Upstream proxy configuration
Upstream proxy configuration - 6.Sep.2005 4:23:00 AM
x--
Posts: 9
Joined: 6.Sep.2005
Status: offline
Hi, I am experimenting with ISA 2004. Here is my test setup environment (Win2003, No SP1):
(1) Internal LAN 10.10.1.x/24 with Win2003 DC (DNS)
(2) Lower Proxy (Domain member) with two NICs (10.10.1.55, 192.168.2.3)
(3) Upper proxy (Stand-alone) with two NICs (192.168.2.2, 192.168.1.2)
(4) DSL Router (192.168.1.1)
Connectivity: (1) --> (2) -cross cable-> (3) --> (4) --> Internet
Prior to this, I had directly connected the Lower Proxy to the DSL router with necessary IP changes and everything was fine.
Now, with the above configuration, access from internal machines is horribly slow, but access from upper proxy is normal.
DNS setup: All client machines configured to connect to internal DNS server which in turn is configured with forwarders pointing to my ISP. I *cannot* do an nslookup and resolve any external domain name except from the Upper proxy. I think this is a problem.
Another observation: Whenever a client (SNat, WP, FWClient) connects to a website, on my upper proxy I notice two connections one after another: 1. connection from Upper Proxy to Webserver and 2. connection from Lower Proxy to Webserver
It appears as if there are two separate connections and hence there is performance problem.
Can someone help?
Regards, X
RE: Upstream proxy configuration - 9.Sep.2005 3:57:00 AM
RuiFiske
Posts: 92
Joined: 8.Dec.2004
From: London
Status: offline
Hi X,
That web chaining traffic doesn't look quite right.
There are three things you should check:
1. Have you configured the clients to use the lower proxy as their proxy server? It looks like they may not be, and they may still be connecting as SecureNAT clients (hence port 80), which is not the best way to handle this. If you need to roll this out, then you can use group policy.
2. What is the proxy setting for the Internal network? - this needs to allow proxying. My guess is that it is enabled on port 8080, which is the default, but good to make sure.
3. On the chaining rule on the lower proxy, is it configured to pass all requests (Domain Name Set *) to an upstream proxy, or to fetch the pages directly? It should be passing them on to the upstream proxy.
There are some subtleties with ISA and DNS, which it is difficult to answer without understanding your network (and traffic) better. However, I would say that the Lower Proxy does not need to perform any name resolution, so you could probably disable this. If you configure your proxy settings correctly on the clients, then you probably won't see much traffic for DNS resolution from the internal DNS server either, certainly not for web traffic, as this will be handled by the upstream proxy. I am reluctant to say deny it, as there will be cases where you need the resolution, but keep an eye on it - you will find that there is surprisingly little DNS traffic, which is obviously a good thing.
Apologies for the delay in replying - I haven't been to the site for a couple of days. Don't forget to rate me, if you've found this useful!
RE: Upstream proxy configuration - 12.Sep.2005 2:30:00 AM
x--
Posts: 9
Joined: 6.Sep.2005
Status: offline
Hi YoY:
Thanks for responding. My replies are inline.
1. Have you configured the clients to use the lower proxy as their proxy server? It looks like they may not be, and they may still be connecting as SecureNAT clients (hence port 80), which is not the best way to handle this. If you need to roll this out, then you can use group policy.
(X): All client browsers have been configured to use proxy Lowerproxy on port 80 (I have changed from the default!). Roll out is beyond scope right now.
2. What is the proxy setting for the Internal network? - this needs to allow proxying. My guess is that it is enabled on port 8080, which is the default, but good to make sure.
(X): Answered above. Client configuration is stated above.
3. On the chaining rule on the lower proxy, is it configured to pass all requests (Domain Name Set *) to an upstream proxy, or to fetch the pages directly? It should be passing them on to the upstream proxy.
(X): Yes, it is configured to pass requests to upstream, and this is authenticated by logging in to the upstream proxy local account. I can see this account appear in the Client User field in the UpperProxy.
There are some subtleties with ISA and DNS, which it is difficult to answer without understanding your network (and traffic) better. However, I would say that the Lower Proxy does not need to perform any name resolution, so you could probably disable this. If you configure your proxy settings correctly on the clients, then you probably won't see much traffic for DNS resolution from the internal DNS server either, certainly not for web traffic, as this will be handled by the upstream proxy. I am reluctant to say deny it, as there will be cases where you need the resolution, but keep an eye on it - you will find that there is surprisingly little DNS traffic, which is obviously a good thing.
(X): DNS doesn't seem to cause any problem for me since I disabled DNS resolution prior to my last post. I was only wondering what the best rule for DNS is from a security perspective. See my last post for the specific question.
Apologies for the delay in replying - I haven't been to the site for a couple of days. Don't forget to rate me, if you've found this useful!
(X): I have already rated you!
RE: Upstream proxy configuration - 12.Sep.2005 3:21:00 AM
RuiFiske
Posts: 92
Joined: 8.Dec.2004
From: London
Status: offline
Hi Again X,
Thanks for the extra information. It makes a bit more sense now.
Information on your traffic:
If you enforce authentication at the lower proxy, then you would expect to see the first exchange (deny on 80). What happens is that the browser tries to contact the proxy anonymously first, and is then sent an HTTP response (401 or 407) requesting authentication. The browser then sends its credentials back to the proxy. This is normal. You can get round it by configuring the browser to always send credentials, though I would say it is probably not worth doing that. You should then see traffic from client to internal interface of proxy immediately afterwards, which is authenticated, though you don't list it.
Lower to upper on 8080 looks fine - I usually create a custom protocol (HTTP Proxy), so this doesn't appear in the logs as unidentified traffic.
The last entry looks fine.
I will add nothing further about the DNS. Only the internal DNS needs access, so access to others can be safely disabled. I would recommend, however, that you monitor DNS traffic in the logs closely to ensure that there is not some other service that needs DNS traffic, which may be cut off by this. I do doubt that, though.
Good luck!
Regards,
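Rui's checklist above (clients actually sending requests to the lower proxy's listener, the lower proxy forwarding everything to the upstream on 8080, and only the internal DNS server resolving externally) can be turned into a quick audit of proxy log records. The following Python is an added example written for this page, not ISA's own tooling; it works on constructed, simplified records rather than the real ISA log format, and the internal DNS address 10.10.1.10 is an assumed value.

```python
from collections import Counter

# Addresses from the thread's setup; INTERNAL_DNS is an assumed value.
LOWER_PROXY = "10.10.1.55"    # internal NIC of the lower proxy (clients point here)
LOWER_OUTER = "192.168.2.3"   # outer NIC of the lower proxy (source of chained traffic)
UPPER_PROXY = "192.168.2.2"   # inner NIC of the upper proxy
INTERNAL_DNS = "10.10.1.10"   # assumed address of the Win2003 DC running DNS
PROXY_PORT = 80               # the poster moved the web-proxy listener to 80
UPSTREAM_PORT = 8080          # default web-proxy listener on the upper proxy

# Constructed, simplified records (not the real ISA log format):
# (source_ip, dest_ip, dest_port, client_type, user, http_status)
SAMPLE_LOG = [
    ("10.10.1.20", LOWER_PROXY, 80, "WebProxy", "anonymous", 407),       # normal challenge
    ("10.10.1.20", LOWER_PROXY, 80, "WebProxy", "DOM\\alice", 200),      # authenticated retry
    ("10.10.1.21", "203.0.113.10", 80, "SecureNAT", "anonymous", 0),    # browser not using proxy
    (LOWER_OUTER, UPPER_PROXY, 8080, "WebProxy", "upstream_acct", 200), # chained request
    (LOWER_OUTER, "203.0.113.10", 80, "WebProxy", "anonymous", 200),    # lower proxy went direct
    ("10.10.1.21", "198.51.100.53", 53, "SecureNAT", "anonymous", 0),   # host doing its own DNS
    (INTERNAL_DNS, "198.51.100.53", 53, "SecureNAT", "anonymous", 0),   # forwarder: expected
]

def classify(rec):
    """Label one record against the three checks plus the DNS rule."""
    src, dst, port, ctype, user, status = rec
    if port == 53:  # only the internal DNS server should resolve externally
        return "ok-dns-forwarder" if src == INTERNAL_DNS else "dns-from-non-dns-host"
    if src == LOWER_OUTER:  # check 3: everything should go to the upstream proxy
        if dst == UPPER_PROXY and port == UPSTREAM_PORT:
            return "ok-chained"
        return "lower-proxy-bypassed-upstream"
    if dst == LOWER_PROXY and port == PROXY_PORT:  # checks 1 and 2: client hit the listener
        if status == 407 and user == "anonymous":
            return "ok-auth-challenge"  # the anonymous-first exchange Rui describes
        return "ok-proxied"
    if ctype == "SecureNAT" and port in (80, 443):  # check 1: browser not using the proxy
        return "client-not-using-proxy"
    return "other"

def audit(records):
    """Count how many records fall into each category."""
    return Counter(classify(r) for r in records)

if __name__ == "__main__":
    for label, count in sorted(audit(SAMPLE_LOG).items()):
        print(f"{label:32s} {count}")
```

Any "lower-proxy-bypassed-upstream" or "client-not-using-proxy" count above zero points at the two misconfigurations the thread is chasing.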
RE: Upstream proxy configuration - 12.Sep.2005 5:23:00 AM
RuiFiske
Posts: 92
Joined: 8.Dec.2004
From: London
Status: offline
It looks like it!