RE: SecureNAt
- From: "Lakha" <Lakha@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 24 Oct 2005 05:46:02 -0700
Hi,
Many thanks for your help, disabling the web proxy filter stops the natting
which is perfect from a routing point of view as the http traffic is no
longer natted with the private 172.. external ip.
However it now means that the ISA server cannot act as a Web Proxy Cache
Server, all http traffic goes directly to the destination website and does
not get served from the cache.
So this fix while it does what I want it to do, compromises the proxy
feature of ISA Server 2004. I know that when you have a single adapter ISA
server, the web requests that proxy through this single adapter ISA server
have their source addresses modified so the request comes from the ISA
server, which then fetches and passes the results to the original client.
I think with two network cards the ISA by default NATs http traffic by
substituting the original ip src addr with the External Interface ip address
(in my case this is a 172 address, so the request never gets to the
internet). So my next question: is it possible to force ISA Server 2004 to
use the internal interface ip address when it does the NAT substitution?
Many Thanks for your help..
--
Lakha
"Johnnie Mac" wrote:
> Hi,
> you need to disable the web proxy
> http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ts_proxy_traffic.mspx#appendix-a
>
> this should fix the problems.
>
> Regards
> John
>
> Appendix A: Disable the Web Proxy Filter
> To disable the Web Proxy filter for HTTP, do the following:
>
> 1. In ISA Server Management, click the Firewall Policy node.
> 2. On the Toolbox tab, click Protocols.
> 3. Expand All Protocols, right-click HTTP, and then click Properties.
> 4. Click the Parameters tab, and in Application Filters, clear Web Proxy
>    Filter. Then click OK.
> 5. Click Apply to update the firewall policy.
>
> Note: Requests from Web browsers (with proxy settings pointing to ISA Server)
> still go through the Web Proxy filter.
>
>
> --
> JohnnieMac
>
>
> "Lakha" wrote:
>
> > Hi All,
> > I want all the machines in our company to go through ISA server 2004 firewall.
> > I have installed ISA server 2004, disabled the default internet access rule
> > (nat) and created a new network rule that routes traffic from all network to
> > all networks. So as far as I can see no NATting is configured. I have created
> > a new access policy rule that allows all traffic out.
> >
> > Routing from internal/localhost to external subnets seems to work fine, but
> > when I use http protocol (try to get on the internet) the ISA server NATs
> > the ip src address of the packet, and this being a private ip address 172...,
> > our main corporate firewall drops the packet.
> >
> > All machines by Microsoft's definition will be SecureNAT clients, because
> > their default gateway is set to point to the internal ip address of the ISA
> > server.
> > Even if I configure the client to be a webproxy client (point its browser to
> > the internal ip of the ISA server), or even use the Firewall Client Software
> > http sessions are still NATted.
> >
> > So my question is this: can you disable NATting on ISA Server 2004? All I
> > want is pure routing.
> >
> > Many Thanks.
> >
> > --
> > Lakha