Welcome to ISAserver.org
NAT for HTTPS/FTP on back-end ISA Server with 1:1 routing
NAT for HTTPS/FTP on back-end ISA Server with 1:1 routing - 27.Nov.2005 10:55:55 AM
wbplomp
Posts: 138
Joined: 18.Nov.2004
From: Netherlands, The
Status: offline
When your ISA Server is a back-end firewall on your internal network and uses 1:1 routing to the next front-end firewall, all HTTP traffic is intercepted by the Web Proxy Filter and therefore NAT is used. But when HTTPS or FTP passes through, it is routed directly to the next firewall. Microsoft should change that behavior to NAT, or at least give us the option.
RE: NAT for HTTPS/FTP on back-end ISA Server with 1:1 r... - 27.Nov.2005 5:41:49 PM
wbplomp
Posts: 138
Joined: 18.Nov.2004
From: Netherlands, The
Status: offline
Because on the external network I have a Check Point firewall which has 3 perimeter networks. These networks hold Remote Sites etc. That needs to be routed 1:1.
RE: NAT for HTTPS/FTP on back-end ISA Server with 1:1 r... - 27.Nov.2005 5:57:43 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Boudewijn,

I still don't get the picture! If you need a ROUTE relationship for the inbound traffic, why do you want a NAT relationship for the outbound traffic? What problems would that solve?

quote:
All HTTP traffic is intercepted by the Web Proxy Filter and therefore NAT is used.

That statement is not technically correct because no NAT at all is used in that case. The Web Proxy component on ISA terminates the connection from the internal host and creates a brand new connection to the requested destination. Therefore the source IP address will be the primary IP address assigned to the outgoing interface.

HTH,
Stefaan
|
RE: NAT for HTTPS/FTP on back-end ISA Server with 1:1 r... - 27.Nov.2005 6:46:16 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Stefaan, Don't know if you remember you getting me sorted out with my problem when I had a route rule and return packets for HTTPS and FTP were finding a different route back. I suspect that may be the case with Boudewijn, but he does not provide the details to be certain. The solution for me was to make ISA NAT instead. Not ideal since my ISA is no longer a true firewall as there is an alternate route to circumnavigate it (provided the PIX lets it out) but the best I could do with what CorpIT would give me for subnets. This subject is drifting off topic for the forum it is in, and probably a new one should be started in the proper forum.
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
RE: NAT for HTTPS/FTP on back-end ISA Server with 1:1 r... - 27.Nov.2005 8:29:19 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi L, You do have the option to preserve the client IP address or replace it with the ISA firewall's address, if routing is an issue. Am I missing something? Thanks! Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: NAT for HTTPS/FTP on back-end ISA Server with 1:1 r... - 28.Nov.2005 8:14:04 PM
wbplomp
Posts: 138
Joined: 18.Nov.2004
From: Netherlands, The
Status: offline
Hi spouseele, LLigetfa and Tom,

Spouseele, of course there is no real NAT by the HTTP filter, but in fact you get the same result. Forget the fact why I use 1:1 routing relationship on both internal and external network. That is because I use a complex Enterprise network with more than 5000 clients in a back-to-back firewall configuration. When HTTP, HTTPS and FTP are filtered, HTTP has another behavior than HTTPS and FTP. When the request is being proxied for HTTP the address appears to be from ISA, but when HTTPS or FTP is filtered, the address appears to be from the client. Of course this only occurs with SecureNAT Clients; in some situations you cannot use a Proxy Server setting. It's no big deal, but you need different configurations for HTTP and HTTPS on the next Check Point firewall that connects us to the internet.

LLigetfa, yes that is indeed the same problem.

Tom, what you mean is NAT, isn't it?

One thing is clear, ISA Server is a great product, you won't hear me complaining. :-)

Gr. Boudewijn