http://www.ISAserver.org
-------------------------------------------------------
The issue seems to have been resolved.
The problem was if my proxy doesn't require all users to require with NTLM
and I have one rule that says allow outbound HTTP for "gregs ad group" and
another rule that allows HTTP out for only "other servers computer group"
with all users allowed. If I go and log on to the first computer (not a
member of the computers group) as one who is not a member of "gregs ad
group" then I get internet access for free.
I'm not sure why or how, but the rules didn't seem to apply to the traffic. I'm
not 100% sure what fixed it. I might revisit it tomorrow and see if I can
pinpoint what it was, but for now if I log on to the first computer as a
non-group member I get denied access or, better still, prompted to
authenticate with an account in that group.
Thanks for your help, Jim.
http://www.ISAserver.org -------------------------------------------------------
What other rules exist? What place do they have with respect to that rule? If your rules are *all* authenticated (none are "all users"), then no one is getting anonymous access.
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
Sent: Monday, August 07, 2006 9:20 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: NTLM proxy authentication with Linux
No, the outbound HTTP rule applies to an AD users group, not all users.
----- Original Message ----- From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, August 08, 2006 1:50 PM
Subject: [isalist] Re: NTLM proxy authentication with Linux
That's because your rules are anonymous.
Sent to you from Black Hat Las Vegas via WM5-enabled PPC-phone
-----Original Message-----
From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: 8/7/06 18:57
Subject: [isalist] Re: NTLM proxy authentication with Linux
Not sure whether it's the limitation of my single-NIC solution or not, but that doesn't work.
If I untick the "require all users.." button then any users in that group (AD users group) are allowed unauthenticated access.
Greg
----- Original Message ----- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, August 08, 2006 11:31 AM
Subject: [isalist] Re: NTLM proxy authentication with Linux
Nope. You can have authentication without forcing it at the listener. It's called "user-based rules".
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
Sent: Monday, August 07, 2006 16:21
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: NTLM proxy authentication with Linux
Then my authentication group, which is a requirement, becomes null and void as the authentication isn't checked. So that doesn't work for me.
Greg
----- Original Message -----
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, August 08, 2006 1:11 AM
Subject: [isalist] Re: NTLM proxy authentication with Linux
Disable "require all users..." on the outbound web listener. If you can't, then you can't have anonymous traffic through it.
------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isas
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx