Proxy Authentication


sentry -> Proxy Authentication (25.Mar.2008 12:52:23 AM)

Is it possible in ISA 2004 to get an authentication box to pop up when attempting to access the internet? The scenario is we have a couple of POS computers that we don't want casual staff accessing the internet on. However, when senior staff are sometimes working from these computers, we would like them to be able to enter a username and password into a pop-up box in Internet Explorer and be given access to the internet. I have noticed that the authentication appears to be integrated with the login account. Is it possible to get around this?

gbarnas -> RE: Proxy Authentication (25.Mar.2008 10:25:16 AM)

Create a rule specific to the POS computers. Instead of your access rule being "authenticated users", create an AD group called Internet Users, add the users permitted to access the Internet from the POS systems to that group. Those users can then authenticate when needed, or have transparent access if they log on with their credentials. Other users will not be able to access the Internet from those systems at all.


sentry -> RE: Proxy Authentication (27.Mar.2008 4:53:40 AM)

Hi, Thanks for the response.

I have created the specific firewall rule which only allows AD group "Internet Users" access to protocols HTTP & HTTPS. This is blocking web traffic for the login which is used on the Point Of Sale computers. However, there appears to be no way of providing a different username to the proxy server without logging off the user and logging on as a different user. This isn't practical, as the generic login is required for the role the computer is performing. Is there a way to get the proxy server to prompt for a username and password when the user opens Internet Explorer and tries to browse external web content?

Jason Jones -> RE: Proxy Authentication (27.Mar.2008 7:12:58 AM)

You can change the default behaviour using the following article:

This will produce an authentication prompt when users are denied access and allow an alternate user to be defined...

However, if the POS runs under the same context as the user, I cannot see how you will be able to differentiate access rules between them. Can you not run the POS application under a specific user/service account to allow you to differentiate between the POS system and the actual user logged on?

Another option is to restrict access to a specific destination set that is required for the POS system - this will allow the POS to work, but restrict access to other websites when they share the same user ID. If the user then tries to browse to other websites they will be denied and the above change should produce an authentication prompt. So in theory you will have two rules as follows:

Rule 1: Allow web access for the POS system and limit to certain destinations - this will also be applied to the logged on user if using a shared account
Rule 2: Allow web access to all other websites for senior users by using a specific group
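
The two-rule layout described above can be sanity-checked with a small model before it is built on the proxy. This is an added example, not part of the thread and not ISA Server code: a simplified first-match evaluator in which the account names, hostnames and the `prompt_on_deny` switch (standing in for the changed denial behaviour) are all assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed sample data: account names and hostnames are placeholders.
POS_SITES = frozenset({"payments.pos-vendor.example"})
GROUPS = {"pos-generic": frozenset(), "senior1": frozenset({"Internet Users"})}

@dataclass(frozen=True)
class Rule:
    name: str
    destinations: Optional[FrozenSet[str]]  # None means any destination
    group: Optional[str]                    # None means any user

# Ordered as in the post: POS destinations first, then the senior-staff group.
RULES = (
    Rule("Rule 1", POS_SITES, None),
    Rule("Rule 2", None, "Internet Users"),
)

def evaluate(user, host, prompt_on_deny):
    """Model one proxied request: first matching allow rule wins."""
    for rule in RULES:
        if rule.destinations is not None and host not in rule.destinations:
            continue
        if rule.group is None or rule.group in GROUPS.get(user, frozenset()):
            return "ALLOW", rule.name
    # Nothing matched: deny outright, or challenge for other credentials
    # (in HTTP terms a 407 Proxy Authentication Required response).
    return ("PROMPT" if prompt_on_deny else "DENY"), None

def browse(logged_on_user, host, prompt_on_deny, alternate_user=None):
    """Model a browser session: retry once with credentials typed at the prompt."""
    outcome, rule = evaluate(logged_on_user, host, prompt_on_deny)
    if outcome == "PROMPT" and alternate_user is not None:
        outcome, rule = evaluate(alternate_user, host, prompt_on_deny)
    return outcome, rule

if __name__ == "__main__":
    for host in ("payments.pos-vendor.example", "news.example"):
        print(host, browse("pos-generic", host, True))
        print(host, browse("pos-generic", host, True, alternate_user="senior1"))
```

The model makes the dependency visible: without the prompt-on-deny behaviour, a senior user sitting at a POS machine under the generic login has no way to reach Rule 2.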



sentry -> RE: Proxy Authentication (6.Apr.2008 6:07:13 PM)


What is described in the MSDN article is exactly what I would like to happen. However, I am not a programmer. Is this easy to implement or will it need some programming knowledge?

Jason Jones -> RE: Proxy Authentication (7.Apr.2008 5:54:55 PM)

Just copy the sample code into a .vbs file and run it ;)

sentry -> RE: Proxy Authentication (8.Apr.2008 2:07:26 AM)

Thanks Jason,

Everything is working correctly now. Thanks heaps for the help.
