ISA2006 - Creating Rules/Exceptions

Hi,
I'm kind of new to ISA2006 and I'm trying to create a firewall policy rule on our ISA2006 server to allow certain users access to an application via a certain url without the need for NTLM authentication. Currently we have "Integrated" and "Require all users to authenticate" enabled within Configuration - Networks - Internal - Web Proxy. We were able to get the application in question to work with "Basic" enabled and "Require all users to authenticate" disabled, basically no authentication enabled. I would ideally like to have all our users authenticate with "Integrated" and "Require all users to authenticate" enabled but at the same time have a rule/exception to allow certain users access a url without any NTLM authentication because this seems to be the only way the application will work as we have discovered.

Any help with this question would be greatly appreciated.
Regards,
John O'Connor.
davystocks asked:

Keith Alabaster (Enterprise Architect) commented:
The "Require all users to authenticate" option is, in my view, the last resort when you have devices using the Internet that simply cannot authenticate any other way. The only time I have needed to use that option was for a site where one of the directors had his Sony PSP and Xbox Live connecting to an internal WAP and out through to the Internet on his production network. (I know, tell me about it, these people exist...)

Can you give me a few more details?
The application is out on the Internet and you want your internal users to get to it?
Do you have ISA installed as a firewall or just as a Proxy?
What is the relationship, if any, with your network and the application server?
davystocks (Author) commented:
Hi Keith,

Tks for coming back to me.

The application is set up by running an exe. Each time you start the app it pulls its updates down from its website if it has any updates, and then presents you with a logon box at which stage you enter your credentials provided by the company that owns the app. It's at this stage that it returns a "407 proxy authentication required" error.

I have ISA installed as a Proxy server.

The relationship with the network and the app server is that we have a couple of ports open on our FW in order to communicate with the app.

The company that owns the app has come back to me and said that NTLM will not work with the app; the app cannot carry the NTLM with it.

This is the reason I was trying to create a FW rule (if that's what's needed) on the ISA that would allow users to access the app without the need for NTLM. We have been told by the company that if we enter two URLs in the "bypass exceptions list" the app will work. However, we are limited in the number of characters that we can enter in here due to the fact that we have other apps in here and the list is restricted to 255 characters within GPO, I think. Just on that note, is there a way this list can be increased? It may be the reg key that has to have its value increased.

Thanks,
John.
Keith Alabaster (Enterprise Architect) commented:
John, do an nslookup of the URLs being contacted.
In the exceptions, put in the IP addresses instead of the fully-qualified domain names and path.

In my exceptions, for example, I use 10.*;192.168.*;others where "others" are URLs or other IPs.

The 10.* means anything beginning with 10 as the first octet bypasses the proxy. The 192.168.* means the same for anything beginning with 192.168. You can also put in the exact IP addresses if you wanted to. If that doesn't work then let me know and we can try looking at the authentication routines.
davystocks (Author) commented:
Hi Keith,

Tks for that, but unfortunately I can't get the IP address exceptions to work; it requires the hostnames in the exceptions to work, which kind of leads me back to the original authentication question, or else how to increase the registry value which seems to be set to a max of 255 characters within GPO. I'm just about maxed out now with these two URLs included for the app in question to work.

Thanks,
John.
Keith Alabaster (Enterprise Architect) commented:
Then we are doing something wrong. IP addresses in exceptions are fine; is there a redirect taking place to another IP after the first is called?

davystocks (Author) commented:
Hi Keith,

Whatever the client enters in their browser address bar is what's resolved in the "bypass proxy list"; it won't resolve URLs to IP addresses, to the best of my knowledge.

Keith Alabaster (Enterprise Architect) commented:
Then we have to agree to differ :)

A URL is stripped into its two components by the browser, FQDN and path; the FQDN (www.server.com) is looked up by the DNS client first to identify the IP address it needs to send the request to. If you think about it, the DNS lookup would not know what www.server.com/blah/blah/blah resolves to. If you are unsure of my view on things, see Microsoft's opinion instead.

http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/corpprox.mspx?mfr=true

I can tell you now, though, that 255 characters is the maximum in the registry field. There are items you can play with that amend it by a few characters either way, but that's all.

Keith Alabaster (Enterprise Architect) commented:
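To make the two points in this thread concrete (the exception list is a semicolon-separated set of wildcard patterns such as 10.*;192.168.*, and the browser compares only the host part of a URL against it, so an entry that carries a path never matches), here is an added illustration that models that matching and the 255-character list limit the thread mentions. It is not code from the thread, from ISA Server or from Internet Explorer; the bypass list, host names and the `.invalid`/`.example` domains are constructed for the example, and the wildcard semantics (`*` matches any run of characters, case-insensitive, compared against the host only) are an assumption that models a typical proxy bypass list rather than a quotation of any vendor's documentation.

```python
import re
from urllib.parse import urlsplit

# Constructed sample list in the same style as the thread's "10.*;192.168.*;others".
SAMPLE_BYPASS_LIST = "10.*;192.168.*;updates.example-app.invalid;*.intranet.example"

# Limit stated in the thread for the GPO-managed registry value (assumed fixed here).
GPO_LIMIT = 255


def parse_bypass_list(text: str) -> list[str]:
    """Split the semicolon-separated exception list into individual patterns."""
    return [entry.strip() for entry in text.split(";") if entry.strip()]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a wildcard entry like '192.168.*' into an anchored regex.

    Every character except '*' is matched literally, so an entry that
    contains a path ('www.server.com/blah') can only match a host that
    literally contains '/', which never happens.
    """
    parts = pattern.split("*")
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$", re.IGNORECASE)


def url_host(url: str) -> str:
    """Return only the host portion of a URL, as the browser does before the lookup.

    Scheme, port and path are discarded; 'www.server.com/blah/blah' -> 'www.server.com'.
    """
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def bypasses_proxy(url: str, bypass_list: str) -> bool:
    """True if the URL's host matches any pattern in the exception list."""
    host = url_host(url)
    return any(pattern_to_regex(p).match(host) for p in parse_bypass_list(bypass_list))


def check_list_length(bypass_list: str, limit: int = GPO_LIMIT) -> tuple[bool, int]:
    """Report whether the list fits the limit and how many characters remain.

    The remaining count is negative when the list is already too long.
    """
    remaining = limit - len(bypass_list)
    return remaining >= 0, remaining


if __name__ == "__main__":
    for url in ("http://10.1.2.3/app", "http://110.1.2.3/app",
                "https://updates.example-app.invalid/check",
                "http://portal.intranet.example:8080/login",
                "http://www.example.com/"):
        print(f"{url:45} bypass={bypasses_proxy(url, SAMPLE_BYPASS_LIST)}")
    # An entry with a path never matches; the same entry without the path does.
    print(bypasses_proxy("http://www.server.com/blah", "www.server.com/blah"))
    print(bypasses_proxy("http://www.server.com/blah", "www.server.com"))
    print(check_list_length(SAMPLE_BYPASS_LIST))
```

Two things the model makes visible: a host name entry and an IP entry are matched as strings, so a request typed as `http://10.1.2.3/` matches `10.*` but not a host name entry for the same server, and every host that matches an entry skips proxy authentication and proxy logging entirely, so entries should be as narrow as the application actually needs rather than broad wildcards.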
Thanks Davy.