In the past, defending servers from password attacks originating through or from proxy servers has been problematic.
For proxy servers using single addresses the problem is incorrect identification of that address as uniquely connected with an attack. Such an interpretation leads to incorrectly locking out legitimate users who happen to be attempting to connect through the same proxy server.
The opposite side of this problem are proxy servers that use blocks of addresses. The best known example of this type is AOL. All subscribers to AOL services automatically use these proxy servers as their gateway to the internet. A concerted attack from such a server appears to be many unique connections from individual machines but are actually connection attempts from a single source. Another major block of users arriving through proxy servers are subscribers to broadband dsl and cable internet services.
As a response to this problem, the isapi authentication filter reverses previous practice and treats all class c subnets as potential proxy servers. By responding this way all of the internal mechanisms have been unified into a single direction. It is no longer necessary to treat proxy servers as a special case calling for unique handling. The result of this integration is efficient and accurate handling of all requests by the isapi authentication filter without regard to the request source.
Cross Site Partitioned Access Option
table of contents
full printable document
all rights reserved
design - eggworx.com