Solved

ISA Firewall client - Authentication issue

Posted on 2006-07-13
247 Views
Last Modified: 2013-11-16
We have set up ISA 2006 to provide firewall protection. We have successfully setup a rule to allow access for all users to browse to the protected server however when we remove the all users group from the rule and apply a user group that we have created, we are unable to browse to the protected server.

 The clients are XP with the firewall client installed and connected to the ISA server with the logged on user being a member of the group permitted in the firewall rule. We have noted that multiple sessions are appearing on the monitoring tab on the server for the client machine and include secureNAT.
Question by:mjcclegg
14 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17115124
I need a view of your layout. Where is the protected server? DMZ or inside?
What users are you talking about? Internal? External VPN? List of source IP addresses?
 

Author Comment

by:mjcclegg
ID: 17137356
The protected server sits in the DMZ and the users attempting to access it are from the internal network (Server 2000 AD).
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17149035
It will be an authentication issue.

Use this link as a starting point assuming the server is a web based service.
What exactly are you seeing in the log when you make the connection attempt?
 

Author Comment

by:mjcclegg
ID: 17153470
Keith, let me give you a bit more information on our situation as I realise I have been quite vague thus far.

We have two networks on our local site, a network that most of the staff use (our "Internal" network) and a secure network with an SQL server we would like our staff to be able to access (our "External" network). We first set up the routing and made a firewall rule allowing all data from "Internal" to "External".

This works fine and we can access the external network from our internal network without any problems.

The issue arises when we start to secure the connection. The first, and most important, security feature is user authentication. We created a group on the ISA server and added a test user to it. We installed the firewall client onto an "Internal" computer and it automatically detects the ISA server. However, we now cannot access the "External" network with the test user.

The ISA server is on the same domain as the test user and when the firewall client is connected to the ISA server the following sessions appear:
Session Type       Client IP          Source Network   Client Username              Client Host Name
Firewall Client    *TestComputerIP*   Internal         DOMAIN\TestUser              *TestComputerName*
SecureNAT          *TestComputerIP*   Internal                                      *TestComputerIP*
Firewall Client    *TestComputerIP*   Internal         DOMAIN\*TestComputerName*$   *TestComputerName*

We have tried adding the user to the firewall rule as both a "Windows User" and also using "LDAP" but to no avail.

Thanks very much for your help on this, we are totally stumped at this end.
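As an added illustration (not code from the thread), here is a small Python check that reads a session table in the layout posted above and reports, per session, whether an access rule restricted to a user group can ever match it: a SecureNAT session carries no credentials, and a Firewall Client session running under the computer account (name ending in $) is service traffic rather than the logged-on user. The group name and its membership are constructed assumptions.

```python
import re

# Constructed sample laid out like the ISA monitoring "Sessions" table
# in the post above (the post's placeholder values are kept as-is).
COLS = ("Session Type", "Client IP", "Source Network", "Client Username", "Client Host Name")
WIDTHS = (19, 19, 17, 29, 18)


def _row(*cells):
    return "".join(c.ljust(w) for c, w in zip(cells, WIDTHS)).rstrip()


SESSION_TABLE = "\n".join([
    _row(*COLS),
    _row("Firewall Client", "*TestComputerIP*", "Internal", "DOMAIN\\TestUser", "*TestComputerName*"),
    _row("SecureNAT", "*TestComputerIP*", "Internal", "", "*TestComputerIP*"),
    _row("Firewall Client", "*TestComputerIP*", "Internal", "DOMAIN\\*TestComputerName*$", "*TestComputerName*"),
])

# Hypothetical group membership as the access rule would evaluate it (assumption).
GROUP_MEMBERS = {"DOMAIN\\ISA-SQL-Users": {"DOMAIN\\TestUser"}}


def parse_sessions(text):
    """Slice each row at the header's column offsets so that an empty
    Client Username cell survives (splitting on whitespace would drop it)."""
    header, *rows = text.splitlines()
    starts = [m.start() for m in re.finditer(r"\S+(?: \S+)*", header)]
    bounds = list(zip(starts, starts[1:] + [None]))
    return [dict(zip(COLS, (r[a:b].strip() for a, b in bounds))) for r in rows if r.strip()]


def classify(session, allowed_groups):
    """Explain whether this session can satisfy a rule limited to allowed_groups."""
    user = session["Client Username"]
    if session["Session Type"] == "SecureNAT" or not user:
        return "no credentials: SecureNAT traffic cannot match a user-restricted rule"
    if user.endswith("$"):
        return "machine account: service traffic, not the logged-on user"
    for group in allowed_groups:
        if user in GROUP_MEMBERS.get(group, ()):
            return "ok: %s is in %s" % (user, group)
    return "denied: %s is not in any allowed group" % user


def audit(text, allowed_groups):
    return [(s["Session Type"], s["Client Username"], classify(s, allowed_groups))
            for s in parse_sessions(text)]


if __name__ == "__main__":
    for row in audit(SESSION_TABLE, ["DOMAIN\\ISA-SQL-Users"]):
        print(row)
```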
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17159621
OK. This is the way I would do this assuming I have your view correct. This is guesswork to start with as you have given me no insight into your environment (servers, locations etc).

                          Internet
                                  |
                            router/adsl
                              192.168.100.1/24
                                  |
                               192.168.100.2/24 (ISA external)
                                  |
                                  |-------------------- 192.168.50.1/24 (ISA Perimeter) ----- 192.168.50.2/24 (SQL Server)
                                  |
                                192.168.10.1/24 (ISA Internal)
                                  |
                     -----------------------------  Internal LAN with DC's etc

open the gui
select configuration - networks
Select network rules
change the rules so that 'internal and perimeter' are routing between each other, not using NAT
change 'perimeter to external' to NAT instead of routing

select firewall policy
click the last icon on the right at the top of the screen (this toggles on/off the system policy rules).
Amend all the options as necessary so that rpc, ldap, kerberos, dhcp etc are allowed between internal and perimeter.
create a new access rule allowing all protocols FROM internal, local host and perimeter TO internal, local host and perimeter.
Apply the policy.

This now gives you a scenario where the perimeter and the internal are effectively one network looking from the inside.
If you need to allow external users to get to the SQL box, you can publish the SQL box sitting on the 192.168.50.2 address and still not let external users on to your internal network.
Authentication will be performed by AD (as the sql box will have access securely to active directory).
Just make sure that your internal systems either point to the ISA as their default gateway or, if you have other subnets, that there are routing table entries so they know how to get to the 192.168.50.0 subnet and back again etc.

 

Author Comment

by:mjcclegg
ID: 17269901
Hi Keith,

Thanks again for your help on this.

I have setup the ISA server as you suggested but I am still having some problems.

The ISA server will allow traffic from the internal network to the perimeter network when user authentication is not being used (i.e. All Users is allowed); however, the problem comes when we enable user authentication.

The ISA can see our AD on the internal network, so I don't think there is a problem finding the authentication information.

We are using the firewall client for our connections and I have noticed the "Define Firewall Client Settings" under "ISA Server Administration" on the general tab.

For the sake of this test, I would like all protocols to be allowed from internal to perimeter for one user and no-one else. Once this is done, I can go about locking down protocols and adding certificate security.

Thanks again for your help, I really feel ISA is the key for our security, and we are so close to getting there.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17285529
Not sure if we are talking the same thing. The client is normally controlled from configuration - networks then from within the properties of the internal network. (or the perimeter of course if an ISA client is running on the DMZ)
 

Author Comment

by:mjcclegg
ID: 17286047
The Firewall Client is set to be enabled on the internal (and the perimeter) networks.

I am now wondering if there may be a problem with the roles the server has been given by the active directory, and that's why it is having trouble authenticating users that connect from the firewall client.

I will have a look into it, anything else I should look out for?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17289645
Just for clarity, you are not running the ISA client on the servers as well, are you?
 

Author Comment

by:mjcclegg
ID: 17294397
No, the client is currently only running on one test laptop.

Should the client be running on the servers?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17297383
God no... :) Will be on again when I get home
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 17350741
How are you doing? Did you find anything regarding the roles?
 

Author Comment

by:mjcclegg
ID: 17478017
Thanks for your help. We were able to solve the issue by reinstalling ISA, but your help was useful in making this call.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17483032
Thank you :)
