..except if the app is proxy-aware, then you get into the "worm ate the bird" problem again...
I will stipulate that the SBS community seems to hit this particular wall more often than most; probably due to the cheaposkinflintmothposcketicity of their customers.

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Saturday, January 28, 2006 12:34 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Web Client Requests

http://www.ISAserver.org

Hey Jim,

That's what the Firewall client is for, so that you don't have to disable auth.

So, I'll have to update my maxim: SecureNAT and Anonymous Access rules are for Losers and Servers.

How's that?

Tom

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Saturday, January 28, 2006 1:13 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web Client Requests
>
> http://www.ISAserver.org
>
> You're right - I responded in reverse.
> If you:
> 1. disable the web proxy filter
> 2. remove authentication
>
> ..then no one is forced to authenticate and you are limited to IP-based access controls.
> Bad juju, IMHO...
>
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Saturday, January 28, 2006 11:02 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web Client Requests
>
> http://www.ISAserver.org
>
> Yes unfortunately? Wouldn't it be no, unfortunately?
>
> Yes to me would mean that everything would authenticate except for what you specify.
>
> No would mean that everything would then go through without authentication.
>
> Amy
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Saturday, January 28, 2006 10:36 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web Client Requests
>
> http://www.ISAserver.org
>
> Yes, unfortunately.
> This is exactly why I list this step among the "last line of defense".
>
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Saturday, January 28, 2006 7:12 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web Client Requests
>
> http://www.ISAserver.org
>
> Yes, I am. So once you do that does any traffic bother to authenticate anymore?
>
> Amy
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Saturday, January 28, 2006 10:05 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web Client Requests
>
> http://www.ISAserver.org
>
> Contrary to tribal knowledge, there's nothing special about the SBS installation of ISA other than some rules that make me nauseous and wizards that remove the burden of understanding. The SBS version of ISA is ISA Std Edition.
>
> I think you're referring to disassociating the Web Proxy filter from the HTTP protocol as is offered for some apps that can't authenticate at all?
>
> ..which brings up my next point - while it's true that there are some apps that think they have a direct link to their desired destination, this technique should be the *last* line of defense; not the first.
>
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Saturday, January 28, 2006 5:59 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web Client Requests
>
> http://www.ISAserver.org
>
> So then in the SBS world once we check the box that allows apps to bypass the web proxy filter won't everything then bypass it? In the first ISA, she says, she would allow unauthenticated access and everything would then go through?
>
> Amy
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Saturday, January 28, 2006 1:58 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web Client Requests
>
> http://www.ISAserver.org
>
> I'm not clear on "basic and authenticated", since basic is an authentication mechanism? If you mean "basic and <anything else offered>", it's up to the client to choose the strongest method it supports (RFC 2617).
>
> In the first "ISA, she say:", ISA advises the client what auth methods it will accept (Negotiate, NTLM, Kerberos in my example).
> In the second "Client, he say:", the client responds with the auth method it wants to use. In this response, the specified auth method *must* be one of the options ISA previously presented, or ISA will reject the auth attempt.
>
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Friday, January 27, 2006 5:31 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web Client Requests
>
> http://www.ISAserver.org
>
> I'll probably get your post a day or two from now. They tend to come in blobs. 20 messages today, 300 tomorrow. I find it difficult to keep track of a thread. I don't even ask yahoo to send it out of their own system. It gets delivered to my yahoo account! Maybe I should sign up under a non-yahoo address and see if I have any better success.
>
> I understand that the authentication process starts all over again. What I'm asking is, if I enable basic and authenticated access for the listener, what determines whether ISA will accept basic or authenticated for a particular packet?
>
> Amy
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Friday, January 27, 2006 5:24 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web Client Requests
>
> http://www.ISAserver.org
>
> sbs2k@xxxxxxxxxxxxxxx
>
> The point is that:
> 1. the clients know diddly (and maybe even squat) about the way the proxy is configured
> 2. unless the client is using proxy:keepalive in the client-to-proxy connection, each request is an introduction between the client and the proxy
>
> Thus, each new connection between the client and proxy incurs a new authentication requirement and the ball starts bouncing all over again.
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Friday, January 27, 2006 14:11
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web Client Requests
>
> Which forum?
>
> So here is where I get confused. If my web listener allows both non-authenticated and authenticated requests, then why after I allow non-authenticated access does ISA ever require authentication? Won't everything then be accepted with authentication?
>
> Amy
>
> ________________________________
>
> From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
> Sent: Friday, January 27, 2006 3:38 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Web Client Requests
>
> Hey guys, I'm forwarding this message on behalf of Jim. He posted it to another list and true to form it was too good an explanation not to impart on the masses (or the cheesemakers).
>
> This traces the path of your IE (or other) http requests and explains why you will always see anonymous requests in your web logs. Thanks Jim
>
> Greg Mulholland
>
> >>>>>>>>>>>>>>
>
> Correct - all web clients do exactly that.
> This is also why the logs will forever contain anonymous requests even if all you allow are authenticated connections, because ISA will log those denied anonymous requests.
>
> What you can't tell from the logs is what happens after that in detail.
> This requires a bit of Netmon (or Ethereal, if you swing that way) sleuthing.
>
> Here's the bouncing ball:
>
> ** Client, he say:
> GET http://www.isaserver.org/ HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)
> Host: www.isaserver.org
> Proxy-Connection: Keep-Alive
>
> ** ISA, she say:
> HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )
> Via: 1.1 HEARTOFGOLD
> Proxy-Authenticate: Negotiate
> Proxy-Authenticate: Kerberos
> Proxy-Authenticate: NTLM
> Connection: Keep-Alive
> Proxy-Connection: Keep-Alive
> Pragma: no-cache
> Cache-Control: no-cache
> Content-Type: text/html
> Content-Length: 4113
>
> ..note - the ISA in this case (as in yours, probably) logged this request as anonymous and responded saying that it allowed three authentication methods: Negotiate, Kerberos and NTLM. These are the default auth methods for any ISA installation (including SBS).
>
> ** Client, he say:
> GET http://www.isaserver.org/ HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)
> Host: www.isaserver.org
> Proxy-Connection: Keep-Alive
> Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB7IIogQABAAzAAAACwALACgAAAAFASgKAAAAD0ZPUkRQUkVGRUNUSE9NRQ==
>
> Note that the client chose NTLM auth and passed the first part of the handshake in Base-64 encoding.
> Not to worry, this isn't like Basic, which is base-64 encoded plain text; this is base-64 encoded encrypted information. ISA also logs this request as anonymous.
>
> ** ISA, she say:
> HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )
> Via: 1.1 HEARTOFGOLD
> Proxy-Authenticate: NTLM TlRMTVNTUAACAAAACAAIADgAAAAFgomiWWcfZe6QNCsAAAAAAAAAALQAtABAAAAABQLODgAAAA9IAE8ATQBFAAIACABIAE8ATQBFAAEAFgBIAEUAQQBSAFQATwBGAEcATwBMAEQABAAiAGgAbwBtAGUALgBqAGEAbABvAGoAYQBzAGgALgBvAHIAZwADADoAaABlAGEAcgB0AG8AZgBnAG8AbABkAC4AaABvAG0AZQAuAGoAYQBsAG8AagBhAHMAaAAuAG8AcgBnAAUAIgBoAG8AbQBlAC4AagBhAGwAbwBqAGEAcwBoAC4AbwByAGcAAAAAAA==
> Connection: Keep-Alive
> Proxy-Connection: Keep-Alive
> Pragma: no-cache
> Cache-Control: no-cache
> Content-Type: text/html
> Content-Length: 0
>
> Note that ISA also passed some NTLM data back to the client - this is part and parcel of NTLM authentication, even outside of HTTP.
>
> ** Client, he say:
> GET http://www.isaserver.org/ HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)
> Host: www.isaserver.org
> Proxy-Connection: Keep-Alive
> Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAG4AAAAYABgAhgAAAAgACABIAAAACAAIAFAAAAAWABYAWAAAAAAAAACeAAAABYKIogUBKAoAAAAPSABPAE0ARQBKAGkAbQBIAEYATwBSAEQAUABSAEUARgBFAEMAVABunrbKxTfLxwAAAAAAAAAAAAAAAAAAAABNhP8BkKK3ZR1MXfC2h14+Q4IQaVlWRH8=
>
> Note that the client passes the remaining part of the NTLM handshake - if ISA can resolve the credentials passed by the client during this process, all will be FD&H.
>
> ** ISA, she say:
> HTTP/1.1 200 OK
> Proxy-Connection: Keep-Alive
> Connection: Keep-Alive
> Content-Length: 40936
> Via: 1.1 HEARTOFGOLD
> Date: Fri, 27 Jan 2006 05:49:15 GMT
> Content-Type: text/html
> Server: Microsoft-IIS/6.0
> X-Powered-By: ASP.NET
> Set-Cookie: ASPSESSIONIDCCRRSRBC=EIBLFICAIMCPFBFCEKFFKBEA; path=/
> Cache-control: private
>
> This is where access is allowed (200 response).
>
> You should note that I haven't included anything that may have been passed in the HTTP body - it's not important to this discussion and only makes for an unwieldy thread.
>
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>
> All mail to and from this domain is GFI-scanned.
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
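The three-leg exchange Jim traced above, decoded: this is an added example, not code from the thread or from ISA Server. It re-joins the three NTLM tokens quoted in the trace (they are split across e-mail line wraps), parses each one, and replays a simplified proxy so the log comes out the way Jim describes it: the bare GET and the Type 1 request are both logged anonymous, and only the Type 3 request is logged under a user name. Decoding the tokens also shows what the trace only hints at: the base64 here is transport encoding, not protection. The Type 1 message carries the workstation name, the domain and the client OS build in clear; the Type 2 message carries the server's NetBIOS and DNS names, its domain and its OS build; the Type 3 message carries the user name, domain and workstation in clear, and only the 24-byte NT response is derived from the password. The proxy model also shows the RFC 2617 rule Jim cites: a scheme the proxy never offered gets a fresh 407. The model is my own simplification (it cannot check the NT response, since there is no domain controller behind it); the field offsets and AV_PAIR ids follow MS-NLMP.

```python
"""Decode the NTLM tokens from Jim's trace and replay the proxy's view of them.

Added example, not code from the thread or from ISA Server. The base64 tokens are
the ones quoted in the trace, re-joined across the e-mail line wraps; proxy_view()
is a simplified stand-in for ISA's Web Proxy filter that walks the handshake but
cannot validate the Type 3 response (no domain controller behind it).
"""
import base64
import struct

# Client NEGOTIATE (Type 1), ISA CHALLENGE (Type 2), client AUTHENTICATE (Type 3).
TYPE1 = "TlRMTVNTUAABAAAAB7IIogQABAAzAAAACwALACgAAAAFASgKAAAAD0ZPUkRQUk" "VGRUNUSE9N" "RQ=="
TYPE2 = ("TlRMTVNTUAACAAAACAAIADgAAAAFgomiWWcfZe6QNCsAAAAAAAAAALQAtABAAA" "AABQLODgAA"
         "AA9IAE8ATQBFAAIACABIAE8ATQBFAAEAFgBIAEUAQQBSAFQATwBGAEcATwBMAE" "QABAAiAGgA"
         "bwBtAGUALgBqAGEAbABvAGoAYQBzAGgALgBvAHIAZwADADoAaABlAGEAcgB0AG" "8AZgBnAG8A"
         "bABkAC4AaABvAG0AZQAuAGoAYQBsAG8AagBhAHMAaAAuAG8AcgBnAAUAIgBoAG" "8AbQBlAC4A"
         "agBhAGwAbwBqAGEAcwBoAC4AbwByAGcAAAAAAA==")
TYPE3 = ("TlRMTVNTUAADAAAAGAAYAG4AAAAYABgAhgAAAAgACABIAAAACAAIAFAAAAAWAB" "YAWAAAAAAA"
         "AACeAAAABYKIogUBKAoAAAAPSABPAE0ARQBKAGkAbQBIAEYATwBSAEQAUABSAE" "UARgBFAEMA"
         "VABunrbKxTfLxw" "AAAAAAAAAAAAAAAAAAAA" "BNhP8BkKK3ZR1MXfC2h14+Q4IQaVlWRH8=")

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE, NEGOTIATE_TARGET_INFO, NEGOTIATE_VERSION = 0x1, 0x800000, 0x2000000
AV_NAMES = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer", 4: "dns_domain", 5: "dns_tree"}


def _field(raw, at):
    """Resolve an NTLM (Len, MaxLen, Offset) triple to the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, at)
    return raw[offset:offset + length]


def _version(raw, at, flags):
    """Windows version the sender advertised (major.minor.build), if any."""
    return "%d.%d.%d" % struct.unpack_from("<BBH", raw, at) if flags & NEGOTIATE_VERSION else None


def parse_ntlm(token):
    """Decode one NTLM token. Every field returned was readable on the wire."""
    raw = base64.b64decode(token)
    if raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", raw, 8)[0]
    if mtype == 1:                      # NEGOTIATE: strings are always OEM (8-bit)
        flags = struct.unpack_from("<I", raw, 12)[0]
        msg = dict(domain=_field(raw, 16).decode("ascii"),
                   workstation=_field(raw, 24).decode("ascii"), os=_version(raw, 32, flags))
    elif mtype == 2:                    # CHALLENGE: target name, nonce, AV_PAIR target info
        flags = struct.unpack_from("<I", raw, 20)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        msg = dict(target=_field(raw, 12).decode(enc), challenge=raw[24:32].hex(),
                   os=_version(raw, 48, flags))
        info = _field(raw, 40) if flags & NEGOTIATE_TARGET_INFO else b"\0\0\0\0"
        pos = 0
        while True:
            av_id, av_len = struct.unpack_from("<HH", info, pos)
            if av_id == 0:              # MsvAvEOL terminates the list
                break
            value = info[pos + 4:pos + 4 + av_len]
            msg[AV_NAMES.get(av_id, "av%d" % av_id)] = (
                value.decode("utf-16-le") if av_id in AV_NAMES else value.hex())
            pos += 4 + av_len
    elif mtype == 3:                    # AUTHENTICATE: identity plus the keyed responses
        flags = struct.unpack_from("<I", raw, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        msg = dict(domain=_field(raw, 28).decode(enc), user=_field(raw, 36).decode(enc),
                   workstation=_field(raw, 44).decode(enc), os=_version(raw, 64, flags),
                   nt_response=_field(raw, 20).hex())   # the only secret-derived bytes
    else:
        raise ValueError("unknown NTLM message type %d" % mtype)
    msg.update(type=mtype, flags=flags)
    return msg


OFFERED = ["Negotiate", "Kerberos", "NTLM"]   # ISA's default challenge, per the trace


def proxy_view(requests, offered=OFFERED):
    """Replay one keep-alive client-to-proxy connection; return [(status, user as logged)]."""
    log, user = [], None
    for auth in requests:                       # auth = Proxy-Authorization value or None
        if user is not None:                    # already authenticated on this connection
            log.append((200, user))
            continue
        scheme, _, token = (auth or "").partition(" ")
        if scheme not in offered or scheme != "NTLM":
            # No credentials, a scheme ISA never offered (RFC 2617), or one not modelled here.
            log.append((407, "anonymous"))
            continue
        msg = parse_ntlm(token)
        if msg["type"] == 3:                    # handshake complete: identity known
            user = msg["domain"] + "\\" + msg["user"]
            log.append((200, user))
        else:                                   # Type 1 in, Type 2 out: still anonymous
            log.append((407, "anonymous"))
    return log


TRACE = [None, "NTLM " + TYPE1, "NTLM " + TYPE3]   # the three GETs as the proxy sees them
```

parse_ntlm(TYPE2) returns the target-info dictionary ISA sent back (NetBIOS and DNS names, domain, OS build) and proxy_view(TRACE) returns two anonymous 407 entries followed by one 200 entry for HOME\JimH, which is the three-line pattern Jim says to expect in the web proxy log for every fresh connection.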