Hi Roy,

Unfortunately, this authentication "option" is only required for a very few ISA plug-ins; Surf Control and Web Sense among them. It's this sort of design decision that places folks like you in the bad position of having all web requests authenticated.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Wednesday, June 01, 2005 03:49
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Help with the web proxy setup in ISA 2004

http://www.ISAserver.org

Dear Jim-san,

1): Okay, it is clear to me. Sounds like you have been working for MS$ for a long time.
2): Noted.
3): Again, the reason why we need to have authentication at the proxy listener is the requirement of some plug-ins, i.e. Surfcontrol; otherwise filtering per user does not work. This is in fact the key option for some plug-in software. At this point, I think we shall select the suitable way of authentication according to needs and plug-in software.
4): It is somewhat confusing for the newcomer for the issue of authentication anyway, so in the next edition there shall be a note/hint mentioning such a difference.

Thanks,

Roy Tsao

> Let me answer these for you, Roy,
> 1. the KB tells you to apply the registry value so that you can have the new behavior. With few exceptions, ISA patches operate under the "leave default behavior alone unless it compromises security in some way". Thus, the "SkipAuthenticationForRoutingInformation" value does Not change the default behavior.
> 2. no - ISA2K and ISA2K4 are completely different products
> 3. as Tom pointed out, most ISA admins use authentication at the rule, not the listener. This allows you to use anonymous rules, such as described here:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;885819
> 4. there is plenty of information in Tom's book about web proxy authentication; it's just that it centers more on using rules, not listeners to perform this task.
>
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> Sent: Monday, May 30, 2005 06:06
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
>
> Hi Tom-san,
>
> Let me say a bit more about this fix:
> 1) Even if MS$ releases a KB, it is a little misleading, because the first impression on seeing it is that ISA2K4 SP1 already fixes it, but actually no. The KB shall be applied to ISA2K4 SP1 I/O ISA2K4.
> 2) I never tested ISA2K; I suppose it is the same as ISA2K1 ever had.
> 3) Again, I feel curious why a lot of ISA admins do not ask for web authentication, or how they settle it when a problem comes.
> 4) I could understand why there is little in Tom-san's book mentioning web proxy authentication.
>
> Actually, I am a little bit frustrated by such a kind of bug!
>
> > Hi Roy,
> >
> > Well, it appears that the KB article fixed my problem. That came out quite a bit later than we did the book, but it does fix the "ask unauthenticated users to auth" problem, so that is very good!
> >
> > Tom
> > www.isaserver.org/shinder
> > Tom and Deb Shinder's Configuring ISA Server 2004
> > http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> > -----Original Message-----
> > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > Sent: Monday, May 30, 2005 7:14 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> >
> > Hi Tom,
> >
> > The reason why I need web proxy authentication as an essential condition is the filtering plug-ins for the ISA box, like Surfcontrol and GFI download security. This URL is FYR:
> > http://kb.surfcontrol.com/display/1/index.asp?c=&cpc=&cid=&r=0.8053095
> >
> > Next I need autoconfig to make FWC directly use the web proxy and have the bypass function!
> >
> > I do believe those are quite important settings for not a minor part of ISA administrators, and I don't know how they did it in the past.
> >
> > I am wondering why MS$ makes this option while it does not work consistently.
> >
> > Thanks,
> >
> > Roy Tsao
> >
> > > Hi Roy,
> > >
> > > Well, it was never until KB 885683 fixed the problem!
> > >
> > > :)
> > >
> > > Tom
> > >
> > > -----Original Message-----
> > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > Sent: Monday, May 30, 2005 7:00 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > >
> > > Hi Shinder-sama,
> > >
> > > May I know the reason for "never"?
> > >
> > > Thanks,
> > >
> > > Roy Tsao
> > >
> > > > Hi Roy,
> > > >
> > > > I think I might understand your problem now.
> > > >
> > > > You should *never* enable the "ask unauthenticated users to authenticate" option. If you want to force authentication, use Access Rules.
> > > >
> > > > HTH,
> > > >
> > > > Tom
> > > >
> > > > -----Original Message-----
> > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > Sent: Monday, May 30, 2005 1:56 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > >
> > > > To All Married Guys,
> > > >
> > > > The discussion threads caused by me seem to overflow, while I really want to make sure of the correct configuration and get to know the working mechanism. To summarize the past discussion, what I want to know is:
> > > > - based on client type: 1) FWC 2) WPC (web proxy)
> > > > - at conditions: "web proxy authentication is enabled"; "autoproxy configuration shall be applied"; autodiscovery is properly configured already
> > > > - result: right configuration so that no popup asks for authentication in web browsing
> > > >
> > > > After various kinds of tests in my VM, the situation is like this:
> > > > 1) FWC:
> > > >    problem 1): if I select "autodetect ISA server" at FWC, it fails to find it out unless "web proxy authentication" is disabled.
> > > >    problem 2): if I only select the "autoconfig script" option at the FWC tab for the internal network configuration, a popup window asking for authentication comes up unless I modify the autoscript URL by replacing "ISA_FQDN" with "isa_host_name".
> > > >    There is no popup authentication window only when I select "autodetect" at the FWC tab for the internal network configuration.
> > > >
> > > > 2) WPC:
> > > >    problem 3): in addition to checking the web proxy agent, enabling either the autodetection or the autoconfiguration option at the browser will bring up the authentication window (this must be caused by the web proxy authentication requirement); keep clicking cancel on the pop-up so that the browser acts just as a natural WPC without autoconfiguration data to pass authentication.
> > > >    WPC must be manually set up, including the bypass list, at the client browser side.
> > > >
> > > > As a conclusion, there is a setting limitation for autoproxy/detection when "web proxy authentication is required for all users". Kindly let me know your explanation for the above problems 1)-3) if you think I am wrong.
> > > >
> > > > Thanks,
> > > >
> > > > Roy Tsao
> > > >
> > > > > Hi Roy-sama
> > > > >
> > > > > The entries in DNS or DHCP provide the client information about how to get the autoconfiguration information. That information is published on the autodiscovery port you configure on the ISA firewall.
> > > > >
> > > > > HTH,
> > > > >
> > > > > Tom
> > > > >
> > > > > -----Original Message-----
> > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > Sent: Friday, May 27, 2005 1:00 PM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > >
> > > > > Thank you Shinder-san. Yup, I did know the setting for autodiscovery through both DHCP and DNS, BUT BUT I had not known that this kind of setting for WPAD is also needed for "autoconfig". If so, I have taken a basic wrong concept regarding the autoconfig setting; I believe not a small number of ISA guys are the same. Then I could understand the many posts in the local forum here asking why a POPUP window for authentication appears though autoconfig is set up.
> > > > >
> > > > > > Hi Roy,
> > > > > >
> > > > > > Works the same in ISA Server 2004 (mostly):
> > > > > >
> > > > > > http://www.isaserver.org/img/upl/isaedukit/5automate/5automate.htm
> > > > > >
> > > > > > Tom
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > > Sent: Friday, May 27, 2005 8:14 AM
> > > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > > >
> > > > > > S guy,
> > > > > >
> > > > > > To be perfectly honest with you, it is the first time for me to know that a wpad entry is required in DNS for "autoproxy" I/O "autodetection" (=autodiscovery). I never knew it shall be prepared for web proxy/FWC clients!
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Roy Tsao
> > > > > >
> > > > > > P.S.: Why don't you spend your time with your lovely wife? The network is not your main thing after your marriage; otherwise your wife shall complain about you a lot for talking with lots of guys you know! Kidding!!!
> > > > > >
> > > > > > > Roy
> > > > > > >
> > > > > > > Yes you need a wpad entry in dns pointing to the internal ip of isa.
> > > > > > >
> > > > > > > Also make sure your wpad string is http://wpad/wpad.dat
> > > > > > >
> > > > > > > WITH NO PORT NUMBER after the 1st wpad
> > > > > > >
> > > > > > > S
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > > > Sent: Friday, May 27, 2005 10:03 AM
> > > > > > > To: ISA Mailing List
> > > > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > > > >
> > > > > > > Dear Jim-san,
> > > > > > >
> > > > > > > Sorry for disturbing you a lot, but please be advised that I am not a pro in networking (it is just my private hobby to learn computer networking, which is far from my present career), nor am I a native English speaker but an oriental guy, so please be patient!
> > > > > > >
> > > > > > > 1) Unfiltered logs: I am not trying to hide it, but it will be very hard for you to read it out, since my ISA version is not English, so you may not be able to judge what it is. May I try to take it out and send it to your private address?
> > > > > > > 2) Browser configuration: the browser at the client end has no setting, since FWC is installed; namely, initially there is no setting, and it becomes an autoconfigured web proxy client as per FWC's setting. The autoconfiguration is checked finally with no other options. That's why I did not answer the browser question.
> > > > > > > 3) Request mechanism on http://wpad...: It is really helpful information for me to know those from you. I can download wpad.dat if I replace "wpad" with "firewall_host_name:8080". Shall I send this file to you? Also, do I need to configure DHCP to point WPAD at the right ISA box internal address? I am getting confused by WPAD things aside from autodetection.
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > Roy Tsao
> > > > > > >
> > > > > > > > The discussion centers on "autoconfiguration".
> > > > > > > > This functionality is based on a request for http://wpad/wpad.dat from the browser and http://wpad/wspad.dat from the FWC.
> > > > > > > > This is why I want you to examine the wpad.dat.
> > > > > > > >
> > > > > > > > You still have not answered the browser question.
> > > > > > > > You still have not provided unfiltered log entries.
> > > > > > > >
> > > > > > > > This isn't magic, Roy and I don't read minds.
> > > > > > > > I do tire of playing oral surgeon, though.
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > > > > Sent: Thursday, May 26, 2005 9:04 PM
> > > > > > > > To: [ISAserver.org Discussion List]
> > > > > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > > > > >
> > > > > > > > Dear Harrison-san,
> > > > > > > >
> > > > > > > > The setting of my present VM lab ISA box is:
> > > > > > > > - Access rules, only two:
> > > > > > > >   1) allow internal to external / all protocols / all users
> > > > > > > >   2) deny all as default
> > > > > > > >
> > > > > > > > - Internal Network Property:
> > > > > > > >   <Firewall Client>
> > > > > > > >     [CHECK] Enable Firewall Client support
> > > > > > > >     [UNCHECK] Auto detect setting
> > > > > > > >     [CHECK] Auto config script
> > > > > > > >     [SELECT] Use custom URL = http://isalocal.firewall.local:8080...
> > > > > > > >     [UNCHECK] Use a Web Proxy Server
> > > > > > > >   <Domain>
> > > > > > > >     *.firewall.local
> > > > > > > >   <Web Browser>
> > > > > > > >     [CHECK] Bypass Proxy for Web server in this network
> > > > > > > >     [CHECK] Directly Access computers specified in the Domain tab.
> > > > > > > >     Directly Access server & domain: *.firewall.local
> > > > > > > >   <Web Proxy>
> > > > > > > >     [CHECK] Enable Web proxy client
> > > > > > > >     [CHECK] HTTP at 8080
> > > > > > > >     Authentication: [CHECK] Integrated / Require All Users to authenticate
> > > > > > > >   <Auto Discovery>
> > > > > > > >     No setting
> > > > > > > >   <Address>
> > > > > > > >     10.0.0.0-10.0.0.255
> > > > > > > >
> > > > > > > > The web browser setting at the client end will be automatically configured by the FWC setting and become a web proxy client for HTTP.
> > > > > > > >
> > > > > > > > I don't know why I need a wpad.dat, since there is no auto discovery.
> > > > > > > >
> > > > > > > > > Please stop trimming the thread.
> > > > > > > > >
> > > > > > > > > I advise that you provide more than a single modified log entry.
> > > > > > > > > I can't help you if you insist on filtering the data.
> > > > > > > > >
> > > > > > > > > Additional questions:
> > > > > > > > > Q1 - exactly how is the browser configured?
> > > > > > > > > Q2 - exactly what is the web proxy configuration for the Internal network?
> > > > > > > > > Q3 - when you do receive the wpad.dat file, exactly what data is found between "{" and "}" in:
> > > > > > > > > "function MakeIPs"
> > > > > > > > > And
> > > > > > > > > "function MakeNames()"
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > > > > > > > > Sent: Thursday, May 26, 2005 3:22 AM
> > > > > > > > > To: [ISAserver.org Discussion List]
> > > > > > > > > Subject: [isalist] RE: Help with the web proxy setup in ISA 2004
> > > > > > > > >
> > > > > > > > > I did understand your points; also I have taken an examination of the whole logs before and after changing from FQDN to hostname.
> > > > > > > > >
> > > > > > > > > Anyhow, when the FQDN is used, there is a POPUP asking for authentication; could you advise any possible reason?
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > >
> > > > > > > > > Roy Tsao
> > > > > > > > >
> > > > > > > > > Try not to "filter" the log data.
> > > > > > > > > "Imaginary" information is useless.
> > > > > > > > > If you have a problem sending it to the list, then you need to rethink your security model.
> > > > > > > > > "Security by obscurity is no security at all".
> > > > > > > > >
> > > > > > > > > Also, you should examine more than a single log entry - it's just as likely that you're looking at the wrong one.

All mail to and from this domain is GFI-scanned.
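Jim's Q3 asks what the ISA-generated wpad.dat carries between the braces of "function MakeIPs" and "function MakeNames()", because those two lists decide which destinations the browser reaches directly and which go through the 8080 listener (and therefore hit the listener's authentication). The following is an added example, not part of the thread and not ISA's actual generated script: a minimal PAC file in that same shape, filled with the lab values Roy quoted (direct-access domain *.firewall.local, direct-access range 10.0.0.0-10.0.0.255, proxy isalocal.firewall.local:8080), plus stand-in versions of the PAC helpers (isInNet, shExpMatch, isPlainHostName) that a browser normally supplies. The stand-in isInNet only handles literal IP addresses; the real browser helper resolves hostnames first. Everything named here is an assumption for illustration.

```javascript
// Added example: a PAC/wpad.dat in the MakeIPs/MakeNames shape, built from
// the lab settings quoted in the thread. Hypothetical values, not ISA output.
const PROXY = "PROXY isalocal.firewall.local:8080";

// Direct-access IP ranges as [network, mask] pairs (assumed lab value).
function MakeIPs() {
  return [["10.0.0.0", "255.255.255.0"]];
}

// Direct-access host name patterns, shell-style wildcards (assumed lab value).
function MakeNames() {
  return ["*.firewall.local"];
}

// ---- stand-ins for helpers the browser's PAC engine normally provides ----

// Parse a dotted quad into an unsigned 32-bit integer; null if malformed.
function dotQuadToInt(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some(n => !Number.isInteger(n) || n < 0 || n > 255)) {
    return null;
  }
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// Stand-in isInNet: literal IPs only (the browser version resolves names).
function isInNet(host, net, mask) {
  const h = dotQuadToInt(host), n = dotQuadToInt(net), m = dotQuadToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Stand-in shExpMatch: '*' and '?' wildcards, case-insensitive, anchored.
function shExpMatch(str, pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", "i").test(str);
}

// Stand-in isPlainHostName: true for single-label names such as "intranet".
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// ---- the decision function every PAC file must export ----

function FindProxyForURL(url, host) {
  // Single-label names are local by convention.
  if (isPlainHostName(host)) return "DIRECT";

  // Names listed by MakeNames() go direct (the "Domains" tab in the thread).
  for (const name of MakeNames()) {
    if (shExpMatch(host, name)) return "DIRECT";
  }

  // Literal addresses inside a MakeIPs() range go direct (the "Addresses" tab).
  if (dotQuadToInt(host) !== null) {
    for (const [net, mask] of MakeIPs()) {
      if (isInNet(host, net, mask)) return "DIRECT";
    }
  }

  // Everything else is sent to the authenticated 8080 listener.
  return PROXY;
}

// Evaluate a list of URLs and return a map of url -> proxy decision.
function evaluate(urls) {
  const out = {};
  for (const u of urls) {
    out[u] = FindProxyForURL(u, new URL(u).hostname);
  }
  return out;
}

// Constructed sample URLs (not from the thread's logs).
const SAMPLE_URLS = [
  "http://intranet/",
  "http://isalocal.firewall.local:8080/wpad.dat",
  "http://10.0.0.25/",
  "http://10.0.1.25/",
  "http://www.isaserver.org/",
];

console.log(evaluate(SAMPLE_URLS));
```

Reading the output against Roy's symptoms: any destination that falls through to the PROXY line is the one that will produce an authentication prompt when the listener requires all users to authenticate, so a host that should have been in MakeNames() or MakeIPs() but is missing (an FQDN that the list does not match, for instance) is exactly the case where a popup appears.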