Welcome to ISAserver.org

Client setup as a proxy&NAT

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2000 Firewall] >> SecureNAT Client >> Client setup as a proxy&NAT

Page: [1]

Message

<< Older Topic Newer Topic >>

Client setup as a proxy&NAT - 6.Apr.2002 6:16:00 PM

skipster

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline

If I have a client that is setup, as both a Web Proxy, and a SNAT, and i want to block a protocal, or a web site for this client, should i do this by username or by ip address? Also does a rule allowing Anonymous apply first to these clients before any deny rules? I'm running AD, and all clients are SNAT clietns,and WEb Proxy clients, running WinXP

Thanks for any input
Skip

Post #: 1

Featured Links*

RE: Client setup as a proxy&NAT - 6.Apr.2002 7:18:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Skip,

Web Proxy and Firewall clients can be controlled by username. SNAT clients only by IP-address. So, it will be hard to get your rules right. [Wink]

As the clients are running WinXP, why not use the Firewall client? Is there a particular reason for not doing it?

Also, an Anonymous rule has precedence before any other rule, including deny rules.

Hope this helps,
Stefaan

(in reply to skipster)

Post #: 2

RE: Client setup as a proxy&NAT - 6.Apr.2002 10:46:00 PM

skipster

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline

Yes the reason I dont install the firewall client is because all the client machines need to VPN into a cisco 3000 VPN server that uses IPSEC. So I was wondering if i could still take advantage of the web cache, by setting the clients up as both SNAT & Web proxy

(in reply to skipster)

Post #: 3

RE: Client setup as a proxy&NAT - 6.Apr.2002 11:15:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Skip,

hmm... I see. If all clients are Web proxy clients, then for the protocols HTTP, HTTPS and FTP download you can control access by username. If the Cisco VPN client requires a SecureNAT client (although it is UDP encapsulated or NAT traversal compatibel) you can only control other protocols by IP-addresses. This is nearly not a workable solution in a DHCP environment.

However, it is my understanding that the Cisco VPN3000 concentrator also supports PPTP. Is that an option or must you use IPSec? If PPTP is an option, I believe PPTP passthrough is also supported by ISA with the Firewall client installed.

Hope this helps,
Stefaan

(in reply to skipster)

Post #: 4

RE: Client setup as a proxy&NAT - 7.Apr.2002 6:17:00 PM

skipster

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline

Thanks for getting back. In regards to the Cisco 3000 server, it is setup to only support IPSEC.

(in reply to skipster)

Post #: 5

RE: Client setup as a proxy&NAT - 7.Apr.2002 7:46:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Skip,

have you already tested the Cisco VPN client on a SecureNAT client? If that works OK, have you also tried it on a Firewall client? However, I'm not sure it *can* work on a Firewall client.

I regret I couldn't test it myself, but I think it all depends on which level in the protocol stack the IPSec client is implemented. Will the Firewall client redirect the request before the IPSec client can do his work? [Confused]

So, if you can do the tests and report back, you'll help a lot of people with the same problem. [Wink]

Hope this helps,
Stefaan

(in reply to skipster)

Post #: 6

RE: Client setup as a proxy&NAT - 7.Apr.2002 8:59:00 PM

skipster

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline

Check out http://www.isaserver.org/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=13;t=000495

and also http://www.isaserver.org/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=13;t=000503

All answer's are within, I hope this helps

(in reply to skipster)

Post #: 7

RE: Client setup as a proxy&NAT - 7.Apr.2002 10:41:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Skip,

I know very well those posts... [Razz]

But I still have no good technical explanation why it cann't work with the Firewall client, only some thoughts. Moreover, why does PPTP work with the Firewall client? Is there some special support for it in the Firewall client?

Figure taken from http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/intnetwk/part2/intch09.asp

I hope someday one of the guru's (Tom, Jim, Jez,...) could give us a good technical explanation [Wink]

Greetings,
Stefaan

[ April 07, 2002, 10:57 PM: Message edited by: spouseele ]

(in reply to skipster)

Post #: 8

RE: Client setup as a proxy&NAT - 7.Apr.2002 11:03:00 PM

skipster

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline

Nice Diagram [Wink]

I cant figure it out why it doesnt work with the firewall client as well. Im thinking it might be an authentification issue, because it should work with the firewall client. IF you find out why some day let us know, I will to

(in reply to skipster)

Post #: 9

RE: Client setup as a proxy&NAT - 8.Apr.2002 6:58:00 AM

tshinder

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline

Hey guys,

I'd like to know why it doesn't work with the Firewall client too [Razz]

I know that the "enable PPTP through the firewall" feature actually invokes some kind of application filter (which isn't documented). I'd do a trace of the connection and see what shows up. Until then, install the Firewall client and then disable it when you need to and make the client a SecureNAT client.

HTH,
Tom

(in reply to skipster)

Post #: 10

RE: Client setup as a proxy&NAT - 8.Apr.2002 4:19:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hey guys,

I've taken today a trace of a PPTP connection through the ISA with and without the Firewall client. I cann't see any difference between both, even for the PPTP control connection (TCP port 1723)! [Eek!]

So, I suspect there must be some special support in the Firewall client for PPTP.

Tom, do you come to the same conclusion?

BTW --- the Firewall client properties was set to always resolve DNS names locally (entry [Common Configuration] with parameter NameResolution=L).

Hope this helps,
Stefaan

(in reply to skipster)

Post #: 11

RE: Client setup as a proxy&NAT - 8.Apr.2002 8:43:00 PM

skipster

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline

Hey spousee I followed your post about how to get ISA to sync to an external time server, and it worked no problems. Now im trying to do the samething at a clients network, but i cant get it to work. I can get the ISA to sync just fine, but when i try to get the AD machine to sync with ISA, it keeps saying that the requested port is already in use. Any thoughts on this one

(in reply to skipster)

Post #: 12

RE: Client setup as a proxy&NAT - 12.Feb.2003 3:05:00 PM

rmatthewcole

Posts: 26
Joined: 12.Mar.2001
From: Auburn, AL USA
Status: offline

From the limited testing I have done, it seems that the firewall client does some screwy things with the winsock files. I would guess that the firewall client replaces the local machine winsock with a redirector that forwards the requests to the ISA Server. I know that Cisco is attempting to have direct control over the TCP/IP stack since none of the MS routing or ipconfig commands seem to indicate anything about the status of the Cisco VPN tunnel. So maybe the issue is the removal/modification of the winsock?

(in reply to skipster)

Post #: 13

RE: Client setup as a proxy&NAT - 12.Feb.2003 10:10:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi matthew,

as far as I know, the Firewall client is implemented as a Winsock Layered Service Provider (LSP). An LSP does *not* replace the actual WinSock library but hooks into it to enhance the functionality.

To learn more about how the Firewall client talks to the ISA server, check out my article http://www.isaserver.org/articles/Understanding_the_Firewall_Client_Control_Channel.html .

HTH,
Stefaan

(in reply to skipster)

Post #: 14