proxy for exzternal range ( Pls. Dr tom )

proxy for exzternal range ( Pls. Dr tom ) - 14.Jan.2007 6:08:50 AM   
mekaneky

 

Posts: 95
Joined: 15.Feb.2006
Status: offline
Hello all,

My network appears as:

ADSL with private IP on LAN port (10.0.0.1/24) >> switch >>> all work stations (10.0.0.x/24), one of them is ISA Server 2006 SE on 2003 EE >>> internal clients with private range (192.168.1.x/24)

Step by step, how do I allow web proxy for Internet Explorer so that these computers in the same range as the ISA external NIC (10.0.0.x/24) can use the cache for better web performance,
and also allow file sharing between these computers and the ISA server itself?
Post #: 1
RE: proxy for exzternal range ( Pls. Dr tom ) - 15.Jan.2007 7:33:33 AM   
Guest
Hi Mekaneky,
your network setup doesn't look good at all (at least how you have described it).
What does "all work stations (10.0.0.x/24)" mean?
What kind of protection do they require?
As far as I see, the level of protection for them is probably near zero.
Why not add one more NIC to ISA and put them on a perimeter network on ISA?
Then enable the web proxy for that network.
What is the file sharing needed for?
File sharing between ISA and those external clients is a big security issue.
If you want to share something from one external computer to internal computers you should use VPN.

(in reply to mekaneky)
  Post #: 2
RE: proxy for exzternal range ( Pls. Dr tom ) - 18.Jan.2007 9:28:22 AM   
mekaneky

 

Posts: 95
Joined: 15.Feb.2006
Status: offline
Hi Adrian,

Security is not a big issue in that network, plus as you see these workstations with private range (10.0.0.X) are behind a router which does NAT, and that provides what I need of security.

About adding a NIC to the ISA server and adding a new network in ISA server: that is already what I have now, but the problem is that there is a game called Silkroad that all users here play online, and when the computers are behind the ISA server it allows only one machine; when the computers are connected to the router as gateway it works on all machines.
And about why I need to use a proxy for them: that is to get faster web browsing.
About the network in range (192.168.1.X): I don't want to connect it directly to the router because I need to use the application filter on it to prevent them from using sharewarez such as iMesh and BearShare.

So what do you think? I cannot give up Silkroad while it is not working behind the ISA server as firewall; if it works I can make them 2 networks behind the ISA server.
For file sharing on the ISA server I can use permissions for each user.
Generally my requirement is not related to security so much as it is related to performance and to solving that game problem.

(in reply to Guest)
Post #: 3
RE: proxy for exzternal range ( Pls. Dr tom ) - 18.Jan.2007 10:27:46 AM   
Guest
Interesting.
Using a firewall not for security reasons and not needing any other security than NAT.
The only recommendation I have is to make that game work behind ISA (obviously if it is possible, sorry I'm not familiar with it).
The rest described by you I consider to be, how should I say, something that I would not support or encourage, so I will choose not to answer those questions.
This configuration has some serious security issues. I do not want to make them possible by explaining how to do them (or even if such a configuration might work).
I know that this is not helping you, so may I make a suggestion:
From what I see you need a proxy server, not a firewall.
Regards,
Adrian.

(in reply to mekaneky)
  Post #: 4
RE: proxy for exzternal range ( Pls. Dr tom ) - 19.Jan.2007 5:00:35 PM   
Boedus

 

Posts: 195
Joined: 8.Sep.2006
Status: offline
quote:

ORIGINAL: adrian_dimcev

Interesting.
Using a firewall not for security reasons and not needing any other security than NAT.
The only recommendation I have is to make that game work behind ISA (obviously if it is possible, sorry I'm not familiar with it).
The rest described by you I consider to be, how should I say, something that I would not support or encourage, so I will choose not to answer those questions.
This configuration has some serious security issues. I do not want to make them possible by explaining how to do them (or even if such a configuration might work).
I know that this is not helping you, so may I make a suggestion:
From what I see you need a proxy server, not a firewall.
Regards,
Adrian.


He is using ISA in a Cyber Cafe apparently, this is the reason why he said security is not a big issue, which is almost true. He also said he wants to use ISA to work as Content Filtering and Proxy Server, which is legit to me.

Now I know this game. I opened the required port on my ex ISA 2004 server (don't remember the port number) and it was working OK. Now the fact that one is working but not the others is a bit odd. I mean, it routes the traffic or not.

Check your ISA Server logs, and use the real-time logging (Monitoring tree, then Logging tab) and enable the following filter:

Filter by: Action
Condition: Equals
Value: Denied Connection, or Connection status to see what is going on.

(in reply to Guest)
Post #: 5
RE: proxy for exzternal range ( Pls. Dr tom ) - 20.Jan.2007 10:32:22 AM   
Guest
Hi Boedus!
mate, are you reading through lines?
quote:

He is using ISA in a Cyber Cafe apparently, this is the reason why he said security is not a big issue, which is almost true.

Well, how does the following sound to you?
Just think: I am a hacker and I'm searching for vulnerable hosts from where to launch my attacks.
I'm going to make a stop at your Cyber Cafe.
From there I'm going to launch a series of attacks on some companies.
Next, these companies will blame you for not taking any real measures in securing your network, for example using a decent firewall, and they will ask for compensation.
Also, your customers in this case must have a decent level of protection.
Nice, huh?
quote:

He also said he wants to use ISA to work as Content Filtering and Proxy Server, which is legit to me.

First, one simple thing: ISA is not a proxy!
It can function as a "web" proxy firewall using its "Web Proxy Filter", which enables "Http Proxy and Cache".
What does this mean?
It means ISA can function as an application layer proxy firewall (awesome protection) using what in its world are called application filters, or in the Cisco world fixups, where for the above example the HTTP filter is used. Also, for improved performance it can cache too.
It has numerous application filters because it can handle numerous applications, so it can function as a proxy for them too.
There is a huge difference between these terms.
Also, because it is a firewall, this means it is not a File Sharing Server.
There is no legitimate use in what he is describing.
You will not find any information on how to do that for a simple reason: check my previous post.
In other words, it is not supported.
A firewall is designed to protect networks -> it will only serve the network it is protecting.
It is all about the way networks are defined in ISA.
From ISA help:
quote:

When Microsoft Internet Security and Acceleration (ISA) Server 2004 is installed, five networks are configured. The External network is one of these networks.
The External network includes all Internet Protocol (IP) addresses not explicitly included in any other network. Upon installation, the External network includes all addresses not in the Internal network, the IP address of the Local Host network (127.0.0.1), and the IP addresses of all other network adapters on the ISA Server computer.
The External network is generally considered an untrusted network.
For this reason, the network relationship to the External network would typically be configured as network address translation (NAT). This would allow clients on the source network to access the destination External network, but prevent the External network from accessing the source network.
The default Internal network is used by Microsoft Internet Security and Acceleration (ISA) Server 2004 to represent the primary default protected network. By default, system policy rules protect resources on the Internal network from all other networks (other than the Local Host network).
The Internal network is generally considered to contain trusted IP address ranges. For this reason, the default system policy allows the ISA Server computer to access services on the Internal network.
Perimeter network: A network set up separately from an organization's private network and the Internet. The advantage of a perimeter network is that it allows external users access to specific servers located in the perimeter network, while preventing access to the internal corporate network. A perimeter network is also known as DMZ, demilitarized zone, and screened subnet.

What you are trying to do for "legitimate use" is to force ISA to protect the external network.
It is nonsense.
To get faster web browsing there are many free proxies that do caching, as I suggested from the beginning.
For blocking those applications you can use ISA as long as the computers belong to one of ISA's protected networks, or use what is called a filtering proxy on the computer that serves you as a proxy server.
My recommendation was, and I repeat, to try to make that game work behind ISA.
For file sharing use a different server located on the network with those computers if they still belong to ISA's external interface.
Knowing all this and still doing it your way means you are on an unsupported configuration and you should figure it out yourself.

< Message edited by adrian_dimcev -- 20.Jan.2007 10:36:13 AM >

(in reply to Boedus)
  Post #: 6
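
The network definitions quoted from the ISA help in the post above, modelled as an added example (not part of the thread and not ISA's own code): External is whatever no other network claims, so the 10.0.0.x workstations land in it. The ISA adapter addresses 10.0.0.2 and 192.168.1.1 are assumptions; the thread never states them.

```python
import ipaddress

# Ranges taken from the thread; the two ISA adapter addresses are
# hypothetical, since the thread never states them.
INTERNAL = [ipaddress.ip_network("192.168.1.0/24")]
LOCAL_HOST = [ipaddress.ip_address(a)
              for a in ("127.0.0.1", "10.0.0.2", "192.168.1.1")]


def isa_network(addr):
    """Name the ISA network an address belongs to, per the help text."""
    ip = ipaddress.ip_address(addr)
    if ip in LOCAL_HOST:
        return "Local Host"
    if any(ip in net for net in INTERNAL):
        return "Internal"
    # External is defined by exclusion: anything no other network claims.
    return "External"


def external_ranges(within):
    """Return the parts of the block `within` that fall in External."""
    claimed = INTERNAL + [ipaddress.ip_network(f"{a}/32") for a in LOCAL_HOST]
    remaining = [ipaddress.ip_network(within)]
    for c in claimed:
        kept = []
        for r in remaining:
            if c.subnet_of(r):
                kept.extend(r.address_exclude(c))  # carve the claim out
            elif not r.subnet_of(c):
                kept.append(r)                     # untouched by this claim
        remaining = kept
    return sorted(remaining)


def nat_permits(src, dst):
    """Model only the NAT relationship Internal -> External from the help
    text: the source network may reach External, never the reverse."""
    return isa_network(src) == "Internal" and isa_network(dst) == "External"


if __name__ == "__main__":
    for host in ("10.0.0.50", "192.168.1.20", "10.0.0.2"):
        print(host, "->", isa_network(host))
    print(external_ranges("10.0.0.0/24"))
    print(nat_permits("192.168.1.20", "10.0.0.50"),
          nat_permits("10.0.0.50", "192.168.1.20"))
```
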
RE: proxy for exzternal range ( Pls. Dr tom ) - 20.Jan.2007 5:01:59 PM   
mekaneky

 

Posts: 95
Joined: 15.Feb.2006
Status: offline
Well, how does the following sound to you?
Just think: I am a hacker and I'm searching for vulnerable hosts from where to launch my attacks.
I'm going to make a stop at your Cyber Cafe.

You ignore that I explained all computers are using private IPs and are behind a router which does NAT, and also that the router has a built-in firewall.

First, one simple thing: ISA is not a proxy!

But it acts as a proxy, or tell me what you think about installing ISA using one NIC!!!!!

My recommendation was, and I repeat, to try to make that game work behind ISA.

Didn't I explain that if it can work behind ISA it will be better for me???


(in reply to mekaneky)
Post #: 7
RE: proxy for exzternal range ( Pls. Dr tom ) - 20.Jan.2007 5:06:52 PM   
Boedus

 

Posts: 195
Joined: 8.Sep.2006
Status: offline
Well, another understanding issue here.

mekaneky said he does not really care about security, which means in essence external attacks. He knows he has ISA Firewall mechanisms even as a proxy only and this is enough for him.

When mekaneky also said he wants to provide file sharing from his ISA Server it means he does not have the means to buy another server.
And the fact that hackers could use a PC to hack external resources is mainly a matter of PC configuration and some policy deployment rather than the ISA Server itself. Some stuff should be done on the firewall, of course, I agree, but as soon as you open some ports to the external world, this is more a matter of being able to control PC configuration by disabling command line window, installing programs, allowing only a pool of predefined binaries, ...

There was no need again trying to be smarter, you simply needed to listen up a little bit better.
This is what service is all about. This is not about trying to prove you are better, this is about proposing the best solution possible for your customer. Ideally he should have another server, I agree with you, but this is not the case, so. You deal with what you have and in the meantime you can let the guy know this is not ideal for such and such reason. But simply replying something like "You are a moron this is not the way ISA works" is not helping anybody.

And yes, ISA is also a Proxy, and has always been a proxy server.
You are not obliged to use ISA as a real firewall (2 NICs at least).

And as you do not seem to be aware, ISA can be installed as a Web Proxy or Caching server only, using a single NIC.
Please refer to this article:
http://www.microsoft.com/technet/isa/2006/networks.mspx

And stop insulting people, this is really annoying now.

Enjoy

(in reply to Guest)
Post #: 8
RE: proxy for exzternal range ( Pls. Dr tom ) - 20.Jan.2007 6:57:47 PM   
Guest
Once again, I have no intention of insulting you.
About the proxy mode, ask Tom to give you the link on how to use it.
I think he is the right man to give such advice.
quote:

"You are a moron this is not the way ISA works"

I never had the intention of making such a comment and this insult is all yours.
quote:

There was no need again trying to be smarter

I'm not trying to be smarter: I have just pointed out how things work from ISA's help file.
I was trying to say that this is not a recommended setup so I do not support it, and there aren't any articles about it because it is not supported.
If you agree with him you can point him in the right direction instead of being smarter in commenting on my posts.
This is my opinion and I've brought some strong arguments for it.
This is one of the purposes of a forum: it is not only about giving an answer to a problem. You can give advice, give an opinion...
Every little help counts.
Let's try to stop hijacking any more threads.
If you have anything to say to me please do it in private (you can say anything you want, I do not mind) by PM or e-mail.
Again:
Best regards,
Adrian

(in reply to Boedus)
  Post #: 9
RE: proxy for exzternal range ( Pls. Dr tom ) - 28.Jan.2007 12:39:22 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: Boedus

Well, another understanding issue here.

mekaneky said he does not really care about security, which means in essence external attacks. He knows he has ISA Firewall mechanisms even as a proxy only and this is enough for him.

When mekaneky also said he wants to provide file sharing from his ISA Server it means he does not have the means to buy another server.
And the fact that hackers could use a PC to hack external resources is mainly a matter of PC configuration and some policy deployment rather than the ISA Server itself. Some stuff should be done on the firewall, of course, I agree, but as soon as you open some ports to the external world, this is more a matter of being able to control PC configuration by disabling command line window, installing programs, allowing only a pool of predefined binaries, ...

There was no need again trying to be smarter, you simply needed to listen up a little bit better.
This is what service is all about. This is not about trying to prove you are better, this is about proposing the best solution possible for your customer. Ideally he should have another server, I agree with you, but this is not the case, so. You deal with what you have and in the meantime you can let the guy know this is not ideal for such and such reason. But simply replying something like "You are a moron this is not the way ISA works" is not helping anybody.

And yes, ISA is also a Proxy, and has always been a proxy server.
You are not obliged to use ISA as a real firewall (2 NICs at least).

And as you do not seem to be aware, ISA can be installed as a Web Proxy or Caching server only, using a single NIC.
Please refer to this article:
http://www.microsoft.com/technet/isa/2006/networks.mspx

And stop insulting people, this is really annoying now.

Enjoy


Hi Boedus,

With all that said, we definitely do NOT support or endorse "hork mode" single NIC or unsecure configurations on the ISAserver.org site. Microsoft will do it on their site because they want to sell product. We are more concerned with security and best configuration practices for the ISA Firewall. For that reason, most of us will advise people to avoid poor security practices, and do what is best.

The ISA Firewall is no longer a simple Web proxy device. In fact, it's a firewall with a Web proxy filter bound to it, but the Web proxy features are always tertiary to the Firewall components of the system.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Boedus)
Post #: 10
