• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Proxy Server - Bypass proxy for local addresses

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Web Proxy] >> Web Proxy Client >> Proxy Server - Bypass proxy for local addresses Page: [1] 2   next >   >>
Login
Message << Older Topic   Newer Topic >>
Proxy Server - Bypass proxy for local addresses - 15.Oct.2007 12:25:05 PM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
Context:
When we deployed the firewall client, the ISA server Internal Network Domains tab included all our internal domains, and within the Internal Network Web Browser tab we've accounted for our Internal Domains and Internal Addressing as well as additional domains and addresses that are supplied in the routing script so that we furnish a comprehensive "bypass ISA Server list" to our web proxy clients utilizing the routing script.  However we're running into a deficiency in how Internet Explorer is being configured by the firewall client (via the firewall client web browser settings | Enable web browser automatic configuration), where the browser is not being supplied any "exceptions" for the Proxy Server "bypass proxy server for local addresses" area.  

Problem:
Web proxy clients that inherit the Proxy Server settings (from Internet Explorer) do not inherit a "bypass list" and send all requests to ISA, even the requests for local (domain or addresses) resources. Is there a way to resolve this with ISA 2004 or ISA 2006?

In other words:
Is there a way for ISA Server or the firewall client to supply a bypass proxy server for local addresses list within Internet Explorer’s Proxy Server settings?
Post #: 1
RE: Proxy Server - Bypass proxy for local addresses - 15.Oct.2007 1:12:54 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi,

check this : http://support.microsoft.com/kb/920715

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to abqtech)
Post #: 2
RE: Proxy Server - Bypass proxy for local addresses - 15.Oct.2007 1:15:43 PM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
That KB is related to bypass/direct access problems with clients utilzing the routing script, which is not related to my post, the web proxy clients having this problem are just using the Proxy Server setting in I.E.

(in reply to elmajdal)
Post #: 3
RE: Proxy Server - Bypass proxy for local addresses - 15.Oct.2007 2:31:10 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
You want to allow certain addresses to not pass by ISA Server, then do this in the Direct Access as it is pointed in the article.

Why do you want to populate these addresses manually in the IE setting ?

is this what u r doing ? populating the address manually in the IE ?



_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to abqtech)
Post #: 4
RE: Proxy Server - Bypass proxy for local addresses - 16.Oct.2007 2:34:47 PM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
Tarek,
I'd don't want to manually poplulate any settings in I.E. For several reasons
-It's a manually entry
-When the firewall client configures the web browser, any settings added in the LAN Settings (including "bypass proxy for local addresses") table are replaced by the Firewall Clients settings provided by ISA Server.

We've been using GPO to set the Proxy Server and bypass proxy server for local addresses, however from my testing with the firewall client set to configure the web browser, all the GPO settings are replaced with the Settings supplied by the firewall client.  Make sense?

I dont see how the "Direct Access" article accounts for the problem I'm seeing, and if it does, please excuse my oversight.


(in reply to elmajdal)
Post #: 5
RE: Proxy Server - Bypass proxy for local addresses - 5.Nov.2007 11:00:06 AM   
cjpalmer@gmail.com

 

Posts: 4
Joined: 5.Nov.2007
Status: offline
I am having a similar problem. I am trying to configure the ISA server with a list of defined "local" sites that the client shouldn't use the proxy for. I am not using the automatic configuration script. I am not currently using GPO to assign the settings. I am trying to get these issues worked out before I deploy the new ISA 2006 server. I am part of a much larger organization and they won't provide us with any kind of web monitoring or limitations. We are installing the ISA server so that we can do our own reporting and monitoring that our management have requested. There are a number of intranet sites that don't work if proxy is turned on. I have not deployed the firewall client (and I don't really want to at this point). If I manually enter the entry in the IE configuration, it works fine. I am trying to make this a server side solution instead of having to configure all of my clients individually.

I have gone into Configuration/Networks and edited the properties of my internal network. I have defined the whole 10/8 subnet as local/internal. I have added the domain names to both the 'Domains' and 'Web Browser' tabs. On 'Web Browsers' based on the KB article linked above, I tried adding the /* to the end of my addresses. I also tried putting https:// and http:// at the beginning. I have tried a number of other things, yet my client computer still gets the "Error Code: 502 Proxy Error" message when I try to go to the page.

I am starting to get frustrate with this. It looks like I am going to have to configure the bypasses on all the clients. There are about 3 settings that I see that all say it shouldn't be going there (i.e. Bypass proxy for local is checked, the IP of the destination is part of the 'internal' network, there are exceptions defined for the domain on both the Domains and Web Server tabs.)

Any help that you can provide would be greatly appreciated.

Thanks,
Charles

(in reply to abqtech)
Post #: 6
RE: Proxy Server - Bypass proxy for local addresses - 5.Nov.2007 11:23:25 AM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
If you want to supply a "bypass domains and addresses" list to your web browser clients by ISA Server, you'll need to use:

Automatically Detect Settings (WPAD, requires additional DNS / DHCP configuration)
- and/or -
Use Automatic configuration script

Both can be set by a GPO.

That way you can manage and maintain the bypass list within ISA, and as long as your managing the bypass list (or direct access list) in ISA properly you should'nt run into any problems. 

If you're having specifc problems with either of the two options metioned above, please let me know what they are and I'll assist.

Thanks

(in reply to cjpalmer@gmail.com)
Post #: 7
RE: Proxy Server - Bypass proxy for local addresses - 5.Nov.2007 12:00:51 PM   
cjpalmer@gmail.com

 

Posts: 4
Joined: 5.Nov.2007
Status: offline
Am I misunderstanding some functionality somewhere? It seems to me that where I have configured the Internal Network (inlcuding Domains and Web Server) when a request comes from a client to the proxy for any of those domains/IPs, it should tell the client to go there directly and not go through the ISA. But what I am see is that it still tries to go through the ISA and the ISA denies it for some reason (I am assuming because it would have to go back in the internal interface to fullfil the request). Is my only option to somehow configure my clients IE settings so that it is bypassed at the client?

That doesn't seem very flexible to me. As far as my configuring of the clients, I will likely be using my login script to do it. With the company that bought us, it is somewhat difficult to get GPO created and configured correctly. As to the WPAD, I have never configured it but it appears that I would need to make a DNS entry as well as setup the actual script. I am not sure how to do that entirely, but I know the DNS entry can be somewhat problematic as I would have to contact Corporate to configure it and I am sure I don't want the other 5000+ people going through my proxy server when they screw it up...

Thanks,
Charles

(in reply to abqtech)
Post #: 8
RE: Proxy Server - Bypass proxy for local addresses - 5.Nov.2007 2:28:45 PM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
On the ISA Server
Configure your Internet Network by:
<Addresses> tab
add the internal addresses for your network
Any applicable RFC 1918 addresses
10.0.0.0/8
192.168.0.0/16
172.16.0.0/12

<Domains> tab
Add the domains that belong to your internal network as well as domains that you want clients to access directly.
*.domain.com or just the specific subdomains you need i.e. www.domain.com, webmail.domain.com

<Web Browsers> tab
Adding the domains and address ranges in the Directly access these servers or domains.
Also make sure and check:
Bypass proxy server for web servers in this network
Directly access computers specified in the Domains tab
Directly access computers specified in the Address tab

Configure your web browser with the ISA Servers routing script:
http://isaserver.domain.com:8080/array.dll?Get.Routing.Script

Make Sense?

(in reply to cjpalmer@gmail.com)
Post #: 9
RE: Proxy Server - Bypass proxy for local addresses - 5.Nov.2007 2:36:55 PM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
are you running ISA 2004 or ISA 2006? and what Service Packs are installed on your ISA Server?

(in reply to abqtech)
Post #: 10
RE: Proxy Server - Bypass proxy for local addresses - 6.Nov.2007 1:55:17 PM   
cjpalmer@gmail.com

 

Posts: 4
Joined: 5.Nov.2007
Status: offline
ISA 2006 with all the latest patches (including the console update).  I did everything you described in the previous except for setting up the routing script. So, to make the settings take effect on the clients that you make in the server, you have to go to Tools/ Internet Options/ Connection/ LAN Settings/ Check the 'Use automatic configuration script and provide the link you listed (fixed for my domain) in the resulting Address box. Or set that value by some other method (GPO, registry, etc.)

Am I understanding this correctly? If so, it is a server side fix that requires a client side component. I am testing now.

Charles

(in reply to abqtech)
Post #: 11
RE: Proxy Server - Bypass proxy for local addresses - 6.Nov.2007 7:05:33 PM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
Charles,
In response to "Am I understanding this correctly?"  Yes.

what results does your testing yield?

(in reply to cjpalmer@gmail.com)
Post #: 12
RE: Proxy Server - Bypass proxy for local addresses - 7.Nov.2007 8:23:37 AM   
cjpalmer@gmail.com

 

Posts: 4
Joined: 5.Nov.2007
Status: offline
It seems to be working. I am just trying to figure out what registry settings are modified by checking that box. I know the following:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

But just putting the correct value in that key doesn't seem to be working for me. I think I need to "check the box" as well, but I don't know where that is. I am disecting a Process Monitor capture now to see if I can find anything else, but I am not having any luck thus far.

Thanks for your assistance,
Charles

(in reply to abqtech)
Post #: 13
RE: Proxy Server - Bypass proxy for local addresses - 7.Nov.2007 11:15:59 AM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
Charles,
If the string value of:
AutoConfigURL"="http://isaserver.domain.com:8080/array.dll?Get.Routing.Script
Is present in: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

It should properly populate I.E.'s autoconfig URL.

(in reply to cjpalmer@gmail.com)
Post #: 14
RE: Proxy Server - Bypass proxy for local addresses - 28.Nov.2007 11:53:47 PM   
nwigmore

 

Posts: 19
Joined: 28.Nov.2007
Status: offline
Hi there,

I have the same problem as Charles in that I want ISA to recognise that intranet sites that fall into my internal subnets should not be directed through the Web Proxy filter. I do not want to have to configure the routing script or the firewall client. I come from a Squid background and to do this is very simple as Squid recognises the intranet addresses and therefore does not pass the traffic out through the proxy, instead directing this direct the to intranet server.

Any help would be great.

thanks

(in reply to abqtech)
Post #: 15
RE: Proxy Server - Bypass proxy for local addresses - 29.Nov.2007 1:25:10 AM   
nwigmore

 

Posts: 19
Joined: 28.Nov.2007
Status: offline
I had an epiphany!!! Tested it and solved this problem.

Go to Configuration\Networks\Web Caching. Create a new Web Caching rule, select To "Internal Network" then Request Processing select "Retrieve requests directly from the specified destination". Apply this rule and all should work.



quote:

ORIGINAL: nwigmore

Hi there,

I have the same problem as Charles in that I want ISA to recognise that intranet sites that fall into my internal subnets should not be directed through the Web Proxy filter. I do not want to have to configure the routing script or the firewall client. I come from a Squid background and to do this is very simple as Squid recognises the intranet addresses and therefore does not pass the traffic out through the proxy, instead directing this direct the to intranet server.

Any help would be great.

thanks

(in reply to nwigmore)
Post #: 16
RE: Proxy Server - Bypass proxy for local addresses - 26.Jan.2009 2:47:54 PM   
chetton2000

 

Posts: 34
Joined: 12.Apr.2007
Status: offline
It's been a while since the last post but did you mean select "Web Chaining" rule?  I am trying to do the same thing.  Thanks.

(in reply to nwigmore)
Post #: 17
RE: Proxy Server - Bypass proxy for local addresses - 26.Jan.2009 6:12:36 PM   
nwigmore

 

Posts: 19
Joined: 28.Nov.2007
Status: offline
Hi there, Yes the Web Chaining is what you want from memory.

(in reply to chetton2000)
Post #: 18
RE: Proxy Server - Bypass proxy for local addresses - 27.Jan.2009 4:07:12 PM   
chetton2000

 

Posts: 34
Joined: 12.Apr.2007
Status: offline
This still doesn't seem to be working for me.  The internal website that I am trying to hit keeps getting caught by my ISA server.  However, it isn't affected if I uncheck the options in IE for:

Tools -> Internet Options -> LAN Settings -> “Use Automatic Configuration Script” & ”Automatically detect settings”

It looks like something with those options interferes with the cookie that my internal website is using and causes errors.  If those are unchecked, it works so it still seems like it is hitting my ISA server even though I want direct connection.  Any ideas?

(in reply to nwigmore)
Post #: 19
RE: Proxy Server - Bypass proxy for local addresses - 27.Jan.2009 5:18:18 PM   
nwigmore

 

Posts: 19
Joined: 28.Nov.2007
Status: offline
set IE to use your ISA server as a proxy and then add the url to the exceptions field in IE, this will make sure that you bypass the proxy (ISA) for that site. There is also an area in ISA that you can add in your intranet domains. Not sure where that is as then ISA will know what domains are local and should bypass these.

How many users do you have and are you simply using ISA as a proxy?

(in reply to chetton2000)
Post #: 20

Page:   [1] 2   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Web Proxy] >> Web Proxy Client >> Proxy Server - Bypass proxy for local addresses Page: [1] 2   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts