Fw: RE: ISA Server 2004 Issues
- From: "vesterby@xxxxxxxx" <vesterby@xxxxxxxx>
- To: isalist@xxxxxxxxxxxxx
- Date: Fri, 10 Sep 2004 18:54:05 GMT
I found the Web Listener under "Network Objects" section in the Firewall Policy
(nothing was there). I then created a new web listener, added the network
object "Internal" to it, went to the Preferences tab and noticed that I can
disable authentication for that web listener and change it to a different port,
which I did. However, when I go to create the new anonymous access rule, it
doesn't seem to allow me to include the web listener anywhere in the access
rule.
The new access rule -does- allow me to enter the domains that I want the users
to browse to, and also allows me to include a group I created that only has
their user names included. But that puts me back to square one again because I
then do not have an option to disable authentication just for those users to
access that web site running the java application.
Any ideas? Thanks.
---------- Forwarded Message ----------
http://www.ISAserver.org
Hi John,
Just disable the "ask unauthenticated users to authentication" option on
the Web listener accepting outbound requests.
Then create an anonymous access rule that allow access *to the required
sites ONLY".
HTH,
Tom
-----Original Message-----
From: vesterby@xxxxxxxx [mailto:vesterby@xxxxxxxx]
Sent: Thursday, September 09, 2004 2:32 PM
To: [ISAserver.org Discussion List]
Cc: isalist@xxxxxxxxxxxxx
Subject: [isalist] RE: ISA Server 2004 Issues
http://www.ISAserver.org
Since we require our users to authenticate, I can't just disable the
global authentication on the Internal network object. However, I think
there may be a workaround (got the idea from Jim) but I haven't been
able to get it to work yet.
The workaround could be to create a new network object called "(appname)
Internal", disable authentication for that network object, add the
domain name of the website where the java app resides, and then add the
new network object to a rule for http and https access.
However! Whenever I go under Configuration, right click Network, click
New Network, select "Internal Network", click the ADD button and add the
starting and ending IP addresses of the network, I always get the same
error: "The internal network includes IP addresses in the range
192.236.1.1-192.236.1.254. Networks cannot contain IP addresses that
overlap with another network." Is this because the current network
object "Internal" that exists already has these IP addresses?
I noticed something else. When I first set this server up, ISA seems to
want to use the following IP address range in the Addresses tab of the
properties of the Internal network object. Start address: 0.0.0.1 End
address: 126.255.255.255. Start address: 128.0.0.0 End Address:
223.255.255.255. If I attempt to take those out and put our actual
network addresses in, it gives me the same error.
-- "Jim Harrison" <jim@xxxxxxxxxxxx> wrote:
http://www.ISAserver.org
There is no AD or system policies issue here.
Client-based access is controlled via Array policies.
The "Require all users to authenticate" setting is what I'm referring to
as "global auth".
If you need to support anonymous rules at this listener, you have to
leave this setting disabled (it is, by default).
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
----- Original Message -----
From: <vesterby@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Cc: <isalist@xxxxxxxxxxxxx>
Sent: Thursday, September 09, 2004 11:43
Subject: [isalist] RE: ISA Server 2004 Issues
http://www.ISAserver.org
Just to make sure I'm on the same page.. are you talking about editing
the System Policy and disabling the Active Directory
authentication?
If that is incorrect, then where do I disable the "global auth" setting
in ISA Server 2004? Thanks for your help.
-- John
-- "Jim Harrison" <jim@xxxxxxxxxxxx> wrote:
http://www.ISAserver.org
You're trying to use one setting to accomplish two separate tasks.
As you've seen, you can't have "global authentication" and allow
anonymous connections.
You need to separate your rules into "authenticated" and "anonymous" and
disable the "global auth" setting.
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
----- Original Message -----
From: <vesterby@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Cc: <isalist@xxxxxxxxxxxxx>
Sent: Thursday, September 09, 2004 09:30
Subject: [isalist] RE: ISA Server 2004 Issues
http://www.ISAserver.org
I must be missing something in your instructions for creating an
anonymous access rule for ISA Server 2004. I created the new
access rule as defined in the instructions you provided, but I don't see
any way to make the access anonymous. The only way I know
how to do it is clicking on the Authentication button in the Web Proxy
tab of the properties of the Internal network object, and
taking the check mark out of "Require all users to authenticate."
Unfortunately, this disables authentication for -all users-, not
just the ones who are using the specialized java application.
Any ideas? Thanks.
-- "Jim Harrison" <jim@xxxxxxxxxxxx> wrote:
http://www.ISAserver.org
Take a look at the instructions I just posted for the WU issue.
It contains explicit steps for creating anonymous rules to specific
destinations.
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
----- Original Message -----
From: <vesterby@xxxxxxxx>
Hi - In addition to the below E-mail, I could use some assistance with
the following issue.
I got ISA 2004 running as a proxy server (single NIC). We have an
application that our users need to access a java applet at a particular
URL, which, for some reason, requires the connection to be an anonymous
one. However, my company wants to be able to see who is connecting
through the ISA server so they require that the proxy users
authenticate.
When I put a check mark in the Authentication section of the Internal
network object to "Require all users to authenticate", the java applet
does not work. But when I remove that requirement, the java applet
works.
Can you give me some idea of how I can get this working through ISA
server? Thanks again.
-- John
-- "vesterby@xxxxxxxx" <vesterby@xxxxxxxx> wrote:
http://www.ISAserver.org
Hi,
In order to get things rolling quickly, I've been asked to just
concentrate on the proxy server part of ISA and worry about the firewall
later. I have a couple more questions, though.
You mentioned the external interface is the one with the gateway. But
if
the internal interface doesn't have a gateway, how will ISA server know
how to get to our different subnets? That was the reason I asked if I
need to add routes.
The other thing is my company is insisting that we run some other things
on the same server as ISA (to save money on servers) and my
recommendation to not do this has gone unheeded. They want to run
Microsoft SUS and RIS server. Can you give me valid reasons I can
present to my management why it isn't a good idea to run these on the
same server? Our company has about 350 employees.
Lastly, how can I obtain a copy of the Quick Start guide? The company I
work for seems to want to implement ISA server quickly. Thanks.
-- "Thomas W Shinder" <tshinder@xxxxxxxxxxx> wrote:
http://www.ISAserver.org
Hi John,
Several tips to help you get up and running with the ISA firewall:
1. Install the ISA firewall as a back-end ISA firewall with at least two
NICs. Running the ISA firewall in unihomed single-NIC mode is like
taking three wheels off a Ferrari because it "goes too fast".
2. Don't run Web sites on the ISA firewall. If you have a Checkpoint
Server, but the Web sites on that. Even better, put them on a protected
network.
3. The ISA firewall doesn't use a LAT.
4. Install as many interfaces on the ISA firewall as you like. Just one
is the External interface and that is the one with the default gateway.
HTH,
Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
-----Original Message-----
From: vesterby@xxxxxxxx [mailto:vesterby@xxxxxxxx]
Hi,
I'm new to ISA Server and could use some recommendations regarding some
issues I'm having with installing ISA Server 2004 (Standard Edition).
We
are currently using an NT domain and plan to migrate to an Active
Directory domain within the next 3 months. I installed ISA Server 2004
with a single network adapter (caching only), but when I try to access
the server for http access to the Internet, I am prompted for
authentication but when I log in, nothing happens. It is set up for
integrated authentication.
I think part of the problem (which I'll test tomorrow) is that IIS is
also installed and is listening on port 80 - the same port that I have
ISA Server listening on. We currently have Proxy Server 2.0, which is
integrated with IIS, so I had installed ISA Server with IIS thinking
that
it needed it but then realized it didn't. There are a couple of other
issues too, including:
1) I'm not sure the LAT table is correct - does the caching server even
need the LAT table? I'm thinking it needs it if I use the firewall (we
have 2 X Nokia Checkpoint firewalls but I had considered using the
firewall feature in ISA to make it a backend firewall for more
security).
We have a 192.236.x.x/22 network and also a 10.10.1.x/24 network.
2) The server I built has a default gateway but there may be cases with
ISA where I want to take the default gateway out and add static routes.
If you could provide recommendations on the above issues, I'd really
appreciate it. Thanks.
________________________________________________________________
Get your name as your email address.
Includes spam protection, 1GB storage, no ads and more
Only $1.99/ month - visit http://www.mysite.com/name today!
Other related posts:
