Re: Restrict Internet access to certain websites based on logged o
- From: "Lakha" <Lakha@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 18 Nov 2005 02:58:04 -0800
Hi Guys - thanks for your input so far.

This question asks specifically what I'm trying to achieve with ISA Server
2004. Regarding HTTP, if a client is not a web proxy client (no proxy settings
configured in the browser) and I have disabled the "web proxy filter" for
HTTP, can my rules still work if I use "domain name sets" and "URL sets"? An
article I've read says that if you disable the web proxy filter, then ISA
Server 2004 no longer performs HTTP content inspection. So does this include
URL/domain name sets and the properties you can set when you configure HTTP
for a rule?

My problem is this: if I enable the "web proxy filter", the ISA Server will
proxy HTTP requests, so the packets will then have the source address which is
configured for the external interface, but the external IP in my setup is a
private 172.. IP, so packets will never come back from the Internet. But if I
disable the filter then I cannot use URL/domain name sets or configure HTTP
(block extensions, signatures...etc). Well, you can configure the options, but
they don't actually work when the filter is disabled.

Is there a workaround for this problem? I want to be able to inspect HTTP
content etc./restrict access to certain websites, but it looks like these
features do not work when you disable the "web proxy filter"??? Thanks.
--
Lakha
"Phillip Windell" wrote:
> "Lakha" <Lakha@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:D78B273A-458D-40FE-AF85-1415FCC9B24A@xxxxxxxxxxxxxxxx
> > when you configure the browser settings on a client pc behind isa server -
> > that client becomes a webproxy client - so http connections will be proxied
> > via ISA server - proxying means that the isa server will send the http
> > request to the destination webserver, the http packets will be modified so
> > that the source address will be that of the external interface of the ISA
>
> No they are not modified, they are eliminated,...what you are describing is
> NAT. Proxying is a totally different technology. The confusion is probably
> because ISA does both depending on which "service" you use. the Web Proxy
> Service and the Firewall Service are "proxying services", while the
> SecureNAT Service is a "nat service".
>
> But we are getting side-tracked here anyway. The reason I asked about the
> "172 thing" is because it may have something to do with your problem. I
> think you misunderstand what you are dealing with, and as a result have taken
> incorrect measures which make an even bigger mess than you started with.
>
> > So I do not want to NAT, I want http traffic to pass through the ISA server
> > without being natted, only way to do this is to disable the web proxy filter,
> > and set a new network rule with a route relationship from internal to
> > external.
>
> You cannot do that. A routing relationship from Internal to External will do
> nothing but stop everything in its tracks because RFC Private address will
> not function without either using NAT or Proxying (one or the other).
>
> > Now http traffic will not be natted.
> >
> > http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ts_proxy_traffic.mspx
>
> You are misinterpreting what you are reading with that link.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/ISA2004_AccessRules.html
>
> Microsoft Internet Security & Acceleration Server: Guidance
> http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
> http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
> -----------------------------------------------------