
Welcome to ISAserver.org


Windows Authentication Problems

Windows Authentication Problems - 10.Jul.2006 10:58:11 PM   
jleighton84

 

Posts: 7
Joined: 10.Jul.2006
Status: offline
Let me just preface by saying I am fairly new to ISA in general.  I've been doing windows administration for 5 years, but ISA is new territory for me.  I have looked through these forums and pretty much all over, but have not found an answer that specifically addresses my problem.  So here it is:

I'm running ISA 2004 with a single NIC.  I set it up according to the TechNet article outlining a single-NIC install.  Proxy works well and most of my rules for web and content blocking work just fine.  The exception here is any rule that I am relying on user groups for the condition.  I am trying to add an access rule that will allow specific users to send/receive IM traffic.  I have a rule set up to ALLOW all IM protocols from Internal and Local Host to Internal that are a member of this group.  When I look at the firewall logs, it shows the request as coming from Anonymous.  Am I missing something when it comes to passing the integrated Windows authentication to ISA?  I should also mention that I am not using the Firewall client.  Is this an absolute must?  Or can the authentication be sent without it?

Thanks!
Post #: 1
RE: Windows Authentication Problems - 11.Jul.2006 5:26:30 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi J,

Why single NIC? That's what we call "hork mode" around here. That's why you see little guidance on this site for that config.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jleighton84)
Post #: 2
RE: Windows Authentication Problems - 11.Jul.2006 5:51:34 PM   
jleighton84

 

Posts: 7
Joined: 10.Jul.2006
Status: offline
We are using single NIC because this is mainly used for proxy services and content control.  We use a Cisco PIX solution for our perimeter security.

(in reply to jleighton84)
Post #: 3
RE: Windows Authentication Problems - 12.Jul.2006 5:00:04 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi J,

The ISA firewall should be fully configured in firewall mode. You can put it behind the PIX, or better, in parallel. The ISA firewall provides a significantly higher level of stateful packet inspection and application layer inspection than the PIX, so using it in "hork mode" does your company a real disservice.

You also have a very limited support for protocols in hork mode, as you're finding out.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jleighton84)
Post #: 4
RE: Windows Authentication Problems - 12.Jul.2006 8:38:53 PM   
jleighton84

 

Posts: 7
Joined: 10.Jul.2006
Status: offline
So is that to say that it is impossible to have Windows integrated authentication work with my current configuration?  Also, is it advisable/possible to run it with 2 adapters considering the configuration of my current infrastructure (PIX on perimeter and ISA acting as a "second layer")?  Honestly if I can manage to use this as a proxy for restricting and monitoring content, blocking certain content types, blocking IM traffic, blocking streaming content, etc. then I'd be happy (assuming I can successfully use integrated security for my rule conditions).

Thanks!

(in reply to jleighton84)
Post #: 5
RE: Windows Authentication Problems - 13.Jul.2006 3:02:04 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi J,

Check out:

http://www.isaserver.org/tutorials/2004isapixdmz.html

and

http://www.isaserver.org/tutorials/Creating-Parallel-ISA-Firewall-Configuration-Netscreen-DMZ.html

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jleighton84)
Post #: 6
RE: Windows Authentication Problems - 13.Jul.2006 3:47:18 PM   
jleighton84

 

Posts: 7
Joined: 10.Jul.2006
Status: offline
I appreciate you sending those links and will definitely take that info into consideration during my testing and for implementation.  However, I think that maybe I haven't communicated my immediate problem and frustration clearly enough.  Right now what I am struggling with is getting ISA to recognize who is sending the traffic.  For instance, when I put an access rule in place to block IM traffic, I also placed another rule to allow administrators to be able to do this (the allow rule is after the deny rule in top-down order).  When I apply changes and attempt to log in to an IM client (with an account that is a member of the group in the conditions portion of the rule), I am still denied, and the ISA logs show that it came from an anonymous user instead of my user account.  I don't understand why this is, as I am using integrated authentication.

Thanks,

Josh

(in reply to tshinder)
Post #: 7
RE: Windows Authentication Problems - 14.Jul.2006 5:18:43 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Josh,

That's the point. Until you fully deploy the ISA firewall you won't have control over IM protocols, and you won't be able to deploy the Firewall client for transparent authentication for the protocols. "Hork Mode" (single NIC) is HTTP only.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jleighton84)
Post #: 8
RE: Windows Authentication Problems - 14.Jul.2006 5:36:24 PM   
jleighton84

 

Posts: 7
Joined: 10.Jul.2006
Status: offline
Well, thus far in "hork" (what's the meaning behind that anyhow?) mode, I have been able to block IM traffic.  The only problem I have come across is adding other rules allowing it for specific user groups.  Also, am I correct in taking from your last post that ISA will only see which user the traffic is coming from if the client machine is running the Windows firewall client?  Otherwise it will always see it as anonymous?  If so, it sounds like the Windows firewall client is my missing piece of the puzzle, right?

I understand what you're saying about "hork" mode being HTTP only (I would assume that this at least reserves proxy functionality for those who only intend to use it for that), but shouldn't it still see the authentication properly in order to fully use the access rules to control access to url sets and networks based on user groups if desired?

Thanks

(in reply to tshinder)
Post #: 9
RE: Windows Authentication Problems - 15.Jul.2006 7:33:11 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi J,

http://www.urbandictionary.com/define.php?term=Hork&defid=202266

Definition #5 and #9

HTH,
Tom

< Message edited by tshinder -- 15.Jul.2006 7:34:17 PM >


_____________________________

Thomas W Shinder, M.D.

(in reply to jleighton84)
Post #: 10
RE: Windows Authentication Problems - 19.Jul.2006 11:11:08 PM   
jleighton84

 

Posts: 7
Joined: 10.Jul.2006
Status: offline
Well.... thanks for the link I guess.  Can you offer any help for the rest of my last post??

(in reply to tshinder)
Post #: 11
RE: Windows Authentication Problems - 20.Jul.2006 4:21:14 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi J,

Hork mode doesn't support the Firewall client, and only supports HTTP. Since IM'ers use many different protocols, you won't get integrated authentication except for Web proxy clients.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jleighton84)
Post #: 12
RE: Windows Authentication Problems - 20.Jul.2006 4:53:27 PM   
jleighton84

 

Posts: 7
Joined: 10.Jul.2006
Status: offline
Ok.  Well, my traffic is showing up as anonymous when I'm using it as a web proxy as well.  It seems like integrated authentication is not working at all.  Is there something else I may be missing besides the mode I'm running it in for right now?

Thanks

(in reply to tshinder)
Post #: 13
