Solved

ISA2006 - Creating Rules/Exceptions

Posted on 2007-03-23
Last Modified: 2011-10-03
Hi,
I'm kind of new to ISA2006 and I'm trying to create a firewall policy rule on our ISA2006 server to allow certain users access to an application via a certain URL without the need for NTLM authentication. Currently we have "Integrated" and "Require all users to authenticate" enabled within Configuration - Networks - Internal - Web Proxy. We were able to get the application in question to work with "Basic" enabled and "Require all users to authenticate" disabled, basically no authentication enabled. I would ideally like to have all our users authenticate with "Integrated" and "Require all users to authenticate" enabled, but at the same time have a rule/exception to allow certain users access to a URL without any NTLM authentication, because this seems to be the only way the application will work, as we have discovered.

Any help with this question would be greatly appreciated.
Regards,
John O'Connor.
Question by:davystocks
8 Comments

Expert Comment

by:Keith Alabaster
ID: 18784530
The "require all users to authenticate" option is, in my view, the last resort when you have devices using the Internet that simply cannot authenticate any other way. The only time I have needed to use that option was for a site where one of the directors had his Sony PSP and Xbox Live connecting to an internal WAP and out through to the Internet on his production network. (I know, tell me about it, these people exist...)

Can you give me a few more details?
The application is out on the Internet and you want your internal users to get to it?
Do you have ISA installed as a firewall or just as a Proxy?
What is the relationship, if any, with your network and the application server?

Author Comment

by:davystocks
ID: 18799008
Hi Keith,

Thanks for coming back to me.

The application is set up by running an exe. Each time you start the app it pulls its updates down from its website if it has any updates, and then presents you with a logon box, at which stage you enter your credentials provided by the company that owns the app. It's at this stage that it returns a "407 proxy authentication required" error.

I have ISA installed as a Proxy server.

The relationship with the network and the app server is that we have a couple of ports open on our FW in order to communicate with the app.

The company that own the app have come back to me and said that NTLM will not work with the app, the app cannot carry the NTLM with it.

This is the reason I was trying to create a FW rule (if that's what's needed) on the ISA that would allow users to access the app without the need for NTLM. We have been told by the company that if we enter two URLs in the "bypass exceptions list" the app will work. However, we are limited in the number of characters that we can enter in here due to the fact that we have other apps in here and the list is restricted to 255 characters within GPO, I think. Just on that note, is there a way this list can be increased? It may be the reg key that has to have its value increased.

Thanks,
John.

Expert Comment

by:Keith Alabaster
ID: 18801556
John, do an nslookup of the URLs being contacted.
In the exceptions, put in the IP addresses instead of the fully-qualified domain names and path.

In my exceptions, for example, I use 10.*;192.168.*;others where "others" are URLs or other IPs.

The 10.* means anything beginning with 10 as the first octet bypasses the proxy. The 192.168.* means the same for anything beginning with 192.168. You can also put in the exact IP addresses if you want to. If that doesn't work then let me know and we can try looking at the authentication routines.

Author Comment

by:davystocks
ID: 18817808
Hi Keith,

Thanks for that, but unfortunately I can't get the IP address exceptions to work. It requires the hostnames in the exceptions to work, which kind of leads me back to the original authentication question, or else how to increase the registry value, which seems to be set to a max of 255 characters within GPO. I'm just about maxed out now with these two URLs included for the app in question to work.

Thanks,
John.

Expert Comment

by:Keith Alabaster
ID: 18817917
Then we are doing something wrong. IP addresses in exceptions are fine; is there a redirect taking place to another IP after the first is called?


Author Comment

by:davystocks
ID: 18842120
Hi Keith,

Whatever the client enters in their browser address bar is what's resolved in the "bypass proxy list"; it won't resolve URLs to IP addresses, to the best of my knowledge.

Accepted Solution

by: Keith Alabaster (earned 1500 total points)
ID: 18846205
Then we have to agree to differ :)

A URL is stripped into its two components by the browser, FQDN and path. The FQDN (www.server.com) is looked up by the DNS client first to identify the IP address it needs to send the request to. If you think about it, the DNS lookup would not know what www.server.com/blah/blah/blah resolves to. If you are unsure of my view on things, see Microsoft's opinion instead.

http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/corpprox.mspx?mfr=true

I can tell you now, though, that 255 characters is the maximum in the registry field. There are items you can play with that amend it by a few characters either way, but that's all.

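An added illustration, written for this page and not taken from the thread or from Microsoft, of how a WinINET-style proxy bypass list (the semicolon-separated "exceptions" discussed above) is evaluated: each entry is compared as a string, with `*` wildcards, against the host part of the URL exactly as the client addressed it, with no DNS lookup involved. The bypass list, hostnames and IP addresses below are constructed, and the 255-character cap is the figure the thread quotes, not a value this code verifies against Windows.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Cap on the bypass list as stated in the thread (assumption taken from the page).
MAX_BYPASS_LENGTH = 255

# Constructed sample list in the "10.*;192.168.*;others" shape used above.
SAMPLE_BYPASS = "10.*;192.168.*;app.example.com;<local>"


def parse_bypass_list(raw):
    """Split 'a;b;c' into its entries, dropping blanks and surrounding spaces."""
    return [e.strip() for e in raw.split(";") if e.strip()]


def host_of(url):
    """Return the host component of the URL as typed, lower-cased.
    Only the string is examined; nothing here resolves names to addresses."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def bypasses_proxy(url, bypass_list):
    """True if the URL's host matches an entry.

    Matching is a case-insensitive string comparison where '*' matches any
    run of characters, so '10.*' covers any host literally typed as 10.x.y.z,
    and an entry holding an IP address matches only a URL that was typed
    with that IP, never a hostname that happens to resolve to it.
    '<local>' is the conventional token for single-label (dot-less) hosts.
    Any path in the URL is ignored because only the host is compared."""
    host = host_of(url)
    for entry in parse_bypass_list(bypass_list):
        if entry == "<local>":
            if host and "." not in host:
                return True
        elif fnmatchcase(host, entry.lower()):
            return True
    return False


def within_limit(bypass_list):
    """Return (fits, length) against the thread's stated 255-character cap."""
    return len(bypass_list) <= MAX_BYPASS_LENGTH, len(bypass_list)
```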

Expert Comment

by:Keith Alabaster
ID: 18852052
Thanks Davy.