• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Issue with ISA 2004 and Upstream Proxy

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Cache] >> General >> Issue with ISA 2004 and Upstream Proxy Page: [1]
Login
Message << Older Topic   Newer Topic >>
Issue with ISA 2004 and Upstream Proxy - 11.Jan.2006 5:45:05 AM   
joshg

 

Posts: 4
Joined: 11.Jan.2006
Status: offline
Hi All,

We have quite a large network with different departments accessing the internet though our ISA 2004 proxy servers. The ISA 2004 server (client LAN) that users point to is configured to redirect all requests to an upstream ISA 2004 server (DMZ). This does work however i have noticed on the client ISA 2004 server that ISA attempts to make a direct connection first, before sending to the upstream proxy. I'm not sure why this is as the server is configured to re-direct all traffic via a single web chain rule ( there are no other web chain rules).

In the log below you can see a couple of requests going to hotmail.com which are denied (and the user is anonymous). The next entries are the same user/request but this time the username is visible and it is correctly forwarded to the upstream proxy. This seems to happen to every initial connection to a web site

Anyone have any ideas?

172.80.70.210 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts; .NET CLR 1.1.4322; MSN Messenger 7.5.0311) N 23/11/2005 12:00:00 AM 30/12/1899 4:48:23 AM w3proxy CLTPRX01 - gateway.messenger.hotmail.com 172.80.66.11 8080 1 435 4528 http TCP POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - - 12209 0x4 Web Access - Internal External 0x200 Denied
172.80.70.210 anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts; .NET CLR 1.1.4322; MSN Messenger 7.5.0311) N 23/11/2005 12:00:00 AM 30/12/1899 4:48:23 AM w3proxy CLTPRX01 - gateway.messenger.hotmail.com 172.80.66.11 8080 1 523 560 http TCP POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com - - 5 0x4 Web Access - Internal External 0xa80 Failed
172.80.70.210 CLT1\ehy Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts; .NET CLR 1.1.4322; MSN Messenger 7.5.0311) Y 23/11/2005 12:00:00 AM 30/12/1899 4:48:24 AM w3proxy CLTPRX01 - 172.80.201.12 172.80.201.12 8080 594 621 416 http TCP POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com application/x-msn-messenger Upstream 200 0x48000004 Web Access - Internal External 0xf80 Allowed
172.80.70.210 CLT1\ehy Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts; .NET CLR 1.1.4322; MSN Messenger 7.5.0311) Y 23/11/2005 12:00:00 AM 30/12/1899 4:48:25 AM w3proxy CLTPRX01 - 172.80.201.12 172.80.201.12 8080 704 344 555 http TCP POST http://207.46.1.12/gateway/gateway.dll?SessionID=333655001.26777 application/x-msn-messenger Upstream 200 0x48000004 Web Access - Internal External 0x780 Allowed

< Message edited by joshg -- 11.Jan.2006 5:46:47 AM >
Post #: 1
RE: Issue with ISA 2004 and Upstream Proxy - 11.Jan.2006 6:56:16 AM   
joshg

 

Posts: 4
Joined: 11.Jan.2006
Status: offline
Looks like i may have found the cause of the problem. The direct attemps in the log file appear to occur when the user options up the web browser for the first time and tries to access a web page and they are prompted for their username and password. ISA seems to write this request to its log file as user "anonymous" and it fails. Once the user enters their credentials and clicks OK the same request comes through again this time properly showing the users name and the request is accepted and sent to the upstream proxy.

I'm still playing around with this in the testlab but it looks like its it. I'm just not sure if there would be anyway from stopping that from happening?
 

(in reply to joshg)
Post #: 2
RE: Issue with ISA 2004 and Upstream Proxy - 11.Jan.2006 7:32:11 AM   
joshg

 

Posts: 4
Joined: 11.Jan.2006
Status: offline

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/faq-monitoring.mspx

Q. I have blocked anonymous access, but the logs show requests from anonymous users. Why?
A. The user sends an anonymous request. ISA Server responds with a 407 error and terminates the connection. An anonymous request is logged.
The user sends the same request with Keep-Alive and NTLM authentication user information. ISA Server responds again with a 407 error and with an authentication challenge. The connection is not terminated. Another anonymous request is logged.
The user sends the same request with the authentication response. Now the request is authenticated and served.
If anonymous log entries are followed by requests from an actual, authenticated user, the reason is probably this configuration. If not, check your configuration settings.


Damn looks like its normal behaviour

(in reply to joshg)
Post #: 3

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Cache] >> General >> Issue with ISA 2004 and Upstream Proxy Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts