i'm not particular with ISA but you might want to try installing
the ISA monitoring tools, then capture & inspect the packets
coming from the other proxy (Squid) and then base your
signature on that exercise[1].

but i've realized that the advanced user can simply dodge your
signature matching filter by disabling such headers or by
altering the source code. well, at least you've raised the bar!
hehehe.

with regards to HTTP 1.0 & 1.1, read more about it at [2].


[1] http://www.microsoft.com/technet/isa/2004/plan/httpfiltering.mspx#EXF
[2] http://www.research.att.com/~bala/papers/h0vh1.html





On 3/27/07, Junix Gaspar <[EMAIL PROTECTED]> wrote:
Actually, I am using ISA 2004. In one of the firewall rules of ISA, you
right click on it and there goes configure HTTP, and on the header TAB I just
put block all headers with "X-Forwarded-For", "Via" and http 1.0 (although
I don't get the reason why this last one should be blocked); out of
curiosity, I just blocked it as well.

Hayyy, how annoying.
But I configured a squid proxy server to test a "proxy" connection and even
with that header blocking, it still works. Since I don't know much about using
ethereal and/or other packet sniffers that read and analyze such HEADERs, I'm
kinda stuck and left thinking that maybe squid doesn't put this
X-Forwarded-For for its clients' requests to the parent proxy.

hayyy more googling I guess.

I will try this Header blocking in Squid. Hopefully it will yield a
different result.

ps, I am chaining ISA, dansguardian and squid and it works like a charm
except for that rogue proxy being used against me. hayyy
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph
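
The header check discussed in this thread, as an added example that is not part of either message: Python code that inspects a captured request head for the three indicators the original poster blocked ("Via", "X-Forwarded-For", HTTP/1.0). The function names, host names and sample requests are constructed for illustration; the last sample shows the limit raised in the reply, where a proxy that sends neither header leaves nothing for the filter to match.

```python
# Added example, not from the thread. All requests below are constructed samples.
PROXY_HEADERS = ("via", "x-forwarded-for")  # the two headers named in the thread


def parse_request(raw: bytes):
    """Split a raw HTTP request head into (version, {header-name: [values]})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    # A request line without a version token is treated as HTTP/0.9.
    version = parts[2] if len(parts) == 3 else "HTTP/0.9"
    headers = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):  # obsolete folded continuation line: skip
            continue
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise to lower case
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, headers


def proxy_indicators(raw: bytes):
    """Return the list of proxy indicators found in one request head."""
    version, headers = parse_request(raw)
    hits = [f"{h}: {', '.join(headers[h])}" for h in PROXY_HEADERS if h in headers]
    if version == "HTTP/1.0":
        hits.append("request-line version HTTP/1.0")
    return hits


# Constructed: request relayed by a downstream proxy that adds both headers.
CHAINED = (b"GET http://example.com/ HTTP/1.0\r\nHost: example.com\r\n"
           b"Via: 1.1 proxy.example (squid)\r\n"
           b"X-Forwarded-For: 192.0.2.10\r\n\r\n")
# Constructed: ordinary browser request, no proxy in front of it.
DIRECT = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: test\r\n\r\n"
# Constructed: relayed request where the proxy sends neither header.
STRIPPED = b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("chained", CHAINED), ("direct", DIRECT),
                       ("stripped", STRIPPED)):
        print(label, proxy_indicators(req) or "no indicators")
```

Because the stripped request is indistinguishable from the direct one at the header level, this check works as one signal alongside the packet capture suggested in the reply, not as the only control.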
