Discussion of Anonymous Access article

Discussion of Anonymous Access article - 12.Aug.2003 4:59:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for the anonymous access article at http://isaserver.org/tutorials/disableanonoutbound.html.

Thanks!
Tom

[ August 12, 2003, 05:00 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion of Anonymous Access article - 12.Aug.2003 5:03:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The question came up why I disable the ask for authentication options. Good question! The reason why I disable it is that it can, at times, generate a lot of random authentication prompts, even after making the registry changes and hotfixes that are supposed to fix this issue.

HTH,
Tom

(in reply to tshinder)
Post #: 2
RE: Discussion of Anonymous Access article - 12.Aug.2003 8:55:00 PM   
JohnBullinger

 

Posts: 53
Joined: 25.Apr.2003
From: Texas
Status: offline
Very good article as always, one quick question though...

By disabling the Ask unauthenticated users for access does this allow any backdoors out of your network? Does it still force ISA to log everything as a user instead of anonymous??

I worked with Microsoft for a while getting my ISA server running and they told me to make sure I had that checked but could not say why.

Thanks

John

[ August 12, 2003, 08:55 PM: Message edited by: TheBull ]

(in reply to tshinder)
Post #: 3
RE: Discussion of Anonymous Access article - 12.Aug.2003 9:42:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi John,

As long as there are no anonymous access rules, there are NO unauthenticated backdoors out of the network. Outbound connections must be user authenticated, or IP address authenticated.

HTH,
Tom

(in reply to tshinder)
Post #: 4
RE: Discussion of Anonymous Access article - 12.Aug.2003 10:18:00 PM   
skipster

 

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline
Hi Tom, it's been a while since I have been on the site. Anyhow, what about protocol rules? If I have a protocol rule for HTTP that allows any request, but I have a site and content rule that only allows domain users, then will this allow a user to browse the web without being authenticated?

Thanks again

Skip

(in reply to tshinder)
Post #: 5
RE: Discussion of Anonymous Access article - 13.Aug.2003 1:46:00 AM   
AHIT

 

Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
The combined effect of the 2 rules will be applied.
If the protocol is "allow anyone" and the S&C rule is "allow this user/group only" then the restrictive policy will take place.
As a further example:
You have NO protocol rules but a S&C rule by user/group. You still can't get anywhere because the destination is allowed but there is no allowed protocol to get there. Hence, the more restrictive policy (or lack thereof with no protocol rule) takes place.

(in reply to tshinder)
Post #: 6
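
Added example (not part of any post in this thread, and not ISA Server code): a simplified Python model of the combined evaluation described in posts 5 and 6, where a request must be allowed by both a protocol rule and a site and content (S&C) rule. The Rule type, the function names and the verdict strings are hypothetical, and only allow rules are modelled.

```python
from typing import FrozenSet, NamedTuple, Optional

class Rule(NamedTuple):
    name: str
    match: str                        # protocol name or destination; "*" = any
    groups: Optional[FrozenSet[str]]  # None = applies to any request, anonymous included

def rule_verdict(rules, key, user_groups):
    """Verdict of one rule type: 'allow', 'need_auth' or 'deny'."""
    candidates = [r for r in rules if r.match in (key, "*")]
    if any(r.groups is None for r in candidates):
        return "allow"                # an anonymous rule matches
    if user_groups is None:           # request carried no credentials
        # A user/group rule could match, so the proxy must ask who the user is.
        return "need_auth" if candidates else "deny"
    if any(r.groups & user_groups for r in candidates):
        return "allow"
    return "deny"

def evaluate(protocol_rules, sc_rules, protocol, destination, user_groups=None):
    """Both rule types must allow; the more restrictive verdict wins."""
    verdicts = (rule_verdict(protocol_rules, protocol, user_groups),
                rule_verdict(sc_rules, destination, user_groups))
    if "deny" in verdicts:
        return "deny"
    if "need_auth" in verdicts:
        return "need_auth"
    return "allow"

# Constructed rule sets matching the two scenarios in the thread.
PROTO_ANY = [Rule("HTTP for any request", "http", None)]
SC_DOMAIN = [Rule("Domain Users only", "*", frozenset({"Domain Users"}))]

if __name__ == "__main__":
    # Post 5: open protocol rule + group-based S&C rule
    print(evaluate(PROTO_ANY, SC_DOMAIN, "http", "example.com"))
    print(evaluate(PROTO_ANY, SC_DOMAIN, "http", "example.com", {"Domain Users"}))
    # Post 6: no protocol rule at all
    print(evaluate([], SC_DOMAIN, "http", "example.com", {"Domain Users"}))
```
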
RE: Discussion of Anonymous Access article - 13.Aug.2003 5:12:00 PM   
skipster

 

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline
Thanks Tolk for the good explanation. This clears up my confusion on this.

(in reply to tshinder)
Post #: 7
RE: Discussion of Anonymous Access article - 13.Aug.2003 5:47:00 PM   
terryjr

 

Posts: 5
Joined: 12.Aug.2003
From: UK
Status: offline
I tried unticking the 'Ask unauthenticated users for identification' and restarted the service, but now it displays 2 connections to the internet! 1 anonymous and 1 with the user credentials next to it, but both with the same client IP address?! Destination sets and protocol rules are configured on NT groups. What's going on?

(in reply to tshinder)
Post #: 8
RE: Discussion of Anonymous Access article - 13.Aug.2003 6:09:00 PM   
skipster

 

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline
Read this part of Tom's article again.

The Web Proxy client does not automatically send user credentials to the Web Proxy service. The initial connection attempt is anonymous (anonymous meaning that no credentials are sent along with the request). If the ISA Server firewall's Web Proxy service allows outbound HTTP, HTTPS, HTTP-tunneled FTP or Gopher to be sent anonymously, then the connection request is allowed and then forwarded to the Internet server.

If the ISA Server firewall's Web Proxy service is configured to require authentication, then the Web Proxy service denies the anonymous request and requests credentials from the Web Proxy client. The Web Proxy client sends credentials only after the Web Proxy service asks for them.

The Web Proxy client sends credentials to the Web Proxy service. The Web Proxy service authenticates the user and then determines if the user has permission to access the protocol or site. No permission, no access. If permission is granted the request is forwarded to the Internet server.

Note:
This is why you see anonymous requests in your Web Proxy log even when you have removed all anonymous access rules. The initial anonymous request is always recorded in the Web Proxy log.

(in reply to tshinder)
Post #: 9
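
Added example (not part of any post in this thread): a Python sketch that separates the expected anonymous-then-authenticated handshake entries described in the quoted article text from anonymous requests that were actually allowed out. The log layout is a simplified, constructed one (not the real ISA field order), the sample lines are constructed, and it is assumed that the denied initial request is logged with HTTP status 407 and the user name "anonymous".

```python
from collections import defaultdict

# Constructed sample lines in a simplified layout (assumption, not ISA's own):
# time  client-ip  username  status  url  rule1  rule2
SAMPLE_LOG = """\
10:00:01 10.0.0.5 anonymous 407 http://example.com/ - -
10:00:01 10.0.0.5 CORP\\alice 200 http://example.com/ AllowHTTP DomainUsers
10:00:07 10.0.0.9 anonymous 407 http://example.org/clip.wmv - -
10:00:30 10.0.0.7 anonymous 200 http://example.net/ AllowHTTP AnonAll
10:00:41 10.0.0.5 anonymous 407 http://example.com/a.gif - -
10:00:42 10.0.0.5 CORP\\alice 200 http://example.com/a.gif AllowHTTP DomainUsers
"""

WINDOW_SECONDS = 5  # assumption: the authenticated retry follows within seconds

def to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse(text):
    fields = ("time", "ip", "user", "status", "url", "rule1", "rule2")
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(fields):          # skip malformed lines
            rec = dict(zip(fields, parts))
            rec["t"] = to_seconds(rec["time"])
            yield rec

def classify(records):
    """Sort anonymous entries into handshake noise, unanswered challenges
    and anonymous requests that an access rule actually allowed."""
    records = list(records)
    authed = defaultdict(list)                 # (ip, url) -> times of authenticated successes
    for r in records:
        if r["user"].lower() != "anonymous" and r["status"].startswith("2"):
            authed[(r["ip"], r["url"])].append(r["t"])
    out = {"handshake": [], "unanswered_challenge": [], "anonymous_allowed": []}
    for r in records:
        if r["user"].lower() != "anonymous":
            continue
        if r["status"] == "407":               # proxy asked for credentials
            retried = any(0 <= t - r["t"] <= WINDOW_SECONDS
                          for t in authed[(r["ip"], r["url"])])
            out["handshake" if retried else "unanswered_challenge"].append(r)
        elif r["status"].startswith("2"):      # went out with no credentials
            out["anonymous_allowed"].append(r)
    return out
```

Entries under "anonymous_allowed" are the ones that indicate an anonymous access rule is still in place; their rule columns name the rule to review.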
RE: Discussion of Anonymous Access article - 13.Aug.2003 6:37:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Skip,

You get an A+ !

Thanks!
Tom

(in reply to tshinder)
Post #: 10
RE: Discussion of Anonymous Access article - 13.Aug.2003 6:48:00 PM   
SHealey

 

Posts: 60
Joined: 22.Jan.2002
From: denver
Status: offline
Someone pointed out above that when you disable 'require authentication' you see two connections from each client listed under server/monitoring/sessions. It is odd why the anonymous session remains "open". If the "require authentication" is enabled then you never see the initial anonymous connection listed as an active session.

This seems odd to me.

(in reply to tshinder)
Post #: 11
RE: Discussion of Anonymous Access article - 13.Aug.2003 7:14:00 PM   
SHealey

 

Posts: 60
Joined: 22.Jan.2002
From: denver
Status: offline
Also, something else that interests me in the web logs: the last two fields are the rules. I will see my allow or deny rules, but mostly I see dashes. Do the dashes mean no rule was applied and the request rejected? I see dashes when both data and no data is transmitted.

(in reply to tshinder)
Post #: 12
RE: Discussion of Anonymous Access article - 15.Aug.2003 3:18:00 PM   
policomp

 

Posts: 1
Joined: 15.Aug.2003
From: Venezuela
Status: offline
Disabling Anonymous Access in ISA Server 2000
We followed the procedure and experienced two problems:
1 - The session kept open.
2 - The internal users could not access the internal web application that resides on the server.
Please, would you explain to me how to avoid these problems?
We are working under Small Business Server 2000.
Thank you very much for your assistance.
My e-mail is Policomp@cantv.net

(in reply to tshinder)
Post #: 13
RE: Discussion of Anonymous Access article - 15.Aug.2003 8:46:00 PM   
Guest
(Sorry, I first wrote this up under a new topic)

Here is something interesting I found. But first, I'd like to describe my network and tell ya'll the experiences I've had with anonymous access rules.

Network setup: ISA Firewall, inside Win2k Server running AD, web, mail, ftp etc.. and also hosting my Internet registered domain name (in a different zone than my AD zone.)

Ok, I've read articles in the past about anonymous access rules. I've deleted all rules and created a rule that allowed only domain users to access the internet. It never worked for me. I could never access the internet. I just found out that DNS wouldn't resolve the names from my internal DNS server. So, I recreated my anonymous access rule and always wondered why it didn't work right.

So after reading this article, I decided to give it another shot. The article says you may need to create a rule for the servers that need access to the internet. Bingo! That was it.

Now I had two S&C rules. One allowing Domain Users access and one allowing my server access. Now I decided to create S&C rules to wack porn etc...

Now, I kept on getting random requests for authentication! Even on msn.com I would get 2 requests for authentication. I would cancel out of 'em, but they kept on coming back. So, I deleted the S&C wack porn rule, and guess what? No more requests for authentication. Recreated it and now it requests authentication.

Almost ready to recreate my anonymous S&C rule, I stumbled upon this. In the action of the wack porn S&C rule, I checked the redirect the http request option, and entered the home page of the internal web site.

No more requests for authentication.
So, my anonymous S&C rule is deleted forever. Thank goodness.

Just wondering if anybody has run across this. I'm not sure if it's a bug or what. But, can anyone confirm this, or is it just something weird I have in my setup that's making it behave this way. And I made sure that the "Ask unauthenticated users for identification" was unchecked.
Thank you for the recent article.

(in reply to tshinder)
  Post #: 14
RE: Discussion of Anonymous Access article - 17.Aug.2003 3:29:00 AM   
Guest
OK. I just posted the above post.

Well, now I have another problem with these crazy non-anonymous s&c rules.

Now every time I click on a *.wmv file on the net, a logon box comes up to try and authenticate me. I click cancel and the clip fails. I enter it and it works. BUT I DON'T WANT To enter credentials every time I want to view an online clip. I've configured Windows Media Player to both Auto Detect, Use settings from browser, and to hand enter the proxy, all with the same results.

If I reinstate my anonymous s&c rule, I'm able to view the clip with entering credentials.

Why does it want to authenticate me?
Somebody has got to know something about this.

Hope to hear from somebody.

(in reply to tshinder)
  Post #: 15
RE: Discussion of Anonymous Access article - 17.Aug.2003 3:59:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by policomp:
Disabling Anonymous Access in ISA Server 2000
We followed the procedure and experienced two problems:
1 - The session kept open.
2 - The internal users could not access the internal web application that resides on the server.
Please, would you explain to me how to avoid these problems?
We are working under Small Business Server 2000.
Thank you very much for your assistance.
My e-mail is Policomp@cantv.net

Hi Policomp,

Internal users should not be looping back through the firewall to access internal resources. Make sure to configure internal sites for Direct Access.

HTH,
Tom

(in reply to tshinder)
Post #: 16
RE: Discussion of Anonymous Access article - 17.Aug.2003 4:01:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by <macruz>:
OK. I just posted the above post.

Well, now I have another problem with these crazy non-anonymous s&c rules.

Now every time I click on a *.wmv file on the net, a logon box comes up to try and authenticate me. I click cancel and the clip fails. I enter it and it works. BUT I DON'T WANT To enter credentials every time I want to view an online clip. I've configured Windows Media Player to both Auto Detect, Use settings from browser, and to hand enter the proxy, all with the same results.

If I reinstate my anonymous s&c rule, I'm able to view the clip with entering credentials.

Why does it want to authenticate me?
Somebody has got to know something about this.

Hope to hear from somebody.

Hi M,

What Site and Content Rule is issuing the request for credentials? Make sure to turn on Rule1 and Rule2 in the Web Proxy log.

HTH,
Tom

(in reply to tshinder)
Post #: 17
RE: Discussion of Anonymous Access article - 17.Aug.2003 6:27:00 AM   
Guest
If I reinstate my anonymous s&c rule I'm able to view online clips w/o entering credentials.

The s&c rule that's requesting authentication is the one that I created allowing domain users to access all destinations.

The ISA server is a member of the domain. IF that makes a difference.

(in reply to tshinder)
  Post #: 18
RE: Discussion of Anonymous Access article - 19.Aug.2003 12:12:00 AM   
Guest
Also, Real Player breaks with the non-anonymous S&C rule. Anybody else run into this problem?

(in reply to tshinder)
  Post #: 19
RE: Discussion of Anonymous Access article - 19.Aug.2003 1:17:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi M,

Read the article again and pay special attention to the client types.

Also, what is the EXACT configuration of your Site and Content rule. The EXACT config.

Finally, RealPlayer does not work with the Web Proxy service. You'll have to make it a firewall client.

HTH,
Tom

(in reply to tshinder)
Post #: 20
