Welcome to ISAserver.org
Surfcontrol, ISA and unauthenticated users
Surfcontrol, ISA and unauthenticated users - 10.Jan.2007 2:46:26 PM
rob.smith
Posts: 1
Joined: 10.Jan.2007
Status: offline
All, I've had a pretty good search around this site now for a resolution to the issue that I currently have with ISA. Essentially I run Surfcontrol 5.5 filtering traffic on a DL360 G4 running ISA 2004 SP2. Reporting is an essential feature of Surfcontrol, and one that we utilise heavily. In order for Surfcontrol to properly log usernames (versus just IPs) I have to tick the infamous 'Require all users to Authenticate' tick box on my only interface. However, this now leaves me with issues relating to streaming media, and some Java applications which, it seems, have no way of providing to the ISA details of the currently logged on user. When I monitor the error I observe that all connections made with the 'Anonymous' user are denied, and if I remove the tick from the box that requires all users to authenticate it works perfectly (my Surfcontrol rules however do not!). I'm really after a workaround of some sort to allow me to get around these issues that doesn't involve un-ticking the 'Require all users to Authenticate' box. I'm not averse to maintaining a white list of sorts, but as this option is bound directly to the ISA's only interface I'm struggling to find a way to over-rule it. Any help therefore would be much, much appreciated! Regards, Rob
RE: Surfcontrol, ISA and unauthenticated users - 4.Oct.2007 11:22:24 AM
Lockstock
Posts: 9
Joined: 11.Sep.2007
Status: offline
Hi there, I have exactly the same issue. Have been banging my head against a wall for months trying to sort it out. Did you ever get anywhere with it? Cheers,
RE: Surfcontrol, ISA and unauthenticated users - 4.Oct.2007 1:02:30 PM
ferrix
Posts: 375
Joined: 16.Mar.2005
Status: offline
Is this "require all users" thing a known issue with Surf Control? Does their support offer a solution? That checkbox is evil, I'd ask for a fix from SC if I was you. Otherwise you're stuck trying to do workarounds for what's already a bad situation.
RE: Surfcontrol, ISA and unauthenticated users - 5.Oct.2007 11:46:00 AM
Lockstock
Posts: 9
Joined: 11.Sep.2007
Status: offline
Cheers for the reply. The problem is that I get the same issue even when I disable/bypass SC. It all seems to stem around the connection being anon.
RE: Surfcontrol, ISA and unauthenticated users - 5.Oct.2007 11:51:23 AM
ferrix
Posts: 375
Joined: 16.Mar.2005
Status: offline
Welp, you've got me confused! Your original post said that SC wasn't logging correctly, but now you say that the problem exists without SC. So I think it would be useful to narrow down what the problem is you're experiencing.
RE: Surfcontrol, ISA and unauthenticated users - 5.Oct.2007 11:56:35 AM
Lockstock
Posts: 9
Joined: 11.Sep.2007
Status: offline
Sorry, the original call wasn't mine. I am just desperate and suffering from the same issue. I see the same symptom if users aren't authenticating but that is not my issue. I have everything else working perfectly, it is just WMP on some news streaming sites. In particular the BBC, which the company President likes.
RE: Surfcontrol, ISA and unauthenticated users - 5.Oct.2007 12:06:53 PM
ferrix
Posts: 375
Joined: 16.Mar.2005
Status: offline
Oh oops, I didn't notice the two posters; my fault for mis-reading the thread. Anyway I still think you haven't described your issue very well. Don't assume you have the same thing as someone else... your case sounds like it's very specifically related to media player and some small set of sites. Is wmp connecting anonymously? Is this denied by your policy rules? I don't know about wmp, but I assume it should be able to use IE proxy settings. Is the traffic not over HTTP but some other port? You need to do some analysis and troubleshooting. In addition, consider using the firewall client. It gives more flexibility for cooperation between workstations and ISA.
< Message edited by ferrix -- 5.Oct.2007 12:08:12 PM >
RE: Surfcontrol, ISA and unauthenticated users - 5.Oct.2007 12:07:10 PM
jmilito
Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
Sounds like a case of the poorly coded Java... I used to run an ISA 2004 box with SurfControl... We would have 200-300 active connections at any given time and a user base of almost 13,000 users. Needless to say I always struggled with the authentication and Java. The only way I found around it was to disable authentication for ALL, create an All User rule for my whitelisted sites, then require authentication for all other traffic. I also had to "whitelist" the same sites in SurfControl for non-authenticated users. This seemed to work back then for the most part...but it was an absolute pain to maintain as I was always updating the whitelist. I recently moved jobs and I have heard they recently installed ISA 2006. They said the authentication problems between the Java, ISA, and SurfControl seem to have improved. So...
1. Run the latest version of ISA BPA.
2. Next I would try disabling the authentication requirement, create a whitelist rule for All Users in ISA and SurfControl, then create a rule for all other HTTP, HTTPS traffic in ISA for authenticated users only. See how that works.
3. Call SurfControl and let them troubleshoot via remote support.
4. Try ISA 2006 in a test environment to see if it improves your situation.
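The rule ordering described in the post above, as an added example that is not part of the original thread and not ISA Server code: a simplified Python model of ordered, first-match web access rules, showing why an "All Users" whitelist rule must sit above the authenticated rule and why the network-level checkbox defeats it. The rule names, host names and user name are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    hosts: Optional[set]   # None means any destination
    users: str             # "all" or "authenticated"

def evaluate(rules, host, user, force_auth_on_network=False):
    """Return (verdict, decided_by) for one proxied web request.

    user is None for a client that sends no credentials (logged as anonymous).
    """
    # The network-level checkbox demands credentials before any rule is read,
    # so a whitelist rule never gets the chance to match.
    if force_auth_on_network and user is None:
        return ("407 auth required", "network setting")
    for rule in rules:                      # ordered list, first match wins
        if rule.hosts is not None and host not in rule.hosts:
            continue
        if rule.users == "all":
            return ("allow", rule.name)
        if user is None:
            # The rule needs an identity; a client that cannot answer the
            # challenge (some media players, Java applets) stays blocked here.
            return ("407 auth required", rule.name)
        return ("allow", rule.name)
    return ("deny", "default rule")

# Constructed policy: whitelist first, authenticated catch-all second.
WHITELIST = {"streaming.example.com"}
POLICY = [
    Rule("Whitelist - All Users", WHITELIST, "all"),
    Rule("Web - Authenticated", None, "authenticated"),
]

if __name__ == "__main__":
    for host, user, forced in [
        ("streaming.example.com", None, False),
        ("other.example.net", None, False),
        ("other.example.net", "CORP\\alice", False),
        ("streaming.example.com", None, True),
    ]:
        print(host, user, forced, "->", evaluate(POLICY, host, user, forced))
```

Requests allowed by the "All Users" rule carry no user identity, so reporting for the whitelisted sites falls back to IP addresses.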
RE: Surfcontrol, ISA and unauthenticated users - 8.Oct.2007 11:08:37 AM
Lockstock
Posts: 9
Joined: 11.Sep.2007
Status: offline
Hi there, Hope you had a good weekend. Basically, I am disabling the Surfcontrol services and with them failing safe, this leaves just ISA between the outside World and the users in question. The problem seems to be that the streaming media site in question (bbc for the record) does not like an anonymous connection as, as soon as the client name reports as anon the connection is denied and the user receives a credential prompt for the ISA server. Cheers,
RE: Surfcontrol, ISA and unauthenticated users - 8.Oct.2007 11:11:52 AM
Lockstock
Posts: 9
Joined: 11.Sep.2007
Status: offline
Hi there, Cheers for taking the time to reply. I am currently on ISA 2006. The problem seems to be independent of SC as the logon prompt still pops up even with the SC services stopped. Although Media Player is the player of choice, I am going to try Real and see if that helps. If all else fails then I will go either the FW client route or the Whitelist route. Both taking the user away from standard builds but that might be the only way forward. Cheers, Byron.
RE: Surfcontrol, ISA and unauthenticated users - 8.Oct.2007 11:32:00 AM
jmilito
Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
Are your clients using SecureNAT or the Web Proxy? That may make a difference. Also check to see whether your media players have the correct network settings. Check out this site...even though it is for 2004 you may find its guidance useful. http://www.microsoft.com/technet/isa/2004/plan/ts_client_rules.mspx
RE: Surfcontrol, ISA and unauthenticated users - 8.Oct.2007 11:38:41 AM
Lockstock
Posts: 9
Joined: 11.Sep.2007
Status: offline
When you say 'clients using SecureNAT or WebProxy', do you mean firewall clients? If so, we do not use MSFWC, clients find the ISA box using WPAD. The Media Player settings are all pretty standard. I will check that article and use GPO if changes need to be made. Cheers again for your time and efforts. Byron.
RE: Surfcontrol, ISA and unauthenticated users - 11.Oct.2007 4:59:39 AM
oboardman
Posts: 1
Joined: 11.Oct.2007
Status: offline
I have been battling over this problem for a while. I logged a call with Surfcontrol some months back but they were unable to assist (blaming ISA server). I am all ears if there are any low maintenance workarounds out there. Oliver
RE: Surfcontrol, ISA and unauthenticated users - 3.Dec.2007 12:36:02 PM
RedMachine
Posts: 29
Joined: 13.Aug.2001
From: Scotts Valley, CA, USA
Status: offline
You can turn off Forced Authentication on the internal object. You just need to set the rule to Authenticate. From SurfControl's standpoint the software doesn't have anything to do with Authentication. ISA provides the authentication and as such what it gets is all that it can use. So if ISA cannot authenticate neither will SurfControl. An option is to disable Forced Authentication and not Authenticate on the Rule. You can then use the Enterprise User Monitor to gather usernames for SurfControl Rule enforcement and reports. See your Administrator guide to install EUM. P.S. - The EUM with ISA only works with 5.5 version