colepc asked:
SBS 2003 / ISA 2004 and a terminal server...permissions for blocked pages

Hi All,
On an SBS 2003 SP1 Premium box, ISA 2004 is installed.  The only other domain member on the network is a Windows 2003 Server R2 terminal server.  All users use their peer XP workstations and RDP to get to the TS.

ISA seems to work fine for local administrators on the terminal server. But if a user is not a local Admin on the TS box and they encounter a blocked URL or domain (due to an HTTP/HTTPS access rule on ISA), they are prompted with a request for authentication which is never satisfied when the correct username, pwd, and domain are entered.  However, if they are an Admin on the TS box, without getting prompted for credentials, they get the redirection page that says access denied (which is the desired behavior).

Here's a screenshot of the login dialog the "non-admin" users get when visiting a blocked page:  http://www.colepc.com/not_as_administrator_image.gif

The obvious problem is with security on the TS.  If everyone is an admin, someone will do something stupid eventually and harm the box.

Any advice on how or what I've overlooked with this is appreciated.

Thanks,
Terry
Keith Alabaster

Terry, what is the exact rule you have put into ISA?
What is the user group assigned? All users? Authenticated users? AD group?
What authentication method have you employed? Integrated? Basic? Digest?

Is the SBS box using two NICs or a single NIC?
How is the TS box seeing ISA? SecureNAT? ISA client? Web or transparent Proxy?

Keith
colepc (asker)

The rule is basically: deny HTTP and HTTPS access from the internal network to the domain set "*.abc.com" for all users.  Authentication method is Integrated.  The SBS box has 2 NICs.  I've got to look up the last question, which I will do later today.

I can say this, though, which might help... the installation of ISA is literally a 'default' installation.  I mean that, other than creating specific computer, URL Set, and Domain Set entries to define "end points" relative to ISA, all other settings are default.
colepc (asker)

> How is the TS box seeing ISA? SecureNAT? ISA client? Web or transparent Proxy?

The TS has the Firewall Client installed and configured.  I'm not sure about the SecureNAT or transparent proxy, though.
colepc (asker)

I'm noticing that the TS user session doesn't care whether the Firewall Client is enabled, disabled, or not loaded.  I get the same behaviour out of the browser no matter what.  I've been assuming that I HAD to have the Firewall Client in order to connect through ISA to the internet.  This is not true?

Any guidance along this line is appreciated; I've apparently been assuming stuff!
Terry,

How did you join the member server to your domain?  Did you follow the directions in the SBS documentation?  (http://sbsurl.com/sbstss).

There are some very specific steps that should be taken when deploying a Terminal Server in an SBS environment.  If done correctly, then your users would access the TS through Remote Web Workplace.

Also, see this article for the how-to on publishing the TS in ISA:  http://www.isaserver.org/articles/2004pubts.html

Jeff
TechSoEasy

No. Let's say, for example, that your default gateway points to an internal router. The ISA client forces SOCKS and web proxy traffic to a particular location which may be on another subnet. I definitely do not use ISA clients on a server, ever.
colepc (asker)

Although I didn't read that document initially, having just read it from your link, it appears that I added the member TS to the domain by the book.  Regarding the internal users accessing the TS via RWW, I disagree. I can't see a practical reason to require that when the RDP client is available on the inside.  All users for this TS are on the inside.  Any that want to work from the outside will use RWW.

From the outside of the SBS, with ISA, other than publishing the internal TS box using a different port (which is what the second article mentioned above is discussing), all users will use RWW to access the 'application sharing server'.

I've got one other SBS/TS installation where this is true (actually an identical setup to this current one) and this particular issue doesn't occur there.  I realize there are differences here and there, but the basics of the problem that must be compared between the two installations for troubleshooting purposes include the domain user's permissions, the access rule details, and the general settings/config of ISA on both boxes.  In this case, they compare identically, except that the version of ISA on the 'older' of my two SBS/TS installations (which works as expected) is an older service pack than this current one that is behaving aberrantly.  The version of the 'working' one is "Version: 4.0.2163.213".  The version of the newest one is "Version: 4.0.2165.594".

Another observation last night is that the Firewall Client icon in the tray doesn't show a green "up" circle/arrow on it when enabled.  If the TS is not available, it will change to show it's not connected with red on the icon.  Likewise, if disabled, it shows a red down circle/arrow.  On my original TS installation I'm using for reference, this icon behaviour is not true, that is, when enabled and connected, the icon indicates such.  On the newest system, the icon doesn't have any modifying features.


colepc (asker)

Keith, you mentioned you don't use the Firewall Client on servers. Can you offer some advice along those lines?  I've always assumed (had no reason to think otherwise until now) that the Firewall Client was a requirement behind ISA.
colepc (asker)

Here's the answer...

The problem was not with ISA permissions, but rather the redirect page I had entered whenever a "deny" rule was encountered.  Although I put the "custom_denied.htm" page in \inetpub\wwwroot, the parent folder's permissions were not inherited by the page, resulting in only Administrators being allowed to view the page.

Manually inheriting permissions on the redirect page(s) solved the issue.

Duh.
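The root cause above (a deny-redirect page in \inetpub\wwwroot whose NTFS ACL was not inheriting from its parent, so non-administrators got an authentication prompt instead of the "access denied" page) is easy to audit and repair with a script. The following PowerShell is an added example written for this thread, not code from the original poster or from Microsoft; it assumes PowerShell 2.0 or later on the web server, the page path `C:\inetpub\wwwroot\custom_denied.htm`, and that `BUILTIN\Users` is the group that must be able to read the page. Adjust those three assumptions for your own server.

```powershell
# Added example, not from the thread. Audits and optionally repairs the NTFS ACL
# on an ISA deny-redirect page so it is not readable only by Administrators.
# Assumed path and principal; adjust to your own wwwroot and deny page.
param(
    [string]$PagePath  = 'C:\inetpub\wwwroot\custom_denied.htm',  # assumed location
    [string]$Principal = 'BUILTIN\Users',                         # assumed group that must read it
    [switch]$Repair
)

$ReadRight = [int][System.Security.AccessControl.FileSystemRights]::Read

function Test-RedirectPageAcl {
    param([string]$Path, [string]$ReadPrincipal)
    $acl = Get-Acl -Path $Path
    # Get-Acl lists both explicit and inherited ACEs, so an inherited
    # "Users: Read & Execute" from \inetpub\wwwroot counts as readable.
    $readable = $false
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $rule.IdentityReference.Value -eq $ReadPrincipal -and
            (([int]$rule.FileSystemRights -band $ReadRight) -eq $ReadRight)) {
            $readable = $true
        }
    }
    New-Object PSObject -Property @{
        Path               = $Path
        InheritanceBlocked = $acl.AreAccessRulesProtected  # $true = parent ACEs are NOT inherited
        Principal          = $ReadPrincipal
        Readable           = $readable
        Owner              = $acl.Owner
    }
}

function Repair-RedirectPageAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Re-enable inheritance from the parent folder. The second argument keeps
    # the page's existing explicit ACEs instead of discarding them.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $Path -AclObject $acl
}

# Report the current state; with -Repair, fix inheritance and report again.
$before = Test-RedirectPageAcl -Path $PagePath -ReadPrincipal $Principal
$before | Format-List Path, InheritanceBlocked, Principal, Readable, Owner

if ($Repair -and ($before.InheritanceBlocked -or -not $before.Readable)) {
    Repair-RedirectPageAcl -Path $PagePath
    Test-RedirectPageAcl -Path $PagePath -ReadPrincipal $Principal |
        Format-List Path, InheritanceBlocked, Principal, Readable, Owner
}
```

Run it once without `-Repair` to see whether `InheritanceBlocked` is `$true` or `Readable` is `$false`; either state reproduces the symptom in the thread, because IIS answers a 401 for a file the requesting identity cannot read, and the browser turns that into the credential prompt the non-admin TS users saw. Re-enabling inheritance (rather than hand-adding ACEs) keeps the page in step with whatever \inetpub\wwwroot already grants, which is also what the poster did manually.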
Fine by me. Well done Terry, nice find.