RDeWolfe

asked on

ISA 2004 "Anonymous" Issue

I have recently installed ISA 2004 SP2 on a Windows 2003 Server platform. ISA 2004 seems to have many improvements over ISA 2000, but I am having a problem with authentication. I have an Access Policy created that should allow all users who exist in a certain domain group unlimited Internet access. The rule states that all traffic from the 'Internal' network and the 'Local Host' should be allowed to pass to the 'External' network if the user is a member of a domain group called "Internet Access". If I try to open IE and go to any Internet site, it is blocked ... the log shows activity from the local host to the site's IP address is "Denied" based on the Access Policy that I created. The username says "anonymous", which is why it is blocking ... if I allow "All Users" in this same Access Policy it works fine. I have gone into the security settings of IE and specified to use "current username and password". Why is it trying to access the site under "anonymous"? Any ideas? Thanks in advance!
RDeWolfe

ASKER

No ISA experts?  Surely I am not the first person who has run into this problem since the beginning of this most recent ISA ....
Keith Alabaster
Sorry mate. I must have missed this one completely.

Have you installed the ISA Firewall Client? If not, you cannot use Active Directory, for example, to limit/control the access.
PS You can test this by installing the FWC on one work station and giving it a go. It is the client that will authenticate your user/group against AD to allow the processing of the rule (this is why it shows as anonymous).
I don't have the FWC installed on the clients, because my company has a policy that states no third-party firewalls can be installed on our machines. We have our own firewall that we use. The log shows that it opens up a connection based on the 'Internet' rule (only allows users belonging to this group access), then denies a connection based on this rule (username = anonymous), then closes the connection. Is there a way to do this short of installing the FWC on my clients? Thanks for the answer ... much appreciated.
Not a problem and no, to be frank. Would your company classify MS as third-party?

The act of authenticating against the ISA firewall is performed by the ISA Firewall Client. If you do not use the client, it uses the 'all users' group by default, as the firewall does not talk directly to AD. You can also add machines (by IP) and block/allow that way, but it's not really the cleanest way of doing things.
Are you using SecureNAT (pointing the clients' default gateway at the ISA server's internal NIC) or just using the web client (setting the IE proxy to point to the internal NIC on ISA)?

I am just trying a few work arounds but ......

Actually, just found something.... Give me 20 minutes :)
Well, MS isn't considered "third-party" I guess, but we even disable the Windows Firewall according to our policies.  I have thought about the IP auth, but we use DHCP and have over 500 users at this site, so that probably wouldn't be an acceptable solution.  I am using the web client (pointing the clients to the NIC on the ISA via IE).  Do you think I am out of luck?
I've tried doing it a different way by using RADIUS & certificates which works but a little inconsistently. Just getting it right before posting it.
ASKER CERTIFIED SOLUTION
Keith Alabaster
If it can't be done, it can't be done ... Thanks for the time you spent researching it!
Not a problem. I will continue with this one though, if nothing else but for my own interest. I have bookmarked the call so I will be able to find it again. You never know, you might get a surprise email :)
Regards
keith
Is there any advance on this issue?
I have the same issue. I am trying to provide outbound access to an external site for a bunch of internal users. When I create a rule for all users then it's fine, but when I just tie it down to an AD group I get anonymous error messages.
I thought this would be simple, i.e. creating a rule which allows many sites to be added that may require anonymous access.
If you go down the firewall client route, it doesn't stay fixed to the IP, is it not just hostname associated?