurl.com/1jq1
> > > Configuring ISA Server: http://tinyurl.com/1llp
> > >
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Lesky Alfonso M. [mailto:leskyam@xxxxxxxxxxxxxxx]
> > > Sent: Sunday, February 16, 2003 11:40 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Web proxy or Firewall Client (to be or not
> to
> > > be)
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > >
> > >
> > > Thanks, but It did not work.
> > >
> > > The clients making the request are not SecureNAT clients nor
> Firawall
> > > Clients. They are just trying to access FTP sites outsite the LAN
> > with
> >
> > > IE. Remember I wrote that IE versions up to 4.0 works fine.
> > >
> > > Saludos,
> > >
> > > Lesky Alfonso M.
> > >
> > >
> > > -----Original Message-----
> > > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Date: Sun, 16 Feb 2003 23:13:59 -0600
> > > Subject: [isalist] RE: Web proxy or Firewall Client (to be or not
> to
> > > be)
> > >
> > > > http://www.ISAserver.org
> > > >
> > > >
> > > > Hi Alfonso,
> > > >
> > > > Configure the HTTP Redirector to drop requests from SecureNAT and
> > > > Firewall clients. Then require authentication.
> > > >
> > > > HTH,
> > > > Tom
> > > >
> > > > Thomas W Shinder
> > > > www.isaserver.org/shinder
> > > > ISA Server and Beyond: http://tinyurl.com/1jq1
> > > > Configuring ISA Server: http://tinyurl.com/1llp
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Lesky Alfonso M. [mailto:leskyam@xxxxxxxxxxxxxxx]
> > > > Sent: Sunday, February 16, 2003 11:03 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] Web proxy or Firewall Client (to be or not to
> > be)
> > > >
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > >
> > > > Hi, thanks for your time.
> > > >
> > > > Web Proxy Clients appears as Firewall Clients!!!???
> > > >
> > > > 1. I have ISA Server (SP1) installed on a w2k.
> > > > 2. The objects of the ISA are in the Active Directory
> > > > Schema.
> > > > 3. There are Two NICs on the ISA Server PC.
> > > >
> > > > When I configure a rule for FTP Access "Applied to any
> > > > request o to a group of IPs" everything is ok, but when I
> > > > Applie this rule to a especific group of users there is no
> > > > access and the Clients appears to be Firewall clients.
> > > > Some days ago I installed a computer with W95, IE 3.01 and
> > > > while nobody got access to FTP sites aoutside my network
> > > > that PC got it, I updated IE to version 4.0 and everything
> > > > OK, but que updated to IE 5.0, the situation was the same
> > > > for this PC too. When I install firewall client software
> > > > on workstatios no more problen with FTP access, but I
> > > > think taht is not the solution. This situation is diferent
> > > > with HTTP, I separate the rules (one for FTP & one for
> > > > HTTP) and I am applying the rule to the especific group of
> > > > users without problems.
> > > >
> > > > Does anyone know what is going on?
> > > >
> > > > Thanks for your time, again.
> > > >
> > > >
> > > > Saludos,
> > > >
> > > > Lesky Alfonso M.
> > > >
> > > >
> > > > ------------------------------------------------------
> > > > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Exchange Server Resource Site: http://www.msexchange.org/
> > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion
> List
> > > as:
> > > > tshinder@xxxxxxxxxxxxxxxxxx
> > > > To unsubscribe send a blank email to
> > > > $subst('Email.Unsub')
> > > >
> > > > ------------------------------------------------------
> > > > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Exchange Server Resource Site: http://www.msexchange.org/
> > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion
> List
> > > as:
> > > > leskyam@xxxxxxxxxxxxxxx
> > > > To unsubscribe send a blank email to
> > > > $subst('Email.Unsub')
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Exchange Server Resource Site: http://www.msexchange.org/
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List
> > as:
> > > tshinder@xxxxxxxxxxxxxxxxxx
> > > To unsubscribe send a blank email to
> > > $subst('Email.Unsub')
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Exchange Server Resource Site: http://www.msexchange.org/
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List
> > as:
> > > leskyam@xxxxxxxxxxxxxxx
> > > To unsubscribe send a blank email to
> > > $subst('Email.Unsub')
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Exchange Server Resource Site: http://www.msexchange.org/
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List
> as:
> > tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Exchange Server Resource Site: http://www.msexchange.org/
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List
> as:
> > leskyam@xxxxxxxxxxxxxxx
> > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Exchange Server Resource Site: http://www.msexchange.org/
> Windows Security Resource Site: http://www.windowsecurity.com/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Exchange Server Resource Site: http://www.msexchange.org/
> Windows Security Resource Site: http://www.windowsecurity.com/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> leskyam@xxxxxxxxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
Other related posts:
