Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 290
  • Last Modified:

ISA Firewall client - Authentication issue

We have set up ISA 2006 to provide firewall protection. We have successfully setup a rule to allow access for all users to browse to the protected server however when we remove the all users group from the rule and apply a user group that we have created, we are unable to browse to the protected server.

 The clients are XP with the firewall client installed and connected to the ISA server with the logged on user being a member of the group permitted in the firewall rule. We have noted that multiple sessions are appearing on the monitoring tab on the server for the client machine and include secureNAT.
0
mjcclegg
Asked:
mjcclegg
  • 8
  • 6
1 Solution
 
Keith AlabasterEnterprise ArchitectCommented:
I need a view of your layout. Where is the protected server? DMZ or inside?
What users are you talking about? Internal? External VPN? List of source IP addresses?
0
 
mjccleggAuthor Commented:
The protected server sits in the DMZ and the users attemptiing to access it are from the internal network ( Server 2000 AD)
0
 
Keith AlabasterEnterprise ArchitectCommented:
It will be an authentication issue.

Use this link as a starting point assuming the server is a web based service.
What exactly are you seeing in the log when you make the connection attempt?
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
mjccleggAuthor Commented:
Keith, let me give you a bit more information on our situation as I realise I have been quite vauge thus far.

We have two networks on our local site, a network that most of the staff use (our "Internal" network) and a secure network with an SQL server we would like our staff to be able to access (our "External" network). We first setup the routing and made a firewall rule allowing all data from "internal" to "external".

This works fine and we can access the external network from our internal network without any problems.

The issue arrises when we start to secure the connection. The first, and most important security feature is user authentication. We created a group on the ISA server and added a test user to it. We installed the firewall client onto an "Internal" computer and it automaticly detects the ISA server. However, we now cannot access the "External" network with the test user.

The ISA server is on the same domain as the test user and when the firewall client is connected to the ISA server the following sessions appear:
Session Type       Client IP                 Source Network   Client Username                           Client Host Name
Firewall Client      *TestComputerIP*  Internal               DOMAIN\TestUser                        *TestComputerName*
SecureNAT          *TestComputerIP*  Internal                                                                 *TestComputerIP*
Firewall Client      *TestComputerIP*  Internal               DOMAIN\*TestComputerName*$   *TestComputerName*

We have tried adding the user to the firewall rule as both a "Windows User" and also using "LDAP" but to no avail.

Thanks very much for your help on this, we are totally stumped at this end.
0
 
Keith AlabasterEnterprise ArchitectCommented:
OK. This is the way I would do this assuming I have your view correct. This is guess work to start with as you habe given me no insight to your environment (servers, locations etc).

                          Internet
                                  |
                            router/adsl
                              192.168.100.1/24
                                  |
                               192.168.100.2/24 (ISA external)
                                  |
                                  |-------------------- 192.168.50.1/24 (ISA Perimeter) ----- 192.168.50.2/24 (SQL Server)
                                  |
                                192.168.10.1/24 (ISA Internal)
                                  |
                     -----------------------------  Internal LAN with DC's etc

open the gui
select configuration - networks
Select network rules
change the rules so that 'internal and perimeter' are routing between each other, not using NAT
change 'perimeter to external' to NAT instead of routing

select firewall policy
click the last icon on the right at the top of the screen (this toggles on/off the system policy rules).
Amend all the options as necessary so that rpc, ladp, kerberos, dhcp etc are allowed between internal and perimter.
crette a new access rule allowing all protocols FROM internal, local host and perimter TO internal, local host and perimter.
Apply the policy.

This now gives you a scenario where the perimeter and the internal are effectively one network looking from the inside.
If you need to allow external users to get to the SQL box, you can publish the SQL box sitting on the 192.168.50.2 address and still not let external users on to your internal network.
Authentication will be performed by AD (as the sql box will have access securely to active directory).
Just make sure that your internal systems either point to the ISA as their default gateway or if you have other subnets, that there are routing table entries so they know how to get to the 192.168.50.0 subnet and back again ewtc.

0
 
mjccleggAuthor Commented:
Hi Keith,

Thanks again for your help on this.

I have setup the ISA server as you suggested but I am still having some problems.

The ISA server will allow traffic from the internal network to the perimiter network when user autentication is not being used (IE All Users is allowed) however the problem comes when we enable user authentication.

The ISA can see our AD on the internal network, so I dont think there is a problem finding the authentication information.

We are using the firewall client for our connections and I have noticed the "Define Firewall Client Settings" under "ISA Server Administration" on the general tab.

For the sake of this test, I would like to allow all protocalls to be allowed from internal to perimiter for one user and no-one else. Once this is done, I can go about locking down protocalls and adding certificate security.

Thanks again for your help, I really feel ISA is the key for our security, and we are so close to getting there.
0
 
Keith AlabasterEnterprise ArchitectCommented:
Not sure if we are talking the same thing. The client is normally controlled from configuration - networks then from within the properties of the internal network. (or the perimeter of course if an ISA client is running on the DMZ)
0
 
mjccleggAuthor Commented:
The Firewall Client is set to be enabled on the internal (and the perimeter) networks.

I am now wondering if there may be a problem with the roles the server has been given by the active directory, and thats why it is having trouble authenticating users that connect from the firewall client.

I will have a look into it, anything else I should look out for?
0
 
Keith AlabasterEnterprise ArchitectCommented:
Just for clarity, you are not running the ISA client on the servers as well, are you?
0
 
mjccleggAuthor Commented:
No, the client is currently only running on one test laptop.

Should the client be running on the servers?
0
 
Keith AlabasterEnterprise ArchitectCommented:
God no... :) Will be on again when I get home
0
 
Keith AlabasterEnterprise ArchitectCommented:
How are you doing? Did you find anything regarding the roles?
0
 
mjccleggAuthor Commented:
Thanks for your help. We were able to solve the issue by reinstalling ISA, but your help was useful in making this call.
0
 
Keith AlabasterEnterprise ArchitectCommented:
Thank you :)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

  • 8
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now