
Welcome to ISAserver.org


Upstream proxy configuration

All Forums >> [ISA Server 2004 Firewall] >> Network Infrastructure >> Upstream proxy configuration Page: [1]
Upstream proxy configuration - 6.Sep.2005 4:23:00 AM   
x--

Hi,
I am experimenting with ISA 2004.
Here is my test setup environment (Win2003, No SP1):
(1). Internal LAN 10.10.1.x/24 with Win2003 DC (DNS)
(2). Lower Proxy (Domain member) with two NICs (10.10.1.55, 192.168.2.3)
(3). Upper proxy (Stand-alone) with two NICs (192.168.2.2, 192.168.1.2)
(4). DSL Router (192.168.1.1)

Connectivity: (1) --> (2) -cross cable-> (3) --> (4) --> Internet

Prior to this, I had directly connected the Lower Proxy to the DSL router with necessary IP changes and everything was fine.

Now, with the above configuration, access from internal machines is horribly slow, but access from upper proxy is normal.

DNS setup:
All client machines configured to connect to internal DNS server which in turn is configured with forwarders pointing to my ISP.
I *cannot* do an nslookup and resolve any external domain name except from the Upper proxy. I think this is a problem.

Another observation:
Whenever a client (SNat, WP, FWClient) connects to a website, on my upper proxy I notice two connections one after another:
1. connection from Upper Proxy to Webserver and
2. connection from Lower Proxy to Webserver

It appears as if there are two separate connections and hence there is a performance problem.

Can someone help?

Regards,
X
Post #: 1
RE: Upstream proxy configuration - 6.Sep.2005 4:52:00 AM   
RuiFiske

X,

You need to disable DNS resolution on the Lower Proxy. Indeed this will slow things down, as the Lower Proxy will try and resolve the name first, before passing the request onto the upper proxy. There are a number of ways to do this, but most suitable for you might be to try the "Disable Name Resolution" script from the MS website.

Also, your web chaining configuration is not mentioned. It seems as if you are not chaining, and your Lower Proxy is acting as a SecureNAT client to your Upper Proxy. You need to configure that chaining! (Network Configuration > Web Chaining)

Post here if you need further help - and don't try and be so mysterious. [Wink]

HTH

(in reply to x--)
Post #: 2
RE: Upstream proxy configuration - 6.Sep.2005 7:11:00 AM   
x--

Thanks YoY.
That script really helped with the speed issue [Smile]

I have two areas which are currently gray.

1. Web chaining.

I forgot to mention in my last post. I already have Web chaining configured on my LowerProxy.
I specify my Upstream server to be 192.168.2.2 on port 8080. Plus I have given the appropriate credentials to communicate with UpperProxy.

(I have created a local account on the UpperProxy machine for the LowerProxy to log into)

Whenever a client machine tries to access a site, say google.com, here is what I see on the LowerProxy:
Client-->LowerProxy_Internal_IP:80 (DENIED, anonymous)
LowerProxy_ExternalIP -->UpperProxy_InternalIP:8080 (Unidentified Traffic, Initiated)
Client-->UpperProxy_InternalIP:8080 (Allowed, Authenticated user name)

Is this normal?

2. Rules for DNS on lower proxy.

Now I wonder what should be the most secure DNS rule.
My current rule on LowerProxy allows DNS from
1. my Internal_DNS_server AND
2. my LowerProxy_External Interface
to
ISP_DNS_servers
for
ALLUsers.

I was thinking of removing access to ALLUsers and give only my defined set of users instead.

(in reply to x--)
Post #: 3
RE: Upstream proxy configuration - 9.Sep.2005 3:57:00 AM   
RuiFiske

Hi X,

That web chaining traffic doesn't look quite right.

There are three things you should check:

1. Have you configured the clients to use the lower proxy as their proxy server? It looks like they may not be, and they may still be connecting as SecureNAT clients (hence port 80), which is not the best way to handle this. If you need to roll this out, then you can use group policy.

2. What is the proxy setting for the Internal network? - this needs to allow proxying. My guess is that it is enabled on port 8080, which is the default, but good to make sure.

3. On the chaining rule on the lower proxy, is it configured to pass all requests (Domain Name Set *) to an upstream proxy, or to fetch the pages directly? It should be passing them on to the upstream proxy.

There are some subtleties with ISA and DNS, which it is difficult to answer without understanding your network (and traffic) better. However, I would say that the Lower Proxy does not need to perform any name resolution, so you could probably disable this. If you configure your proxy settings correctly on the clients, then you probably won't see much traffic for DNS resolution from the internal DNS server either, certainly not for web traffic, as this will be handled by the upstream proxy. I am reluctant to say deny it, as there will be cases where you need the resolution, but keep an eye on it - you will find that there is surprisingly little DNS traffic, which is obviously a good thing.

Apologies for the delay in replying - I haven't been to the site for a couple of days.
Don't forget to rate me, if you've found this useful!

(in reply to x--)
Post #: 4
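One way to keep an eye on the DNS traffic as post #4 suggests, added here as example code rather than anything from the thread or from ISA itself: it checks constructed, simplified log lines against the DNS rule described in post #3 (internal DNS server and the lower proxy's external interface may query the ISP resolvers) and against a tighter variant that lets only the internal DNS server do so. The log format, the internal DNS server address and the ISP resolver addresses are assumptions; the lower proxy's external address 192.168.2.3 comes from the thread.

```python
import ipaddress
from collections import Counter

# 192.168.2.3 is from the thread; the internal DNS and ISP resolver IPs are assumed.
INTERNAL_DNS = ipaddress.ip_address("10.10.1.10")
LOWER_PROXY_EXT = ipaddress.ip_address("192.168.2.3")
ISP_DNS = {ipaddress.ip_address("203.0.113.53"), ipaddress.ip_address("203.0.113.54")}

# Constructed, simplified log lines: source, destination, port, protocol, action.
SAMPLE_LOG = """\
10.10.1.10 203.0.113.53 53 udp Allowed
10.10.1.23 203.0.113.53 53 udp Allowed
10.10.1.23 192.168.2.2 8080 tcp Allowed
192.168.2.3 203.0.113.54 53 udp Allowed
10.10.1.44 198.51.100.9 53 udp Allowed
10.10.1.10 198.51.100.9 53 udp Allowed
10.10.1.10 203.0.113.53 53 udp Allowed
"""

def parse_log(text):
    """Turn the simplified log into (src, dst, port, proto, action) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto, action = line.split()
        rows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto, action))
    return rows

def audit_dns(rows, internal_dns_only=True):
    """Return DNS flows the rule would not permit. internal_dns_only=False is the
    rule from post #3 (internal DNS server and lower proxy external interface to
    the ISP resolvers); True is the tighter variant with the internal DNS server only."""
    sources = {INTERNAL_DNS} if internal_dns_only else {INTERNAL_DNS, LOWER_PROXY_EXT}
    findings = []
    for src, dst, port, _, _ in rows:
        if port != 53:
            continue
        if src not in sources:
            findings.append((str(src), str(dst), "source is not an allowed resolver"))
        elif dst not in ISP_DNS:
            findings.append((str(src), str(dst), "destination is not an ISP resolver"))
    return findings

def dns_sources(rows):
    """Count DNS flows per source: the figure to watch over time."""
    return Counter(str(src) for src, _, port, _, _ in rows if port == 53)
```

Clients that show up as DNS sources here are bypassing the internal DNS server, which is exactly the traffic the rule should not be carrying once name resolution on the lower proxy is off.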
RE: Upstream proxy configuration - 12.Sep.2005 2:30:00 AM   
x--

Hi YoY:
-------
Thanks for responding. My replies inline.

1. Have you configured the clients to use the lower proxy as their proxy server? It looks like they may not be, and they may still be connecting as SecureNAT clients (hence port 80), which is not the best way to handle this. If you need to roll this out, then you can use group policy.

(X): All client browsers have been configured to use proxy Lowerproxy on port 80 (I have changed from the default!) Roll out is beyond scope right now.

2. What is the proxy setting for the Internal network? - this needs to allow proxying. My guess is that it is enabled on port 8080, which is the default, but good to make sure.

(X): Answered above. Client configuration is stated above.

3. On the chaining rule on the lower proxy, is it configured to pass all requests (Domain Name Set *) to an upstream proxy, or to fetch the pages directly? It should be passing them on to the upstream proxy.

(X): Yes, it is configured to pass requests to upstream, and this is authenticated by logging in to the upstream proxy local account. I can see this account appear in the Client User field in the UpperProxy.

There are some subtleties with ISA and DNS, which it is difficult to answer without understanding your network (and traffic) better. However, I would say that the Lower Proxy does not need to perform any name resolution, so you could probably disable this. If you configure your proxy settings correctly on the clients, then you probably won't see much traffic for DNS resolution from the internal DNS server either, certainly not for web traffic, as this will be handled by the upstream proxy. I am reluctant to say deny it, as there will be cases where you need the resolution, but keep an eye on it - you will find that there is surprisingly little DNS traffic, which is obviously a good thing.

(X): DNS doesn't seem to cause any problem to me since I disabled DNS resolution prior to my last post. I was only wondering on what is the best rule for DNS from security perspective.
See my last post for the specific question.

Apologies for the delay in replying - I haven't been to the site for a couple of days.
Don't forget to rate me, if you've found this useful!

(X): I have already rated you!

[Smile]

(in reply to x--)
Post #: 5
RE: Upstream proxy configuration - 12.Sep.2005 3:21:00 AM   
RuiFiske

Hi Again X,

Thanks for the extra information. It makes a bit more sense now.

Information on your traffic:

If you enforce authentication at the lower proxy, then you would expect to see the first exchange (deny on 80). What happens is that the browser tries to contact the proxy anonymously first, and is then sent an HTTP response (401 or 407) requesting authentication. The browser then sends its credentials back to the proxy. This is normal. You can get round it by configuring the browser to always send credentials, though I would say it is probably not worth doing that. You should then see traffic from client to internal interface of proxy immediately afterwards, which is authenticated, though you don't list it.

Lower to upper on 8080 looks fine - I usually create a custom protocol (HTTP Proxy), so this doesn't appear in the logs as unidentified traffic.

The last entry looks fine.

I will add nothing further about the DNS. Only the internal DNS needs access, so access to others can be safely disabled. I would recommend, however, that you monitor DNS traffic in the logs closely to ensure that there is not some other service that needs DNS traffic, which may be cut off by this. I do doubt that, though.

Good luck!

Regards,

(in reply to x--)
Post #: 6
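The challenge-and-resend sequence post #6 describes, as an added illustration rather than anything from the thread or from ISA itself: a minimal proxy-side check answers an anonymous request with 407 and accepts the resend that carries credentials, producing the same "DENIED, anonymous" followed by "Allowed, user" pair that the log showed. Basic authentication, the realm name and the credential store are assumptions chosen for brevity; Integrated (NTLM) authentication takes more round trips but follows the same pattern.

```python
import base64
import hmac

# Constructed credential store for the example; ISA keeps its accounts elsewhere.
VALID_USERS = {"lowerproxy": "correct horse battery staple"}
REALM = "LowerProxy"

def parse_request(raw):
    """Split a raw HTTP request into its request line and a headers dict."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def check_basic(header_value):
    """Return the user name if the Basic credentials check out, else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    expected = VALID_USERS.get(user)
    # compare_digest keeps the comparison time independent of where it fails
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return user
    return None

def handle_proxy_request(raw):
    """Decide what the proxy answers and what its log line would record."""
    request_line, headers = parse_request(raw)
    user = check_basic(headers.get("proxy-authorization", ""))
    if user is None:
        challenge = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
                     f'Proxy-Authenticate: Basic realm="{REALM}"\r\n\r\n')
        return challenge, f"{request_line} (DENIED, anonymous)"
    return "HTTP/1.1 200 OK\r\n\r\n", f"{request_line} (Allowed, {user})"

def client_exchange(user, password):
    """Replay the two-step exchange: anonymous request first, then with credentials."""
    first = "GET http://google.com/ HTTP/1.1\r\nHost: google.com\r\n\r\n"
    reply1, log1 = handle_proxy_request(first)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    second = first.replace("\r\n\r\n", f"\r\nProxy-Authorization: Basic {token}\r\n\r\n", 1)
    reply2, log2 = handle_proxy_request(second)
    return [log1, log2], reply1.split("\r\n")[0], reply2.split("\r\n")[0]
```

The first log entry is the expected anonymous denial; only if the second, authenticated request is also denied is something actually wrong with the credentials or the rule.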
RE: Upstream proxy configuration - 12.Sep.2005 4:15:00 AM   
x--

Thanks YoY,

Do you mean, that all is well?
[Smile]
Let me try to incorporate your suggestions and see how things go.

-Sunil

(in reply to x--)
Post #: 7
RE: Upstream proxy configuration - 12.Sep.2005 5:23:00 AM   
RuiFiske

It looks like it!

(in reply to x--)
Post #: 8
