The question came up why I disable the ask for authentication options. Good question! The reason why I disable it is that it can, at times, generate a lot of random authentication prompts, even after making the registry changes and hotfixes that are supposed to fix this issue.
Very good article as always, one quick question though...
By disabling the "Ask unauthenticated users for access" option, does this allow any backdoors out of your network? Does it still force ISA to log everything as a user instead of anonymous?
I worked with Microsoft for a while getting my ISA server running and they told me to make sure I had that checked but could not say why.
As long as there are no anonymous access rules, there are NO unauthenticated backdoors out of the network. Outbound connections must be user authenticated, or IP address authenticated.
Hi Tom, it's been a while since I have been on the site. Anyhow, what about protocol rules? If I have a protocol rule for HTTP that allows any request, but I have a site and content rule that only allows domain users, then will this allow a user to browse the web without being authenticated?
The combined effect of the 2 rules will be applied. If the protocol rule is "allow anyone" and the S&C rule is "allow this user/group only", then the restrictive policy will take place. As a further example: you have NO protocol rules but a S&C rule by user/group. You still can't get anywhere, because the destination is allowed but there is no allowed protocol to get there. Hence, the more restrictive policy (or lack thereof with no protocol rule) takes place.
I tried unticking the 'Ask unauthenticated users for identification' and restarted the service, but now it displays 2 connections to the internet! 1 anonymous and 1 with the user credentials next to it, but both with the same client IP address?! Destination sets and protocol rules are configured on NT groups. What's going on?
The Web Proxy client does not automatically send user credentials to the Web Proxy service. The initial connection attempt is anonymous (anonymous meaning that no credentials are sent along with the request). If the ISA Server firewall's Web Proxy service allows outbound HTTP, HTTPS, HTTP-tunneled FTP or Gopher to be sent anonymously, then the connection request is allowed and then forwarded to the Internet server.
If the ISA Server firewall's Web Proxy service is configured to require authentication, then the Web Proxy service denies the anonymous request and requests credentials from the Web Proxy client. The Web Proxy client sends credentials only after the Web Proxy service asks for them.
The Web Proxy client sends credentials to the Web Proxy service. The Web Proxy service authenticates the user and then determines if the user has permission to access the protocol or site. No permission, no access. If permission is granted the request is forwarded to the Internet server.
Note: This is why you see anonymous requests in your Web Proxy log even when you have removed all anonymous access rules. The initial anonymous request is always recorded in the Web Proxy log.
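The two explanations above (the "most restrictive rule wins" combination of protocol and Site and Content rules, and the anonymous-first credential exchange that leaves an anonymous entry in the Web Proxy log) can be modelled in a few lines. The following is an added illustration written for this page, not ISA Server code: the rule classes, the group memberships (`alice`, `svc-web`), the client addresses and the log layout (`client-ip user protocol status rule1 rule2`) are all constructed, and the model assumes the proxy answers an anonymous request with a 407 challenge whenever some group-restricted rule exists, which is a simplification of what ISA actually does. A `-` in a rule column here only means no rule of that kind matched in this toy model.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed user -> group map standing in for the NT/AD groups the thread mentions.
GROUPS = {"alice": {"Domain Users"}, "svc-web": {"Servers"}}


@dataclass
class ProtocolRule:
    name: str
    protocols: Set[str]
    groups: Optional[Set[str]] = None    # None = "any request" (anonymous allowed)


@dataclass
class SiteRule:
    name: str
    destinations: Set[str]               # hostnames, or {"*"} for all destinations
    groups: Optional[Set[str]] = None


@dataclass
class Policy:
    protocol_rules: List[ProtocolRule]
    site_rules: List[SiteRule]

    def has_user_rules(self) -> bool:
        # Assumption of the model: a challenge is only worth issuing if some
        # rule could allow an authenticated user.
        return any(r.groups is not None for r in self.protocol_rules + self.site_rules)


@dataclass
class Request:
    client_ip: str
    protocol: str
    host: str
    user: Optional[str] = None           # None = no credentials on the wire


def _user_allowed(groups: Optional[Set[str]], user: Optional[str]) -> bool:
    if groups is None:
        return True                      # rule applies to anyone, anonymous included
    if user is None:
        return False                     # group-restricted rule, identity unknown
    return bool(GROUPS.get(user, set()) & groups)


def match_protocol(policy: Policy, req: Request) -> Optional[ProtocolRule]:
    for r in policy.protocol_rules:
        if req.protocol in r.protocols and _user_allowed(r.groups, req.user):
            return r
    return None


def match_site(policy: Policy, req: Request) -> Optional[SiteRule]:
    for r in policy.site_rules:
        if ("*" in r.destinations or req.host in r.destinations) and _user_allowed(r.groups, req.user):
            return r
    return None


def proxy_handle(policy: Policy, req: Request, log: List[str]) -> int:
    """One request at the proxy: BOTH rule types must allow it, so the more
    restrictive outcome wins. Appends a log line and returns the HTTP status."""
    proto = match_protocol(policy, req)
    site = match_site(policy, req)
    if proto and site:
        status = 200
    elif req.user is None and policy.has_user_rules():
        status = 407                     # ask the client for credentials
    else:
        status = 403                     # denied even though identity is known
    log.append(f"{req.client_ip} {req.user or 'anonymous'} {req.protocol} {status} "
               f"{proto.name if proto else '-'} {site.name if site else '-'}")
    return status


def client_fetch(policy: Policy, client_ip: str, protocol: str, host: str,
                 user: Optional[str], log: List[str]) -> int:
    """Web Proxy client behaviour described in the thread: the first request is
    always anonymous; credentials are sent only after a 407 challenge."""
    status = proxy_handle(policy, Request(client_ip, protocol, host), log)
    if status == 407 and user is not None:
        status = proxy_handle(policy, Request(client_ip, protocol, host, user), log)
    return status


# The earlier question: an "any request" HTTP protocol rule plus a Domain Users S&C rule.
DOMAIN_ONLY = Policy(
    protocol_rules=[ProtocolRule("HTTP any", {"http"})],
    site_rules=[SiteRule("Domain Users all sites", {"*"}, {"Domain Users"})],
)

# The second case in the reply: no protocol rule at all, only a user-based S&C rule.
NO_PROTOCOL = Policy(
    protocol_rules=[],
    site_rules=[SiteRule("Domain Users all sites", {"*"}, {"Domain Users"})],
)

if __name__ == "__main__":
    log: List[str] = []
    client_fetch(DOMAIN_ONLY, "10.0.0.5", "http", "www.example.com", "alice", log)
    client_fetch(DOMAIN_ONLY, "10.0.0.6", "http", "www.example.com", None, log)
    client_fetch(NO_PROTOCOL, "10.0.0.5", "http", "www.example.com", "alice", log)
    print("\n".join(log))
```

Running it shows the point of the note above: every fetch by `alice` produces an anonymous `407` line before the authenticated one, a client that never sends credentials gets no further than the challenge even though the protocol rule says "any request", and with no protocol rule the authenticated request is still refused with `-` in the protocol-rule column.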
Someone pointed out above that when you disable 'require authentication' you see two connections from each client listed under server/monitoring/sessions. It is odd that the anonymous session remains "open". If "require authentication" is enabled, then you never see the initial anonymous connection listed as an active session.
Also, something else that interests me: in the web logs, the last two fields are the rules. I will see my allow or deny rules, but mostly I see dashes. Do the dashes mean no rule was applied and the request rejected? I see dashes both when data is transmitted and when no data is transmitted.
Disabling Anonymous Access in ISA Server 2000: We followed the procedure and we experienced two problems: 1 - The session kept open. 2 - The internal users could not access the internal web application that resides on the Server. Please, would you explain to me how to avoid these problems? We are working under Small Business Server 2000. Thank you very much for your assistance. My e-mail is Policomp@cantv.net
RE: Discussion of Anonymous Access article - 15.Aug.2003 8:46:00 PM
Guest
(Sorry, I first wrote this up under a new topic)
Here is something interesting I found. But first, I'd like to describe my network and tell y'all the experiences I've had with anonymous access rules.
Network setup: ISA Firewall, inside Win2k Server running AD, web, mail, ftp etc.. and also hosting my Internet registered domain name (in a different zone than my AD zone.)
Ok, I've read articles in the past about anonymous access rules. I've deleted all rules and created a rule that allowed only domain users to access the internet. It never worked for me. I could never access the internet. I just found out that DNS wouldn't resolve the names from my internal DNS server. So, I recreated my anonymous access rule and always wondered why it didn't work right.
So after reading this article, I decided to give it another shot. The article says you may need to create a rule for the servers that need access to the internet. Bingo! That was it.
Now I had two S&C rules. One allowing Domain Users access and one allowing my server access. Now I decided to create S&C rules to wack porn etc...
Now, I kept on getting random requests for authentication! Even on msn.com I would get 2 requests for authentication. I would cancel out of 'em, but they kept on coming back. So, I deleted the S&C wack porn rule, and guess what? No more requests for authentication. Recreated it and now it requests authentication.
Almost ready to recreate my anonymous S&C rule, I stumbled upon this. In the action of the wack porn S&C rule, I checked the redirect the http request option, and entered the home page of the internal web site.
No more requests for authentication. So, my anonymous S&C rule is deleted forever. Thank goodness.
Just wondering if anybody has run across this. I'm not sure if it's a bug or what. But, can anyone confirm this, or is it just something weird I have in my setup that's making it behave this way. And I made sure that the "Ask unauthenticated users for identification" was unchecked. Thank you for the recent article.
RE: Discussion of Anonymous Access article - 17.Aug.2003 3:29:00 AM
Guest
OK. I just posted the above post.
Well, now I have another problem with these crazy non-anonymous s&c rules.
Now every time I click on a *.wmv file on the net, a logon box comes up to try and authenticate me. I click cancel and the clip fails. I enter it and it works. BUT I DON'T WANT to enter credentials every time I want to view an online clip. I've configured Windows Media Player to Auto Detect, to Use settings from browser, and to hand enter the proxy, all with the same results.
If I reinstate my anonymous s&c rule, I'm able to view the clip with entering credentials.
Why does it want to authenticate me? Somebody has got to know something about this.
quote:Originally posted by policomp: Disabling Anonymous Access in ISA Server 2000: We followed the procedure and we experienced two problems: 1 - The session kept open. 2 - The internal users could not access the internal web application that resides on the Server. Please, would you explain to me how to avoid these problems? We are working under Small Business Server 2000. Thank you very much for your assistance. My e-mail is Policomp@cantv.net
Hi Policomp,
Internal users should not be looping back through the firewall to access internal resources. Make sure to configure internal sites for Direct Access.
quote:Originally posted by <macruz>: OK. I just posted the above post.
Well, now I have another problem with these crazy non-anonymous s&c rules.
Now every time I click on a *.wmv file on the net, a logon box comes up to try and authenticate me. I click cancel and the clip fails. I enter it and it works. BUT I DON'T WANT to enter credentials every time I want to view an online clip. I've configured Windows Media Player to Auto Detect, to Use settings from browser, and to hand enter the proxy, all with the same results.
If I reinstate my anonymous s&c rule, I'm able to view the clip with entering credentials.
Why does it want to authenticate me? Somebody has got to know something about this.
Hope to hear from somebody.
Hi M,
What Site and Content Rule is issuing the request for credentials? Make sure to turn on Rule1 and Rule2 in the Web Proxy log.