Re: Follow-up, Re: Can anybody make any sense out of this? (it involves lack of DNS)
- From: Pete Helgren <pete@xxxxxxxxxx>
- To: HTTPAPI and FTPAPI Projects <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
- Subject: Re: Follow-up, Re: Can anybody make any sense out of this? (it involves lack of DNS)
- Date: Mon, 09 Jan 2012 11:16:04 -0700
In my case, FWIW, the ISA server is my gateway to the outside world. So
there is no way I can get to the Internet except by going through the
ISA server. The default configuration for ISA is to force
authentication of the user before any outside access is allowed. If I
would try to go to Google.com unauthenticated then ISA would return this
error to my browser:

Error Code: 403 Forbidden. The ISA Server denied the specified Uniform
Resource Locator (URL). (12202)

One way to fix that is to add a proxy setting to my browser. In my case
I set the proxy to 10.0.10.2 (the ISA server IP) and port 8080. The
next time I hit the google.com site I am prompted to authenticate and I
pass the user ID and password for my network. I can also use a
"firewall client" in Windows which connects and authenticates to the ISA
server for ALL network/internet activity. In my particular case I
bypass the proxy completely: I just tell ISA that any traffic from my
laptop (10.0.10.25) is allowed to pass to the Internet without having to
authenticate or proxy out.

In your case, there is no "firewall client" for the i so you are down to
two options. If the firewall requires you to authenticate or "proxy"
out, then you need to talk to the proxy at the correct port that it is
listening on. In my case the proxy listens on 8080 so I have to access
the proxy first at 10.0.10.2:8080 and authenticate. I am not familiar
with the internals but I guess that the IP address you contacted the
proxy from is then added to a list that allows traffic to flow freely to
the Internet at that point. So your conversation with the proxy is
first at the IP and port of the proxy server. Once authenticated, you
access the Internet directly without using the proxy address and port.

I am pretty sure that HTTPAPI uses the same mechanism as a "browser":
The initial contact with the proxy is at the proxy IP and port and then
from that point all of the conversations with the outside world are
"direct", that is, without specifying the proxy information (Scott would
have to verify this and I am sure the mechanics are much more involved).
The only alternative is to configure the firewall/proxy to allow traffic
to pass unfettered from a specific IP address (which is what I do).

There are *many* types of proxies that have many different uses. But if
the firewall is configured to pass all traffic to the proxy then there
are only the two ways above to satisfy it: Properly authenticate to it
or add a rule that bypasses it.
Pete Helgren
Value Added Software, Inc
www.petesworkshop.com
GIAC Secure Software Programmer-Java
On 1/9/2012 10:24 AM, James Lampert wrote:
> Thanks, and we still are. I'm struggling to understand how proxies,
> proxy ports, HTTP, and HTTPS work together at all, so don't be surprised
> if my questions reflect that.
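
Added example, not part of the original messages and not HTTPAPI code: the standard HTTP messages a client sends to a forward proxy such as the one at 10.0.10.2:8080 above, for plain HTTP (full URL in the request line) and for HTTPS (a CONNECT tunnel), plus how the proxy's reply is read. It assumes the proxy accepts Basic proxy authentication; the user name, password, target host and sample reply are constructed.

```python
import base64

PROXY = ("10.0.10.2", 8080)  # proxy address and port quoted in the message above

# Constructed sample of a proxy reply that asks for credentials.
SAMPLE_407 = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
              'Proxy-Authenticate: Basic realm="proxy"\r\n'
              "Content-Length: 0\r\n\r\n")

def proxy_auth(user, password):
    """Credentials for the proxy itself (assumption: Basic scheme is accepted)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Proxy-Authorization: Basic {token}"

def http_via_proxy(host, path, auth=None):
    """Plain HTTP: sent to the proxy's socket, request line carries the full URL."""
    lines = [f"GET http://{host}{path} HTTP/1.1", f"Host: {host}"]
    if auth:
        lines.append(auth)
    return "\r\n".join(lines) + "\r\n\r\n"

def https_via_proxy(host, port=443, auth=None):
    """HTTPS: ask the proxy for a tunnel; TLS to the site starts after a 2xx reply."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if auth:
        lines.append(auth)
    return "\r\n".join(lines) + "\r\n\r\n"

def classify_reply(raw):
    """Read the proxy's response head and say what the client should do next."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in head[1:] if ":" in l)}
    if status == 407:  # proxy wants credentials; report the scheme it offers
        scheme = headers.get("proxy-authenticate", "").split()[0:1]
        return ("send-credentials", scheme[0] if scheme else None)
    if status == 403:  # refused by policy, like the ISA 403 quoted above
        return ("denied-by-policy", None)
    if 200 <= status < 300:
        return ("ok", None)
    return ("other", None)

if __name__ == "__main__":
    auth = proxy_auth("user", "secret")  # constructed credentials
    print(f"connect to {PROXY[0]}:{PROXY[1]} and send:")
    print(http_via_proxy("www.example.com", "/", auth))
    print(https_via_proxy("www.example.com", auth=auth))
    print(classify_reply(SAMPLE_407))
```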
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------