RE: All user vs Internet group...?!?
RE: All user vs Internet group...?!? - 26.Aug.2005 7:42:00 AM
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,
I am sorry, I meant I can nslookup WPAD at the clients, but I can't test the DNS using FwcTool at the clients. I am just thinking, do I need to set up the FwcTool at every client before I test the command, because I only get the result on my computer (for testing both DHCP & DNS)?
The ISA internal interface is defined in the DNS manually.
So my problem now is WPAD not working in DNS? So do I need to delete and create a new WPAD in DNS, or do you have a better solution? I don't want to have only WPAD DHCP; I want them both in case one of them stops for a reason.
Thanks, Al-Taee
RE: All user vs Internet group...?!? - 27.Aug.2005 2:12:00 PM
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Again,
On your workstation you can nslookup wpad *and* the fwctool confirms it. Right?
Yes, right.
On the other workstations, you can nslookup wpad but the fwctool does not confirm it. Right?
Yes, right.
On the other workstations, did you install the Firewall client and the FWCTool?
No, I didn't use FC at all. And I didn't install the FWCTool at the clients, just on my PC.
I think I need to install the FwcTool at the clients to make the test command work.
Thanks, Al-Taee
RE: All user vs Internet group...?!? - 28.Aug.2005 1:10:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,
as far as I know the FWCTool package is just a self-extracting package of the command-line utility and the .doc file. So, no real install is needed and no registry keys and such are made.
From my experience, to use the fwctool command 'TestAutoDetect', the Firewall client does not even need to be installed. However, the host must be a domain member, else you get the following response:
code:
C:\fwctool>fwctool testautodetect /type:dns
FwcTool version 4.0.3439
Firewall Client for ISA Server 2004 support tool
Copyright (c) Microsoft Corporation. All rights reserved.

Action: Test the auto detection mechanism
Type: DNS

Detection details:
Timeout is set to 60 seconds
Locating WSPAD URL in DNS Server
Locating domain name in registry
Opening registry key: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
Querying registry value: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain
Registry value not found
Querying registry value: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain
Registry value not found
Locating domain name in DHCP information
Locating option 15 in DHCP
Reading network adapters information
DHCP option for domain name not found
Domain name not found
Resolving address: wpad.
Domain name not found
WSPAD URL was not found in DNS Server
Failed to detect ISA Server

Result: The command failed and was not completed.
So, in contrast to the nslookup command, the fwctool determines the DNS domain by reading:
- the registry value 'HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain', and this value is only set if the host is joined to a domain;
- the DHCP option 15 (DNS Domain Name).
If both are not defined, the DNS suffix list is not consulted.
HTH, Stefaan [ August 28, 2005, 01:23 PM: Message edited by: spouseele ]
RE: All user vs Internet group...?!? - 29.Aug.2005 4:12:00 AM
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,
All my clients are domain members, and to make the "TestAutoDetect" work the FWCTool must be installed at the clients; I just tried it.
The summary now is:
- nslookup: WPAD works at all clients.
- displaydns: WPAD appears only at Win 2k3 SP1 and not at Win XP SP2 clients.
- TestAutoDetect: WPAD (DHCP) works at all clients. WPAD (DNS) does not work at all the clients.
Thanks, Al-Taee
RE: All user vs Internet group...?!? - 29.Aug.2005 7:21:00 AM
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
So why does the WPAD not work?
Is deleting and re-creating the WPAD entry in the DNS a solution?
Thanks, Al-Taee
RE: All user vs Internet group...?!? - 29.Aug.2005 1:46:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,
you can try it, but I don't think it will solve the problem, because the nslookup of wpad works.
Can you post the complete output of the command 'fwctool testautodetect /type:dns' unmodified?
HTH, Stefaan
RE: All user vs Internet group...?!? - 30.Aug.2005 2:35:00 AM
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,
code:
Action: Test the auto detection mechanism
Type: DNS

Detection details:
timeout is set to 60 seconds
locating WSPAD URL in DNS server
Locating domain name in registry
operating registry key: HKLM\System\CurrentcontrolSet\Services\Tcpip\Parameters
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain
Domain name found: GCI.GOV.IQ
Resolving address: wpad.GCI.GOV.IQ.
Domain name not found
WSPAD URL was not found in DNS server
Failed to detect ISA Server

Result: The command failed and was not completed.
This is what I got, and I didn't delete wpad yet, but I have this issue in the DNS regarding wpad. The alias name is written as: Wpad; the FQDN as: Wpad.GCI.GOV.IQ; the FQDN for target host as: wpad.GCI.GOV.IQ
Thanks, Al-Taee
RE: All user vs Internet group...?!? - 30.Aug.2005 2:24:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,
it looks like your wpad alias is not correctly defined in the DNS server.
Assuming your ISA server is called 'ISAsrv', then you should have a normal host record in your DNS zone 'GCI.GOV.IQ' which looks like
code:
ISAsrv Host(A) A.B.C.D
where A.B.C.D is the IP address of your ISA internal interface.
For the wpad alias you should create an Alias(CNAME) entry with wpad as the alias name and ISAsrv.GCI.GOV.IQ as the FQDN for the target host:
code:
wpad Alias(CNAME) ISAsrv.GCI.GOV.IQ
For more info, check out the articles listed at the beginning of my article.
HTH, Stefaan
RE: All user vs Internet group...?!? - 6.Sep.2005 2:28:00 AM
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,
I just checked my Win 2k3 servers to see if they update the antivirus, and I see that some of them don't work, so I checked the FwcTool and found that only the DNS works while the DHCP does not work (the server has a static IP), but I have Internet on them except the SQL Server.
Does IE Enhanced Security Configuration have a relation with auto-discovery?
When I put the auto-detect settings with proxy server, will the Internet work if WPAD DNS stops working?
Thanks,
RE: All user vs Internet group...?!? - 9.Sep.2005 3:20:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,
Windows Update requires that your access rule allows anonymous access (all users). Check out http://support.microsoft.com/default.aspx?scid=kb;en-us;885819 for more info. So, whether the host is configured as Web Proxy, Firewall or SecureNAT doesn't matter at all.
I would *never* allow untrusted users over an untrusted wireless network on to my corporate network, not even for a minute. That's asking for trouble! So, I strongly recommend you split them off on another untrusted segment (3rd NIC in ISA).
HTH, Stefaan
RE: All user vs Internet group...?!? - 10.Sep.2005 2:41:00 AM
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,
Windows Update requires that your access rule allows anonymous access (all users); whether the host is configured as Web Proxy, Firewall or SecureNAT doesn't matter at all.
So I have to log in to the server to process the Windows Update; does what you said also apply to Symantec Antivirus Update?
By the way, will the ordinary domain users update their Windows with this rule? Because you know that updating Windows or Antivirus requires Admin privileges, so I hope this rule will make the update automatic?
I hope the new All Users access rule will not affect the Internet access rule for Authenticated users?
I would *never* allow untrusted users over an untrusted wireless network on to my corporate network, not even for a minute.
So I will use a UTP cable to the laptops during their presence, because I don't know if my supervisor will agree to add a 3rd NIC or not.
Many Thanks, Al-Taee
RE: All user vs Internet group...?!? - 10.Sep.2005 7:47:00 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,
1. Windows Update
as mentioned in http://support.microsoft.com/default.aspx?scid=kb;en-us;885819 you need to allow anonymous access to the following URLs:
- http://download.windowsupdate.com
- https://*.windowsupdate.microsoft.com
- http://*.windowsupdate.microsoft.com
- http://*.update.microsoft.com
You can accomplish that in 2 ways, either by creating a URL set or by creating a destination set. If you look now at the predefined destination set 'System Policy Allowed sites' you will notice that it covers the needed URLs. So, creating an access rule from 'Internal' to 'External' for the destination set 'System Policy Allowed sites' for 'All Users' should do the trick.
Likewise, if the internal hosts need access to the Symantec Antivirus Update URLs, create a new destination set for those domains and add it to the above rule.
Of course, remember that the order of the access rules is very important. For more info, check out my article http://www.isaserver.org/articles/ISA2004_AccessRules.html .
2. Untrusted Users
in my statement there are two entities: untrusted users and untrusted network. So, from a security point of view, it is bad practice to allow either of those entities direct access to your corporate network. Therefore, connecting the untrusted users by cable will *not* solve the fundamental security problem.
HTH, Stefaan
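Stefaan's two points about the access rule (it must be scoped to the Windows Update destinations only, and rule order decides the outcome) can be checked with a first-match model of the policy. The following is an added example, not ISA Server's rule engine and not code from the thread: it evaluates an ordered list of allow/deny rules, each with a user set and a destination set, and stops at the first rule that matches, falling through to an implicit deny. The destination patterns are the KB 885819 hosts quoted above; the rule names, the 'Authenticated Users' rule and the sample URLs are assumed for the example.

```python
"""
First-match model of ordered firewall access rules, as discussed above.

Added example (not ISA Server's engine, not code from the thread). Shows
that an 'All Users' allow rule limited to the Windows Update destination
set lets anonymous hosts reach only those sites, that authenticated users
keep their general Internet rule, and that putting a broad deny rule in
front of the update rule silently breaks Windows Update.
"""
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    users: str               # "All Users" or "Authenticated Users"
    destinations: List[str]  # host patterns; ["*"] means any destination


# Hosts from KB 885819 as quoted in the thread (scheme is not matched here).
WINDOWS_UPDATE_SITES = [
    "download.windowsupdate.com",
    "*.windowsupdate.microsoft.com",
    "*.update.microsoft.com",
]

# Constructed policy in the order Stefaan suggests: the narrow anonymous
# rule first, the general rule for authenticated users after it.
POLICY = [
    Rule("Windows Update (anonymous)", "allow", "All Users", WINDOWS_UPDATE_SITES),
    Rule("Internet for domain users", "allow", "Authenticated Users", ["*"]),
]

# Same rules with a broad anonymous deny placed first: order matters.
MISORDERED_POLICY = [
    Rule("Block anonymous web", "deny", "All Users", ["*"]),
] + POLICY


def host_matches(pattern: str, host: str) -> bool:
    """'*' matches anything; '*.example.com' matches hosts below that
    domain (not the apex); anything else must match exactly."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".windowsupdate.microsoft.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def user_matches(user_set: str, authenticated: bool) -> bool:
    if user_set == "All Users":
        return True                     # anonymous requests included
    if user_set == "Authenticated Users":
        return authenticated
    return False


def evaluate(rules: List[Rule], url: str, authenticated: bool) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, or the
    implicit default deny when nothing matches."""
    host = urlparse(url).hostname or ""
    for rule in rules:
        if user_matches(rule.users, authenticated) and \
                any(host_matches(p, host) for p in rule.destinations):
            return rule.action, rule.name
    return "deny", "default rule"


if __name__ == "__main__":
    # Constructed sample requests; anonymous = no proxy credentials sent.
    for url, auth in [("http://download.windowsupdate.com/x.cab", False),
                      ("https://v5.windowsupdate.microsoft.com/", False),
                      ("http://www.example.com/", False),
                      ("http://www.example.com/", True)]:
        print(f"{'auth' if auth else 'anon':4} {url:45} -> {evaluate(POLICY, url, auth)}")
    print("misordered:", evaluate(MISORDERED_POLICY,
                                  "http://download.windowsupdate.com/x.cab", False))
```

The model answers the question raised later in the thread: with the narrow 'All Users' rule first, an anonymous request reaches only the update hosts and everything else still requires authentication, while moving a broad anonymous deny in front of that rule blocks Windows Update even though the allow rule is still present.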
RE: All user vs Internet group...?!? - 11.Sep.2005 3:38:00 AM
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
1. Windows Update
I got this message for both ways you suggested: "install updates from this website, you must be logged on as an administrator or a member of the Administrators group on your computer. If you use Windows XP, you can see if you are an administrator by going to User Accounts in Control Panel. Note: If your computer is connected to a network, network policy settings might also prevent you using this website. Contact your system administrator for help with updates."
It does not work even with putting the access rule first, but the good thing is that even with this rule for All Users no one can access except the authenticated users; do you agree with this?
I just read this GP and I don't know if it has a relation with windowsupdate. Go to Computer Configuration - Administrative Templates - Windows Update - Conf. Win. Update.
Likewise, if the internal hosts need access to the Symantec Antivirus Update URLs, create a new destination set for those domains and add it to the above rule.
Do you have the link for making LiveUpdate for Symantec, or do I have to make a new post for it? As you know, the LiveUpdate button is inactive for all domain users that don't have privileges, so do you know how to make it active, or can the rule make the antivirus update without needing to activate the tab in the program?
2. Untrusted Users: connecting the untrusted users by cable will *not* solve the fundamental security problem.
I followed your advice and put my laptop for anyone who wants to access the Internet, and I agree with the people that it's dangerous to make them use the Internet as untrusted users.
Thanks, Al-Taee