RE: Help with the web proxy setup in ISA 2004

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 1 Jun 2005 06:04:41 -0700

Hi Roy,

Unfortunately, this authentication "option" is only required for a very
few ISA plug-ins; Surf Control and Web Sense among them.
It's this sort of design decision that places folks like you in the bad
position of having all web requests authenticated.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
Sent: Wednesday, June 01, 2005 03:49
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Help with the web proxy setup in ISA 2004

http://www.ISAserver.org

Dear Jim-san,

1): okay, it is clear for me. Sounds like you have been working for MS$ for a long time.
2): noted.
3): again, the reason why we need to have authentication at the proxy listener
    is the request by some plug-ins, i.e. Surfcontrol; otherwise filtering per
    user does not work. This is in fact the key option for some plug-in
    software. At this point, I think we shall select the suitable
    way of authentication according to needs and plug-in software.
4): It is somewhat confusing for the newcomer on the issue
    of authentication anyway, so in the next edition there shall
    be a note/hint mentioning such a difference.

Thanks,

Roy Tsao

> Let me answer these for you, Roy,
> 1. the KB tells you to apply the registry value so that you can have the
> new behavior.  With few exceptions, ISA patches operate under the "leave
> default behavior alone unless it compromises security in some way".
> Thus, the "SkipAuthenticationForRoutingInformation" value does Not
> change the default behavior.
> 2. no - ISA2K and ISA2K4 are completely different products
> 3. as Tom pointed out, most ISA admins use authentication at the rule,
> not the listener.  This allows you to use anonymous rules, such as
> described here:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;885819
> 4. there is plenty of information in Tom's book about web proxy
> authentication; it's just that it centers more on using rules, not
> listeners to perform this task.
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
> Sent: Monday, May 30, 2005 06:06
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> 
> http://www.ISAserver.org
> 
> Hi Tom-san,
> 
> Let me say a bit more about this fix
> 1) even if MS$ releases a KB, it is a little misleading because the 1st
> impression on seeing it is that ISA2K4 SP1 already fixes it, but actually no.
> The KB shall be applied to ISA2k4 SP1 I/O ISA2k4
> 2) I never tested ISA2K; suppose it is the same as ISA2K1 ever had.
> 3) Again, I feel curious why a lot of ISA admins do not ask for
> web authentication or how they settle it when a problem comes
> 4) I could understand why there are few parts in Tom-san's book
> mentioning webproxy authentication.
>
> Actually, I am a little bit frustrated by such a kind of bug!
> 
> 
> 
> > Hi Roy,
> >
> > Well, it appears that the KB article fixed my problem. That came out
> > quite a bit later than we did the book, but it does fix the "ask
> > unauthenticated users to auth" problem, so that is very good!
> >
> >
> > Tom
> > www.isaserver.org/shinder
> > Tom and Deb Shinder's Configuring ISA Server 2004
> > http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> >
> > -----Original Message-----
> > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > Sent: Monday, May 30, 2005 7:14 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> >
> > http://www.ISAserver.org
> >
> >
> > Hi Tom,
> >
> > The reason why I need webproxy authentication as an essential
> > condition is due to filtering plug-ins for the ISA box like Surfcontrol
> > and GFI download security. This URL is FYR
> > http://kb.surfcontrol.com/display/1/index.asp?c=&cpc=&cid=&r=0.8053095
> >
> > Next I need autoconfig to make FWC directly use Webproxy and have the bypass
> > function!
> >
> > I do believe those are quite important settings for not a minor part of
> > ISA administrators and I don't know how they did it in the past.
> >
> > I am wondering why MS$ makes this option while it does not work
> > consistently.
> >
> > Thanks,
> >
> > Roy Tsao
> >
> >
> >
> > > Hi Roy,
> > >
> > > Well, it was never until KB 885683 fixed the problem!
> > >
> > > :)
> > >
> > >
> > > Tom
> > > www.isaserver.org/shinder
> > > Tom and Deb Shinder's Configuring ISA Server 2004
> > > http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > >
> > >
> > > -----Original Message-----
> > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > Sent: Monday, May 30, 2005 7:00 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > >
> > > http://www.ISAserver.org
> > >
> > > Hi Shinder-sama,
> > >
> > > May I know the reason why for "never"?
> > >
> > > Thanks,
> > >
> > > Roy Tsao
> > >
> > >
> > > > Hi Roy,
> > > >
> > > > I think I might understand your problem now.
> > > >
> > > > You should *never* enable the "ask unauthenticated users to
> > > > authenticate" option. If you want to force authentication, use Access
> > > > Rules
> > > >
> > > > HTH,
> > > >
> > > >
> > > > Tom
> > > > www.isaserver.org/shinder
> > > > Tom and Deb Shinder's Configuring ISA Server 2004
> > > > http://tinyurl.com/3xqb7
> > > > MVP -- ISA Firewalls
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > Sent: Monday, May 30, 2005 1:56 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > To All Married Guys,
> > > >
> > > >
> > > > The discussion threads caused by me seem to be overflowing while
> > > > I really want to make sure of the correct configuration and get
> > > > to know the working mechanism. To summarize the past discussion,
> > > > what I want to know is
> > > >   - based on Client type: 1) FWC 2) WPC (webproxy)
> > > >   - at conditions: "webproxy authentication is enabled"
> > > >                    "autoproxy configuration shall be applied"
> > > >                    autodiscovery is properly configured already
> > > >   - result: right configuration so that no popup asks for authentication
> > > >             in web browsing
> > > >
> > > > After various kinds of tests in my VM, the situation is like this:
> > > > 1) FWC:
> > > >    problem 1): if "autodetect ISA server" is selected at FWC, it fails
> > > >                to find it unless "webproxy authentication is disabled"
> > > >    problem 2): if only the "autoconfig script" option is selected at the FWC tab
> > > >                for internal network configuration, popup windows
> > > >                asking for authentication come up unless I modify
> > > >                the autoscript URL by replacing "ISA_FQDN" with
> > > >                "isa_host_name"
> > > >    no popup authentication windows only when "autodetect" is selected
> > > >    at the FWC tab for internal network configuration.
> > > >
> > > > 2) WPC:
> > > >    problem 3): in addition to checking webproxy agent, enabling either
> > > >                the autodetection or autoconfiguration option at the browser
> > > >                will bring up authentication windows (this
> > > >                must be caused by the webproxy authentication requirement);
> > > >                keep clicking cancel on the "Pop-up" so that the browser acts
> > > >                just as a natural WPC without autoconfiguration data to pass
> > > >                authentication.
> > > >    WPC must be manually set up including the bypass list at the client browser
> > > >    side.
> > > >
> > > > As a conclusion, there is a setting limitation for autoproxy/detection
> > > > when "webproxy authentication is required for all users". Kindly
> > > > let me know your explanation for the above problems 1)-3) if you
> > > > think I am wrong.
> > > >
> > > > Thanks,
> > > >
> > > > Roy Tsao
> > > >
> > > >
> > > >
> > > >
> > > > > Hi Roy-sama
> > > > >
> > > > > The entries in DNS or DHCP provide the client information about how to
> > > > > get the autoconfiguration information. That information is published on
> > > > > the autodiscovery port you configure on the ISA firewall.
> > > > >
> > > > > HTH,
> > > > >
> > > > >
> > > > > Tom
> > > > > www.isaserver.org/shinder
> > > > > Tom and Deb Shinder's Configuring ISA Server 2004
> > > > > http://tinyurl.com/3xqb7
> > > > > MVP -- ISA Firewalls
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > Sent: Friday, May 27, 2005 1:00 PM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > >
> > > > > http://www.ISAserver.org
> > > > >
> > > > > Thank you Shinder-san. Yup, I did know the setting for autodiscovery
> > > > > through both DHCP and DNS BUT BUT I have not known this kind of
> > > > > setting for WPAD is also needed for "Autoconfig"; if so I have taken
> > > > > a basic wrong concept regarding the autoconfig setting, and I believe
> > > > > not a small number of ISA guys are the same, then I could understand
> > > > > many posts in the local forum here asking about why a POPUP window
> > > > > for authentication appears though autoconfig is set up.
> > > > >
> > > > >
> > > > > > Hi Roy,
> > > > > >
> > > > > > Works the same in ISA Server 2004 (mostly):
> > > > > >
> > > > > > http://www.isaserver.org/img/upl/isaedukit/5automate/5automate.htm
> > > > > >
> > > > > >
> > > > > >
> > > > > > Tom
> > > > > > www.isaserver.org/shinder
> > > > > > Tom and Deb Shinder's Configuring ISA Server 2004
> > > > > > http://tinyurl.com/3xqb7
> > > > > > MVP -- ISA Firewalls
> > > > > >
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > > Sent: Friday, May 27, 2005 8:14 AM
> > > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > > >
> > > > > > http://www.ISAserver.org
> > > > > >
> > > > > > S guy,
> > > > > >
> > > > > > To be perfectly honest with you, it is the first time for me to know
> > > > > > a wpad entry is required in DNS for "autoproxy" I/O "autodetection"
> > > > > > (=autodiscovery). I never knew it shall be prepared for webproxy/FWC
> > > > > > clients!
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Roy Tsao
> > > > > >
> > > > > > P.S.: why don't you spend your time with your lovely wife; network is
> > > > > > not your main after your marriage, otherwise your wife shall complain
> > > > > > about you a lot in talking with lots of guys known! Kidding!!!
> > > > > >
> > > > > >
> > > > > > > Roy
> > > > > > >
> > > > > > > Yes you need a wpad entry in dns pointing to the internal ip of isa.
> > > > > > >
> > > > > > > Also make sure your wpad string is http://wpad/wpad.dat
> > > > > > >
> > > > > > >
> > > > > > > WITH NO PORT NUMBER after the 1st wpad
> > > > > > >
> > > > > > > S
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > > > Sent: Friday, May 27, 2005 10:03 AM
> > > > > > > To: ISA Mailing List
> > > > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > > > >
> > > > > > > http://www.ISAserver.org
> > > > > > >
> > > > > > > Dear Jim-san,
> > > > > > >
> > > > > > > Sorry for disturbing you a lot but please be advised that I am not a pro
> > > > > > > in networking (it is just my private fun to learn computer networking, which is
> > > > > > > far from my present career), nor am I a native English speaker but an
> > > > > > > oriental guy, please be patient!
> > > > > > >
> > > > > > > 1) unfiltered logs: I am not trying to hide it but it will be very hard
> > > > > > >    for you to read it since my ISA version is not English, so you
> > > > > > >    may not judge what it is. May I try to take it out and send it to
> > > > > > >    your private address.
> > > > > > > 2) Browser configuration: the browser at the client end has no setting since
> > > > > > >    FWC is installed, namely initially no setting and it becomes an
> > > > > > >    autoconfiguration webproxy client as per FWC's setting. The
> > > > > > >    autoconfiguration is checked finally with no other options. That's why I
> > > > > > >    did not answer the browser's question
> > > > > > > 3) Request mechanism on http://wpad...: It is really helpful
> > > > > > >    information for me to know those from you. I can download wpad.dat if I
> > > > > > >    replace "wpad"
> > > > > > >    with "firewall_host_name:8080". Shall I send this file to you? Also, do
> > > > > > >    I need to configure DHCP to point WPAD to the right ISABOX internal
> > > > > > >    address? I am getting confused by WPADed things aside from
> > > > > > >    autodetection.
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > Roy Tsao
> > > > > > >
> > > > > > > > The discussion centers on "autoconfiguration".
> > > > > > > > This functionality is based on a request for http://wpad/wpad.dat from
> > > > > > > > the browser and http://wpad/wspad.dat from the FWC.
> > > > > > > > This is why I want you to examine the wpad.dat.
> > > > > > > >
> > > > > > > > You still have not answered the browser question.
> > > > > > > > You still have not provided unfiltered log entries.
> > > > > > > >
> > > > > > > > This isn't magic, Roy, and I don't read minds.
> > > > > > > > I do tire of playing oral surgeon, though.
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > > > > Sent: Thursday, May 26, 2005 9:04 PM
> > > > > > > > To: [ISAserver.org Discussion List]
> > > > > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > > > > >
> > > > > > > > http://www.ISAserver.org
> > > > > > > >
> > > > > > > > Dear Harrison-san,
> > > > > > > >
> > > > > > > > The setting of my present VM lab ISA box is:
> > > > > > > >    - Access rules only two:
> > > > > > > >      1) allow internal to external/all protocols/all users
> > > > > > > >      2) deny all as default
> > > > > > > >
> > > > > > > >    - Internal Network Property:
> > > > > > > >      <Firewall Client>
> > > > > > > >        [CHECK]   Enable Firewall Client support
> > > > > > > >        [UNCHECK] Auto detect setting
> > > > > > > >        [CHECK]   Auto config script
> > > > > > > >        [SELECT]  Use custom URL = http://isalocal.firewall.local:8080...
> > > > > > > >        [UNCHECK] Use a Web Proxy Server
> > > > > > > >      <Domain>
> > > > > > > >        *.firewall.local
> > > > > > > >      <Web Browser>
> > > > > > > >        [CHECK] Bypass Proxy for Web server in this network
> > > > > > > >        [CHECK] Directly Access computer specified in the Domain tab.
> > > > > > > >        Directly Access server & domain: *.firewall.local
> > > > > > > >      <Web Proxy>
> > > > > > > >        [CHECK] Enable Web proxy client
> > > > > > > >        [CHECK] HTTP at 8080
> > > > > > > >        Authentication: [CHECK] Integrated / Require All Users to
> > > > > > > >        authenticate
> > > > > > > >      <Auto Discovery>
> > > > > > > >        No setting
> > > > > > > >      <Address>
> > > > > > > >        10.0.0.0-10.0.0.255
> > > > > > > >
> > > > > > > > Web browser setting at the client end will be automatically configured by
> > > > > > > > FWC setting and become WebProxy client for HTTP.
> > > > > > > >
> > > > > > > > I don't know why I need a wpad.dat since no auto discovery.
> > > > > > > >
> > > > > > > >
> > > > > > > > > Please stop trimming the thread.
> > > > > > > > >
> > > > > > > > > I advise that you provide more than a single modified log entry.
> > > > > > > > > I can't help you if you insist on filtering the data.
> > > > > > > > >
> > > > > > > > > Additional questions:
> > > > > > > > > Q1 - exactly how is the browser configured?
> > > > > > > > > Q2 - exactly what is the web proxy configuration for the Internal
> > > > > > > > > network?
> > > > > > > > > Q3 - when you do receive the wpad.dat file, exactly what data is
> > > > > > > > > found between "{" and "}" in:
> > > > > > > > >       "function MakeIPs"
> > > > > > > > >       And
> > > > > > > > >       "function MakeNames()"
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > > > > > Sent: Thursday, May 26, 2005 3:22 AM
> > > > > > > > > To: [ISAserver.org Discussion List]
> > > > > > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > > > > > >
> > > > > > > > > http://www.ISAserver.org
> > > > > > > > >
> > > > > > > > > I did understand your points; also I have taken an examination of the whole
> > > > > > > > > logs before & after changing from FQDN to hostname.
> > > > > > > > >
> > > > > > > > > Anyhow, when FQDN is used, there is a POPUP asking for authentication,
> > > > > > > > > could you advise any possible reason?
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > >
> > > > > > > > > Roy Tsao
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Try not to "filter" the log data.
> > > > > > > > > "Imaginary" information is useless.
> > > > > > > > > If you have a problem sending it to the list, then you need to
> > > > > > > > > rethink your security model.
> > > > > > > > > "Security by obscurity is no security at all".
> > > > > > > > >
> > > > > > > > > Also, you should examine more than a single log entry - it's just as
> > > > > > > > > likely that you're looking at the wrong one.


All mail to and from this domain is GFI-scanned.
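The bypass settings Roy lists for his lab (Domains tab *.firewall.local, "bypass proxy for Web servers in this network" over 10.0.0.0-10.0.0.255, web proxy listener on 8080) and S's advice about the WPAD string are the two things a proxy autoconfiguration (PAC) script and its delivery URL encode. The script below is an added example written for this page; it is not the wpad.dat that ISA Server generates (whose MakeIPs and MakeNames functions Jim asks about) and not code from any poster. The DNS table, the listener name isalocal.firewall.local:8080 and the stand-in PAC helpers are constructed so it runs under Node.js instead of inside a browser. What it shows for the problem in the thread: the script only decides which requests go DIRECT and which reach the listener; whether the listener then challenges a request is the listener authentication setting the thread is about, so a PAC cannot suppress that prompt, only route around it for the destinations it exempts.

```javascript
// Added example (not ISA's generated wpad.dat, not any poster's code): a PAC script
// that encodes the bypass rules of the lab configuration in the thread, plus a check
// of the WPAD string S recommends. Constructed assumptions: proxy listener
// isalocal.firewall.local:8080, Internal range 10.0.0.0-10.0.0.255, direct-access
// domain *.firewall.local.

// Stand-ins for the PAC helpers a browser supplies (isPlainHostName, dnsDomainIs,
// dnsResolve, isInNet) so the script can be exercised under Node.js.
const CONSTRUCTED_DNS = {             // constructed lookup table, not real DNS
  "intranet.firewall.local": "10.0.0.20",
  "printer.lab.example":     "10.0.0.45",
  "www.example.com":         "93.184.216.34",
};
function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;   // IP literal resolves to itself
  return CONSTRUCTED_DNS[host] || null;                    // null: resolution failed
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}
function isInNet(ip, pattern, mask) {
  if (!ip) return false;                                   // unresolvable host is not "in net"
  // >>> 0 keeps the comparison unsigned after the 32-bit bitwise AND
  return ((ipToInt(ip) & ipToInt(mask)) >>> 0) === ((ipToInt(pattern) & ipToInt(mask)) >>> 0);
}

const ISA_PROXY = "PROXY isalocal.firewall.local:8080";   // constructed listener address

function FindProxyForURL(url, host) {
  // "Bypass proxy for Web servers in this network": single-label names go direct
  if (isPlainHostName(host)) return "DIRECT";
  // "Directly access computers specified in the Domains tab": *.firewall.local
  if (dnsDomainIs(host, ".firewall.local")) return "DIRECT";
  // Anything that resolves into the Internal range 10.0.0.0/24 also goes direct
  if (isInNet(dnsResolve(host), "10.0.0.0", "255.255.255.0")) return "DIRECT";
  // Everything else is sent to the ISA web proxy listener on 8080; the trailing
  // DIRECT is the browser's fallback if the listener cannot be reached
  return ISA_PROXY + "; DIRECT";
}

// S's rule for the WPAD string: bare host "wpad", no port number, and the path the
// browser (wpad.dat) or the Firewall Client (wspad.dat) actually requests.
function wpadUrlIsCanonical(s) {
  let u;
  try { u = new URL(s); } catch (e) { return false; }
  return u.protocol === "http:" && u.hostname === "wpad" && u.port === "" &&
         (u.pathname === "/wpad.dat" || u.pathname === "/wspad.dat");
}

// Stand-alone run: show the routing decision for a few constructed destinations
for (const h of ["fileserver", "intranet.firewall.local", "printer.lab.example", "www.example.com"]) {
  console.log(h, "->", FindProxyForURL("http://" + h + "/", h));
}
```

A real wpad.dat from ISA is much longer than this (it carries the MakeIPs/MakeNames tables Jim refers to and load-balancing logic), but the three DIRECT branches above are the same decisions the GUI checkboxes in Roy's configuration produce, and the URL check is the quickest way to catch the "wpad with a port number" mistake S warns about.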


