Problem with a rule (Full Version)



Gman1108 -> Problem with a rule (15.May2008 4:12:53 PM)

Hi all,

I've posted this somewhere else on the forum, but no one could help. Can someone from here give me some help? Or maybe point me in the right direction?

First post here, and also a newbie with ISA. I've created many firewall access rules and objects too. But anything too advanced, then I'm outa my depth. Here goes...

I've got ISA 2004. It's being used as a web proxy for our LAN users. So far so good.

But, I've got a rule that's been in place since day one that captures users on the LAN and points them to 'external' for web access. I've set the users to 'authenticated Users'. We've got Surf Control looking after the 'white list' of sites they can access.

Now, all is fine, but for some reason when we want to listen to internet radio, here in the UK, we can get to the site, then navigate to the iPlayer (BBC) but that's as far as we get.

There's no error as such, it just doesn't do anything.

By looking at the monitor on the ISA, I can see the request hitting the web access rule and all is good, it allows the request.

But, once we get to the part that enables you to press play, I see a denied connection on the ISA monitor. I've noticed that when the ISA allows the connection, it shows the user name, but when it denies the connection it shows the user as 'anonymous'.

Why is this? It's the same user from the same PC. I don't get it.

For your info, I've got two ISAs in line and when I point this PC to the other ISA it works just fine.

Can any one of you guys please offer me some advice as to where I might need to start looking?

Thanks very much.




pwindell -> RE: Problem with a rule (16.May2008 2:19:25 PM)

The "internet radio" probably requires the Firewall Client to be installed.  It is probably using protocols beyond HTTP/HTTPS.  Your media player most likely needs to not use the browser's proxy settings.  In Windows Media Player this is done by setting it to "none" instead of "browser".

The denied anonymous entries are probably not the problem. They are always there.  Some things attempt to connect first without credentials (anonymous) until the ISA denies them and asks for credentials,..they then present the credentials on the second attempt and continue on.

Having back-to-back ISAs can further complicate things. I can't help you there,..I do not,..and probably never will,...run a back-to-back DMZ.
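
The pattern described in the reply above, an anonymous denial followed by an authenticated retry, can be separated from denials that are never retried with credentials. This is an added example, not part of the original thread; the log layout, host names, user names and the 5-second window are constructed assumptions, not real ISA Server log output.

```python
from datetime import datetime

# Constructed sample, NOT real ISA Server log output. Assumed layout:
# time, client IP, user, destination, action (whitespace-separated).
SAMPLE_LOG = r"""
2008-05-15T16:10:01 10.0.0.25 anonymous radio.example.test:80 Denied
2008-05-15T16:10:01 10.0.0.25 CORP\gman radio.example.test:80 Allowed
2008-05-15T16:10:40 10.0.0.25 anonymous media.example.test:1755 Denied
2008-05-15T16:10:45 10.0.0.25 anonymous media.example.test:1755 Denied
2008-05-15T16:11:02 10.0.0.31 anonymous www.example.test:80 Denied
2008-05-15T16:11:03 10.0.0.31 CORP\alice www.example.test:80 Allowed
"""


def parse(log_text):
    """Turn each non-blank line into (time, client, user, dest, action)."""
    records = []
    for line in log_text.splitlines():
        if line.strip():
            ts, client, user, dest, action = line.split()
            records.append((datetime.fromisoformat(ts), client,
                            user.lower(), dest, action.lower()))
    return records


def unresolved_denials(log_text, window_s=5):
    """Return anonymous denials with no authenticated retry.

    A denial counts as handshake noise when the same client reaches the same
    destination as a named user within window_s seconds. Whatever is left is
    traffic that never presented credentials.
    """
    records = parse(log_text)
    unresolved = []
    for ts, client, user, dest, action in records:
        if user != "anonymous" or action != "denied":
            continue
        retried = any(
            c == client and d == dest and u != "anonymous" and a == "allowed"
            and 0 <= (t - ts).total_seconds() <= window_s
            for t, c, u, d, a in records
        )
        if not retried:
            unresolved.append((ts.isoformat(), client, dest))
    return unresolved


if __name__ == "__main__":
    for row in unresolved_denials(SAMPLE_LOG):
        print(*row)
```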




Gman1108 -> RE: Problem with a rule (19.May2008 5:32:00 AM)

Hi Phillip,

Thanks for your advice on this.

Thing is, it was working up until recently, yet nothing's been changed.

But, when I point the PC to the second ISA (closest to the external lines, if you like) it works just fine.

When I check which this uses, it's the rule that states 'All Users' and not 'Authenticated Users'.

I've checked to make sure this person is logged onto the domain correctly and that he's not been ignoring change network passwords etc, and all is just fine.

Do you have any other thoughts I could try?

Thanks.




pwindell -> RE: Problem with a rule (19.May2008 9:23:24 AM)

A client cannot "use" the outermost ISA without literally moving the Client into the DMZ segment between the ISAs. If you haven't done that then you probably did not create the situation that you thought you created.

The two ISAs operated independently and there is no way that users can use the outermost ISA the same way they use the innermost ISA,..so the way one ISA behaves really doesn't have much to do with the way that the other one does.

Because Clients can operate as Web Proxy Clients, Firewall Clients, and SecureNAT Clients all at the same time and use one function or the other at any given moment that varies with what function is actually being performed (and how)  you have to really keep track of what you are doing in each situation.

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc





Gman1108 -> RE: Problem with a rule (19.May2008 4:17:37 PM)

Thanks for the links, very useful...I'll take a good look.



