User Sets is not working

User Sets is not working - 12.Jul.2005 11:13:00 PM   
Arash

 

Posts: 2
Joined: 12.Jul.2005
Status: offline
Hi all,
I have a weird problem with ISA 2004. I could filter some protocols and get it to work when applied to all users of my domain with the "All Users" user set, but when I create a new user set and apply it as a condition on the "Users" tab in the property page of the Access rule, it does not work properly!

Do you know where the problem is? I think it cannot talk to Active Directory correctly!
Post #: 1
RE: User Sets is not working - 13.Jul.2005 11:41:00 AM   
isawader

 

Posts: 420
Joined: 27.Apr.2005
Status: offline
Remember:
-SecureNAT clients can't authenticate.
-In order for the workstation to pass on the authentication information of the currently logged-on user, you need either the firewall client installed or webproxy configured on the browsers. I would recommend that you install the firewall client and configure the browsers to webproxy, if you haven't already.

Is the ISA server a member of the domain?

(in reply to Arash)
Post #: 2
RE: User Sets is not working - 22.Jul.2005 7:45:00 PM   
ISAServerTools

 

Posts: 41
Joined: 22.Jul.2005
Status: offline
What you are probably experiencing is the following, which, in my opinion, is a bug in ISA Server 2004.

Basically what is happening is that any time an unauthenticated user (anonymous) attempts to access something and the attempt encounters a rule (either a deny rule or allow rule) which has anything other than "All Users" in the applies to users tab, the access attempt is denied.

If you have a combination of authenticated and securenat users you can easily recreate this problem by doing the following:

1. create a domain name set with www.yahoo.com
2. create a rule which applies to a particular authenticated user... such as DOMAIN\Domain Users which ALLOWS access to the domain name set created in step 1.
3. move this rule to the top of your firewall policy.
4. go to a securenat client (make sure there are no proxy settings in the browser) and try to access ANY site through your web browser... won't work.

If you use the monitoring feature in ISA Server 2004 to monitor activity from your securenat client, and attempt this again, you will see that the ALLOW rule you created in step 2 is DENYing access attempts to any domain. Why would an allow rule deny anything? Why would a rule which applies to DOMAIN\Domain Users EVER affect the traffic from an anonymous user? Has to be a bug.

In my opinion, if the rule does not match the request for any reason, it should fall through to the next rule, therefore, an access attempt from an unauthenticated user should never be allowed or denied by a rule which does not apply to "All Users".

Just my 2 cents worth...

(in reply to Arash)
Post #: 3
RE: User Sets is not working - 22.Jul.2005 9:53:00 PM   
isawader

 

Posts: 420
Joined: 27.Apr.2005
Status: offline
I agree. The way ISA applies policies to a request is really convoluted. Sometimes I see in the log a deny rule allowing access if you don't use a proxy.

(in reply to Arash)
Post #: 4
RE: User Sets is not working - 22.Jul.2005 10:07:00 PM   
Arash

 

Posts: 2
Joined: 12.Jul.2005
Status: offline
OK, so how do I know if a user is authenticated or unauthenticated? Isn't it enough if they are signed on to the DC with AD?
And how can I fix the bug? [Confused]

[ July 22, 2005, 10:09 PM: Message edited by: Arash Aghlara ]

(in reply to Arash)
Post #: 5
RE: User Sets is not working - 22.Jul.2005 10:16:00 PM   
ISAServerTools

 

Posts: 41
Joined: 22.Jul.2005
Status: offline
To find out if your users are authenticating or not, just use the monitoring tool in ISA and make some HTTP requests. If the user name shows up as "anonymous", they aren't authenticated.

The quick and easy fix is to move all your rules which apply to "All Users" above any rules which apply to specific users or groups, but this won't work in some more complex examples.

For example, if I have a site I want to deny access to all users EXCEPT, for example, DOMAIN\Administrator, you can't do it with a mix of securenat and authenticated users no matter how you sequence the rules.

Simply put, Microsoft needs to fix this.

(in reply to Arash)
Post #: 6
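
The rule-ordering behaviour described in posts #3 and #6, modelled as an added example that is not part of the original thread and is not ISA Server's own logic. It compares the reported behaviour (an anonymous request is denied at the first rule scoped to a specific user set) with the fall-through behaviour post #3 expected, then checks every ordering of the "deny to all except Administrator" policy from post #6. All rule names, hosts and users are constructed.

```python
from itertools import permutations

ALL_USERS, ANY = "All Users", "*"

def evaluate(rules, user, dest, fall_through=False):
    """Walk rules top-down; user=None is an anonymous (SecureNAT) request.
    fall_through=False models the behaviour reported in post #3,
    fall_through=True the behaviour that post expected instead."""
    for name, action, user_set, rule_dest in rules:
        if user is None and user_set != ALL_USERS:
            if fall_through:
                continue               # rule cannot apply, try the next one
            return ("deny", name)      # request dies at the user-specific rule
        if rule_dest not in (ANY, dest):
            continue
        if user_set != ALL_USERS and user not in user_set:
            continue
        return (action, name)
    return ("deny", "Default rule")

# Constructed rule sets: (name, action, user set, destination).
REPRO = [
    ("Allow yahoo to Domain Users", "allow", ("DOMAIN\\alice",), "www.yahoo.com"),
    ("Allow all outbound", "allow", ALL_USERS, ANY),
]
SITE, OTHER, ADMIN = "restricted.example", "www.example.com", "DOMAIN\\Administrator"
EXCEPT_ADMIN = [
    ("Allow site to Administrator", "allow", (ADMIN,), SITE),
    ("Deny site", "deny", ALL_USERS, SITE),
    ("Allow all outbound", "allow", ALL_USERS, ANY),
]

def meets_policy(rules, fall_through):
    """Post #6 goal: only Administrator reaches SITE, everyone reaches the rest."""
    return (evaluate(rules, ADMIN, SITE, fall_through)[0] == "allow"
            and evaluate(rules, None, SITE, fall_through)[0] == "deny"
            and evaluate(rules, None, OTHER, fall_through)[0] == "allow")

def working_orders(fall_through):
    """Every ordering of EXCEPT_ADMIN that satisfies the intended policy."""
    return [o for o in permutations(EXCEPT_ADMIN) if meets_policy(o, fall_through)]

if __name__ == "__main__":
    print(evaluate(REPRO, None, OTHER))          # denied by the allow rule
    print(evaluate(REPRO[::-1], None, OTHER))    # workaround: All Users rule first
    print(len(working_orders(False)), len(working_orders(True)))
```

Under the reported behaviour no ordering of the three rules satisfies the policy, while under fall-through evaluation the ordering with the Administrator rule on top does.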
