RE: ISA Server 2004 Issues

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 9 Sep 2004 12:10:59 -0700

There is no AD or system policies issue here.
Client-based access is controlled via Array policies.

The "Require all users to authenticate" setting is what I'm referring to as 
"global auth".
If you need to support anonymous rules at this listener, you have to leave this 
setting disabled (it is, by default).

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
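
The rule separation described above, sketched as a simplified model of top-down rule evaluation. This is an added example, not part of the original message and not ISA Server's own code; the hostnames, user name and rule names are constructed, and the evaluation logic is an assumed simplification of how the proxy handles a request.

```python
# Simplified model of ordered Web Proxy rule evaluation (not ISA Server code).
# Hostnames, user names and rule names are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

ANY = "*"

@dataclass
class Rule:
    name: str
    destination: str      # hostname or ANY
    users: str            # "all_users" (anonymous OK) or "authenticated"

@dataclass
class Request:
    host: str
    user: Optional[str] = None   # None = client sent no credentials

def evaluate(rules, req, require_all_auth=False):
    """Return (decision, rule_name, logged_user)."""
    # "Require all users to authenticate": challenge before any rule is read.
    if require_all_auth and req.user is None:
        return ("407 auth required", "listener", None)
    for rule in rules:                      # first match wins, top-down
        if rule.destination not in (ANY, req.host):
            continue
        if rule.users == "authenticated" and req.user is None:
            # Rule needs an identity the client has not supplied yet.
            return ("407 auth required", rule.name, None)
        return ("allow", rule.name, req.user)
    return ("deny", "default deny", req.user)

# Anonymous rule for the one destination sits above the authenticated rule.
POLICY = [
    Rule("Anonymous applet access", "applet.example.com", "all_users"),
    Rule("Authenticated web access", ANY, "authenticated"),
]

def demo():
    applet = Request("applet.example.com")
    return {
        "global_auth_on": evaluate(POLICY, applet, require_all_auth=True),
        "applet_anonymous": evaluate(POLICY, applet),
        "web_anonymous": evaluate(POLICY, Request("www.example.org")),
        "web_authenticated": evaluate(POLICY, Request("www.example.org", "CORP\\jdoe")),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} -> {result}")
```

With the listener-wide setting off, only the applet destination is reachable without credentials; every other request is still challenged and carries a user name into the log.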

----- Original Message ----- 
From: <vesterby@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Cc: <isalist@xxxxxxxxxxxxx>
Sent: Thursday, September 09, 2004 11:43
Subject: [isalist] RE: ISA Server 2004 Issues


http://www.ISAserver.org


Just to make sure I'm on the same page.. are you talking about editing the 
System Policy and disabling the Active Directory 
authentication?

If that is incorrect, then where do I disable the "global auth" setting in ISA 
Server 2004?  Thanks for your help.

-- John

-- "Jim Harrison" <jim@xxxxxxxxxxxx> wrote:

You're trying to use one setting to accomplish two separate tasks.
As you've seen, you can't have "global authentication" and allow anonymous 
connections.
You need to separate your rules into "authenticated" and "anonymous" and 
disable the "global auth" setting.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!

----- Original Message ----- 
From: <vesterby@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Cc: <isalist@xxxxxxxxxxxxx>
Sent: Thursday, September 09, 2004 09:30
Subject: [isalist] RE: ISA Server 2004 Issues




I must be missing something in your instructions for creating an anonymous 
access rule for ISA Server 2004.  I created the new
access rule as defined in the instructions you provided, but I don't see any 
way to make the access anonymous.  The only way I know
how to do it is clicking on the Authentication button in the Web Proxy tab of 
the properties of the Internal network object, and
taking the check mark out of "Require all users to authenticate."  
Unfortunately, this disables authentication for -all users-, not
just the ones who are using the specialized java application.

Any ideas?  Thanks.

-- "Jim Harrison" <jim@xxxxxxxxxxxx> wrote:

Take a look at the instructions I just posted for the WU issue.
It contains explicit steps for creating anonymous rules to specific 
destinations.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!

----- Original Message ----- 
From: <vesterby@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Cc: <tshinder@xxxxxxxxxxx>
Sent: Wednesday, September 08, 2004 16:53
Subject: [isalist] RE: ISA Server 2004 Issues



Hi - In addition to the below E-mail, I could use some assistance with
the following issue.

I got ISA 2004 running as a proxy server (single NIC).  We have an
application that our users need to access a java applet at a particular
URL, which, for some reason, requires the connection to be an anonymous
one.  However, my company wants to be able to see who is connecting
through the ISA server so they require that the proxy users authenticate.

When I put a check mark in the Authentication section of the Internal
network object to "Require all users to authenticate", the java applet
does not work.  But when I remove that requirement, the java applet
works.

Can you give me some idea of how I can get this working through ISA
server?  Thanks again.

-- John

-- "vesterby@xxxxxxxx" <vesterby@xxxxxxxx> wrote:


Hi,

In order to get things rolling quickly, I've been asked to just
concentrate on the proxy server part of ISA and worry about the firewall
later.  I have a couple more questions, though.

You mentioned the external interface is the one with the gateway.  But if
the internal interface doesn't have a gateway, how will ISA server know
how to get to our different subnets?  That was the reason I asked if I
need to add routes.

The other thing is my company is insisting that we run some other things
on the same server as ISA (to save money on servers) and my
recommendation to not do this has gone unheeded.  They want to run
Microsoft SUS and RIS server.  Can you give me valid reasons I can
present to my management why it isn't a good idea to run these on the
same server?  Our company has about 350 employees.

Lastly, how can I obtain a copy of the Quick Start guide?  The company I
work for seems to want to implement ISA server quickly.  Thanks.

-- "Thomas W Shinder" <tshinder@xxxxxxxxxxx> wrote:

Hi John,

Several tips to help you get up and running with the ISA firewall:

1. Install the ISA firewall as a back-end ISA firewall with at least two
NICs. Running the ISA firewall in unihomed single-NIC mode is like
taking three wheels off a Ferrari because it "goes too fast".

2. Don't run Web sites on the ISA firewall. If you have a Checkpoint
Server, put the Web sites on that. Even better, put them on a protected
network.

3. The ISA firewall doesn't use a LAT.

4. Install as many interfaces on the ISA firewall as you like. Just one
is the External interface and that is the one with the default gateway.

HTH,

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: vesterby@xxxxxxxx [mailto:vesterby@xxxxxxxx]
Sent: Tuesday, September 07, 2004 8:05 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA Server 2004 Issues



Hi,

I'm new to ISA Server and could use some recommendations regarding some
issues I'm having with installing ISA Server 2004 (Standard Edition).
We are currently using an NT domain and plan to migrate to an Active
Directory domain within the next 3 months.  I installed ISA Server 2004
with a single network adapter (caching only), but when I try to access
the server for http access to the Internet, I am prompted for
authentication but when I log in, nothing happens.  It is set up for
integrated authentication.

I think part of the problem (which I'll test tomorrow) is that IIS is
also installed and is listening on port 80 - the same port that I have
ISA Server listening on.  We currently have Proxy Server 2.0, which is
integrated with IIS, so I had installed ISA Server with IIS thinking
that it needed it but then realized it didn't.  There are a couple of
other issues too, including:

1) I'm not sure the LAT table is correct - does the caching server even
need the LAT table?  I'm thinking it needs it if I use the firewall (we
have 2 X Nokia Checkpoint firewalls but I had considered using the
firewall feature in ISA to make it a backend firewall for more
security).  We have a 192.236.x.x/22 network and also a 10.10.1.x/24
network.
2) The server I built has a default gateway but there may be cases with
ISA where I want to take the default gateway out and add static routes.

If you could provide recommendations on the above issues, I'd really
appreciate it.  Thanks.

- John

