• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Anonymous access

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> Access Policies >> Anonymous access Page: [1]
Login
Message << Older Topic   Newer Topic >>
Anonymous access - 24.Feb.2011 1:28:27 AM   
william.spearman.ctr

 

Posts: 6
Joined: 2.Dec.2010
Status: offline
All,

I've inherited several Enterprise ISA 2006 servers. All configured with a single interface (cringe) and (so I've been told) installed to the same baseline.

It would appear from the firewall log files for one of the servers that connection attempts from the "Anonymous" user are being allowed through the firewall. There is a FW ACL to allow Anonymous connections to a wide range of sites (like CISCO.COM and many others) that allows the "All Users" user set. Does this mean that the Anonymous user is ALSO allowed? Is there a reason to have this ACL at all? The http/https rule allows access to the Domain Users user set. Does this not mean that after the two initial requests and the third request for authentication, tha the authenticated user will be allowed to connect regardless of the "Anonymous" web conneciton requirement? Domo for any enlightenment!
Post #: 1
RE: Anonymous access - 25.Feb.2011 7:41:58 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi William,

if the access rules are configured to All Users group, it means ISA is allowing any user, including anonymous. To make sure only authenticated users get access through ISA firewall, you must include a group from AD or RADIUS only.

The reason for some access rules allows anonymous access is that some websites, java applets in most cases, donīt work well with authentication proxies and keeping asking user to authenticate, even though the authentication already happend tranparently (in case of using Integrated Authentication).

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to william.spearman.ctr)
Post #: 2
RE: Anonymous access - 2.Apr.2011 5:53:14 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi,

By default, the first connection attemp will always be anonymous, IF the connection required authentication, the attemp will will and the user will be asked for authentication and hence the user will send his credentials. However, if you have the Condition ALL Users, and the connection attempt was granted, the user will never be asked to authenticate.

Read this article to understand how ISA Server process its access rules : Understanding the ISA 2004 Access Rule Processing

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to william.spearman.ctr)
Post #: 3

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Firewall] >> Access Policies >> Anonymous access Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts