Welcome to ISAserver.org

Local User Authentication

All Forums >> [ISA 2006 Firewall] >> Access Policies >> Local User Authentication Page: [1]
Local User Authentication - 15.Jan.2008 11:19:40 PM   
daz618

 

Posts: 12
Joined: 15.Jan.2008
Status: offline
We have a number of sites with local PC user accounts that are not members of the internet users group; however, they are still allowed to access a short list of valid sites. This works fine. However, when they enter a URL that is not allowed, they get prompted for a username/password to access the internet.


I have another access rule that allows domain users who are members of the internet users group full internet access.

I would like local users to get the redirect rule saying they are not a member of the internet users group, contact the Helpdesk etc., rather than just getting an authentication prompt. Any help would be appreciated.
Post #: 1
RE: Local User Authentication - 16.Jan.2008 9:01:44 AM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
You can do this by creating a DENY rule based upon the following criteria:
Action: Deny (redirect HTTP requests to this web page) provide the URL to a webpage that indicates "they are not a member of the internet users group contact the Helpdesk".
Protocols: All outbound traffic (or just web protocols HTTP, HTTPS, if that's what your requirements are based upon)
From: Internal
To: External
Users: All Users | Exceptions: the User Set you've created for domain\internet users group.

And make sure that you account for the excess logging on your ISA Server if you choose to enable logging for this rule.  Obviously you should enable logging until you ensure that the rule is working as expected.

Also make sure that you place this rule above all other access rules that require authentication, and below any rules that allow the anonymous proxy access your environment requires.

(in reply to daz618)
Post #: 2
RE: Local User Authentication - 16.Jan.2008 5:52:06 PM   
daz618

 

Posts: 12
Joined: 15.Jan.2008
Status: offline
Thanks for the info, unfortunately still the same authentication prompt when trying to go to a non-valid site rather than the access denied page.

A little more information: the local users are local administrators with blank passwords, a no-no I know, but that's what I have been given to work with. When the local administrator password is set to the same as the ISA server, this rule works fine. My problem is I can't reset the local admin password for all these users, and in the short term they will have to stay blank. The ISA server's local admin password cannot be set to blank.

Any other ideas for a work around? Thanks in advance.

(in reply to abqtech)
Post #: 3
RE: Local User Authentication - 16.Jan.2008 9:43:14 PM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
My apologies, I totally glossed over the fact that these are local users, rather than domain users...
Are these local users, which are allowed to access the short list of sites, hitting an Access Rule that is configured for All Users?  If not, how is this Access rule configured?

(in reply to daz618)
Post #: 4
RE: Local User Authentication - 16.Jan.2008 10:09:19 PM   
daz618

 

Posts: 12
Joined: 15.Jan.2008
Status: offline
Yes these are local administrator/users set to access the valid sites url list using the access rule for 'All Users'.

(in reply to abqtech)
Post #: 5
RE: Local User Authentication - 16.Jan.2008 10:20:13 PM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
Okay.  Are all your clients web proxy clients, or do you have any SecureNAT or Firewall clients?

(in reply to daz618)
Post #: 6
RE: Local User Authentication - 16.Jan.2008 10:22:03 PM   
daz618

 

Posts: 12
Joined: 15.Jan.2008
Status: offline
All local users are anonymous/web proxy users; other domain users are SecureNAT and Firewall.

(in reply to daz618)
Post #: 7
RE: Local User Authentication - 16.Jan.2008 10:23:36 PM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
Also, are your clients going to bypass ISA for the URL you want them redirected to, or will that request be proxied by ISA?

(in reply to abqtech)
Post #: 8
RE: Local User Authentication - 16.Jan.2008 10:26:23 PM   
daz618

 

Posts: 12
Joined: 15.Jan.2008
Status: offline
Request proxied if possible, either way is ok if we can get it to work.

(in reply to daz618)
Post #: 9
RE: Local User Authentication - 16.Jan.2008 10:36:43 PM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
I have not tried this, but it makes sense to me at the moment.  You'll need two Access rules:

First the Deny Rule:
Deny_Anonymous_HTTP
Action: Deny (redirect HTTP requests to the Helpdesk URL)
Protocols: All outbound
From: Internal
To: External (exceptions - add the small list of sites, either by adding them to a domain name set or URL Set)
Users: All Users

Next create the Allow rule, below the Deny Rule:
Allow_Anonymous_HTTP
Action: Allow
Protocols: HTTP, HTTPS (others if needed)
From: Internal
To: (the small list of sites, added to the domain name set or URL Set mentioned in the Deny exception list above.)
Users: All Users.

Try this and let me know... but please be aware of where this fits in your policy: it will need to be above any authenticated rules, and depending on where it's placed and what your SecureNAT clients are doing, it may interfere with them.

Thanks

(in reply to abqtech)
Post #: 10
RE: Local User Authentication - 16.Jan.2008 11:08:23 PM   
daz618

 

Posts: 12
Joined: 15.Jan.2008
Status: offline
This works; however, it blocks the internet users group access to all web sites.

Adding the Internet Users Group to the Exceptions of the deny rule causes the prompt to pop up again for local users accessing non-valid sites.

Thanks

(in reply to daz618)
Post #: 11
RE: Local User Authentication - 17.Jan.2008 9:58:15 AM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
If you can identify the anonymous web proxy users by their IP address, you could create a computer set and add each client IP into that computer set, and then use that computer set in the Rules:

First the Deny Rule:
Deny_Anonymous_HTTP
Action: Deny (redirect HTTP requests to the Helpdesk URL)
Protocols: All outbound (or just the protocols used in the Allow Rule)
From: Computer_Set_of_Anonymous_Users
To: External (exceptions - add the small list of sites, either by adding them to a domain name set or URL Set)
Users: All Users

Next create the Allow rule, below the Deny Rule:
Allow_Anonymous_HTTP
Action: Allow
Protocols: HTTP, HTTPS (others if needed)
From: Computer_Set_of_Anonymous_Users
To: (the small list of sites, added to the domain name set or URL Set mentioned in the Deny exception list above.)
Users: All Users.

Let me know if that does the trick.  Otherwise you may be better off going with a 3rd party plug-in capable of authorization and content filtering, such as Websense.

< Message edited by abqtech -- 17.Jan.2008 10:00:38 AM >

(in reply to daz618)
Post #: 12
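An added model (not code from the thread or from ISA Server) of the three rule sets tried in posts 2, 10 and 12. It assumes first-match evaluation and that an anonymous request reaching a rule whose Users condition is anything other than plain All Users gets an authentication prompt; the rule fields, IPs, site names and function names are hypothetical.

```python
# Simplified model of ordered access-rule evaluation; not ISA Server code.
# IPs, site names and the group name below are constructed sample values.
from dataclasses import dataclass

ALL_USERS = "All Users"
GROUP = "Internet Users"
SHORT_LIST = frozenset({"partner.example", "payroll.example"})
ANON_PCS = frozenset({"10.0.5.21", "10.0.5.22"})   # Computer_Set_of_Anonymous_Users

@dataclass
class Rule:
    action: str                         # "allow" or "deny"
    sources: frozenset = None           # None = any Internal client
    dest: frozenset = None              # None = all of External
    dest_except: frozenset = frozenset()
    users: str = ALL_USERS
    users_except: str = None

def evaluate(rules, src_ip, site, groups=None):
    """First matching rule wins; groups=None models an anonymous request."""
    for r in rules:
        if r.sources is not None and src_ip not in r.sources:
            continue
        if site in r.dest_except or (r.dest is not None and site not in r.dest):
            continue
        if r.users != ALL_USERS or r.users_except is not None:
            if groups is None:
                return "auth-prompt"    # assumed: identity needed to finish matching
            if (r.users != ALL_USERS and r.users not in groups) or r.users_except in groups:
                continue
        return "allow" if r.action == "allow" else "redirect"
    return "deny"                       # default deny closes the policy

DOMAIN_ALLOW = Rule("allow", users=GROUP)

def policy_post2():    # deny for All Users except the group, below the anonymous allow
    return [Rule("allow", dest=SHORT_LIST), Rule("deny", users_except=GROUP), DOMAIN_ALLOW]

def policy_post10():   # deny for All Users with a destination exception
    return [Rule("deny", dest_except=SHORT_LIST), Rule("allow", dest=SHORT_LIST), DOMAIN_ALLOW]

def policy_post12():   # same pair of rules, scoped to the computer set
    return [Rule("deny", sources=ANON_PCS, dest_except=SHORT_LIST),
            Rule("allow", sources=ANON_PCS, dest=SHORT_LIST), DOMAIN_ALLOW]

if __name__ == "__main__":
    for name, pol in [("post 2", policy_post2()), ("post 10", policy_post10()), ("post 12", policy_post12())]:
        print(name, evaluate(pol, "10.0.5.21", "blocked.example"),
              evaluate(pol, "10.0.9.9", "blocked.example", {GROUP}))
```

In the post 12 policy the decision is keyed on source IP, so in this model a domain user browsing from one of the listed PCs is redirected as well.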
RE: Local User Authentication - 17.Jan.2008 5:33:48 PM   
daz618

 

Posts: 12
Joined: 15.Jan.2008
Status: offline
Ahh, that seems to have fixed it. Thanks a lot for your help, much appreciated.

(in reply to daz618)
Post #: 13
RE: Local User Authentication - 17.Jan.2008 5:59:45 PM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
daz618

glad I could help....

cheers!


(in reply to daz618)
Post #: 14
