ISA 2006 how not to ask for authentication

MS ISA2006
When an unauthenticated user sets his browser to my MS ISA 2006 proxy, the proxy server pops up a web page with a logon screen.

I need to disable this screen so that the users not authenticated in AD (logged on to the computer) will not get the ability to authenticate to be able to browse.
theruck Asked:

Busbar, Solutions Architect, Commented:
Either remove the authentication or install the firewall clients on the PC machines.
0
theruck (Author) Commented:
None of the above is possible, either because of the administrative effort or because of the required functionality for authenticated users.
0
Keith Alabaster, Enterprise Architect, Commented:
No offence but it is certainly possible - whether it can be done given the asker's environment is another.

Is the ISA deployed as a firewall or just a proxy server?
How have you published the outbound rule in the first place?
Have you used the authenticated users or the All Users?
Have you ticked the "all users must authenticate" tick box?
If it's in firewall mode, are you also using the ISA 2006 firewall client as well?

Keith
0
theruck (Author) Commented:
- ISA is deployed as a proxy with a single network adapter
- I am sure the rules are OK; I have only 1 rule and the behaviour is the same
- I used my own group of users
- "all users must authenticate" is unchecked (but the logon popup still appears); I use integrated authentication


I think that this behaviour is by design and that I will have to use certificate authentication.

To make it more clear, here is the scenario:
A customer uses domain accounts for Internet browsing and logon to the computer for general work on the PC, and he needs the users not to be asked to give the password for ISA, because they would be able to browse the Internet in the local PC account.
With ISA 2000 it was OK - it did not pop up the authentication dialog.

I know this is completely crazy and has no security meaning, because the users are always able to run Iexplorer with the "runas" command, but I just came into this environment with 400 users and I am supposed to set up the ISA 2006 only, not changing the entire environment.
0
Keith Alabaster, Enterprise Architect, Commented:
No sweat. I'll have to set this up and give a try myself this evening.
0
Keith Alabaster, Enterprise Architect, Commented:
Just setting up the environment now.

To confirm the requirement then.....

You are using ISA as a proxy only so we are only interested in web traffic.
You want authenticated users to gain Internet access but non-authenticated users to be denied access rather than be prompted for credentials.

0
Keith Alabaster, Enterprise Architect, Commented:
Confirmed....

On the outbound rule, is this a manual group you have set up or is it an AD group?

I have added the standard outbound rules to a new 2006 install,
i.e. allow dns, smtp, ntp etc. from the respective servers, then a single outbound rule for

allow http, https, ftp from internal & local host to external - users = domain users & domain admins

I then connected my two standalone PCs to the network and set them to point to the proxy IP and port 8080. They get the standard ISA 'on your bike' message that the connection is denied.

Do you have any other outbound Internet rules applied? ISA applies the rules top-down in 2004 and 2006. Oh, and I added a rule to the firewall to only accept http, https and ftp from the ISA IP.
0
theruck (Author) Commented:
It is an AD group.
I solved it for now for Internet Explorer; anyway, the alternative browsers still ask for authentication.

I made these steps:

- disabled all authentication types
- enabled integrated auth
- detached the HTTP application filter on the HTTP protocol
- set ReturnAuthRequiredIfAuthUserDenied to False

IE does not ask for credentials. If the user is from the enabled group, it allows him to pass. If not, error 502 is displayed (URL blocked/denied).
Alternative browsers still ask for credentials.

For the customer it is enough as a solution...
0
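A check for the outcome described above, as an added example that is not part of the original thread: it classifies a proxy's reply to a request sent without credentials as either a 407 challenge (the client may prompt) or a plain denial such as the 502 reported in the post. The sample replies and the host name proxy.example are constructed, not captured from an ISA server.

```python
# Added example: classify a proxy's reply to an unauthenticated request.
# Both sample replies are constructed for illustration.
CHALLENGE = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: Negotiate\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b'Proxy-Authenticate: Basic realm="proxy.example"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
DENIED = (
    b"HTTP/1.1 502 Proxy Error\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def parse_head(raw: bytes):
    """Return (status, [(lowercased header name, value), ...]) from a raw reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip lines that are not "name: value"
            headers.append((name.strip().lower(), value.strip()))
    return int(parts[1]), headers


def classify(raw: bytes) -> dict:
    """Say whether the proxy challenged, denied, or allowed the request."""
    status, headers = parse_head(raw)
    # Assumes one challenge per Proxy-Authenticate header line.
    schemes = [v.split(None, 1)[0] for n, v in headers
               if n == "proxy-authenticate" and v]
    if status == 407:
        outcome = "challenge"   # client is asked for proxy credentials
    elif status >= 400:
        outcome = "denied"      # refused outright, nothing to prompt for
    else:
        outcome = "allowed"
    # Basic sends the password base64-encoded, so flag it when offered.
    basic = any(s.lower() == "basic" for s in schemes)
    return {"status": status, "outcome": outcome,
            "schemes": schemes, "basic_offered": basic}


if __name__ == "__main__":
    for name, raw in (("challenge sample", CHALLENGE), ("denied sample", DENIED)):
        print(name, classify(raw))
```
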
Computer101 Commented:
PAQed with points refunded (500)

Computer101
EE Admin
0
