Hello, I have a DMZ network with registered real IP addresses. I have a route relationship between this subnet and External. All packets BUT http are routed, but http is NAT-ed because of Web proxy filter. Is it possible for this DMZ network to access web using their own IPs, not the ISA server external IP?
Creating a new protocol definition TCP 80 outbound with the Web Proxy Filter disabled and permitting all protocols but Http (embedded Http with WPF enabled) did not help. When I access www.checkip.com from a computer in this supposedly routed public address zone, it shows the external IP address of my ISA server, not the public IP address of the computer itself. Please help.
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
1. Don't have "proxy settings" in the browsers of the machines in the DMZ
2. Don't have the Firewall Client installed on the machines in the DMZ
According to what you described, the ISA is acting as a LAN router between the DMZ and the External, so treat it like that. If you treat it like a proxy, it is going to act like a proxy, no matter what the relationship is set to.
Sure thing, I do not have proxy settings or the FWC installed on any of these computers. The only thing that worked is disabling the Web Proxy Filter globally for the Http protocol at the Enterprise level. This workaround is quite unacceptable. I need to bypass the WPF only for a routed public network.
< Message edited by abissum -- 10.Oct.2008 7:38:37 PM >
Creating a new protocol definition TCP 80 without the Web Proxy Filter enabled does not help, even if I put it in the very first rule. No wonder: it is an overlapping protocol definition with the embedded Http protocol. Both use TCP 80 outbound. The only thing working is disabling the WPF in the Http protocol properties globally. This scenario is not suitable. Dr. Shinder's book "Configuring ISA Server 2004", page 295, Controlling routing behavior with networking rules, Route: "Another key feature of the route relationship is that the source IP address is always preserved (with the exception of Publishing rules, ...)." I believe the word "always" does not correspond to reality.
Please note that the public and external IP address is the same. The computers in your local network do not have public but private IP addresses in a particular range.
The reason your firewall is actually using the external IP address when allowing you to access the internet is to protect your local network from any external threats from the internet. There must be a rule defined for the http protocol in the ISA Server for which NAT must be enabled.
Simply allow your ISA Server to function as it is without making any changes, because the ISA Server is actually acting as a guard to protect your network from internet threats. If it does not show the public IP address, then any hacker from the internet can find out the IP addresses within your local network.
In some scenarios you want some connections not to get NAT'ed. Our ISA acts as a backend firewall, behind a Check Point FW-1, and we want some traffic to get unchanged to some resources in the DMZ on the Check Point firewall. But since the ISA acts as a proxy, it doesn't seem that NAT can be disabled for http traffic.
ISA uses the NAT term very "loosely". In reality NAT and proxying are two completely different things. The Firewall Service is a "winsock proxying service" and the Web Proxy Service is a "web proxying service". Only the SecureNAT Service is a NAT'ing service.
The relationships with networks are called "routed" or "NAT" but that does not preclude proxying. The web proxy service as far as I know will still "proxy" the request. I'm not sure about the Firewall Service, it's possible that it still will as well.
To show the actual client IP when it hits the DMZ you will probably have to create a "new" protocol for HTTP and then not associate the HTTP Filter with it, and see what it does.
If the Firewall Client becomes a problem, then I don't know what to tell you. I never use DMZs (don't believe they are necessary 90% of the time) and if I did I would probably not use a Routed relationship, or at least I would not put myself into a position to expect the things that you are expecting. I guess if you just wanted "router behavior" between the LAN and DMZ you should have just used a LAN router with a few ACLs instead of a firewall product like ISA.
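The thread relies on www.checkip.com to tell whether the DMZ host's own address survives the firewall. A more complete check, added here as an example and not part of the original thread or of any ISA Server tooling, is to capture SYNs on both sides of the firewall at the same time and correlate each inside connection with the corresponding outside connection: a flow whose source address is unchanged was routed, a flow whose source became the firewall's external address was NAT'ed or proxied. Run over the constructed capture lines below (the DMZ address 203.0.113.10/.11, the firewall external address 192.0.2.1 and the remote servers 198.51.100.x are all documentation-range placeholders, not addresses from the thread), it reproduces the pattern the original poster describes: only port 80 is rewritten, every other port keeps its source address.

```python
import re
from collections import defaultdict

# Constructed sample captures in a simplified tcpdump line format (not real
# traffic from the thread). INSIDE is taken on the DMZ segment, OUTSIDE on the
# External segment of the same firewall, during the same seconds.
INSIDE_CAPTURE = """\
10:00:01.100 IP 203.0.113.10.51000 > 198.51.100.20.80: Flags [S]
10:00:01.250 IP 203.0.113.10.51001 > 198.51.100.30.443: Flags [S]
10:00:02.400 IP 203.0.113.11.52000 > 198.51.100.40.25: Flags [S]
10:00:03.000 IP 203.0.113.11.52001 > 198.51.100.20.80: Flags [S]
"""
OUTSIDE_CAPTURE = """\
10:00:01.130 IP 192.0.2.1.61000 > 198.51.100.20.80: Flags [S]
10:00:01.255 IP 203.0.113.10.51001 > 198.51.100.30.443: Flags [S]
10:00:02.405 IP 203.0.113.11.52000 > 198.51.100.40.25: Flags [S]
10:00:03.040 IP 192.0.2.1.61001 > 198.51.100.20.80: Flags [S]
"""

# Only the first SYN of each connection matters for the source-address question.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\]$"
)


def parse_syns(text):
    """Turn capture lines into flow records with a time in seconds since midnight."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore non-SYN or malformed lines
        h, mi, s = m.group("ts").split(":")
        flows.append({
            "t": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
        })
    return flows


def classify_flows(inside_text, outside_text, window=0.5):
    """Pair every inside SYN with the nearest later, not yet used outside SYN to
    the same destination:port within `window` seconds, then compare sources.
    A proxy opens its own connection, so the source port cannot be used for
    matching; destination and timing are the stable part of the flow."""
    inside = parse_syns(inside_text)
    unmatched = parse_syns(outside_text)
    results = []
    for f in inside:
        candidates = [
            o for o in unmatched
            if o["dst"] == f["dst"] and o["dport"] == f["dport"]
            and 0 <= o["t"] - f["t"] <= window
        ]
        record = dict(f)
        if not candidates:
            record.update(verdict="no-egress", egress_src=None)
        else:
            o = min(candidates, key=lambda c: c["t"] - f["t"])
            unmatched.remove(o)
            record.update(
                verdict="preserved" if o["src"] == f["src"] else "rewritten",
                egress_src=o["src"],
            )
        results.append(record)
    return results


def summarize_by_port(results):
    """Which verdicts were seen per destination port, e.g. {80: ['rewritten']}."""
    by_port = defaultdict(set)
    for r in results:
        by_port[r["dport"]].add(r["verdict"])
    return {port: sorted(v) for port, v in by_port.items()}


if __name__ == "__main__":
    res = classify_flows(INSIDE_CAPTURE, OUTSIDE_CAPTURE)
    for r in res:
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}  "
              f"{r['verdict']} (seen outside as {r['egress_src']})")
    print(summarize_by_port(res))
```

Any port that shows up as "rewritten" while the network rule says Route is a port some filter is proxying; on ISA that is exactly the embedded Http protocol with the Web Proxy Filter attached, which is why a second TCP 80 definition without the filter cannot take precedence. The same two-sided capture also catches the opposite surprise, a port that is expected to be NAT'ed but leaks internal addresses.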