Welcome to ISAserver.org


ISA Authentication paradox

All Forums >> [ISA Server 2000 General] >> General >> ISA Authentication paradox Page: [1]
ISA Authentication paradox - 5.May2005 6:23:00 PM   
Martinin
I am running ISA 2000 FP1 SP2 on a Windows 2000 SP4 server in a Windows 2000 domain (mixed mode).

I have disallowed Anonymous access by changing the default "site and content" rule and protocol rule to apply only to "domain users". I am not asking unauthenticated users for identification, as per the article Mr. Shinder published here. My question is, would it be possible to then allow anonymous access to the internet for either certain sites or programs? For example, is there a way to allow Lavasoft's Ad-aware to connect to its own download servers for updates? I know there are site and content rules for web pages, but should they work for an application, especially with the protocol rule being restricted to "domain users"? [Confused]
Post #: 1
RE: ISA Authentication paradox - 5.May2005 9:07:00 PM   
spouseele
Hi Jeff,

You should keep in mind that ISA processes the rules in the following order:

1. Deny rules applying to any request (anonymous).
2. Allow rules applying to any request (anonymous).
3. Deny rules applying to client address sets or users and groups (authenticated).
4. Allow rules applying to client address sets or users and groups (authenticated).

If you don't allow anonymous access and some Web applications can't authenticate, you'll have to create protocol and site&content rules which apply to client address sets.

If you don't like that solution you can also configure those particular destinations for direct access; make sure the Firewall client is installed on the internal clients and that the HTTP Redirector is disabled. For more info, check out http://www.isaserver.org/tutorials/The_Mystery_of_the_HTTP_Redirector_and_SiteContent_Rules.html .

HTH,
Stefaan

(in reply to Martinin)
Post #: 2
RE: ISA Authentication paradox - 5.May2005 9:37:00 PM   
Martinin
Unfortunately, this setup is in an educational environment and I am using Websense as a content filter. If I disable the HTTP redirector, then SecureNAT and firewall clients will not be filtered. The students once figured out that turning off the web proxy allowed them to surf unabated. Combine that with the fact that most of the student PCs are Windows 98, and locking them down is not exactly easy or consistent. I appreciate the reply though. [Frown]

(in reply to Martinin)
Post #: 3
RE: ISA Authentication paradox - 5.May2005 10:14:00 PM   
spouseele
Hi Jeff,

How is the HTTP redirector configured?
Can those applications be configured as Web Proxy clients or do they pickup the Web Proxy settings of IE?

HTH,
Stefaan

(in reply to Martinin)
Post #: 4
RE: ISA Authentication paradox - 5.May2005 10:38:00 PM   
Martinin
I am just using the default setup of "redirect to the local web proxy service." Ad-aware can use an HTTP proxy, but I do not think it is providing credentials. With the protocol rule only allowing "domain users" out, the attempt to update fails. If I allow anonymous access in the protocol rule, the update process works. I think the part that annoys me most is the fact that I can see the connection from ad-aware.exe in the ISA logs. I wish I could just "whitelist" the application.

(in reply to Martinin)
Post #: 5
RE: ISA Authentication paradox - 5.May2005 11:10:00 PM   
spouseele
Hi Jeff,

That's funny! You said that you require authentication on the protocol *and* site&content rule. Now you say that only changing the protocol rule back to anonymous solves the problem. [Confused]

What do you see *exactly* in the ISA Firewall *and* Web Proxy log? To get the most info out of them, make sure you have allowed the logging of all fields. We should find out first how the request is made: as from a Web Proxy, Firewall or SecureNAT client. The point is that if the request is redirected to the Web Proxy by the HTTP redirector then all authentication is lost!

Also, is the Firewall client installed on the internal workstations?

HTH,
Stefaan

(in reply to Martinin)
Post #: 6
RE: ISA Authentication paradox - 6.May2005 3:47:00 PM   
Martinin
The PCs are using the web proxy exclusively at this particular client. I am not opposed to using the firewall client if it will solve the issue at hand. That having been said, I am wary of the firewall client for fear that it will make connectivity too easy. The problem with IT in education is that you have to make sure the kids cannot do the things they are not supposed to be doing. Of course, when they do things on a PC that they are not supposed to be doing, the sysadmins get blamed for allowing them to do it. [Roll Eyes] Enough whining; here are the ISA logs for Ad-aware attempting to connect via web proxy and then attempting to connect via firewall client. This is from a test environment I have set up so that I can tinker with things and not affect the production environment. Yes, the server's name is "scum.pond.local". [Big Grin]

Web proxy
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2005-05-06 14:39:28
#Fields: c-ip cs-username c-agent sc-authenticated date time s-svcname s-computername cs-referred r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol cs-transport s-operation cs-uri cs-mime-type s-object-source sc-status s-cache-info rule#1 rule#2
10.1.1.21 BCollins Mozilla/3.0 AAW SE Y 2005-05-06 14:39:28 w3proxy SCUM - - - - - 204 - - TCP GET http://download.lavasoft.de/public/wu.dat - - 12202 0x0 - -
10.1.1.21 BCollins Mozilla/3.0 AAW SE Y 2005-05-06 14:39:28 w3proxy SCUM - - - - - 232 - - TCP GET http://download.lavasoft.de.edgesuite.net/public/wu.dat - - 12202 0x0 - -
10.1.1.21 BCollins Mozilla/3.0 AAW SE Y 2005-05-06 14:39:28 w3proxy SCUM - - - - - 190 - - TCP GET http://207.44.136.40/public/wu.dat - - 12202 0x0 - -
10.1.1.21 anonymous Mozilla/3.0 AAW SE N 2005-05-06 14:39:39 w3proxy SCUM - - - - - 142 - - TCP GET http://download.lavasoft.de/public/wu.dat - - 12209 0x0 - -
10.1.1.21 anonymous Mozilla/3.0 AAW SE N 2005-05-06 14:39:39 w3proxy SCUM - - - - - 170 - - TCP GET http://download.lavasoft.de.edgesuite.net/public/wu.dat - - 12209 0x0 - -
10.1.1.21 anonymous Mozilla/3.0 AAW SE N 2005-05-06 14:39:40 w3proxy SCUM - - - - - 128 - - TCP GET http://207.44.136.40/public/wu.dat - - 12209 0x0 - -

Firewall log

#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2005-05-06 14:39:28
#Fields: c-ip cs-username c-agent sc-authenticated date time s-svcname s-computername cs-referred r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol cs-transport s-operation cs-uri cs-mime-type s-object-source sc-status s-cache-info rule#1 rule#2 sessionid connectionid
10.1.1.21 bcollins Ad-Aware.exe:3:5.0 Y 2005-05-06 14:39:28 fwsrv SCUM - download.lavasoft.de 209.87.177.246 - 110 - - - - GHBN - - - 0 - Small Business Internet Access Protocol Rule Small Business Server Internet Access Site and Content Rule 2 0
10.1.1.21 bcollins Ad-Aware.exe:3:5.0 Y 2005-05-06 14:39:28 fwsrv SCUM - - 209.87.177.246 80 - - - 80 TCP Connect - - - 0 - Small Business Internet Access Protocol Rule - 2 1
10.1.1.21 bcollins Ad-Aware.exe:3:5.0 Y 2005-05-06 14:39:28 fwsrv SCUM - - 209.87.177.246 80 130 - 2011 80 TCP Connect - - - 20000 - Small Business Internet Access Protocol Rule - 2 1
10.1.1.21 bcollins Ad-Aware.exe:3:5.0 Y 2005-05-06 14:39:28 fwsrv SCUM - download.lavasoft.de.edgesuite.net 63.123.36.95 - 71 - - - - GHBN - - - 0 - Small Business Internet Access Protocol Rule Small Business Server Internet Access Site and Content Rule 2 0
10.1.1.21 bcollins Ad-Aware.exe:3:5.0 Y 2005-05-06 14:39:28 fwsrv SCUM - - 63.123.36.95 80 - - - 80 TCP Connect - - - 0 - Small Business Internet Access Protocol Rule - 2 2
10.1.1.21 bcollins Ad-Aware.exe:3:5.0 Y 2005-05-06 14:39:29 fwsrv SCUM - - 63.123.36.95 80 200 - 2011 80 TCP Connect - - - 20000 - Small Business Internet Access Protocol Rule - 2 2
10.1.1.21 bcollins Ad-Aware.exe:3:5.0 Y 2005-05-06 14:39:29 fwsrv SCUM - - 207.44.136.40 80 10 - - 80 TCP Connect - - - 0 - Small Business Internet Access Protocol Rule - 2 3
10.1.1.21 bcollins Ad-Aware.exe:3:5.0 Y 2005-05-06 14:39:29 fwsrv SCUM - - 207.44.136.40 80 190 - 2011 80 TCP Connect - - - 20000 - Small Business Internet Access Protocol Rule - 2 3

[ May 06, 2005, 04:41 PM: Message edited by: Jeff the NetworkGuy ]

(in reply to Martinin)
Post #: 7
RE: ISA Authentication paradox - 6.May2005 4:52:00 PM   
Martinin
I also created a site and content rule to allow access to 63.123.36.95, 207.44.136.40 and 209.87.177.249. This is in addition to the rule that allows access to *.lavasoft.de and *.download.lavasoft.de.edgesuite.net. Yes, they are two separate rules, since you are not supposed to mix IPs and URLs. Neither improved things, but at least I felt like I did something. [Wink] Either way, it seems like Ad-aware is creating an initial session to check the version of its definition file, and then, once it realizes that it is out of date, Ad-aware tries to contact a download server.

(in reply to Martinin)
Post #: 8
RE: ISA Authentication paradox - 6.May2005 10:40:00 PM   
spouseele
Hi Jeff,

If you look into the Web proxy log you see first three entries with sc-authenticated=Y and sc-status=12202. That means '403 Forbidden - The ISA Server denies the specified Uniform Resource Locator (URL)'. Next, you see three entries with sc-authenticated=N and sc-status=12209. That means 'HTTP 407 Proxy Authentication Required - The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. (12209)Internet Security and Acceleration Server'.

In the Firewall log sc-authenticated=Y and sc-status is GHBN (Get host by name request) or 0 (Operation had been successful) or 20000 (Connection terminated normally). However, for the entries with s-operation=connect I don't see a site&content rule (rule #2). So, that means to me that the application sends the request as a Firewall client request and it is then redirected by the HTTP Redirector to the Web Proxy. However, all authentication is lost at that moment and that might explain the sc-status=12209 in the Web Proxy log.

I think you have two ways to solve your problem:

1. Don't ask for authentication for the HTTP protocol. I assume here everybody may use the HTTP protocol. Next, configure that application as a Web Proxy client and make sure you have a site&content rule in place that allows anonymous access to the required destinations.

2. Make sure the Firewall client is installed and that the application is not configured as a Web Proxy client. In this case the protocol rule may require authentication. Next, make sure you have a site&content rule in place that allows anonymous access to the required destinations.

HTH,
Stefaan

(in reply to Martinin)
Post #: 9
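The log reading Stefaan gives in the post above, turned into a script. This is an added example, not code from the thread and not anything shipped with ISA Server: it parses ISA 2000 W3C-format log text using the #Fields header, decodes the two Web Proxy sc-status values quoted in the thread (12202 and 12209), picks out Firewall-service TCP/80 connects that matched a protocol rule but no site&content rule (Stefaan's indicator that the HTTP Redirector handed them to the Web Proxy), and pairs them with anonymous 12209 denials from the same client address shortly afterwards. The sample lines are a subset of the ones Jeff posted, re-encoded with the W3C convention of "+" for a space inside a field (an assumption about how the original log was written; the pasted copy has the spaces expanded) so that whitespace tokenization lines up with the header. The 30-second correlation window and the "rule#2 empty" heuristic are assumptions, not documented ISA behaviour.

```python
"""Triage ISA Server 2000 W3C logs for the "authentication lost at the HTTP
Redirector" pattern.  Added example, not code from the thread or from ISA."""
from datetime import datetime, timedelta

# Web Proxy sc-status numbers as explained in the thread.
WEB_PROXY_STATUS = {
    "12202": "403 Forbidden: ISA Server denies the URL (no site&content rule allowed it)",
    "12209": "407 Proxy Authentication Required: request reached the Web Proxy without credentials",
}

# Posted lines, re-encoded with '+' for in-field spaces (assumption, see lead-in).
WEB_PROXY_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Fields: c-ip cs-username c-agent sc-authenticated date time s-svcname s-computername cs-referred r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol cs-transport s-operation cs-uri cs-mime-type s-object-source sc-status s-cache-info rule#1 rule#2
10.1.1.21 BCollins Mozilla/3.0+AAW+SE Y 2005-05-06 14:39:28 w3proxy SCUM - - - - - 204 - - TCP GET http://download.lavasoft.de/public/wu.dat - - 12202 0x0 - -
10.1.1.21 anonymous Mozilla/3.0+AAW+SE N 2005-05-06 14:39:39 w3proxy SCUM - - - - - 142 - - TCP GET http://download.lavasoft.de/public/wu.dat - - 12209 0x0 - -
10.1.1.21 anonymous Mozilla/3.0+AAW+SE N 2005-05-06 14:39:40 w3proxy SCUM - - - - - 128 - - TCP GET http://207.44.136.40/public/wu.dat - - 12209 0x0 - -
"""

FIREWALL_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Fields: c-ip cs-username c-agent sc-authenticated date time s-svcname s-computername cs-referred r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol cs-transport s-operation cs-uri cs-mime-type s-object-source sc-status s-cache-info rule#1 rule#2 sessionid connectionid
10.1.1.21 bcollins Ad-Aware.exe:3:5.0 Y 2005-05-06 14:39:28 fwsrv SCUM - download.lavasoft.de 209.87.177.246 - 110 - - - - GHBN - - - 0 - Small+Business+Internet+Access+Protocol+Rule Small+Business+Server+Internet+Access+Site+and+Content+Rule 2 0
10.1.1.21 bcollins Ad-Aware.exe:3:5.0 Y 2005-05-06 14:39:28 fwsrv SCUM - - 209.87.177.246 80 - - - 80 TCP Connect - - - 0 - Small+Business+Internet+Access+Protocol+Rule - 2 1
10.1.1.21 bcollins Ad-Aware.exe:3:5.0 Y 2005-05-06 14:39:28 fwsrv SCUM - - 209.87.177.246 80 130 - 2011 80 TCP Connect - - - 20000 - Small+Business+Internet+Access+Protocol+Rule - 2 1
10.1.1.21 bcollins Ad-Aware.exe:3:5.0 Y 2005-05-06 14:39:29 fwsrv SCUM - - 207.44.136.40 80 10 - - 80 TCP Connect - - - 0 - Small+Business+Internet+Access+Protocol+Rule - 2 3
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.
    '-' (empty field) becomes '' and '+' inside a field decodes to a space."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("data line before #Fields header")
        tokens = line.split()
        if len(tokens) != len(fields):
            raise ValueError(f"{len(tokens)} tokens for {len(fields)} fields: {line[:50]}")
        rec = {f: ("" if t == "-" else t.replace("+", " ")) for f, t in zip(fields, tokens)}
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def redirected_http_connects(fw_records):
    """Firewall-service TCP/80 connects that carry a protocol rule (rule#1)
    but no site&content rule (rule#2): the Firewall service authenticated and
    passed them, and the HTTP Redirector, not a site&content rule, decided
    where they went next (heuristic taken from Stefaan's reading of the log)."""
    return [r for r in fw_records
            if r["s-svcname"] == "fwsrv"
            and r["s-operation"].lower() == "connect"
            and r["cs-protocol"] == "80"
            and r["rule#1"] and not r["rule#2"]]


def lost_authentication(fw_records, wp_records, window=timedelta(seconds=30)):
    """Pair each anonymous 12209 (407) in the Web Proxy log with a redirected
    Firewall-client connect from the same client address within `window`
    before it.  Each pair is one request that was authenticated at the
    Firewall service and reached the Web Proxy without credentials."""
    redirected = redirected_http_connects(fw_records)
    findings = []
    for wp in wp_records:
        if not (wp["s-svcname"] == "w3proxy" and wp["sc-status"] == "12209"
                and wp["sc-authenticated"] == "N"):
            continue
        earlier = [fw for fw in redirected
                   if fw["c-ip"] == wp["c-ip"]
                   and timedelta(0) <= wp["ts"] - fw["ts"] <= window]
        if earlier:
            findings.append({
                "client": wp["c-ip"],
                "firewall_user": earlier[0]["cs-username"],
                "application": earlier[0]["c-agent"],
                "url": wp["cs-uri"],
                "reason": WEB_PROXY_STATUS[wp["sc-status"]],
            })
    return findings


def triage(web_log=WEB_PROXY_LOG, fw_log=FIREWALL_LOG):
    """Summarise both logs: counts of the two Web Proxy outcomes, the number
    of redirected Firewall-client connects, and the correlated findings."""
    wp, fw = parse_w3c(web_log), parse_w3c(fw_log)
    return {
        "authenticated_403": sum(1 for r in wp if r["sc-status"] == "12202" and r["sc-authenticated"] == "Y"),
        "anonymous_407": sum(1 for r in wp if r["sc-status"] == "12209"),
        "redirected_connects": len(redirected_http_connects(fw)),
        "lost_auth": lost_authentication(fw, wp),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

On the sample, the one authenticated 12202 is the Web Proxy client attempt (the user is known, but no site&content rule let the URL through), and both 12209 lines pair with a Firewall-client connect for the same host a few seconds earlier, which is the redirect-and-lose-credentials path Stefaan describes. A hit in `lost_auth` is the signal that the fix lies in the HTTP Redirector or the client type, not in adding more site&content rules.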
RE: ISA Authentication paradox - 6.May2005 11:16:00 PM   
Martinin
I'm not sure I can do #1, but I may try it as an experiment. The problem is, if a user does not authenticate while utilizing HTTP, then they may not get filtered properly by Websense. Websense can contain various filtering policies which can be applied on a per-user basis, assuming Websense can tell who the user is.

(in reply to Martinin)
Post #: 10
RE: ISA Authentication paradox - 7.May2005 12:17:00 AM   
spouseele
Hi Jeff,

I have no experience with Websense but I have heard before that all requests should be authenticated for proper working. Now, if that application can *not* authenticate there is no solution with ISA 2000 if the HTTP Redirector must be configured with "redirect to the local web proxy service". I suggest you contact the vendor of that application to check out if that application can authenticate against a Web Proxy server.

BTW --- when Firewall client requests are redirected by the Web Proxy filter in ISA 2004 then the authentication info is passed through. That's a big improvement! [Smile]

HTH,
Stefaan

[ May 07, 2005, 12:18 AM: Message edited by: spouseele ]

(in reply to Martinin)
Post #: 11
RE: ISA Authentication paradox - 9.May2005 11:58:00 PM   
isawader
Just a follow up question. What would happen if a destination URL set has both IP and FQDN?

(in reply to Martinin)
Post #: 12