dasmail2000
asked on
Some web site fail to load properly when anonymous access blocked
Hello all -
I have an ISA 2004 implementation that has an issue. All users use IE set to use the ISA server as a proxy. This works well and we are getting usernames in the logs and are able to restrict browsing nicely.
Our setup is fairly basic - we have a simple rule ("Allow All Out") that allows all authenticated users out to all sites EXCEPT the domain names sets we specify. These sets are things like porn sites, gambling sites, etc. If a user goes to one of them, they "fall through" the "Allow All Out" rule and get blocked by the default rule.
However, there are some sites that fail to load properly because we do not allow anonymous connections. For example (not a work related one) - www.sportsline.com. When a user tries to go there we see the request from the user ok, but then there are several anonymous requests that get blocked and the page fails to load properly. Here is a snippet of the ISA monitoring log -
Authenticated Client | Service | Server Name | Destination Host Name | Transport | HTTP Status Code | Destination IP | Destination Port | Protocol | Action | Rule | Client IP | Client Username | HTTP Method | URL
Yes | Proxy | ISA-HQ | www.sportsline.com | TCP | 200 OK | 64.30.236.34 | 80 | http | Allowed Connection | Allow all out | 192.168.0.8 | xxx\Administrator | GET | http://www.sportsline.com/
No | Proxy | ISA-HQ | images.sportsline.com | TCP | 12202 The ISA Server denied the specified Uniform Resource Locator (URL). | 192.168.0.10 | 8080 | http | Denied Connection | Default rule | 192.168.0.8 | anonymous | GET | http://images.sportsline.com/css/mccfavorites.css
Yes | Proxy | ISA-HQ | www.sportsline.com | TCP | 200 OK | 64.30.236.34 | 80 | http | Allowed Connection | Allow all out | 192.168.0.8 | xxx\Administrator | GET | http://www.sportsline.com/data/community/remote-profile/mcc-top-members?as=json&callback=CBSi_renderMember
No | Proxy | ISA-HQ | images.sportsline.com | TCP | 12202 The ISA Server denied the specified Uniform Resource Locator (URL). | 192.168.0.10 | 8080 | http | Denied Connection | Default rule | 192.168.0.8 | anonymous | GET | http://images.sportsline.com/images/cbss/ui2/h_btn.gif
No | Proxy | ISA-HQ | images.sportsline.com | TCP | 12202 The ISA Server denied the specified Uniform Resource Locator (URL). | 192.168.0.10 | 8080 | http | Denied Connection | Default rule | 192.168.0.8 | anonymous | GET | http://images.sportsline.com/images/cbss/ui2/f_btn.gif
(I know that is hard to read so I attached it as a file as well.)
What you see is the user (xxx\Administrator) going to www.sportsline.com and that is allowed by the "allow all out" rule. This is so because the site is not one of our blocked sites and the user was able to authenticate.
Next, there is a request to images.sportsline.com that is denied as it is an anonymous request - hence the authentication rule fails and the default rule blocks it.
The only way I have been able to address this is to create a rule allowing *.sportsline.com for All Users before our authentication rules. This allows the anonymous connection to work. It is as if the page is making these anonymous requests and not the user, hence the lack of authentication and the failures. Of course, we now lose the logging for users going to that site as they are hitting the rule which allows all users and we do not get authentication.
Hope this makes sense.
If anyone could tell me why this is happening and how to correct it I would be most appreciative.
Thanks in advance!
isa-log.xls
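The triage the question is doing by hand (spotting which hosts are being fetched anonymously and which authenticated page load they follow) can be scripted against the log export. The following is an added example, not code from the original post or from ISA Server: it parses the space-separated record lines in the form the question pasted them, groups the denied anonymous requests by destination host, and pairs each host with the most recent authenticated request from the same client IP. ISA's log has no Referer column, so the "likely parent" pairing is a heuristic based on request order; the five records embedded below are the ones from the question, and the function and field names are this example's own.

```python
"""Triage ISA Server web-proxy log lines for denied anonymous requests.

Added example (not from the original post or from ISA Server): groups the
denied anonymous requests by destination host so the admin can see exactly
which hosts need an anonymous allow rule placed ahead of the authenticated
"Allow All Out" rule, instead of guessing from the raw log.
"""
import re
from collections import OrderedDict

# Column order follows the log header line shown in the question.
LOG_LINE = re.compile(
    r"^(?P<authenticated>Yes|No)\s+"
    r"(?P<service>\S+)\s+"
    r"(?P<server>\S+)\s+"
    r"(?P<dest_host>\S+)\s+"
    r"(?P<transport>\S+)\s+"
    r"(?P<status>\d+.*?)\s+"          # "200 OK" or "12202 The ISA Server denied ..."
    r"(?P<dest_ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dest_port>\d+)\s+"
    r"(?P<protocol>\S+)\s+"
    r"(?P<action>Allowed Connection|Denied Connection)\s+"
    r"(?P<rule>.+?)\s+"               # rule names contain spaces: "Allow all out", "Default rule"
    r"(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<username>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)$"
)


def parse_line(line):
    """Return a dict of named fields, or None if the line is not a record (e.g. the header)."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every record line in a block of log text, skipping header and blank lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def denied_anonymous_by_host(records):
    """Group denied anonymous requests by destination host, in log order.

    For each host: how many requests were denied, which client IPs made them,
    and the destination host of the most recent authenticated request from the
    same client. That last field is a heuristic (the log carries no Referer):
    the page the user loaded just before the anonymous fetches is the likely
    parent, which is the pattern the question describes.
    """
    last_auth_host = {}   # client_ip -> dest_host of that client's last authenticated hit
    summary = OrderedDict()
    for r in records:
        if r["authenticated"] == "Yes":
            last_auth_host[r["client_ip"]] = r["dest_host"]
            continue
        if r["action"] != "Denied Connection" or r["username"] != "anonymous":
            continue
        entry = summary.setdefault(
            r["dest_host"], {"count": 0, "clients": set(), "likely_parent": None}
        )
        entry["count"] += 1
        entry["clients"].add(r["client_ip"])
        entry["likely_parent"] = last_auth_host.get(r["client_ip"])
    return summary


def suggested_allow_hosts(summary):
    """Hosts to put in a domain-name set for a narrowly scoped anonymous allow rule.

    One entry per denied host (here only images.sportsline.com) rather than a
    wildcard like *.sportsline.com, so the authenticated rule and its per-user
    logging stay in effect for the page itself (www.sportsline.com).
    """
    return sorted(summary)


# Input taken from the question's log snippet: the header plus five records.
SAMPLE_LOG = r"""
Authenticated Client Service Server Name Destination Host Name Transport HTTP Status Code Destination IP Destination Port Protocol Action Rule Client IP Client Username HTTP Method URL
Yes Proxy ISA-HQ www.sportsline.com TCP 200 OK 64.30.236.34 80 http Allowed Connection Allow all out 192.168.0.8 xxx\Administrator GET http://www.sportsline.com/
No Proxy ISA-HQ images.sportsline.com TCP 12202 The ISA Server denied the specified Uniform Resource Locator (URL). 192.168.0.10 8080 http Denied Connection Default rule 192.168.0.8 anonymous GET http://images.sportsline.com/css/mccfavorites.css
Yes Proxy ISA-HQ www.sportsline.com TCP 200 OK 64.30.236.34 80 http Allowed Connection Allow all out 192.168.0.8 xxx\Administrator GET http://www.sportsline.com/data/community/remote-profile/mcc-top-members?as=json&callback=CBSi_renderMember
No Proxy ISA-HQ images.sportsline.com TCP 12202 The ISA Server denied the specified Uniform Resource Locator (URL). 192.168.0.10 8080 http Denied Connection Default rule 192.168.0.8 anonymous GET http://images.sportsline.com/images/cbss/ui2/h_btn.gif
No Proxy ISA-HQ images.sportsline.com TCP 12202 The ISA Server denied the specified Uniform Resource Locator (URL). 192.168.0.10 8080 http Denied Connection Default rule 192.168.0.8 anonymous GET http://images.sportsline.com/images/cbss/ui2/f_btn.gif
"""

if __name__ == "__main__":
    summary = denied_anonymous_by_host(parse_log(SAMPLE_LOG))
    for host, info in summary.items():
        print(f"{host}: {info['count']} denied anonymous request(s) from "
              f"{sorted(info['clients'])}, likely parent page host: {info['likely_parent']}")
    print("candidate hosts for an anonymous allow rule:", suggested_allow_hosts(summary))
```

Running it on the snippet reports images.sportsline.com with three denials from 192.168.0.8 and www.sportsline.com as the likely parent, which is the information needed to scope the anonymous allow rule to the asset host only and keep authenticated, per-user logging for the page itself.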
ASKER
Thanks!