Solved

ISA2006 - Creating Rules/Exceptions

Posted on 2007-03-23
Last Modified: 2011-10-03
Hi,
I'm kind of new to ISA2006 and I'm trying to create a firewall policy rule on our ISA2006 server to allow certain users access to an application via a certain URL without the need for NTLM authentication. Currently we have "Integrated" and "Require all users to authenticate" enabled within Configuration - Networks - Internal - Web Proxy. We were able to get the application in question to work with "Basic" enabled and "Require all users to authenticate" disabled, basically no authentication enabled. I would ideally like to have all our users authenticate with "Integrated" and "Require all users to authenticate" enabled, but at the same time have a rule/exception to allow certain users to access a URL without any NTLM authentication, because this seems to be the only way the application will work, as we have discovered.

Any help with this question would be greatly appreciated.
Regards,
John O'Connor.
Question by:davystocks
8 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18784530
The require all users to authenticate is, in my view, the last resort when you have devices using the Internet that simply cannot authenticate any other way. The only time I have needed to use that option was for a site where one of the directors had his Sony PSP and xbox live connecting to an internal WAP and out through to the internet on his production network. (I know, tell me about it, these people exist...).

Can you give me a few more details?
The application is out on the Internet and you want your internal users to get to it?
Do you have ISA installed as a firewall or just as a Proxy?
What is the relationship, if any, with your network and the application server?
0
 
LVL 4

Author Comment

by:davystocks
ID: 18799008
Hi Keith,

Tks for coming back to me.

The application is set up by running an exe. Each time you start the app it pulls its updates down from its website if it has any updates, and then presents you with a logon box, at which stage you enter your credentials provided by the company that owns the app. It's at this stage that it returns a "407 proxy authentication required" error.

I have ISA installed as a Proxy server.

The relationship with the network and the app server is that we have a couple of ports open on our FW in order to communicate with the app.

The company that owns the app has come back to me and said that NTLM will not work with the app; the app cannot carry the NTLM with it.

This is the reason I was trying to create a FW rule (if that's what's needed) on the ISA that would allow users to access the app without the need for NTLM. We have been told by the company that if we enter two URLs in the "bypass exceptions list" the app will work. However, we are limited in the number of characters that we can enter in here due to the fact that we have other apps in here, and the list is restricted to 255 characters within GPO, I think. Just on that note, is there a way this list can be increased? It may be the reg key that has to have its value increased.

Thanks,
John.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18801556
John, do an nslookup of the URLs being contacted.
In the exceptions, put in the IP addresses instead of the fully-qualified domain names and path.

In my exceptions, for example, I use 10.*;192.168.*;others where "others" are URLs or other IPs.

The 10.* means anything beginning with 10 as the first octet bypasses the proxy. The 192.168.* means the same for anything beginning with 192.168. You can also put in the exact IP addresses if you wanted to. If that doesn't work then let me know and we can try looking at the authentication routines.
0
 
LVL 4

Author Comment

by:davystocks
ID: 18817808
Hi Keith,

Tks for that, but unfortunately I can't get the IP address exceptions to work. It requires the hostnames in the exceptions to work, which kind of leads me back to the original authentication question, or else how to increase the registry value, which seems to be set to a max of 255 characters within GPO. I'm just about maxed out now with these two URLs included for the app in question to work.

Thanks,
John.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18817917
Then we are doing something wrong. IP addresses in exceptions are fine; is there a redirect taking place to another ip after the first is called?

0
 
LVL 4

Author Comment

by:davystocks
ID: 18842120
Hi Keith,

Whatever the client enters in their browser address bar is what's resolved in the "bypass proxy list"; it won't resolve URLs to IP addresses, to the best of my knowledge.
0
 
LVL 51

Accepted Solution

by:Keith Alabaster (earned 500 total points)
ID: 18846205
Then we have to agree to differ :)

A URL is stripped into its two components by the browser, FQDN and path. The FQDN (www.server.com) is looked up by the DNS client first to identify the IP address it needs to send the request to. If you think about it, the DNS lookup would not know what www.server.com/blah/blah/blah resolves to. If you are unsure of my view on things, see Microsoft's opinion instead.

http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/corpprox.mspx?mfr=true

I can tell you now, though, that 255 characters is the maximum in the registry field. There are items you can play with that amend it by a few characters either way, but that's all.

0
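The two participants are describing the same mechanism from different ends: the browser compares only the host part of the typed URL (never the path, and without a DNS lookup) against each wildcard entry in the bypass list, so an IP entry matches only a URL that literally contains that IP. The following is an added example, not code from this thread or from Microsoft, that models those IE-style bypass-list semantics as described above and also reports how much of the 255-character limit a list consumes. The pattern syntax (`;`-separated entries, `*` wildcard) is taken from Keith's example; the sample lists and URLs are constructed.

```python
"""Model of how a browser evaluates a proxy bypass ("exceptions") list.

Added example, not from the original thread. Assumed semantics, as discussed
in the thread: the list is a ';'-separated set of host patterns such as
"10.*;192.168.*;intranet.example.com", each compared as a wildcard string
against the HOST part of the URL the user typed. The path is never consulted
and no DNS lookup is performed, so an IP pattern only matches a URL that
literally contains that IP.
"""
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit

# Limit for the GPO-managed bypass value mentioned in the thread.
MAX_OVERRIDE_CHARS = 255


def parse_bypass_list(raw: str) -> list:
    """Split 'a;b;c' into clean, non-empty, lower-cased patterns."""
    return [p.strip().lower() for p in raw.split(";") if p.strip()]


def host_of(url: str) -> str:
    """Return only the host component; scheme, port and path are discarded."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def matching_pattern(url: str, bypass_list: str) -> Optional[str]:
    """Return the first bypass entry whose wildcard matches the URL's host, else None."""
    host = host_of(url)
    for pattern in parse_bypass_list(bypass_list):
        if fnmatchcase(host, pattern):
            return pattern
    return None


def bypasses_proxy(url: str, bypass_list: str) -> bool:
    """True when the request would go direct instead of through the proxy."""
    return matching_pattern(url, bypass_list) is not None


def bypass_list_headroom(raw: str, limit: int = MAX_OVERRIDE_CHARS) -> int:
    """Characters left before the list exceeds the limit (negative means too long)."""
    return limit - len(raw)


if __name__ == "__main__":
    # Constructed sample list and URLs for demonstration.
    exceptions = "10.*;192.168.*;www.server.com;*.example.com"
    for url in (
        "http://www.server.com/blah/blah/blah",  # host matches, path ignored
        "http://10.1.2.3/update",                 # IP typed, IP wildcard matches
        "http://app.vendor.com/login",            # no entry: goes via proxy (407 if unauthenticated)
    ):
        print(f"{url:45} host={host_of(url):18} bypass={matching_pattern(url, exceptions)}")
    print(f"{len(exceptions)} chars used, {bypass_list_headroom(exceptions)} left of {MAX_OVERRIDE_CHARS}")
```

Run as a script it prints which entry (if any) each sample URL matched and how much of the 255-character budget remains, which is the quick check to do before adding two more application URLs to an already long list.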
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18852052
Thanks Davy.
0