[isalist] Re: SurfControl and User Authentication

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 21 Jan 2007 23:28:48 -0500

Thanks, I think that was what I remember hearing said before, and why I
never did that in the first place.

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Eric Poole, CISSP
Sent: Friday, January 19, 2007 2:41 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SurfControl and User Authentication

 

Dan,

The ramifications, at least here at Community Medical, are that all
users will always get a prompt when attempting to access the internet.
When I say always, I mean constantly.  We do not have this selected, we
have SurfControl 5.0 and are able to capture all user information.  If
you select the option of "require all users to authenticate", it will
more or less cause headaches.  I know this probably isn't the technical
answer you were looking for, but hopefully Tom will fill in the blanks.

_______________________________________________ 
Eric Poole, CISSP 
Senior Information Security Analyst 
Community Medical Centers <http://communitymedical.org/>  
1140 "T" Street, Fresno, California 93721 
559-459-6784 (phone) 559-459-2045 (fax) 

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Friday, January 19, 2007 11:09 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] SurfControl and User Authentication

Looking through the SurfControl help, I ran across this tidbit:

 


Monitoring Users with Microsoft ISA Server

________________________________


With ISA Server you can either use NetBIOS, EUM or use ISA Server
authentication. 

ISA Server Authentication is the preferred method if monitoring traffic
from firewall clients. This prevents having to install EUM on all your
domain controllers.

To configure your ISA Server for user authentication:

1. Open the ISA Management Console from the Start > Programs menu.

2. Find your machine name within the ISA tree. This will be listed within
Internet Security and Acceleration Server\Servers and Arrays.

3. Right-click on your machine name and choose Properties from the pop-up
menu.

4. Select the Outgoing Web Requests tab.

5. Select the Ask unauthenticated users for identification check-box.

6. In the same dialog double-click your machine name in the Server column
of the identification pane. This can be found in the Identification
Section. The Add/Edit Listeners dialog appears.

7. Select the Integrated authentication check box.

8. Select the Basic with this domain check-box and click Yes on the ISA
Server Configuration pop-up.

9. Click the Select Domain dialog. Alternatively, use the Browse button
to navigate to your domain.

10. Click OK and close all of the open dialogs until you are back at the
Properties dialog for your ISA Server.

11. Click OK on this dialog and select the Save Changes and restart the
service(s) radio button on the ISA Server Warning pop-up. Click OK
again.

 

For ISA Server 2004 and above

1. Open the ISA Management Console from the Start > Programs >
Microsoft ISA Server menu.

2. Find your machine name within the ISA tree. This will be
listed within Internet Security and Acceleration Server 2004 (or 2006).

3. Expand the Configuration option.

4. Select Networks.

5. Select the network you want to monitor and select Edit
Selected Network from the Tasks pane.

6. From the network properties dialog box, select the Web Proxy
tab.

7. Click Authentication.

8. From the Authentication dialog box, select Require all users
to authenticate.

9. Click OK to close the Authentication dialog box.

10. Click OK to close the network properties dialog box.

 

What are the ramifications of enabling the "Require all users to
authenticate" option?  I remember people talking about that on this list
before and it didn't seem to be a good idea in most cases, but I don't
recall why...

 

Also, SurfControl does appear to be working as a user-group level now,
so why "would" I need to use that option?

