jdono89 asked:

Users with ISA Firewall Client still required to login

I'm running ISA 2004 Standard on Windows 2003 R2 and using the Firewall Client on Windows XP computers.  I'd like to be able to accommodate Web Proxy users and Firewall Client users, but I'm having some trouble at the moment.

Right now, the web proxy clients seem to work fine.  They're prompted to login to the ISA server before getting through the firewall.  However, computers with the Firewall Client are also being prompted to login and that's NG.  I was under the impression that authentication should be transparent to end users running the client.  I have the Client installed and have manually pointed it at the ISA Server.  The client successfully connects to the server and is able to reconfigure a user's web browser automatically (I've tested), but again, when a user logs in to a domain computer with the client installed and opens a web browser, that client is still prompted for a username and password.

I know I'm missing something, but I can't figure out what!  Any suggestions?
Software Firewalls

Last Comment
Keith Alabaster

8/22/2022 - Mon
Keith Alabaster


>>Have you selected the All users must authenticate option by mistake?

Yes, I do have that set on the web proxy tab.

Quick (probably stupid) question:  If I remove that option, and a computer not on the domain (and without a client) attempts to pass through the firewall, will it still be prompted for credentials?  I'm using Surfcontrol to enforce our Internet Use Policy based on user groups and so I need to be able to distinguish one user from another.

Hmmm ... now I'm seeing lots of anonymous secureNAT clients, but no firewall clients.  Can I prevent securenat clients altogether?

Actually, the securenat clients don't list a user obviously.  The anonymous clients are all Web Proxy clients.
Keith Alabaster

You can prevent SecureNAT clients by selecting the Authenticated users rather than the default All users on the outbound rule. As SecureNAT simply means having the default gateway pointing at the internal NIC of the ISA, the authenticated users will be members of the domain only. I am assuming that the machines with the ISA client are already authenticated as well?

Thanks on the SecureNAT front.  That seems better now.

The Clients seem to authenticate, but many of them show the Computer Object as the Client Username.  That's a problem since I'm filtering based on the users, not their computers.
Keith Alabaster

:) I am assuming you have all the ISA and Windows service packs and security roll ups applied?

I also assume that the boxes that have the ISA firewall client installed are showing up properly in the log against the user name rather than the machine name?

Yep, everything's up to date.  After some testing, things seem to be working even though the session log sometimes shows the computer object instead of the username.

I'm conducting some more extensive testing just to make sure everything is behaving as it should, but everything looks OK thus far.  
Thanks Keith!
Keith Alabaster

You're welcome :)
Keith Alabaster

Bear in mind you will see a number of entries in the log that show as the computer, which is where the initial call is made; ISA challenges as it should, then there is the submission of the credentials and the allowed access by the username. This is part of the process (although that was a rather over-simplified description) :)
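
The log pattern described in this comment (machine or anonymous entries, then the same client's allowed request under a username) can be checked from an exported log to find clients that never resolve to a named user. This is an added example, not part of the thread or of ISA Server; the four-column CSV layout and the sample rows are constructed for illustration and are an assumption, not ISA's actual log schema.

```python
import csv
import io

# Constructed sample, NOT real ISA output: time, client IP, client username, action.
SAMPLE_LOG = """\
09:00:01,10.0.0.21,anonymous,Denied
09:00:01,10.0.0.21,CORP\\alice,Allowed
09:00:05,10.0.0.22,CORP\\WS022$,Allowed
09:00:06,10.0.0.22,CORP\\bob,Allowed
09:00:09,10.0.0.23,CORP\\WS023$,Allowed
09:00:12,10.0.0.24,anonymous,Denied
09:00:15,10.0.0.23,CORP\\WS023$,Allowed
"""

def is_user_identity(username):
    """True for a named user; False for anonymous or a computer account."""
    name = username.strip().lower()
    if name in ("", "-", "anonymous"):
        return False
    # Windows computer accounts have a sAMAccountName ending in '$'.
    return not name.endswith("$")

def summarize_clients(log_text):
    """Per client IP: named users seen on allowed requests, plus other entries."""
    clients = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed rows
        _time, ip, username, action = row
        entry = clients.setdefault(ip, {"users": set(), "non_user_entries": 0})
        if is_user_identity(username) and action == "Allowed":
            entry["users"].add(username)
        else:
            entry["non_user_entries"] += 1
    return clients

def unattributed_clients(log_text):
    """Clients never seen under a named user, so user-based filtering cannot apply."""
    summary = summarize_clients(log_text)
    return sorted(ip for ip, e in summary.items() if not e["users"])

if __name__ == "__main__":
    for ip, e in sorted(summarize_clients(SAMPLE_LOG).items()):
        users = ", ".join(sorted(e["users"])) or "NO USER SEEN"
        print(f"{ip}: {users} ({e['non_user_entries']} machine/anonymous entries)")
    print("Needs follow-up:", unattributed_clients(SAMPLE_LOG))
```

Clients 10.0.0.21 and 10.0.0.22 show the expected sequence and end up attributed to a user; the two listed for follow-up only ever appear as a computer account or as anonymous.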
Keith Alabaster

Thank you :)