ivugrinec (Croatia) asked:
How to configure ISA 2006 so domain workstations are able to connect with the Microsoft Firewall Client

I have a Windows domain network with several Windows 2003 servers (AD, Exchange, ISA 2006), with locations routing traffic through ISA.
Currently all my clients are SecureNAT clients, and I have rules set up and all applications (HTTP, mail, torrent...) work OK.
I have several "test" workstations that have the Microsoft Firewall Client for ISA Server. All computers are set up as Web proxy clients (IE7 has the "automatically detect settings" option turned on, and there is a WPAD entry in DNS). On these workstations I have problems using torrents and some applications (FlashGet...).

The first thing I need is to have usernames (not IP addresses) in the ISA 2006 logs.
OK, I understand that SecureNAT clients are not able to authenticate.

Is it possible to use Web proxy clients on domain workstations to automatically authenticate to ISA and have authenticated usernames in the logs? I tried turning on the option "require all users to authenticate" with "integrated" authentication, but then a nagging "enter username and password" screen pops up on every client. I expected that Web proxy clients would use NTLM credentials or something else to authenticate to ISA and then have usernames in the logs.

The third option is to deploy the ISA Firewall Client to all workstations, but then I have a lot of "not working" connections (SSH, torrent, FlashGet). If I disable the Firewall Client all those "not working" connections start working again, so I think the "allow" rules just don't work with Firewall Client connections.

So, the main question is: why do domain workstations that have the Firewall Client installed have problems with connections?
What rule should I create to allow all Firewall Client computers to access internet resources without any restrictions?

Hisham_Elkouha (United Kingdom) answered:

Create this access rule:

Allow - Internal to External - All protocols - for All Authenticated Users.

The user set should be All Authenticated Users if you want to see the usernames in the ISA log files.
You shouldn't need to enable "require all users to authenticate" with "integrated" authentication.

Instead make sure your firewall rules are set to allow for "All Authenticated Users" and not "All Users". Rules that allow "All Users" do not request the client to authenticate and you will get blank usernames in your logs. Make the rules allow for "All Authenticated Users" or another specific group of users, and ISA will automatically make sure the clients authenticate.
ivugrinec (asker):
OK, I have tried to set up:

rule #21: Allow - Internal to External - All protocols - for All Authenticated Users.
rule #22: Allow - Internal to External - All protocols - for All Users
last default rule.

But now all my SecureNAT clients are getting an explicit DENIED CONNECTION for all outbound traffic (e.g. DNS) on rule #21!

Original Client IP      192.168.100.101
Server Name      SRV055
Source Port      2957
Result Code      0x800733f5 WSA_RWS_ERROR_ACCESS_DENIED
Log Record Type      Firewall
Client IP      192.168.100.101
Destination IP      213.147.96.4
Destination Port      53
Protocol      DNS
Action      Denied Connection
Rule      Unrestricted Outbound for authorized users
Source Network      Internal
Destination Network      External
Hi, your clients should be using your internal DNS server for DNS. Try setting your clients' DNS server to your internal DNS server, i.e. go to the TCP/IP properties of your NIC and set DNS to the IP address of your internal DNS server, or make the setting in DHCP.
Well, my clients indeed use the internal DNS server, but that is not the problem. Denied DNS is just an example of denied connections. Following the advice in the previous posts, if I set up my firewall rules like this:

rule #21: Allow - Internal to External - All protocols - for All Authenticated Users.
rule #22: Allow - Internal to External - All protocols - for All Users
last default rule.

all my SecureNAT clients are getting an explicit DENIED CONNECTION for all outbound traffic on rule 21!

Note that my original question is how to enable absolutely all traffic for SecureNAT clients and Firewall Clients (and still, if possible, have usernames in the logs for Web proxy and Firewall Clients).
Are "anonymous" web proxy clients authenticated?
Your original question was how to enable all traffic for Firewall Client, not SecureNAT.

Rule 21 will block SecureNAT clients as the rule requires authentication. As you rightly said in your question, SecureNAT clients don't authenticate.

Regarding DNS, your clients shouldn't be making DNS requests themselves, that's the reason I questioned it.

Not sure what you mean by 'Anonymous web proxy clients'?  As long as you have your internal network web proxy settings to include integrated authentication (and don't require all users to authenticate) your web proxy clients will automatically authenticate when they hit a rule that requires authentication (i.e. a rule that doesn't use 'all users').

Eric, thanks for the explanations. So, any recommendation on how to have Web proxy users authenticate ("to have usernames in logs") while enabling all traffic for SecureNAT and Firewall Clients?
Are "anonymous" web proxy clients authenticated?
If I edit the log filtering to include:
"Authenticated user - equals - yes"

I get "anonymous" client username entries in the filtered results. That would mean that ISA considers "anonymous" users as authenticated, or is it just the ONLY FIRST request?
ASKER CERTIFIED SOLUTION
EricTViking (United Kingdom)
So, Eric, you are absolutely right.
According to this article:

http://www.isaserver.org/articles/isa2004_accessrules.html
Furthermore, you should be aware of two interesting situations regarding user authentication:
If the rule applies to the All Users user set, ISA Server will not request user credentials. However, the Firewall client will always send credentials to the ISA Server. You'll see this in effect in the MMC in the session and logging tab when a user name has a question mark (?) next to it. This means in fact that user credentials are presented but that they are not validated.
When you configure access rules that apply to users and the user can not authenticate themselves for any reason, then the request will be !!!!   denied by the rule requiring authentication, even if it is an allow rule.  !!!! This situation can arise if you forget to enable at least one authentication mechanism on the Web Proxy listener. By the same token, ISA server will deny any request from a SecureNAT client, not being a VPN client at that moment, when hitting a rule requiring user authentication.
....
A very important conclusion for this topic is that if ISA Server is unable to authenticate the user for whatever reason, that means that no credentials at all are presented to the ISA Server, then any request from that user will be denied by the first rule requiring user authentication, regardless if it is an allow or a deny rule. In fact, this situation is the first case that an allow rule actually will deny a request. Needless to say that this behaviour can be a little bit confusing at first sight.

Regarding your suggestion, it is almost impossible for me to set up that kind of network because I have 16 different locations with 16 different subnets with complex routing behavior, and ISA set up in one central location.
I also have a mixed environment of Linux and Windows workstations, and also a set of different WiFi-enabled devices (iPhones, PDAs...).

If you think of any other idea
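The rule-ordering behaviour that both Eric's reply and the quoted isaserver.org passage describe (a rule for All Authenticated Users denies a client that cannot present validated credentials, even when it is an Allow rule; an All Users rule never asks for credentials, and a Firewall Client's credentials are then shown but not validated) can be modelled in a few lines. The following is an added illustration written for this page, not ISA Server code or anything from the thread: the Rule, Client and LogRecord types, the client names, the user "DOMAIN\alice" and the "(?)" rendering of an unvalidated username are all assumptions, and the model assumes every rule matches the traffic (Internal to External, all protocols) as in the asker's setup. It also parses the denied-connection log record the asker pasted, reproduced here as a constructed sample.

```python
"""Toy model of ISA 2006 access-rule evaluation for SecureNAT, Firewall Client and
Web proxy clients. Added example; names and rendering details are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    order: int
    name: str
    action: str   # "Allow" or "Deny"
    users: str    # "All Users" or a user set such as "All Authenticated Users"


@dataclass
class Client:
    ip: str
    kind: str                       # "SecureNAT", "Firewall" or "WebProxy"
    username: Optional[str] = None  # credentials the client could present
    listener_auth: bool = True      # Web listener has at least one auth method


@dataclass
class LogRecord:
    client_ip: str
    action: str
    rule: str
    username: str


def can_validate(client: Client) -> bool:
    """Can ISA validate this client's credentials? SecureNAT never presents any;
    a Web proxy client cannot if the listener has no authentication method."""
    if client.kind == "SecureNAT":
        return False
    if client.kind == "WebProxy" and not client.listener_auth:
        return False
    return client.username is not None


def evaluate(rules: List[Rule], client: Client) -> LogRecord:
    """Walk rules in order; the first matching rule decides (all rules match here)."""
    for rule in sorted(rules, key=lambda r: r.order):
        action = "Allowed Connection" if rule.action == "Allow" else "Denied Connection"
        if rule.users == "All Users":
            # No credential request. A Firewall Client still sends credentials,
            # so the name is logged but marked as not validated (assumed "(?)").
            shown = f"{client.username} (?)" if client.kind == "Firewall" and client.username else ""
            return LogRecord(client.ip, action, rule.name, shown)
        if not can_validate(client):
            # First rule requiring authentication denies, even if it is an Allow rule.
            return LogRecord(client.ip, "Denied Connection", rule.name, "")
        return LogRecord(client.ip, action, rule.name, client.username or "")
    return LogRecord(client.ip, "Denied Connection", "Default rule", "")


# The asker's ordering: authenticated-users rule first, then All Users.
THREAD_RULES = [
    Rule(21, "Unrestricted Outbound for authorized users", "Allow", "All Authenticated Users"),
    Rule(22, "Unrestricted Outbound for all users", "Allow", "All Users"),
]
# Swapped ordering: everyone gets out, but no username is ever validated.
SWAPPED_RULES = [Rule(21, "Unrestricted Outbound for all users", "Allow", "All Users"),
                 Rule(22, "Unrestricted Outbound for authorized users", "Allow", "All Authenticated Users")]

SECURENAT = Client("192.168.100.101", "SecureNAT")
FIREWALL = Client("192.168.100.102", "Firewall", username="DOMAIN\\alice")   # constructed
WEBPROXY = Client("192.168.100.103", "WebProxy", username="DOMAIN\\alice")   # constructed

# Constructed copy of the record pasted in the thread (key and value separated by runs of spaces).
SAMPLE_LOG_RECORD = """\
Original Client IP      192.168.100.101
Server Name      SRV055
Source Port      2957
Result Code      0x800733f5 WSA_RWS_ERROR_ACCESS_DENIED
Log Record Type      Firewall
Client IP      192.168.100.101
Destination IP      213.147.96.4
Destination Port      53
Protocol      DNS
Action      Denied Connection
Rule      Unrestricted Outbound for authorized users
Source Network      Internal
Destination Network      External
"""


def parse_log_record(text: str) -> Dict[str, str]:
    """Split each 'Key      Value' line on two or more spaces into a dict."""
    record: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            key, value = re.split(r"\s{2,}", line.strip(), maxsplit=1)
            record[key] = value
    return record


if __name__ == "__main__":
    for rules in (THREAD_RULES, SWAPPED_RULES):
        for client in (SECURENAT, FIREWALL, WEBPROXY):
            print(client.kind, evaluate(rules, client))
    print(parse_log_record(SAMPLE_LOG_RECORD)["Action"])
```

Running it shows the SecureNAT client denied on rule 21 with an empty username, exactly like the pasted log record, while the Firewall and Web proxy clients are allowed with their names logged; with the All Users rule first, the SecureNAT client gets out but the only name that appears is the Firewall Client's unvalidated one.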
In the end it all comes down to this:

I need to be able to print reports with usernames (where available) and still have ALL outbound traffic enabled for ALL client types.
I know of no other way of achieving this; as we have discussed, the very fact that a rule requires authentication precludes the use of SecureNAT.
Eric, thanks for helping. Yes, you are right, the very fact that a rule requires authentication precludes the use of SecureNAT. I understand that, but I am still trying to figure out a workaround. I am reading some documentation. I also asked for help from other experts but have not gathered any new ideas. Well, it looks like ISA in mixed environments has some restrictions that cannot be easily overcome. If no new ideas occur in the next few days, all points will be awarded to you.