From: Middelburg, South Africa
I have been using GFI LanGuard RealTime Monitor for ISA and have noted that I have a lot of UNAUTHENTICATED traffic permitted through my firewall. Now I understand that the "...array.dll?Get.Routing.Script" traffic will be shown as unauthenticated as that is the first method that the browser tries, but thereafter it is then authenticated and I can see the usernames of the people that are surfing.
Now I know that these are just advertisements used by some download managers and instant messaging clients, but I would have thought that all of this traffic would be denied because of the following: 1) The users whose traffic I am seeing are blocked by an ISA schedule and they may only surf After Hours. So why are they permitted to do anything during office hours. 2) I have setup the HTTP Redirector Filter to "Reject HTTP requests from Firewall and SecureNAT clients", so why is the FW Client in any way permitted to surf?
By the way, my Instant Messaging clients (AOL, ICQ etc) are still able to function, even though I have changed the HTTP Redirector (as mentioned above), I would have thought that they would not be able to function. I do however notie that there are some PAcket Filters defined explicitly for these instant messaging tools, so I just need someone to confirm that this is in fact why they are able to function, even though I have denied HTTP requests from FW & SecureNAT clients?
2) I have setup the HTTP Redirector Filter to "Reject HTTP requests from Firewall and SecureNAT clients", so why is the FW Client in any way permitted to surf? Instead of doing this, try controling access based on user\group, set the HTTP redirector back to redirect to local web proxy service. If you have a site and content rule, and a protocol rule in place that requires authentification, then firewall and SNAT clients wont be able to authenticate. If your SNAT clients and firewall clietns are web proxy clients as well then they will be able to authenticate, and if there is a deny rule in place for a user or group, then they will be denied.
From: Middelburg, South Africa
I already have a S&C and a Protocol Rule allowing only a specific group of people access to surf the internet.
Based upon your statement: "If you have a site and content rule, and a protocol rule in place that requires authentification, then firewall and SNAT clients wont be able to authenticate." As much as I would love to believe that, I am just not seeing that this is true. As noted, I have rules in place controlling access on group membership. But how will this prevent SNat and FW Client traffic from being accepted. Surely they also pass authentication requests to the ISA Server and depending on what type of request (WEB Proxy, Firewall Client, SNat) it is, it will just get authenticated at a different place. E.g. WEB Proxy request is authenticated against WEB Proxy service, FW Client is authenticated against FW Service and then passed to WEB Proxy service as anonymous/unauthenticated connection, and SNat client is validated against a Client Address Set.
Another thing, if the FW Service passes requests to the WEB Proxy service as anonymous/unathenticated traffic, and I have enabled the tickbox on Outgoing WEB Requests which says "Ask unauthenticated users for identification", then why is all traffic from the FW Service permitted through the WEB Proxy if it is received from the FW Service as anonymous/unauthenticated?
Is it because the WEB Proxy service implicitly trusts the FW Service and therefore doesn't care what the FW Service passes to it?
Hey William are you using WPAD file in your DNS? if so this traffic will be loggedd as unathenticated, it will look like this, unauthenticated 192.168.0.57 9:58:4 1592 /wspad.dat. All my clients use the WSPAD file to automatically detect the ISA server, and ISA logs this traffic as not being able to authenticate.
I do see that the inital connection that a client makes is UNAUTHENTICATED but that is just to get the Routing.Script file, thereafter most of the time it is shown as AUTHENTICATED. It just so happens that every now and then I may see some UNAUTHENTICATEd traffic for actual HTTP websites going through the logs.