Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Secure NAT clients and Web Proxy Authentication

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> SecureNAT Client >> Secure NAT clients and Web Proxy Authentication Page: [1]
Login
Message << Older Topic   Newer Topic >>
Secure NAT clients and Web Proxy Authentication - 6.Nov.2006 1:27:20 PM   
wasserja

 

Posts: 56
Joined: 4.Dec.2002
Status: offline 		I have my Internal Network setup to require authentication to use the web proxy but my secure nat clients are being asked for a password to use port 80.  How do I allow my secure nat clients to allow unauthenticated access over port 80?  All my clients have no gateway and are configured as web proxy clients and firewall clients.  I need my servers and other non-firewall clients (secure nat) clients to be able to access the web.  Please help.  Thanks.
Post #: 1
RE: Secure NAT clients and Web Proxy Authentication - 6.Nov.2006 5:19:51 PM   
wasserja

 

Posts: 56
Joined: 4.Dec.2002
Status: offline 		You know it's bad when you have to answer your own posts...

I turned off "require all clients to authenticate" on the web proxy and changed my Access rule to All Authenticated users instead of all Users.  Then I created a Client Set for my Secure NAT clients and allowed All Users HTTP access.  Unfortunately this didn't work because the Web Proxy Filter is enabled.  Disabling this helped, but caused other problems.  So I created a new protocal definition called HTTP no Filter without the Web Proxy Filter and assiged that to my Secure Nat client access rule.  Voila!  It works. Then I had to add DNS to the access rule since my DNS access was part of my other access rule which I had changed to Authenticated users.  What a mess!  Why does Microsoft even allow that option to require all users to authenticate if it doesn't work that well?  Hopefully things will go a little smoother now.

(in reply to wasserja)
Post #: 2
RE: Secure NAT clients and Web Proxy Authentication - 7.Nov.2006 5:36:36 AM   
elmajdal

 

Posts: 5071
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline 		i think no one answered cuz no one knew what u exactly want !!

first u say that u have securenat client ,
quote:

How do I allow my secure nat clients to allow unauthenticated access over
port 80?


then u say
quote:

All my clients have no gateway and are configured as web proxy clients and firewall clients.

No gateway means no securenat !!!


quote:

  I need my servers and other non-firewall clients (secure nat) clients to be able to access the web.


so u need authentication & anonymouse rules, ok:

1- anonymouse rules come above authenticated rules
2- so for securenat , configure ur clients gateway as ISA internal IP, then on ISA create a rule to allow ALL USERS , could be something like that

Allow > Protocols >From NAT_Clients > To External > All Users
 
where  NAT_Clients is a Computer Set containing all the IPs of the computers u dont require authentication


3- create a rule for authenticated users ( firewall/web proxy clients )

All > protocols >From Internal > To External > AD_Users

AD_Users is a user or a group that contains ur active directory users, or u can use authenticated users.

4- remove the option require all users to authenticate



_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to wasserja)
Post #: 3
RE: Secure NAT clients and Web Proxy Authentication - 7.Nov.2006 8:37:40 AM   
wasserja

 

Posts: 56
Joined: 4.Dec.2002
Status: offline 		That helps some.  Thanks for the clarification.  My servers and special clients are secure nat clients.  My regular DHCP clients are firewall clients and web proxy clients only.  We need the log the user information for everybody for the web proxy to be able to block certain domains, so turning on the authentication for everybody seemed to fix that problem, but caused all sorts of new ones.  I think we found a happy medium.  

(in reply to elmajdal)
Post #: 4
RE: Secure NAT clients and Web Proxy Authentication - 7.Nov.2006 12:18:16 PM   
elmajdal

 

Posts: 5071
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline 		so do u have any remaining issue or u r done ?

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to wasserja)
Post #: 5
RE: Secure NAT clients and Web Proxy Authentication - 7.Nov.2006 1:33:28 PM   
wasserja

 

Posts: 56
Joined: 4.Dec.2002
Status: offline 		For now I think I'm done.  Basically if you want to require authentication, don't do it globally for a network, do it by access rule; this will save you lots of headaches.

(in reply to elmajdal)
Post #: 6
RE: Secure NAT clients and Web Proxy Authentication - 7.Nov.2006 2:03:12 PM   
elmajdal

 

Posts: 5071
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

Basically if you want to require authentication, don't do it globally for a network, do it by access rule; this will save you lots of headaches.


exactly, personally i never recommend enabling the option : require all users to authenticate.

Thanks for the follow up.

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to wasserja)
Post #: 7

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> SecureNAT Client >> Secure NAT clients and Web Proxy Authentication Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts