[isalist] Re: Auto Discovery for firewall and webproxy clients
- From: "D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR" <DPietruszka@xxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Fri, 13 Apr 2007 15:53:20 -0400
http://www.ISAserver.org
-------------------------------------------------------
Of course is IE, we are not, but we look pretty much like a Microsoft
subsidiary here. I'm wondering what will happen if one they Microsoft decided
to start selling servers!!!
Anyway, internet VPN connections, there is still dial up VPN connections?
And the browser configuration is the firewall client job; it must configure the
browser when it connected with the ISA server.
Regards
Diego R. Pietruszka
MSC (USA) - Interlink Transport Technologies
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Friday, April 13, 2007 3:29 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
http://www.ISAserver.org
-------------------------------------------------------
I'm guessing that the browser is IE?
Have you configured the browser to use a proxy for the VPN dial-up
connection?
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
Sent: Friday, April 13, 2007 12:09 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
Hmmmmmm!!!!
Jim, I know is Friday, and to make it worse is Friday 13th but since I
started with this I mentioned my VPN clients :-)
What you are right is about the RSA, I never mentioned that part. But we
can focus on the problem without RSA, since I discovered that the
firewall client can not authenticate with the ISA server when you login
on the VPN with RSA (it is pretty normal if you worked with RSA for some
time).
Anyway, probably I weren't clear, so this is my scenario.
VPN user -----> VPN ISA with VPN access configure -----> Internal LAN
-----> ISA server (proxy) -----> Internet
What I want is that my user connected using the VPN can browse the
internet using the same proxy my internal users are using.
Actually the VPN users are doing that right now, but I want to traffic
being send on port 8080 (my proxy port).
When the internal users browse the web, I'm seeing the traffic sent to
the proxy on port 8080.
But when my VPN (without RSA) users browse the web, I'm seeing their
traffic sent directly to the web page IP address on port 80. My problem
is, why that is happening? I need it on port 8080.
Sorry for changed of the topic, but one thing took me to the other one.
Regards
Diego R. Pietruszka
MSC (USA) - Interlink Transport Technologies
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Friday, April 13, 2007 2:41 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
http://www.ISAserver.org
-------------------------------------------------------
Diego,
This would be the first time you mentioned anything about VPN clients;
much less RSA-based login.
Also,l the issue that I answered was regarding FWC auto-configuration
requests, not "general traffic authentication".
ISA has no idea of RSA-authenticated VPN users; there is no "user"
context as such.
Also, the VPN-connected FWC *must* use the listener for a separate
network, since neither the Quarantined nor "normal" VPN client networks
have a FWC listener.
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
Sent: Friday, April 13, 2007 5:25 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
Jim
Well I discovered why the firewall client was not able to authenticate
with the ISA server.
It is because our users use RSA tokens to connect to the VPN, as soon as
I created a VPN connection without RSA, the firewall client was able to
do the authentication.
Anyway I'm still having a little problem even without RSA in the middle,
for some reason when from the VPN I browse internet I'm seeing all the
traffic on the ISA log on port 80 instead of port 8080, which is what I
need and how it works for my internal users.
Do you have any idea why that can be happening?
Regards
Diego R. Pietruszka
MSC (USA) - Interlink Transport Technologies
-----Original Message-----
From: D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
Sent: Thursday, April 12, 2007 7:51 PM
To: 'isalist@xxxxxxxxxxxxx'
Subject: Re: [isalist] Re: Auto Discovery for firewall and webproxy
clients
Yes
--------------------------
Sent from my BlackBerry Wireless Device
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx <isalist-bounce@xxxxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx <isalist@xxxxxxxxxxxxx>
Sent: Thu Apr 12 18:55:18 2007
Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
http://www.ISAserver.org
-------------------------------------------------------
Did you also restart the firewall service as the KB instructed?
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
Sent: Thursday, April 12, 2007 3:14 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
I'm using ISA2004 EE.
And I request for authentication, that is why the I guess the document
apply to my case.
--------------------------
Sent from my BlackBerry Wireless Device
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx <isalist-bounce@xxxxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx <isalist@xxxxxxxxxxxxx>
Sent: Thu Apr 12 16:28:10 2007
Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
http://www.ISAserver.org
-------------------------------------------------------
Are you using ISA 2004 or 2006?
Enterprise or Standard Edition?
The FWC cannot authenticate for configuration requests - that's the
whole point of this article and the changes to be made.
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
Sent: Thursday, April 12, 2007 1:00 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
Well since my boss was having some rush on this issue, I crossed my
fingers and executed the VB script mentioned in the article.
Results: ...... well nothing change, but at least what was working is
still working.
Any idea on why the firewall client is not able to authenticate against
the ISA server when the user I connected to the VPN, but work fine
internally?
Thanks
Regards
Diego R. Pietruszka
MSC (USA) - Interlink Transport Technologies
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
Sent: Thursday, April 12, 2007 1:21 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
http://www.ISAserver.org
-------------------------------------------------------
I have all my internal user's firewall client detecting automatically
the ISA server array.
The same ISA server array detected for the firewall client is acting as
my VPN server, and the clients connected to that VPN are receiving an IP
on the internal subnet range.
But they are having issues using the firewall client, actually the
firewall client is detecting the right ISA server, but can not
authenticate with it.
Of course the rule between my VPN network and my internal network (where
the ISA server reside) is ROUTE, I'm wondering if the solution on that
article will fix my issue, without affecting my already working internal
authentication with the server.
What you think?
Regards
Diego R. Pietruszka
MSC (USA) - Interlink Transport Technologies
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Wednesday, April 11, 2007 7:28 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Auto Discovery for firewall and webproxy clients
http://www.ISAserver.org
-------------------------------------------------------
http://support.microsoft.com/kb/885683
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Stephen Herrera
Sent: Wednesday, April 11, 2007 8:32 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Auto Discovery for firewall and webproxy clients
http://www.ISAserver.org
-------------------------------------------------------
I am using ISA2004 with Firewall and Web Proxy clients. I have setup the
information manually in the past without any problems. I would like to
implement auto discovery and have followed a couple of the articles on
ISAserver.org. I have:
Created the wpad entry via DNS.
Set IE to auto detect
Set the firewall client to auto detect
Verified ISA is publishing the Auto Discover via the MMC and going to
http://wpad/wpad.dat
When I couldn't connect with the firewall client I used ISA monitoring
to see what was going on. When the firewall client or web proxy client
make the initial connection they are connecting anonymously. IE brings
up an authentication window so that credentials can be entered but the
firewall client doesn't so it fails to discover the server because the
anonymous connection is denied. Did I miss a step somewhere? How can I
get both IE and the firewall client to use the credentials of the user
that is logged in? Any help is appreciated.
Steve
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
