Welcome to ISAserver.org

Direct Access List Ignored

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> Firewall Client >> Direct Access List Ignored

Page: [1]

Message

<< Older Topic Newer Topic >>

Direct Access List Ignored - 12.Dec.2007 2:37:40 PM

apolloth

Posts: 14
Joined: 31.Aug.2004
Status: offline

We were recently required to use an application that, for whatever reason, doesn't get along with our ISA 2004 authentication. A logical step is to add the destination to the direct access list, which I've done. It doesn't seem to make any difference. I have confirmed that a PC loaded with the FWC and browser settings cannot connect with a "Proxy authentication required" error. If I disable proxy settings in IE it can connect, but our environment needs both.

I've aded the site to the domains list (using several different formats including *.domain.com/*), updated the firewall client, rebooted, deleted wpad locally, setup autoconfig via GPO, disabled FWC and or browser settings etc. I can't seem to bypass the proxy config using direct access no matter what configuration I try.

Any ideas? It all makes perfect sense. It just doesn't work. It appears to be ignoring the direct access list. Do I need a coresponding rule? I've got 'em, cause it works withotu browser settings.

Any info is appreciated.

Apolloth

Post #: 1

Featured Links*

RE: Direct Access List Ignored - 14.Dec.2007 4:00:32 AM

ianfermo

Posts: 234
Joined: 7.Nov.2004
From: Zamboanga, Philippines
Status: offline

Hi,

Can you just create a rule allowing all to that destination/site. Usually JAVA applications does not like authenticated rule for some reason. Just make it anonymous. Hope it helps

Cheers...

(in reply to apolloth)

Post #: 2

RE: Direct Access List Ignored - 14.Dec.2007 2:14:21 PM

apolloth

Posts: 14
Joined: 31.Aug.2004
Status: offline

I did create a rule allowing all traffic to that particular URL. I gave all users permissions, however that doesn't fix my issue with the direct access list. I would rather get this working instead of creating rules for every app/connection.

In the end the rule worked. I first re-wrote the web app as a desktop app to use the current user permissions, but this wasn't a long term solution. I ended up using the rule instead and locking it down as much as possible.

If anybody has any ideas about why the direct access list approach isn't working I'd appreciate any info.

Apolloth

(in reply to ianfermo)

Post #: 3

RE: Direct Access List Ignored - 19.Dec.2007 9:10:02 AM

abqtech

Posts: 216
Joined: 9.Mar.2004
Status: offline

do you need the firewall client to direct the requests to the ISA Server (firewall client control channel)? or do you want this particular traffic off of your ISA Server all together?

I can help with either, but need to know which route you need to go.

Please advise.

(in reply to apolloth)

Post #: 4

RE: Direct Access List Ignored - 19.Dec.2007 12:53:33 PM

Jason Jones

Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: offline

Have you got IP addresses in your direct access list?

Also check out you are using the correct format as provided here:

http://blogs.isaserver.org/pouseele/2006/07/21/solving-the-directly-access-these-servers-or-domains-issue-in-isa-server-2004-sp2/

Cheers

JJ

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to abqtech)

Post #: 5