Solved

ISA 2006 how not to ask for authentication

Posted on 2007-03-20
Last Modified: 2012-06-22
MS ISA2006
When an unauthenticated user sets his browser to my MS ISA 2006 proxy, the proxy server pops up a webpage with a logon screen.

I need to disable this screen so the users not authenticated in AD (logged on to the computer) will not get the ability to authenticate to be able to browse.
Question by:theruck
10 Comments
 
LVL 33

Expert Comment

by:Busbar
ID: 18757124
Either remove the authentication or install the firewall clients on the PC machines.
0
 
LVL 14

Author Comment

by:theruck
ID: 18757634
None of the above is possible, either because of administrative effort or because of the required functionality for authenticated users.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18758620
No offence but it is certainly possible - whether it can be done given the asker's environment is another.

Is the ISA deployed as a firewall or just a proxy server?
How have you published the outbound rule in the first place?
Have you used the authenticated users or the All Users?
Have you ticked the all users must authenticate tick box?
If it's in firewall mode, are you also using the ISA2006 firewall client as well?

Keith
0
 
LVL 14

Author Comment

by:theruck
ID: 18762340
- ISA is deployed as a proxy with a single network adapter
- I am sure the rules are OK; I got only 1 rule and the behaviour is the same
- I used my own group of users
- "All users must authenticate" is unchecked (but the logon popup still appears); I use integrated authentication


I think that this behaviour is by design and that I will have to use certificate authentication.

To make it more clear, here is the scenario:
A customer uses domain accounts for internet browsing and logon to computer for general work on PC, and he needs the users not to be requested to give the password for ISA, because they would be able to browse the internet in the local PC account.
With ISA 2000 it was OK - it did not pop up the authentication dialog.

I know this is completely crazy and has no security meaning, because the users are always able to run the Iexplorer with the "runas" command, but I just came into this environment with 400 users and I am supposed to set up the ISA 2006 only, not changing the entire environment.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18769645
No sweat. I'll have to set this up and give a try myself this evening.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18774105
Just setting up the environment now.

To confirm the requirement then.....

You are using ISA as a proxy only, so we are only interested in web traffic.
You want authenticated users to gain Internet access but non-authenticated users to be denied access rather than be prompted for credentials.

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18774851
Confirmed....

On the outbound rule, is this a manual group you have set up or is it an AD group?

I have added the standard outbound rules to a new 2006 install,
i.e. allow DNS, SMTP, NTP etc. from the respective servers, then a single outbound rule for

allow http, https, ftp from internal & local host to external - users = domain users & domain admins

I then connected my two standalone PCs to the network and set them to point to the proxy IP and port 8080. They get the standard ISA 'on your bike' message that the connection is denied.

Do you have any other outbound internet rules applied? ISA applies the rules top-down in 2004 and 2006. Oh, and I added a rule to the firewall to only accept http, https and ftp from the ISA IP.
0
 
LVL 14

Author Comment

by:theruck
ID: 18779199
It is an AD group.
I solved it for now for Internet Explorer; anyway, the alternative browsers still ask for authentication.

I made these steps:

- disabled all authentication types
- enabled integrated auth
- detached the HTTP application filter on the HTTP protocol
- set ReturnAuthRequiredIfAuthUserDenied to False

IE does not ask for credentials. If the user is from the enabled group, it allows him to pass. If not, error 502 is displayed (URL blocked/denied).
Alternative browsers still ask for credentials.

For the customer it is enough as a solution...
0
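To check from a client which of the outcomes described in the comment above a proxy actually produces (a credential challenge or a plain denial), the head of its response to an unauthenticated request can be classified. This is an added example, not part of the original thread; the sample responses are constructed, and the function names and labels are hypothetical.

```python
# Added example: classify a forward proxy's answer to a request sent without credentials.
# Schemes a domain-joined browser can answer with the logged-on Windows account.
INTEGRATED = {"negotiate", "kerberos", "ntlm"}

def parse_head(raw: bytes):
    """Return (status_code, [Proxy-Authenticate schemes]) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Assumption: one challenge per Proxy-Authenticate header line.
        if sep and name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return int(parts[1]), schemes

def classify(raw: bytes) -> str:
    """Label the response by what a browser without credentials will do next."""
    status, schemes = parse_head(raw)
    if status == 407:
        if not schemes:
            return "challenge-malformed"
        if set(schemes) <= INTEGRATED:
            # Clients that cannot do integrated auth will still show a dialog.
            return "challenge-integrated-only"
        return "challenge-offers-typed-credentials"
    if status in (403, 502):
        return "denied-without-challenge"
    if 200 <= status < 400:
        return "allowed"
    return "other"

# Constructed sample responses (not captured from a real ISA server).
SAMPLES = {
    "integrated": b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                  b"Proxy-Authenticate: Negotiate\r\nProxy-Authenticate: NTLM\r\n"
                  b"Content-Length: 0\r\n\r\n",
    "with_basic": b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                  b"Proxy-Authenticate: NTLM\r\n"
                  b"Proxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n",
    "denied": b"HTTP/1.1 502 Proxy Error\r\nContent-Type: text/html\r\n\r\n<html>denied</html>",
    "allowed": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} -> {classify(raw)}")
```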
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 18955914
PAQed with points refunded (500)

Computer101
EE Admin
0
