Results 1 to 5 of 5
  1. #1
    Untangler
    Join Date
    Apr 2009
    Posts
    60

    Default Untangle in front of ISA server.

    Hello.

    I have an ISA server already in place that is routing for a couple different subnets and NATing for the internet.

    I would like to place untangle in front of the ISA server.

    i.e. Internet (Public WAN) -> Untangle -> ISA -> subnets

    I have a couple questions.

    First of all, I want to do user identification so I am assuming that I will need to turn off NATing on ISA so that Untangle sees the real IP addresses. And then I will just create a third subnet between Untangle and ISA and allow untangle to do the NATing.

    If I configure it this way, then how will this effect ISA's caching ability. Lets say I have students and teachers in a school. I want to block myspace for students, but not for teachers. So, if ISA makes a request for a student and myspace is blocked, will the block page then be cached and if a teacher makes a request it will send the cached block page rather than the real myspace page? How will caching on the ISA box effect filtering also? Will Untangle still be able to block/filter every request even if ISA is caching some of the requests?

    Thanks for any info, and sorry for the long post.
    Last edited by appleoddity; 04-17-2009 at 10:36 PM.

  2. #2
    Master Untangler
    Join Date
    Dec 2008
    Location
    Dallas, TX
    Posts
    337

    Default

    I have not tried the configuration that you described. However, I don't think you would achieve the desired results with your configuration.

    Configured with ISA BEHIND Untangle as you described. Teacher requests myspace, Untangle allows the request, ISA caches it and page is displayed. Now student requests myspace, ISA is the first to see the request and provides the cached page to the student. Untangle has nothing to block as the request was served from the ISA cache and did not have to pass through Untangle. Untangle can not control traffic that does not pass through it.

    I think you will have to put Untangle BEHIND ISA to satisfy your criteria. Untangle would see the request BEFORE it got to ISA. If Untangle blocking criteria allows the page to be displayed it would then be served by ISA or retrieved from the Internet if it was not in the cached content.

    If somebody knows differently please feel free to offer a correction or even a confirmation.

  3. #3
    Untangler
    Join Date
    Apr 2009
    Posts
    60

    Default

    This leads to a second question.

    Lets say I put Untangle behind ISA. Can I setup four NICs, so that I can bridge two subnets?

    Discussing the other way, it seems that ISA would always make a request to the internet to see if the page is stale? Or to some how compare if it has changed? Which would allow Untangle to filter it.
    Last edited by appleoddity; 04-17-2009 at 11:04 PM.

  4. #4
    Master Untangler
    Join Date
    Dec 2008
    Location
    Dallas, TX
    Posts
    337

    Default

    Quote Originally Posted by appleoddity View Post
    This leads to a second question.

    Lets say I put Untangle behind ISA. Can I setup four NICs, so that I can bridge two subnets?

    Discussing the other way, it seems that ISA would always make a request to the internet to see if the page is stale? Or to some how compare if it has changed? Which would allow Untangle to filter it.
    In answer to the first question - yes, Untangle will support four NICs though I am not sure that is necessary. You could accomplish the same thing with a switch between Untangle and the router of each subnet or maybe even with three NICs in the Untangle box (one each for incoming traffic from each subnet and the other for the outgoing WAN traffic). I guess it depends on what kind of hardware you have available and whether or not you have to purchase hardware for the installation.

    You raise an interesting point about ISA checking for stale pages. What happens when a student requests myspace, ISA requests an Internet check for stale page and Untangle blocks the request? Does ISA return the stale page or the Untangle block page? I am not sure how it would work. However, I am about 99% sure it would work fine the other way.

  5. #5
    Master Untangler
    Join Date
    Dec 2008
    Location
    Dallas, TX
    Posts
    337

    Default

    Quote Originally Posted by itcinc View Post
    You raise an interesting point about ISA checking for stale pages. What happens when a student requests myspace, ISA requests an Internet check for stale page and Untangle blocks the request? Does ISA return the stale page or the Untangle block page? I am not sure how it would work. However, I am about 99% sure it would work fine the other way.
    I was thinking more about how this might act and here is my best guess....

    student requests myspace, ISA receives request, ISA requests an Internet check for stale page and Untangle lets the request complete successfully because the filter sees the request coming from ISA and not from the student and the requested page would be delivered to the student.

    This would negate all Untangle filtering and would not achieve the desired results.

    Disclaimer: This my worth and it comes with no warranty and no refund

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

SEO by vBSEO 3.6.0 PL2