Link to home
Start Free TrialLog in
Avatar of sheynl
sheynl

asked on

Firewall Client cannot authenticate with ISA Server (ISA 2000)

We have the Firewall client installed on a couple of PC's and laptops. Recently one of our company laptops has been experiencing a problem. When the user either tries to browse the Internet or download mail from Yahoo UK via Outlook Express, the firewall client icon appears with an exclamation mark. The message is "Cannot authenticate with ISA Server servername"

The strange thing is....the user was previously able to download his mail and browse. Not sure what has changed and why the problem is suddenly ocurring.

Also should mention that this machine is NOT a member of the domain, however the user does have a user account in the domain. The laptop is personal and the staff member dials-in to the company to browse and pull external mail.
ASKER CERTIFIED SOLUTION
Avatar of SteveH_UK
SteveH_UK
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of sheynl
sheynl

ASKER

Many thanks for getting back to me.

If I put the proxy address in IE7, I can browse fine. But if I DON'T specify the address, then I can't browse. This would normally only work if the Firewall Client was authenticating properly.

Obviously I can do without the web proxy client to browse the internet,  BUT I still want the user to be able to pull external mail i.e. Outlook Express - pull mail from Yahoo UK.

The ONLY way I seem to be able to pull external mail on my company laptop, which is on the domain, is by using the firewall client. NOT sure if there are any rules I could add in ISA 2000 that would enable me to collect this mail without having to use the firewall client?
I'm not sure about ISA 2000 specifically (I've only used 2006) but pull mail normally uses POP3 or IMAP.  POP3 uses TCP/110 and IMAP4 uses TCP/143.  In any case, both should be defined in ISA.  You could then allow a non-authenticating rule to selected (or all) hosts for these protocols.
Had another thought on this.

In ISA Server, when processing the rules, if ISA is checking an authenticated rule, e.g. only some users allowed, and cannot authenticate the client, then all following rules are ignored.  So, the question is, are your POP3/IMAP rules either authenticating (i.e. not All Users) or coming after other rules that require authentication.  Either of those will stop the rule from working with clients that cannot authenticate.