From: Chandler, AZ
We have been running ISA Server 2000 since 2003 and we are trying to upgrade to ISA Server 2006 std. We tried the migration several times (2000 to 2004 to 2006), but ended up with corruption problems on the Firewall rules. We did a clean install of 2006 and manually configured all of the firewall rules. The access piece to outside Web sites seems to be working OK. I am not sure how I should set up the authentication for domain users. Users are assigned domain accounts and passwords, but we do not join their PCs to the domain. On 2000, a user gets a pop up login box to their first Web site access and they enter their account name and password. They do not need to enter login creditials again for accesses to other Web sites. The ISA server is set up with two network interfaces and we are using NAT for accesses to non-Web sites.
I would like to duplicate the operation of 2006 the same as 2000, but the authentication settings are different. Does anyone have any recommendations on where/what the authentication settings should be? On 2000, for the Web listener, we have both the Basic and Integrated boxes checked. All user PCs are set up to point to the ISA Web Proxy server on port 8080. I want to set up the authentication such that any new PC attached to the network will not be able to get Web access without entering a valid account and password.
ISA firewall configured as a forward proxy webserver with integrated authentication?
It depends on the configuration of your infrastructure, and be sure to look again at your diagram within your organization. Quite frankly i am not sure, there are many possibilities (LDAP or Radius). This document should enlighten you: ISA 2006 authentication http://technet.microsoft.com/en-us/library/bb794722.aspx "When ISA Server is configured to require authentication, because a publishing rule applies to a specific user set or All Authenticated Users, or a Web listener is configured to Require all users to authenticate, ISA Server validates the credentials before forwarding the request." Then read this one: "Customizing HTML Forms in ISA Server 2006" http://technet.microsoft.com/en-us/library/bb794733.aspx
Both of these docs should hopefully help you to do what you need to do without restructuring your organization.
And for a configuration, may I suggest this link, if this is of any help:
From: Chandler, AZ
Thanks for the info. I will take a look at all 3 articles that you referenced. I don't think we would need LDAP or Radius for authentication since we are not using those methods with our current ISA Server 2000. I am assuming that I need to make all authentication changes under: configuration/networks/internal/Web Proxy/Authentication
Under Firewall Policy/Network Objects, I see a Web Listener tab, but I assuime that is for configuring the Web listener for incoming requests from the Internet.
It seems that my options center around the options for Basic, Integrated, or both and the user type of "all users" or "authenticated users" under the Firewall Policy for HTTP access.
Am I missing anything else that I should be looking at?