RE: Discussion of Anonymous Access article

RE: Discussion of Anonymous Access article - 20.Aug.2003 9:35:00 PM   
Guest
Well it seems that WMP 9.0 has a problem with this, as I read a post on this earlier searching the site. Looking at the log files, WMP is not sending the credentials along with the request. It's going out as anonymous. And the non-anonymous S&C rule is doing its job.

I have an XP box with WMP v.8 and it works fine sending credentials to the proxy service.

The only way I can get Real Player and WMP v9 to all work together was to use the following config. Please take a look at it and see if there is a better way, as I'm not able to force everybody to be a proxy client. They can still access the internet without being one. You'll see why that's the case when you look at the setup.

Config:
Client running Firewall client software.

3 S&C rules (EXACT config)
Allow Domain Users - All Destinations, Always, Allowed, applied to Domain Users, and all content.

Allow Servers - all destinations, always, allowed, applied to client address set of the DNS, web, ftp, etc. servers, and all content.

wack porn - applied to destination set, always, denied with a redirection, applied to ANY request, and all content.

HTTP redirector is disabled. (The only way I've found that allowed Real Player and WMP v.9 to work AND didn't allow the non-web proxy clients to bypass the wack porn S&C rule.)

Real Player and WMP v.9 are configured not to use a proxy (WMP v.8 doesn't matter if you configure it to use a proxy or not.)

My goals were 1. to allow Real Player and WMP to work and 2. for there to be User info in the web proxy log files and 3. to force ALL users to be a web proxy client in order to get access to the internet and 4. to disallow users to as much porn as I can.

I got 3 out of 4. I wasn't able to force users to be proxy clients in order to access the internet because I disabled the HTTP redirector, thus allowing my Firewall clients access.

Doing research for this problem eased my mind a little when I saw titles on this website like "Mystery of the HTTP Redirector" and "How to give yourself a headache" etc...

Please correct anything I've said that may be wrong, as I don't want to confuse anybody. This configuration is the only thing that I could come up with to try and meet all my goals. If there is something better, I'm all eyes.

Thanks for reading.

(in reply to tshinder)
  Post #: 21
RE: Discussion of Anonymous Access article - 21.Aug.2003 4:53:00 AM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
macruz wrote:
quote:
Now, I kept on getting random requests for authentication! Even on msn.com I would get 2 requests for authentication. I would cancel out of 'em, but they kept on coming back. So, I deleted the S&C wack porn rule, and guess what? No more request for authentication. Recreated it and now it requests authentication.
Hi macruz,

This is documented in Microsoft knowledge base article 297324. It says:

quote:
SYMPTOMS
When a destination set is configured, the client receives an HTTP 407 error for each domain that is restricted. As a result, the client browser is prompted for authentication. If the destination that is set is restricted to a domain that contains multiple links to other domains, an authentication dialog box appears for each unauthorized link.

This appears to happen if the following are true:

1. You don't have any anonymous access rules (the point of Tom's article).
2. You have a deny destination set.
3. Somebody visits a site that contains one or more links to destinations you have denied.

Rather than deny, you should try a redirect. Enabling the registry key mentioned in the KB article is too restrictive for my taste.

HTH,

Bill

(in reply to tshinder)
Post #: 22
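
Added example, not written by any poster in this thread: a Python script that reads a W3C-style Web Proxy log and reports the conditions discussed in the two posts above, namely clients that are challenged but never authenticate (the WMP 9 case), destinations that draw 407 challenges (the KB 297324 case), and anonymous requests that were still let through. The field names, the "anonymous" user name and the sample lines are assumptions constructed for illustration; match them to your own log's #Fields header.

```python
from collections import Counter

# Constructed sample: tab-separated records under a "#Fields:" directive.
# Field names and the literal "anonymous" user name are assumptions.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tcs-username\tc-agent\tr-host\tsc-status",
    "10.0.0.21\tanonymous\tMozilla/4.0 (compatible; MSIE 6.0)\twww.example.com\t407",
    "10.0.0.21\tCORP\\alice\tMozilla/4.0 (compatible; MSIE 6.0)\twww.example.com\t200",
    "10.0.0.22\tanonymous\tWindows-Media-Player/9.00.00.2980\tmedia.example.net\t407",
    "10.0.0.22\tanonymous\tWindows-Media-Player/9.00.00.2980\tmedia.example.net\t407",
    "10.0.0.21\tanonymous\tMozilla/4.0 (compatible; MSIE 6.0)\tads.blocked.example\t407",
    "10.0.0.21\tanonymous\tMozilla/4.0 (compatible; MSIE 6.0)\tads.blocked.example\t407",
    "10.0.0.30\tanonymous\tServerAgent/1.0\tupdate.example.org\t200",
])

def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no records
        elif fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, values))

def analyze(records, anon_name="anonymous", auth_statuses=("407",)):
    """Summarize authentication behaviour per client and per destination."""
    challenged, authenticated = set(), set()
    allowed_anonymous, challenges_by_host = [], Counter()
    for r in records:
        client = (r["c-ip"], r["c-agent"])
        is_anon = r["cs-username"].strip().lower() in ("", "-", anon_name)
        if r["sc-status"] in auth_statuses:
            # The proxy demanded credentials for this request.
            challenged.add(client)
            challenges_by_host[r["r-host"]] += 1
        elif is_anon and r["sc-status"][:1] in ("2", "3"):
            # Served without a user name: some rule still permits anonymous access.
            allowed_anonymous.append((r["c-ip"], r["r-host"]))
        if not is_anon:
            authenticated.add(client)
    return {
        "allowed_anonymous": allowed_anonymous,
        # Challenged at least once but never seen with a user name.
        "never_authenticated": challenged - authenticated,
        "challenges_by_host": challenges_by_host,
    }

if __name__ == "__main__":
    for name, value in analyze(parse_w3c(SAMPLE_LOG)).items():
        print(name, value)
```
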
RE: Discussion of Anonymous Access article - 21.Aug.2003 5:07:00 AM   
Guest
Thank you Mr. Stewart. I'll take a look at the Q article.

(in reply to tshinder)
  Post #: 23
RE: Discussion of Anonymous Access article - 21.Aug.2003 3:12:00 PM   
ilya_f

 

Posts: 19
Joined: 22.Feb.2002
Status: offline
Hi all,

I have "ask unauthenticated" unchecked, by default. I have default S&C rule. And I have my custom protocol rules. Protocol rules define what windows groups can use what protocols. I suppose it's enough to disable anonymous access, isn't it? Protocol rules more restrictive in my situation. Is it necessary to change default S&C rule here?

I don't feel like changing default S&C rule because I have several servers (NAT clients) so for me it is complex procedure.

And, finally, what does this checkbox ("ask unauthenticated") mean?

Ilya.

(in reply to tshinder)
Post #: 24
RE: Discussion of Anonymous Access article - 21.Aug.2003 3:42:00 PM   
JohnBullinger

 

Posts: 53
Joined: 25.Apr.2003
From: Texas
Status: offline
I turned off Ask Unauthenticated Users and changed my default allow S&C to check to see if a user is in a specific group and the web started running really slow and did not work 99% of the time. I would get errors galore (they changed but mostly could not find sites).

My config is:

4 S&C Rules. One with the allow all but check users group access. I have 3 other Deny rules that are for Porn sites and ad blocking.

I also have protocol rules setup. The protocol rules check for HTTP and HTTPS to see if a user is in a specific group. I have protocol rules for my servers and what not.

Any idea why this may not have worked? I didn't have a lot of time to troubleshoot it before the users came in. I checked my ISA Web Proxy log and I see a lot of 11004 and 12209 errors when I was trying to surf.

Any ideas please let me know.

Thanks

John

(in reply to tshinder)
Post #: 25
RE: Discussion of Anonymous Access article - 21.Aug.2003 3:46:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi John,

What ISA client type are you using?

How are you supporting DNS name resolution for your clients?

Thanks!
Tom

(in reply to tshinder)
Post #: 26
RE: Discussion of Anonymous Access article - 21.Aug.2003 8:20:00 PM   
tpo

 

Posts: 3
Joined: 21.Aug.2003
From: Denmark
Status: offline
After I have read your excellent article: "Disabling Anonymous Outbound Access in ISA Server 2000", I decided to follow your advice, and disabled anonymous outbound access.

But now I have a problem: When I access OWA on a foreign domain, it keeps asking for username and password.

(in reply to tshinder)
Post #: 27
RE: Discussion of Anonymous Access article - 21.Aug.2003 8:52:00 PM   
tpo

 

Posts: 3
Joined: 21.Aug.2003
From: Denmark
Status: offline
quote:
Originally posted by tpo:
After I have read your excellent article: "Disabling Anonymous Outbound Access in ISA Server 2000", I decided to follow your advice, and disabled anonymous outbound access.

But now I have a problem: When I access OWA on a foreign domain, it keeps asking for username and password.

I have found a solution, a Site and Content Rule allowing anonymous access to that particular site.

Is there a better solution?

(in reply to tshinder)
Post #: 28
RE: Discussion of Anonymous Access article - 21.Aug.2003 9:19:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi tpo,

Read my response to another poster earlier in this thread. (Lesson: Read entire thread before posting more questions. [Smile] )

HTH,

Bill

(in reply to tshinder)
Post #: 29
RE: Discussion of Anonymous Access article - 21.Aug.2003 9:49:00 PM   
tpo

 

Posts: 3
Joined: 21.Aug.2003
From: Denmark
Status: offline
quote:
Originally posted by Bill Stewart:
Hi tpo,

Read my response to another poster earlier in this thread. (Lesson: Read entire thread before posting more questions. [Smile] )

HTH,

Bill

I have read your post about Q297324, and applied ISA Service Pack 1, and:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3proxy\Parameters
Value Name: ReturnDeniedIfAuthenticated
Data Type: REG_DWORD
Radix: Hex
Value Data: 1

Now OWA loads, but no messages are displayed (error on page, access denied).

Regards

Thomas

(in reply to tshinder)
Post #: 30
RE: Discussion of Anonymous Access article - 22.Aug.2003 6:09:00 PM   
JohnBullinger

 

Posts: 53
Joined: 25.Apr.2003
From: Texas
Status: offline
quote:
Originally posted by tshinder:
Hi John,

What ISA client type are you using?

How are you supporting DNS name resolution for your clients?

Thanks!
Tom

Tom,
The clients are configured for both Web Proxy and Firewall clients. I have an internal DNS server that forwards requests on to other DNS servers on the Internet for any site it does not have in its database. I also have the http redirector configured for disabled.

[ August 22, 2003, 06:11 PM: Message edited by: TheBull ]

(in reply to tshinder)
Post #: 31
RE: Discussion of Anonymous Access article - 22.Aug.2003 6:20:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi John,

Configure the Web Proxy clients to use the autoconfiguration script and see what happens.

HTH,
Tom

(in reply to tshinder)
Post #: 32
RE: Discussion of Anonymous Access article - 22.Aug.2003 11:48:00 PM   
JohnBullinger

 

Posts: 53
Joined: 25.Apr.2003
From: Texas
Status: offline
quote:
Originally posted by tshinder:
Hi John,

Configure the Web Proxy clients to use the autoconfiguration script and see what happens.

HTH,
Tom

I spent several hours with Microsoft trying to get the autoconfiguration script to work and it doesn't work. I don't really understand how that would fix the problem anyways? Wouldn't the autoconfig script just set them up to use the proxy server? All my users already have that configured through GPO.

(in reply to tshinder)
Post #: 33
RE: Discussion of Anonymous Access article - 27.Aug.2003 2:37:00 PM   
ilya_f

 

Posts: 19
Joined: 22.Feb.2002
Status: offline
Hi all,

May anyone answer my question posted August 21, 2003 03:12 PM? My English is not very good, I will try to repeat in other words if needed...

Ilya

(in reply to tshinder)
Post #: 34
RE: Discussion of Anonymous Access article - 28.Aug.2003 9:02:00 PM   
BaanMan

 

Posts: 20
Joined: 15.Apr.2002
From: Germany
Status: offline
hello 2 @ll,

I've tried for 2 weeks with several configurations but I don't get a solution.

Here my problem.

Always when I create a S&C Rule for authenticated access for a User-Group (AD), all things are fine till the clients surf to SSL-Sites. After browsing some SSL-Sites the WebProxyService crashes and stops working!
I think it's a problem with the urlcache - in eventlog are messages that the urlcache failed to initialize. I had read something in MS KB to give permission to the UserGroup to the urlcache-directory on the ISA-Box, but it still does not work!

Any ideas ?

So long BaanMan

(in reply to tshinder)
Post #: 35
RE: Discussion of Anonymous Access article - 28.Aug.2003 9:10:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by TheBull:
quote:
Originally posted by tshinder:
Hi John,

Configure the Web Proxy clients to use the autoconfiguration script and see what happens.

HTH,
Tom

I spent several hours with Microsoft trying to get the autoconfiguration script to work and it doesn't work. I don't really understand how that would fix the problem anyways? Wouldn't the autoconfig script just set them up to use the proxy server? All my users already have that configured through GPO.
Hi Bull,

There is a big difference between using the autoconfig script and just configuring it to use the proxy address. For example, check out my article on configuring Web Proxy clients for Direct Access. You don't have this kind of flexibility without the autoconfig script. You can configure Group Policy to assign them the address of the autoconfig script. I do this all the time and it works great (one of the few AD things that work great, IMO :-)

HTH,
Tom

(in reply to tshinder)
Post #: 36
RE: Discussion of Anonymous Access article - 28.Aug.2003 9:12:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Finkelstain, Ilya:
Hi all,

I have "ask unauthenticated" unchecked, by default. I have default S&C rule. And I have my custom protocol rules. Protocol rules define what windows groups can use what protocols. I suppose it's enough to disable anonymous access, isn't it? Protocol rules more restrictive in my situation. Is it necessary to change default S&C rule here?

I don't feel like changing default S&C rule because I have several servers (NAT clients) so for me it is complex procedure.

And, finally, what does this checkbox ("ask unauthenticated") mean?

Ilya.

Hi Ilya,

Do it EXACTLY how I mention in the article. The methods I use in the article are standard for dozens of organizations I've set up and it ALWAYS works.

HTH,
Tom

(in reply to tshinder)
Post #: 37
RE: Discussion of Anonymous Access article - 28.Aug.2003 9:14:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by BaanMan:
hello 2 @ll,

I've tried for 2 weeks with several configurations but I don't get a solution.

Here my problem.

Always when I create a S&C Rule for authenticated access for a User-Group (AD), all things are fine till the clients surf to SSL-Sites. After browsing some SSL-Sites the WebProxyService crashes and stops working!
I think it's a problem with the urlcache - in eventlog are messages that the urlcache failed to initialize. I had read something in MS KB to give permission to the UserGroup to the urlcache-directory on the ISA-Box, but it still does not work!

Any ideas ?

So long BaanMan

Hi BaanMan,

Keep in mind that if you have a path in the Destination Sets that you're limiting users' access to, then the firewall will block the connection. Since the connection is tunneled in an SSL tunnel between the SSL server and client, how could the firewall determine the path? Since you're limiting the client's access on a path basis, the firewall decides to play it safe.

HTH,
Tom

(in reply to tshinder)
Post #: 38
RE: Discussion of Anonymous Access article - 3.Sep.2003 5:39:00 PM   
JohnBullinger

 

Posts: 53
Joined: 25.Apr.2003
From: Texas
Status: offline
quote:
Originally posted by tshinder:
quote:
Originally posted by TheBull:
quote:
Originally posted by tshinder:
Hi John,

Configure the Web Proxy clients to use the autoconfiguration script and see what happens.

HTH,
Tom

I spent several hours with Microsoft trying to get the autoconfiguration script to work and it doesn't work. I don't really understand how that would fix the problem anyways? Wouldn't the autoconfig script just set them up to use the proxy server? All my users already have that configured through GPO.
Hi Bull,

There is a big difference between using the autoconfig script and just configuring it to use the proxy address. For example, check out my article on configuring Web Proxy clients for Direct Access. You don't have this kind of flexibility without the autoconfig script. You can configure Group Policy to assign them the address of the autoconfig script. I do this all the time and it works great (one of the few AD things that work great, IMO :-)

HTH,
Tom

Two questions/comments. I guess the problem I am having then is I cannot seem to follow all the ways of doing things. What I mean is I read articles on here on how to configure your ISA server and to get everything I want it seems some end up contradicting themselves.

Can you recommend a good tutorial or article on how to properly configure the autoconfig script to work with ISA? As I mentioned I spent quite some time working on it and I could not get it to work for me. This is most likely due to my limited knowledge of the AutoConfig script.

Thanks

John

(in reply to tshinder)
Post #: 39
RE: Discussion of Anonymous Access article - 3.Sep.2003 6:53:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi John,

You just enter the autoconfig script address in the browser, such as one of mine:

http://HARDNAD2050.tacteam.net:8080/array.dll?Get.Routing.Script

This can be done manually, via IEAK, or via Group Policy.

You don't create the autoconfig script, it's automatically generated by the ISA Server and sent to the client when it requests it. The settings you create in the clients node and in other places on the ISA Server determine the contents of the autoconfig script.

Unless you have some very special requirements, there is no reason to write your own proxy config script.

HTH,
Tom

(in reply to tshinder)
Post #: 40
