Why ISA Allows Anonymous access on User-based rules
Why ISA Allows Anonymous access on User-based rules - 17.Nov.2006 10:16:09 AM
jstruijk
Posts: 44
Joined: 7.Dec.2005
Status: offline
The following situation: all Windows XP clients with FW Client, domain members. ISA 2004 server, domain member, "Require all users to auth" is DISABLED and "Integrated auth" is ENABLED for the Internal network. #1) Allow HTTPS from Internal to External for "Domain Personnel". #2) Allow HTTPS from Internal to "HTTPS Allow List" for "Domain Students". I have the following issue: whenever a logged-in Student tries to connect to any HTTPS site, I notice in our logfiles that it first "Allows access" to Anonymous based on rule #1. This I find strange, and not the right way. The client has FW client installed, is logged in, but still it tries to connect using "Anonymous". But the strangest thing is that rule #1 ALLOWS this student access, while based on rule #1 it should BLOCK access. What's this??
RE: Why ISA Allows Anonymous access on User-based rules - 17.Nov.2006 11:13:42 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi jstruijk, check out Understanding the ISA 2004 Access Rule Processing. When a client sends a web request, the client can't know in advance that ISA will require authentication. Therefore, the initial request is always sent anonymously. When this request hits a rule that requires authentication, ISA will return the HTTP response "407 Proxy Authentication Required" and log an entry with the rule requiring the authentication and the error info "12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.". Then the client will resend the web request, but now with the requested credentials. At that point ISA checks if the user belongs to the allowed User Set. If not, the next rule is evaluated. However, if the user can't authenticate at all, the request is denied. HTH, Stefaan
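The sequence Stefaan describes (anonymous first request, 407 with error 12209 logged against the user-based rule, retry with credentials, then walking the rule list by user set) can be modelled in a few dozen lines. The script below is an added example written for this thread, not ISA Server code: the two rules follow the original post, but the rule names, the users "alice" and "bob", their groups and passwords, the host names, and the use of 403 to stand for "denied" are all constructed for illustration. Status 407 and error 12209 are the values named in the post.

```python
"""Model of ISA 2004 web-proxy access-rule processing as described in the post.

Added example for this thread, not ISA Server code.  Rule names, users,
groups, passwords and host names are constructed; 403 stands in for "denied".
"""

from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ERR_AUTH_REQUIRED = 12209  # "The ISA Server requires authorization to fulfill the request."

# Constructed stand-ins for the domain: user -> groups, and user -> password.
GROUPS = {"alice": {"Domain Personnel"}, "bob": {"Domain Students"}}
PASSWORDS = {"alice": "pw-alice", "bob": "pw-bob"}


@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    destinations: Optional[Set[str]]  # None = any External host
    users: Optional[Set[str]]         # None = All Users (anonymous accepted)


@dataclass
class Request:
    host: str
    credentials: Optional[Tuple[str, str]] = None  # None = anonymous first try


@dataclass
class Response:
    status: int     # 200 allowed, 407 credentials requested, 403 denied
    rule: str       # rule the log entry is written against
    user: str       # user name as it would appear in the log
    error: int = 0  # ISA error code logged with the entry


# The poster's two HTTPS rules, in order.  Rule #1 has no destination limit,
# so it is the first rule every HTTPS request hits, anonymous or not.
RULES = [
    Rule("#1 Allow HTTPS Personnel", "allow", None, {"Domain Personnel"}),
    Rule("#2 Allow HTTPS Students", "allow",
         {"www.example.edu", "library.example.edu"}, {"Domain Students"}),
]


def authenticate(credentials: Optional[Tuple[str, str]]) -> Optional[str]:
    """Return the user name if the credentials validate, else None."""
    if credentials is None:
        return None
    user, password = credentials
    return user if PASSWORDS.get(user) == password else None


def evaluate(req: Request, rules: List[Rule] = RULES) -> Response:
    """Walk the ordered rule list the way the post describes."""
    user = authenticate(req.credentials)
    for rule in rules:
        if rule.destinations is not None and req.host not in rule.destinations:
            continue                   # destination does not match; next rule
        if rule.users is None:         # All Users: anonymous is enough
            return Response(200 if rule.action == "allow" else 403,
                            rule.name, user or "anonymous")
        if req.credentials is None:
            # Anonymous request hits a user-based rule: the user set cannot be
            # evaluated yet, so ISA asks for credentials and logs 12209 against
            # the rule that demanded them.  This is the "anonymous" log line.
            return Response(407, rule.name, "anonymous", ERR_AUTH_REQUIRED)
        if user is None:
            # Credentials were sent but do not validate: denied outright.
            return Response(403, rule.name, req.credentials[0], ERR_AUTH_REQUIRED)
        if GROUPS.get(user, set()) & rule.users:
            return Response(200 if rule.action == "allow" else 403, rule.name, user)
        # Authenticated user is not in this rule's user set: fall through.
    return Response(403, "Default rule", user or "anonymous")


def client_fetch(host: str, credentials: Tuple[str, str]) -> List[Response]:
    """Client behaviour: send anonymously, resend with credentials on 407."""
    exchange = [evaluate(Request(host))]
    if exchange[-1].status == 407:
        exchange.append(evaluate(Request(host, credentials)))
    return exchange


if __name__ == "__main__":
    cases = [("personnel, any site", ("alice", "pw-alice"), "www.bank.example"),
             ("student, listed site", ("bob", "pw-bob"), "library.example.edu"),
             ("student, unlisted site", ("bob", "pw-bob"), "www.bank.example"),
             ("student, bad password", ("bob", "wrong"), "library.example.edu")]
    for label, creds, host in cases:
        print(label)
        for r in client_fetch(host, creds):
            print(f"  {r.status} rule={r.rule!r} user={r.user} error={r.error or '-'}")
```

Run it and every session starts with a 407 logged against rule #1 for user "anonymous", which is the entry the original post reads as an allow. Only the second entry of each pair tells you whether the student was actually let through (rule #2 for a listed site, the default rule otherwise).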
RE: Why ISA Allows Anonymous access on User-based rules - 20.Nov.2006 2:49:10 AM
jstruijk
Posts: 44
Joined: 7.Dec.2005
Status: offline
I completely understand Rule Processing, that's not the problem. I also know it tries to authenticate anonymously before authenticating with credentials. What I don't understand is why it GRANTS anonymous access based on a rule that should NOT allow access. Access should only be allowed to users contained in a specific group, which doesn't contain anonymous. When processing this rule, first it tries anonymous (as expected); it should deny access with a 407 response and ask for user credentials. IT DOESN'T, it grants access while it shouldn't. That's what I don't understand. "Require all users to auth" is DISABLED and "Integrated auth" is ENABLED for the Internal network.
RE: Why ISA Allows Anonymous access on User-based rules - 20.Nov.2006 6:58:01 AM
jstruijk
Posts: 44
Joined: 7.Dec.2005
Status: offline
Ok, I understand it partially. I tested a user account who, based on group access, should be denied access. When accessing URLs that were denied based on user groups, it indeed first tries to access anonymously, but while it should deny access and ask for credentials, access is GRANTED?? Why? Anonymous isn't allowed based on the provided user group.
RE: Why ISA Allows Anonymous access on User-based rules - 20.Nov.2006 10:37:34 AM
elmajdal
Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
In the above link, I was referring to HTTPS logs; the username will be shown as anonymous. Whereas in your case now, if you are blocking access to a specific website/s and the user is granted access to this website, then you have something wrong. More details/snapshots will be helpful.
_____________________________
Tarek Majdalani, MS Forefront Edge Security MVP. Website: http://www.elmajdal.net/ISAServer New Section: http://www.elmajdal.net/Win2k8
RE: Why ISA Allows Anonymous access on User-based rules - 21.Nov.2006 5:20:22 AM
Guest
Hi jstruijk! My friend, you are missing the picture here. The reason for this is that you are reading through the lines. Just take a look at the pictures you have posted. What is allowed there? From whom to whom? The request comes from the client and goes to the ISA Server. The SSL connection is not started from the client. ISA starts the SSL connection for that client. So first ISA must establish an SSL tunnel from the client to itself. It does that (so allowed) and checks for the user with the appropriate rule. If you had posted the complete log you would see that the SSL tunnel is closed because authentication fails, as Stefaan pointed out very clearly:

quote:
When this request hits a rule that requires authentication, ISA will return the HTTP response "407 Proxy Authentication Required" and log an entry with the rule requiring the authentication and the error info "12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.".

If authentication succeeds, then ISA will start the SSL connection to the remote host. If you look at an established SSL connection log you will see that first the connection is INITIATED (like many other connections), but the connection is initiated between the remote host and ISA. Take a look yourself at this question with tools for monitoring traffic both on the client and on ISA (internal and external interface).

quote:
as Anonymous as it can not see the username due to encryption.

If so, how can you authenticate? Well, read the documentation available (hit Google) if for some reason you cannot do the monitoring yourself, and you will see what's really going on. ISA is the victim here 'cause you are blaming it for nothing. From my experience I've learned that although there are many problems (bugs) with different equipment, I must first blame myself and then the equipment.
< Message edited by adrian_dimcev -- 21.Nov.2006 5:27:28 AM >