ISA Authentication and Logging

Posted on 2008-10-16
Last Modified: 2008-11-17
Hi, I've set a 2006 ISA server up on the internal network on a single NIC to act as a proxy server for our users.

Everything is working OK. What I want to understand is the best way to set up the authentication of my users. At the moment my Web Access rule allows "all authenticated users"; this is great, as it logs all of the user activity based on their domain username.

We have external clients arriving in the office who need internet access. I also want these to go through the proxy server. These users are not going to be members of the domain. If I add "all users" into my Web Access rule, it removes all the domain logging for my domain users and just logs it as anonymous.

What's the best way to have all the logging enabled for my domain users but still provide logged internet access for non-domain users?

Many thanks....

Jim
Question by: jfreckeltom

Accepted Solution

by: EricTViking (earned 125 total points)
ID: 22729237
The problem you have is that the anonymous "all users" rule will take precedence over the "authenticated users" rule. Having both means that no one will ever authenticate, not even domain users.

AFAIK there is no way around this: you either run with authentication or without it.

You could create a guest domain account though, and have guest users use those credentials to authenticate to your proxy?
Author Comment

by: jfreckeltom
ID: 22729419
Hi Eric,

Thanks for your help. With the guest domain account what would be the best way of setting this up, so the account has no access to anything on the domain apart from web access?

Would setting up a local user account on the ISA server work, or is that a bad idea?

Jim.
Expert Comment

by: JimsZ
ID: 22729951
For best practices, I would get a form to be filed by anyone with a "guest" coming on site to create a new temporary account per person. Set each account to expire in xx amount of days (however many is needed).

Just create an account for any new user that comes on site. If you need to, you can give someone (the manager bringing on-site people) a script to create a temporary account.

Also, for any shares available, etc., you will need to "DENY" these guest accounts access, as they will be able to read most of them.

We actually have anyone bringing in a guest file a form stating how long they will be on site, whether they need network access, etc. We just add the users to a "DENY" group which denies access to every share on our network; they are only allowed access through IAS to the internet that way. (Routers force you to authenticate through RADIUS at our site to be allowed any network access.)

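The "script to create a temporary account" suggested above, written as an added example that is not from the thread or any of its participants: it creates a guest account with an automatic expiry date, records the sponsor, puts the account in the share-deny group, and removes guests once they have expired. It assumes the RSAT ActiveDirectory module; the OU `OU=Guests,DC=example,DC=com` and the group `Guest-Deny` are placeholder names.

```powershell
# Added example (not from the thread): time-limited guest accounts for proxy access.
# Assumes the RSAT ActiveDirectory module; OU and group names below are placeholders.
Import-Module ActiveDirectory

$GuestOU   = 'OU=Guests,DC=example,DC=com'   # placeholder OU that holds guest accounts
$DenyGroup = 'Guest-Deny'                    # placeholder group carrying Deny ACEs on every share

function New-GuestAccount {
    param(
        [Parameter(Mandatory)][string]$GuestName,   # e.g. guest-jsmith
        [Parameter(Mandatory)][string]$Sponsor,     # staff member bringing the visitor on site
        [int]$DaysValid = 5                         # account expires automatically after this
    )
    # Random 16-character initial password; the sponsor hands it to the visitor.
    $chars   = (48..57) + (65..90) + (97..122)
    $plain   = -join ($chars | Get-Random -Count 16 | ForEach-Object { [char]$_ })
    $secure  = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $expires = (Get-Date).Date.AddDays($DaysValid)

    New-ADUser -Name $GuestName -SamAccountName $GuestName -Path $GuestOU `
        -AccountPassword $secure -Enabled $true `
        -AccountExpirationDate $expires -CannotChangePassword $true `
        -Description "Guest sponsored by $Sponsor, expires $($expires.ToString('yyyy-MM-dd'))"

    # Membership of the deny group overrides the read access Authenticated Users get on shares.
    Add-ADGroupMember -Identity $DenyGroup -Members $GuestName

    [pscustomobject]@{ Account = $GuestName; Expires = $expires; InitialPassword = $plain }
}

function Remove-ExpiredGuests {
    # Expired accounts can no longer log on; deleting them keeps the OU and the proxy logs tidy.
    Search-ADAccount -AccountExpired -UsersOnly -SearchBase $GuestOU |
        ForEach-Object {
            Remove-ADUser -Identity $_.DistinguishedName -Confirm:$false
            Write-Verbose "Removed expired guest $($_.SamAccountName)"
        }
}

# Example usage:
# New-GuestAccount -GuestName 'guest-jsmith' -Sponsor 'A. Manager' -DaysValid 3
# Remove-ExpiredGuests -Verbose
```

The new account (or a group containing it) still has to be added to the ISA Web Access rule's allowed users, as the asker does later in the thread; the expiry date means the proxy access disappears on its own when the visit ends.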
LVL 11

Expert Comment

by: EricTViking
ID: 22729996
Another good approach is to use group policy to lock down guest accounts. You can even prevent users logging on locally or over the network via group policy.
Author Comment

by: jfreckeltom
ID: 22731311
I've set up a domain user for this purpose and I'm testing it on a non-domain PC. I've configured the proxy setting in IE and I'm prompted to enter a username and password for authentication (domain\user). If I try to log in with any user on the domain, the ISA server blocks it.

The access rule currently has "any authenticated user" and the Internet guest account in the allowed users box for the rule, which was pulled directly from AD.

Any ideas why the ISA server and my Web Access rule are rejecting the request?

Log type: Web Proxy (Forward)
Status: 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
Rule: Web Access
Source: Internal (192.168.2.155)
Destination: Internal (192.168.2.8:8080)
Request: GET http://www.google.co.uk/
Filter information: Req ID: 0ddcb723; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
Thanks...
Author Comment

by: jfreckeltom
ID: 22732661
The laptop is XP Home. I've tested it on an XP Pro machine and it seems to work OK.

I take it XP Home will be a no-no when trying to authenticate to a domain via the ISA due to the networking differences?
Expert Comment

by: EricTViking
ID: 22732705
XP Home cannot be joined to a domain, so that could explain it.