Re: Restrict Internet access to certain websites based on logged o



"Lakha" <Lakha@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D78B273A-458D-40FE-AF85-1415FCC9B24A@xxxxxxxxxxxxxxxx
> when you configure the browser settings on a client pc behind isa server -
> that client becomes a webproxy client - so http connections will be proxied
> via ISA server - proxying means that the isa server will send the http
> request to the destination webserver, the http packets will be modified so
> that the source address will be that of the external interface of the ISA
> server

No packets will ever be "modified" by a proxy. You are really confusing
things here. What you're describing is a NAT service. A proxy works
differently - the original client does not attempt to contact the final
server in the first place. Instead it makes a request to the proxy server.
The proxy server then makes ANOTHER request to the final server, and when
the response comes it passes it back to the original client. Bottom line,
there is never "direct" contact between a proxy client and the final server,
instead there are two separate connections, one from the originating client
to the proxy, and another from the proxy to the final server. Maybe you
should look up the definition of the word "proxy" in an English dictionary.

You are correct that the packets reaching the final server will have the
source IP pointing to the external IP of ISA, but that is because they
originated from ISA in the first place, not because ISA's web proxy service
"modified" them.

>, the reply packets sent from the website will have the destination
> address pointing to the external ip address of the ISA server then the
> packet will be routed internally to the client.

No "routing" with the web proxy service. The web proxy service does not have
to maintain routing tables - see above.

> if ISA is your default gateway then
> your clients are SecurNAT clients, out of the box the http traffic will be
> natted by the default "Internet Access" rule.

Only if the web proxy filter is not active. That is why Phillip rightly
suggested that you re-enable that filter: that filter takes http packets from
clients that are not "web proxy" clients and redirects those requests
through the web proxy service.

> if your external ip address is 172... then your http traffic will never
> get on the internet because these are "private" address ranges.

If the web proxy filter is disabled, yes the traffic DOES get to the
Internet with an invalid (non-routable) source IP. The final server DOES get
the packets (unless a router drops them in the way), it's the REPLY that
doesn't come back. Since we're doing networking 101 class here let's get the
concepts straight first.

> So i do not want to nat, i want http traffic to pass through the ISA
> server without being natted, only way to do this is to disable the web
> proxy filter, and set a new network rule with a route relationship from
> internal to external.

If you do that ALL traffic will cease to be NAT'ed, not only http traffic.
If you're OK with that then so be it.

Virgil
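
The two-connection behaviour described in the reply above, as an added example that is not part of the original post: loopback sockets stand in for the client, the web proxy and the final server, and all function names and the `origin.example` host are hypothetical.

```python
import socket
import threading

def listen():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))      # constructed endpoints, loopback only
    s.listen(1)
    return s

def serve_once(listener, handler):
    """Accept a single connection and pass it to handler(conn, peer)."""
    def run():
        conn, peer = listener.accept()
        with conn:
            handler(conn, peer)
    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t

def demo():
    seen = {}
    origin, proxy = listen(), listen()

    def origin_handler(conn, peer):
        seen["origin_peer"] = peer            # who the final server sees calling
        conn.recv(1024)
        conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nhello")

    def proxy_handler(conn, peer):
        seen["proxy_peer"] = peer             # the real client: only the proxy sees it
        request = conn.recv(1024)
        # Second, independent TCP connection (proxy -> final server).
        # Binding first makes the kernel pick a port unlike the client's.
        with socket.create_connection(origin.getsockname(),
                                      source_address=("127.0.0.1", 0)) as up:
            seen["upstream_local"] = up.getsockname()
            up.sendall(request)
            conn.sendall(up.recv(1024))

    threads = [serve_once(origin, origin_handler), serve_once(proxy, proxy_handler)]
    with socket.create_connection(proxy.getsockname()) as client:
        seen["client_local"] = client.getsockname()
        client.sendall(b"GET http://origin.example/ HTTP/1.0\r\n\r\n")
        seen["reply"] = client.recv(1024)
    for t in threads:
        t.join(timeout=5)
    origin.close()
    proxy.close()
    return seen

if __name__ == "__main__":
    print(demo())
```

The final server's peer address matches the proxy's own upstream socket, not the client's socket, because the proxy originated that connection rather than rewriting the client's packets.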

