Welcome to ISAserver.org


RE: All user vs Internet group...?!?

RE: All user vs Internet group...?!? - 11.Sep.2005 3:30:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,

I think you are somewhat confused by the Windows Update issue.

There are some authentication issues in the ActiveX controls used by the Windows Update site. Therefore the KB states that you should allow anonymous access to certain URLs to work around that limitation.

On the other hand, when you go interactively to the Windows Update site, you must have local administrator rights to perform the scanning and the updates. However, when the host is using the Automatic Update feature, the logged in user must *not* have local administrator rights.

Personally I have no experience with the Symantec Live Update feature, but in general many of the Update features do not support authenticated proxies. Therefore, I suggested you add those sites also to that specific anonymous access rule.

HTH,
Stefaan

(in reply to iraq it)
Post #: 61
RE: All user vs Internet group...?!? - 12.Sep.2005 9:35:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,

quote:
Therefore the KB states that you should allow anonymous access to certain URLs to work around that limitation.

OK, I made this rule and I don't know if my servers will update Windows without any login (i.e. without pressing Ctrl+Alt+Del).

quote:
When the host is using the Automatic Update feature, the logged in user must *not* have local administrator rights.

What does that mean? All my domain clients have Windows Update set to automatic every day, so does that mean users will get the update even if they don't have local administrator rights (assuming they are logged in)?

quote:
Personally I have no experience with the Symantec Live Update feature, but in general many of the Update features do not support authenticated proxies.

I use SAV as server/client and that solves my problem, because the clients get the update from the DC server (SAV Server) without any rule.

Thanks,
Al-Taee

(in reply to iraq it)
Post #: 62
RE: All user vs Internet group...?!? - 12.Sep.2005 2:21:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,

Automatic Update runs as a service. So, nobody needs to be logged in, and if someone is logged in, he/she must not have administrator rights.

You can check that out in the ISA log. You should see connections to the Windows Update sites. Also, on the internal hosts themselves, you can find a file 'WindowsUpdate.log' in the Windows directory. There you can verify whether the Automatic Update agent successfully contacted the Windows Update servers.

HTH,
Stefaan

(in reply to iraq it)
Post #: 63
RE: All user vs Internet group...?!? - 13.Sep.2005 5:53:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,

quote:
Automatic Update runs as a service. So, nobody needs to be logged in, and if someone is logged in, he/she must not have administrator rights.

It's on at all the servers and I will check the log files at that time and see the result.

HTH,
Al-Taee

(in reply to iraq it)
Post #: 64
RE: All user vs Internet group...?!? - 13.Sep.2005 2:44:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,

OK.

BTW --- there are some new updates today on Windows Update [Wink]

HTH,
Stefaan

(in reply to iraq it)
Post #: 65
RE: All user vs Internet group...?!? - 14.Sep.2005 5:14:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,

I didn't see any hits on the Windows Update access rule and I got these messages from one of the servers:

2005-09-14 10:01:45 1160 710
Report Uploading 1 events using cached cookie, reporting URL = http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx

2005-09-14 10:02:10 1160 710
Report WARNING: Failed to upload events to the server with hr = c00ce509.

2005-09-14 10:02:10 1160 710 PT
WARNING: ReportEventBatch failure, error = 0x80244021, soap client error = 10, soap error code = 0, HTTP status code = 502

2005-09-14 10:02:10 1160 710
Report WARNING: Reporter failed to upload events with hr = 80244021.

And this from another server:

2005-09-14 10:00:09 1176 1ec
AU Forced install timer expired for scheduled install

Thanks.

(in reply to iraq it)
Post #: 66
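Stefaan's advice earlier in the thread is to read WindowsUpdate.log on the internal host and check whether the Automatic Update agent actually reached the update servers. The following Python script is an added example (not code from the forum or from Microsoft) that parses lines in the format the post above quotes, pulls out the hr/error codes and the HTTP status the agent received, and summarises what they tell you. The sample lines are constructed from the ones quoted in the thread; the real file keeps date, time, process id, thread id, component and message on a single line, which is the layout the parser assumes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the entries quoted in the post above
# (one entry per line, as the agent writes them; not a real capture).
SAMPLE_LOG = """\
2005-09-14 10:01:45 1160 710 Report Uploading 1 events using cached cookie, reporting URL = http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
2005-09-14 10:02:10 1160 710 Report WARNING: Failed to upload events to the server with hr = c00ce509.
2005-09-14 10:02:10 1160 710 PT WARNING: ReportEventBatch failure, error = 0x80244021, soap client error = 10, soap error code = 0, HTTP status code = 502
2005-09-14 10:02:10 1160 710 Report WARNING: Reporter failed to upload events with hr = 80244021.
2005-09-14 10:00:09 1176 1ec AU Forced install timer expired for scheduled install
"""

# date time pid tid component message  (pid/tid are hex in this log)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<pid>[0-9a-f]+)\s+(?P<tid>[0-9a-f]+)\s+(?P<component>\S+)\s+(?P<message>.*)$"
)
# "hr = c00ce509" or "error = 0x80244021": an 8-digit HRESULT, optional 0x prefix
HR_RE = re.compile(r"(?:hr|error) = (?:0x)?(?P<code>[0-9a-fA-F]{8})")
HTTP_RE = re.compile(r"HTTP status code = (?P<status>\d{3})")


@dataclass
class Entry:
    timestamp: str
    component: str
    message: str
    hresult: Optional[str]
    http_status: Optional[int]

    @property
    def is_warning(self) -> bool:
        return self.message.startswith("WARNING:")


def parse_log(text: str) -> List[Entry]:
    """Parse WindowsUpdate.log text into entries; lines that do not match are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("message")
        hr = HR_RE.search(msg)
        http = HTTP_RE.search(msg)
        entries.append(Entry(
            timestamp=f"{m.group('date')} {m.group('time')}",
            component=m.group("component"),
            message=msg,
            hresult=hr.group("code").lower() if hr else None,
            http_status=int(http.group("status")) if http else None,
        ))
    return entries


def summarize(entries: List[Entry]) -> Dict[str, object]:
    """Reduce the entries to the facts worth checking against the ISA log.

    A recorded HTTP status means the request left the host and got an answer
    from something; a 502 is what ISA returns for a denied or failed proxy
    request, so it points at the proxy rules rather than at the host.
    """
    warnings = [e for e in entries if e.is_warning]
    statuses = [e.http_status for e in entries if e.http_status is not None]
    return {
        "warnings": len(warnings),
        "hresults": {e.hresult for e in entries if e.hresult},
        "http_statuses": statuses,
        "reached_proxy": any(s == 502 for s in statuses),
    }


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        flag = "WARN" if e.is_warning else "    "
        print(f"{flag} {e.timestamp} [{e.component}] hr={e.hresult} http={e.http_status}")
    print(summarize(parsed))
```

Run it against a copy of the real file (`parse_log(open(path).read())`) and compare the timestamps of the 502 entries with the ISA log: if ISA logged nothing at those times although the agent recorded an HTTP status, the request is hitting something other than the rule you expect.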
RE: All user vs Internet group...?!? - 14.Sep.2005 12:31:00 PM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Stefaan,

quote:
For example, the only anonymous access rules should be those you require for server access to the Internet. Since servers typically (and should not) have logged on users, you need to create anonymous access rules to enable or deny connections from these servers (access control for servers is usually done by using source IP address). All other rules should require user authentication from either the Firewall client configuration, Web proxy client configuration, or both.

The first part is very close to what you said.

quote:
Note that another reason why your anonymous access rules are configured for servers only is that servers should not have the Firewall client software installed. Although they can be configured as Web proxy clients, if the servers require Web access when there is no logged on user, an authenticated access rule will cause the server's attempt to connect to the Internet to fail.

I configure my servers as Web proxy clients and sometimes I use the Internet for downloading some drivers, but now I have anonymous access rules for Windows Update and the ordinary access rule, so is that OK? I am a little confused.

I am checking my XP client now and I have different logs than on the servers, so either the update was just released or I have a problem in the rules, because I didn't see the Windows Update rule in the logging today. What do you think, my friend?

Regards,
Al-Taee

(in reply to iraq it)
Post #: 67
RE: All user vs Internet group...?!? - 14.Sep.2005 3:50:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,

quote:
Hi Stefaan,

I didn't see any hits on the Windows Update access rule and I got these messages from one of the servers:

2005-09-14 10:01:45 1160 710
Report Uploading 1 events using cached cookie, reporting URL = http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx

2005-09-14 10:02:10 1160 710
Report WARNING: Failed to upload events to the server with hr = c00ce509.

2005-09-14 10:02:10 1160 710 PT
WARNING: ReportEventBatch failure, error = 0x80244021, soap client error = 10, soap error code = 0, HTTP status code = 502

2005-09-14 10:02:10 1160 710
Report WARNING: Reporter failed to upload events with hr = 80244021.

And this from another server:

2005-09-14 10:00:09 1176 1ec
AU Forced install timer expired for scheduled install

Thanks.

What do you see in the ISA logging?

HTH,
Stefaan

(in reply to iraq it)
Post #: 68
RE: All user vs Internet group...?!? - 14.Sep.2005 3:57:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,

quote:
Stefaan,

For example, the only anonymous access rules should be those you require for server access to the Internet. Since servers typically (and should not) have logged on users, you need to create anonymous access rules to enable or deny connections from these servers (access control for servers is usually done by using source IP address). All other rules should require user authentication from either the Firewall client configuration, Web proxy client configuration, or both.

The first part is very close to what you said.

Note that another reason why your anonymous access rules are configured for servers only is that servers should not have the Firewall client software installed. Although they can be configured as Web proxy clients, if the servers require Web access when there is no logged on user, an authenticated access rule will cause the server's attempt to connect to the Internet to fail.

I configure my servers as Web proxy clients and sometimes I use the Internet for downloading some drivers, but now I have anonymous access rules for Windows Update and the ordinary access rule, so is that OK? I am a little confused.

I am checking my XP client now and I have different logs than on the servers, so either the update was just released or I have a problem in the rules, because I didn't see the Windows Update rule in the logging today. What do you think, my friend?

Regards,
Al-Taee

In order to use Windows Update you *must* allow anonymous access for those specific sites! So, if all internal servers and clients must be able to do that, *all* of them must have anonymous access to those sites.

Of course, another solution is to implement WSUS ( http://www.microsoft.com/wsus ). In that case, only the WSUS server must have anonymous access to the Windows Update sites.

HTH,
Stefaan

(in reply to iraq it)
Post #: 69
RE: All user vs Internet group...?!? - 15.Sep.2005 8:36:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,

quote:
In order to use Windows Update you *must* allow anonymous access for those specific sites! So, if all internal servers and clients must be able to do that, *all* of them must have anonymous access to those sites.

I have this rule now, but maybe I missed something. Anyway, I am getting the error below these days, after I made the anonymous rule. So does this rule affect the Internet speed? My Internet service is slow these days and I get many denied pages.

Explanation: The IP address for the website you requested could not be found.

Technical Information (for support personnel)
• Error Code 11001: Host not found
• Background: This error indicates that the gateway could not find the IP address of the website you are trying to access. This is usually due to a DNS-related error.

My rules order are as follows:
ISA monitor
Publishing SQL 2k3
Anonymous:
Protocol:http+https From:Internal To:Windwos sites Action:Allow Apply:All user + Internet users
Infrastructure rule
Deny website
Web access
Default rule

I just downloaded the update on Win XP SP2 and the logs in WindowsUpdate.log confirm this, unlike the logs on the servers [Confused].

Thanks [Razz] ,
Al-Taee

(in reply to iraq it)
Post #: 70
RE: All user vs Internet group...?!? - 15.Sep.2005 8:53:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
quote:
What do you see in the ISA logging?

The problem is I didn't see my Windows Update access rule in the logging. I checked the logging at the time the update was supposed to start, but nothing from these servers, just some DNS lookups and other things.

Thanks,
Al-Taee

(in reply to iraq it)
Post #: 71
RE: All user vs Internet group...?!? - 15.Sep.2005 5:32:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,

quote:
My rules order are as follows:
ISA monitor
Publishing SQL 2k3
Anonymous:
Protocol:http+https From:Internal To:Windwos sites Action:Allow Apply:All user + Internet users
Infrastructure rule
Deny website
Web access
Default rule

Remove the 'Internet users' from the rule. For anonymous access you should use 'All users' only.

HTH,
Stefaan

[ September 15, 2005, 05:33 PM: Message edited by: spouseele ]

(in reply to iraq it)
Post #: 72
RE: All user vs Internet group...?!? - 15.Sep.2005 5:35:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,

if you don't find it in the ISA log, then the request is never sent by the client or you have disabled the logging on that rule. So, I suggest you double check the rule and the logging.

HTH,
Stefaan

(in reply to iraq it)
Post #: 73
RE: All user vs Internet group...?!? - 16.Sep.2005 2:33:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,

I will remove the Internet group when I go to work Monday, but will this influence the other access rules?

quote:
if you don't find it in the ISA log, then the request is never sent by the client or you have disabled the logging on that rule. So, I suggest you double check the rule and the logging.

Well, I left everything at the default settings, but I will check the rule and enable the logging if it's not marked.

I have a problem with Mail Security for Exchange Server and hope you could give a hint for that.

I installed Mail Security for the Exchange server. Before, I was able to double click the shortcut and make any configuration I wanted, but (I think) after the Web proxy started working and my user became authenticated, I couldn't open the program any more, even after entering the user name and password it prompted me for; the program page just keeps loading. When I cancel the action or the prompt, I get the following page:

You are not authorized to view this page
You do not have permission to view this directory or page using the credentials that you supplied.
--------------------------------------------------------------------------------

Please try the following:

Contact the Web site administrator if you believe you should be able to view this directory or page.
Click the Refresh button to try again with different credentials.
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
Internet Information Services (IIS)

--------------------------------------------------------------------------------

Technical Information (for support personnel)

Go to Microsoft Product Support Services and perform a title search for the words HTTP and 401.
Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled Authentica

With this address at the address bar in IE:
http://Gci-exch-01:8081/

So do I need to enable a port or protocol? This is the 3rd time I have installed this program, with the same problem.

Thanks,
Al-Taee

(in reply to iraq it)
Post #: 74
RE: All user vs Internet group...?!? - 16.Sep.2005 7:24:00 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,

removing the Internet group from the anonymous access rule should not influence the other access rules. Check out my article http://www.isaserver.org/articles/ISA2004_AccessRules.html for more info.

For the exchange issue, I don't know what you are talking about. So, please start a new topic for that issue.

HTH,
Stefaan

(in reply to iraq it)
Post #: 75
RE: All user vs Internet group...?!? - 17.Sep.2005 5:27:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,

A fast question regarding Tom's article and figure (4):

http://www.isaserver.org/tutorials/2004bestpractices-p1.html

About "Configuring local addresses for Direct Access":

quote:
Direct Access allows Web proxy clients to bypass the Web proxy configuration to connect to resources configured for Direct Access.

Do I need to do what appears in figure (4) for the Windows Update sites?

Thanks,
Al-Taee

(in reply to iraq it)
Post #: 76
RE: All user vs Internet group...?!? - 18.Sep.2005 5:32:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,

How do I enable logging for the Windows Update rule?

Nothing happens, even after applying the solution from my last post.

See the log from the ISA Server:

Event Type: Error
Event Source: Windows Update Agent
Event Category: Software Sync
Event ID: 16
Date: 9/18/2005
Time: 9:09:07 AM
User: N/A
Computer: GCI-ISA-01
Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

One of MS's solutions suggests:

This behavior occurs because the Automatic Update service runs under the Local System account. The Local System account is not a member of the BackOffice Internet Users group and does not have permissions to use the Internet through ISA Server.

And to fix it, follow:
http://support.microsoft.com/default.aspx?scid=kb;en-us;838177

I always get this message on all my servers in windowsupdate.log:
Forced install timer expired for scheduled install

Thanks,
Al-Taee

(in reply to iraq it)
Post #: 77
RE: All user vs Internet group...?!? - 18.Sep.2005 2:16:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,

configuring direct access for the Windows Update sites won't help you. As far as I know, if the Windows update sites are reachable anonymously *and* the Windows Update client can act as a Web Proxy client it should work. Check out http://support.microsoft.com/kb/900935 for more info.

In any case, whether the Windows Update succeeds or not, you should see at least the requests in the ISA logging.

BTW --- can you perform a Windows Update interactively (via IE)?

HTH,
Stefaan

(in reply to iraq it)
Post #: 78
RE: All user vs Internet group...?!? - 19.Sep.2005 4:57:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,

It seems that I will spend my time just solving ISA problems! Yesterday I faced the same problem with All Users. I mean I can access the Internet only if I add All Users to the Client access rule.

The problem seems strange. I saw that my forwarder DNS server had been changed to 192.168.1.1 & 255.255.255.0 with recursion enabled, and that's why I got many error pages and slow Internet service, right? I don't know how it changed, but I can tell you that during the last week some of my ITs built a DNS server (192.168.1.1) in the lab. It was separate from my network, and I don't know the relation and how the IP changed.

Now, I put back the right DNS forwarder and disabled recursion, but I can't access the Internet unless I add All Users to the rule. I tested the auto discovery option with FWCtool and it works, but I can't get Internet, with the error below.

Technical Information (for support personnel)
• Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
• IP Address: 10.127.1.1
• Date: 9/19/2005 6:06:28 AM
• Server: isa-01.GCI.GOV.IQ
• Source: proxy

What I can see is that the LAN card connected to the Internet terminal is not active (no activity), and when I double click on it and close it, the message about multiple gateways appears even though I only put one gateway on this LAN; but it doesn't appear with All Users.

Thanks,
Al-Taee

(in reply to iraq it)
Post #: 79
RE: All user vs Internet group...?!? - 19.Sep.2005 5:45:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Again,

Very strange thing: I can get Internet even if I remove the DNS forwarder [Roll Eyes] [Roll Eyes]
Is that right?

Also, even if I remove All Users I can ping or nslookup the websites, but I can't get anything in IE [Confused]

Al-Taee
[Frown]

(in reply to iraq it)
Post #: 80
