Welcome to ISAserver.org
VPN Clients cannot authenticate to Web Proxies
VPN Clients cannot authenticate to Web Proxies - 27.Jul.2007 10:04:09 AM
Arild
Posts: 8
Joined: 27.Jul.2007
From: Norway
Status: offline
Hi. We have an ISA Server 2006 EE environment with both VPN servers and Web Proxies. The VPN Servers are in one array, and the Web Proxies in another. Both VPN- and Web Proxies are members in the same domain. This is also the domain for the VPN clients. We are using Windows groups in the rules on the Web Proxies to allow different Internet access for different users. This means that the clients must be authenticated on the Proxy servers, and we use integrated windows authentication in IE for this.

This works fine as long as the clients are connected to the internal network. If they connect via VPN it doesn't work at all. When they try to access the Internet, they receive a logon box from the Proxy Server. OK, integrated windows authentication doesn't work. So they try to logon manually through this logon box. Does it work? NO! It is completely impossible to authenticate to the Proxy servers when connected through VPN!

I have monitored the traffic on the client side and on the proxies, and found the following: The authentication sequence is exactly the same when connected through VPN, as when connected to the internal network. The proxy servers challenge the clients to authenticate, and the clients respond correctly. The problem is that the authentication information from the clients never reaches the proxy servers when they are connected through VPN. It seems like the VPN servers for some reason filter this information away, before passing the rest to the proxies. The only rule implemented on the VPN Array is one that says "allow all protocols from VPN Clients to Internal".

Does anyone have a solution for this problem? Proxy rules that give "All Users" access are not an option. Thanks.
RE: VPN Clients cannot authenticate to Web Proxies - 7.Aug.2007 5:59:04 AM
IanC
Posts: 237
Joined: 11.Jul.2007
From: UK
Status: offline
This works fine in my environment. We have VPN and Proxy arrays in the same domain. They are both connected to the same back-end subnet (contains the DCs and users) but different front-end segments. The Web proxy authentication method is integrated. Our VPN clients can connect to the internet no problem and are not even presented with a user credentials dialog box.
RE: VPN Clients cannot authenticate to Web Proxies - 8.Aug.2007 5:07:30 AM
Arild
Posts: 8
Joined: 27.Jul.2007
From: Norway
Status: offline
quote:
ORIGINAL: IanC
This works fine in my environment. We have VPN and Proxy arrays in the same domain. They are both connected to the same back-end subnet (contains the DCs and users) but different front-end segments. The Web proxy authentication method is integrated. Our VPN clients can connect to the internet no problem and are not even presented with a user credentials dialog box.

This was interesting IanC. It seems like our environment is similar to yours. Are you 100% sure that the access rules on the web proxies that give VPN clients Internet access are restricted to specific Windows groups and not giving "All users" access? If you monitor the VPN clients' (or servers') sessions on the web proxies - do you see their usernames, or do they appear as anonymous?

I opened a MS Support case on this one last week, but so far our problem is not solved. Thanks.
< Message edited by Arild -- 8.Aug.2007 5:09:02 AM >
RE: VPN Clients cannot authenticate to Web Proxies - 10.Aug.2007 9:28:53 AM
IanC
Posts: 237
Joined: 11.Jul.2007
From: UK
Status: offline
Hi, I've checked everything again. The access rule on the proxy array is definitely configured to allow a domain global group to which our VPN users belong. In the log, we first get a connection attempt to port 8080 by anonymous denied as expected. Then another attempt to 8080 is initiated and access from our VPN client IP address to the external Web site on TCP port 80 is allowed. The username listed is Domain\VPNUser. On the sessions tab, Domain\VPNUser is listed as a Web Proxy type.

I have tried numerous things to try and replicate your issue but without success. I am sure you will have checked the usual things such as making sure that "Require all users to authenticate" is not selected on the Web proxy tab.

Sorry I couldn't be more help. Let me know if you need me to check anything else.

Ian Currie
RE: VPN Clients cannot authenticate to Web Proxies - 10.Aug.2007 9:57:59 AM
pbbailey
Posts: 2
Joined: 5.Jun.2007
Status: offline
Check the VPN array to see if the HTTP filter is applied to the VPN users' port 80 and 8080 traffic. I ran into this recently and it does prevent the successful logon in what appears to be the exact same scenario. Basically, the filter masks the client's true IP address. Instead of getting the client's true IP address, the logon request appears to come from the internal interface of the VPN array member.

You can disable the filter at the VPN array level by creating a new protocol (I named mine HTTP - No filter) and assigning it port 80 and 8080. On your "allow VPN client access rule", deny the default HTTP protocols and in a separate rule, allow your new HTTP-No filter protocol. You should find that your logons start working.
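
An added example, not part of the thread and not any poster's code: a Python script that compares one request as captured at the VPN client with the same request as captured at the Web Proxy, reporting the two symptoms described above (the Proxy-Authorization header missing on arrival, and the source address replaced by the VPN array member's internal interface). It assumes NTLM as the integrated authentication scheme; the function names, addresses and captures are constructed for illustration.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def make_token(msg_type):
    """Constructed NTLM token: signature + message type + zero padding (not a real handshake)."""
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", msg_type) + b"\x00" * 20).decode()

def parse_request(raw):
    """Split a raw HTTP request into (request line, {lower-cased header name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def ntlm_stage(header_value):
    """Name the NTLM message in a Proxy-Authorization value, or None if there is none."""
    scheme, _, token = (header_value or "").partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return None
    if len(blob) < 12 or blob[:8] != b"NTLMSSP\x00":
        return None
    return NTLM_TYPES.get(struct.unpack("<I", blob[8:12])[0], "UNKNOWN")

def compare_hops(sent, received):
    """Compare one request as the client sent it with the same request as the proxy received it."""
    line_c, hdr_c = parse_request(sent["raw"])
    line_p, hdr_p = parse_request(received["raw"])
    if line_c != line_p:
        raise ValueError("captures do not describe the same request")
    return {
        "client_stage": ntlm_stage(hdr_c.get("proxy-authorization")),
        "proxy_stage": ntlm_stage(hdr_p.get("proxy-authorization")),
        "auth_header_dropped": "proxy-authorization" in hdr_c and "proxy-authorization" not in hdr_p,
        "source_rewritten": sent["src_ip"] != received["src_ip"],
    }

# Constructed captures: VPN client 10.10.0.25, VPN array internal interface 10.0.0.5.
REQ = "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
CLIENT_SIDE = {"src_ip": "10.10.0.25", "raw": REQ + "Proxy-Authorization: NTLM " + make_token(3) + "\r\n\r\n"}
PROXY_SIDE = {"src_ip": "10.0.0.5", "raw": REQ + "\r\n"}
print(compare_hops(CLIENT_SIDE, PROXY_SIDE))
```

A result with `auth_header_dropped` or `source_rewritten` set to true points at a device between the client and the proxy handling the HTTP traffic itself, which is the place to look before changing anything on the proxy array.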