Need Usernames in Logs and Anonymous Access..
Need Usernames in Logs and Anonymous Access.. - 21.Jan.2007 10:24:01 AM
stevcoll
Posts: 19
Joined: 21.Jan.2007
Status: offline
I have run into a problem where I need the following two things:
1) Usernames showing up in the logs for computers that are using ISA as a proxy. All these computers are on a domain and use DHCP.
2) Anonymous access using SecureNAT for non-domain computers and PDAs, which also use DHCP.
Of course the problem is I cannot seem to set up the firewall rules to force domain computers to authenticate yet also have anonymous access for non-domain computers. It's either I have all anonymous entries in the logs, or no anonymous access at all.. I would definitely prefer using the proxy settings instead of the Firewall Client if possible.
< Message edited by stevcoll -- 21.Jan.2007 10:32:01 AM >
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 5:33:39 AM
aklimkin
Posts: 182
Joined: 28.Jun.2006
Status: offline
You definitely need to split the two clients (proxy and SNAT) over two distinct DHCP scopes. Then you create an access rule that allows anonymous clients with IP addresses from the limited range only. This is the only way you can allow SNAT clients to access the internet and ensure that proxy clients won't go out via the anonymous access rule without authentication.
_____________________________
Regards, Andrew
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 7:48:08 AM
stevcoll
Posts: 19
Joined: 21.Jan.2007
Status: offline
Thanks, I'll have to look into how to do that. The only way I've figured out how to see users in the logs so far is to make all domain clients use the Firewall Client, which is a disaster because it even lets regular users change the settings and I cannot hide the stupid icon for all users... Can't have students changing the Firewall Client settings so they are anonymous. Although I really like ISA and some of its features, it really is incredibly annoying that I keep running into these situations where I can either have one thing or the other. After finally realizing SecureNAT wouldn't authenticate users at all, I went for the Firewall Client. Then I found out that ISA won't show domain names in the logs unless you're authenticating using the proxy method! Yet using the proxy method, users won't authenticate unless you force them to using a rule... Which kills anonymous access... sigh
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 8:20:33 AM
stevcoll
Posts: 19
Joined: 21.Jan.2007
Status: offline
I'm not exactly sure what you meant by putting the SecureNAT clients on a different DHCP scope than the proxy clients. I don't see how it's possible because all our computers are on one physical network. All I'm really trying to accomplish is being able to have anonymous access for people who aren't part of the domain while at the same time making sure all users on the domain are authenticating (a domain policy forces them to use ISA as a proxy..). I wish there was a way to set up a rule for only SecureNAT clients so I could force authentication for everyone else.
< Message edited by stevcoll -- 22.Jan.2007 8:29:11 AM >
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 8:26:02 AM
stevcoll
Posts: 19
Joined: 21.Jan.2007
Status: offline
quote:
ORIGINAL: adrian_dimcev
Hi Stevcoll, if you want to restrict users' access to FWC settings check this: http://forums.isaserver.org/Restrict_Access_to_FWC/m_2002029448/tm.htm
Regards.

Yeah I saw that and thanks. But I'm running a Windows 2000 domain and I don't see the software restrictions option (apparently it only came out with XP / 2003). In the meantime I'm using the 30-day trial of some ISA plugin that resolves the IP addresses, but it seems awfully silly that ISA only wants to show domain names in the logs for proxy clients (yet proxy clients won't authenticate without a rule lol...)
< Message edited by stevcoll -- 22.Jan.2007 8:29:49 AM >
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 8:49:16 AM
stevcoll
Posts: 19
Joined: 21.Jan.2007
Status: offline
Let me explain the situation from a bigger perspective because I think I got carried away with details... I set up ISA (edge firewall connected to a DSL modem) mainly because the school I work for (around 100 total computers using a DSL connection) was using a crappy internet router and I had no visibility over who was using all the bandwidth, and we also need to track domain user activity. A big point is I don't want to sacrifice anonymous access. We have all sorts of people coming through using wireless access or connected to the network who aren't part of the domain. As for the domain users, well, we need to see their usernames and the domain names of the sites they visit in the logs. Thus the problem of:
1. SecureNAT clients cannot be authenticated. So the domain users have to be authenticated using the Firewall Client or connecting using the proxy. The anonymous users have to connect this way (directly).
2. The Firewall Client is the only way to get usernames in the logs while still having anonymous access. It sucks because the firewall settings can be changed by anyone including regular users. I can't set up a software policy restriction because I'm using a 2000 domain and that doesn't exist yet. Another poor point is ISA will not show website domain names and will instead show only IP addresses in the logs for users authenticating using the Firewall Client and SecureNAT. The only way around this I have found is a $100 plugin I'm trialing.
3. Proxy authentication will not show usernames in the logs because it only authenticates when it hits a firewall rule requiring it (and guess what, that kills anonymous access!!)
So I have a massive catch-22, or something along those lines. Anyway I'm sure one of you brainiacs has a solution for me :)
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 9:55:32 AM
Guest
Yes indeed, to see the website domain names in logs you need a third-party solution. From a security perspective it is very simple to accomplish what you want: you should create separate security zones: one for your domain and one in which you should allow unauthenticated access to the internet: create a perimeter network in which you should put your wireless network (for non-domain members) and all non-domain members who require unauthenticated access to the internet. As expected, your domain should be in the internal network. If you connect a non-domain member computer to your domain and have a rule with authentication in place, a box should appear in the browser which is configured to use ISA as proxy prompting you for credentials, so he should still be able to access the Internet if he has a domain account. If you need the wireless network for domain members also, then you should create two wireless networks: one which is in the DMZ and one on your internal network (this one should have encryption on it). If all of the above are not possible because you cannot afford such a change (money...) then there is a painful and maybe problematic way of doing this: use reservations in DHCP based on MAC addresses for all the computers which require authentication. Then create, as suggested by Andrew, two rules in which the unauthenticated one (this will match the rest of the IP addresses from your DHCP scope, maybe with a computer set) should be above the authenticated one (this should have in its "From" tab a computer set which will match the reservations made by you in DHCP). But the best way (and the most secure way) is to have separate networks (and implicitly different security zones) to fix your issue.
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 10:22:36 AM
Boedus
Posts: 146
Joined: 8.Sep.2006
Status: offline
quote:
ORIGINAL: adrian_dimcev
Yes indeed to see the website domain names in logs you need a third-party solution.

I was able on ISA 2004 to see the domain name visited with the field named DestHost. But on ISA 2006 I can only see the IP of the remote website; I assumed I had some DNS issue on my ISA and did not really pay attention. So do you mean Microsoft has deliberately turned this thing off? I would not be surprised, but it means I've got to implement some extra code to resolve domain names now in my PHP code.
_____________________________
WWW.ITCREME.COM - Online I.T. community
As Jim Harrison used to say: "If we can't fix it, it ain't broken".
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 10:33:08 AM
stevcoll
Posts: 19
Joined: 21.Jan.2007
Status: offline
Yeah, we certainly don't have the resources to create an entire second network including a second wireless infrastructure just to handle anonymous requests through ISA... I know there's gotta be some method out there to do this. A way to set up a protocol or network object which represents SecureNAT users. As soon as I can find a way to separate SecureNAT users from the proxy users I can set up a firewall rule to take care of them and then worry about authenticating domain users in the next rule.. What about the fact that SecureNAT connects over port 80 while proxied clients connect over 8080? Isn't that a way to differentiate?
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 10:34:31 AM
stevcoll
Posts: 19
Joined: 21.Jan.2007
Status: offline
quote:
ORIGINAL: Boedus
quote:
ORIGINAL: adrian_dimcev
Yes indeed to see the website domain names in logs you need a third-party solution.
I was able on ISA 2004 to see the domain name visited with the field named DestHost. But on ISA 2006 I can only see the IP of the remote website; I assumed I had some DNS issue on my ISA and did not really pay attention. So do you mean Microsoft has deliberately turned this thing off? I would not be surprised, but it means I've got to implement some extra code to resolve domain names now in my PHP code.

You can see the domain names in the logs only when the clients connect using the proxy method. SecureNAT clients and Firewall Clients will produce only IP addresses in the logs. What a pain in the ass.
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 10:54:11 AM
Boedus
Posts: 146
Joined: 8.Sep.2006
Status: offline
Alright, ok, thanks, did not know.
_____________________________
WWW.ITCREME.COM - Online I.T. community
As Jim Harrison used to say: "If we can't fix it, it ain't broken".
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 11:01:24 AM
elmajdal
Posts: 5071
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
This is the best solution for you, offered by adrian:
quote:
But the best way (and the most secure way) is to have separate networks (and implicitly different security zones) to fix your issue.
Why would you put untrusted visitors' computers along with your trusted network ???
quote:
Yeah we certainly don't have the resources to create an entire second network including a second wireless infrastructure just to handle anonymous requests through ISA...
What extra resource ??? All you need is a max $30 for another network card and that's it !!! You can install DHCP on your ISA server and then the DHCP server will spread the IPs to both the Internal Network & the Perimeter Network (this is where your SecureNAT will be located). For your Internal Network, install the Firewall Client and configure it for AUTOMATIC CONFIGURATION. In this way even if any user changed the settings of the Firewall, he will not have internet access. And of course on ISA, configure your rules to authenticate users from AD. Now for your perimeter network, put your access point on this network and follow this article: http://www.isaserver.org/tutorials/2004wirelessdmzpart1.html and on ISA, create a rule for All Users (anonymous). In this way:
1- you secured your Internal network from the risks that visitor computers might be infected with worms, viruses and so on.
2- the username and website will be logged
3- you forced authentication on your internal network and allowed anonymous connection on your perimeter network
4- all this for $30 and maybe less !!!
Note: some access points have the ability to function as a DHCP server.
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 11:02:05 AM
Guest
Stev, SecureNAT clients means unauthenticated access: they need a rule set to All Users. Your rule order is important: if you have on top a rule comprising all the internal network with "All Users", ISA will not process any more rules because it has found a match, no matter the rules below which apply to internal clients (for HTTP for example). Therefore that rule with All Users must be matched by their IP address (there isn't any other solution) in order to differentiate: force some computers to authenticate for using the Internet and others to connect directly. About proxy clients: with that rule above in place, the only thing they would take advantage of will be caching (if enabled) because they will use that rule too. I was guessing you could not use that setup. I'm afraid there isn't any other way: allow SecureNAT clients access by IP and others with a rule set to use authentication. To Boedus, we were discussing another subject here and Stev explained that himself.
< Message edited by adrian_dimcev -- 22.Jan.2007 12:18:54 PM >
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 11:04:28 AM
elmajdal
Posts: 5071
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:
ORIGINAL: Boedus
I was able on ISA 2004 to see the domain name visited with the field named DestHost. But on ISA 2006 I can only see the IP of the remote website; I assumed I had some DNS issue on my ISA and did not really pay attention. So do you mean Microsoft has deliberately turned this thing off? I would not be surprised, but it means I've got to implement some extra code to resolve domain names now in my PHP code.

Hi Boedus, check this:
For Proxy clients that use SecureNAT, and Firewall Clients that cannot use the "automatic configuration" setting, ISA records each URL as an IP address only
Source: http://www.collectivesoftware.com
Product: LogHostname
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 11:13:28 AM
Boedus
Posts: 146
Joined: 8.Sep.2006
Status: offline
Thanks.
_____________________________
WWW.ITCREME.COM - Online I.T. community
As Jim Harrison used to say: "If we can't fix it, it ain't broken".
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 11:25:26 AM
stevcoll
Posts: 19
Joined: 21.Jan.2007
Status: offline
elmajdal, I was assuming he meant a separate physical network. I'm definitely not the most knowledgeable about networks, but how is what you say possible? So I add an extra NIC to the ISA server. We only have one physical network which only uses hubs/switches, has no routers, and is completely on the range 193.168.0.1-193.168.0.255. Yes I know technically that's not an internal network but some other guy set it up. So after adding this NIC then what am I supposed to do? As for the WAPs, well, we have about 5 of them spread throughout three buildings connected to the same network. Also how is DHCP supposed to work? How can it tell the difference between a domain client and a guest? Especially since I'm assuming you are talking about somehow implementing two separate networks on the same physical network. Thanks for all your help.
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 11:35:46 AM
elmajdal
Posts: 5071
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Have you read the article ??

Internet-------Router-------ISA-------193.168.0.x-------Internal Network
                             |
                         10.10.10.x
                             |
                             |
                  Untrusted Wireless Network

If you need to really understand such a configuration in detail, check this article: http://www.isaserver.org/tutorials/Creating-Multiple-Security-Perimeters-Multihomed-ISA-Firewall-Part1.html Read it the first time and read it again. You might not use it all, but at least you will understand perfectly from it how you can have multiple networks and have ISA authenticate or pass the required protocols through it.
quote:
Also how is DHCP supposed to work? How can it tell the difference between a Domain client and guest?
DHCP has nothing to do with it. In your rules in ISA you will have:
For Internal Network: Allow > Protocols > From Internal > To External > AD Users
For the perimeter network (wireless network): Allow > Protocols > From Perimeter > To External > All Users
HTH
< Message edited by elmajdal -- 22.Jan.2007 11:40:49 AM >
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8
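A small first-match model of the rule orderings Adrian (anonymous rule for a guest computer set placed above the authenticated rule, and the shadowing that happens when "All Users" for the whole Internal network sits on top) and Tarek (Internal needs AD users, perimeter gets All Users) describe. This is an added illustration, not code from the thread or from ISA Server; the address ranges, rule names, account names and the `proxy_user` field are constructed, and the evaluation follows the behaviour the thread describes rather than ISA's full matching logic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    sources: Tuple[Tuple[str, str], ...]  # address ranges on the rule's From tab
    all_users: bool                       # True = "All Users", False = AD user set

@dataclass(frozen=True)
class Request:
    src_ip: str
    # AD account a Web Proxy client presents when challenged; None = SecureNAT client
    # (cannot authenticate). Constructed field for this model.
    proxy_user: Optional[str]

def _from_matches(ip, rule):
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in rule.sources)

def evaluate(policy, req):
    """Return (rule applied, user as the log would show it). The first rule whose
    From set covers the client decides. An "All Users" rule never challenges, so
    even a domain PC is logged as anonymous; a rule with an AD user set challenges
    a Web Proxy client, denies one that cannot answer, and does not fall through."""
    ip = ipaddress.ip_address(req.src_ip)
    for rule in policy:
        if not _from_matches(ip, rule):
            continue
        if rule.all_users:
            return rule.name, "anonymous"
        if req.proxy_user:
            return rule.name, req.proxy_user
        return "deny", "anonymous"
    return "deny", "anonymous"  # ISA's default rule

# Constructed addressing on the thread's single 193.168.0.x LAN: DHCP
# reservations keep domain PCs in .10-.99; the dynamic guest pool is .100-.254.
INTERNAL = ("193.168.0.1", "193.168.0.254")
GUEST_POOL = ("193.168.0.100", "193.168.0.254")
PERIMETER = ("10.10.10.1", "10.10.10.254")   # Tarek's wireless DMZ

# Adrian's ordering: guest computer set anonymous rule ABOVE the authenticated rule.
RESERVATION_POLICY = (
    Rule("Guests (computer set)", (GUEST_POOL,), True),
    Rule("Domain users", (INTERNAL,), False),
)

# Ordering Adrian warns against: "All Users" for all of Internal on top shadows the rest.
SHADOWED_POLICY = (
    Rule("Everyone anonymous", (INTERNAL,), True),
    Rule("Domain users", (INTERNAL,), False),
)

# Tarek's two-network layout: Internal needs AD users, the perimeter gets All Users.
TWO_NETWORK_POLICY = (
    Rule("Internal -> External, AD users", (INTERNAL,), False),
    Rule("Perimeter -> External, All Users", (PERIMETER,), True),
)
```

The reservation design shows the caveat Adrian calls "painful": a domain PC that misses its reservation and leases from the guest pool is silently logged as anonymous, whereas with two networks a client is placed by the NIC it arrives on.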
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 11:54:52 AM
stevcoll
Posts: 19
Joined: 21.Jan.2007
Status: offline
Unfortunately it's not as simple as all guests are on wireless and all domain users are on wired. Half of the computers on wireless are part of the domain, and guests may need to plug in to the network. I'm sorry if I gave you guys the impression domain users would be using only a wired network and guests would use only a wireless network. The truth is the wireless network is made up of about 5 WAPs in three buildings all connected to the same network... and used for the domain much of the time. I completely understand how separate networks can connect to ISA with multiple NICs but we don't have the resources to create the infrastructure for an entire separate network for the guests. It wouldn't just take one network card but we would need cabling, switches, more APs to create this second network. At this point I'm just thinking about switching to static addresses again on the domain computers because I'm going to rip my head off. Then DHCP will only be going out to guests and I can set up a rule accordingly.
RE: Need Usernames in Logs and Anonymous Access.. - 22.Jan.2007 11:56:48 AM
Guest
Yes Stev, Tarek is absolutely right and has described to you very clearly what I have said in a few words, and indeed this is the most simple and cheapest way of getting this done (and secured). Make sure you read carefully the link he has provided to you about the wireless DMZ and those networks. Even if you need another wireless AP you can get one for around $100 (maybe less, maybe more, up to you based on your number of clients). So as suggested by Tarek, investing between $30 and $150 (this depends on whether you need another AP or not) maybe does not mean so much (or maybe it does, up to you again). Leave your network in place as it is. It will only serve your domain users (use encryption on the wireless network to prevent unauthorized access to it). Put another NIC on ISA. This will connect to a perimeter network. Put here an AP which will serve your guests. If you need a wide range of coverage for these users you can buy more APs. As I see it, the cost of all this will not be more than $500. A cost, I agree, but it's all about the number of APs needed by you.
< Message edited by adrian_dimcev -- 22.Jan.2007 12:07:42 PM >