Welcome to ISAserver.org


Require Authentication for Internal Network

Require Authentication for Internal Network - 7.Aug.2008 2:29:38 PM   
krampot

 

Hello, I am in the testing phase of implementing an ISA 2006 Standard box as a Web Proxy and am running into some issues. My goal is to have all users on the Firewall Client, and use Collective Software's Captivate for anonymous guest users. I have 4 testing users with the firewall client installed, with Autodiscovery working.
First issue: When I turn Require Authentication on for Internal Network - Autodiscover breaks.
Second issue: I can only get Client Username information in the ISA logs when Require Authentication is on. If I turn it off, even Firewall Client users show up in the log as unauthenticated.

Can someone please help?
Post #: 1
RE: Require Authentication for Internal Network - 7.Aug.2008 3:03:52 PM   
krampot

 

1 other issue that is confusing me...
I am seeing in the ISA logs all of the other machines on our Internal network requesting wpad.dat from the ISA server periodically. What is strange about this is their machines shouldn't even know about ISA (they are being assigned an IP by DHCP by another machine on the network, not ISA, and their default gateway is NOT the ISA server).

Why would their machines be looking for wpad.dat? Some of these same users were getting login boxes on Internet Explorer for my ISA server, but they have never had the Firewall client installed and their default gateway is not pointed at ISA.

Even in 3 or 4 other cases, those users actually browsed the Internet through ISA (according to ISA logs) once I turned off Require Authentication on the Internal network, but their computers are clearly pointed at a different default gateway! What's going on!?

(in reply to krampot)
Post #: 2
RE: Require Authentication for Internal Network - 7.Aug.2008 3:41:55 PM   
krampot

 

Sorry for so many messages, I have figured out part of the issue.
I figured out how the clients were finding ISA. I did not realize that "Automatically detect settings" in IE would prompt the client to do a wpad DNS lookup. I have a wpad entry for my ISA, so that makes sense how their machines were finding ISA and consequently getting a login box when I had Require Authentication enabled. Problem solved on that.

My remaining question then is: How do I default the Firewall client to authenticate to ISA if Require Authentication is turned off? My test machines with Firewall Client installed and working still show up as unauthenticated in the ISA logs unless I require authentication. Thanks for any help the community can provide.


(in reply to krampot)
Post #: 3
RE: Require Authentication for Internal Network - 7.Aug.2008 3:56:07 PM   
ferrix

 

If I am understanding correctly, you are trying to get SecureNAT authentication (via Captivate) and also allow firewall client authentication on the same ISA network segment. I'm pretty sure this is destined to fail.

It's not possible for ISA to allow authenticating and anonymous users at the same time to the same source/destination.  No matter how you try to make it work, internally the web proxy just doesn't support it.

If you have questions about how to use Captivate feel free to open a support ticket at the CS web site.

(in reply to krampot)
Post #: 4
RE: Require Authentication for Internal Network - 7.Aug.2008 3:58:48 PM   
krampot

 

Actually, at the moment Captivate is outside of the scope. I have not installed it yet on ISA, that was kind of just a plan for down the road. I will keep this in mind, to not use it unless I separate the network. So ignore Captivate for now. My main goal is to resolve the logging issue where clients default to unauthenticated even with the Firewall client installed.

Thanks

(in reply to ferrix)
Post #: 5
RE: Require Authentication for Internal Network - 7.Aug.2008 4:15:08 PM   
ferrix

 

If anonymous access is allowed, then everything WILL be anonymous, and you can't change it on the clients. 

In ISA rules, you must remove "all users" and replace it with something more restrictive such as "all authenticated users".

(in reply to krampot)
Post #: 6
RE: Require Authentication for Internal Network - 7.Aug.2008 4:16:26 PM   
krampot

 

Understood! Thanks for your help.

(in reply to ferrix)
Post #: 7
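
Added example, not part of the thread or written by its posters: a small Python log summary that separates the two things discussed above, clients that reach the proxy through WPAD auto-detection and requests logged without a user name. The column names (`c-ip`, `cs-username`, `cs-uri`), the `anonymous` marker and the sample lines are assumptions in W3C extended log style and are constructed; adjust them to the `#Fields:` header of the actual export.

```python
from collections import defaultdict

# Constructed sample (tab-separated, W3C extended style); not real log data.
SAMPLE_LOG = "\n".join([
    "#Fields: c-ip\tcs-username\tcs-uri",
    "10.0.0.21\tanonymous\thttp://wpad.example.local/wpad.dat",
    "10.0.0.21\tanonymous\thttp://www.example.com/",
    "10.0.0.21\tanonymous\thttp://www.example.org/news",
    "10.0.0.30\tanonymous\thttp://wpad.example.local/wpad.dat",
    "10.0.0.30\tEXAMPLE\\fwc-user1\thttp://www.example.com/",
    "10.0.0.44\tanonymous\thttp://www.example.net/",
])

def parse_w3c(text):
    """Yield one dict per record, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def summarize(records, anon_names=("anonymous", "-", "")):
    """Per client IP: wpad.dat fetches, anonymous requests, user names seen."""
    stats = defaultdict(lambda: {"wpad": 0, "anonymous": 0, "users": set()})
    for rec in records:
        entry = stats[rec["c-ip"]]
        user = rec.get("cs-username", "").strip()
        path = rec.get("cs-uri", "").lower().split("?")[0]
        if path.endswith("/wpad.dat"):
            entry["wpad"] += 1          # auto-detection fetch, not browsing
        elif user.lower() in anon_names:
            entry["anonymous"] += 1     # browsing logged without a user name
        else:
            entry["users"].add(user)
    return dict(stats)

def autodetect_only_clients(stats):
    """Clients that fetched wpad.dat and browsed but never sent a user name."""
    return sorted(ip for ip, s in stats.items()
                  if s["wpad"] and s["anonymous"] and not s["users"])

if __name__ == "__main__":
    result = summarize(parse_w3c(SAMPLE_LOG))
    for ip in sorted(result):
        print(ip, result[ip])
    print("auto-detect only:", autodetect_only_clients(result))
```

Clients listed by `autodetect_only_clients` are the ones to review before replacing "All Users" with "All Authenticated Users" in the access rules, since they will start receiving authentication prompts.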
