Solved

ISA2006 - Creating Rules/Exceptions

Posted on 2007-03-23
397 Views
Last Modified: 2011-10-03
Hi,
I'm kind of new to ISA2006 and I'm trying to create a firewall policy rule on our ISA2006 server to allow certain users access to an application via a certain URL without the need for NTLM authentication. Currently we have "Integrated" and "Require all users to authenticate" enabled within Configuration - Networks - Internal - Web Proxy. We were able to get the application in question to work with "Basic" enabled and "Require all users to authenticate" disabled, basically no authentication enabled. I would ideally like to have all our users authenticate with "Integrated" and "Require all users to authenticate" enabled, but at the same time have a rule/exception to allow certain users access to a URL without any NTLM authentication, because this seems to be the only way the application will work, as we have discovered.

Any help with this question would be greatly appreciated.
Regards,
John O'Connor.
Question by: davystocks
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18784530
The require all users to authenticate is, in my view, the last resort when you have devices using the Internet that simply cannot authenticate any other way. The only time I have needed to use that option was for a site where one of the directors had his Sony PSP and xbox live connecting to an internal WAP and out through to the internet on his production network. (I know, tell me about it, these people exist...).

Can you give me a few more details?
The application is out on the Internet and you want your internal users to get to it?
Do you have ISA installed as a firewall or just as a Proxy?
What is the relationship, if any, with your network and the application server?
LVL 4

Author Comment

by:davystocks
ID: 18799008
Hi Keith,

Tks for coming back to me.

The application is set up by running an exe. Each time you start the app it pulls its updates down from its website if it has any updates, and then presents you with a logon box, at which stage you enter your credentials provided by the company that owns the app. It's at this stage that it returns a "407 proxy authentication required" error.

I have ISA installed as a Proxy server.

The relationship with the network and the app server is that we have a couple of ports open on our FW in order to communicate with the app.

The company that owns the app has come back to me and said that NTLM will not work with the app; the app cannot carry the NTLM with it.

This is the reason I was trying to create a FW rule (if that's what's needed) on the ISA that would allow users to access the app without the need for NTLM. We have been told by the company that if we enter two URLs in the "bypass exceptions list" the app will work. However, we are limited in the number of characters that we can enter here, due to the fact that we have other apps in here and the list is restricted to 255 characters within GPO, I think. Just on that note, is there a way this list can be increased? It may be the reg key that has to have its value increased.

Thanks,
John.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18801556
John, do an nslookup of the URLs being contacted.
In the exceptions, put in the IP addresses instead of the fully-qualified domain names and path.

In my exceptions, for example, I use 10.*;192.168.*;others where others are URLs or other IPs.

The 10.* means anything beginning with 10 as the first octet bypasses the proxy. The 192.168.* means the same for anything beginning with 192.168. You can also put in the exact IP addresses if you wanted to. If that doesn't work then let me know and we can try looking at the authentication routines.
LVL 4

Author Comment

by:davystocks
ID: 18817808
Hi Keith,

Thanks for that, but unfortunately I can't get the IP address exceptions to work; it requires the hostnames in the exceptions to work, which kind of leads me back to the original authentication question, or else how to increase the registry value, which seems to be set to a max of 255 characters within GPO. I'm just about maxed out now with these two URLs included for the app in question to work.

Thanks,
John.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18817917
Then we are doing something wrong. IP addresses in exceptions are fine; is there a redirect taking place to another ip after the first is called?

LVL 4

Author Comment

by:davystocks
ID: 18842120
Hi Keith,

Whatever the client enters in their browser address bar is what's resolved in the "bypass proxy list"; it won't resolve URLs to IP addresses, to the best of my knowledge.
LVL 51

Accepted Solution

by: Keith Alabaster (earned 500 total points)
ID: 18846205
Then we have to agree to differ :)

A URL is stripped into its two components by the browser, FQDN and path. The FQDN (www.server.com) is looked up by the DNS client first to identify the IP address it needs to send the request to. If you think about it, the DNS lookup would not know what www.server.com/blah/blah/blah resolves to. If you are unsure of my view on things, see Microsoft's opinion instead.

http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/corpprox.mspx?mfr=true

I can tell you now, though, that 255 characters is the maximum in the registry field. There are items you can play with that amend it by a few characters either way, but that's all.

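The accepted solution and the earlier exchange turn on two points: how a proxy bypass ("exceptions") list is matched against a URL, and the 255-character ceiling on the list. The following is an added example, not code from the thread or from Microsoft; it is a simplified model of an IE/WinINet-style bypass list (entries separated by `;`, `*` wildcards, the special `<local>` entry for hostnames without a dot). In this model the comparison is a string match on the host component of the URL only: the path is discarded, exactly as the accepted answer describes, and no DNS lookup is performed during matching, so an IP-address entry matches only when the client actually typed that IP. The 255-character limit and the sample list below are constructed from the values the thread mentions; the exact matching rules of the real client are not reproduced here.

```python
"""Model of a Windows/IE-style proxy bypass list (added example, not from the thread).

Assumptions (labelled, not from the page):
- entries are ';'-separated, '*' is a wildcard, '<local>' matches hosts without a dot
- entries without a wildcard must match the host exactly
- matching is purely string-based on the host part of the URL; no DNS resolution
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Ceiling the thread reports for the GPO/registry bypass string.
MAX_BYPASS_LEN = 255


def parse_bypass_list(raw: str) -> list[str]:
    """Split the raw bypass string into trimmed, non-empty entries."""
    return [e.strip() for e in raw.split(";") if e.strip()]


def host_of(url: str) -> str:
    """Return only the host component of a URL; the path is never consulted."""
    if "://" not in url:
        url = "http://" + url  # treat a bare 'host/path' as the browser would
    return (urlsplit(url).hostname or "").lower()


def bypasses_proxy(url: str, raw_list: str) -> bool:
    """True if the host typed in the URL matches an entry in the bypass list."""
    host = host_of(url)
    for entry in parse_bypass_list(raw_list):
        if entry == "<local>":
            if "." not in host:  # single-label name, e.g. 'intranet'
                return True
            continue
        # Wildcard or exact string comparison against the host as typed.
        # An entry like '10.*' matches 'http://10.5.6.7/' but NOT a hostname
        # that merely resolves to that address, because nothing is resolved here.
        if fnmatchcase(host, entry.lower()):
            return True
    return False


def length_remaining(raw_list: str) -> int:
    """Characters still available before the 255-character ceiling is hit."""
    return MAX_BYPASS_LEN - len(raw_list)


def add_entries(raw_list: str, new_entries: list[str]) -> str:
    """Append entries, refusing to exceed the ceiling (raises ValueError)."""
    merged = ";".join(parse_bypass_list(raw_list) + [e.strip() for e in new_entries])
    if len(merged) > MAX_BYPASS_LEN:
        raise ValueError(f"bypass list would be {len(merged)} chars, limit is {MAX_BYPASS_LEN}")
    return merged


if __name__ == "__main__":
    # Constructed sample list in the style the expert quotes (10.*;192.168.*;others).
    sample = "10.*;192.168.*;www.example.com;<local>"
    for u in ("http://10.5.6.7/app/update", "https://www.example.com/login",
              "http://172.16.0.1/", "http://intranet/"):
        print(f"{u:35} bypass={bypasses_proxy(u, sample)}")
    print("characters remaining:", length_remaining(sample))
```

Running the block shows that `http://10.5.6.7/app/update` and `https://www.example.com/login` bypass the proxy while `http://172.16.0.1/` does not, and `length_remaining` makes it easy to see how quickly two long FQDN entries consume the 255-character budget the asker ran into.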
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18852052
Thanks Davy.