jdono89

Users with ISA Firewall Client still required to login

I'm running ISA 2004 Standard on Windows 2003 R2 and using the Firewall Client on Windows XP computers.  I'd like to be able to accommodate Web Proxy users and Firewall Client users, but I'm having some trouble at the moment.

Right now, the web proxy clients seem to work fine.  They're prompted to log in to the ISA server before getting through the firewall.  However, computers with the Firewall Client are also being prompted to log in and that's NG.  I was under the impression that authentication should be transparent to end users running the client.  I have the Client installed and have manually pointed it at the ISA Server.  The client successfully connects to the server and is able to reconfigure a user's web browser automatically (I've tested), but again, when a user logs in to a domain computer with the client installed and opens a web browser, that client is still prompted for a username and password.

I know I'm missing something, but I can't figure out what!  Any suggestions?
ASKER CERTIFIED SOLUTION
Keith Alabaster

jdono89

ASKER

>>Have you selected the All users must authenticate option by mistake?

Yes, I do have that set on the web proxy tab.

Quick (probably stupid) question:  If I remove that option, and a computer not on the domain (and without a client) attempts to pass through the firewall, will it still be prompted for credentials?  I'm using Surfcontrol to enforce our Internet Use Policy based on user groups and so I need to be able to distinguish one user from another.

ASKER

Hmmm ... now I'm seeing lots of anonymous secureNAT clients, but no firewall clients.  Can I prevent securenat clients altogether?

ASKER

Actually, the securenat clients don't list a user obviously.  The anonymous clients are all Web Proxy clients.
You can prevent SecureNAT clients by selecting the Authenticated users rather than the default All users on the outbound rule. As SecureNAT simply means having the default gateway pointing at the internal NIC of the ISA, the authenticated users will be members of the domain only. I am assuming that the machines with the ISA client are already authenticated as well?

ASKER

Thanks on the SecureNAT front.  That seems better now.

The Clients seem to authenticate, but many of them show the Computer Object as the Client Username.  That's a problem since I'm filtering based on the users, not their computers.
:) I am assuming you have all the ISA and Windows service packs and security roll ups applied?

I also assume that the boxes that have the ISA firewall client installed are showing up properly in the log against the user name rather than the machine name?

ASKER

Yep, everything's up to date.  After some testing, things seem to be working even though the session log sometimes shows the computer object instead of the username.

I'm conducting some more extensive testing just to make sure everything is behaving as it should, but everything looks OK thus far.  
Thanks Keith!
You're welcome :)
Bear in mind you will see a number of entries in the log that show as the computer, which is where the initial call is made; ISA challenges as it should, then there is the submission of the credentials and the allowed access by the username. This is part of the process (although that was a rather over-simplified description) :)
Thank you :)
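
An added example (not part of the original thread, and not ISA's own tooling): a sketch of the check described in the last reply, separating the expected computer-or-anonymous entry that is followed by user-authenticated access from clients whose traffic is allowed with no user identity, which matters when filtering is based on users. The three-column tab-separated format, the `Allowed`/`Denied` action values and every sample row are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: simplified export with client IP, client username, action.
# A real ISA log export carries more fields; map its columns to these three.
SAMPLE_LOG = """\
10.0.0.21\tanonymous\tDenied
10.0.0.21\tCORP\\alice\tAllowed
10.0.0.22\tCORP\\WS022$\tDenied
10.0.0.22\tCORP\\bob\tAllowed
10.0.0.23\tCORP\\WS023$\tAllowed
10.0.0.24\tanonymous\tAllowed
10.0.0.25\tanonymous\tDenied
"""

def identity_kind(username):
    """Classify the logged client username."""
    name = username.strip().lower()
    if name in ("", "-", "anonymous"):
        return "anonymous"
    if name.endswith("$"):  # Active Directory computer accounts end in "$"
        return "computer"
    return "user"

def summarize(log_text):
    """Return {client_ip: verdict} for every client seen in the log."""
    seen = defaultdict(lambda: {"user": False, "non_user": False})
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        ip, username, action = row
        state = seen[ip]  # register the client even if nothing was allowed
        if action.strip().lower() == "allowed":
            key = "user" if identity_kind(username) == "user" else "non_user"
            state[key] = True
    verdicts = {}
    for ip, state in seen.items():
        if state["non_user"]:
            verdicts[ip] = "review: traffic allowed without a user identity"
        elif state["user"]:
            verdicts[ip] = "ok: allowed access is tied to a username"
        else:
            verdicts[ip] = "blocked: never authenticated as a user"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, verdict)
```

Clients marked "review" are the ones that user-group filtering cannot attribute to a person.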