Welcome to ISAserver.org

Thin Client Web Proxy'ing

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 General] >> General >> Thin Client Web Proxy'ing

Page: [1]

Message

<< Older Topic Newer Topic >>

Thin Client Web Proxy'ing - 29.Sep.2008 4:15:14 AM

timmyb12345

Posts: 2
Joined: 29.Sep.2008
Status: offline

Hi Guys,

Having a bit of trouble here and wondered if anyone had any ideas;

We run a thin client environment with staff using terminals to connect to a Citrix ICA server (we have 2 of them).

I am wanting to put all these clients through our ISA server (which is still being configured). However, I am unable to enforce firewall policies based on domain user groups because all traffic that is coming from the clients (in turn passing through one of our Citrix servers) are marked as anonymous usernames.

It seems that the traffic is not carrying the user credentials of the staff. I wondered if there is any way the ISA server can be configured to enable this?

Thanks

Post #: 1

Featured Links*

RE: Thin Client Web Proxy'ing - 30.Sep.2008 8:23:15 AM

tshinder

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

Are the browsers configured as Web Proxy clients and are the users logging into the same domain that the firewall belongs to?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to timmyb12345)

Post #: 2

RE: Thin Client Web Proxy'ing - 8.Oct.2008 5:50:01 AM

timmyb12345

Posts: 2
Joined: 29.Sep.2008
Status: offline

The browsers are configured as Web Proxy. They pull the settings through a group policy which points all the connection information to the ISA server.

The Terminals, Citrix Servers and the ISA server are all on the same domain yes

(in reply to tshinder)

Post #: 3

RE: Thin Client Web Proxy'ing - 11.Oct.2008 9:50:45 AM

tshinder

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Timmy,

Hmmm. In a terminal server environment, if the client is logged on as a domain member, that user's credentials, when configured as a Web Proxy client, should be forwarded to the firewall.

I'd do a NetMon trace and see what's happening here.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to timmyb12345)

Post #: 4

RE: Thin Client Web Proxy'ing - 11.Oct.2008 1:02:46 PM

Jim Harrison

Posts: 232
Joined: 5.May2001
From: Redmond, WA
Status: offline

Remember; all initial web proxy requests will be anonymous.
You have to configure ISA to require authentication.
This is accomplished one (or both) of two ways:
1. configure the rules "User" tab for "autheticated users" (or specific users & groups); not "all users"
2. configure the web proxy listener to "requie all users to authenticate" (this blocks ALL anonymous requests)

Bear in mind that option #2 will likely break auto-updates, but you should be using WSUS anyway.

_____________________________

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
My ISAServer.org Stuff
My Site

(in reply to tshinder)

Post #: 5

RE: Thin Client Web Proxy'ing - 12.Oct.2008 9:20:45 AM

tshinder

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Jim,

Good point. I assumed that the rule is requiring authentication -- but you know what happens when you "assume"

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Jim Harrison)

Post #: 6