[isalist] Re: Auto Discovery for firewall and webproxy clients

  • From: "Gerald G. Young" <g.young@xxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 13 Apr 2007 15:36:49 -0400

http://www.ISAserver.org
-------------------------------------------------------

To my knowledge, RSA in ISA only allows for RSA authentication separately and 
unrelated to any underlying AD authentication (no true two-factor 
authentication).

Cordially yours,
Jerry G. Young II
Application Engineer, Platform Engineering and Architecture
NTT America, an NTT Communications Company

22451 Shaw Rd.
Sterling, VA 20166

Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
> Sent: Friday, April 13, 2007 3:21 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
> 
> I would invite you to play with RSA here, but believe me you would quit
> in less than a week.
> 
> Regards
> Diego R. Pietruszka
> MSC (USA) - Interlink Transport Technologies
> 
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Friday, April 13, 2007 3:12 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
> 
> To be fair to Diego, the buttheads at RSA never provided me with demo
> software so that we could work these details out, and the docs on RSA
> support are abysmal at best and sux the big whahooie at worst.
> 
> So the fact that he wasn't able to read the minds of whoever knows how
> this works isn't his fault, he just didn't have the extrasensory
> perception the docs team thought he needed.
> 
> GMT
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, April 13, 2007 1:41 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
> 
> Diego,
> 
> This would be the first time you mentioned anything about VPN clients;
> much less RSA-based login.
> Also, the issue that I answered was regarding FWC auto-configuration
> requests, not "general traffic authentication".
> ISA has no idea of RSA-authenticated VPN users; there is no "user"
> context as such.
> Also, the VPN-connected FWC *must* use the listener for a separate
> network, since neither the Quarantined nor "normal" VPN client networks
> have a FWC listener.
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
> Sent: Friday, April 13, 2007 5:25 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
> 
> Jim
> 
> Well I discovered why the firewall client was not able to authenticate
> with the ISA server.
> 
> It is because our users use RSA tokens to connect to the VPN, as soon as
> I created a VPN connection without RSA, the firewall client was able to
> do the authentication.
> 
> Anyway I'm still having a little problem even without RSA in the middle,
> for some reason when from the VPN I browse internet I'm seeing all the
> traffic on the ISA log on port 80 instead of port 8080, which is what I
> need and how it works for my internal users.
> 
> Do you have any idea why that can be happening?
> 
> Regards
> Diego R. Pietruszka
> MSC (USA) - Interlink Transport Technologies
> 
> -----Original Message-----
> From: D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
> Sent: Thursday, April 12, 2007 7:51 PM
> To: 'isalist@xxxxxxxxxxxxx'
> Subject: Re: [isalist] Re: Auto Discovery for firewall and webproxy clients
> 
> Yes
> 
> --------------------------
> Sent from my BlackBerry Wireless Device
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx <isalist-bounce@xxxxxxxxxxxxx>
> To: isalist@xxxxxxxxxxxxx <isalist@xxxxxxxxxxxxx>
> Sent: Thu Apr 12 18:55:18 2007
> Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
> 
> Did you also restart the firewall service as the KB instructed?
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
> Sent: Thursday, April 12, 2007 3:14 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
> 
> I'm using ISA2004 EE.
> 
> And I request for authentication, that is why I guess the document
> applies to my case.
> 
> --------------------------
> Sent from my BlackBerry Wireless Device
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx <isalist-bounce@xxxxxxxxxxxxx>
> To: isalist@xxxxxxxxxxxxx <isalist@xxxxxxxxxxxxx>
> Sent: Thu Apr 12 16:28:10 2007
> Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
> 
> Are you using ISA 2004 or 2006?
> Enterprise or Standard Edition?
> 
> The FWC cannot authenticate for configuration requests - that's the
> whole point of this article and the changes to be made.
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
> Sent: Thursday, April 12, 2007 1:00 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
> 
> Well since my boss was having some rush on this issue, I crossed my
> fingers and executed the VB script mentioned in the article.
> 
> Results: ...... well nothing changed, but at least what was working is
> still working.
> 
> Any idea on why the firewall client is not able to authenticate against
> the ISA server when the user is connected to the VPN, but works fine
> internally?
> 
> Thanks
> 
> Regards
> Diego R. Pietruszka
> MSC (USA) - Interlink Transport Technologies
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
> Sent: Thursday, April 12, 2007 1:21 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
> 
> I have all my internal users' firewall clients detecting automatically
> the ISA server array.
> 
> The same ISA server array detected for the firewall client is acting as
> my VPN server, and the clients connected to that VPN are receiving an IP
> on the internal subnet range.
> 
> But they are having issues using the firewall client, actually the
> firewall client is detecting the right ISA server, but cannot
> authenticate with it.
> 
> Of course the rule between my VPN network and my internal network (where
> the ISA server resides) is ROUTE, I'm wondering if the solution on that
> article will fix my issue, without affecting my already working internal
> authentication with the server.
> 
> What do you think?
> 
> Regards
> Diego R. Pietruszka
> MSC (USA) - Interlink Transport Technologies
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Wednesday, April 11, 2007 7:28 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
> 
> http://support.microsoft.com/kb/885683
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Stephen Herrera
> Sent: Wednesday, April 11, 2007 8:32 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Auto Discovery for firewall and webproxy clients
> 
> I am using ISA2004 with Firewall and Web Proxy clients. I have set up the
> information manually in the past without any problems. I would like to
> implement auto discovery and have followed a couple of the articles on
> ISAserver.org. I have:
> 
> Created the wpad entry via DNS.
> Set IE to auto detect
> Set the firewall client to auto detect
> Verified ISA is publishing the Auto Discover via the MMC and going to
> http://wpad/wpad.dat
> 
> When I couldn't connect with the firewall client I used ISA monitoring
> to see what was going on. When the firewall client or web proxy client
> make the initial connection they are connecting anonymously. IE brings
> up an authentication window so that credentials can be entered but the
> firewall client doesn't so it fails to discover the server because the
> anonymous connection is denied. Did I miss a step somewhere? How can I
> get both IE and the firewall client to use the credentials of the user
> that is logged in? Any help is appreciated.
> 
> Steve
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> All mail to and from this domain is GFI-scanned.
