
SNAT Clients send URLs with IP address

SNAT CLients send URLS with IP address - 24.Jul.2006 12:21:30 PM   
selsworthy

 

Hi - I'm trying to get ISA 2004 working as a transparent proxy and am having some issues with SNAT clients and certain web pages. Clients are configured with ISA as default gateway and external DNS servers. DNS works fine on clients and they can resolve any external address. WWW browsing is also ok for 50% of sites. However, some sites do not load at all or load only parts of the page, with the rest of the page being an error message. For example, if the client goes to www.hotmail.co.uk the hotmail login box will appear but the rest of the page does not load and gives the following error message:

http://213.200.95.125/c/hotmail/N/2057/signup.html?
INVALID HOSTNAME
Some aspects of the requested URL are incorrect - Name is unknown

If I manually configure the proxy server in the browser or install and enable the Firewall client then all works fine. I guess it's to do with the browser sending the HTTP request with the URL containing the IP address of the website and not the domain name? Sadly the clients that will be using this ISA as a proxy will be public owned machines and so I will have no control over their browser settings or be able to install the firewall client. I must however route all their requests through the ISA server for content filtering and virus scanning purposes so thought SNAT would be the way to go.

Anybody know what's going on here or any other method of using ISA as a transparent proxy?

Thanks
Steve
Post #: 1
RE: SNAT CLients send URLS with IP address - 26.Jul.2006 3:15:11 PM   
selsworthy

 

I've found that if I unbind the web proxy filter from HTTP then SNAT clients can browse all sites fine. However this is not really an option as our ISA uses an upstream proxy for URL filtering and if I unbind the web proxy filter then HTTP traffic is not then sent to the upstream proxy and thus becomes unfiltered?!?

Any ideas??

(in reply to selsworthy)
Post #: 2
RE: SNAT CLients send URLS with IP address - 27.Jul.2006 2:06:42 PM   
selsworthy

 

Have now pinned this down to problems with ISA upstreaming to a Squid proxy but still don't know how to get around it. We have to use the upstream Squid because it also provides our content filtering.

I have Tom's 'Configuring ISA 2004' book and also another (ISA 2004 Unleashed) and they seem to say that when redirecting requests to upstream proxies the upstream server has to be an ISA? Is this really the case? I presumed that ISA just becomes a web proxy client of the upstream server and so it shouldn't matter what the upstream proxy is?

Can anyone help with this???


(in reply to selsworthy)
Post #: 3
RE: SNAT CLients send URLS with IP address - 13.Nov.2006 11:23:10 AM   
wasserja

 

Have you been able to find a solution for this issue?

(in reply to selsworthy)
Post #: 4
RE: SNAT CLients send URLS with IP address - 20.Nov.2006 6:11:31 AM   
selsworthy

 

Thanks for responding wasserja

Sadly I haven't been able to find a solution to this yet - I currently have a call open with MS Premier support about it. The actual problem is that when ISA routes SNAT requests to an upstream server it places the original destination IP address (not URL) of the destination web server into the HTTP GET command (i.e. GET http://195.43.51.12/ HTTP/1.1) instead of using the URL in the host header. It seems that many websites do not accept requests in this format, which is why we get Invalid Hostname errors. Microsoft are saying that this behaviour is by design but acknowledge the issue - our ISP are saying that MS are not being RFC compliant - I'm just stuck in the middle!!!

The workarounds are to use web proxy/firewall clients or bypass the upstream proxy server. We cannot use web proxy/firewall clients as the machines that are using the service are third party and unmanaged by my organisation and so we cannot configure their machines. Bypassing the upstream proxy also bypasses our URL filtering mechanism, which is also not an option for us at this stage.

Any ideas???

(in reply to wasserja)
Post #: 5
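
The request-line behaviour described in the post above, as an added example that is not part of the original thread and is not ISA or Squid code: it rewrites an intercepted SecureNAT request for an upstream proxy using either the original destination IP or the Host header, then shows which host the recipient acts on. The host name `content.example.test` and all function names are constructed; the IP is the one in the error URL quoted in the first post.

```python
# Added example: names and the sample request are constructed for illustration.
from urllib.parse import urlsplit

# What a SecureNAT client sends to the web server's IP: origin-form target + Host header.
INTERCEPTED = (
    b"GET /c/hotmail/N/2057/signup.html? HTTP/1.1\r\n"
    b"Host: content.example.test\r\n"   # constructed host name
    b"Accept: */*\r\n\r\n"
)
ORIG_DST_IP = "213.200.95.125"          # IP from the error URL quoted in the thread


def parse_request(raw: bytes):
    """Split a request head into (method, target, version, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = [tuple(p.strip() for p in line.split(":", 1))
               for line in header_lines if ":" in line]
    return method, target, version, headers


def to_upstream(raw: bytes, orig_dst_ip: str, prefer_host_header: bool) -> bytes:
    """Rewrite an intercepted origin-form request into the absolute-form sent to a proxy."""
    method, target, version, headers = parse_request(raw)
    host = next((v for n, v in headers if n.lower() == "host"), None)
    # prefer_host_header=False models the IP-based request line reported in the thread.
    authority = host if (prefer_host_header and host) else orig_dst_ip
    lines = [f"{method} http://{authority}{target} {version}"]
    lines += [f"{n}: {v}" for n, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


def effective_host(raw: bytes) -> str:
    """Host the recipient acts on: an absolute URI's host overrides Host (RFC 2616 5.2)."""
    _, target, _, headers = parse_request(raw)
    if "://" in target:
        return urlsplit(target).hostname
    return next((v for n, v in headers if n.lower() == "host"), "")


if __name__ == "__main__":
    for prefer in (False, True):
        req = to_upstream(INTERCEPTED, ORIG_DST_IP, prefer)
        print(req.split(b"\r\n")[0].decode(), "->", effective_host(req))
```

With the IP in the request line, the upstream proxy and any name-based virtual host behind it see only the address, even though the original Host header is still present in the forwarded request.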
RE: SNAT CLients send URLS with IP address - 20.Nov.2006 8:37:40 AM   
wasserja

 

I do have one idea that I think will work, but I'm not sure if I have the skills to know how to make it work. If we can set up the Linux firewall (one NIC) to transparent proxy using a redirect of port 80 to 8080 (for dansguardian) or 3128 (for squid) then we might be able to set the gateway of the ISA to be the IP of the Linux box. Let all traffic pass through to the Internet but redirect port 80 to the proxy port on the Linux box. This should still send the URL instead of the IP address because it won't be "an upstream proxy" according to ISA. Does anyone know how to set this kind of thing up?

(in reply to selsworthy)
Post #: 6
