Hi Dan, I think you shall have been facing pop windows FOR YEARS if depoly IE setting by autodetect or autoconfiguration... Actually I followed that in the beginning then resolved it by either modify registry or put authentication on rule. ----- Original Message ----- From: Ball, Dan To: isalist@xxxxxxxxxxxxx Sent: Monday, January 22, 2007 12:30 PM Subject: [isalist] Re: SurfControl and User Authentication That is the way I've had it running for years, but I ran across that help documentation and was curious about the ramifications of actually following their documentation. ------------------------------------------------------------------------------ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao Sent: Saturday, January 20, 2007 6:36 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: SurfControl and User Authentication Dan, You don't need to request authenticaiton to webproxy listener because you can put access rule by request authentication. If authentication to webproxy listener is required, please check the great article done by Mr. Stefaan Pouseele : http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.html You shall modify registry at ISA so that autoconfig or autodetect can work well without user authentication window popup. ----- Original Message ----- From: Eric Poole, CISSP To: isalist@xxxxxxxxxxxxx Sent: Saturday, January 20, 2007 3:40 AM Subject: [isalist] Re: SurfControl and User Authentication Dan, The ramifications, at least here at Community Medical, are that all users will always get a prompt when attempting to access the internet. When I say always, I mean constantly. We do not have this selected, we have SurfControl 5.0 and are able to capture all user information. If you select the option of "require all users to authenticate", it will more or less cause headaches. I know this probably isn't the technical answer you were looking for, but hopefully Tom will fill in the blanks. _______________________________________________ Eric Poole, CISSP Senior Information Security Analyst Community Medical Centers 1140 "T" Street, Fresno, California 93721 559-459-6784 (phone) 559-459-2045 (fax) ---------------------------------------------------------------------------- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan Sent: Friday, January 19, 2007 11:09 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] SurfControl and User Authentication Looking through the SurfControl help, I ran across this tidbit: Monitoring Users with Microsoft ISA Server ---------------------------------------------------------------------------- With ISA Server you can either use NetBIOS, EUM or use ISA Server authentication. ISA Server Authentication is the preferred method if monitoring traffic from firewall clients. This prevents having to install EUM on all your domain controllers. To configure your ISA Server for user authentication: 1.Open the ISA Management Console from the Start > Programs menu. 2.Find your machine name within the ISA tree. This will be listed within Internet Security and Acceleration Server\Servers and Arrays. 3.Right-click on your machine name and choose Properties from the pop-up menu. 4.Select the Outgoing Web Requests tab. 5.Select the Ask unauthenticated users for identification check-box. 6.In the same dialog double-click your machine name in the Server column of the identification pane. This can be found in the Identification Section. The Add/Edit Listeners dialog appears. 7.Select the Integrated authentication check box. 8.Select the Basic with this domain check-box and click Yes on the ISA Server Configuration pop-up. 9.Click the Select Domain dialog. Alternatively, use the Browse button to navigate to your domain. 10.Click OK and close all of the open dialogs until you are back at the Properties dialog for your ISA Server. 11.Click OK on this dialog and select the Save Changes and restart the service(s) radio button on the ISA Server Warning pop-up. Click OK again. For ISA Server 2004 and above 1. Open the ISA Management Console from the Start > Programs > Microsoft ISA Server menu. 2. Find your machine name within the ISA tree. This will be listed within Internet Security and Acceleration Server 2004 (or 2006). 3. Expand the Configuration option. 4. Select Networks. 5. Select the network you want to monitor and select Edit Selected Network from the Tasks pane. 6. From the network properties dialog box, select the Web Proxy tab. 7. Click Authentication. 8. From the Authentication dialog box, select Require all users to authenticate. 9. Click OK to close the Authentication dialog box. 10. Click OK to close the network properties dialog box. What are the ramifications of enabling the "Require all users to authenticate" option? I remember people talking about that on this list before and it didn't seem to be a good idea in most cases, but I don't recall why. Also, SurfControl does appear to be working as a user-group level now, so why "would" I need to use that option? ------------------------------------------------------- WARNING/CONFIDENTIAL: ------------------------------------------------------- This email, including attachments, may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law (including, but not limited to, protected health information). It is not intended for transmission to, or receipt by, any unauthorized persons. If the reader of this message is not the intended recipient you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you believe this email was sent to you in error, do not read it. Reply to the sender informing them of the error and then destroy all copies and attachments of the message from your system. Thank you.