ISA 2006 Access Rule Issue - Blocking Anonymous User

ISA 2006 Access Rule Issue - Blocking Anonymous User - 29.Dec.2008 1:59:28 AM   
sgraham977

 

Posts: 3
Joined: 29.Dec.2008
Status: offline
I'm hoping someone can help me...we currently have an ISA 2006 server which is protecting our network from the outside world and have got a number of different rules in place on the firewall for this purpose.
 
One of the rules is to block a group called 'Blocked Users' from accessing anything externally.  This group has only got a few people in this group and the rule is to block only these people.  I have however, recently discovered that this rule is also blocking 'Anonymous' user somehow even though I haven't specified it to block the 'Anonymous' user.
 
This is causing some issues for us in that there are a couple of sites which use Java and use anonymous user to connect to it that are being blocked, which is causing issues as we need to connect to these sites.  One of the sites is the Vodafone site (Australia) which is for mobile phones etc.
 
When I disable this particular rule it works fine, but when I don't disable it, it just keeps displaying an ISA 'authentication' dialog box and just doesn't work.
 
Any help would be appreciated.
Post #: 1
RE: ISA 2006 Access Rule Issue - Blocking Anonymous User - 29.Dec.2008 5:46:09 PM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
The reason why you are seeing the ISA authentication prompt is that you are trying to access the website using local user credentials though you have selected Integrated authentication on the ISA web proxy. This requires you to log in with a Domain user to use it.

Your Java issue, which is sending anonymous requests, can be resolved (hopefully) by allowing "Require All users to authenticate" on the web proxy tab for the internal interface.

Remember, this will require all your client machines to be either Web proxy clients or Firewall Clients. You cannot have SecureNAT clients accessing the internet using this rule....







_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to sgraham977)
Post #: 2
RE: ISA 2006 Access Rule Issue - Blocking Anonymous User - 29.Dec.2008 8:12:23 PM   
sgraham977

 

Posts: 3
Joined: 29.Dec.2008
Status: offline
The reason we've got integrated authentication is because we want users to be able to browse the web without having to enter in their login details all the time.
 
I tried setting the option for 'Require all users to authenticate' but this didn't resolve the Java issue.
 
Is there anything else that I'm missing here for the Java site to work?  Do I need to change anything to allow Anonymous user?

(in reply to inderjeet)
Post #: 3
RE: ISA 2006 Access Rule Issue - Blocking Anonymous User - 30.Dec.2008 9:17:13 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
quote:

ORIGINAL: sgraham977

The reason we've got integrated authentication is because we want users to be able to browse the web without having to enter in their login details all the time.
 
I tried setting the option for 'Require all users to authenticate' but this didn't resolve the Java issue.
 
Is there anything else that I'm missing here for the Java site to work?  Do I need to change anything to allow Anonymous user?


I was able to reproduce the same issue in my test lab. Let me find a workaround.


(in reply to sgraham977)
Post #: 4
RE: ISA 2006 Access Rule Issue - Blocking Anonymous User - 30.Dec.2008 2:44:34 PM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
Run the ISA BPA in the following manner and send me the CAB file at isaissues@yahoo.com

ISA BPA can be downloaded and installed from the following location:
http://www.microsoft.com/downloads/details.aspx?FamilyID=d22ec2b9-4cd3-4bb6-91ec-0829e5f84063&DisplayLang=en

After installing this, please run the ISA Data Packager from the Start, Programs, ISA Server, ISA Tools menu. Select the ‘Collect data from one of the following repro scenarios’ radio button and select the ‘Basic Repro and Static Configuration’ option, select ‘Next’ and then ‘Start Data Collection’.

When the ISA Data Packager has initialized the various data captures you will be asked to press the Spacebar to start capturing data. This is going to capture a number of data outputs from a repro of the issue (network traces, ISA tracing output, ISA logs), so before running this and pressing the spacebar please get set up to repro the issue.

When you are ready to repro the issue, press the spacebar, repro the issue and then press the spacebar again to stop the captures. If you can, try to keep the time you are capturing quite short; that will help our analysis of the data.

The BPA will also gather config data from the ISA server that will help us understand your set-up and will output all the data captures to a file on the desktop called isapackage.cab.


(in reply to sgraham977)
Post #: 5
RE: ISA 2006 Access Rule Issue - Blocking Anonymous User - 31.Dec.2008 2:36:52 PM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
Workaround:

You can add it to your bypass rule by going to Configuration > Networks > Internal > Properties > Web Browser and adding *.vodafone.com.au to "Directly access these servers or domains".

But still run the trace and send it to me before you apply the above workaround....



(in reply to sgraham977)
Post #: 6
RE: ISA 2006 Access Rule Issue - Blocking Anonymous User - 8.Jan.2009 1:31:19 AM   
sgraham977

 

Posts: 3
Joined: 29.Dec.2008
Status: offline
I'm a bit reluctant to send the information collected through the data collector for security purposes as I don't really want to be sending sensitive information around on the internet.
 
Will it function sufficiently using the workaround you suggested?

(in reply to inderjeet)
Post #: 7
RE: ISA 2006 Access Rule Issue - Blocking Anonymous User - 8.Jan.2009 11:25:57 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
A workaround is a workaround......so, you may try it and see if it works. Moreover, I understand your concern. It's fine if you are not comfortable sending the data...

Contact Microsoft PSS to open a case for log analysis....

It might land up to me :)


(in reply to sgraham977)
Post #: 8
RE: ISA 2006 Access Rule Issue - Blocking Anonymous User - 8.Jan.2009 12:52:52 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi,

Check this: "An ISA server or Forefront Threat Management Gateway server requests credentials when client computers in the same domain use Internet Explorer to access Web sites that contain Java programs"

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to sgraham977)
Post #: 9
RE: ISA 2006 Access Rule Issue - Blocking Anonymous User - 8.Jan.2009 1:52:09 PM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
It's also doing kind of the same thing. The end goal is to allow access to the Java without getting the user authenticated. When you use "All Users" in the Users tab, ISA bypasses the authentication.

You may try using both and see which one works for you....

Hope that helps


(in reply to elmajdal)
Post #: 10
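
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not ISA Server code: a simplified model of ordered, first-match rule evaluation, showing why a deny rule scoped to a user group makes the proxy challenge an anonymous request, and why an "All Users" allow rule placed above it does not. The rule names, the "Domain Users" rule and the host names `www.vodafone.com.au` and `www.example.com` are constructed for illustration.

```python
# Simplified model of ordered, first-match proxy policy (assumption:
# a rule scoped to a user set cannot be evaluated without an identity).
from dataclasses import dataclass
from fnmatch import fnmatch

ALL_USERS = "All Users"   # a rule with this user set needs no identity

@dataclass
class Rule:
    name: str
    action: str   # "allow" or "deny"
    dest: str     # destination host pattern
    users: str    # ALL_USERS or a group name

def evaluate(rules, host, user_groups=None):
    """Return (result, rule name). user_groups is None when the request
    carries no credentials, as with the Java applet in this thread."""
    for r in rules:
        if not fnmatch(host, r.dest):
            continue                    # destination does not match
        if r.users == ALL_USERS:
            return r.action, r.name     # applies without knowing the user
        if user_groups is None:
            # The rule depends on who the user is, so the proxy has to
            # ask for credentials (HTTP 407) before it can decide.
            return "auth-required", r.name
        if r.users in user_groups:
            return r.action, r.name
    return "deny", "Default rule"

# Constructed policy resembling the one described in post #1.
policy = [
    Rule("Block 'Blocked Users'", "deny", "*", "Blocked Users"),
    Rule("Web access", "allow", "*", "Domain Users"),
]

# Same policy with an anonymous allow rule for the Java site on top.
fixed = [Rule("Java site, anonymous", "allow",
              "*.vodafone.com.au", ALL_USERS)] + policy

if __name__ == "__main__":
    print(evaluate(policy, "www.vodafone.com.au"))
    print(evaluate(fixed, "www.vodafone.com.au"))
    print(evaluate(fixed, "www.example.com", {"Domain Users"}))
```

In this model the anonymous allow rule matches before any identity is known, so members of 'Blocked Users' can also reach that one destination; keep such a rule scoped to the specific sites that need it.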
