
Routing real addresses without Webproxy filter

Routing real addresses without Webproxy filter - 9.Oct.2008 3:30:59 AM   
abissum

 

Posts: 21
Joined: 18.Aug.2003
Status: offline
Hello,
I have a DMZ network with registered real IP addresses. I have a route relationship between this subnet and External. All packets BUT http are routed, but http is NAT-ed because of Web proxy filter. Is it possible for this DMZ network to access web using their own IPs, not the ISA server external IP?
Post #: 1
RE: Routing real addresses without Webproxy filter - 9.Oct.2008 9:38:09 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Server publish them or create new protocols without the WPF binding.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to abissum)
Post #: 2
RE: Routing real addresses without Webproxy filter - 10.Oct.2008 2:55:13 AM   
abissum

 

Posts: 21
Joined: 18.Aug.2003
Status: offline
Creating new protocol definition TCP 80 outbound with WebProxy Filter disabled and permitting all protocols but Http (embedded Http with WPF enabled) did not help. When I access www.checkip.com from a computer in this assumably routed public address zone it shows external IP address of my ISA server but not the public IP address of the computer itself. Please help.

(in reply to Jason Jones)
Post #: 3
RE: Routing real addresses without Webproxy filter - 10.Oct.2008 11:29:37 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
1. Don't have "proxy settings" in the browsers of the machines in the DMZ

2. Don't have the Firewall Client installed on the machines in the DMZ

According to what you described, the ISA is acting as a LAN Router between the DMZ and the External,..so treat it like that.  If you treat it like a proxy, it is going to act like a proxy, no matter what the relationship is set to.


_____________________________

Phillip Windell

(in reply to abissum)
Post #: 4
RE: Routing real addresses without Webproxy filter - 10.Oct.2008 7:19:55 PM   
abissum

 

Posts: 21
Joined: 18.Aug.2003
Status: offline
Sure thing, I do not have proxy settings or FWC installed on any of these computers.
The only thing that worked is disabling Web Proxy Filter globally for Http protocol at the Enterprise level. This workaround is quite unacceptable. I need to bypass WPF only for a routed public network.

< Message edited by abissum -- 10.Oct.2008 7:38:37 PM >

(in reply to pwindell)
Post #: 5
RE: Routing real addresses without Webproxy filter - 11.Oct.2008 4:53:35 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Did you define the custom HTTP protocol (without the filter) and then use this in a specific rule that is placed above all other native HTTP rules?

This blog entry may also be of use:

http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to abissum)
Post #: 6
RE: Routing real addresses without Webproxy filter - 13.Oct.2008 1:24:17 AM   
abissum

 

Posts: 21
Joined: 18.Aug.2003
Status: offline
Creating a new protocol definition TCP 80 without Web Proxy Filter enabled does not help even if I put it in the very first rule. No wonder - it is an overlapping protocol definition with the embedded Http protocol. They both use TCP 80 outbound. The only thing working is disabling WPF in Http protocol properties globally. This scenario is not suitable.
Dr. Shinder's book "Configuring ISA Server 2004", page 295, Controlling routing behavior with networking rules, Route
"Another key feature of the route relationship is that the source IP address is always preserved (with the exception of Publishing rules, ...)."
I believe the word always does not correspond to reality.

(in reply to Jason Jones)
Post #: 7
RE: Routing real addresses without Webproxy filter - 16.Apr.2009 7:59:39 AM   
sthe

 

Posts: 36
Joined: 8.Dec.2005
Status: offline
I have the same problem.
Did you solve this?

(in reply to abissum)
Post #: 8
RE: Routing real addresses without Webproxy filter - 20.Apr.2009 9:01:05 AM   
student

 

Posts: 34
Joined: 2.Mar.2009
Status: offline
Please note that the public and external IP address is the same. The computers in your local network do not have public but private IP addresses in a particular range.

Your firewall is actually using the external IP address when allowing you to access the internet in order to protect your local network from any external threats from the internet. There must be a rule defined for the http protocol in the ISA Server for which NAT must be enabled.

Simply allow your ISA Server to function as it is without making any changes, because ISA Server is actually acting as a guard to protect your network from internet threats. If it does not show the public IP address, then any hacker from the internet can find out the IP addresses within your local network.

I hope this helps,

(in reply to abissum)
Post #: 9
RE: Routing real addresses without Webproxy filter - 21.Apr.2009 2:10:26 AM   
sthe

 

Posts: 36
Joined: 8.Dec.2005
Status: offline
In some scenarios you want that some connections don't get NAT'ed.
Our ISA acts as backend firewall, behind a Check Point FW 1 and we want that some traffic gets unchanged to some resources on DMZ on the Check Point Firewall.
But since the ISA acts as a Proxy, it doesn't seem that NAT can be disabled for http-traffic.

(in reply to student)
Post #: 10
RE: Routing real addresses without Webproxy filter - 21.Apr.2009 9:56:09 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
ISA uses the NAT term very "loosely".  In reality NAT and proxying are two completely different things.  The Firewall Service is a "winsock proxying service" and the Web Proxy Service is a "web proxying service".  Only the SecureNAT Service is a NAT'ing service.

The relationships with networks are called "routed" or "NAT" but that does not preclude proxying.  The web proxy service as far as I know will still "proxy" the request.  I'm not sure about the Firewall Service, it's possible that it still will as well.

To show the actual client IP when it hits the DMZ you will probably have to create a "new" protocol for HTTP and then do not associate the HTTP Filter with it,...and see what it does.

If the Firewall Client becomes a problem, then I don't know what to tell you.  I never use DMZs (don't believe they are necessary 90% of the time) and if I did I would probably not use a Routed relationship, or at least I would not put myself into a position to expect the things that you are expecting. I guess if you just wanted "router behavior" between the LAN and DMZ you should have just used a LAN Router with a few ACLs instead of a Firewall Product like ISA.

_____________________________

Phillip Windell

(in reply to sthe)
Post #: 11
