Solved

ISA Authentication and Logging

Posted on 2008-10-16
Last Modified: 2008-11-17
Hi, I've set a 2006 ISA server up on the internal network on a single NIC to act as a proxy server for our users.

Everything is working OK. What I want to understand is the best way to set up the authentication of my users. At the moment my Web Access rule allows "all authenticated users"; this is great as it logs all of the user activity based on their domain username.

We have external clients arriving in the office who need internet access. I also want these to go through the proxy server. These users are not going to be members of the domain. If I add "all users" into my Web access rule it removes all the domain logging for my domain users and just logs it as anonymous.

What's the best way to have all the logging enabled for my domain users but still provide logged internet access for non-domain users?

Many thanks....

Jim
0
Question by:jfreckeltom
7 Comments
 
LVL 11

Accepted Solution

by:
EricTViking earned 500 total points
ID: 22729237
The problem you have is that the anonymous "all users" rule will take precedence over the "authenticated users" rule. Having both means that no-one will ever authenticate - even domain users.

AFAIK there is no way around this - you either run with authentication or without it.

You could create a guest domain account though, and have guest users use those credentials to authenticate to your proxy?
0
 

Author Comment

by:jfreckeltom
ID: 22729419
Hi Eric,

Thanks for your help. With the guest domain account what would be the best way of setting this up, so the account has no access to anything on the domain apart from web access?

Would setting up a local user account on the ISA server work, or is that a bad idea?  

Jim.
0
 
LVL 6

Expert Comment

by:JimsZ
ID: 22729951
For best practices...   I would get a form to be filed by anyone with a "guest" coming on site to create a new temporary account per person.   Set each account to expire in xx amount of days (however many is needed).

Just create an account for any new user that comes on site.   If you need to you can give someone (manager bringing on-site people) a script to create a temporary account.  

Also, any shares available, etc you will need to "DENY" these guest accounts access to as they will be able to read most.  

We actually have anyone bringing in a guest file forms on how long they will be on site, whether they need network access, etc.   We just add the users to a "DENY" group which denies access to every share on our network, they are only allowed access through IAS to internet that way.  (routers force you to authenticate through radius at our site to be allowed any network access)

0
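JimsZ's suggestion above (one temporary account per visitor, set to expire after a fixed number of days and placed in a deny group), sketched as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module is installed and that the deny group already carries Deny entries on your shares; the OU path, group name and function names are hypothetical.

```powershell
Import-Module ActiveDirectory

function New-GuestProxyAccount {
    param(
        [Parameter(Mandatory = $true)][string]$VisitorName,
        [Parameter(Mandatory = $true)][string]$Sponsor,
        [ValidateRange(1, 30)][int]$DaysValid = 1,
        [string]$GuestOU   = 'OU=Guests,DC=example,DC=local',  # hypothetical OU
        [string]$DenyGroup = 'Guest-Deny-Shares'               # hypothetical group
    )

    # Unique account name per visitor, so proxy logs map to one person.
    $sam = 'guest-' + [guid]::NewGuid().ToString('N').Substring(0, 8)

    # Random password from the system CSPRNG (24 base64 characters).
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = [Convert]::ToBase64String($bytes)

    $expires = (Get-Date).AddDays($DaysValid)

    $user = New-ADUser -Name $sam -SamAccountName $sam -Path $GuestOU `
        -DisplayName $VisitorName `
        -Description "Guest of $Sponsor, expires $($expires.ToString('yyyy-MM-dd'))" `
        -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
        -AccountExpirationDate $expires `
        -CannotChangePassword $true -Enabled $true -PassThru

    # Membership in the deny group is what keeps the guest off file shares.
    Add-ADGroupMember -Identity $DenyGroup -Members $user

    # Hand these to the sponsor; the password is not stored anywhere else.
    [pscustomobject]@{
        SamAccountName = $sam
        Password       = $plain
        Expires        = $expires
        Sponsor        = $Sponsor
    }
}

function Remove-ExpiredGuestAccounts {
    param([string]$GuestOU = 'OU=Guests,DC=example,DC=local')  # hypothetical OU

    # Expired accounts can no longer authenticate; deleting them keeps the OU tidy.
    Search-ADAccount -AccountExpired -UsersOnly -SearchBase $GuestOU |
        Remove-ADUser -Confirm:$false
}

# Example call (constructed values):
# New-GuestProxyAccount -VisitorName 'A. Visitor' -Sponsor 'jsmith' -DaysValid 3
```

Running `Remove-ExpiredGuestAccounts` from a daily scheduled task removes accounts once their expiry date has passed.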

 
LVL 11

Expert Comment

by:EricTViking
ID: 22729996
Another good approach is to use group policy to lock down guest accounts. You can even prevent users logging on locally or over the network via group policy.
0
 

Author Comment

by:jfreckeltom
ID: 22731311
I've set up a domain user for this purpose and I'm testing it on a non-domain PC. I've configured the proxy setting in IE and I'm prompted to enter a Username and Password for authentication (domain\user). If I try to log in with any user on the domain the ISA server blocks it.

The access rule currently has "any authenticated user" and the Internet guest account in the allowed users box for the rule, which was pulled directly from AD.

Any ideas why the ISA server and my Web Access rule are rejecting the request?

Log type: Web Proxy (Forward)
Status: 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  
Rule: Web Access
Source: Internal (192.168.2.155)
Destination: Internal (192.168.2.8:8080)
Request: GET http://www.google.co.uk/ 
Filter information: Req ID: 0ddcb723; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous



Thanks...
0
 

Author Comment

by:jfreckeltom
ID: 22732661
The laptop is XP Home. I've tested it on an XP Pro machine and it seems to work Ok.

I take it XP Home will be a no no when trying to authenticate to a domain via the ISA due to the networking differences?
0
 
LVL 11

Expert Comment

by:EricTViking
ID: 22732705
XP Home cannot be joined to a domain, so that could explain it.
0


Question has a verified solution.
