Welcome to ISAserver.org
ISA 2004 + firefox
ISA 2004 + firefox - 24.Jan.2006 6:57:32 PM
GM1980 | Posts: 10 | Joined: 24.Jan.2006 | Status: offline
As far as I can tell my ISA server is configured correctly. My web filters and access policies work correctly in IE. The issue arises when an alternate browser is used. I have set up my automatic configuration script in Firefox. When I launch the browser, I am prompted to authenticate. If I press cancel 3 times, it bypasses authentication and allows full web access without obeying any of the access policies. I do not want people to be able to bypass the proxy. Does anyone know how this can be fixed?
< Message edited by GM1980 -- 24.Jan.2006 6:58:32 PM >

RE: ISA 2004 + firefox - 25.Jan.2006 2:38:07 PM
ClintD | Posts: 1833 | Joined: 26.Jan.2001 | From: Keller, TX | Status: offline
Tom - yes, Firefox supports Integrated authentication. If you can bypass authentication and access the web, then it means that you have configured another rule to allow 'All Users', or Anonymous, access to the web. On the Internal Network Web Proxy properties, do you have the option enabled for "Require all users to authenticate"? You don't need it - I'm just curious if this is what is causing the authentication prompt when you try to retrieve WPAD.

RE: ISA 2004 + firefox - 25.Jan.2006 3:22:22 PM
GM1980 | Posts: 10 | Joined: 24.Jan.2006 | Status: offline
I only have 4 rules configured, 2 of which deny access to certain protocols and websites, 1 rule that allows an Active Directory group access to the internet, and the default deny everyone rule. I will take a look at the Internal Network Web Proxy properties. My ISA server is not my default gateway to the internet; it is set up with a single network adapter. Can this be the cause?
< Message edited by GM1980 -- 25.Jan.2006 3:24:03 PM >

RE: ISA 2004 + firefox - 25.Jan.2006 3:30:28 PM
LLigetfa | Posts: 2184 | Joined: 10.Aug.2004 | From: fort frances.on.ca | Status: offline
Since the ISA is not used as a firewall (single NIC), users have the potential of bypassing it and getting out directly. You need to make sure that *only* ISA has a rule through the upstream firewall to prevent users circumnavigating the ISA.
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

RE: ISA 2004 + firefox - 25.Jan.2006 9:07:37 PM
GM1980 | Posts: 10 | Joined: 24.Jan.2006 | Status: offline
Ok, it seems that if someone presses the cancel button on the authentication window, they are allowed access to the internet. The request, I believe, is logged under the user "anonymous". Unfortunately changing network configuration (default gateway, etc.) is not an option. Is there a way to deny "anonymous" access? I thought the default rule was supposed to take care of this. I only have 1 rule allowing access and it requires the user to be part of an AD group to get authenticated.

RE: ISA 2004 + firefox - 25.Jan.2006 9:32:33 PM
tshinder | Posts: 47490 | Joined: 10.Jan.2001 | From: Texas | Status: offline
quote:
ORIGINAL: ClintD
Tom - yes, Firefox supports Integrated authentication. If you can bypass authentication and access the web, then it means that you have configured another rule to allow 'All Users', or Anonymous, access to the web. On the Internal Network Web Proxy properties, do you have the option enabled for "Require all users to authenticate"? You don't need it - I'm just curious if this is what is causing the authentication prompt when you try to retrieve WPAD.
Hi Clint,
Great! I didn't know about that. I'm still a hard core IE fan :)
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

RE: ISA 2004 + firefox - 25.Jan.2006 9:34:21 PM
tshinder | Posts: 47490 | Joined: 10.Jan.2001 | From: Texas | Status: offline
quote:
ORIGINAL: LLigetfa
Since the ISA is not used as a firewall (single NIC), users have the potential of bypassing it and getting out directly. You need to make sure that *only* ISA has a rule through the upstream firewall to prevent users circumnavigating the ISA.
Hi Les,
Indeed! That's what I keep trying to tell folks -- the unihomed ISA firewall can do a lot of things, but don't bring it, or any other unihomed Web proxy only device, into the network thinking it's a security device.
Thanks!
Tom

RE: ISA 2004 + firefox - 25.Jan.2006 9:35:47 PM
tshinder | Posts: 47490 | Joined: 10.Jan.2001 | From: Texas | Status: offline
quote:
ORIGINAL: GM1980
Ok, it seems that if someone presses the cancel button on the authentication window, they are allowed access to the internet. The request, I believe, is logged under the user "anonymous". Unfortunately changing network configuration (default gateway, etc.) is not an option. Is there a way to deny "anonymous" access? I thought the default rule was supposed to take care of this. I only have 1 rule allowing access and it requires the user to be part of an AD group to get authenticated.
Hi GM,
Are the users a member of that group? Post some lines from the ISA firewall's log file regarding those connections.
Thanks!
Tom

RE: ISA 2004 + firefox - 25.Jan.2006 10:31:45 PM
GM1980 | Posts: 10 | Joined: 24.Jan.2006 | Status: offline
Here is what I managed to find. I have the ISA server in a test environment with 3 PCs so there is not much in there. To add a twist to the issue, I only have this issue with Firefox on Windows PCs and not G5 Macs. If I press cancel when prompted for authentication on the Mac running Firefox, I get the expected 407 error page. In the log 172.23.220.204 is a Windows PC and 172.23.220.200 is the Mac. As far as I can see all the requests are denied, but the Windows PC is still allowed on the internet. I have set up my ISA server to use integrated authentication and set "Require all users to authenticate".
172.23.220.204 anonymous Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 N 2006-01-25 21:16:37 MONGAZSRVISA - mongazsrvisa 172.23.240.120 8080 1 472 4482 http GET hxxp://mongazsrvisa/array.dll?Get.Routing.Script - 12229 - - - - 0x0 Denied
172.23.220.200 anonymous Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 N 2006-01-25 21:17:49 MONGAZSRVISA - www.canada.com 172.23.240.120 80 1 553 4529 http GET hxxp://www.canada.com/montreal/montrealgazette/index.html - 12209 - - - - 0x0 Denied
172.23.220.200 anonymous Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 N 2006-01-25 21:17:51 MONGAZSRVISA - www.canada.com 172.23.240.120 80 1766 368 4529 http GET hxxp://www.canada.com/favicon.ico - 12209 - - - - 0x80 Denied
< Message edited by Barbara Matysik Magro -- 13.May2008 11:12:51 AM >

RE: ISA 2004 + firefox - 25.Jan.2006 10:53:31 PM
GM1980 | Posts: 10 | Joined: 24.Jan.2006 | Status: offline
Another discovery. On my Windows PC, I have set up Firefox with my Automatic proxy configuration URL http://mongazsrvisa:8080/array.dll?Get.Routing.Script and it allows me to bypass the authentication window if I press cancel. If I set the proxy manually in Firefox by using the ISA server IP and port 8080, it uses integrated Windows authentication and displays my logged on user name in the proxy log. I wonder if this is a Firefox related issue?

RE: ISA 2004 + firefox - 26.Jan.2006 12:32:56 AM
LLigetfa | Posts: 2184 | Joined: 10.Aug.2004 | From: fort frances.on.ca | Status: offline
I'm not seeing any anonymous browsing in the logs you posted. All I see is a get routing script request that is failing because you are forcing authentication on the network rule. You need to apply the reg entry in http://support.microsoft.com/default.aspx?scid=kb;en-us;885683

RE: ISA 2004 + firefox - 26.Jan.2006 5:59:25 PM
GM1980 | Posts: 10 | Joined: 24.Jan.2006 | Status: offline
Well, I am not using auto discovery, nor do I have the firewall client installed on my PCs. I think the issue is with the routing script. If I use it in Firefox, I can bypass authentication by pressing cancel. But if I configure Firefox with the server IP + port under manual configuration, everything seems to work fine. Am I missing something here?

RE: ISA 2004 + firefox - 26.Jan.2006 10:04:44 PM
LLigetfa | Posts: 2184 | Joined: 10.Aug.2004 | From: fort frances.on.ca | Status: offline
Did you apply the reg entry?

RE: ISA 2004 + firefox - 27.Jan.2006 5:00:48 PM
LLigetfa | Posts: 2184 | Joined: 10.Aug.2004 | From: fort frances.on.ca | Status: offline
Ja, but everyone reads too much into the MS words (or not enough) and wrongly assumes it does not apply to their situation. I don't get it... I mean, it is a simple little reg entry... fully reversible... why the trepidation? Must be the usual disclaimer...
quote:
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

RE: ISA 2004 + firefox - 27.Jan.2006 5:19:33 PM
GM1980 | Posts: 10 | Joined: 24.Jan.2006 | Status: offline
Well, I applied it and it did not resolve the issue with Firefox. I can still press cancel and bypass authentication. The website also states:
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in ISA Server 2004 Service Pack 1.
I have ISA SP1 installed on the server.

RE: ISA 2004 + firefox - 27.Jan.2006 5:30:43 PM
LLigetfa | Posts: 2184 | Joined: 10.Aug.2004 | From: fort frances.on.ca | Status: offline
quote:
This problem was first corrected in ISA Server 2004 Service Pack 1
Not really! SP1 simply enables the reg entry to work. The reg entry is still needed. You need to read the Additional installation instructions:
quote:
After you install the latest ISA Server 2004 service pack, set the value of the SkipAuthenticationForRoutingInformation registry entry to a value of 1 or to a higher value to skip authentication for routing information.
I jumped to the same wrong conclusion and ClintD set me straight.

RE: ISA 2004 + firefox - 27.Jan.2006 5:35:14 PM
LLigetfa | Posts: 2184 | Joined: 10.Aug.2004 | From: fort frances.on.ca | Status: offline
quote:
Well I applied it and it did not resolve the issue with firefox. I can still press cancel and bypass authentication
I never said that was what the fix was for. The fix is to do away with the log entry "GET http://mongazsrvisa/array.dll?Get.Routing.Script" that you posted. You have yet to prove that FF is getting out without authentication. Show me the log entry that proves it.

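The log excerpt GM1980 posted earlier in this thread, and LLigetfa's request above for the log entry that would actually prove unauthenticated browsing, are both served by the following added example. It is my code, not code from the thread, from ISA Server or from Microsoft, and it assumes nothing about ISA's exact log schema beyond what the excerpt shows: the field order is inferred from that excerpt, the sample lines are constructed (the two Denied entries mirror the posted ones, the Allowed anonymous entry and the CORP\jdoe user are invented to show what a real bypass and a normal authenticated request would look like), and the `array.dll?Get.Routing.Script` URL pattern is the one quoted in the thread. The parser separates the expected anonymous routing-script fetch from an anonymous request that ISA let through, which is the distinction LLigetfa is drawing.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log text. The first two entries mirror the layout of the
# ISA 2004 Web proxy log excerpt quoted in this thread (client IP, username,
# user agent, Y/N flag, date, time, server, ..., destination host, IP, port,
# ..., protocol, method, URL, ..., result, action). The third and fourth are
# constructed to show what an unauthenticated request that actually got through
# and a normal authenticated request would look like; the thread's own excerpt
# contains no Allowed line at all.
SAMPLE_LOG = """\
172.23.220.204 anonymous Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 N 2006-01-25 21:16:37 MONGAZSRVISA - mongazsrvisa 172.23.240.120 8080 1 472 4482 http GET hxxp://mongazsrvisa/array.dll?Get.Routing.Script - 12229 - - - - 0x0 Denied
172.23.220.200 anonymous Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 N 2006-01-25 21:17:49 MONGAZSRVISA - www.canada.com 172.23.240.120 80 1 553 4529 http GET hxxp://www.canada.com/montreal/montrealgazette/index.html - 12209 - - - - 0x0 Denied
172.23.220.204 anonymous Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 N 2006-01-25 21:18:03 MONGAZSRVISA - www.example.com 172.23.240.120 80 1 610 9811 http GET hxxp://www.example.com/ - 200 - - - - 0x0 Allowed
172.23.220.204 CORP\\jdoe Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 Y 2006-01-25 21:19:40 MONGAZSRVISA - www.example.com 172.23.240.120 80 1 600 9811 http GET hxxp://www.example.com/ - 200 - - - - 0x0 Allowed
"""

_URL_RE = re.compile(r"^(?:https?|hxxps?)://", re.IGNORECASE)
_DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


@dataclass
class Entry:
    client_ip: str
    user: str
    timestamp: str
    method: str
    url: str
    action: str

    @property
    def is_anonymous(self) -> bool:
        return self.user.lower() == "anonymous"


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line. The user-agent field contains spaces, so instead of
    counting fields we anchor on fixed shapes: the first token with a URL
    scheme is the URL, the token before it is the method, the last token is
    the ISA action, and the date/time pair is located by pattern."""
    tokens = line.split()
    if len(tokens) < 10:
        return None
    url_idx = next((i for i, t in enumerate(tokens) if _URL_RE.match(t)), None)
    date_idx = next((i for i, t in enumerate(tokens) if _DATE_RE.fullmatch(t)), None)
    if url_idx is None or url_idx == 0 or date_idx is None or date_idx + 1 >= len(tokens):
        return None
    return Entry(
        client_ip=tokens[0],
        user=tokens[1],
        timestamp=f"{tokens[date_idx]} {tokens[date_idx + 1]}",
        method=tokens[url_idx - 1],
        url=tokens[url_idx],
        action=tokens[-1],
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e is not None]


def is_routing_script_request(url: str) -> bool:
    """The PAC/routing-script fetch ISA serves from array.dll (URL pattern as
    quoted in this thread). A browser fetches it before it has any credentials,
    so an anonymous entry for it is expected, not evidence of a bypass."""
    return "array.dll?get.routing.script" in url.lower()


def anonymous_web_access(text: str) -> List[Entry]:
    """Entries that would prove unauthenticated browsing through the proxy:
    user 'anonymous', action Allowed, and a real web request rather than the
    routing-script fetch."""
    return [
        e for e in parse_log(text)
        if e.is_anonymous and e.action == "Allowed" and not is_routing_script_request(e.url)
    ]


def summarize(text: str) -> Dict[Tuple[str, str, str], int]:
    """Count entries per (client IP, user, action) so that a Denied
    routing-script fetch is not mistaken for a browsing session."""
    return Counter((e.client_ip, e.user, e.action) for e in parse_log(text))


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{key[0]:<16} {key[1]:<12} {key[2]:<8} {n}")
    for e in anonymous_web_access(SAMPLE_LOG):
        print("unauthenticated access:", e.timestamp, e.client_ip, e.method, e.url)
```

Run against the three lines GM1980 actually posted, `anonymous_web_access` returns nothing, which is LLigetfa's point: every anonymous entry there is Denied, and the Windows PC's only entry is the routing-script fetch. The constructed third line is the shape of entry that would settle the question.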
RE: ISA 2004 + firefox - 27.Jan.2006 5:44:06 PM
tshinder | Posts: 47490 | Joined: 10.Jan.2001 | From: Texas | Status: offline
quote:
ORIGINAL: LLigetfa
Ja, but everyone reads too much into the MS words (or not enough) and wrongly assumes it does not apply to their situation. I don't get it... I mean, it is a simple little reg entry... fully reversible... why the trepidation? Must be the usual disclaimer...
quote:
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
Hi Les,
I agree with you there. I think a lot of the problems are related to the fact that the KB article doesn't describe the problem in a way that the admins are interpreting them. Actually, I'd like to know why this isn't enabled by default.
Thanks!
Tom
