• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

ISA in domain - FWC in workgroup = no authentication passed !

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> ISA in domain - FWC in workgroup = no authentication passed ! Page: [1]
Login
Message << Older Topic   Newer Topic >>
ISA in domain - FWC in workgroup = no authentication pa... - 5.Jun.2003 2:52:00 PM   
neurhaus

 

Posts: 5
Joined: 1.Dec.2002
From: amman, jordan
Status: offline
Heya,
I am having a headached, i tried the articles, and i looked the in the forums, but i found nothing.
my problem is as following:
my isa server is a domain controller in a domain. i have domain computers, plus 4 computers that are in a workgroup, but on the same physical network.
each one of these pcs have the firewall client installed.
my isa config is as follow:
1. integrated authentication - plus "ask unathenticated users for ..." checked.
2. access policies that allow everyone to do basicly everything ( heh, talking about security "[Smile]"
my 4 workgroup clients run firewall applications as usual, everything's alright.
now i have to deny some users from inside the domain of using some protocols, so i create a protocol rule denying that based on domain user accounts. everything's fine, except that:
now my 4 firewall-clients-in-the-workgroup are being asked for authentication, since they are out of the domain, i get that "authentication failed" firewall client icon thing.
those 4 firewall-clients-in-the-workgroup are supposed to be allowed to run anything.
I think i fully understand what's happening, so i thought that i could do the SMB "trick" (creating domain accounts for my local users - not joining the machines to the domain, so that when my users on the 4-firewall-clients try to get to isa, they pass their username/password to the server, and the server can then find them in AD).
problem: the SMB "trick" doesn't work.

now my questions is: how can i fix it. suppose i have a domain (D1) with an ISA server in it, and firewall clients in another domain (D45). not in the same forest, no trust relationship. how can i make users of D45 authenticate themselves to the ISA server in D1 ?

Thanks a lot in advance, and sorry for taking too much space
eyas
Post #: 1
RE: ISA in domain - FWC in workgroup = no authenticatio... - 5.Jun.2003 8:58:00 PM   
eMan29

 

Posts: 20
Joined: 1.May2003
From: New York
Status: offline
There are several things going on here. I would first suggest taking ISA Server off of your DC and putting it on another server. ISA on a DC is not a great choice for several reasons, security definitely being at the top of the list. If security isn't a concern (which it doesn't really sound like it is here), then the next question to ask is why have machines in another workgroup, particularly if you have a domain with users in it. Typically, if you had your ISA server in one domain and computers or users in another domain, you could setup a 2-way trust and be able to manage/administer ISA across the 2 domains, but using a workgroup here most likely will not work.

The only thing I could suggest in your scenario is to setup everyone in your workgroup as secureNAT clients. There's no user-level authentication, but it'll give them the access out. You'll need to set the workgroup PCs to point to the ISA Server as the Gateway in their TCP/IP settings. Uninstall the fw client from these machines, and remove any proxy server settings you have in the browsers on these machines. Just understand that setting up secureNAT clients gives those clients complete access to the internet (no rules will be processed or followed by these clients).

In your domain, you can still setup your rules and they'll just apply to your domain accounts. Since you're using workgroups, I'm assuming that these machines are using static IP addresses. If not, you'll need to setup static IPs for those workgroup computers, because the ISA server has to be the default gateway in order for this to work. Alternatively, you can set your DHCP server's gateway to the IP address of the ISA Server and get the same results, but it sounds like you have a small network in this workgroup. Plus, if you only have one DHCP server, that may cause issues on the domain side of your network.

Just suggestions, but they should work.

(in reply to neurhaus)
Post #: 2

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> ISA in domain - FWC in workgroup = no authentication passed ! Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts