Welcome to ISAserver.org
secure NAT & authentication
secure NAT & authentication - 7.Aug.2002 7:16:00 PM
networkone
Posts: 52
Joined: 13.Dec.2001
From: Toronto, Ontario, Canada
Status: offline
OK, if I set ISA to require authentication to access the internet, i.e. basic + integrated, I understand that Secure NAT clients are unable to access the web. My question is... with authentication required, is it possible (is there a work-around solution) to allow specific workstations to access ports/protocols in addition to those provided by the proxy service... implicit http, https, ftp?
Please Help.
RE: secure NAT & authentication - 7.Aug.2002 7:30:00 PM
skipster
Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline
Create a client address set for the SNAT clients, then create a protocol rule and a site and content rule, and apply both to the client in the address set.
RE: secure NAT & authentication - 7.Aug.2002 7:35:00 PM
networkone
Posts: 52
Joined: 13.Dec.2001
From: Toronto, Ontario, Canada
Status: offline
I would assume, then, that these users would require static IPs, correct?
RE: secure NAT & authentication - 7.Aug.2002 7:55:00 PM
skipster
Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline
Yes
RE: secure NAT & authentication - 7.Aug.2002 8:56:00 PM
networkone
Posts: 52
Joined: 13.Dec.2001
From: Toronto, Ontario, Canada
Status: offline
Thanks for the quick bit of education.
JPA
RE: secure NAT & authentication - 8.Aug.2002 3:49:00 AM
networkone
Posts: 52
Joined: 13.Dec.2001
From: Toronto, Ontario, Canada
Status: offline
I tried out your scenario, but was unsuccessful.
RE: secure NAT & authentication - 8.Aug.2002 4:20:00 PM
skipster
Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline
It does work. I have all of my servers set up this way; they have to be if you are requiring authentication by using users/groups. I would make sure that your LAT is set up correctly: all internal clients should be in your LAT. Also check your HTTP redirector. How do you have this set?
RE: secure NAT & authentication - 8.Aug.2002 6:28:00 PM
networkone
Posts: 52
Joined: 13.Dec.2001
From: Toronto, Ontario, Canada
Status: offline
OK, my LAT is set up correctly. What I have is as follows...
1. a workstation with a static IP
2. a client address set (CAS) of the workstation's static IP
3. a site and content rule allowing the CAS outbound on any protocol.
4. a protocol rule allowing the CAS full outbound.
What am I missing?
RE: secure NAT & authentication - 8.Aug.2002 7:33:00 PM
skipster
Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline
quote: 3. a site and content rule allowing the CAS outbound on any protocol.
This should read outbound to any site, not any protocol. How is your HTTP redirector set? Also, are you requiring authentication on the outbound web listener as well as users/groups for outbound access? I would use one or the other. From the SNAT machine, see if you can ping the internal interface of the ISA server. What does the error say when you try to make a connection using the SNAT client?
RE: secure NAT & authentication - 8.Aug.2002 8:46:00 PM
networkone
Posts: 52
Joined: 13.Dec.2001
From: Toronto, Ontario, Canada
Status: offline
You mention HTTP redirector. Is that not for web publishing?
Just so we're both clear: I have authentication applied to my outbound listener (Integrated and Basic). With this setup, obviously, all users must use the proxy service, which we both know is restricted to ports 80, 443, and 21. What I need is a way to allow specific computers on my network to access additional ports, i.e. 708, 5631 etc... Will this provide me with what I need?
I just don't want you to waste any time on my confusion.
JPA
P.S. Thanx for your continuing help.
RE: secure NAT & authentication - 8.Aug.2002 9:07:00 PM
skipster
Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline
I understand what you are trying to do; however, the outbound web listener is a global option, so if you require authentication on your outbound web listener, then your SNAT clients won't be able to provide the credentials, because they will have none. Do this and see if it will work for you.
Configure your outbound web listener to not require authentication, then create a site and content rule and a protocol rule, give them the access that they need in the rules, and apply both rules to domain users. This way all users who are part of the domain will still have to authenticate before they can get access to the internet. I'm assuming you want this for logging purposes. Then follow my steps in my previous posts for creating the site and content rules and protocol rules for your SNAT clients. Set your HTTP redirector to redirect to the local web proxy service and check the box for "if unavailable".
quote: You mention HTTP redirector. Is that not for web publishing?
No. You use the Web Publishing Wizard to configure publishing servers on the internal network. The HTTP redirector is an application filter that controls requests from firewall and SNAT clients. Also make sure your internal users that are not SNAT clients have the proxy address defined in their browser, or they won't be able to get out.
Peace
RE: secure NAT & authentication - 9.Aug.2002 3:34:00 AM
networkone
Posts: 52
Joined: 13.Dec.2001
From: Toronto, Ontario, Canada
Status: offline
Finally I got the chance to test what you recommended. I swear I have this set up exactly as you suggested, but still no success.
If you say this works for certain, I must be missing at least 1 thing here. I'm losing my mind! I'll review everything in the morning, my mind should be clearer.
JPA
RE: secure NAT & authentication - 10.Aug.2002 4:00:00 AM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Networkone,
I'd remove the force authentication option, and create all site and content and protocol rules to either require authentication or apply to a client address set.
If you're just talking about Web Proxy clients, then make sure all Site and Content rules require authentication, and then enable basic authentication on the Outgoing Web Requests listener. A logon dialog box will appear and the users can enter their information.
HTH, Tom
quote: Originally posted by networkone:
OK, if I set ISA to require authentication to access the internet, i.e. basic + integrated, I understand that Secure NAT clients are unable to access the web. My question is... with authentication required, is it possible (is there a work-around solution) to allow specific workstations to access ports/protocols in addition to those provided by the proxy service... implicit http, https, ftp?
Please Help.
RE: secure NAT & authentication - 12.Aug.2002 10:38:00 PM
skipster
Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline
This is because you are requiring authentication for your protocol and site and content rules. If you disable the proxy client in IE, then how will the client be able to authenticate to the web proxy service? Even if you have the firewall client installed and you disable the proxy settings in IE, you are still not going out. Is this making sense now?
RE: secure NAT & authentication - 12.Aug.2002 10:39:00 PM
networkone
Posts: 52
Joined: 13.Dec.2001
From: Toronto, Ontario, Canada
Status: offline
OK, I finally was able to get this config to work. However, the secureNAT client only works with an EXTERNAL DNS. Is there a way to use my internal DNS instead? Please advise.
JPA
RE: secure NAT & authentication - 12.Aug.2002 10:56:00 PM
skipster
Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline
Yes, but your internal DNS server has to be set up so that it can forward names that it can't resolve to a DNS server that can, like your ISP's DNS server. This is called using forwarders in DNS. I'm assuming you're running DNS on your domain controller?
RE: secure NAT & authentication - 13.Aug.2002 2:45:00 AM
networkone
Posts: 52
Joined: 13.Dec.2001
From: Toronto, Ontario, Canada
Status: offline
Thanks a million for the ongoing assistance. I'm almost there.
I enabled DNS forwarders and added my ISP's DNS (primary and secondary), but no go. Is there anything I need to do in addition to this?
JPA
RE: secure NAT & authentication - 13.Aug.2002 4:19:00 AM
skipster
Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline
Yes, you will need to create a protocol rule for your DNS server; you must give it DNS Query and DNS Zone Transfer. Apply the rule to the client address set that belongs to your DNS server. If you want to surf the net with your DNS server then you must also add HTTP to your protocol rule. Starting to make sense now?
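The following is an added example, not code from ISA Server or from anyone in this thread. It is a small constructed model of the outbound access decisions skipster describes: a SecureNAT client has no way to present credentials, so the authentication requirement on the Outgoing Web Requests listener and any users/groups-scoped rule exclude it, whereas protocol and site and content rules applied to a client address set are matched by source IP and do work for a static-IP SecureNAT host, including the internal DNS server that forwards to the ISP. All addresses, rule names, the protocol names and the simplified evaluation order are assumptions made for the illustration.

```python
"""Constructed model of ISA Server 2000 outbound access decisions (not ISA's code or admin API)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

WEB_PROTOCOLS = frozenset({"HTTP", "HTTPS", "FTP"})   # traffic the Web Proxy service handles


@dataclass(frozen=True)
class Client:
    name: str
    ip: str
    kind: str                          # "secure_nat" or "web_proxy"
    groups: frozenset = frozenset()    # domain groups, only meaningful for a web_proxy client

    def can_authenticate(self) -> bool:
        # A SecureNAT client has no firewall client or browser proxy setting to send credentials.
        return self.kind == "web_proxy"


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                                    # "protocol" or "site_and_content"
    protocols: frozenset = frozenset({"ANY"})    # protocol rule: what it permits
    client_sets: tuple = ()                      # CIDR strings forming the client address set
    groups: frozenset = frozenset()              # scope by users/groups instead of address

    def applies_to(self, client: Client) -> bool:
        if self.client_sets:   # address-set scoping: matched by source IP only
            return any(ip_address(client.ip) in ip_network(net) for net in self.client_sets)
        if self.groups:        # group scoping: the client must be able to authenticate
            return client.can_authenticate() and bool(self.groups & client.groups)
        return True            # rule applies to any request

    def permits(self, protocol: str) -> bool:
        # Site and content rules here are "outbound to any site"; protocol rules list protocols.
        return self.kind == "site_and_content" or "ANY" in self.protocols or protocol in self.protocols


@dataclass
class Policy:
    listener_requires_auth: bool          # Outgoing Web Requests listener: Basic/Integrated required
    rules: list = field(default_factory=list)


def decide(policy: Policy, client: Client, protocol: str) -> tuple:
    """Return (allowed, reason) for an outbound request of `protocol` from `client`."""
    # The listener setting is global: a SecureNAT client's web traffic is refused
    # before any rule is consulted when the listener demands credentials.
    if policy.listener_requires_auth and protocol in WEB_PROTOCOLS and not client.can_authenticate():
        return False, "outgoing Web listener requires credentials; SecureNAT client has none"
    proto_ok = any(r.kind == "protocol" and r.applies_to(client) and r.permits(protocol)
                   for r in policy.rules)
    site_ok = any(r.kind == "site_and_content" and r.applies_to(client) for r in policy.rules)
    if proto_ok and site_ok:
        return True, "matching protocol rule and site and content rule"
    if not proto_ok:
        return False, "no protocol rule applies to this client for " + protocol
    return False, "no site and content rule applies to this client"


def thread_scenarios() -> dict:
    """Replay the two configurations discussed in the thread with constructed hosts."""
    workstation = Client("static-ws", "192.0.2.10", "secure_nat")
    stray_host = Client("dhcp-ws", "192.0.2.77", "secure_nat")
    dns_server = Client("dc-dns", "192.0.2.5", "secure_nat")
    user_pc = Client("alice-pc", "192.0.2.40", "web_proxy", frozenset({"Domain Users"}))
    domain_rules = [
        Rule("domain web", "protocol", frozenset(WEB_PROTOCOLS), groups=frozenset({"Domain Users"})),
        Rule("domain sites", "site_and_content", groups=frozenset({"Domain Users"})),
    ]
    # Stage 1 (networkone's first attempt): listener forces authentication, rules scoped to users.
    stage1 = Policy(True, domain_rules)
    # Stage 2 (skipster's fix): listener auth off, group rules kept for domain users,
    # address-set rules added for the static SecureNAT workstation and the DNS server.
    stage2 = Policy(False, domain_rules + [
        Rule("ws full outbound", "protocol", frozenset({"ANY"}), client_sets=("192.0.2.10/32",)),
        Rule("ws any site", "site_and_content", client_sets=("192.0.2.10/32",)),
        Rule("dns outbound", "protocol", frozenset({"DNS Query", "DNS Zone Transfer"}),
             client_sets=("192.0.2.5/32",)),
        Rule("dns any site", "site_and_content", client_sets=("192.0.2.5/32",)),
    ])
    return {
        "s1_snat_http": decide(stage1, workstation, "HTTP"),
        "s1_snat_5631": decide(stage1, workstation, "TCP 5631"),
        "s1_user_http": decide(stage1, user_pc, "HTTP"),
        "s1_dns_query": decide(stage1, dns_server, "DNS Query"),
        "s2_snat_http": decide(stage2, workstation, "HTTP"),
        "s2_snat_5631": decide(stage2, workstation, "TCP 5631"),
        "s2_stray_http": decide(stage2, stray_host, "HTTP"),
        "s2_dns_query": decide(stage2, dns_server, "DNS Query"),
        "s2_dns_http": decide(stage2, dns_server, "HTTP"),
    }


if __name__ == "__main__":
    for label, (allowed, why) in thread_scenarios().items():
        print(f"{label:14} {'ALLOW' if allowed else 'DENY ':5} {why}")
```

Running the model shows the failure networkone kept hitting: in stage 1 every request from the SecureNAT workstation is denied, either by the listener or because no rule can match a client that cannot authenticate. In stage 2 the address-set rules admit the static workstation on HTTP and on port 5631, a host outside the set is still denied, and the DNS server gets its forwarders out only because its own address set has a DNS Query rule; it is still denied HTTP until that protocol is added, as skipster notes.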
RE: secure NAT & authentication - 13.Aug.2002 2:22:00 PM
networkone
Posts: 52
Joined: 13.Dec.2001
From: Toronto, Ontario, Canada
Status: offline
I created a protocol rule allowing "DNS Query" and "DNS Zone Transfer" and applied it to my DC, but no go. I tried changing DNS Query to DNS Query Server and the same for DNS Zone Transfer, but still no go. I also added my ISP's DNS IPs to the DNS forwarders tab and enabled DNS forwarding. I then restarted my server.
Any idea what I'm missing? I'm soooo close here.
JPA