jfreckeltom

ISA Authentication and Logging

Hi, I've set a 2006 ISA server up on the internal network on a single NIC to act as a proxy server for our users.

Everything is working OK. What I want to understand is the best way to set up the authentication of my users. At the moment my Web Access rule allows "all authenticated users"; this is great as it logs all of the user activity based on their domain username.

We have external clients arriving in the office who need internet access. I also want these to go through the proxy server. These users are not going to be members of the domain. If I add "all users" into my Web access rule it removes all the domain logging for my domain users and just logs it as anonymous.

What's the best way to have all the logging enabled for my domain users but still provide logged internet access for non-domain users?

Many thanks....

Jim
ASKER CERTIFIED SOLUTION
EricTViking
jfreckeltom

ASKER

Hi Eric,

Thanks for your help. With the guest domain account what would be the best way of setting this up, so the account has no access to anything on the domain apart from web access?

Would setting up a local user account on the ISA server work, or is that a bad idea?  

Jim.
For best practices...   I would get a form to be filed by anyone with a "guest" coming on site to create a new temporary account per person.   Set each account to expire in xx amount of days (however many is needed).

Just create an account for any new user that comes on site.   If you need to you can give someone (manager bringing on-site people) a script to create a temporary account.  

Also, any shares available, etc you will need to "DENY" these guest accounts access to as they will be able to read most.  

We actually have anyone bringing in a guest file forms on how long they will be on site, whether they need network access, etc.   We just add the users to a "DENY" group which denies access to every share on our network, they are only allowed access through IAS to internet that way.  (routers force you to authenticate through radius at our site to be allowed any network access)

Another good approach is to use group policy to lock down guest accounts. You can even prevent users logging on locally or over the network via group policy.
I've set up a domain user for this purpose and I'm testing it on a non-domain PC. I've configured the proxy setting in IE and I'm prompted to enter a username and password for authentication (domain\user). If I try to log in with any user on the domain, the ISA server blocks it.

The access rule currently has "any authenticated user" and the Internet guest account in the allowed users box for the rule, which was pulled directly from AD.

Any ideas why the ISA server and my Web Access rule is rejecting the request?

Log type: Web Proxy (Forward)
Status: 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  
Rule: Web Access
Source: Internal (192.168.2.155)
Destination: Internal (192.168.2.8:8080)
Request: GET http://www.google.co.uk/ 
Filter information: Req ID: 0ddcb723; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous



Thanks...
The laptop is XP Home. I've tested it on an XP Pro machine and it seems to work OK.

I take it XP Home will be a no-no when trying to authenticate to a domain via the ISA due to the networking differences?
XP Home cannot be joined to a domain, so that could explain it.
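
The per-visitor temporary account suggested earlier in the thread (one account per guest, set to expire, placed in a "DENY" group) could be scripted as below. This is an added example, not a script from any of the posters; it assumes the ActiveDirectory PowerShell module is available, and the group name, OU path and function names are placeholders. The group membership only restricts anything once your shares actually carry a deny entry for that group.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Group, OU and function names are hypothetical placeholders.

function New-GuestProxyAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $VisitorName,  # name from the guest form
        [Parameter(Mandatory = $true)] [string] $Sponsor,      # staff member who filed the form
        [ValidateRange(1, 30)] [int] $DaysValid = 1,
        [string] $DenyGroup = 'Guest-Deny-Shares',             # placeholder group
        [string] $GuestOU   = 'OU=Guests,DC=example,DC=local'  # placeholder OU
    )

    # Stop before creating anything if the deny group is missing, so a guest
    # account can never exist without the share restriction attached.
    $group = Get-ADGroup -Identity $DenyGroup -ErrorAction Stop

    # 17 characters, inside the 20-character sAMAccountName limit.
    $sam     = 'guest-{0:yyMMdd}-{1}' -f (Get-Date), (Get-Random -Minimum 1000 -Maximum 10000)
    $expires = (Get-Date).AddDays($DaysValid)
    $secret  = Read-Host -AsSecureString -Prompt "Password for $sam"

    $newUser = @{
        Name                  = $sam
        SamAccountName        = $sam
        DisplayName           = $VisitorName
        Description           = "Guest of $Sponsor, created $(Get-Date -Format s)"
        Path                  = $GuestOU
        AccountPassword       = $secret
        AccountExpirationDate = $expires   # AD refuses logons after this time
        CannotChangePassword  = $true
        Enabled               = $true
        PassThru              = $true
    }

    if ($PSCmdlet.ShouldProcess($sam, "Create guest account expiring $expires")) {
        $user = New-ADUser @newUser
        Add-ADGroupMember -Identity $group -Members $user
        $user | Select-Object SamAccountName, @{ Name = 'Expires'; Expression = { $expires } }
    }
}

# Periodic review: list guest accounts that have already expired so they can be removed.
function Get-ExpiredGuestAccount {
    param([string] $GuestOU = 'OU=Guests,DC=example,DC=local')  # placeholder OU
    Search-ADAccount -AccountExpired -UsersOnly -SearchBase $GuestOU |
        Select-Object SamAccountName, AccountExpirationDate
}
```

Running `New-GuestProxyAccount` with `-WhatIf` shows the account that would be created without touching the directory.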