Re: Access published webservers with a proxy web client
- From: "Guillaume BRAUX" <v-gbraux@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 29 Sep 2006 09:17:49 +0200
Thanks for your answer, Phillip ... It gives me more indication about how ISA
works with proxy.
But let me explain what exactly my problem is (the previous post was a
kind of "introduction" :)).
My proxy clients will not come from the internal network, but from the
EXTERNAL network (from the internet)!
As in ISA you can't activate proxy web on the built-in EXTERNAL network, I
created a new network called "my proxy clients" regrouping all internet IPs
(except my DMZ and internal network subnet). I activated proxy web on this
network.
So in this case, the built-in "external" network is unusable (as the external
network regroups all IPs not defined in other networks ... in my case, all
internet IPs are in "my proxy clients").
With this configuration, with proxy clients coming from the "new" external
network I created, the clients do not take care of web publishing rules, as
I described in my previous post, and connect directly to the webservers
(through the "white list rule", as if they were in the internal network) ...
So I get exactly the same problem as when proxy users were in the internal
network ...
I want my external proxy clients to go through the web publication rule (as you
said, publishing rules only apply to external, so it should work - except if
external proxy clients are not considered as coming from the external ...) ...
Any idea?
This problem is making me crazy!
Thanks for your help,
Guillaume
"Phillip Windell" <@.> wrote in message news:
OnYJpI14GHA.4560@xxxxxxxxxxxxxxxxxxxxxxx
Internal Users are supposed to go out via normal Access Rules when the
target machines are in the DMZ or the Internet.
Internal Users are not supposed to use the ISA at all when the Website is
internal. The URL is supposed to resolve to the Private IP of the website
for them, which means they go directly to the site without ISA.
Publishing rules are *only* for external users going to the websites when
the websites are either in the DMZ or the Private LAN. However internal
users can use Web Publishing Rules, and only Web Publishing Rules, if the
URL resolves to the external IP# of the ISA,...but this isn't the way it
is recommended.
It sounds to me like everything is working exactly the way it is supposed
to.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
"Guillaume BRAUX" <v-gbraux@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:451c372c$0$5095$ba4acef3@xxxxxxxxxxxxxxxxx
Hello,
I am having a problem with ISA Server 2004 and proxy web clients ...
I have my proxy clients on the internal network (proxy web activated) and
my servers on a DMZ network (internet is on the external network).
I published my different web servers with an HTTP listener on port
80.
I also have a rule which is a "white list" listing all allowed internet
websites the user can access (source: internal network / destination: URL
set of all sites allowed).
In the white list, I have also included the URL of the website I publish
myself.
The problem is that proxy clients DO NOT TAKE CARE OF THE WEBSERVER
PUBLISHING RULE ... They access the webservers in the DMZ directly (the
"white list" rule allows them to do it - only this rule is used when a
proxy client connects ... cf. monitoring). So the different policies I
defined in the publishing rule do not apply to proxy clients (path
translation, HTTP to HTTPS translation ...). I can, if I want, disable
the publishing rule; it will still work, and I will gain access to my
webservers.
When I connect using a SecureNAT client (when I disable the proxy
configuration in Internet Explorer), it WORKS FINE and the rule applying
is the publishing rule, and I gain access to my webservers correctly.
I have to use a proxy server for my clients for authentication purposes
... Where is my mistake? Why don't my proxy clients use the publishing
rule? I need them to use this rule (as for SecureNAT clients), as the
publishing rule does a lot of path rewriting, needed by my webservers to
work correctly ...
Thanks for your help,
Guillaume