IPSec Question

Discussion in 'Server Networking' started by Niki Blowfield, May 17, 2005.

  1. Hi

    We have 2 proxy servers in use on our network, the first is running ISA
    Server 2000 and a URL Filtering plugin. All clients point at this server.
    This server uses NT Authentication to ensure only valid users can access the
    internet

    Upstream from this proxy, we have a virus scanning proxy server, which in
    turn forwards requests to the internet

    This upstream proxy is the only IP address which is granted HTTP access to
    the internet

    We need to ensure this upstream proxy is secured against people entering the
    server name and port number into their IE6 Proxy settings, thus bypassing our
    secure filtering proxy server and its controls/logging

    The software that is running on the upstream proxy is a basic virus scanner,
    and cannot control who accesses it. Up until now we have been changing the
    port number periodically so it's tough to guess

    We would like to use IPSec to secure comms so that only the downstream proxy
    has permissions to access the upstream proxy

    When I configure IPSec to secure comms in this fashion (deny All IP, permit
    IP from downstream proxy), at the Windows level, all looks fine, however,
    internet browsing immediately fails

    It appears that the downstream proxy does not strip the IP address of the
    client that was requesting HTTP

    The upstream proxy therefore appears to see the HTTP requests coming from
    the original client, rather than the downstream proxy that is actually making
    the requests

    Is there a way of IPSec allowing this kind of pass-through HTTP traffic, but
    not accepting direct connections from any IP other than the downstream proxy?

    Thanks,
    Mr. Niki Blowfield
     
    Niki Blowfield, May 17, 2005
    #1
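An added example, not part of the thread, to make the two pieces of this question concrete: (a) which peer address an upstream listener actually observes when a forwarding proxy accepts a client request and re-issues it over its own TCP connection, and (b) how a "block all IP, permit the downstream proxy" filter list of the kind described above evaluates against different source addresses. The two "proxies" are toy stand-ins written for this example (not ISA Server or the virus-scanning proxy), they run on loopback, and the addresses in `FILTER_LIST` are constructed. The most-specific-match rule in `evaluate_filters` mirrors how Windows IPsec orders filters, so a /32 permit overrides a /0 block.

```python
import ipaddress
import socket
import threading


def _read_request(conn):
    """Read one HTTP request head (through the blank line) from a socket."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def _read_until_eof(conn):
    """Read a reply until the peer closes the connection."""
    parts = []
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            return b"".join(parts)
        parts.append(chunk)


def start_upstream():
    """Toy stand-in for the upstream proxy: accept one connection, record the
    peer address the kernel reports, answer, and close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port chosen by the OS
    srv.listen(1)
    seen = {}

    def serve():
        conn, peer = srv.accept()
        with srv, conn:
            seen["peer"] = peer  # what a source-address filter on this host would see
            seen["request"] = _read_request(conn)
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv.getsockname(), seen, t


def start_downstream(upstream_addr):
    """Toy stand-in for the downstream proxy: take the client's request and
    re-issue it over a NEW TCP connection that the proxy itself originates."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    info = {}

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            request = _read_request(conn)
            out = socket.create_connection(upstream_addr)
            with out:
                info["outbound"] = out.getsockname()  # source address of the proxy's own connection
                out.sendall(request)
                reply = _read_until_eof(out)
            conn.sendall(reply)

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv.getsockname(), info, t


def run_chain():
    """Client -> downstream -> upstream over loopback; return the addresses involved."""
    up_addr, seen, up_t = start_upstream()
    down_addr, info, down_t = start_downstream(up_addr)
    client = socket.create_connection(down_addr)
    with client:
        client_local = client.getsockname()
        client.sendall(b"GET http://example.test/ HTTP/1.0\r\nHost: example.test\r\n\r\n")
        reply = _read_until_eof(client)
    up_t.join(5)
    down_t.join(5)
    return {
        "client_local": client_local,
        "downstream_outbound": info["outbound"],
        "upstream_peer": seen["peer"],
        "reply": reply,
    }


# Constructed addresses for the filter demo; the thread names none.
DOWNSTREAM_PROXY_IP = "10.0.0.10"
FILTER_LIST = [
    ("0.0.0.0/0", "block"),                  # deny all IP traffic ...
    (DOWNSTREAM_PROXY_IP + "/32", "permit"),  # ... except from the downstream proxy
]


def evaluate_filters(src_ip, filters=FILTER_LIST):
    """Return 'permit' or 'block' for a source address; the most specific
    matching filter (longest prefix) wins, as in Windows IPsec filter lists."""
    ip = ipaddress.ip_address(src_ip)
    matches = [(ipaddress.ip_network(net), action) for net, action in filters
               if ip in ipaddress.ip_network(net)]
    _, action = max(matches, key=lambda m: m[0].prefixlen)
    return action


if __name__ == "__main__":
    r = run_chain()
    print("client socket:            ", r["client_local"])
    print("downstream outbound socket:", r["downstream_outbound"])
    print("peer seen by upstream:     ", r["upstream_peer"])
    for ip in (DOWNSTREAM_PROXY_IP, "10.0.0.55"):
        print(ip, "->", evaluate_filters(ip))
```

Running it shows that the peer the upstream stand-in records is the downstream proxy's own outbound socket, not the client's, which is the behaviour a source-address filter on the upstream host is keyed on; the filter part then shows the constructed downstream address permitted and any other address blocked. Whether a given product chains requests this way is something to confirm on the upstream host itself (for example from its connection log or a packet capture) before relying on an address-based policy.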

  2. Forget IPSec. Just put the upstream proxy in another subnet that is
    physically separated by the ISA Server (aka a Back-to-Back DMZ). Users
    won't be able to get to the thing without going through the ISA.

    [users] --> [ISA] --> [other proxy] --><internet>
     
    Phillip Windell, May 17, 2005
    #2
