Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Strage problem with upstream proxy
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
Strage problem with upstream proxy - 19.Sep.2008 5:13:41 AM
|
|
|
mblum
Posts: 2
Joined: 19.Sep.2008
Status: offline
|
Hi,
we have an ISA Server 2006 with a configured Upstreamproxyserver for filtering purposes.
If I use a WebProxy configuration on the clients (either Firefox or IE) everything works fine. If I disable the WebProxy some URLs don't work any more (e.g. some links in Wikipedia or google).
The logs show that the URL sent to the Upstream Proxy is now modified by the ISA-Server, the hostentry is substituted by its IP which doesn't get a result if the called site is hosted on a http 1.1 Server with differt sites on one IP.
No difference if I use the ISA-Client or not.
Can anyone help or is this a bug ?
_____________________________
MBlum
|
|
|
|
|
RE: Strage problem with upstream proxy - 19.Sep.2008 10:42:59 AM
|
|
|
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
|
It is not a bug.
It is working exactly the way it should because that is the way the technology works,...it is not ISA itself.
When you don't use the Web Proxy Service the Client will "fall back" to being a NAT Client,...and NAT only deals with IP#s,...so you get the IP#s.
I would think it would work fine with the Firewall Service (with the Firewall Client), but if it doesn't I'm not going to loose sleep over it.
So use the Web Proxy Service (proxy settings in browser) like you are supposed to do and it will work fine. When there is an upstream proxy the ISA becomes a "web proxy client" to the upstream proxy. That is the price you have to pay for using an upstream proxy. That is something that I personally would never want to do, but I do realize that some people aren't given a choice.
_____________________________
Phillip Windell
www.wandtv.com
|
|
|
|
|
RE: Strage problem with upstream proxy - 19.Sep.2008 11:15:06 AM
|
|
|
mblum
Posts: 2
Joined: 19.Sep.2008
Status: offline
|
I'm don't think this could be right.
If the ISA uses only NAT - why trying to send the URL to the Upstream Proxy ?
The requested URL shouldn't be modified in every case - NAT or not.
If the NAT system sends the requestet URL to the Webserver it modifies only the sent-from IP address - not the requestet http URL so why should this be different when using a Upstream Proxy ?
I think the flow with upstream proxy and no proxy entry at the client is something like this:
Client -> DNS -> send http request with original URL header to Target IP -> ISA Server redirects http request to proxy (and further on to uplink Proxy) -> ISA don't use requested URL to request the Site via upstream proxy: it uses the target IP and adds the path of the URL.
I think THIS IS a bug !! Perhaps someone used the wrong variable name :D.
|
|
|
|
|
RE: Strage problem with upstream proxy - 19.Sep.2008 12:25:06 PM
|
|
|
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
|
I'm don't think this could be right.
I do.
If the ISA uses only NAT
No, it doesn't use only Nat.
Web Proxy Clients the ISA "proxys"
Firewall Clients the ISA "proxys"
SecureNAT Clients the ISA "NATs"
- why trying to send the URL to the Upstream Proxy ?
It doesn't "NAT" anything to the upstream proxy,...the NAT is between the Client and the ISA. The URL is simply sent to the upstream proxy as the ISA knows the URL to be.
The requested URL shouldn't be modified in every case - NAT or not.
If the NAT system sends the requestet URL to the Webserver it modifies only the sent-from IP address - not the requestet http URL so why should this be different when using a Upstream Proxy?
Right the URL is not modified,..and that is where you are missing what is happening. You have to ask your self,..."How is the ISA receiving the URL from the Client?"
I think the flow with upstream proxy and no proxy entry at the client is something like this:
Client -> DNS -> send http request with original URL header to Target IP -> ISA Server redirects http request to proxy (and further on to uplink Proxy) -> ISA don't use requested URL to request the Site via upstream proxy: it uses the target IP and adds the path of the URL.
No, the flow is:
Web Proxy Clients:
1. Client sends request to ISA without DNS resolution
2. ISA Resolves FQDN, determines destination is Internet
3. ISA passes URL to the Upstream proxy with the FQDN because it does
know the FQDN because the Client provided the FDN in the request.
Firewall Clients & SecureNAT Client
1. Client resolves FQDN to IP# via DNS
2. Client sends request to ISA with the URL containing the IP# and not the
FQDN
3. ISA determines destination is Internet
4. ISA does not know the FQDN because it was never given the FQDN by
the Client.
5. ISA passes URL to the Upstream proxy with an IP# in place of where the
FQDN used to be.
6. In you own words: "........ IP which doesn't get a result if the called site
is hosted on a http 1.1 Server with differt sites on one IP. "
I think THIS IS a bug !!
It is not a bug and it is not even ISA doing it.
_____________________________
Phillip Windell
www.wandtv.com
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
