Welcome to ISAserver.org
Require all users to authenticate
Require all users to authenticate - 4.Sep.2008 9:24:18 AM
ldoodle
Posts: 70
Joined: 21.Mar.2005
From: England
Status: offline
Hiya,

When enabling 'Require all users to authenticate' on a network object, such as Internal, a warning pops up saying:

"Requiring all users to authenticate may block traffic to sites, such as Windows Update, that do not support user authentication. To ensure that you do not unintentionally block traffic to such sites, we recommend enforcing user authentication on firewall policy access rules and publishing rules, instead of selecting this check box."

How does one do this as I have no authentication tabs on my access rules!

Thanks
_____________________________
Where there's will, there's always a way!
RE: Require all users to authenticate - 4.Sep.2008 2:04:43 PM
paulo.oliveira
Posts: 820
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi,

Actually ISA is recommending that you enable authentication on the access rule, instead of all Internal Network. To accomplish it you just have to remove the All Users group on the Condition and place All Authenticated Users or an AD user/group.

Regards,
Paulo Oliveira.
RE: Require all users to authenticate - 5.Sep.2008 6:35:52 AM
royh
Posts: 284
Joined: 23.Feb.2007
From: Lebanon
Status: offline
Also keep in mind that SecureNAT users can't authenticate! Set your users as WebProxy/FWclient if you want to authenticate them.

Thanks
_____________________________
Roy Haddad,M.Sc CCNA, MCSE 2003 Messaging & Security,C|EH
RE: Require all users to authenticate - 8.Sep.2008 5:47:58 AM
ldoodle
Posts: 70
Joined: 21.Mar.2005
From: England
Status: offline
How would having an 'in-between' proxy server affect this? We have a subscription to ScanSafe, which sits on a dedicated server and all our clients have this set as their proxy server in IE. A firewall rule then only allows http/https/ftp traffic from the proxy server.

Thanks
RE: Require all users to authenticate - 10.Sep.2008 6:27:04 PM
royh
Posts: 284
Joined: 23.Feb.2007
From: Lebanon
Status: offline
In this scenario ISA is not authenticating your users. Why don't you use your ISA as proxy instead of ScanSafe?
_____________________________
Roy Haddad,M.Sc CCNA, MCSE 2003 Messaging & Security,C|EH
RE: Require all users to authenticate - 16.Sep.2008 10:14:39 AM
ldoodle
Posts: 70
Joined: 21.Mar.2005
From: England
Status: offline
Ignore my last post (to an extent). ScanSafe was only on a dedicated server in the past as it was also acting as the proxy server. Now we have ISA, that will be doing the proxying, and ScanSafe is just configured as the upstream server.

Anyhow, I've now got it configured so it's registering usernames per access rule, so next question is what access rules can be changed over to All Authenticated Users (as opposed to All Users). I have the following that are currently set to All Users:

Network1 to Network2 - Site-to-Site VPN
Outbound DNS
VPN Clients to Internal
Outbound SMTP
Outbound Blackberry
Outbound Terminal Services

Come to think of it, can ALL outbound access rules be set to all authenticated users, even without the use of the Firewall Client?

Thanks
RE: Require all users to authenticate - 16.Sep.2008 1:21:08 PM
paulo.oliveira
Posts: 820
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi,

quote:
Come to think of it, can ALL outbound access rules be set to all authenticated users, even without the use of the Firewall Client?

No. In my opinion these access rules can be changed:

Network1 to Network2 - Site-to-Site VPN - Can NOT!
Outbound DNS - Can NOT!
VPN Clients to Internal - CAN!
Outbound SMTP - Can NOT!
Outbound Blackberry - Don't know how it works!
Outbound Terminal Services - CAN!

Keep in mind that some access rules don't work with authentication, because they don't have any user to authenticate, such as SMTP, DNS...

Regards,
Paulo Oliveira.
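
Added example, not part of the original thread or of ISA Server itself: before switching a rule from All Users to All Authenticated Users, a log export can show which rules still carry traffic with no user name, which is the traffic that would be denied. The tab-separated layout, the `#Fields:` names (`c-ip`, `cs-username`, `cs-protocol`, `rule`), the `anonymous` marker and the sample lines are assumptions constructed for this sketch.

```python
from collections import defaultdict

# Constructed sample log; column names and values are assumptions, not real data.
SAMPLE_LOG = (
    "#Software: constructed sample\n"
    "#Fields: c-ip\tcs-username\tcs-protocol\trule\n"
    "10.0.0.11\tCORP\\alice\thttp\tOutbound Web\n"
    "10.0.0.12\tanonymous\thttp\tOutbound Web\n"
    "10.0.0.25\tanonymous\tSMTP\tOutbound SMTP\n"
    "10.0.0.53\t-\tDNS\tOutbound DNS\n"
    "10.0.0.11\tCORP\\alice\tRDP\tOutbound Terminal Services\n"
    "10.0.0.14\tCORP\\bob\tRDP\tOutbound Terminal Services\n"
)

# Values treated as "no authenticated user" (assumed markers).
ANONYMOUS = {"", "-", "anonymous"}


def audit_rules(log_text):
    """Return {rule: {"total": n, "anonymous": n, "anon_clients": set_of_ips}}."""
    stats = defaultdict(lambda: {"total": 0, "anonymous": 0, "anon_clients": set()})
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The header names the columns for every data line that follows.
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split("\t")))
        entry = stats[row.get("rule", "-")]
        entry["total"] += 1
        if row.get("cs-username", "").strip().lower() in ANONYMOUS:
            entry["anonymous"] += 1
            entry["anon_clients"].add(row.get("c-ip", "?"))
    return dict(stats)


def candidate_rules(stats):
    """Rules with no anonymous hits in the sample: evidence, not proof, that
    requiring authentication on them would not block existing traffic."""
    return sorted(rule for rule, s in stats.items() if s["anonymous"] == 0)


if __name__ == "__main__":
    result = audit_rules(SAMPLE_LOG)
    for rule, s in sorted(result.items()):
        print(f"{rule}: {s['anonymous']}/{s['total']} anonymous, "
              f"clients {sorted(s['anon_clients'])}")
    print("Candidates for All Authenticated Users:", candidate_rules(result))
```

The client addresses listed for a rule are the hosts to check first, for example clients that are still SecureNAT rather than Web Proxy or Firewall Client.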