  1. #1

    Squid to ISA pass original IP

    Hi All,

    Can squid pass on the original IP address to a parent ISA server? At the moment in the isa logs it shows all traffic originating from the squid server.

    The reason I ask is that websense is on the ISA server and I want to be able to monitor traffic from a particular IP on the guest network.

    Thanks

  2. #2

    powdarrmonkey's Avatar
    This is the purpose of the X-Forwarded-For header.

  3. #3

    Does squid pass this on by default?

    Can ISA see this as the Client IP instead of the server?

  4. #4

    No, Squid doesn't pass this on by default, as sometimes you don't want your internal IPs leaking onto the net.

    Follow X-Forwarded-For headers

  5. #5

    I have added these two lines:

    acl localnet src 10.140.0.0/16
    follow_x_forwarded_for allow localnet

    But the original IP is still not shown on ISA?

  6. #6

    Are the two lines mentioned above correct?

  7. #7

    I'd need to look up some more, but it seems that ISA doesn't natively support X-Forwarded-For headers.

    This I find odd but certainly the wiki seems to suggest you need X-Forwarded-For for ISA Server and IIS in order to do so.

  8. #8

    According to the wiki it is supported in ISA 2004/2006.

    X-Forwarded-For - Wikipedia, the free encyclopedia

  9. #9

    No, as I said:

    "Microsoft ISA Server 2004/2006 with Winfrasoft X-Forwarded-For for ISA Server"

    It is supported with the software I linked to, i.e. not natively supported.

  10. #10

    Bugger! That is £1650 to forward on an IP address.

    OK, plan B!
    Last edited by skeep; 5th March 2010 at 08:35 AM.

  11. #11


    tom_newton's Avatar
    What is it you are actually trying to achieve? There may be more than one way around this.

  12. #12

    The Squid server is on a guest network and this will be used by pupils and staff using their own equipment. We have Websense installed on the ISA box and therefore need to monitor what pupils are looking at.

    This monitoring could be achieved at the Squid end but it would be nice to have it all in one place.

    Any ideas would be greatly received!

  13. #13
    Cools's Avatar
    Drop Squid and use ISA only, or drop ISA and use Squid to do it all.
    I never did understand why you need 2 proxy/firewalls in place.

    Or am I missing something...

    Have a look at: http://aplawrence.com/Unix/squidlog.html or http://sarg.sourceforge.net/
    Last edited by Cools; 5th March 2010 at 09:38 AM.

  14. #14
    Iain's Avatar
    If you grab a copy of the ISA SDK and a copy of Visual C++ Express, it should be possible to write an ISAPI filter to capture the X-Forwarded-For header and to write this to the log files instead, using the SF_NOTIFY_LOG notification structure.

  15. Thanks to Iain from:

    skeep (8th March 2010)
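
X-Forwarded-For is set by whoever sends the request, so anything on the parent side that logs it (such as the filter suggested above) should believe it only when the connection comes from the Squid box. The Python below is an added example, not code from the thread: it reads the header right to left and accepts an entry only while the hop reporting it is trusted. The Squid address 10.140.0.5 and the sample requests are constructed assumptions.

```python
import ipaddress

# Assumption: the Squid box is the only proxy allowed to speak for clients.
# 10.140.0.5 is a constructed address inside the thread's 10.140.0.0/16 range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.140.0.5/32")]


def is_trusted(addr):
    """True if addr parses as an IP and belongs to a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_for_log(peer_ip, xff_header):
    """Return the address to log for one request.

    peer_ip is the TCP peer of the connection; xff_header is the raw
    X-Forwarded-For value or None. Entries are read right to left, and an
    entry is accepted only while the hop that reported it is trusted.
    """
    current = peer_ip
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(current):
            break  # this hop is not one of our proxies: ignore its claims
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # unparseable entry: keep the last verified address
        current = hop
    return current


# Constructed requests as the parent proxy would see them: (peer, header).
SAMPLES = [
    ("10.140.0.5", "10.140.12.34"),               # guest relayed by Squid
    ("10.140.0.5", "203.0.113.9, 10.140.12.34"),  # guest sent its own header
    ("192.168.1.77", "10.140.12.34"),             # header from a non-proxy host
    ("10.140.0.5", None),                         # no header at all
]


def resolve_samples():
    return [client_for_log(peer, xff) for peer, xff in SAMPLES]
```

In the second sample the leftmost entry was supplied by the guest device itself and is ignored; only the address appended by the trusted proxy is logged.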

  16. #15

    To explain why I'm using Squid: I have created a capture page so that when someone accesses a web page they get redirected to a login page. This page then, after completing authentication, adds the IP to a text file and then reconfigures Squid. It works really well; not sure if I could do the same with ISA?
