• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

RE: Discussion of Anonymous Access article

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 General] >> General >> RE: Discussion of Anonymous Access article Page: <<   < prev  1 2 [3]
Login
Message << Older Topic   Newer Topic >>
RE: Discussion of Anonymous Access article - 4.Sep.2003 3:21:00 PM   
bernied

 

Posts: 25
Joined: 2.Jan.2002
Status: offline
[I tried to signin - - but could not--- even after requesting e-mailing of id & password??]

Tom.... I read your article on configuring ISA for disabling anonymous Outbound Access and set site and content rules accordingly.

Should I also set rules the same way for protocol access - i.e. blocking anonymous use??

Or is this overkill ?? !

(in reply to tshinder)
Post #: 41
RE: Discussion of Anonymous Access article - 4.Sep.2003 4:51:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Benie,

You can set user/group based controls on protocol rules, but you don't need to do it just to prevent anonynmous access. The Site and Content Rule will take care of that.

HTH,
Tom

(in reply to tshinder)
Post #: 42
RE: Discussion of Anonymous Access article - 11.Sep.2003 3:51:00 AM   
gubrazil

 

Posts: 9
Joined: 9.Aug.2002
From: Brazil
Status: offline
I read all the document but how I can block authentication pop-up window?

Sorry the English

News from Brazil ask to me!

Thanks all

(in reply to tshinder)
Post #: 43
RE: Discussion of Anonymous Access article - 13.Sep.2003 6:48:00 PM   
JohnBullinger

 

Posts: 53
Joined: 25.Apr.2003
From: Texas
Status: offline
Tom,

Thanks for all the help and information on the problems I was having. I now have it configured to use the AutoConfig and the configuration for disabling anonymous outbound access. It seems to be working good so far, Will find out for sure on Monday. I am hoping this will fix the problem I am having with some emails that come in have a logon box for every picture. This is really annoying to the users and me (I am the one who gets the calls!)

I did find it interesting how the Sessions view under Monitoring shows an Anonymous connection but when you have the Ask unauthenticated users box checked you do not get that.

Fill you in more if I run into any more problems.

(in reply to tshinder)
Post #: 44
RE: Discussion of Anonymous Access article - 14.Sep.2003 11:29:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by gubrazil:
I read all the document but how I can block authentication pop-up window?

Sorry the English

News from Brazil ask to me!

Thanks all

Hi GU,

Make sure the client is logged into the domain, and that you do not enable the "ask unauthenticated users to authetnicate" option in the Outgoing Web Requests listener.

HTH,
Tom

(in reply to tshinder)
Post #: 45
RE: Discussion of Anonymous Access article - 14.Sep.2003 11:31:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by TheBull:
Tom,

Thanks for all the help and information on the problems I was having. I now have it configured to use the AutoConfig and the configuration for disabling anonymous outbound access. It seems to be working good so far, Will find out for sure on Monday. I am hoping this will fix the problem I am having with some emails that come in have a logon box for every picture. This is really annoying to the users and me (I am the one who gets the calls!)

I did find it interesting how the Sessions view under Monitoring shows an Anonymous connection but when you have the Ask unauthenticated users box checked you do not get that.

Fill you in more if I run into any more problems.

Hi Bull,

That's interesting! But they're always logged, so whether they appear in the console is more of a cosmetic issue.

Thanks!
Tom

(in reply to tshinder)
Post #: 46
RE: Discussion of Anonymous Access article - 16.Sep.2003 2:41:00 AM   
bshoe24

 

Posts: 11
Joined: 25.Dec.2001
From: Las Vegas, NV USA
Status: offline
I had this exact same problem below.

I allowed out my servers for DNS lookup and I allowed out a "managers" global group.

Unusably slow and lots of websites wouldn't come up at all.

ISA was running latest updates.

Did you ever figure this out?

Brandon
__________________

"I turned off Ask Unauthenticated Users and changed my default allow S&C to check to see if a user is in a specific group and the web starting running really slow and did not work 99% of the time. I would get errors galore (they changed but mostly could not find sites).

My config is:

4 S&C Rules. One with the allow all but check users group access. I have 3 other Deny rules that are for Porn sites and ad blocking.

I also have protocol rules setup. The protocol rules check check for HTTP and HTTPS to see if a user is in a specific group. I have protocol rules for my servers and what not.

Any idea why this may not have worked? I didnt have a lot of time to troubleshoot it before the users came in. I checked my ISA Web Proxy log and I see a lot of 11004 and 12209 errors when I was trying o surf.

Any ideas please let me know.

THanks

John "

(in reply to tshinder)
Post #: 47
RE: Discussion of Anonymous Access article - 17.Sep.2003 3:56:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Brandon,

Sounds like a DNS configuration issue. How is your DNS server configured to resolve Internet host names and how is the firewall configured to support that?

What are the DNS settings on the firewall's interface(s)?

Thanks!
Tom

(in reply to tshinder)
Post #: 48
RE: Discussion of Anonymous Access article - 18.Sep.2003 1:14:00 AM   
benjas

 

Posts: 1
Joined: 18.Sep.2003
Status: offline
Hi Tom ...

For Mac, the ISA need this option for ask User/Pass and Domain in IE also in SAFARI or I am wrong

Regards
Ben

(in reply to tshinder)
Post #: 49
RE: Discussion of Anonymous Access article - 18.Sep.2003 2:47:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ben,

If you configure the firewall as described in the article, you NEVER need to enable that option.

HTH,
Tom

(in reply to tshinder)
Post #: 50
RE: Discussion of Anonymous Access article - 12.Apr.2004 7:15:00 PM   
vega

 

Posts: 2
Joined: 10.Apr.2004
From: Culver City
Status: offline
I have read both this article and the one related to the HTTP Redirector (S. Pouseele). I am curious as to what would be the recommened settings for the HTTP Redirector in this scenario? Do I disable it, let it redirect to the web service?. Ultimately I saw a combination of atributes from both articles.

My intention is to have validated access on the ISA box with the web proxy client and protocol control via the FC, but I also have servers with no logins to consider as Secure NAT clients.

Goals:
Clients: All Authenticate with proxy and Protocol control via FC
Securenat: Access to all HTTP and Required Protocols.

Thanks,
Carlos

(in reply to tshinder)
Post #: 51
RE: Discussion of Anonymous Access article - 16.Apr.2004 12:34:00 AM   
ScottJ

 

Posts: 6
Joined: 16.Apr.2004
From: Queensland, Australia
Status: offline
Hi,

I've followed the tutorial without problems (thanks Tom for another great doc). I want to stop some users from directly accessing the internet by turning the proxy server off in IE. If I don't setup a protocol rule for HTTP(80) and only allow port 8000 (our upstream proxy/content scanner) it breaks the integrated login. The password screen comes up and won't go away. If I enable port 80 for the users the integrated security works fine. I've got redirector turned off, I need some user to be able to bypass the proxy server.

Hope this makes sense

Thanks for any help.

Scott.

(in reply to tshinder)
Post #: 52
RE: Discussion of Anonymous Access article - 7.May2004 8:21:00 PM   
ewgny

 

Posts: 4
Joined: 24.Dec.2002
Status: offline
Greetings,
I have been trying to disable anonymous
access, so that the logs include usernames.
Easy enough, just changing the Default Site and Content rule
from any request to Domain Users.
Problem is that a few sites will not function. To get them to function,
I have to make a client address set with the IP addresses of the PCĂs that
need access to the few sites, and create a site and content rule for outbound access for that set.
ISA is a member Server set up in integrated mode on the perimeter of the internal network for proxy and server publishing
The computers are set up as Web proxy clients only, since they use ISA only as a proxy
I have tried using auto configuration
script for clients via GP. I tried using DHCP WPAD. Do I need to have the computers
configured as firewall clients as well ? Does the WPAD config work only if they are firewall clients as well ? Since the direct access for *.hotmail (in Client Configuration) still does not solve the outlookxpress/hotmail issue.
Also I am running Trend Micro IWSSS. So clients need to be configured with port 8081
to pass through trend scanning. Are there any articles on how to modify the
Routing.Script to give client a different port ?

Thanks
-Evan

(in reply to tshinder)
Post #: 53
RE: Discussion of Anonymous Access article - 9.May2004 8:29:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi BaanMan,

I believe there is a KB article on this issue. You might want to give PSS a call. Remember that ISA cannot see inside SSL connections, so you can't control the path that users use within allowed SSL sites, so don't include paths for allowed or blocked SSL sites.

HTH,
Tom

(in reply to tshinder)
Post #: 54
RE: Discussion of Anonymous Access article - 12.Mar.2005 12:04:00 AM   
xuttah

 

Posts: 2
Joined: 11.Mar.2005
Status: offline
Ok, so it's been awhile since anyone's posted here, but I'll give it a shot.

I have 2 customers, each with ISA 2000 SP1. I'm having the same problem on each, in that I cannot seem to enforce Site & Content Rules via Groups. Here are my current rules:

Site & Content Rules:
- Allow All Destinations to "Unrestricted_Web_Users"
- Allow All Destinations to Client Set "Servers"
- Allow Selected Destinations w/ specified Dest. Set to "Restricted_Web_Users"
- Deny Selected Destintations w/ specified Dest. Set to All Requests

Procotol Rules:
- Allow All Protocols to "Domain Users"
- Allow All Protocols to Client set "Servers"

I have unchecked "Ask User for Authentication" also. Any help is greatly appreciated. Thanks!

(in reply to tshinder)
Post #: 55
RE: Discussion of Anonymous Access article - 15.Mar.2005 4:38:00 PM   
xuttah

 

Posts: 2
Joined: 11.Mar.2005
Status: offline
To provide additional info:

- All sessions on ISA are seen as "anonymous"
- Clients can surf anywhere, regardless of whether an ISA client is present & enabled, or if Web Proxy is set via Internet Explorer.

(in reply to tshinder)
Post #: 56

Page:   <<   < prev  1 2 [3] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 General] >> General >> RE: Discussion of Anonymous Access article Page: <<   < prev  1 2 [3]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts