  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1621

How to configure ISA 2006 so domain workstations are able to connect with Microsoft firewall client

I have a Windows domain network with several Windows 2003 servers (AD, Exchange, ISA 2006), an environment with locations routing traffic through ISA.
Currently all my clients are SecureNAT clients, and I have rules set up and all applications (HTTP, mail, torrent...) work OK.
I have several "test" workstations that have the Microsoft Firewall Client for ISA Server. All computers are set up as Web proxy clients (IE7 has the "automatically detect settings" option turned on and there is a WPAD entry in DNS). On these workstations I have problems using torrents and some applications (FlashGet...).

The first thing I need is to have usernames (not IP addresses) in the ISA 2006 logs.
OK, I understand that SecureNAT clients are not able to authenticate.

Is it possible to use web proxy clients on domain workstations to automatically authenticate to ISA and have authenticated usernames in the logs? I tried turning on the option "require all users to authenticate" with "integrated" authentication, but then a nagging "enter username and password" screen pops up on every client. I expected that web proxy clients would use NTLM credentials or something else to authenticate to ISA and then have usernames in the logs.

The third option is to publish the ISA Firewall Client to all workstations, but then I have a lot of "not working" connections (SSH, torrent, FlashGet). If I disable the Firewall Client all those "not working" connections start working again, so I think the "allow" rules just don't work with Firewall Client connections.

So, the main question is why domain workstations that have the Firewall Client installed have problems with connections.
What rule should I create to allow all Firewall Client computers to access Internet resources without any restrictions?
Asked by: ivugrinec
1 Solution
 
Hisham_Elkouha commented:
Create this access rule:

Allow - Internal to External - All protocols - for All Authenticated Users.

The user set should be All Authenticated Users if you want to see the usernames in the ISA log files.
 
EricTViking commented:
You shouldn't need to enable "require all users to authenticate" with "integrated" authentication.

Instead make sure your firewall rules are set to allow for "All Authenticated Users" and not "All Users". Rules that allow "All Users" do not request the client to authenticate and you will get blank usernames in your logs. Make the rules allow for "All Authenticated Users" or another specific group of users, and ISA will automatically make sure the clients authenticate.
 
ivugrinec (Author) commented:
OK, I have tried to set up:

rule #21: Allow - Internal to External - All protocols - for All authenticated users.
rule #22: Allow - Internal to External - All protocols - for All users
last default rule.

but now all my SecureNAT clients are getting an explicit DENIED CONNECTION for all outbound traffic (i.e. DNS).
 
ivugrinec (Author) commented:
OK, I have tried to set up:

rule #21: Allow - Internal to External - All protocols - for All authenticated users.
rule #22: Allow - Internal to External - All protocols - for All users
last default rule.

but now all my SecureNAT clients are getting an explicit DENIED CONNECTION for all outbound traffic (i.e. DNS) on rule #21!

Original Client IP      192.168.100.101
Server Name      SRV055
Source Port      2957
Result Code      0x800733f5 WSA_RWS_ERROR_ACCESS_DENIED
Log Record Type      Firewall
Client IP      192.168.100.101
Destination IP      213.147.96.4
Destination Port      53
Protocol      DNS
Action      Denied Connection
Rule      Unrestricted Outbound for authorized users
Source Network      Internal
Destination Network      External
 
EricTViking commented:
Hi, your clients should be using your internal DNS server for DNS. Try setting your clients' DNS server to your internal DNS server, i.e. go to the TCP/IP properties of your NIC and set DNS to the IP address of your internal DNS server, or make the setting in DHCP.
 
ivugrinec (Author) commented:
Well, my clients indeed use the internal DNS server, but that is not the problem. Denied DNS is just an example of the denied connections. Following the advice in the previous posts, if I set up my firewall rules like this:

rule #21: Allow - Internal to External - All protocols - for All authenticated users.
rule #22: Allow - Internal to External - All protocols - for All users
last default rule.

all my SecureNAT clients are getting an explicit DENIED CONNECTION for all outbound traffic on rule #21!

Note that my original question is how to enable absolutely all traffic for SecureNAT clients and Firewall Clients (and still, if possible, have usernames in the logs for web proxy and Firewall Clients).
 
ivugrinec (Author) commented:
Are "anonymous" web proxy clients authenticated?
 
EricTViking commented:
Your original question was how to enable all traffic for the Firewall Client, not SecureNAT.

Rule 21 will block SecureNAT clients as the rule requires authentication. As you rightly said in your question, SecureNAT clients don't authenticate.

Regarding DNS, your clients shouldn't be making DNS requests themselves; that's the reason I questioned it.

Not sure what you mean by "anonymous web proxy clients"? As long as your internal network web proxy settings include integrated authentication (and you don't require all users to authenticate), your web proxy clients will automatically authenticate when they hit a rule that requires authentication (i.e. a rule that doesn't use "All Users").
 
ivugrinec (Author) commented:
Eric, thanks for the explanations. So, any recommendation on how to have web proxy users authenticate ("to have usernames in logs") while enabling all traffic for SecureNAT and Firewall Clients?
 
ivugrinec (Author) commented:
Are "anonymous" web proxy clients authenticated?
If I edit the log filtering to include:
"Authenticated user - equals - yes"

I get "anonymous" client username entries in the filtered results. That would mean that ISA considers "anonymous" users as authenticated, or is it just the FIRST request only?
 
EricTViking commented:
No problem! The only way I think you can achieve this is to keep rule #21; this will make your web proxy and firewall clients authenticate so that you can see their names in the logs.

Then create a rule *above* this, i.e. #20, that allows all outbound traffic from a computer set to External for All Users. The computer set would need to contain all your SecureNAT computers. That way the SecureNAT clients would match rule #20 and all others would hit rule #21 and be authenticated.

It's a bit of a kludge, but if you can get your SecureNAT clients into a pre-defined address range it would work.

The only other way I can think of is to add another NIC to your ISA server and create another internal network, "SecureNAT Network", for your SecureNAT clients. This network could have an Allow all traffic from "SecureNAT Network" to External for All Users rule; then make the IP address of the new NIC the default gateway for the SecureNAT clients. Then refer your web proxy and firewall clients to the original internal network where they can be authenticated. It would need a bit of thought and debugging, but ought to work.

AFAIK anonymous clients are not authenticated; not sure why they show in logging when "Authenticated user - equals - yes"?
 
ivugrinec (Author) commented:
So, Eric, you are absolutely right.
According to this article:

http://www.isaserver.org/articles/isa2004_accessrules.html
Furthermore, you should be aware of two interesting situations regarding user authentication:
If the rule applies to the All Users user set, ISA Server will not request user credentials. However, the Firewall client will always send credentials to the ISA Server. You'll see this in effect in the MMC in the session and logging tab when a user name has a question mark (?) next to it. This means in fact that user credentials are presented but that they are not validated.
When you configure access rules that apply to users and the user cannot authenticate themselves for any reason, then the request will be !!!! denied by the rule requiring authentication, even if it is an allow rule. !!!! This situation can arise if you forget to enable at least one authentication mechanism on the Web Proxy listener. By the same token, ISA Server will deny any request from a SecureNAT client, not being a VPN client at that moment, when hitting a rule requiring user authentication.
....
A very important conclusion for this topic is that if ISA Server is unable to authenticate the user for whatever reason, that means that no credentials at all are presented to the ISA Server, then any request from that user will be denied by the first rule requiring user authentication, regardless of whether it is an allow or a deny rule. In fact, this situation is the first case that an allow rule actually will deny a request. Needless to say, this behaviour can be a little bit confusing at first sight.
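The first-match behaviour quoted above, together with Eric's rule #20 computer-set workaround, modelled as an added example (not ISA code and not from the thread): the client objects, the user DOMAIN\alice and every rule name except the logged "Unrestricted Outbound for authorized users" are constructed for the demonstration.

```python
"""First-match evaluation of ISA 2006 access rules as the thread describes it:
a rule whose user set is not "All Users" requires credentials, and a client that
can present none (SecureNAT) is denied by that rule even when it is an Allow rule.
Added example modelling that behaviour; it is not ISA code."""

from dataclasses import dataclass
from typing import Optional

@dataclass
class Client:
    ip: str
    kind: str             # "securenat", "webproxy" or "firewall"
    user: Optional[str]   # credentials the client can present; None for SecureNAT

@dataclass
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    users: str                             # "All Users" or "All Authenticated Users"
    computers: Optional[frozenset] = None  # computer set of source IPs; None = whole Internal network

def evaluate(rules, client):
    """Return (action, matched_rule, logged_user) for the first rule that applies."""
    for rule in rules:
        if rule.computers is not None and client.ip not in rule.computers:
            continue
        if rule.users == "All Users":
            # No credentials requested. A Firewall Client still sends them, unvalidated (logged with '?').
            logged = f"{client.user}?" if client.kind == "firewall" and client.user else ""
            return rule.action, rule.name, logged
        if client.user is None:
            # Rule requires authentication and none is available: denied here,
            # whatever the rule's action (the case where an Allow rule denies).
            return "deny", rule.name, ""
        return rule.action, rule.name, client.user
    return "deny", "Default rule", ""

# The thread's rule set (#21 carries the rule name from the denied DNS log record).
BROKEN = [
    Rule("#21 Unrestricted Outbound for authorized users", "allow", "All Authenticated Users"),
    Rule("#22 Unrestricted Outbound for all users", "allow", "All Users"),
]
# Eric's workaround: a constructed computer set of SecureNAT addresses in a rule placed above #21.
SECURENAT_SET = frozenset({"192.168.100.101"})
WORKAROUND = [Rule("#20 SecureNAT computer set outbound", "allow", "All Users", SECURENAT_SET)] + BROKEN

if __name__ == "__main__":
    nat = Client("192.168.100.101", "securenat", None)  # the client from the log record
    print(evaluate(BROKEN, nat), evaluate(WORKAROUND, nat))
```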
 
ivugrinec (Author) commented:
Regarding your suggestion, it is almost impossible for me to set up that kind of network because I have 16 different locations with 16 different subnets with complex routing behavior and ISA set up at one central location.
I also have a mixed environment of Linux and Windows workstations, and also a set of different WiFi-enabled devices (iPhones, PDAs...).

If you think of any other idea
In the end it all comes to this:

I need to be able to print reports with usernames (where available) and still have ALL outbound traffic enabled for ALL client types.
 
EricTViking commented:
I know of no other way of achieving this; as we have discussed, the very fact that a rule requires authentication precludes the use of SecureNAT.
 
ivugrinec (Author) commented:
Eric, thanks for helping. Yes, you are right, the very fact that a rule requires authentication precludes the use of SecureNAT. I understand that, but I am still trying to figure out a workaround solution. I am reading some documentation. I also asked for help from other experts but I have not gathered any new ideas. Well, it looks like ISA in mixed environments has some restrictions that cannot be easily overcome. If no new ideas occur in the next few days, all points will be awarded to you.