Let me just preface by saying I am fairly new to ISA in general. I've been doing Windows administration for 5 years, but ISA is new territory for me. I have looked through these forums and pretty much all over, but have not found an answer that specifically addresses my problem. So here it is:
I'm running ISA 2004 with a single NIC. I set it up according to the TechNet article outlining a single-NIC install. Proxy works well and most of my rules for web and content blocking work just fine. The exception here is any rule where I am relying on user groups for the condition. I am trying to add an access rule that will allow specific users to send/receive IM traffic. I have a rule set up to ALLOW all IM protocols from Internal and Local Host to Internal for members of this group. When I look at the firewall logs, it shows the request as coming from Anonymous. Am I missing something when it comes to passing the integrated Windows authentication to ISA? I should also mention that I am not using the Firewall client. Is this an absolute must? Or can the authentication be sent without it?
The ISA firewall should be fully configured in firewall mode. You can put it behind the PIX, or better, in parallel. The ISA firewall provides a significantly higher level of stateful packet inspection and application layer inspection than the PIX, so using it in "hork mode" does your company a real disservice.
You also have very limited support for protocols in hork mode, as you're finding out.
So is that to say that it is impossible to have Windows integrated authentication work with my current configuration? Also, is it advisable/possible to run it with 2 adapters considering the configuration of my current infrastructure (PIX on the perimeter and ISA acting as a "second layer")? Honestly, if I can manage to use this as a proxy for restricting and monitoring content, blocking certain content types, blocking IM traffic, blocking streaming content, etc., then I'd be happy (assuming I can successfully use integrated security for my rule conditions).
I appreciate you sending those links and will definitely take that info into consideration during my testing and for implementation. However, I think that maybe I haven't communicated my immediate problem and frustration clearly enough. Right now what I am struggling with is getting ISA to recognize who is sending the traffic. For instance, when I put an access rule in place to block IM traffic, I also placed another rule to allow administrators to be able to do this (the allow rule is after the deny rule in top-down order). When I apply the changes and attempt to log in to an IM client (with an account that is a member of the group in the conditions portion of the rule), I am still denied, and the ISA logs show that it came from an anonymous user instead of my user account. I don't understand why this is, as I am using integrated authentication.
That's the point. Until you fully deploy the ISA firewall you won't have control over IM protocols, and you won't be able to deploy the Firewall client for transparent authentication for the protocols. "Hork Mode" (single NIC) is HTTP only.
Well, thus far in "hork" mode (what's the meaning behind that anyhow?), I have been able to block IM traffic. The only problem I have come across is adding other rules allowing it for specific user groups. Also, am I correct in taking from your last post that ISA will only see which user the traffic is coming from if the client machine is running the Windows Firewall client? Otherwise it will always see it as anonymous? If so, it sounds like the Windows Firewall client is my missing piece of the puzzle, right?
I understand what you're saying about "hork" mode being HTTP only (I would assume that this at least reserves proxy functionality for those who only intend to use it for that), but shouldn't it still see the authentication properly in order to fully use the access rules to control access to URL sets and networks based on user groups, if desired?
OK. Well, my traffic is showing up as anonymous when I'm using it as a web proxy as well. It seems like integrated authentication is not working at all. Is there something else I may be missing besides the mode I'm running it in right now?