Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Web Proxy Clients Connection Timeout Issue
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
Web Proxy Clients Connection Timeout Issue - 26.Nov.2007 8:41:15 AM
|
|
|
deluxe
Posts: 3
Joined: 26.Nov.2007
Status: offline
|
Hello people,
I use ISA 2006 in a single network adapter scenario as a web-proxy.
I installed ISA 2006 and everything is working properly apart from the Connection Timeout specified for Web proxy clients.
I have specified that a timeout should occur after 2 minutes of idle time, however this is simply not working.
I have linux thinclients that use the isa server as their proxy. The timeout should occur so that if someone forgets to logout, his session will be ended (and someone else who arrives at the terminal needs to authenticate himself instead of using the session from the last user).
The timeout specification i entered in my array under Networks > Properties > Web Proxy tab > Advanced, i set it to 120 seconds.
Nothing is happening however, whats even more odd is that when i go into Monitoring > Sessions and manually disconnect a session the client can just happily still surf the net, i would think the browser should popup with a new authentication window but it does not.
What am i doing wrong here? I'm no expert on ISA 
Thanks a million for any help guys!
Cheers.
|
|
|
|
|
RE: Web Proxy Clients Connection Timeout Issue - 27.Nov.2007 9:50:08 AM
|
|
|
abqtech
Posts: 216
Joined: 9.Mar.2004
Status: offline
|
The timeout you modifed and are referring to is for an web proxy connection. For example you make an http connection to www.somedomain.com and you click on a link in that site that causes the website to perform some type of DB Query or run some type of job that runs on the web site, but should at some point yeild a result/response to your web browsers request on that connection. ISA will allow that tcp connection to remain open for 120 seconds. Once that connection exceeds 120 seconds (or whatever time you configure) ISA will close that TCP connection if memory serves correctly a TCP RST will be sent by ISA to the client and server so that both ends of the connection are closed.
If your ISA Server has an authentication requirement (either on the Internal Network Web Proxy or the Access Rule) then each HTTP request that is proxied to ISA, will require a client side authentication response, so you really should not have any concerns about a user not logging out, because HTTP is a stateless protocol and ISA is not caching any client side authentication for web proxy clients, make sense?
|
|
|
|
|
RE: Web Proxy Clients Connection Timeout Issue - 28.Nov.2007 3:41:41 AM
|
|
|
deluxe
Posts: 3
Joined: 26.Nov.2007
Status: offline
|
Thanks very much for your response abqtech, much appreciated.
It certainly makes sense, i have a few questions however, you say that ISA requires a client side authentication response for each HTTP request that is proxied to ISA.
If i understand this correctly this would mean, in a real-world scenario, that when a user browses www.somedomain.com he is asked for his credentials, then the user browses to another website www.anotherdomain.com then ISA will require the client to authenticate once more. So for each website visited (ie for each HTTP request) ISA will require authentication?
If that is correct then this is not happening in our case. ISA asks for credentials only once when the browser opens for the first time. Each new site visited after that does not seem to require authentication. It shouldn't?
ISA will only ask for credentials once the current browser session is closed and a new one is opened.
I hope i'm making sense of this all.
So because ISA is not caching any client side authentication there will be no way for me to force somekind of disconnection of the authentication session after a certain period of idle time?
In the past our clients used the remote desktop protocol to automatically connect to a Terminal Server which would open up a browser and the browser would be redirected to ISA > asking for authentication. We had Terminal Server configured to end a certain session after so many minutes of idle time if i remember correctly.
Thanks again abqtech!
< Message edited by deluxe -- 28.Nov.2007 3:45:25 AM >
|
|
|
|
|
RE: Web Proxy Clients Connection Timeout Issue - 29.Nov.2007 11:21:15 AM
|
|
|
abqtech
Posts: 216
Joined: 9.Mar.2004
Status: offline
|
deluxe,
Before I get ahead of myself and continue speaking about how HTTP authentication works with web proxy clients and ISA, please let me know how the "http access rule" on your ISA server is configured.
And in respose to your first question:
So for each website visited (ie for each HTTP request) ISA will require authentication?
If you have an condition on an access rule in ISA for HTTP traffic that requires some type of user authentation (i.e. anything but All Users), then each HTTP connection through ISA will be prompted with an Proxy-Authenticate HTTP Header, and each of these will require a proper client response (i.e. a HTTP Header with theProxy-Authorization), prior to ISA allowing the proxy connection to the destination website.
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
