Welcome to ISAserver.org


Web proxy and authentication

Web proxy and authentication - 17.Dec.2005 2:00:20 AM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
We are working with Surfcontrol here. We currently like it.
One of the features that we really want is the ability for name resolution.

To do this, Surfcontrol has a KB article where you go to your networks tab --> right click your internal network --> click the web proxy tab --> click the authentication tab --> and put a check in the "Require all users to authenticate".

Simple enough right?

Well the problem is, for whatever reason on random computers, they open up IE and a dialog box opens up asking for username, password and domain. This happens to some clients, and not to others.

Why is this happening and how can I fix it?

For now, I've had to clear the checkmark to get things working.

thecoffeeguy
Post #: 1
RE: Web proxy and authentication - 17.Dec.2005 3:09:02 AM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
I'm guessing that you have these clients enabled for web proxy auto-discovery. This prompt is because ISA challenges the user for credentials for WPAD - this challenge is a 401 which IE will not autosupply credentials for (unless the server is in its Trusted Site Zone). IE will autosupply creds for a 407 Proxy Auth Required which is what ISA normally returns when a client tries to access an external URL.

You can configure ISA to not challenge the user for credentials for WPAD with the registry key SkipAuthenticationForRoutingInformation.

(in reply to thecoffeeguy)
Post #: 2
RE: Web proxy and authentication - 17.Dec.2005 8:56:24 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
Thanks ClintD, I'll take a look at this.

Does it matter or not if you are using the Firewall client piece? I am currently not using it and most of my users' workstations are Windows 2000.

Lastly, by doing the registry edit, does it still allow authentication to work (for Surfcontrol really; that is how we can get username resolutions in logs and such)?

One other thing: you mentioned something about putting a server in a trusted site zone. Is that the ISA Server itself, or web server on the internet?

Thanks for the help.

thecoffeeguy

(in reply to ClintD)
Post #: 3
RE: Web proxy and authentication - 18.Dec.2005 2:07:46 AM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
If you put the ISA Server in the Trusted Zone (or Intranet Zone) it should auto-supply credentials for this file. You're most likely getting the prompt when clients send the GET for this file. Once the URL is external, then ISA will send a 407 Proxy Auth Required to the client, which IE will auto-supply credentials for.

This issue affects both Web proxy and Firewall Clients (the article implies it's only Firewall Clients that are affected) as the ISA doesn't differentiate between external requests and WPAD requests and forces authentication for both - this registry key tells ISA that only this component - WPAD - can be retrieved anonymously.

(in reply to thecoffeeguy)
Post #: 4
RE: Web proxy and authentication - 18.Dec.2005 5:40:41 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
quote:

ORIGINAL: ClintD

If you put the ISA Server in the Trusted Zone (or Intranet Zone) it should auto-supply credentials for this file. You're most likely getting the prompt when clients send the GET for this file. Once the URL is external, then ISA will send a 407 Proxy Auth Required to the client, which IE will auto-supply credentials for.

This issue affects both Web proxy and Firewall Clients (the article implies it's only Firewall Clients that are affected) as the ISA doesn't differentiate between external requests and WPAD requests and forces authentication for both - this registry key tells ISA that only this component - WPAD - can be retrieved anonymously.


Thanks ClintD for the help. I do appreciate it.

Since name resolution is critical for us and our ability to use SurfControl, I will try putting the ISA Server into the trusted zone in IE (just put the FQDN for the ISA box? like isasrf04.mydomain.com?).

To sum up, are you saying the registry hack will not prompt the box to pop up, but at the same time, might affect the inability to get name resolutions? Sorry, my brain has been worked pretty good this weekend.

thecoffeeguy

(in reply to ClintD)
Post #: 5
RE: Web proxy and authentication - 18.Dec.2005 5:51:02 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
The reg mod will not affect authentication for any access other than wpad/wspad on localhost.  It takes less than a minute to do and is fully reversible.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to thecoffeeguy)
Post #: 6
RE: Web proxy and authentication - 19.Dec.2005 6:56:49 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
quote:

ORIGINAL: LLigetfa

The reg mod will not affect authentication for any access other than wpad/wspad on localhost.  It takes less than a minute to do and is fully reversible.


I'm going to give the registry mod a spin today, in hopes it solves that problem.

A few things I've noticed this morning, with authentication and the WPAD stuff.

1.) Still get a lot of lag when IE tries to autodetect when IE is first launched.

2.) If I put a check in the 'require all users to authenticate' in the web proxy settings on ISA, and I don't have the autodetect checked in IE, they get no outbound access at all. I'm assuming this is correct.

3.) Lastly, something odd here, but when I test on a few machines, set up the authentication and check the 'auto detect', for whatever reasons, if I try to go to an intranet website, it gets denied by ISA. It does this on some machines, and not others. It is baffling.


So my goals:

1. Get authentication portion working, so I can get name resolution in my logs for 'SurfControl'.
2. Get the darned auto detect to not delay for so friggin long.

Any other info or advice anyone has?

thanks.

thecoffeeguy

(in reply to LLigetfa)
Post #: 7
RE: Web proxy and authentication - 19.Dec.2005 7:59:40 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
The autodetect lag via WPAD will only go away if you apply the hotfix mentioned elsewhere.  This is the issue that Stefaan opened an incident on and AFAIK the fix is only for XP/SP2.

The workaround is not to set IE to autodetect but to set FWC to autodetect and then have it push the routing script instead.

I would never set 'require all users to authenticate' on the network rule and prefer to do it per-rule instead.

Sounds like you still have some exclusions to set in ISA to have local destinations go *direct*.  These you will find on various tabs of internal network properties.  You may need to better manage your zones through GPO and possibly your DNS suffix.


(in reply to thecoffeeguy)
Post #: 8
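
The routing script that WPAD hands to clients is a JavaScript PAC file, and the "local destinations go direct" exclusions discussed above end up as rules in it. A hand-written equivalent, as an added example that is not part of the thread and not the script ISA generates; the proxy port 8080, the mydomain.com suffix and the 10.0.0.0/8 range are assumptions:

```javascript
// Added example PAC script. In a real wpad.dat, delete the helper functions
// below: the browser supplies them. They exist so this also runs under Node.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function ipToInt(ip) {
  var p = ip.split(".").map(Number);
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}
function isInNet(host, net, mask) {
  // Stand-in handles IP literals only; the browser version also resolves names.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  var m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// Assumed values: proxy listener port, internal DNS suffix, internal range.
var PROXY = "PROXY isasrf04.mydomain.com:8080";
var INTERNAL_SUFFIX = ".mydomain.com"; // the leading dot is deliberate

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names such as http://intranet/ are local.
  if (isPlainHostName(host)) return "DIRECT";
  // Internal suffix goes direct on every port, so https://apps.mydomain.com:8443/
  // is not looped back through the proxy. Matching ".mydomain.com" rather than
  // "mydomain.com" keeps notmydomain.com behind the proxy and its filter.
  if (host === INTERNAL_SUFFIX.substring(1) || dnsDomainIs(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }
  // Internal servers addressed by IP literal, plus loopback.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else goes to the proxy, where authentication and filtering apply.
  return PROXY;
}

// Constructed sample requests (Node only): [url, host as the browser passes it].
var samples = [
  ["http://intranet/", "intranet"],
  ["https://apps.mydomain.com:8443/", "apps.mydomain.com"],
  ["http://notmydomain.com/", "notmydomain.com"],
  ["http://www.example.org/", "www.example.org"]
];
samples.forEach(function (s) { console.log(s[0], "->", FindProxyForURL(s[0], s[1])); });
```

Every `DIRECT` rule is also a path around the proxy's authentication and URL filtering, so the exclusion list is worth keeping as narrow as the internal namespace allows.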
RE: Web proxy and authentication - 19.Dec.2005 8:09:38 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
quote:

ORIGINAL: LLigetfa

The autodetect lag via WPAD will only go away if you apply the hotfix mentioned elsewhere.  This is the issue that Stefaan opened an incident on and AFAIK the fix is only for XP/SP2.


See, this is what is very odd. I have some users on Windows 2000 Pro, with autodetect checked and there is zero lag. As soon as they launch IE, they are set. Then I have other users who, when I check 'autodetect', get the lag. It is very inconsistent and hard to figure out why one is working and why the other one is not working.

quote:


The workaround is not to set IE to autodetect but to set FWC to autodetect and then have it push the routing script instead.


I haven't rolled out the FWC yet. Partly because I have a test environment up with a few PC's and the FWC installed. I'm still working out the bugs (such as accessing internal web sites and accessing websites on ports other than 80 and 443, that are giving me fits.)

quote:


I would never set 'require all users to authenticate' on the network rule and prefer to do it per-rule instead.


You're speaking in ISA --> Firewall Policy --> rule --> users tab?
Never thought of that. I wonder if that will still work for Surfcontrol and get name resolution working properly.
Wouldn't happen to know by chance would you? :)

quote:


Sounds like you still have some exclusions to set in ISA to have local destinations go *direct*.  These you will find on various tabs of internal network properties.  You may need to better manage your zones through GPO and possibly your DNS suffix.


Yes. I need to roll out a few GPO's with IE settings. I think for the most part, I can get the internal web site issue fixed. The one that is giving me problems is accessing SSL web sites on a different port, other than 443.

I appreciate it.

thecoffeeguy

(in reply to LLigetfa)
Post #: 9
RE: Web proxy and authentication - 19.Dec.2005 8:29:02 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Do you also have DNS WPAD?  Might explain why YMMV.

Sorry, don't know SurfControl.  Should be an easy test.

Look around for SSL tunnel port extender scripts.


(in reply to thecoffeeguy)
Post #: 10
RE: Web proxy and authentication - 19.Dec.2005 8:33:05 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
quote:

ORIGINAL: LLigetfa

Do you also have DNS WPAD?  Might explain why YMMV.


Yep. I created a CNAME for my ISA server.

In fact, I deleted the WPAD portion for DHCP after reading Tom's blog on DHCP versus DNS WPAD.

quote:


Look around for SSL tunnel port extender scripts.


Just found it. I am going to use it.

Something is bugging me though. In reading Tom's book on ISA Server 2004, it was pretty specific in preventing people from looping through the ISA Server when clients make requests to local, intranet websites. Can that be the case too if it goes through different ports, on SSL?

Thanks,

thecoffeeguy

(in reply to LLigetfa)
Post #: 11
RE: Web proxy and authentication - 22.Dec.2005 6:45:29 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
Follow up here:

Here is what I did to resolve the situation.

Basically, I used DNS instead of DHCP.

First thing I did was 'uncheck' the autodetect proxy settings.

Then, via a GPO, I set IE with the proxy server address (box below autodetect) and specified the ISA server by name. I proceeded to use advanced as needed and told IE to bypass the proxy for local addresses.

Since I have done that, I get "zero" lag when my users fire up IE while at the same time, they are all pointing to my proxy server allowing SurfControl to do its job.

On a side note, every time I had a check in 'autodetect', I got the lag.
Moral of the story: Ditch DHCP and use DNS!

cheers,

thecoffeeguy

(in reply to thecoffeeguy)
Post #: 12
RE: Web proxy and authentication - 22.Dec.2005 8:15:47 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi thecoffeeguy,

Didn't you read my article http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.html and related topic http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=35;t=000166 ?

HTH,
Stefaan

(in reply to thecoffeeguy)
Post #: 13
