The best place to start is that I'm trying to troubleshoot an ISA Server 2004 issue for some of our customers.
We provide a service via the web and part of the content we deliver uses a Java Applet. For the most part it works fine through an ISA 2004 Proxy, apart from one single, but crucial function. Said function fails to work if their access rule for HTTPS has a condition that defines a group of users other than All Users.
The way around it is to create a specific access rule, with a specific URL as the destination over port 443 for all users. Understandably some of our customers are unhappy about having to put an anonymous access rule into their policy.
Now I've got chapter and verse from our developers as to how the Java Applet works, but I cannot believe that our issue is isolated.
Has anyone else found a way around similar issues?
I have had the same problem. It is my understanding that this is a common issue with running Java over port 443. The workaround that you are using is the solution that we have been using. Our consultant indicated that this "feature/flaw" of Java was a known issue. Hope this is of some use.
Java runs as an anonymous user. If you log your session, when you attempt to access the SSL site, you will see that the username is anonymous. Since your access rules are based on users/groups being allowed access, Java is blocked since it is using the anonymous user. That would explain why it works when the rule is set to allow all users. Hope this helps.
Sun JVM does NOT support integrated (NTLM) authentication. If you set your listener to Basic authentication only (is safe because you state you're using SSL) then you can apply the rule to something other than "all users". Yes, JVM will first try as anonymous, but will correctly respond to reply from ISA to authenticate. I'm on ISA 2006 and have it working. Would imagine it will work on 2004 as well but have no means to verify that right now.
Only downside is that users get prompted for Userid/PW twice (once by browser, once by JVM). Have not found a way around that yet.
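Added example, not part of the thread and not code from any poster or from ISA Server: a Python sketch of the proxy exchange the replies describe, where a client that only supports Basic sends an anonymous CONNECT and then has to answer the proxy's 407 challenge. The host name, credentials, realm and sample proxy replies are constructed for illustration.

```python
import base64

# Schemes this hypothetical client can answer. Per the thread, the Sun JVM
# handles Basic but not integrated (NTLM) authentication.
CLIENT_SCHEMES = {"basic"}

def offered_schemes(response):
    """Return the schemes named in the Proxy-Authenticate headers of a reply."""
    schemes = []
    for line in response.split("\r\n")[1:]:
        if not line:
            break  # blank line marks the end of the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes

def next_request(target, response, user, password):
    """Decide how the client reacts to the reply to its anonymous CONNECT.

    Returns the retry request carrying credentials, or None when no retry
    is sent (tunnel already open, or no offered scheme is supported).
    """
    status = response.split(" ", 2)[1]
    if status != "407":
        return None
    if not CLIENT_SCHEMES & set(offered_schemes(response)):
        return None  # only integrated schemes offered: the session stays anonymous
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    # Basic is base64 encoding, not encryption, and this header is sent to
    # the proxy before the SSL tunnel to the target exists.
    return (f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n"
            f"Proxy-Authorization: Basic {token}\r\n\r\n")

# Constructed sample replies (not captured from a real ISA Server).
REPLY_INTEGRATED = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
                    "Proxy-Authenticate: Negotiate\r\n"
                    "Proxy-Authenticate: NTLM\r\n\r\n")
REPLY_BASIC = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
               'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')

if __name__ == "__main__":
    for label, reply in (("integrated only", REPLY_INTEGRATED),
                         ("basic listener", REPLY_BASIC)):
        retry = next_request("app.example.com:443", reply, "alice", "s3cret")
        print(label, "->", "retries with credentials" if retry else "stays anonymous")
```

With the integrated-only reply the client never presents a username, which matches the "anonymous" entries described in the session log; with the Basic reply it retries and can match a rule scoped to a user group.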