Welcome to ISAserver.org

Firewall Client only works for IE? What about Proxy?

Firewall Client only works for IE? What about Proxy? - 8.Feb.2006 6:33:05 PM   
MarcL

 

Posts: 13
Joined: 8.Feb.2006
Status: offline
Newbie here..  Taking a hands-on crash course in ISA, so if there are links I missed in my searches and this is a stupid question please point me in the right direction.


I have configured my HTTP/HTTPS/FTP rules for only "domain users".  This seems to work fine, users are required to authenticate to the domain before they can get to the internet.  However, I also made the same rule for "ping" but it does not work.  If I change the PING rule to "all users", the PING works.  Put it back to "domain users" and it fails.

It also seems like the authentication is not working to the proxy server.  So, when other applications try to hit the proxy server (Like, the google video player for example) I get a Proxy Authentication error.  If I remove the proxy settings, it works fine...  But then I assume IE does not use the proxy.

Thanks
Post #: 1
RE: Firewall Client only works for IE? What about Proxy? - 8.Feb.2006 7:27:45 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
You need a crash course on the client types.  There are some very good tutorials on this site.

WP has limited support for limited protocols and authentication.  That is where FWC fills in the gap but FWC, being a winsock replacement, does not handle all layers of the OSI model, as you found out with ping.  Also, even though FWC can facilitate authentication, not all protocols support authentication.  FWC cannot enable what the underlying protocol does not.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to MarcL)
Post #: 2
RE: Firewall Client only works for IE? What about Proxy? - 9.Feb.2006 5:57:56 PM   
MarcL

 

Posts: 13
Joined: 8.Feb.2006
Status: offline
Got a link?

I found a few things that started to look good, but they led me down the wrong path.  Maybe because they pre-date ISA 2004?


(in reply to LLigetfa)
Post #: 3
RE: Firewall Client only works for IE? What about Proxy? - 9.Feb.2006 6:27:49 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
There are so many good articles.  Trying to choose one is like asking which of my children I like the best.

I suppose you need to start somewhere, so "Understanding the ISA 2004 Access Rule Processing" would be a good start.
http://www.isaserver.org/articles/ISA2004_AccessRules.html

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to MarcL)
Post #: 4
RE: Firewall Client only works for IE? What about Proxy? - 9.Feb.2006 8:58:57 PM   
MarcL

 

Posts: 13
Joined: 8.Feb.2006
Status: offline
That article was not very useful..  It does go over the basics, but I think I got a decent handle on that.

Re-reading my initial question I see I failed to mention that I am using the Firewall client...  Even with the client, PING will fail if I set it for only "domain users".

Being that things still work if I disable the Proxy on the client side, I am concluding (maybe incorrectly?) that the firewall client IS working because I only allow HTTP for "domain users", and it continues to work even with the proxy setting blank.

(in reply to LLigetfa)
Post #: 5
RE: Firewall Client only works for IE? What about Proxy? - 9.Feb.2006 9:35:57 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
I already answered that for you.
quote:

FWC, being a winsock replacement, does not handle all layers of the OSI model, as you found out with ping. Also, even though FWC can facilitate authentication, not all protocols support authentication. FWC cannot enable what the underlying protocol does not.

What part of that should I elaborate on?

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to MarcL)
Post #: 6
RE: Firewall Client only works for IE? What about Proxy? - 9.Feb.2006 9:52:33 PM   
MarcL

 

Posts: 13
Joined: 8.Feb.2006
Status: offline
The link you sent me says that the FW will do "all TCP/UDP based protocols".

But, based on your previous quoted statement, I guess it is not possible to do authentication for all protocols?


(in reply to LLigetfa)
Post #: 7
RE: Firewall Client only works for IE? What about Proxy? - 9.Feb.2006 10:30:50 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Feel free to get a second opinion.
Stefaan, Clint?

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to MarcL)
Post #: 8
RE: Firewall Client only works for IE? What about Proxy? - 9.Feb.2006 10:41:57 PM   
MarcL

 

Posts: 13
Joined: 8.Feb.2006
Status: offline
Maybe it would be easier to find out what protocols the FWC *DOES* work with...  Because I find now it does not work for IMAPS either.

Seems to me that it only works for HTTP/HTTPS/FTP.... Or, more likely I have something set up wrong!

(in reply to MarcL)
Post #: 9
RE: Firewall Client only works for IE? What about Proxy? - 10.Feb.2006 2:03:53 AM   
Jason Jones

 

Posts: 2154
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Tom's book covers the ISA client types very well...time to buy a copy

http://www.amazon.com/exec/obidos/ASIN/1931836191/isaserver/102-8067948-0138549

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to MarcL)
Post #: 10
RE: Firewall Client only works for IE? What about Proxy? - 13.Feb.2006 6:36:04 PM   
patdurling

 

Posts: 6
Joined: 7.Jun.2005
From: California
Status: offline
Uh, all of you need to realize that Ping uses ICMP, not TCP/UDP.

This means the firewall client doesn't come into play in this situation.


_____________________________

Quis custodiet ipsos custodes?

(in reply to Jason Jones)
Post #: 11
RE: Firewall Client only works for IE? What about Proxy? - 13.Feb.2006 7:30:19 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:

Uh, all of you need to realize...

Are you implying that none of us do?

I thought I made that clear when I said that:
quote:

but FWC, being a winsock replacement, does not handle all layers of the OSI model, as you found out with ping


I assumed the OSI model was understood since the topic changed from "Ping" to "all TCP/UDP based protocols" and "authentication".

From there it moved on to IMAPS, so I see no reason now to go back to Ping.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to patdurling)
Post #: 12
RE: Firewall Client only works for IE? What about Proxy? - 21.Feb.2006 9:05:30 PM   
patdurling

 

Posts: 6
Joined: 7.Jun.2005
From: California
Status: offline
Sorry LLigetfa. I read your replies a bit too quickly. I apologize.

MarcL mentioned he is now having problems with IMAPs. Perhaps he believes the firewall client automatically enables these protocols?

MarcL, I am by no means trying to sound condescending. The basics are this: Application level protocols use the firewall client. You then need to create Allow Rules on the ISA server for those protocols.

So, for IMAPs, try enabling port 993 for all users, by making a firewall rule on your ISA server. If that works then limit the rule to whatever group you want to be able to use that protocol.

The Firewall client should work for other things too. Like MSN messenger or remote desktop to your home computer (as an example.) You simply allow the program (usually the port) from the Internal network to the External network for whatever group you want.

Let me know if I'm off base or if this helped at all.

(in reply to LLigetfa)
Post #: 13
RE: Firewall Client only works for IE? What about Proxy? - 22.Feb.2006 3:56:01 PM   
MarcL

 

Posts: 13
Joined: 8.Feb.2006
Status: offline
Thanks..

I created a rule for the IMAP/IMAPS and it works fine if I allow "all users".  However, if I set it for "domain users" it fails even when the user has the FWC (and it is working for HTTP/HTTPS).


(in reply to patdurling)
Post #: 14
RE: Firewall Client only works for IE? What about Proxy? - 22.Feb.2006 5:46:46 PM   
patdurling

 

Posts: 6
Joined: 7.Jun.2005
From: California
Status: offline
OK, so let me ask a few questions.

Is the computer you are on a member of the same domain as the ISA Server? I believe it should be for the firewall client to work with any rules requiring user authentication.

Is the "Domain Users" group you referred to a User you created on the ISA server and pointed to the Domain Users group in Active Directory?  You should be making ISA Users and then associating those users with Active Directory user/group accounts. Then in your rules you allow those "ISA Users" access, not the Active Directory users/groups.

One thought I have is to try allowing "All Authenticated Users" instead of All Users or Domain Users. See if that works. If it does then we know authentication is working on your server. If it doesn't... dang, I'll have to think about it some more...  

HTH






< Message edited by patdurling -- 23.Feb.2006 7:53:39 AM >

(in reply to MarcL)
Post #: 15
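
The behaviour discussed in this thread, as a simplified model added here (not ISA Server's own rule engine and not code from any poster): the Firewall Client only carries credentials for Winsock TCP/UDP traffic, so ICMP reaches a user-restricted rule with no identity. The `Request` type, the sample account and the `diagnose` wording are assumptions made for illustration; `diagnose` follows the "All Users / All Authenticated Users / Domain Users" test order suggested in posts 13 and 15.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample membership for an ISA user set mapped to the AD group.
DOMAIN_USERS = {"CORP\\marcl"}

@dataclass
class Request:
    protocol: str            # "TCP", "UDP" or "ICMP"
    port: Optional[int]      # None for ICMP
    via_fwc: bool            # Firewall Client installed and enabled on the host
    user: Optional[str]      # user logged on at the client

def presented_identity(req: Request) -> Optional[str]:
    """Identity the firewall sees for this request.

    The Firewall Client sits at the Winsock layer and handles TCP/UDP only,
    so ICMP (ping) arrives without credentials even on an FWC machine.
    """
    if req.via_fwc and req.protocol in ("TCP", "UDP"):
        return req.user
    return None

def rule_allows(user_set: str, req: Request) -> bool:
    """Evaluate one allow rule's user-set condition (protocol match assumed)."""
    ident = presented_identity(req)
    if user_set == "All Users":
        return True                      # anonymous requests match
    if user_set == "All Authenticated Users":
        return ident is not None
    if user_set == "Domain Users":
        return ident in DOMAIN_USERS
    raise ValueError(f"unknown user set: {user_set}")

def probe(req: Request):
    """Outcome of the same rule under the three user sets, in test order."""
    return tuple(rule_allows(s, req) for s in
                 ("All Users", "All Authenticated Users", "Domain Users"))

def diagnose(all_users: bool, all_auth: bool, domain_users: bool) -> str:
    """Interpret the three observations gathered on the real firewall."""
    if not all_users:
        return "rule or protocol definition problem, not authentication"
    if not all_auth:
        return "no credentials reach the firewall for this traffic"
    if not domain_users:
        return "authentication works; check the user set / group mapping"
    return "working"
```

Feeding `diagnose` the three results observed on the real server separates a credentials problem from a group-mapping problem, which is the distinction post 15 is trying to draw.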
