Forget IPSec. Just put the upstream proxy in another subnet that is
physically separated by the ISA Server (aka a Back-to-Back DMZ). Users
won't be able to get to the thing without going through the ISA.
[users] --> [ISA] --> [other proxy] --><internet>
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
"Niki Blowfield" <Niki (E-Mail Removed)> wrote in message
news:B6217DFA-CB8B-4662-B9BE-(E-Mail Removed)...
> Hi
>
> We have 2 proxy servers in use on our network, the first is running ISA
> Server 2000 and a URL Filtering plugin. All clients point at this server.
> This server uses NT Authentication to ensure only valid users can access the
> internet
>
> Upstream from this proxy, we have a virus scanning proxy server, which in
> turn forwards requests to the internet
>
> This upstream proxy is the only IP address which is granted HTTP access to
> the internet
>
> We need to ensure this upstream proxy is secured against people entering the
> server name and port number into their IE6 Proxy settings, thus bypassing our
> secure filtering proxy server and its controls/logging
>
> The software that is running on the upstream proxy is a basic virus scanner,
> and cannot control who accesses it. Up until now we have been changing the
> port number periodically so it's tough to guess
>
> We would like to use IPSec to secure comms so that only the downstream proxy
> has permissions to access the upstream proxy
>
> When I configure IPSec to secure comms in this fashion (deny All IP, permit
> IP from downstream proxy), at the Windows level, all looks fine, however,
> internet browsing immediately fails
>
> It appears that the downstream proxy does not strip the IP address of the
> client that was requesting HTTP
>
> The upstream proxy therefore appears to see the HTTP requests coming from
> the original client, rather than the downstream proxy that is actually making
> the requests
>
> Is there a way of IPSec allowing this kind of pass-through HTTP traffic, but
> not accepting direct connections from any IP other than the downstream proxy?
>
> Thanks,
> Mr. Niki Blowfield
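Added example, not code from the original thread, ISA Server, or the virus-scanning proxy: a small Python sketch of the access decision the thread is after, keyed to the TCP peer address alone. In a proxy chain the downstream proxy opens its own TCP connection to the upstream, so the upstream's peer is the downstream proxy; the original client's address, if it shows up at all, only appears in a header such as X-Forwarded-For, which any client can set and which must never drive the decision. The address 192.0.2.10 (the ISA Server's interface on the DMZ subnet) is an assumption, and loopback stands in for the network so it runs offline.

```python
import ipaddress
import socket
import threading

# Assumed for this example, not from the original post: the ISA Server's
# interface on the DMZ subnet, i.e. the only peer the upstream should accept.
DOWNSTREAM_PROXY = ipaddress.ip_network("192.0.2.10/32")

RECV_BYTES = 4096


def peer_allowed(peer_ip, allowed_nets):
    """Access decision keyed to the TCP peer address only. The downstream
    proxy opens its own TCP connection upstream, so the peer the upstream
    sees is the downstream proxy, never the browser behind it."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in allowed_nets)


def forwarded_client(request_text):
    """Return the first X-Forwarded-For hop if the downstream proxy added
    one. Informational only: the header is client-controlled, so it must
    never feed the access decision."""
    for line in request_text.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-for":
            return value.split(",")[0].strip()
    return None


def handle(conn, peer, allowed_nets):
    """Serve one upstream-proxy connection: read the request, then decide on
    the peer address. A real proxy would forward an allowed request to the
    origin; here it answers directly so the example runs offline."""
    try:
        conn.settimeout(5)
        conn.recv(RECV_BYTES)  # drain the request before replying and closing
        if peer_allowed(peer[0], allowed_nets):
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
        else:
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
    finally:
        conn.close()


def start_upstream(allowed_nets):
    """Listen on loopback on an ephemeral port; return the listening socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:  # listener closed
                return
            handle(conn, peer, allowed_nets)

    threading.Thread(target=loop, daemon=True).start()
    return srv


def probe(port):
    """Behave like a browser whose IE proxy settings point straight at the
    upstream proxy; return the status line it gets back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(b"GET http://example.invalid/ HTTP/1.1\r\n"
                  b"Host: example.invalid\r\n\r\n")
        return c.recv(RECV_BYTES).decode("latin-1").split("\r\n")[0]


def demo():
    """Run both scenarios on loopback and return the status line of each."""
    results = {}
    # Loopback stands in for the downstream proxy's DMZ address: allowed.
    srv = start_upstream([ipaddress.ip_network("127.0.0.1/32")])
    results["via_downstream_proxy"] = probe(srv.getsockname()[1])
    srv.close()
    # Same client, but only the real DMZ address is allowed: the peer is
    # not on the list, so the direct connection is refused.
    srv = start_upstream([DOWNSTREAM_PROXY])
    results["direct_from_client"] = probe(srv.getsockname()[1])
    srv.close()
    return results


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario}: {status}")
    print("LAN client 10.1.2.3 allowed?", peer_allowed("10.1.2.3", [DOWNSTREAM_PROXY]))
```

The same peer-address rule is what both approaches in the thread enforce at the network layer: an IPSec filter on the upstream permits only the downstream proxy's address, and the back-to-back DMZ makes the ISA Server the only host that can reach the upstream subnet at all, so no client can reach it by typing the upstream's name and port into its browser.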