Solved

How to configure ISA 2006 so domain workstations are able to connect with Microsoft firewall client

Posted on 2008-10-04
Last Modified: 2008-11-17
I have a Windows domain network with several Windows 2003 servers (AD, Exchange, ISA 2006) and locations routing traffic through ISA.
Currently all my clients are SecureNAT clients, and I have rules set up and all applications (http, mail, torrent...) work OK.
I have several "test" workstations that have the Microsoft Firewall Client for ISA Server. All computers are set up as Web proxy clients (IE7 has the "automatically detect settings" option turned on and there is a WPAD entry in DNS). On these workstations I have problems using torrents and some applications (FlashGet...).

The first thing I need is to have usernames (not IP addresses) in the ISA 2006 logs.
OK, I understand that SecureNAT clients are not able to authenticate.

Is it possible to use web proxy clients on domain workstations to automatically authenticate to ISA and have authenticated usernames in the logs? I tried turning on the option "require all users to authenticate" with "integrated" authentication, but then a nagging "enter username and password" screen pops up on every client. I expected that web proxy clients would use NTLM credentials or something else to authenticate to ISA and then have usernames in the logs.

The third option is to publish the ISA Firewall Client to all workstations, but then I have a lot of "not working" connections (SSH, torrent, FlashGet). If I disable the Firewall Client all those "not working" connections start working again, so I think the "allow" rules just don't work with Firewall Client connections.

So, the main question is why domain workstations that have the Firewall Client installed have problems with connections.
What rule should I create to allow all Firewall Client computers to access internet resources without any restrictions?
Question by:ivugrinec
 
LVL 6

Expert Comment

by:Hisham_Elkouha
ID: 22640826
Create this access rule:

Allow - Internal to External - All protocols - for All Authenticated Users.

The user set should be All Authenticated Users if you want to see the usernames in the ISA log files.
 
LVL 11

Expert Comment

by:EricTViking
ID: 22642371
You shouldn't need to enable "require all users to authenticate" with "integrated" authentication.

Instead make sure your firewall rules are set to allow for "All Authenticated Users" and not "All Users". Rules that allow "All Users" do not request the client to authenticate and you will get blank usernames in your logs. Make the rules allow for "All Authenticated Users" or another specific group of users, and ISA will automatically make sure the clients authenticate.
 

Author Comment

by:ivugrinec
ID: 22643597
OK, I have tried to set up:

rule #21: Allow - Internal to External - All protocols - for All authenticated users.
rule #22: Allow - Internal to External - All protocols - for All users
last default rule.

but now all my SecureNAT clients are getting an explicit DENIED CONNECTION for all outbound traffic (i.e. DNS).
 

Author Comment

by:ivugrinec
ID: 22643601
OK, I have tried to set up:

rule #21: Allow - Internal to External - All protocols - for All authenticated users.
rule #22: Allow - Internal to External - All protocols - for All users
last default rule.

but now all my SecureNAT clients are getting an explicit DENIED CONNECTION for all outbound traffic (i.e. DNS) on rule #21!

Original Client IP      192.168.100.101
Server Name      SRV055
Source Port      2957
Result Code      0x800733f5 WSA_RWS_ERROR_ACCESS_DENIED
Log Record Type      Firewall
Client IP      192.168.100.101
Destination IP      213.147.96.4
Destination Port      53
Protocol      DNS
Action      Denied Connection
Rule      Unrestricted Outbound for authorized users
Source Network      Internal
Destination Network      External
 
LVL 11

Expert Comment

by:EricTViking
ID: 22643826
Hi, your clients should be using your internal DNS server for DNS. Try setting your clients' DNS server to your internal DNS server, i.e. go to the TCP/IP properties of your NIC and set DNS to the IP address of your internal DNS server, or make the setting in DHCP.
 

Author Comment

by:ivugrinec
ID: 22644515
Well, my clients indeed use the internal DNS server, but that is not the problem. Denied DNS is just an example of denied connections. Following the advice in the previous posts, if I set up my firewall rules like this:

rule #21: Allow - Internal to External - All protocols - for All authenticated users.
rule #22: Allow - Internal to External - All protocols - for All users
last default rule.

all my SecureNAT clients are getting an explicit DENIED CONNECTION for all outbound traffic on rule 21!

Note that my original question is how to enable absolutely all traffic for SecureNAT clients and Firewall clients (and still, if possible, have the username in the logs for web proxy and firewall clients).
 

Author Comment

by:ivugrinec
ID: 22644525
Are "anonymous" web proxy clients authenticated?
 
LVL 11

Expert Comment

by:EricTViking
ID: 22645740
Your original question was how to enable all traffic for Firewall Client, not SecureNAT.

Rule 21 will block SecureNAT clients as the rule requires authentication. As you rightly said in your question, SecureNAT clients don't authenticate.

Regarding DNS, your clients shouldn't be making DNS requests themselves, that's the reason I questioned it.

Not sure what you mean by 'anonymous web proxy clients'? As long as you have your internal network web proxy settings set to include integrated authentication (and don't require all users to authenticate), your web proxy clients will automatically authenticate when they hit a rule that requires authentication (i.e. a rule that doesn't use 'all users').
 

Author Comment

by:ivugrinec
ID: 22645961
Eric, thanks for the explanations. So, any recommendation on how to have web proxy users authenticate ("to have usernames in logs") while enabling all traffic for SecureNAT and Firewall clients?
 

Author Comment

by:ivugrinec
ID: 22646001
Are "anonymous" web proxy clients authenticated?
If I edit the log filtering to include:
"Authenticated user - equals - yes"

I get "anonymous" client username entries in the filtered results. That would mean that ISA considers "anonymous" users as authenticated, or is it just the FIRST request ONLY?
 
LVL 11

Accepted Solution

by:EricTViking (earned 500 total points)
ID: 22646185
No problem! The only way I think you can achieve this is to keep rule #21 - this will make your web proxy and firewall clients authenticate so that you can see their names in the logs.

Then create a rule *above* this, i.e. #20, that allows all outbound traffic from a computer set to External for all users. The computer set would need to contain all your SecureNAT computers. That way the SecureNAT clients would match rule #20 and all others would hit rule #21 and be authenticated.

It's a bit of a kludge, but if you can get your SecureNAT clients into a pre-defined address range it would work.

The only other way I can think of is to add another NIC to your ISA server and create another internal network, "SecureNAT Network", for your SecureNAT clients. This network could have an "Allow all traffic from SecureNAT Network to External for all users" rule; then make the IP address of the new NIC the default gateway for your SecureNAT clients. Then refer your web proxy and firewall clients to the original internal network, where they can be authenticated. It would need a bit of thought and debugging but ought to work.

AFAIK anonymous clients are not authenticated - not sure why they show in logging when "Authenticated user - equals - yes"?
 

Author Comment

by:ivugrinec
ID: 22647537
So, Eric, you are absolutely right.
According to this article:

http://www.isaserver.org/articles/isa2004_accessrules.html
Furthermore, you should be aware of two interesting situations regarding user authentication:
If the rule applies to the All Users user set, ISA Server will not request user credentials. However, the Firewall client will always send credentials to the ISA Server. You'll see this in effect in the MMC in the session and logging tab when a user name has a question mark (?) next to it. This means in fact that user credentials are presented but that they are not validated.
When you configure access rules that apply to users and the user can not authenticate themselves for any reason, then the request will be !!!!   denied by the rule requiring authentication, even if it is an allow rule.  !!!! This situation can arise if you forget to enable at least one authentication mechanism on the Web Proxy listener. By the same token, ISA server will deny any request from a SecureNAT client, not being a VPN client at that moment, when hitting a rule requiring user authentication.
....
A very important conclusion for this topic is that if ISA Server is unable to authenticate the user for whatever reason, that means that no credentials at all are presented to the ISA Server, then any request from that user will be denied by the first rule requiring user authentication, regardless if it is an allow or a deny rule. In fact, this situation is the first case that an allow rule actually will deny a request. Needless to say that this behaviour can be a little bit confusing at first sight.

 
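As an added illustration (not code from the thread, from ISA Server or from the isaserver.org article), this small Python model of ISA's first-match rule evaluation reproduces the behaviour quoted above and the rule ordering from the accepted answer: an allow rule limited to All Authenticated Users denies a client that presents no credentials, and placing a computer-set rule for the SecureNAT addresses above it lets those clients through. The rule names, the 192.168.100.0/24 computer-set range and the firewall-client address and username are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Client:
    ip: str
    user: Optional[str] = None  # credentials the client presents; None for SecureNAT


@dataclass
class Rule:
    name: str
    action: str        # "allow" or "deny"
    user_set: str      # "all_users" or "all_authenticated_users"
    computer_set: list = field(default_factory=list)  # CIDR strings; empty = any source


def in_computer_set(rule: Rule, client: Client) -> bool:
    if not rule.computer_set:
        return True
    addr = ip_address(client.ip)
    return any(addr in ip_network(cidr) for cidr in rule.computer_set)


def evaluate(rules: list, client: Client):
    """First-match evaluation. A rule restricted to All Authenticated Users denies a
    client that presents no credentials even when it is an allow rule, which is what
    happened to the SecureNAT clients on rule #21. Returns (result, rule, logged_user)."""
    for rule in rules:
        if not in_computer_set(rule, client):
            continue
        if rule.user_set == "all_authenticated_users":
            if client.user is None:
                return ("denied", rule.name, None)        # allow rule still denies
            return (rule.action, rule.name, client.user)  # validated name reaches the log
        # All Users: credentials are not requested. A firewall client still sends them,
        # logged with a trailing "?" (presented, not validated); SecureNAT logs as anonymous.
        logged = client.user + "?" if client.user else "anonymous"
        return (rule.action, rule.name, logged)
    return ("denied", "Default rule", None)


# Rule order that denied the SecureNAT clients: #21 authenticated, #22 all users, default.
ORIGINAL = [
    Rule("#21 Unrestricted Outbound for authorized users", "allow", "all_authenticated_users"),
    Rule("#22 Unrestricted Outbound for all users", "allow", "all_users"),
]
# Accepted answer: rule #20 for a computer set holding the SecureNAT addresses (constructed range).
FIXED = [Rule("#20 SecureNAT computers", "allow", "all_users", ["192.168.100.0/24"])] + ORIGINAL

SECURENAT = Client("192.168.100.101")                         # IP taken from the log excerpt
FIREWALL_CLIENT = Client("192.168.5.20", user="DOMAIN\\alice")  # constructed
```

Running `evaluate(ORIGINAL, SECURENAT)` reproduces the "Denied Connection" on rule #21 from the log excerpt, while `evaluate(FIXED, SECURENAT)` is allowed by #20 and the firewall client still lands on #21 with its username logged.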

Author Comment

by:ivugrinec
ID: 22647955
Regarding your suggestion, it is almost impossible for me to set up that kind of network because I have 16 different locations with 16 different subnets with complex routing behavior, and ISA is set up in one central location.
I also have a mixed environment of Linux and Windows workstations, and also a set of different WiFi-enabled devices (iPhones, PDAs...).

If you think of any other idea
In the end it all comes down to this:

I need to be able to print reports with usernames (where available) and still have ALL outbound traffic enabled for ALL client types.
 
LVL 11

Expert Comment

by:EricTViking
ID: 22648114
I know of no other way of achieving this - as we have discussed, the very fact that a rule requires authentication precludes the use of SecureNAT.
 

Author Comment

by:ivugrinec
ID: 22681648
Eric, thanks for helping. Yes, you are right: the very fact that a rule requires authentication precludes the use of SecureNAT. I understand that, but I am still trying to figure out a workaround solution. I am reading some documentation. I also asked for help from other experts, but I have not gathered any new ideas. Well, it looks like ISA in mixed environments has some restrictions that cannot be easily overcome. If no new ideas occur in the next few days, all points will be awarded to you.