All Windows XP clients with FW Client, domain members. ISA 2004 server, domain member, "Require all users to auth" is DISABLED and "Integrated auth" is ENABLED for the Internal network.
#1) Allow HTTPS from Internal to External for "Domain Personnel". #2) Allow HTTPS from Internal to "HTTPS Allow List" for "Domain Students".
I have the following issue: whenever a logged-in Student tries to connect to any HTTPS site, I notice in our logfiles that it first "Allows access" to Anonymous based on rule #1.
This I find strange, and not the right way. The client has the FW client installed and is logged in, but still it tries to connect using "Anonymous". But the strangest thing is that rule #1 ALLOWS this student access, while based on rule #1 it should BLOCK access. What's this??
When a client sends a web request, the client can't know in advance that ISA will require authentication. Therefore, the initial request is always sent anonymously.
When this request hits a rule that requires authentication, ISA will return the HTTP response "407 Proxy Authentication Required" and log an entry with the rule requiring the authentication and the error info "12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.".
Then the client will resend the web request, but now with the requested credentials. At that point ISA checks if the user belongs to the allowed User Set. If not, the next rule is evaluated. However, if the user can't authenticate at all, the request is denied.
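The rule-processing order described above, as an added example that is not part of the thread and not ISA Server code: a small model of a proxy that evaluates the two rules from the thread top-down, challenges anonymous requests with a 407, and re-evaluates once the client resends with credentials. The rule names, the host names and the user directory are constructed assumptions; the group "Personeel", the "Anonymous" user and the 12209 error text come from the thread.

```python
from dataclasses import dataclass, field

ANONYMOUS = "Anonymous"
ERR_12209 = ("12209 The ISA Server requires authorization to fulfill the request. "
             "Access to the Web Proxy service is denied.")

@dataclass
class Rule:
    name: str
    users: set          # AD groups allowed; empty set means "All Users" (no auth needed)
    destinations: set   # allowed hosts; empty set means any External host

@dataclass
class Proxy:
    rules: list
    directory: dict     # user -> set of AD groups (constructed stand-in for the domain)
    log: list = field(default_factory=list)

    def evaluate(self, user, host):
        """One top-down pass over the rule base; returns (status, matching rule)."""
        for rule in self.rules:
            if rule.destinations and host not in rule.destinations:
                continue                                  # destination does not match
            if not rule.users:                            # rule open to All Users
                self.log.append((user, rule.name, 200, "Allowed"))
                return 200, rule.name
            if user == ANONYMOUS:                         # rule needs a user: challenge
                self.log.append((user, rule.name, 407, ERR_12209))
                return 407, rule.name
            if self.directory.get(user, set()) & rule.users:
                self.log.append((user, rule.name, 200, "Allowed"))
                return 200, rule.name
            # authenticated but outside this rule's user set: evaluate the next rule
        self.log.append((user, "Default rule", 403, "Denied"))
        return 403, "Default rule"

    def client_request(self, user, host):
        """Client side: send anonymously first, resend with credentials on a 407."""
        status, rule = self.evaluate(ANONYMOUS, host)
        if status == 407 and user in self.directory:      # unknown users cannot authenticate
            status, rule = self.evaluate(user, host)
        return status, rule

def build_proxy():
    """The two rules from the thread, in the order ISA evaluates them (names assumed)."""
    rules = [Rule("Allow HTTPS Personnel", {"Personeel"}, set()),
             Rule("Allow HTTPS Students", {"Students"}, {"library.example"})]
    directory = {"jdoe": {"Personeel"}, "stud01": {"Students"}, "gast01": set()}
    return Proxy(rules, directory)
```

Calling `build_proxy().client_request("stud01", "library.example")` leaves two log entries: an Anonymous 407 against the Personnel rule, then a 200 for the student against the Students rule, which is the pair of entries the thread is discussing.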
I completely understand Rule Processing, that's not the problem. I also know it tries to authenticate anonymously before authenticating with credentials.
What I don't understand is why it GRANTS anonymous access based on a rule that should NOT allow access. Access should only be allowed to users contained in a specific group, which doesn't contain anonymous.
When processing this rule, first it tries anonymous (as expected); it should deny access with a 407 response and ask for user credentials. IT DOESN'T, it grants access while it shouldn't.
That's what I don't understand. "Require all users to auth" is DISABLED and "Integrated auth" is ENABLED for the Internal network.
I tested a user account who, based on group access, should be denied access. When accessing URLs that were denied based on user groups, it indeed first tries to access anonymously, but while it should deny access and ask for credentials, access is GRANTED??
Why? Anonymous isn't allowed based on the provided user group.
I've made a partial snapshot where you can see the affected rule, together with the log entry.
As you can see, I am allowing access to group Personeel. I logged in to a Windows XP workstation with the firewall client installed, with a user that's NOT A MEMBER of AD group "Personeel", named "Gast01". I now understand it will show up as Anonymous as it can not see the username due to encryption.
But as you can see, the user Anonymous is allowed access while it should be denied, as neither "anonymous" nor "gast01" is a member of "Personeel".
RE: Why ISA Allows Anonymous access on User based rules - 21.Nov.2006 5:20:22 AM
Guest
Hi jstruijk! My friend, you are missing the picture here. The reason for this is that you are reading between the lines. Just take a look at the pictures you have posted. What is allowed there? From who to who? The request comes from the client and goes to the ISA Server. The SSL connection is not started from the client. ISA starts the SSL connection for that client. So first ISA must establish an SSL tunnel from the client to itself. It does that (so allowed) and checks for the user with the appropriate rule. If you had posted the complete log you would see that the SSL tunnel is closed because authentication fails, as Stefaan pointed out very clearly:
quote:
When this request hit a rule that requires authentication, ISA will return the HTTP response "407 Proxy Authentication Required" and log an entry with the rule requiring the authentication and the error info "12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.".
If authentication succeeds, then ISA will start the SSL connection to the remote host. If you look at an established SSL connection log you will see that first the connection is INITIATED (like many other connections), but the connection is initiated between the remote host and ISA. Take a look yourself at this question with tools for monitoring traffic both on the client and on ISA (internal and external interface).
quote:
as Anonymous as it can not see the username due to encryption.
If so, how can you authenticate? Well, read the documentation available (hit Google) if for some reason you cannot do the monitoring yourself, and you will see what's really going on. ISA is the victim here 'cause you are blaming it for nothing. From my experience I've learned that although there are many problems (bugs) with different equipment, I must first blame myself and then the equipment.
< Message edited by adrian_dimcev -- 21.Nov.2006 5:27:28 AM >
What's the HTTP Status Code of that anonymous log entry? I bet it is "407"! So...
Also, if the client is configured as a Web Proxy client, then the authentication against the ISA server happens outside the SSL tunnel (HTTP CONNECT method).
BTW --- take a NetMon or Wireshark trace on the ISA internal interface and you should see what is really happening on the wire! The ISA logging is only telling you half of the story.
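The status-code check suggested above, as an added example that is not part of the thread and not an ISA tool: it walks a log in a constructed, simplified tab-separated layout (the real ISA log has more fields), pairs each Anonymous entry with the next entry from the same client, and separates the normal 407 challenge from anonymous entries that carry some other status, which are the ones worth comparing against a wire trace. The sample lines, hosts and user names are constructed.

```python
import csv
import io

# Constructed sample in a simplified tab-separated layout (assumption: the real
# ISA log has more fields); one client per request, entries in time order.
SAMPLE_LOG = """\
client_ip\tuser\trule\tdestination\tstatus\tresult
10.0.0.21\tAnonymous\tAllow HTTPS Personnel\tlibrary.example:443\t407\t12209 The ISA Server requires authorization to fulfill the request.
10.0.0.21\tDOMAIN\\stud01\tAllow HTTPS Students\tlibrary.example:443\t200\tAllowed
10.0.0.22\tAnonymous\tAllow HTTPS Personnel\tbank.example:443\t407\t12209 The ISA Server requires authorization to fulfill the request.
10.0.0.22\tDOMAIN\\gast01\tDefault rule\tbank.example:443\t403\tDenied
10.0.0.23\tAnonymous\tAllow HTTPS Personnel\tbank.example:443\t200\tAllowed
"""

def triage(log_text):
    """For every Anonymous entry, pair it with the next entry from the same client.
    Returns (client_ip, kind, outcome): kind is 'challenge' when the anonymous
    request got a 407 (outcome = status of the authenticated retry), otherwise
    'no_challenge' (outcome = the anonymous status itself), i.e. the entries to
    compare against a NetMon or Wireshark trace."""
    rows = list(csv.DictReader(io.StringIO(log_text), delimiter="\t"))
    findings = []
    for i, row in enumerate(rows):
        if row["user"] != "Anonymous":
            continue
        retry = next((r for r in rows[i + 1:] if r["client_ip"] == row["client_ip"]), None)
        if row["status"] == "407":
            findings.append((row["client_ip"], "challenge", retry["status"] if retry else "no retry"))
        else:
            findings.append((row["client_ip"], "no_challenge", row["status"]))
    return findings
```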