
Welcome to ISAserver.org


ISA 2004 - Anonymous Access

ISA 2004 - Anonymous Access - 20.Jun.2005 10:15:00 PM   
wjaf

 

Posts: 6
Joined: 20.Jun.2005
From: Australia
Status: offline
I have a requirement for one or two computers to have full anonymous access through ISA's web proxy.

I have set them up in their own network set and have set the "Require users to authenticate" checkbox to off.

The 1st rule is to allow any protocol access to any destination from that network. (once I get this actually working, I will restrict it to the couple sites required).

Now, the ISA server drops every packet from the host computer like a hot potato with a result code of 0cv0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED.

We are running a 1 NIC configuration, so the firewall client is out of the question. Don't tell me to put in a 2nd card... I would have but I don't make the decision and I already consider management idiots for using ISA in the first place for their proxy. I wouldn't have had these issues if they had put in a Mimesweeper for Web server like I told them to.

Any thoughts?
Post #: 1
RE: ISA 2004 - Anonymous Access - 20.Jun.2005 10:20:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Well... you insult us by calling us idiots and then you want advice from us?

Put in Mimesweeper.

(in reply to wjaf)
Post #: 2
RE: ISA 2004 - Anonymous Access - 21.Jun.2005 7:12:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi WJ,

Yes, the problem is you need to put your current firewall on eBay and deploy the ISA firewall properly, as a multiNIC firewall. Whoever chose the unihomed ISA firewall config needs some education quick.

HTH,
Tom

(in reply to wjaf)
Post #: 3
RE: ISA 2004 - Anonymous Access - 23.Jun.2005 6:38:00 PM   
wjaf

 

Posts: 6
Joined: 20.Jun.2005
From: Australia
Status: offline
Lligetfa, I didn't call you an idiot. I called management where I work idiots.... and trust me they are. We already had a licence for Mimesweeper and all they had to do was let the software be installed.

Instead, someone who shouldn't make technical decisions made this one for political reasons. Regardless of the fact they didn't have to spend a single dollar. So, after telling them that there would be serious issues with their plans, they still heaped the software on my desk and expect me to make it work.

Yes, ISA is a great firewall product, I won't deny that. But Mimesweeper has some serious advantages including built-in support for content filtering, built-in support for antivirus, a much nicer reporting setup etc. And they didn't need a firewall, they needed a web proxy.

Tom, I know that getting a second NIC into this box will potentially help the situation. Now, the box itself has a second NIC (it's a Dell *yuck*) which is disabled (at their request). I am wondering if I can turn it on and give it some IP in the 192.168.xxx.xxx range that won't screw up our internal networks without a default gateway on the NIC. Will I then be able to use this box as a "firewall" even though only one of the NICs has a connection to anything?

Or am I looking at a complete reinstall of the software to pull this off? The reason being that I have already got the configuration 99% in place and they have this system already in production. So a downtime of more than a few minutes is not kindly looked upon. (you should have seen the storm that erupted when I tried to enable anonymous access for all and the damned thing started asking everyone to authenticate)

(in reply to wjaf)
Post #: 4
RE: ISA 2004 - Anonymous Access - 24.Jun.2005 9:28:00 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline

quote:
Now, the box itself has a second NIC (it's a Dell *yuck*) which is disabled (at their request). I am wondering if I can turn it on and give it some IP in the 192.168.xxx.xxx range that won't screw up our internal networks without a default gateway on the NIC. Will I then be able to use this box as a "firewall" even though only one of the NICs has a connection to anything?


No, you cannot. You configure the NIC and ISA will expect to use it. There is actually a critical purpose for the NIC... it isn't something that you just put there so the ISA sees it and is "happy".


quote:
kindly looked upon. (you should have seen the storm that erupted when I tried to enable anonymous access for all and the damned thing started asking everyone to authenticate)


That was because you left the feature enabled that says "Require unauthenticated users to authenticate". This should not be enabled if you expect to have any Anonymous Users. Your Rules themselves, when properly designed, will force authentication where you want it and also allow anonymous when you want it.

(in reply to wjaf)
Post #: 5
RE: ISA 2004 - Anonymous Access - 24.Jun.2005 11:26:00 AM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:
Originally posted by WJAF:
Lligetfa, I didn't call you an idiot.

There are not that many dots to connect, so I don't know how else to interpret "I already consider management idiots for using ISA". It comes across as you having a real distaste for ISA.

There are a lot of us on this board that CHOOSE to use ISA and have recommended it to our managers. That said, not many choose to deploy it with a single NIC since ISA really does not do well lobotomized, so in that context, I cannot dispute you.

I would never deploy ISA with a single NIC and I do not have any advice to offer anyone except to put in a second NIC. I am not saying that a second NIC is the only way to solve your problem.

(in reply to wjaf)
Post #: 6
RE: ISA 2004 - Anonymous Access - 26.Jun.2005 8:59:00 PM   
wjaf

 

Posts: 6
Joined: 20.Jun.2005
From: Australia
Status: offline
quote:

That was because you left the feature enabled that says "Require unauthenticated users to authenticate". This should not be enabled if you expect to have any Anonymous Users.

Ok, I must be blind. But where on earth is this rule? The only place I can find where it talks about authentication in the configuration is in the network configuration where I lay out my internal networks and the box says "Require All Users to Authenticate". Now, when I turn the check box in there to turn off that feature people get asked to Authenticate. I have set a couple machines in a separate network list with this feature disabled, but they still have to authenticate. Is there another location where the fabled "require unauthenticated user to authenticate" is located? Because I can't find it... and I can't afford to pull out any more hair as I am bald enough.

(in reply to wjaf)
Post #: 7
RE: ISA 2004 - Anonymous Access - 28.Jun.2005 10:02:00 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline

quote:
The only place I can find where it talks about authentication in the configuration is in the network configuration where I lay out my internal networks and the box says "Require All Users to Authenticate". Now, when I turn the check box in there to turn off that feature people get asked to Authenticate. I have set a couple machines in a separate network list with this feature


That is the one. When users are not required to authenticate, they should not be prompted for credentials unless your rules are causing it. With that disabled it gives your rules complete control over authentication vs anonymous.

If you are getting the opposite expected behavior, then I don't know what to tell you... maybe others here can step in and clear that up.

[ June 28, 2005, 10:04 AM: Message edited by: Phillip Windell ]

(in reply to wjaf)
Post #: 8
