Welcome to ISAserver.org
authentication prompts on single NIC
authentication prompts on single NIC - 19.Sep.2008 1:20:28 AM
adgroup
Posts: 130
Joined: 11.May2006
Hi,

I have ISA 2004 with SP3 on Windows 2003 with SP2. There is only one NIC installed on the ISA server. Clients are configured as SecureNAT, Web Proxy and Firewall Client software. We have a Cisco 2811 router with an ADSL port in front of ISA 2004. The ISA default gateway is pointing to the router. Internet (DSL) is connected on the router.

LAN------------ISA 2004--------------Cisco Router---Internet

The ISA NIC configuration is as follows:

IP Address: 10.1.1.10
Subnet mask: 255.0.0.0
Default Gateway: 10.1.1.100 (Router's IP Address)
Primary DNS: 10.1.1.1 (Internal DNS)
Secondary DNS: 10.1.1.2 (Internal DNS)
3rd DNS: 202.163.96.3 (ISP DNS)
4th DNS: 202.163.96.4 (ISP DNS)

I have enabled a Forwarder in the local DNS to forward traffic to the ISP DNS, but it's not working. I have even created a rule in ISA Server to allow the DNS protocol from 10.1.1.1 and 10.1.1.2 to External for all users, but it's not working.

PROBLEM: Users are prompted to enter their username and password repeatedly. Sometimes they are not prompted, but once prompted, the issue is only resolved after a restart of the ISA server. The ISA Server logs show ANONYMOUS requests from clients. I think the problem is in the authentication of users, or maybe ISA is unable to query the domain controller. After the ISA server restart the issue is resolved and the logging shows the proper username and the rules applied to them.

Any help?

ADG
RE: authentication prompts on single NIC - 19.Sep.2008 5:51:32 AM
elmajdal
Posts: 5074
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Hi,

With a single network adapter, ISA Server works as a proxy server and supports HTTP/HTTPS/FTP. Read the limitations here:

quote:

Configuring ISA Server with a Single Network Adapter

Configuration Problem: There are a number of issues associated with the configuration of ISA Server on a computer with a single network adapter.

Cause: The causes include:

Multi-network firewall policy. In single network adapter mode, ISA Server recognizes itself (the Local Host network). Everything else is recognized as the Internal network. There is no concept of an External network. The Microsoft Firewall service and application filters operate only in the context of the Local Host network. (ISA Server protects itself no matter what network template is applied.) Because the Firewall service and application filters operate in the context of the Local Host network, you can use access rules to allow non-Web protocols to the ISA Server computer. This has implications for running applications located on the ISA Server computer.

Application layer inspection. Application level filtering does not function, except for Web Proxy Filter for Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), and File Transfer Protocol (FTP) over HTTP.

Server publishing. Server publishing is not supported. Because there is no separation of Internal and External networks, ISA Server cannot provide the NAT functionality required in a server publishing scenario.

Firewall clients. The Firewall Client application handles requests from Winsock applications that use the Firewall service. In a single network adapter environment, this service is only available in the context of the Local Host network (protecting the ISA Server computer), and Firewall Client requests are not supported.

SecureNAT clients. SecureNAT clients use ISA Server as a router to the Internet, and SecureNAT client requests are handled by the Firewall service. In a single network adapter environment, this service is only available in the context of the Local Host network (protecting the ISA Server computer), and SecureNAT client requests are not supported.

Virtual private networking. Site-to-site virtual private networks (VPNs) are not supported in a single network adapter scenario. Remote client VPN access is supported in a single network adapter scenario.

Source: http://technet.microsoft.com/en-us/library/cc302678.aspx

Read this: Configuring ISA Server 2004 on a Computer with a Single Network Adapter
< Message edited by elmajdal -- 19.Sep.2008 5:53:26 AM >
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8
RE: authentication prompts on single NIC - 20.Sep.2008 2:26:02 AM
adgroup
Posts: 130
Joined: 11.May2006
Hi,

Thanks for your response. Basically, we use the Cisco router for VPN between branch offices. The ADSL card in the router is used for internet connectivity.

LAN-----ISA------Router-----Internet----Router------ISA-----LAN

So could you please guide me on what type of configuration I should do in ISA so that both our internet and VPN traffic work properly?

In the past, when we didn't have the router configured, our configuration was as follows:

LAN-----ISA*-------ADSL MODEM-----Internet

* We had two NICs configured in ISA: one for internal and one which communicates with the ADSL modem, which you can call EXTERNAL.

Now we have the router involved. Current network settings are as follows:

LAN 10.0.0.X
ISA 10.1.1.10
Router: 10.1.1.200
Primary DNS: 10.1.1.100
Secondary DNS: 10.1.1.101
ISP DNS: 202.163.96.3
ISP DNS: 202.163.96.4

So could you please guide me, with the above-mentioned settings, on how I can use a 2nd NIC in ISA? The VPN settings are on the router. The ADSL card for internet connectivity is also configured on the router.

Any help?

ADG
RE: authentication prompts on single NIC - 22.Sep.2008 12:09:27 AM
adgroup
Posts: 130
Joined: 11.May2006
Waiting for your response on how I can use two NICs on ISA. Keep in mind that I have only one live IP address, which is given by the ISP to the router (which has the ADSL port) when connected.

Any help?

ADG
< Message edited by adgroup -- 22.Sep.2008 12:11:45 AM >
RE: authentication prompts on single NIC - 26.Sep.2008 1:58:55 AM
adgroup
Posts: 130
Joined: 11.May2006
OK, fine, thanks for your response.

So could you please tell me how I can use two NICs in ISA, where the VPN should be created using the Cisco router but website filtering should be done at the ISA level?

LAN settings:

IP 10.1.1.x
SM 255.0.0.0
D.G 10.1.1.10
Primary DNS: 10.1.1.100
Secondary DNS: 10.1.1.101

What should the settings of the 2nd NIC be? Keep in mind that if I change the subnet on the 2nd NIC (which I have to do) to communicate with the router, the VPN will not be established, because in the VPN settings we have defined that the source should be 10.1.1.x.

Still confused ...

Any help?

ADG
RE: authentication prompts on single NIC - 26.Sep.2008 9:46:16 AM
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
You can't use the Cisco for the VPN in that case. You have to use the ISA as the VPN Server, which is more capable as a VPN Server (and less proprietary) than the Cisco device is anyway.

If you use the Cisco for VPN then the users will be VPNing into the DMZ and not the LAN and will still remain cut off from the LAN unless you change the Network Relationship between Internal & External to "routed" instead of the default of "NAT". At that point you must be very diligent about the ISA Access Rules to prevent rendering the DMZ pointless and useless.
_____________________________
Phillip Windell www.wandtv.com