Welcome to ISAserver.org

FBA with single NIC

FBA with single NIC - 27.Apr.2009 3:46:42 AM   
tstauffer2

 

Posts: 9
Joined: 29.Oct.2008
Status: offline
Hello everybody ...
Does anyone know about some limitations within a single-networked scenario regarding FBA? Is FBA supported in this scenario?

thanks
tom
Post #: 1
RE: FBA with single NIC - 27.Apr.2009 4:15:40 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Nope, FBA is fine with a single NIC deployment.

Single NIC does have other limitations however:

http://technet.microsoft.com/en-us/library/cc302678.aspx

What are you trying to achieve?

Cheers

JJ 

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tstauffer2)
Post #: 2
RE: FBA with single NIC - 28.Apr.2009 11:00:35 AM   
tstauffer2

 

Posts: 9
Joined: 29.Oct.2008
Status: offline
Hi Jason,
I have a very simple configuration:
I have a one-armed ISA with one web publishing rule.
The web client uses ISA as proxy server on port 80. The web publishing rule forwards the request to the web server depending on username and password
(local users on ISA server).
This works fine with HTTP Authentication in the listener, but not with HTML/FBA Authentication. I changed only the authentication method within the listener.

There is no Active Directory or DNS in this scenario.

Logging:

Denied Connection ISA2006 28.04.2009 16:56:43
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. 
Rule: web_publish
Source: (192.168.100.10)
Destination: (192.168.100.1:80)
Request: GET http://192.168.100.12/testweb/
Filter information: Req ID: 06c47754; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: http
User: anonymous

and then .... :

Denied Connection ISA2006 28.04.2009 16:56:43
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. 
Rule: web_publish
Source: (192.168.100.10)
Destination: (192.168.100.1:80)
Request: GET http://192.168.100.12/CookieAuth.dll?GetLogon?curl=httpZ3AZ2FZ2F192.168.100.12Z2FCookieAuth.dllZ3FGetLogon
Z3FcurlZ3DhttpZ5A3AZ5A2FZ5A2F192.168.100.12Z5A2FCookieAut
h.dllZ5A3FGetLogonZ5A3FcurlZ5A3DhttpZ5A5A3AZ5A5A2FZ5A5A2F
192.168.100.12Z5A5A2FtestwebZ5A5A2FZ5A26reasonZ5A3D0Z5A26f
ormdirZ5A3D3Z26reasonZ3D0Z26formdirZ3D3&reason=0&formdir=3

Filter information: Req ID: 06c4775a; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: http
User: anonymous

< Message edited by tstauffer2 -- 28.Apr.2009 11:06:38 AM >

(in reply to Jason Jones)
Post #: 3
RE: FBA with single NIC - 28.Apr.2009 11:56:09 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
What auth method are you using with FBA?

I assume you have enabled the "Allow authentication over HTTP" option?

It sounds like ISA is not domain joined?

What form error do you actually get?

I've done quite a few single-NIC FBA deployments for people who wanted ISA in a DMZ or as an internal authentication gateway and FBA behaved exactly the same as multi-homed... My ISA Servers are always domain joined though...

Cheers

JJ

< Message edited by Jason Jones -- 28.Apr.2009 11:57:14 AM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tstauffer2)
Post #: 4
RE: FBA with single NIC - 28.Apr.2009 4:04:48 PM   
tstauffer2

 

Posts: 9
Joined: 29.Oct.2008
Status: offline
Jason,

quote:

What auth method are you using with FBA?

I assume you have enabled the "Allow authentication over HTTP" option?

It sounds like ISA is not domain joined?

What form error do you actually get? 
 


- Validation method is "Windows (Active Directory)".
  If I am using HTTP Authentication I also use "Windows" and it is working.

- Yes, "allow auth over http" is enabled.

- No domain.

- I get an error in IE:
Error:  Server or DNS could not be found

-----

I also have no problems in a multihomed deployment, also without DNS or AD.

Which port did you use for the proxy and which port did you use for the web listener?
It must be the same. Is that right? I am using 80 for both.

---
What do you think about this GET? Could this be the reason for the denied connection as shown below? It is much too long...

Request: GET http://192.168.100.12/CookieAuth.dll?GetLogon?curl=httpZ3AZ2FZ2F192.168.100.12Z2FCookieAuth.dllZ3FGetLogon
Z3FcurlZ3DhttpZ5A3AZ5A2FZ5A2F192.168.100.12Z5A2F
CookieAuth.dllZ5A3FGetLogonZ5A3FcurlZ5A3DhttpZ5A5A3AZ5
A5A2FZ5A5A2F192.168.100.12Z5A5A2FCookieAuth.dllZ5A5A
3FGetLogonZ5A5A3FcurlZ5A5A3DhttpZ5A5A5A3AZ5A5A5A2F
Z5A5A5A2F192.168.100.12Z5A5A5A2FCookieAuth.dllZ5A5A5
A3FGetLogonZ5A5A5A3FcurlZ5A5A5A3DhttpZ5A5A5A5A3AZ
5A5A5A5A2FZ5A5A5A5A2F192.168.100.12Z5A5A5A5A2F
CookieAuth.dllZ5A5A5A5A3FGetLogonZ5A5A5A5A3FcurlZ5A
5A5A5A3DhttpZ5A5A5A5A5A3AZ5A5A5A5A5A2FZ5A5A5A
5A5A2F192.168.100.12Z5A5A5A5A5A2FCookieAuth.dllZ5A5
A5A5A5A3FGetLogonZ5A5A5A5A5A3FcurlZ5A5A5A5A5A3
DhttpZ5A5A5A5A5A5A3AZ5A5A5A5A5A5A2FZ5A5A5A5A5
A5A2F192.168.100.12Z5A5A5A5A5A5A2FCookieAuth.dllZ5A
5A5A5A5A5A3FGetLogonZ5A5A5A5A5A5A3FcurlZ5A5A5A5A5
A5A3DhttpZ5A5A5A5A5A5A5A3AZ5A5A5A5A5A5A5A2FZ5A5
A5A5A5A5A5A2F192.168.100.12Z5A5A5A5A5A5A5A2FCookie
Auth.dllZ5A5A5A5A5A5A5A3FGetLogonZ5A5A5A5A5A5A5A3Fc
urlZ5A5A5A5A5A5A5A3DhttpZ5A5A5A5A5A5A5A5A3AZ5A5A5
A5A5A5A5A5A2FZ5A5A5A5A5A5A5A5A2F192.168.100.12Z5A5
A5A5A5A5A5A5A2FCookieAuth.dllZ5A5A5A5A5A5A5A5A3FGetL
ogonZ5A5A5A5A5A5A5A5A3FcurlZ5A5A5A5A5A5A5A5A3DhttpZ

5A5A5A5A5A5A5A5A5A3AZ5A5A5A5A5A5A5A5A5A2FZ5A5A5A5
A5A5A5A5A5A2F192.168.100.12Z5A5A5A5A5A5A5A5A5A2FtestwebZ
5A5A5A5A5A5A5A5A5A2FZ5A5A5A5A5A5A5A5A26reasonZ5A5A5A
5A5A5A5A5A3D0Z5A5A5A5A5A5A5A5A26formdirZ5A5A5A5A5A5A
5A5A3D3Z5A5A5A5A5A5A5A26reasonZ5A5A5A5A5A5A5A3D0Z5A
5A5A5A5A5A5A26formdirZ5A5A5A5A5A5A5A3D3Z5A5A5A5A5A5A2
...........

(in reply to Jason Jones)
Post #: 5
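
Added example, not part of the original posts: the Request value from the log in post #3, unwrapped one curl layer at a time to count how often the logon redirect was itself wrapped in another logon redirect. The Z-plus-two-hex-digits escaping (Z3A for ':', Z5A for a literal 'Z') is inferred from the log lines in this thread, not taken from ISA documentation, and the function names are hypothetical.

```python
import re

# Assumption inferred from the thread's log: 'Z' + two hex digits encodes one
# character, and a literal 'Z' is written Z5A, so every nesting level adds "5A".
_Z_ESCAPE = re.compile(r"Z([0-9A-Fa-f]{2})")
_LOGON = re.compile(r"^[^?]*/CookieAuth\.dll\?GetLogon\?curl=([^&]*)", re.IGNORECASE)


def z_decode(value):
    """Undo exactly one layer of Zxx escaping (Z5A3A becomes Z3A, Z3A becomes ':')."""
    return _Z_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def unwrap_curl(url, max_depth=64):
    """Peel nested CookieAuth.dll?GetLogon?curl= layers.

    Returns (depth, innermost_url): depth 0 is not a logon redirect, depth 1 is
    a single redirect to the logon form, anything higher is a logon URL that
    was redirected to the logon form again.
    """
    depth = 0
    while depth < max_depth:
        match = _LOGON.match(url)
        if not match:
            break
        url = z_decode(match.group(1))
        depth += 1
    return depth, url


def is_logon_loop(url):
    """True when the logon redirect points back at the logon URL itself."""
    return unwrap_curl(url)[0] > 1


# Request value from the second log entry in post #3, forum line wraps joined.
LOGGED_REQUEST = (
    "http://192.168.100.12/CookieAuth.dll?GetLogon?curl=httpZ3AZ2FZ2F192.168.100.12Z2FCookieAuth.dllZ3FGetLogon"
    "Z3FcurlZ3DhttpZ5A3AZ5A2FZ5A2F192.168.100.12Z5A2FCookieAut"
    "h.dllZ5A3FGetLogonZ5A3FcurlZ5A3DhttpZ5A5A3AZ5A5A2FZ5A5A2F"
    "192.168.100.12Z5A5A2FtestwebZ5A5A2FZ5A26reasonZ5A3D0Z5A26f"
    "ormdirZ5A3D3Z26reasonZ3D0Z26formdirZ3D3&reason=0&formdir=3"
)

if __name__ == "__main__":
    depth, target = unwrap_curl(LOGGED_REQUEST)
    print(f"nesting depth={depth} original target={target} loop={is_logon_loop(LOGGED_REQUEST)}")
```

A depth of 1 is a single redirect to the logon form; the logged request unwraps to depth 3 with http://192.168.100.12/testweb/ at the centre, meaning the CookieAuth.dll URL was itself wrapped in further logon redirects.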
