It's in the properties of local host.

S

-----Original Message-----
From: vesterby@xxxxxxxx [mailto:vesterby@xxxxxxxx]
Sent: Friday, September 10, 2004 3:54 PM
To: Isa Weblist
Subject: [isalist] Fw: RE: ISA Server 2004 Issues

http://www.ISAserver.org

I found the Web Listener under "Network Objects" section in the Firewall Policy (nothing was there). I then created a new web listener, added the network object "Internal" to it, went to the Preferences tab and noticed that I can disable authentication for that web listener and change it to a different port, which I did.

However, when I go to create the new anonymous access rule, it doesn't seem to allow me to include the web listener anywhere in the access rule. The new access rule -does- allow me to enter the domains that I want the users to browse to, and also allows me to include a group I created that only has their user names included. But that puts me back to square one again because I then do not have an option to disable authentication just for those users to access that web site running the java application.

Any ideas? Thanks.

---------- Forwarded Message ----------

Hi John,

Just disable the "ask unauthenticated users to authentication" option on the Web listener accepting outbound requests. Then create an anonymous access rule that allows access *to the required sites ONLY*.

HTH,
Tom

-----Original Message-----
From: vesterby@xxxxxxxx [mailto:vesterby@xxxxxxxx]
Sent: Thursday, September 09, 2004 2:32 PM
To: [ISAserver.org Discussion List]
Cc: isalist@xxxxxxxxxxxxx
Subject: [isalist] RE: ISA Server 2004 Issues

Since we require our users to authenticate, I can't just disable the global authentication on the Internal network object. However, I think there may be a workaround (got the idea from Jim) but I haven't been able to get it to work yet.
The workaround could be to create a new network object called "(appname) Internal", disable authentication for that network object, add the domain name of the website where the java app resides, and then add the new network object to a rule for http and https access.

However! Whenever I go under Configuration, right click Network, click New Network, select "Internal Network", click the ADD button and add the starting and ending IP addresses of the network, I always get the same error:

"The internal network includes IP addresses in the range 192.236.1.1-192.236.1.254. Networks cannot contain IP addresses that overlap with another network."

Is this because the current network object "Internal" that exists already has these IP addresses?

I noticed something else. When I first set this server up, ISA seems to want to use the following IP address range in the Addresses tab of the properties of the Internal network object.

Start address: 0.0.0.1 End address: 126.255.255.255.
Start address: 128.0.0.0 End Address: 223.255.255.255.

If I attempt to take those out and put our actual network addresses in, it gives me the same error.

-- "Jim Harrison" <jim@xxxxxxxxxxxx> wrote:

There is no AD or system policies issue here. Client-based access is controlled via Array policies. The "Require all users to authenticate" setting is what I'm referring to as "global auth". If you need to support anonymous rules at this listener, you have to leave this setting disabled (it is, by default).

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

----- Original Message -----
From: <vesterby@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Cc: <isalist@xxxxxxxxxxxxx>
Sent: Thursday, September 09, 2004 11:43
Subject: [isalist] RE: ISA Server 2004 Issues

Just to make sure I'm on the same page.. are you talking about editing the System Policy and disabling the Active Directory authentication? If that is incorrect, then where do I disable the "global auth" setting in ISA Server 2004?

Thanks for your help.

-- John

-- "Jim Harrison" <jim@xxxxxxxxxxxx> wrote:

You're trying to use one setting to accomplish two separate tasks. As you've seen, you can't have "global authentication" and allow anonymous connections. You need to separate your rules into "authenticated" and "anonymous" and disable the "global auth" setting.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

----- Original Message -----
From: <vesterby@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Cc: <isalist@xxxxxxxxxxxxx>
Sent: Thursday, September 09, 2004 09:30
Subject: [isalist] RE: ISA Server 2004 Issues

I must be missing something in your instructions for creating an anonymous access rule for ISA Server 2004. I created the new access rule as defined in the instructions you provided, but I don't see any way to make the access anonymous. The only way I know how to do it is clicking on the Authentication button in the Web Proxy tab of the properties of the Internal network object, and taking the check mark out of "Require all users to authenticate." Unfortunately, this disables authentication for -all users-, not just the ones who are using the specialized java application.

Any ideas? Thanks.

-- "Jim Harrison" <jim@xxxxxxxxxxxx> wrote:

Take a look at the instructions I just posted for the WU issue. It contains explicit steps for creating anonymous rules to specific destinations.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
----- Original Message -----
From: <vesterby@xxxxxxxx>

Hi -

In addition to the below E-mail, I could use some assistance with the following issue. I got ISA 2004 running as a proxy server (single NIC). We have an application that our users need to access a java applet at a particular URL, which, for some reason, requires the connection to be an anonymous one. However, my company wants to be able to see who is connecting through the ISA server so they require that the proxy users authenticate. When I put a check mark in the Authentication section of the Internal network object to "Require all users to authenticate", the java applet does not work. But when I remove that requirement, the java applet works.

Can you give me some idea of how I can get this working through ISA server? Thanks again.

-- John

-- "vesterby@xxxxxxxx" <vesterby@xxxxxxxx> wrote:

Hi,

In order to get things rolling quickly, I've been asked to just concentrate on the proxy server part of ISA and worry about the firewall later. I have a couple more questions, though.

You mentioned the external interface is the one with the gateway. But if the internal interface doesn't have a gateway, how will ISA server know how to get to our different subnets? That was the reason I asked if I need to add routes.

The other thing is my company is insisting that we run some other things on the same server as ISA (to save money on servers) and my recommendation to not do this has gone unheeded. They want to run Microsoft SUS and RIS server. Can you give me valid reasons I can present to my management why it isn't a good idea to run these on the same server? Our company has about 350 employees.

Lastly, how can I obtain a copy of the Quick Start guide? The company I work for seems to want to implement ISA server quickly.

Thanks.

-- "Thomas W Shinder" <tshinder@xxxxxxxxxxx> wrote:

Hi John,

Several tips to help you get up and running with the ISA firewall:

1. Install the ISA firewall as a back-end ISA firewall with at least two NICs. Running the ISA firewall in unihomed single-NIC mode is like taking three wheels off a Ferrari because it "goes too fast".
2. Don't run Web sites on the ISA firewall. If you have a Checkpoint Server, put the Web sites on that. Even better, put them on a protected network.
3. The ISA firewall doesn't use a LAT.
4. Install as many interfaces on the ISA firewall as you like. Just one is the External interface and that is the one with the default gateway.

HTH,
Tom
www.isaserver.org/shinder
Get the book! Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: vesterby@xxxxxxxx [mailto:vesterby@xxxxxxxx]

Hi,

I'm new to ISA Server and could use some recommendations regarding some issues I'm having with installing ISA Server 2004 (Standard Edition). We are currently using an NT domain and plan to migrate to an Active Directory domain within the next 3 months.

I installed ISA Server 2004 with a single network adapter (caching only), but when I try to access the server for http access to the Internet, I am prompted for authentication but when I log in, nothing happens. It is set up for integrated authentication. I think part of the problem (which I'll test tomorrow) is that IIS is also installed and is listening on port 80 - the same port that I have ISA Server listening on. We currently have Proxy Server 2.0, which is integrated with IIS, so I had installed ISA Server with IIS thinking that it needed it but then realized it didn't.

There are a couple of other issues too, including:

1) I'm not sure the LAT table is correct - does the caching server even need the LAT table? I'm thinking it needs it if I use the firewall (we have 2 X Nokia Checkpoint firewalls but I had considered using the firewall feature in ISA to make it a backend firewall for more security). We have a 192.236.x.x/22 network and also a 10.10.1.x/24 network.
2) The server I built has a default gateway but there may be cases with ISA where I want to take the default gateway out and add static routes.

If you could provide recommendations on the above issues, I'd really appreciate it.

Thanks.
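
A simplified model of the rule split that Jim and Tom describe in this thread, added here as an example (it is not ISA Server code and not from any poster). The user-set names mirror ISA's built-in "All Users" and "All Authenticated Users"; the `evaluate()` function, the host names and the rule names are assumptions made for illustration.

```python
from dataclasses import dataclass

ALL_USERS = "All Users"                     # rule matches without knowing who the user is
AUTHENTICATED = "All Authenticated Users"   # rule needs a proven identity


@dataclass
class Rule:
    name: str
    users: str
    destinations: frozenset = frozenset()   # empty means any destination


def evaluate(rules, require_all_auth, host, user=None):
    """Decide one outbound proxy request; user=None is an anonymous client."""
    if require_all_auth and user is None:
        return ("challenge", "listener")    # "global auth": no rule is ever reached
    for rule in rules:                      # ordered list, first match wins
        if rule.destinations and host not in rule.destinations:
            continue
        if rule.users == ALL_USERS or user is not None:
            return ("allow", rule.name)
        return ("challenge", rule.name)     # identity needed, none presented
    return ("deny", "default")


# Constructed sample policy: host, user and rule names are placeholders.
APPLET_HOST = "applet.example.test"
OTHER_HOST = "www.example.test"
SPLIT_POLICY = [
    Rule("Anonymous applet", ALL_USERS, frozenset({APPLET_HOST})),
    Rule("Authenticated web", AUTHENTICATED),
]


def scenarios():
    """Replay the cases discussed in the thread and return each decision."""
    return {
        "global auth on, applet": evaluate(SPLIT_POLICY, True, APPLET_HOST),
        "global auth off, applet": evaluate(SPLIT_POLICY, False, APPLET_HOST),
        "other site, anonymous": evaluate(SPLIT_POLICY, False, OTHER_HOST),
        "other site, user": evaluate(SPLIT_POLICY, False, OTHER_HOST, "DOMAIN\\john"),
        "rules reversed, applet": evaluate(SPLIT_POLICY[::-1], False, APPLET_HOST),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:26} -> {result}")
```

Because the anonymous rule is limited to the applet host, every other destination still falls through to the authenticated rule, so those users remain identified in the proxy log.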