Welcome to ISAserver.org


Denied as anonymous ?

Denied as anonymous ? - 28.Aug.2007 9:02:12 PM   
joebrug

 

Posts: 5
Joined: 28.Aug.2007
Status: offline
Hi all..

Running ISA 2004 and have some questions.  I'm not sure that our proxy server is set up properly.
We are using one NIC card (not sure if this is ideal or not) and a product called SurfControl running on top of ISA.  The main/only reason we use ISA+SurfControl is to monitor/block users' access to certain web pages.  We have ISA set up for Integrated Authentication; however, on occasion a lot of connections are being denied to users.  When this happens, I notice that they are showing up as "anonymous" instead of their domain account, as normal.  For example, one user was trying to view a RealPlayer file and was getting denied.  I turned on the logging and noted the following:


Denied Connection PROXY 8/28/2007 3:30:26 PM
Log type: Web Proxy (Forward)
Status: 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. 
Rule: 
Source: ( 172.16.30.4:0)
Destination: ( 172.16.1.11:80)
Request: GET http://www.le.state.ut.us/servlet/smil?sess=2006GS&ID=38114
Filter information: Req ID: 1672a655 
Protocol: http
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.5); .NET CLR 2.0.50727)
Object source: Processing time: 1
Cache info: 0x0 MIME type: 

From what I can tell, the ISA server is wide open.. the top rule in the Firewall Policy says "Allow - All Outbound Traffic - From All Networks - To All Networks - All users"

Any help?  I'm puzzled... if I have to reconfig some stuff please let me know.  Appreciate the help
Post #: 1
RE: Denied as anonymous ? - 28.Aug.2007 9:20:30 PM   
jmilito

 

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
SurfControl requires authentication to work... Well...to track users. If authentication is off, not required, or fails, then the user will show up as anonymous and be blocked if you have not specifically created a rule to allow anonymous traffic. So...in my experience with SurfControl...it is the one blocking your connection.

With SurfControl you should require authentication in your ISA rules. Check this first. If this is not the case you will have some troubleshooting to do.

If you want to band-aid it until you get the authentication problems fixed, create an anonymous allow rule for site categories you know are safe... i.e. kids sites, education sites, etc. This will at least allow your "mission criticals" to go through while you are trying to figure it out.

quote:

We are using one NIC card



Nope...not good. You lose a lot of functionality in this mode.

(in reply to joebrug)
Post #: 2
RE: Denied as anonymous ? - 28.Aug.2007 11:02:57 PM   
joebrug

 

Posts: 5
Joined: 28.Aug.2007
Status: offline
quote:

ORIGINAL: jmilito
So...in my experience with SurfControl...it is the one blocking your connection.

Okay, that would make sense.. SurfControl has been working for years for us with the current setup, been monitoring/logging/blocking via categories, minus some of the errors we're talking about here

quote:

With SurfControl you should require authentication in your ISA rules. Check this first. If this is not the case you will have some troubleshooting to do.

I mentioned I am using Integrated Authentication in ISA options.  Are you talking about somewhere else?

quote:

one NIC card..Nope...not good. You lose a lot of functionality in this mode.

Like what? I'd love the proper setup

One other thing I noticed.  In the above error, it mentions 172.16.1.11:80 (our proxy server)..however we have ISA set up to be on port 8081.  I noticed today on a lot of the errors, it was port 80
Thanks again for your help!

(in reply to jmilito)
Post #: 3
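
One way to triage a batch of entries like the one in the first post, as an added example that is not part of the original thread: it parses text pasted from the log viewer, counts status 12209 denials where the user is `anonymous`, and separates those that arrived on a port other than the 8081 listener mentioned above. The function names and the sample text are constructed for illustration, and the entry-header pattern is an assumption based on the single entry posted.

```python
import re
from collections import Counter

# Constructed, abridged sample; only the first entry's values are from the thread.
SAMPLE = """\
Denied Connection PROXY 8/28/2007 3:30:26 PM
Status: 12209 The ISA Server requires authorization to fulfill the request.
Source: ( 172.16.30.4:0)
Destination: ( 172.16.1.11:80)
User: anonymous
Denied Connection PROXY 8/28/2007 3:31:02 PM
Status: 12209 The ISA Server requires authorization to fulfill the request.
Source: ( 172.16.30.9:0)
Destination: ( 172.16.1.11:8081)
User: anonymous
Allowed Connection PROXY 8/28/2007 3:31:40 PM
Source: ( 172.16.30.4:0)
Destination: ( 172.16.1.11:8081)
User: EXAMPLE\\jdoe
"""

HEADER = re.compile(r"^(\w+) Connection (\S+) (.+)$")  # assumed entry header
ENDPOINT = re.compile(r"\(\s*([\d.]+):(\d+)\)")

def parse_entries(text):  # one dict per pasted log-viewer entry
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"Action": m.group(1), "Time": m.group(3)}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return entries

def anonymous_denials(entries, status="12209"):
    """Count denied, unauthenticated requests per (client IP, destination port)."""
    hits = Counter()
    for e in entries:
        src = ENDPOINT.search(e.get("Source", ""))
        dst = ENDPOINT.search(e.get("Destination", ""))
        if (e["Action"] == "Denied" and e.get("User", "").lower() == "anonymous"
                and e.get("Status", "").startswith(status) and src and dst):
            hits[(src.group(1), int(dst.group(2)))] += 1
    return hits

def off_listener(hits, proxy_port=8081):  # denials not sent to the proxy listener
    return {k: n for k, n in hits.items() if k[1] != proxy_port}
```

Clients that appear in the `off_listener` result are the ones whose browser or application settings are worth checking first, since their requests are not reaching the configured listener port.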
RE: Denied as anonymous ? - 29.Aug.2007 6:43:22 AM   
jmilito

 

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
quote:


From what I can tell, the ISA server is wide open.. the top rule in the Firewall Policy says "Allow - All Outbound Traffic - From All Networks - To All Networks - All users"


My guess was...if you are allowing All Users you are allowing anonymous users as well.

Double check your authentication requirements by following the instructions here:

http://kb.surfcontrol.com/display/1n/index.asp?c=&cpc=&cid=&cat=&catURL=&r=0.2770655

and here:

http://kb.surfcontrol.com/display/1n/index.asp?c=&cpc=&cid=&cat=&catURL=&r=0.2770655

Info on a unihomed ISA:

http://blogs.isaserver.org/shinder/2007/04/23/dont-ask-me-questions-about-unihomed-isa-firewalls/

quote:

I noticed today on a lot of the errors, it was port 80


Do you have IIS or anything else using port 80 installed on your ISA server?

(in reply to joebrug)
Post #: 4
RE: Denied as anonymous ? - 29.Aug.2007 11:08:23 AM   
jmilito

 

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
Also something about troubleshooting authentication issues and ISA:

http://blogs.technet.com/isablog/archive/2007/07/18/isolating-problems-that-seem-to-be-related-to-isa-server-part-ii.aspx

(in reply to jmilito)
Post #: 5
RE: Denied as anonymous ? - 29.Aug.2007 1:53:13 PM   
joebrug

 

Posts: 5
Joined: 28.Aug.2007
Status: offline
I'm unable to see your SurfControl KB links, can you provide the document #'s?

Yes, BlackBerry Enterprise Server is installed on the ISA box (don't ask me why, I didn't set it up), and I have a feeling that this might be answering on port 80.  Haven't been able to confirm.

(in reply to jmilito)
Post #: 6
RE: Denied as anonymous ? - 29.Aug.2007 2:01:31 PM   
jmilito

 

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
Sorry they are:

SurfControl KB 1921, 1543, and 1173

(in reply to joebrug)
Post #: 7
RE: Denied as anonymous ? - 29.Aug.2007 2:25:10 PM   
joebrug

 

Posts: 5
Joined: 28.Aug.2007
Status: offline
Thanks J.

I did a little testing by stopping all of the BES services and port 80 was still "listening" from a PortQuery utility I used.  I stopped the Microsoft Firewall service from within ISA and upon another query, it took a while to respond, but eventually said "Port 80 FILTERED" instead of LISTENING. 

I've sent SurfControl an email, seeing if they have any ideas. 

(in reply to jmilito)
Post #: 8
RE: Denied as anonymous ? - 4.Sep.2007 2:29:25 PM   
joebrug

 

Posts: 5
Joined: 28.Aug.2007
Status: offline
SurfControl suggested that I turn off the Web Filter service of SurfControl, which enforces the rules, etc.  Once this is off, it should just let all traffic through..
I tried this, and the ISA Server is still denying connections with anonymous.  Any other ideas?

(in reply to jmilito)
Post #: 9
RE: Denied as anonymous ? - 4.Sep.2007 2:40:24 PM   
jmilito

 

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
1.  Install SP3 for 2004
2.  Run the latest ISA BPA tool
3.  As a test, disable the authentication requirement under network configuration and create an all allow test rule and see if you can get out without a prompt.  You may need to either warn your end users or do this off hours.
4.  Check your monitor to see if you are getting a lot of blocked traffic to your domain controller.  This may indicate that you are blocking the protocols required for authentication.


Check here:
http://www.microsoft.com/technet/isa/2004/plan/unsupportedconfigs.mspx#Authentication

Additional Comment:
Try to find a new server for BES and see if there is some documentation out there to help you publish it through ISA.  You may need to investigate a dual-nic setup for this.  Not a priority at this point but you should consider.

(in reply to joebrug)
Post #: 10
