ISAserver.org Forums >> [ISA Server 2000 Firewall] >> General

Anyone can get to the internet
Anyone can get to the internet - 11.Jan.2004 8:15:00 PM   
ralphyost (Posts: 64, Joined: 3.Dec.2001, From: Linwood, NJ USA)
I am running ISA Server 2000 (came with Small Business Server 2000). I have the option selected to require authentication from unauthenticated users. However, this function is not working.
When I connect a new PC and simply configure IE to use the LAN, I can get right out to the internet. I don't want this. All of my users are logging into my server. However, if anyone brings a laptop in and I don't know about it, this vulnerability gives them the ability to download internet content into our LAN.
Any help would be greatly appreciated.
Thanks.
Ralph Yost
Server and IT Admin,
Atlantic City Rescue Mission
Atlantic City, NJ

Post #: 1
RE: Anyone can get to the internet - 12.Jan.2004 4:29:00 AM   
Guest
>>to require authentication from unauthenticated users
Do you mean, namely, the "[\/] Ask unauthenticated users for identification" option?

"Ask" does not mean "require". Feel the difference.

Mandatory authentication can be turned on ONLY via Protocol and Site and Content rules that are applied to USERs/GROUPs, in the absence of any rules applied to ANONYMOUS/Client sets.

See additionally the article about the mystery of HTTP redirector filter on this site.

(in reply to ralphyost)
  Post #: 2
RE: Anyone can get to the internet - 13.Jan.2004 8:10:00 PM   
lmt737 (Posts: 5, Joined: 9.Jan.2004)
You say your users are logging into your server? Running DHCP, Active Directory? If so, configure Group Policy and set IE to connect through ISA. When users log on to your network they will download the policy and connect through ISA.

(in reply to ralphyost)
Post #: 3
RE: Anyone can get to the internet - 13.Jan.2004 8:19:00 PM   
ralphyost (Posts: 64, Joined: 3.Dec.2001, From: Linwood, NJ USA)
Thanks for the reply. The problem is that if a PC is brought up on the network and is NOT logged in, then they are getting out through the ISA server. If a user logs in, then I have them covered with group policies for the ALLOW INTERNET USERS and DENY INTERNET USERS groups that I created.
The problem is for a PC NOT logged into the server.....

(in reply to ralphyost)
Post #: 4
RE: Anyone can get to the internet - 13.Jan.2004 10:22:00 PM   
lmt737 (Posts: 5, Joined: 9.Jan.2004)
Sorry about that, I misunderstood. So they get an IP from you, log onto the laptops locally, then access the internet? I just tried it on my network; ISA blocked me. So it may be your ISA configuration.
Do you see the laptop IPs in your log files? I've been using ISA for a month and am very curious.

(in reply to ralphyost)
Post #: 5
RE: Anyone can get to the internet - 13.Jan.2004 10:31:00 PM   
ralphyost (Posts: 64, Joined: 3.Dec.2001, From: Linwood, NJ USA)
Yes, that is the situation, as you just attempted to do with your laptop. I am not on site to be able to monitor it and I haven't checked the log file yet. But it is definitely something that is in the configuration of my ISA Server. I have searched and searched and can't find it....hence this post to request help from those more experienced than I!
When people log onto the server, I am able to successfully control their access. I have created two user groups in Group Policy:
1. Deny Internet Access
2. Allow Internet Access
Each employee (server user) is a member of one of those groups. The "deny" group works when you log on. Also, the workstations are all running the Firewall client.
The rogue laptop is given an IP, which is OK, but it should not be allowed through the ISA server.....

(in reply to ralphyost)
Post #: 6
RE: Anyone can get to the internet - 14.Jan.2004 5:04:00 AM   
Guest
>>The problem is for a PC NOT logged into the server.....

1) Are you sure that the "PC NOT logged into the server" can reach the Internet only via ISA?

2) Do you see the successful anonymous connections in the ISA Web Proxy/Firewall logs?

3) What about direct connection availability?

(in reply to ralphyost)
  Post #: 7
RE: Anyone can get to the internet - 14.Jan.2004 1:26:00 PM   
ralphyost (Posts: 64, Joined: 3.Dec.2001, From: Linwood, NJ USA)
>1) Are you sure that the "PC NOT logged into the server" can reach the Internet only via ISA?
Yes, I am sure that the only way out to the Internet is through the ISA server. I have one server with two NICs. The first NIC is for the local subnet while the second NIC is for the broadband connection, which the ISA server is tied to.

>2) Do you see the successful anonymous connections in the ISA Web Proxy/Firewall logs?
I have not yet examined this log. Will do it when I am there on Friday this week.

>3) What about direct connection availability?
??? I don't understand what is more direct than the LAN....
Thanks very much for your help!
R.

(in reply to ralphyost)
Post #: 8
RE: Anyone can get to the internet - 14.Jan.2004 5:15:00 PM   
lmt737 (Posts: 5, Joined: 9.Jan.2004)
Make sure in your Access Policy > IP Packet Filters that DHCP is disabled, if you're using the default config.

(in reply to ralphyost)
Post #: 9
RE: Anyone can get to the internet - 16.Jan.2004 4:05:00 PM   
ralphyost (Posts: 64, Joined: 3.Dec.2001, From: Linwood, NJ USA)
Hi;
I just checked the DHCP client in ACCESS POLICY/IP PACKET RULES. It was enabled. I removed the ENABLE.
However, I can still get out to the internet without logging into the server.....????

(in reply to ralphyost)
Post #: 10
RE: Anyone can get to the internet - 16.Jan.2004 6:49:00 PM   
ralphyost (Posts: 64, Joined: 3.Dec.2001, From: Linwood, NJ USA)
Aleks2:
I just checked the logs...Yes, I do see ANONYMOUS listed under CS-USERNAME with a lot of entries.
What does this mean? I see it for a lot of various IP addresses in my network.
Thanks for your help,
R.

(in reply to ralphyost)
Post #: 11
RE: Anyone can get to the internet - 16.Jan.2004 11:55:00 PM   
spouseele (Posts: 12782, Joined: 1.Jun.2001, From: Belgium)
Hey guys,

You should first know if that PC is configured as a Web Proxy, Firewall or SecureNAT client. If it is NOT a Web Proxy client, determine how the HTTP Redirector is set on the ISA server. For more info, check out my article http://www.isaserver.org/tutorials/The_Mystery_of_the_HTTP_Redirector_and_SiteContent_Rules.html .

HTH,
Stefaan

(in reply to ralphyost)
Post #: 12
RE: Anyone can get to the internet - 17.Jan.2004 8:15:00 AM   
Guest
>>I just checked the logs...Yes, I do see ANONYMOUS listed under CS-USERNAME with a lot of entries.

I have dealt only with the ODBC ISA log format.
But it is mainly the same.

>>What does this mean? I see it for a lot of various IP addresses in my network.

Occurrence of unsuccessful ANONYMOUS is normal for an ISA log.

Abnormal is an ANONYMOUS connection with RESULT CODE=success.

Look at log records with a success result code for ANONYMOUS and check the columns rule#1 and rule#2 to determine which Protocol rule and Site and Content rule are involved.

(in reply to ralphyost)
  Post #: 13
RE: Anyone can get to the internet - 17.Jan.2004 4:21:00 PM   
ralphyost (Posts: 64, Joined: 3.Dec.2001, From: Linwood, NJ USA)
Aleks2:
Let's make sure we are talking about the same logs:
The only logs I can find are located in
C:\Program Files\Microsoft ISA Server\ISALogs
There I see numerous text files with names such as
webextD20040117.log 798Kb
webextD20040116.log 3,064Kb
FWextD20040117.log 67Kb
FWextD20040116.log 136Kb
etc
etc
I don't see the RESULT CODE=success or failure.
R.

(in reply to ralphyost)
Post #: 14
RE: Anyone can get to the internet - 17.Jan.2004 7:40:00 PM   
lmt737 (Posts: 5, Joined: 9.Jan.2004)
In ISA logs, my experience is that anonymous is what it is: pop-ups are anonymous, unidentified users are anonymous, etc. There must be some kind of firewall or web service configuration issue. In ISA, right-click Access Policy, click Help, and in the right window pane click "Controlling outgoing requests". You may have done this already, but I think the problem lies in there. Like I said, I logged off my network, logged in locally and tried to access the internet; the ISA firewall stopped me. I'm just not sure of my config compared to yours. I have had a lot of help with my ISA; it is not easy.

(in reply to ralphyost)
Post #: 15
RE: Anyone can get to the internet - 17.Jan.2004 8:00:00 PM   
ralphyost (Posts: 64, Joined: 3.Dec.2001, From: Linwood, NJ USA)
lmt737:
One thing that you said that CANNOT be overstated:
"I have had a lot of help with my ISA; it is not easy."
Ditto! It took me almost a month just to get it working properly, and only with help from this forum. I bought Tom Shinder's ISA book, but this stuff is still rocket science to me. I'm a slow learner, but I eventually get it. It's just a matter of time...a long time.
I went to the help screen you suggested. I understand the principles therein, but I can't find a problem or hole in my setup.
I am now trying to read and comprehend "The Mystery of the HTTP Redirector and Site&Content Rules" provided to me up above......

There's a pony in there somewhere!
R.

(in reply to ralphyost)
Post #: 16
RE: Anyone can get to the internet - 17.Jan.2004 8:18:00 PM   
spouseele (Posts: 12782, Joined: 1.Jun.2001, From: Belgium)
Hi ralphyost,

The first thing we should know is how the client is configured: as a Web Proxy, Firewall or SecureNAT client? Knowing that answer will very likely narrow the scope of the problem area.

HTH,
Stefaan

(in reply to ralphyost)
Post #: 17
RE: Anyone can get to the internet - 17.Jan.2004 9:13:00 PM   
ralphyost (Posts: 64, Joined: 3.Dec.2001, From: Linwood, NJ USA)
Hi Stefaan;
Thanks for your help. I really appreciate it. This ISA Server can be complicated...or IS complicated.

The web browser of the machines I want to block will be in its normal, out-of-the-box configuration. That is, they will NOT be configured to use the proxy. It's just a plain IE installation. Remember that this is a workstation that does NOT log into the server. If it's Win2k or XP, if they do a local workstation login (not to the domain server) and they open the web browser, they are getting out to the internet.
I have read your article and the three articles you refer to in it about the HTTP redirector. I have tried to set the redirector to "REJECT HTTP from Firewall and SecureNAT clients". But when I test it from an unauthenticated user, he still gets out.
Thanks
R.
PS: My email is ralphyost@acrescuemission.org if you want to use it.

(in reply to ralphyost)
Post #: 18
RE: Anyone can get to the internet - 17.Jan.2004 11:45:00 PM   
spouseele (Posts: 12782, Joined: 1.Jun.2001, From: Belgium)
Hi ralphyost,

If the HTTP Redirector is set to "REJECT HTTP from Firewall and SecureNAT clients" then the client must be acting as a Web Proxy client, unless ISA is not the only gateway to the Internet! So, you should check out the ISA Web Proxy log to find out which rule allowed the request.

To get the most information out of the log files, I strongly recommend enabling the logging of *all* fields. In the MMC, go to the node Monitoring Configuration, then select Logs. In the details pane, right-click the applicable service and then click Properties. On the Fields tab, click Select All. Also, I recommend setting the log format to ISA format.

To understand what is logged, check out the ISA help file. There is a section called "Firewall and Web Proxy log fields", a must read. Additional information can be found in the following articles:
- http://support.microsoft.com/default.aspx?scid=kb;en-us;284818
- http://support.microsoft.com/default.aspx?scid=kb;en-us;193625
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/windows_sockets_error_codes_2.asp

HTH,
Stefaan

(in reply to ralphyost)
Post #: 19
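The log triage that Aleks2 (Post #13) and Stefaan (Post #19) describe, as an added example that is not part of the thread or of ISA Server itself: read a Web Proxy log with its "#Fields:" header, keep only ANONYMOUS rows whose result code means the request was served, and tally which rule#1/rule#2 pair allowed them. The column names (cs-username, sc-status for the result code, rule#1, rule#2), the rule names and the log lines are all constructed for the example.

```python
# Added example (not code from the thread or from ISA Server): triage an ISA
# Server 2000 Web Proxy log for anonymous requests that were actually served,
# and tally which rule pair (rule#1 / rule#2) let them through.
# Assumptions: a W3C-style file with a "#Fields:" header naming the columns;
# the column names cs-username, sc-status (the result code), rule#1 and
# rule#2 are modelled on the thread, and the log lines below are constructed.
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Fields: c-ip cs-username date time r-host sc-status rule#1 rule#2
192.168.1.20 DOMAIN\\alice 2004-01-17 10:01:02 www.example.com 200 Allow-All Allow-Internet
192.168.1.77 anonymous 2004-01-17 10:01:05 www.example.com 200 Allow-All Allow-Internet
192.168.1.77 anonymous 2004-01-17 10:01:06 www.example.com 407 - -
192.168.1.90 anonymous 2004-01-17 10:02:11 update.example.net 200 Allow-All Allow-Internet
192.168.1.90 anonymous 2004-01-17 10:02:12 www.example.org 403 - -
"""
# Result codes meaning the proxy served the request. Anything else (407 proxy
# authentication required, 403, ISA's own error codes) counts as not served.
SUCCESS_CODES = {200, 206, 302, 304}


def parse_w3c(text):
    """Yield one dict per data row, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            # rows may be tab- or space-separated; handle both
            cols = line.split("\t") if "\t" in line else line.split()
            yield dict(zip(fields, cols))


def anonymous_allowed(text):
    """Return (rows, Counter of (rule#1, rule#2)) for served anonymous hits."""
    hits = []
    for row in parse_w3c(text):
        if row["cs-username"].lower() != "anonymous":
            continue
        if row["sc-status"].isdigit() and int(row["sc-status"]) in SUCCESS_CODES:
            hits.append(row)
    rules = Counter((r["rule#1"], r["rule#2"]) for r in hits)
    return hits, rules


if __name__ == "__main__":
    hits, rules = anonymous_allowed(SAMPLE_LOG)
    for r in hits:
        print(r["c-ip"], r["date"], r["time"], r["r-host"], r["rule#1"], r["rule#2"])
    print("rule pairs that served anonymous traffic:", dict(rules))
```

Point it at the real webextD*.log files once all fields are logged; the rule pair that keeps showing up beside served anonymous rows is the Protocol rule / Site and Content rule to tighten.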
RE: Anyone can get to the internet - 17.Jan.2004 11:59:00 PM   
ralphyost (Posts: 64, Joined: 3.Dec.2001, From: Linwood, NJ USA)
Stefaan:
Thanks for the guidance on setting the log files.
I am now remote from the server but have a remote connection to it. I changed the log files to the ISA Server format and selected all of the parameters.
I'll be back there on Monday to work at it again, but will check on the log files over the weekend (remotely).
I don't believe there is any way out of the network except through the ISA server. I have the standard 2-NIC configuration, one NIC for the local LAN subnet and the other dedicated to the internet side. I think it's pretty standard, and I don't know how any client on the LAN side could possibly connect to the "external side" NIC without going through the ISA server.
Thanks
R.

(in reply to ralphyost)
Post #: 20