[isalist] Re: SurfControl and User Authentication

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 21 Jan 2007 23:29:22 -0500

Isn't it fun reading third-party documentation?

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Friday, January 19, 2007 6:07 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SurfControl and User Authentication

 

Who the #$% wrote that?

EUM? 

Extraterrestrial Urinary Mastication?

 

"Require all users" will completely nullify any anonymous rules you may
have created for HTTP traffic.

Think in terms of
http://www.microsoft.com/technet/prodtechnol/winxppro/support/updateauthen.mspx.

 

If you have an enterprise array, it will likely cause connection
failures or constant auth prompts because neither Websense nor
SurfControl understands how to handle intra-array authentication or
requests.

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Friday, January 19, 2007 11:09 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] SurfControl and User Authentication

 

Looking through the SurfControl help, I ran across this tidbit:

 


Monitoring Users with Microsoft ISA Server

________________________________


With ISA Server you can either use NetBIOS, EUM or use ISA Server
authentication. 

ISA Server Authentication is the preferred method if monitoring traffic
from firewall clients. This prevents having to install EUM on all your
domain controllers.

To configure your ISA Server for user authentication:

1.      Open the ISA Management Console from the Start > Programs menu.

2.      Find your machine name within the ISA tree. This will be listed
within Internet Security and Acceleration Server\Servers and Arrays.

3.      Right-click on your machine name and choose Properties from the
pop-up menu.

4.      Select the Outgoing Web Requests tab. 

5.      Select the Ask unauthenticated users for identification
check-box.

6.      In the same dialog double-click your machine name in the Server
column of the identification pane. This can be found in the
Identification Section. The Add/Edit Listeners dialog appears.

7.      Select the Integrated authentication check box.

8.      Select the Basic with this domain check-box and click Yes on the
ISA Server Configuration pop-up.

9.      Click the Select Domain dialog. Alternatively, use the Browse
button to navigate to your domain.

10.  Click OK and close all of the open dialogs until you are back at
the Properties dialog for your ISA Server.

11.  Click OK on this dialog and select the Save Changes and restart the
service(s) radio button on the ISA Server Warning pop-up. Click OK
again.

 

For ISA Server 2004 and above 

1.      Open the ISA Management Console from the Start > Programs >
Microsoft ISA Server menu.

2.      Find your machine name within the ISA tree. This will be listed
within Internet Security and Acceleration Server 2004 (or 2006).

3.      Expand the Configuration option.

4.      Select Networks. 

5.      Select the network you want to monitor and select Edit Selected
Network from the Tasks pane.

6.      From the network properties dialog box, select the Web Proxy
tab.

7.      Click Authentication.

8.      From the Authentication dialog box, select Require all users to
authenticate.

9.      Click OK to close the Authentication dialog box.

10.  Click OK to close the network properties dialog box.

 

What are the ramifications of enabling the "Require all users to
authenticate" option?  I remember people talking about that on this list
before and it didn't seem to be a good idea in most cases, but I don't
recall why...

 

Also, SurfControl does appear to be working at a user-group level now,
so why "would" I need to use that option?
