Re: Excluding internal IPs from being proxied
From: A.Klimkin (aklimkin)
Date: 11/19/04
- Next message: iwannabfishn: "Installing Firewall Client Share after ISA server 2004"
- Previous message: Phillip Windell: "Re: Excluding internal IPs from being proxied"
- In reply to: Phillip Windell: "Re: Excluding internal IPs from being proxied"
- Next in thread: Phillip Windell: "Re: Excluding internal IPs from being proxied"
- Reply: Phillip Windell: "Re: Excluding internal IPs from being proxied"
Date: Fri, 19 Nov 2004 18:31:13 +0300
I see, Phillip.
And now please take a look at the following ISA web log excerpt (.80 is my
workstation, .1 is ISA2004 firewall and .210 is some internal host I'm
trying to get access to via its IP address):
192.168.0.80, MYDOMAIN\aklimkin, Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.0; .NET CLR 1.1.4322), -, 11/19/2004, 10:50:00, -, RWALL, -,
192.168.0.210,192.168.0.1, 8080, 1, 367, 1907, http, TCP, GET,
http://192.168.0.210/, -, -, 12202, 0x0, Default rule, -, Internal,
Internal, 0x80, Denied
This log entry says that since I do not have firewall policy that allows web
access from Internal to Internal, the request is denied. If I create the
appropriate rule, the request will be allowed.
But what I'm *really* talking about in my previous post is that the ISA
*correctly* treats the request as being destined to the internal network, as
it is shown in the above log entry.
So I came to the conclusion that incorrect URL string parsing is not the
case. The point is the request should *never* be processed by web proxy
service since I configured this via 'Bypass proxy for Web servers in this
network' web browser configuration option. And I discovered that this
configuration option does not work as it's intended to. And I found a
workaround that has been listed in previous post, too.
I don't say that my claims are absolutely right. If someone could perform
the same test on their environment, they could confirm or disprove my
conclusions. And then, of course, share with us their test results.
Regards,
Andrew
"Phillip Windell" <@.> wrote in message
news:OuLm3OkzEHA.2572@tk2msftngp13.phx.gbl...
> Yea. Like we were saying in the other posts, I think it is pretty simple.
> It is just seeing the "dots" in the IP# and interpreting it to be a FQDN and
> trying to resolve it. I am not a programmer but I think the logic (which
> may be flawed) goes like this:
>
> If string contains "dots" then
>     It is a FQDN, treat accordingly
> Else
>     It is a Netbios Name, treat accordingly
> End if
>
>
> **Maybe it should really go like this:**
>
> If string contains "dots" then
>     Test if it is a FQDN or IP#, Split sections between "dots"
>     If all four sections are a number between 0 and 255 then
>         It is an IP#, treat accordingly
>     Else
>         It is a FQDN, treat accordingly
>     End if
> Else
>     It is a Netbios Name, treat accordingly
> End if
>
>
> Again I am not a programmer and I have no idea how it is really coded, I am
> only trying to describe what I think the behavior is.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
> "A.Klimkin" <aklimkin at mail dot ru> wrote in message
> news:%23UOmXbizEHA.3376@TK2MSFTNGP12.phx.gbl...
> > Hello NG!
> >
> > Latest ontopic conversations in this newsgroup prompted me to perform some
> > additional testing, and I discovered the following interesting thing.
> > For me it seems that the 'Bypass proxy for Web servers in this network' web
> > browser configuration option for internal network object does not work at
> > all. Whether this option is checked, or not - [for some **cking reason] you
> > cannot access the internal web resources via IP addresses. Web proxy log
> > contains appropriate 'Denied' entries clearly saying that requests to
> > internal net pass through the web proxy service.
> > I resolved the issue by entering the whole internal network IP range in the
> > 'Directly access this servers or domains:' list. After applying the firewall
> > policy changes, everything starts to work exactly as it should - requests to
> > internal resources via IP address are no longer being passed to web proxy
> > service and directly hit the destination.
> > Could anyone confirm the same behavior with his ISA2004 environment?
> >
> > Regards,
> > Andrew
> >
> >
>
>
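The name test Phillip proposes, combined with Andrew's workaround of listing the internal range for direct access, written out as an added example in the shape of a browser proxy auto-config decision. It is not part of either post and not ISA Server's code or its generated routing script. Assumptions: the /24 mask, the domain suffix, and the policy of sending single-label names direct are constructed for illustration; the proxy address and port are the ones in the log excerpt.

```javascript
// Added illustration; not ISA Server's code or its generated routing script.
// Assumed values: the /24 mask and the domain suffix are constructed;
// the proxy address and port are the ones shown in the log excerpt.
const INTERNAL_NET = { base: "192.168.0.0", mask: "255.255.255.0" };
const INTERNAL_SUFFIX = ".mydomain.example"; // hypothetical internal DNS suffix
const PROXY = "PROXY 192.168.0.1:8080";

// Return the 32-bit value of a strict dotted quad, or null if it is not one.
function ipv4ToInt(host) {
  const parts = host.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    // Digits only, no empty labels, no leading zeros such as "010".
    if (!/^(0|[1-9]\d{0,2})$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value;
}

// "Dots" alone do not make a FQDN: test for an IP literal first.
function classifyHost(host) {
  if (!host.includes(".")) return "netbios";
  return ipv4ToInt(host) !== null ? "ip" : "fqdn";
}

function inNet(host, net) {
  const ip = ipv4ToInt(host), base = ipv4ToInt(net.base), mask = ipv4ToInt(net.mask);
  // JavaScript bitwise AND is signed 32-bit; >>> 0 makes both sides unsigned.
  return ip !== null && ((ip & mask) >>> 0) === ((base & mask) >>> 0);
}

// Same decision a PAC FindProxyForURL(url, host) would return.
function routeFor(host) {
  host = host.toLowerCase();
  switch (classifyHost(host)) {
    case "netbios": return "DIRECT"; // assumed policy for single-label names
    case "ip": return inNet(host, INTERNAL_NET) ? "DIRECT" : PROXY;
    default: return host.endsWith(INTERNAL_SUFFIX) ? "DIRECT" : PROXY;
  }
}
```

With the naive "contains dots" test, `192.168.0.210` falls into the FQDN branch and is sent to the proxy, which matches the `Denied` entry in the log above.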