
Why ISA Allows Anonymous access on User based rules

Why ISA Allows Anonymous access on User based rules - 17.Nov.2006 10:16:09 AM
jstruijk

Posts: 71
Joined: 7.Dec.2005
Status: offline
The following situation.

All Windows XP clients with FW Client, domain members.
ISA 2004 server, domain member, "Require all users to auth" is DISABLED and "Integrated auth" is ENABLED for the Internal network.

#1) Allow HTTPS from Internal to External for "Domain Personnel".
#2) Allow HTTPS from Internal to "HTTPS Allow List" for "Domain Students".

I have the following issue:
Whenever a logged-in Student tries to connect to any HTTPS site, I notice in our logfiles that it first "Allows access" to Anonymous based on rule #1.

This I find strange and not the right way. The client has FW client installed, is logged in, but still it tries to connect using "Anonymous".
But the strangest thing is rule #1 ALLOWS this student access, while based on rule #1 it should BLOCK access.
What's this??
Post #: 1
RE: Why ISA Allows Anonymous access on User based rules - 17.Nov.2006 11:13:42 AM
spouseele

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi jstruijk,

check out Understanding the ISA 2004 Access Rule Processing.

When a client sends a web request, the client can't know in advance that ISA will require authentication. Therefore, the initial request is always sent anonymously.

When this request hits a rule that requires authentication, ISA will return the HTTP response "407 Proxy Authentication Required" and log an entry with the rule requiring the authentication and the error info "12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.".

Then the client will resend the web request, but now with the requested credentials. At that point ISA checks if the user belongs to the allowed User Set. If not, the next rule is evaluated. However, if the user can't authenticate at all, the request is denied.

HTH,
Stefaan

(in reply to jstruijk)
Post #: 2
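The two-pass evaluation Stefaan describes (anonymous request, 407 challenge logged against the first rule that needs a user, then an authenticated retry walked down the rule list) can be modelled in a few lines. The block below is an illustration added for this thread, not ISA Server code: the rule names, user sets and the 407/12209 values come from the posts above, while the 200/403 codes of the model's other log entries and the host names are simplifications chosen here.

```python
"""Model of ISA 2004 access-rule processing for a web request:
anonymous pass first, then (on 407) a pass with credentials.
Added example for this thread; not ISA code.  Rule names and user
sets follow the first post; 200/403 and host names are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

ALL_USERS = "All Users"   # user set that also matches anonymous requests


@dataclass
class Rule:
    name: str
    destinations: Optional[Set[str]]   # None models "External" (any host)
    user_set: str                      # group name, or ALL_USERS


@dataclass
class Request:
    user: Optional[str]                # None = anonymous (no credentials yet)
    host: str
    groups: FrozenSet[str] = frozenset()


@dataclass
class LogEntry:
    rule: str
    user: str
    status: int
    result: str


def _dest_match(rule: Rule, host: str) -> bool:
    return rule.destinations is None or host in rule.destinations


def evaluate(rules: List[Rule], req: Request, log: List[LogEntry]) -> Optional[bool]:
    """One pass over the ordered rule list.
    Returns True (allowed), False (denied) or None (407: credentials needed)."""
    who = req.user or "anonymous"
    for rule in rules:
        if not _dest_match(rule, req.host):
            continue
        if rule.user_set == ALL_USERS:
            log.append(LogEntry(rule.name, who, 200, "Allowed"))
            return True
        if req.user is None:
            # Anonymous request met a rule that needs a user: challenge.
            # The entry is logged against THIS rule, which is what reads
            # as "rule #1 allowed anonymous" when only the rule name is checked.
            log.append(LogEntry(rule.name, who, 407,
                                "12209 The ISA Server requires authorization"))
            return None
        if rule.user_set in req.groups:
            log.append(LogEntry(rule.name, who, 200, "Allowed"))
            return True
        # Authenticated user outside this rule's user set: try the next rule.
    log.append(LogEntry("Default rule", who, 403, "Denied"))
    return False


def web_request(rules: List[Rule], user: str, groups, host: str, credentials_ok: bool = True):
    """Client behaviour: send anonymously, retry with credentials on 407."""
    log: List[LogEntry] = []
    first = evaluate(rules, Request(None, host), log)
    if first is not None:          # allowed or denied without any challenge
        return first, log
    if not credentials_ok:         # user cannot authenticate at all
        log.append(LogEntry("(none)", "anonymous", 407, "Denied: authentication failed"))
        return False, log
    return evaluate(rules, Request(user, host, frozenset(groups)), log), log


# The two rules from the first post, in policy order (hosts are constructed).
RULES = [
    Rule("#1 Allow HTTPS Internal->External (Domain Personnel)", None, "Domain Personnel"),
    Rule("#2 Allow HTTPS Internal->HTTPS Allow List (Domain Students)",
         {"www.allowed.example"}, "Domain Students"),
]

if __name__ == "__main__":
    ok, log = web_request(RULES, "student1", ["Domain Students"], "www.allowed.example")
    for e in log:
        print(f"{e.user:<10} {e.status} {e.rule:<62} {e.result}")
    print("allowed" if ok else "denied")
```

Running it for a student shows the two log lines the original poster sees: an "anonymous" entry with status 407 carrying rule #1's name, followed by the entry that actually decides access (rule #2, or the default rule when the site is not in the allow list).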
RE: Why ISA Allows Anonymous access on User based rules - 20.Nov.2006 2:49:10 AM
jstruijk

Posts: 71
Joined: 7.Dec.2005
Status: offline
I completely understand Rule Processing, that's not the problem. I also know it tries to authenticate anonymously before authenticating with credentials.

What I don't understand is why it GRANTS anonymous access based on a rule that should NOT allow access.
Access should only be allowed to users contained in a specific group, which doesn't contain anonymous.

When processing this rule, first it tries anonymous (as expected); it should deny access with a 407 response and ask for user credentials.
IT DOESN'T, it grants access while it shouldn't.

That's what I don't understand. "Require all users to auth" is DISABLED and "Integrated auth" is ENABLED for the Internal network.

(in reply to spouseele)
Post #: 3
RE: Why ISA Allows Anonymous access on User based rules - 20.Nov.2006 4:50:41 AM
elmajdal

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
check this: Anonymous Using an Authenticated Rule
as it might give you more of an idea about the topic

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to jstruijk)
Post #: 4
RE: Why ISA Allows Anonymous access on User based rules - 20.Nov.2006 6:58:01 AM
jstruijk

Posts: 71
Joined: 7.Dec.2005
Status: offline
Ok, I understand it partially.

I tested a user account who, based on group access, should be denied access.
When accessing URLs that were denied based on user groups, it indeed first tries to access anonymously, but while it should deny access and ask for credentials, access is GRANTED??

Why? Anonymous isn't allowed based on the provided usergroup.

(in reply to jstruijk)
Post #: 5
RE: Why ISA Allows Anonymous access on User based rules - 20.Nov.2006 10:37:34 AM
elmajdal

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
in the above link, I was referring to HTTPS logs: the username will be shown as anonymous.

whereas in your case now, if you are blocking access to a specific website(s) and the user is granted access to this website, then you have something wrong.

more details/snapshots will be helpful.

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to jstruijk)
Post #: 6
RE: Why ISA Allows Anonymous access on User based rules - 20.Nov.2006 11:14:08 AM
jstruijk

Posts: 71
Joined: 7.Dec.2005
Status: offline
I've made a partial snapshot where you can see the affected rule, together with the log entry.



As you can see, I am allowing access to group Personeel.
I logged in to a Windows XP workstation with firewall client installed, with a user that's NOT A MEMBER of AD group "Personeel", named "Gast01". I now understand it will show up as Anonymous as it can not see the username due to encryption.

But as you can see, the user anonymous is allowed access while it should be denied, as "anonymous" or "gast01" are not members of "Personeel".

I hope I've made my point now.

(in reply to jstruijk)
Post #: 7
RE: Why ISA Allows Anonymous access on User based rules - 21.Nov.2006 5:20:22 AM
Guest
Hi jstruijk!
My friend you are missing the picture here.
The reason for this is that you are reading through lines.
Just take a look at the pictures you have posted.
What is allowed there?
From who to who?
The request comes from the client and goes to the ISA Server. The SSL connection is not started from the client. ISA starts the SSL connection for that client. So first ISA must establish an SSL tunnel from the client to itself. It does that (so allowed) and checks for the user with the appropriate rule. If you had posted the complete log you would see that the SSL tunnel is closed because authentication fails, as Stefaan pointed out very clearly:
quote:

When this request hit a rule that requires authentication, ISA will return the HTTP response "407 Proxy Authentication Required" and log an entry with the rule requiring the authentication and the error info "12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.".

If authentication succeeds, then ISA will start the SSL connection to the remote host.
If you look at an established SSL connection log you will see that first the connection is INITIATED (like many other connections), but the connection is initiated between the remote host and ISA.
Take a look yourself at this question with tools for monitoring traffic both on the client and on ISA (internal and external interface).
quote:

as Anonymous as it can not see the username due to encryption.

If so, how can you authenticate?
well, read the documentation available (hit google) if for some reason you cannot do the monitoring yourself, and you will see what's really going on.
ISA is the victim here 'cause you are blaming it for nothing.
From my experience I've learned that although there are many problems (bugs) with different equipment, I must first blame myself and then the equipment.

< Message edited by adrian_dimcev -- 21.Nov.2006 5:27:28 AM >

(in reply to jstruijk)
  Post #: 8
RE: Why ISA Allows Anonymous access on User based rules - 21.Nov.2006 3:25:51 PM
spouseele

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi jstruijk,

what's the HTTP Status Code of that anonymous log entry? I bet it is "407"! So...

Also, if the client is configured as Web Proxy client, then the authentication against the ISA server happens outside the SSL tunnel (HTTP CONNECT method).

BTW --- take a NetMon or Wireshark trace on the ISA internal interface and you should see what is really happening on the wire! The ISA logging is only telling you half of the story.

HTH,
Stefaan

(in reply to Guest)
Post #: 9
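The check Stefaan asks for (what HTTP status the "anonymous" entry actually carries) is easy to apply across a whole log instead of one screenshot. The block below is an example added for this thread, not something from the posters or from ISA Server: it parses a constructed, W3C-style sample log (the `#Fields:` names and every line are made up for the illustration; the rule names "Allow HTTPS Personeel" and "Allow HTTPS Students" are assumptions following the thread's group name), flags each anonymous entry as an expected 407 challenge, a genuine anomaly (anonymous served with 200 by a user-based rule), or an ordinary allow by a rule open to all users, and pairs each 407 with the authenticated retry that decided the request.

```python
"""Review "anonymous" entries in a proxy log by their HTTP status.
Added example for this thread; the log lines are constructed, loosely
laid out like an ISA W3C web-proxy log, and the rule names are assumed."""
from typing import Dict, List, Set, Tuple

# Rules whose user set is a group rather than "All Users" (assumed names).
USER_BASED_RULES: Set[str] = {"Allow HTTPS Personeel", "Allow HTTPS Students"}

# Constructed sample: one student session to an allowed site, one real
# misconfiguration on 10.0.0.22, and one student session that is denied.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri sc-status rule
2006-11-20 10:31:02 10.0.0.15 anonymous CONNECT www.allowed.example:443 407 Allow HTTPS Personeel
2006-11-20 10:31:02 10.0.0.15 DOMAIN\\gast01 CONNECT www.allowed.example:443 200 Allow HTTPS Students
2006-11-20 10:31:40 10.0.0.22 anonymous CONNECT www.bank.example:443 200 Allow HTTPS Personeel
2006-11-20 10:32:05 10.0.0.15 anonymous CONNECT www.bank.example:443 407 Allow HTTPS Personeel
2006-11-20 10:32:05 10.0.0.15 DOMAIN\\gast01 CONNECT www.bank.example:443 403 Default rule
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Minimal W3C-style parser: '#Fields:' names the columns.  The last
    column (rule name) may contain spaces, so split at most len-1 times."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split(None, len(fields) - 1)
            rows.append(dict(zip(fields, parts)))
    return rows


def classify_anonymous(rows: List[Dict[str, str]], user_rules: Set[str]) -> List[Tuple[int, str]]:
    """Verdict for every anonymous entry, keyed by row index."""
    out: List[Tuple[int, str]] = []
    for i, r in enumerate(rows):
        if r["cs-username"].lower() != "anonymous":
            continue
        status = int(r["sc-status"])
        if status == 407:
            out.append((i, "expected"))   # challenge logged against the rule that needs a user
        elif r["rule"] in user_rules:
            out.append((i, "anomaly"))    # anonymous really served by a user-based rule
        else:
            out.append((i, "ok"))         # served by a rule open to All Users
    return out


def find_retry(rows: List[Dict[str, str]], idx: int) -> int:
    """Index of the authenticated retry following the 407 at rows[idx]:
    same client, same URI, a real username.  Returns -1 if none was logged."""
    r = rows[idx]
    for j in range(idx + 1, len(rows)):
        s = rows[j]
        if (s["c-ip"] == r["c-ip"] and s["cs-uri"] == r["cs-uri"]
                and s["cs-username"].lower() != "anonymous"):
            return j
    return -1


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    for i, verdict in classify_anonymous(rows, USER_BASED_RULES):
        r = rows[i]
        line = f"{verdict:<8} {r['c-ip']} {r['cs-uri']} {r['sc-status']} [{r['rule']}]"
        if verdict == "expected":
            j = find_retry(rows, i)
            line += (f"  -> decided by [{rows[j]['rule']}] with {rows[j]['sc-status']}"
                     if j >= 0 else "  -> no authenticated retry logged")
        print(line)
```

On the sample, the two "anonymous" lines on 10.0.0.15 are plain 407 challenges, each followed by the entry that really decided access (one 200 from the students' rule, one 403 from the default rule); only the 200 for anonymous on 10.0.0.22 is a finding worth chasing in a packet capture.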
