I've installed Beta 2 of ISA 2004 to be used purely as a cache server, however I am having problems with the authentication. I've created a policy for web browsing with a specific group of users assigned to it and this works as I would expect. What I want to be able to do though is for a user from another domain, who isn't in the list of users, to be prompted for a username and password when they try to browse through the server. Instead they are just getting the page from ISA saying it can't retrieve the requested page. In ISA 2000 you could tell it to prompt for unauthenticated users, is this option still in 2004? Thanks in advance,
After turning on the option to "Ask unauthenticated users for identification" I noticed a problem with users running MSN Messenger. Although these users are authenticated on the domain and in the allowed users group, and as such can browse the internet, when I turn this option on Messenger will not log on; it says that incorrect logon details were supplied for the proxy server. When I disable the option to "Ask unauthenticated users for identification" they can log back onto Messenger again without problems. Has anyone else come across this? Am I doing something wrong here, or could this possibly be a bug in the beta? Regards,
Further to my last post it appears that Messenger also cannot log on unless I have "All users" selected as being allowed, i.e. basically allowing anonymous users through. But even if I do have "all users" selected and then have "ask unauthenticated users for identification" selected it will still fail. Any ideas? Cheers,
The problem is that the wrong credentials get sent by MSN Messenger to the firewall.
You should configure the Hotmail and MSN sites for Direct Access by including *.msn.com, *.passport.com and *.hotmail.com in the Domains tab. That way, apps will avoid the Web Proxy and use their Firewall or SecureNAT client config to reach those sites.
It's an MSN/Hotmail bug, not an ISA issue. That's why you need to configure the sites for Direct Access. You can leverage the Firewall client config if you're using a secure config. Otherwise, SecureNAT is available.
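To make the Direct Access advice concrete, here is an added example of the proxy auto-configuration (PAC) logic that the browser or Web Proxy client ends up evaluating: hosts matching the listed domains get "DIRECT" (so the request never reaches the Web Proxy listener and falls through to the Firewall client or SecureNAT path), and everything else goes to the proxy. This is illustration code written for this thread, not the script ISA 2004 generates and not from any of the posters; the proxy name and port are assumptions, and real PAC engines supply a built-in shExpMatch() that is reimplemented here so the block runs offline.

```javascript
// Added illustration of Direct Access behaviour in a PAC script.
// Domain list taken from the thread; the proxy address is an assumption.
var DIRECT_DOMAINS = ["*.msn.com", "*.passport.com", "*.hotmail.com"];
var WEB_PROXY = "PROXY isa.example.local:8080"; // assumed ISA web listener

// Turn a shell-style pattern such as "*.msn.com" into an anchored RegExp.
// Only '*' is a wildcard; '.' and other metacharacters are escaped, so
// "evilmsn.com" does NOT satisfy "*.msn.com" (the dot must be literal).
function wildcardToRegExp(pattern) {
  var escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$", "i");
}

// Stand-in for the PAC built-in shExpMatch(host, pattern).
function shExpMatch(host, pattern) {
  return wildcardToRegExp(pattern).test(host);
}

// True when the host is on the Direct Access list.
function isDirectAccessHost(host) {
  for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (shExpMatch(host, DIRECT_DOMAINS[i])) {
      return true;
    }
  }
  return false;
}

// PAC entry point: "DIRECT" bypasses the Web Proxy, otherwise use it.
function FindProxyForURL(url, host) {
  if (isDirectAccessHost(host)) {
    return "DIRECT";
  }
  return WEB_PROXY;
}
```

Two caveats worth keeping in mind when you copy a list like this into the Domains tab: a pattern of `*.msn.com` does not cover the bare `msn.com` host, so add it separately if the application contacts it, and every host that goes "DIRECT" still needs an access rule (or SecureNAT/Firewall client path) that lets it out, which is why the thread ends up with a separate "All Users" rule for those sites.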
Thanks for that Tom. I've now just created a separate Access policy, purely for those sites that MSN uses, that is set to allow "All Users" through. At least I can get an IP address logged for those people using Messenger. Do you know if this is something MS are aware of and intend to fix in Messenger? Regards,
Yes, there's even a KB on it. When you configure the sites for Direct Access, it always works a treat. Direct Access config for those sites is always standard procedure to make the ISA firewall transparent to clients.