Welcome to ISAserver.org
Users prompted for authentication for HTTPS traffic
Users prompted for authentication for HTTPS traffic - 23.Jan.2005 3:51:00 PM
myxiplx
Posts: 132
Joined: 16.Mar.2001
I've just installed ISA 2004 (upgrading from our old ISA 2000 server), and am having problems with it constantly asking users for authentication for secure (HTTPS) sites.
All our users are Web Proxy clients (configured by WPAD). We are on a Windows 2000 domain and I've turned off the setting to 'require authentication' on the internal network. We have a very restrictive internet access policy. Access is restricted to set groups of users, limited protocols (HTTP, HTTPS, FTP), to authorised sites only, and to authorised content only.
So yes, I went in at the deep end.
For HTTP and FTP I tracked the problem down to the fact that none of the rules for these protocols were being applied - my content filters were a little over-zealous. Once I solved that, the authentication dialog boxes stopped appearing. While this is now working, I still don't understand why ISA was asking for authentication rather than denying access.
For HTTPS I am still having problems. It still prompts for authorisation and I have to enter login details several times to get sites to load, and even after entering the details manually access seems to be intermittent. The only way I've been able to get ISA to allow HTTPS access has been to add a new rule granting HTTPS access to our allowed sites for all outbound traffic, with no protocol or content filtering rules in place. That has got things working for our users, but I would really like to lock this down much tighter.
First of all, I would be very grateful for any suggestions as to what I may have missed in setting up HTTPS access, but I also think I need to configure SSL bridging to allow ISA to filter the traffic coming from these sites, but I am unsure exactly how to install the appropriate certificate on the ISA server. Will any certificate work? Our network policies already mean that every computer on our network has a certificate installed.
Thanks,
Ross
RE: Users prompted for authentication for HTTPS traffic - 24.Jan.2005 6:23:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Hi Ross,
Make sure you haven't enabled the "ask unauthenticated users to authenticate" option in the Web listener, as this generates spurious authentication prompts for Web Proxy clients.
HTH, Tom
RE: Users prompted for authentication for HTTPS traffic - 25.Jan.2005 8:13:00 AM
myxiplx
Posts: 132
Joined: 16.Mar.2001
Nope, it's not that I'm afraid Tom.
ISA is doing something I really don't understand here...
Ross
RE: Users prompted for authentication for HTTPS traffic - 31.Jan.2005 4:38:00 PM
myxiplx
Posts: 132
Joined: 16.Mar.2001
Ok, I have finally fixed this. It was down to a misunderstanding on my part. I believed ISA 2004 could filter SSL traffic, but it appears that this is only for published servers and not for general internet access.
The problem was because I was trying to use content filtering on a rule that applied to SSL traffic. ISA could not filter this traffic and was attempting to use a different rule and prompting for authentication.
I'm not entirely sure why ISA was prompting me for authentication instead of denying access to this page. I've written up in detail below what happened and would appreciate any opinions on this.
thanks,
Ross
--------------------------
Simplifying hugely, our ISA server is essentially configured with two rules:

1. IT Staff - full outbound access
   Users: IT staff only
   Protocols: large list
   Content: no restriction

2. Users - limited access
   Users: Anyone
   Protocols: HTTP, HTTPS, FTP
   Content: Allowed content only
For normal internet access the above rules work fine, but SSL sites for some reason were prompting the users for authentication. Looking at the logs, it appeared that these connection attempts were being denied by the IT rule, instead of the staff rule as we would expect.
To confirm this, I created a new rule in between these two, granting access to HTTPS only, for all staff, to all destinations with no content filtering. This rule allows all staff to access SSL sites with no problems.
To me this implied that content filtering is somehow preventing our staff rule granting access to SSL sites. Why ISA is then attempting to use the IT rule I don't know, but that does explain the logon dialog box. Integrated authentication will fail since the user is not a member of the appropriate group, and ISA 2004 seems to be responding in a way that causes IE to display the standard logon dialog box.
Looking at the logs themselves, when access is granted, we see:

Destination IP    Port  Type        Action              User                  Site
192.168.1.27      443   SSL-tunnel  Allowed Connection  anonymous             new.egg.com:443
192.168.1.27      443   SSL-tunnel  Allowed Connection  anonymous             new.egg.com:443
192.168.1.27      443   SSL-tunnel  Allowed Connection  anonymous             new.egg.com:443
192.168.1.27      443   SSL-tunnel  Allowed Connection  anonymous             new.egg.com:443
217.145.227.180   443   SSL-tunnel  Allowed Connection  ROBINSONS\Ross Smith  new.egg.com:443

And when denied:

Destination IP    Port  Type        Action              User                  Site
192.168.1.27      443   SSL-tunnel  Allowed Connection  anonymous             new.egg.com:443
192.168.1.27      443   SSL-tunnel  Allowed Connection  anonymous             new.egg.com:443
192.168.1.27      443   SSL-tunnel  Allowed Connection  anonymous             new.egg.com:443
192.168.1.27      443   SSL-tunnel  Allowed Connection  anonymous             new.egg.com:443
192.168.1.27      8080  HTTPS       Denied Connection   anonymous
This raises two concerns to me:
1. If ISA cannot use content filtering for HTTPS traffic then why can I create a rule that attempts to do this? How many other clashing features will the management interface allow me to configure, and what other problems could this cause down the line?
2. Why is ISA attempting to use a different rule and prompting for authentication instead of denying access? This goes against my understanding of ISA server 2004's default behaviour.
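The following is an added example, not code from the thread or from ISA Server itself: a simplified Python model of first-match evaluation of an ordered firewall policy, built from the two rules Ross describes plus his workaround rule. Everything in it is an assumption for illustration: the rule names, group names and content types are constructed; the order in which protocol, content type and user set are checked is a modelling choice; and the two key rules of the model are that a rule limited to a user set cannot be decided for an anonymous request (so the proxy challenges for credentials), and that a rule carrying a content-type restriction can never match an SSL tunnel, because the proxy sees no content type inside a CONNECT to port 443. It does not reproduce ISA's real engine and does not explain why a final denial came back as another prompt; it only shows how a content-filtered HTTPS rule falls through and why inserting an unfiltered HTTPS rule made things work.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Simplified model (an assumption for illustration, not ISA's real engine) of
# how an ordered firewall policy is applied to a Web Proxy request:
#   * rules are tried top to bottom; the first rule whose elements all match
#     decides the request;
#   * a rule limited to a user set cannot be evaluated for an anonymous
#     request, so the proxy challenges for credentials first;
#   * a rule that restricts content types can never match an SSL tunnel
#     (a CONNECT to port 443): the content type is inside the encrypted tunnel.


@dataclass(frozen=True)
class Rule:
    name: str
    protocols: FrozenSet[str]                # e.g. {"HTTP", "HTTPS", "FTP"}
    groups: Optional[FrozenSet[str]]         # None = anyone
    content_types: Optional[FrozenSet[str]]  # None = no content restriction


@dataclass(frozen=True)
class Request:
    protocol: str                # "HTTP", "HTTPS" or "FTP"
    ssl_tunnel: bool             # True for CONNECT host:443
    content_type: Optional[str]  # only known for plain HTTP


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]


def evaluate(rules: List[Rule], request: Request,
             user: Optional[User]) -> Tuple[str, Optional[str]]:
    """First-match evaluation: ("allow"|"deny"|"challenge", deciding rule)."""
    for rule in rules:
        if request.protocol not in rule.protocols:
            continue
        if rule.content_types is not None:
            # Content filtering needs a visible content type; an SSL tunnel
            # has none, so a content-restricted rule cannot match it.
            if request.ssl_tunnel or request.content_type not in rule.content_types:
                continue
        if rule.groups is not None:
            if user is None:
                return "challenge", rule.name  # need an identity to decide
            if not (rule.groups & user.groups):
                continue
        return "allow", rule.name
    return "deny", None


def session(rules: List[Rule], request: Request,
            credentials: User) -> List[Tuple[str, str, Optional[str]]]:
    """Simulate a Web Proxy client: try anonymously first and, if the proxy
    challenges, retry with the logged-on user's credentials (what IE does with
    integrated authentication). Returns the trace of (user, decision, rule)."""
    trace = []
    decision, rule = evaluate(rules, request, None)
    trace.append(("anonymous", decision, rule))
    if decision == "challenge":
        decision, rule = evaluate(rules, request, credentials)
        trace.append((credentials.name, decision, rule))
    return trace


# Constructed policy mirroring the two rules described in the post.
IT_RULE = Rule("IT Staff - full outbound access",
               frozenset({"HTTP", "HTTPS", "FTP", "SMTP", "POP3"}),
               frozenset({"IT Staff"}), None)
USERS_RULE = Rule("Users - limited access",
                  frozenset({"HTTP", "HTTPS", "FTP"}),
                  None, frozenset({"text/html", "image/gif", "image/jpeg"}))
# The workaround rule: HTTPS for everyone, no content restriction (constructed).
HTTPS_RULE = Rule("Users - HTTPS, no content filtering",
                  frozenset({"HTTPS"}), None, None)

POLICY_ORIGINAL = [IT_RULE, USERS_RULE]
POLICY_FIXED = [IT_RULE, HTTPS_RULE, USERS_RULE]

# Constructed requests and a non-IT user (the account name from the posted log).
HTTPS_CONNECT = Request("HTTPS", ssl_tunnel=True, content_type=None)
HTTP_GET = Request("HTTP", ssl_tunnel=False, content_type="text/html")
ROSS = User("ROBINSONS\\Ross Smith", frozenset({"Staff"}))

if __name__ == "__main__":
    for label, policy in (("original", POLICY_ORIGINAL), ("fixed", POLICY_FIXED)):
        for req in (HTTP_GET, HTTPS_CONNECT):
            print(label, req.protocol, session(policy, req, ROSS))
```

Under the original policy the HTTP request is challenged by the IT rule, then allowed by the Users rule once credentials arrive, while the HTTPS tunnel is challenged and then denied because the Users rule's content restriction can never be satisfied for a CONNECT. Under the fixed policy the inserted unfiltered HTTPS rule catches the tunnel and the HTTP path is unchanged.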