Re: Restrict Internet access to certain websites based on logged o
- From: "Lakha" <Lakha@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 15 Nov 2005 09:57:04 -0800
When you configure the browser settings on a client PC behind ISA Server,
that client becomes a Web Proxy client, so HTTP connections will be proxied
via ISA Server. Proxying means that the ISA server will send the HTTP
request to the destination web server; the HTTP packets will be modified so
that the source address will be that of the external interface of the ISA
server. The reply packets sent from the website will have the destination
address pointing to the external IP address of the ISA server, then the packet
will be routed internally to the client. If ISA is your default gateway then
your clients are SecureNAT clients; out of the box the HTTP traffic will be
NATed by the default "Internet Access" rule.
If your external IP address is 172... then your HTTP traffic will never get
on the internet because these are "private" address ranges.
So I do not want to NAT; I want HTTP traffic to pass through the ISA server
without being NATed. The only way to do this is to disable the Web Proxy filter
and set a new network rule with a route relationship from internal to
external.
Now HTTP traffic will not be NATed.
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ts_proxy_traffic.mspx
--
Lakha
"Phillip Windell" wrote:
> "Lakha" <Lakha@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:CFBB218B-399C-48C1-BD5B-08ED3738A28C@xxxxxxxxxxxxxxxx
> > In my setup I have disabled the "web proxy filter" for http, reason being is
> > that I cannot have http traffic being natted - the external ip is 172..
> > (private - internet nonrouteable) so will never reach the internet from
> > inside our corporate network.
> > So at the moment http traffic is not natted.
>
> What does that mean? First, the Web Proxy Service does not "nat" the
> traffic, it "proxies" it. Second, without nat or proxying (one or the
> other) you are not going anywhere.
>
> > With no exceptions, the rules work: if I log on as a restricted user I am
> > denied access to all websites, and if I log on as a nonrestricted user I can
> > get onto any website.
>
> 1. Put the web proxy filter back the way it is supposed to be
> 2. Explain exactly how you created the Rules and the "order" they appear on
> the list
> 3. Explain this deal about the 172 address and why you think you need to do
> such strange things with it. Most likely it can be easily dealt with by
> just doing things right to start with.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/ISA2004_AccessRules.html
>
> Microsoft Internet Security & Acceleration Server: Guidance
> http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
> http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
> -----------------------------------------------------