Re: Help!!! Problems with Web Proxy/Firewall Client s Authentication
- From: Hugh.Roberts@xxxxxxxxxxxx
- To: isalist@xxxxxxxxxxxxx
- Date: Tue, 4 Sep 2001 19:38:31 +0200
I have exactly the same issue but with 2 Site and Content Rules. 1st rule
for a group of users allowed to any URL. 2nd rule for a group of users
allowed only to a list of URLs approved by management.
I applied the reg fix mentioned
http://support.microsoft.com/support/kb/articles/Q297/3/24.ASP as once you
run hf68 ( I think ) for ISA is uodates the w3proxy.dll to the required
version mentioned and all is working well now. ( b.t.w all users IE 5.5 and
up as web proxy clients on a 2k domain )
BUT ...
here is my problem the limited user group can't get to HTTPS URLs although
they are allowed by protocol rules, site and content and destination sets.
The ISA server is chaining to an upstream ISA server that accepts any
connection ( downstream - auth by domain groups ---> upstream any
connection, destination or protocol with firewall chaining and default
routing rule pointing at upstream ISA)
Any assistance will help
Thanks
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 04 September 2001 18:53
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Help!!! Problems with Web Proxy/Firewall Clients
Authentication
http://www.ISAserver.org
It sounds like you have this issue:
http://support.microsoft.com/support/kb/articles/Q297/3/24.ASP
Call MS PSS and they'll point you to the hotfix for free.
Jim Harrison
MCP(2K), A+, Network+, PCG
----- Original Message -----
From: "Carlos Mauricio Perez Cortes" <mauriciop@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, September 04, 2001 09:03
Subject: [isalist] Help!!! Problems with Web Proxy/Firewall Clients
Authentication
http://www.ISAserver.org
This is a multi-part message in MIME format.
----------------------------------------------------------------------------
----
Hello Friends,
I'm needing your valuable help with te following problem. I hope you can
give me some clues:
I have ISA Server working in integrated mode (stand-alone) with 2 NIC's
(LAN and Internet). I'ts a member server of our Windows 2000 domain.
During initial configuration we created Client Address Sets and then
applied rules to that objects. Everything was working good until our
boss said us we had to restrict Internet access on a per-user/group
basis. We had to modify all rules and apply them to Windows 2000 domain
groups. Then we deleted all Client Address Sets. The outgoing web
requests listener is configured to use Integrated Authentication. There
is only one Site and Content Rule (default) allowing all destinations to
any request.
The problem we're having is that when a Web Proxy or Firewall client
(even with both) tries to access HTTP content from the browser it always
get an authentication dialog box even though the user is already logged
on at the Windows 2000 domain. When user provides his account
information, the authentication dialog box appears again and again.
Firewall clients also have problems to open sockets sessions (FTP,
Telnet, etc..) even though that protocols are allowed in a rule applied
to the right group of users.I don't know what else to do. It seems that
browser is not passing logon credentials to ISA Server. All clients are
using IE 5.0.
I found the following information in ISA Server's Help:
When a Web Proxy or Firewall client requests HTTP content, ISA Server
checks the rules to determine if a specific rule allows anonymous users
access (either because it applies to all users or it applies to a client
address set that includes the IP address of the client). If so, then the
request will be allowed. Otherwise, if no rule has been configured to
allow anonymous users access, ISA Server will require that the client
authenticate itself, to determine if a rule applies to the specific,
authenticated user.
In other words, when a client requests HTTP content, authentication
information is not passed to the ISA Server computer, unless ISA Server
requires it. This happens when the Web Proxy service must identify the
user in order to allow the request.
Ok...In our case ISA Server requires authentication information because
Web Proxy Service must identify the user to validate the request. My
question is...........Can the browser pass authentication information to
ISA Server automatically ?? Because It would be
terrible to provide that information manually each time a user opens the
web browser.
Please I'd be grateful if you can send me some information as soon as
possible...
CARLOS MAURICIO PEREZ C.
Technical Support
s: mauriciop@xxxxxxxxxxxx
http://www.solosoft.com <http://www.solosoft.com/>
SoloSoft Ltda.
----------------------------------------------------------------------------
----
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
hugh.roberts@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
Engen Petroleum Limited disclaim all liability for any loss, damage or
expense however caused, arising from the sending, receipt, or use of this
e-mail communication and on any reliance placed upon the information
provided through this service and does not guarantee the completeness or
accuracy of the information.
Other related posts:
- » Re: Help!!! Problems with Web Proxy/Firewall Client s Authentication
