Solved

ISA2006 - Creating Rules/Exceptions

Posted on 2007-03-23
Last Modified: 2011-10-03
Hi,
I'm kind of new to ISA2006 and I'm trying to create a firewall policy rule on our ISA2006 server to allow certain users access to an application via a certain URL without the need for NTLM authentication. Currently we have "Integrated" and "Require all users to authenticate" enabled within Configuration - Networks - Internal - Web Proxy. We were able to get the application in question to work with "Basic" enabled and "Require all users to authenticate" disabled, basically no authentication enabled. I would ideally like to have all our users authenticate with "Integrated" and "Require all users to authenticate" enabled, but at the same time have a rule/exception to allow certain users access to a URL without any NTLM authentication, because this seems to be the only way the application will work, as we have discovered.

Any help with this question would be greatly appreciated.
Regards,
John O'Connor.
Question by:davystocks
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18784530
The require all users to authenticate is, in my view, the last resort when you have devices using the Internet that simply cannot authenticate any other way. The only time I have needed to use that option was for a site where one of the directors had his Sony PSP and xbox live connecting to an internal WAP and out through to the internet on his production network. (I know, tell me about it, these people exist...).

Can you give me a few more details?
The application is out on the Internet and you want your internal users to get to it?
Do you have ISA installed as a firewall or just as a Proxy?
What is the relationship, if any, with your network and the application server?
0
 
LVL 4

Author Comment

by:davystocks
ID: 18799008
Hi Keith,

Tks for coming back to me.

The application is set up by running an exe. Each time you start the app it pulls its updates down from its website if it has any updates, and then presents you with a logon box, at which stage you enter your credentials provided by the company that own the app. It's at this stage that it returns a "407 proxy authentication required" error.

I have ISA installed as a Proxy server.

The relationship with the network and the app server is that we have a couple of ports open on our FW in order to communicate with the app.

The company that own the app have come back to me and said that NTLM will not work with the app, the app cannot carry the NTLM with it.

This is the reason I was trying to create a FW rule (if that's what's needed) on the ISA that would allow users to access the app without the need for NTLM. We have been told by the company that if we enter two URLs in the "bypass exceptions list" the app will work. However, we are limited in the number of characters that we can enter in here due to the fact that we have other apps in here and the list is restricted to 255 characters within GPO, I think. Just on that note, is there a way this list can be increased? It may be the reg key that has to have its value increased.

Thanks,
John.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18801556
John, do an nslookup of the urls being contacted.
In the exceptions, put in the IP addresses instead of the fully-qualified domain names and path.

In my exceptions for example I use 10.*;192.168.*;others  where others are urls or other ip's

the 10.* means anything beginning with 10 as the first octet bypasses the proxy. The 192.168.* means the same for anything beginning with 192.168. You can also put in the exact ip addresses if you wanted to. If that doesn't work then let me know and we can try looking at the authentication routines.
0
 
LVL 4

Author Comment

by:davystocks
ID: 18817808
Hi Keith,

Tks for that, but unfortunately I can't get the IP address exceptions to work; it requires the hostnames in the exceptions to work, which kind of leads me back to the original authentication question, or else how to increase the registry value, which seems to be set to a max of 255 characters within GPO. I'm just about maxed out now with these two URLs included for the app in question to work.

Thanks,
John.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18817917
Then we are doing something wrong. IP addresses in exceptions are fine; is there a redirect taking place to another ip after the first is called?

0
 
LVL 4

Author Comment

by:davystocks
ID: 18842120
Hi Keith,

Whatever the client enters in their browser address bar is what's resolved in the "bypass proxy list"; it won't resolve URLs to IP addresses, to the best of my knowledge.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 18846205
Then we have to agree to differ :)

A URL is stripped into its two components by the browser, FQDN and path - the FQDN (www.server.com) is looked up by the DNS client first to identify the IP address it needs to send the request to. If you think about it, the DNS lookup would not know what www.server.com/blah/blah/blah resolves to. If you are unsure of my view on things, see Microsoft's opinion instead.

http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/corpprox.mspx?mfr=true

I can tell you now, though, that 255 characters is the maximum in the registry field. There are items you can play with that amend it by a few characters either way, but that's all.

0
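As an added illustration, not code from the thread or from Microsoft, the following matcher reproduces the semicolon-separated bypass-list syntax discussed above (`10.*;192.168.*;others`) and the 255-character limit Keith mentions. It assumes the list is applied to the host component of the URL exactly as entered in the address bar, before any DNS lookup, so an IP-address pattern only matches a URL that is itself written with that IP; `*.appvendor.example` and the sample URLs are constructed placeholders.

```python
import fnmatch
from urllib.parse import urlsplit

# Length limit of the bypass-list value as stated in the thread (GPO / registry field).
MAX_BYPASS_LENGTH = 255


def parse_bypass_list(value):
    """Split the semicolon-separated bypass list into lower-cased patterns."""
    return [p.strip().lower() for p in value.split(";") if p.strip()]


def url_host(url):
    """Return the host part the browser extracts from a URL (the FQDN or IP
    literal, never the path). A scheme is assumed if the user omitted one."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def bypasses_proxy(url, bypass_list):
    """True if the URL's host matches any bypass pattern.

    Matching is a shell-style wildcard match against the host string as
    entered, so '10.*' matches http://10.1.2.3/... but not a hostname that
    merely resolves to 10.1.2.3 (assumption: no DNS resolution is performed)."""
    host = url_host(url)
    return any(fnmatch.fnmatchcase(host, pat) for pat in parse_bypass_list(bypass_list))


def check_bypass_length(value):
    """True if the list still fits in the 255-character field."""
    return len(value) <= MAX_BYPASS_LENGTH


if __name__ == "__main__":
    # Constructed sample list: two private ranges plus a vendor wildcard.
    sample = "10.*;192.168.*;*.appvendor.example"
    for url in ("http://10.1.2.3/app", "http://updates.appvendor.example/login",
                "http://www.server.com/blah/blah/blah"):
        print(url, "->", "bypass" if bypasses_proxy(url, sample) else "via proxy")
    print("fits in field:", check_bypass_length(sample))
```

Running it shows that the wildcard patterns match the host only, so the path after the FQDN never influences the decision.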
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18852052
Thanks Davy.
0
