Solved

ISA Authentication and Logging

Posted on 2008-10-16
719 Views
Last Modified: 2008-11-17
Hi, I've set a 2006 ISA server up on the internal network on a single NIC to act as a proxy server for our users.

Everything is working OK. What I want to understand is the best way to set up the authentication of my users. At the moment my Web Access rule allows "all authenticated users"; this is great as it logs all of the user activity based on their domain username.

We have external clients arriving in the office who need internet access. I also want these to go through the proxy server. These users are not going to be members of the domain. If I add "all users" into my Web access rule it removes all the domain logging for my domain users and just logs it as anonymous.

What's the best way to have all the logging enabled for my domain users but still provide logged internet access for non domain users?

Many thanks....

Jim
Question by:jfreckeltom
7 Comments
 
LVL 11

Accepted Solution

by:
EricTViking earned 125 total points
ID: 22729237
The problem you have is that the anonymous "all users" rule will take precedence over the "authenticated users" rule. Having both means that no-one will ever authenticate - even domain users.

AFAIK there is no way around this - you either run with authentication or without it.

You could create a guest domain account though, and have guest users use those credentials to authenticate to your proxy?

Author Comment

by:jfreckeltom
ID: 22729419
Hi Eric,

Thanks for your help. With the guest domain account what would be the best way of setting this up, so the account has no access to anything on the domain apart from web access?

Would setting up a local user account on the ISA server work, or is that a bad idea?  

Jim.
LVL 6

Expert Comment

by:JimsZ
ID: 22729951
For best practice, I would have a form filed by anyone bringing a "guest" on site, to create a new temporary account per person. Set each account to expire in xx days (however many are needed).

Just create an account for any new user that comes on site. If you need to, you can give someone (the manager bringing on-site people) a script to create a temporary account.

Also, you will need to "DENY" these guest accounts access to any available shares, etc., as they will be able to read most of them.

We actually have anyone bringing in a guest file forms on how long they will be on site, whether they need network access, etc. We just add the users to a "DENY" group which denies access to every share on our network; they are only allowed access to the internet through IAS that way (routers force you to authenticate through RADIUS at our site to be allowed any network access).

 
LVL 11

Expert Comment

by:EricTViking
ID: 22729996
Another good approach is to use group policy to lock down guest accounts. You can even prevent users logging on locally or over the network via group policy.
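Putting the three suggestions above together (Eric's accepted answer of a dedicated domain account for guests, JimsZ's per-visitor accounts with an expiry date and a "DENY" group, and Eric's group-policy logon restriction), here is an added example. It is not part of the original thread and is not any poster's code. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or newer, so later than the ISA 2006 era of the question), a domain corp.example, an OU named Guests and a group named Guest-Deny; all of those names are assumptions. One caveat of my own: keep the ISA server out of the scope of the deny-logon settings, because it is the machine that validates the proxy credentials against the domain with a network logon, and denying the guest group "Access this computer from the network" there would reject exactly the guests you are trying to let through.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and the
# OU / group names below; all of them are assumptions, adjust to your domain.
Import-Module ActiveDirectory

$GuestOU   = 'OU=Guests,DC=corp,DC=example'   # assumption: OU holding visitor accounts
$DenyGroup = 'Guest-Deny'                      # assumption: group every share denies

function New-ProxyGuestAccount {
    # One account per visitor, so the ISA proxy log still names a person, not "anonymous".
    param(
        [Parameter(Mandatory = $true)][string]$VisitorName,
        [Parameter(Mandatory = $true)][string]$Sponsor,   # domain user bringing the visitor
        [int]$DaysValid = 5
    )
    # sAMAccountName: letters/digits only, 'g-' prefix, at most 20 characters.
    $sam = ('g-' + ($VisitorName -replace '[^A-Za-z0-9]', '')).ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    # Random one-time password for the sponsor to hand over; never shared between visitors.
    $alphabet = [char[]]((48..57) + (65..90) + (97..122))
    $pwdPlain = -join (1..16 | ForEach-Object { Get-Random -InputObject $alphabet })
    $pwd      = ConvertTo-SecureString $pwdPlain -AsPlainText -Force

    # Hard expiry: the account stops working by itself when the visit is over.
    $expires = (Get-Date).Date.AddDays($DaysValid)

    New-ADUser -Name $VisitorName -SamAccountName $sam -Path $GuestOU `
        -AccountPassword $pwd -Enabled $true `
        -AccountExpirationDate $expires `
        -CannotChangePassword $true -PasswordNeverExpires $false `
        -Description ('Visitor; sponsor {0}; expires {1:yyyy-MM-dd}' -f $Sponsor, $expires)

    # Share ACLs carry an explicit Deny for this group, and Deny wins over Allow.
    Add-ADGroupMember -Identity $DenyGroup -Members $sam

    New-Object PSObject -Property @{ SamAccountName = $sam; Password = $pwdPlain; Expires = $expires }
}

function Set-GuestLogonDeny {
    # Local equivalent of the GPO "User Rights Assignment" settings: deny the guest group
    # interactive, remote-interactive and network logon. Apply on workstations and file
    # servers, NOT on the ISA server, which validates proxy credentials with a network logon.
    param([string]$GroupName = $DenyGroup)
    $sid = (Get-ADGroup -Identity $GroupName).SID.Value
    $inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *$sid
SeDenyRemoteInteractiveLogonRight = *$sid
SeDenyNetworkLogonRight = *$sid
"@
    $cfg = Join-Path $env:TEMP 'guest-deny.inf'
    $db  = Join-Path $env:TEMP 'guest-deny.sdb'
    Set-Content -Path $cfg -Value $inf -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
}

# Example run (visitor and sponsor names are made up): hand the returned password to the sponsor.
New-ProxyGuestAccount -VisitorName 'Jane Visitor' -Sponsor 'jfreckeltom' -DaysValid 3
```

The account carries nothing beyond Domain Users plus membership of the deny group, so what it can reach is whatever Domain Users can reach minus every share that denies Guest-Deny; run the share audit JimsZ describes before the first visitor arrives. The secedit template is the local form of the same three settings you would set under Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment in a GPO linked to the workstation and file-server OUs.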

Author Comment

by:jfreckeltom
ID: 22731311
I've set up a domain user for this purpose and I'm testing it on a non-domain PC. I've configured the proxy setting in IE and I'm prompted to enter a username and password for authentication (domain\user). If I try to log in with any user on the domain, the ISA server blocks it.

The access rule currently has "any authenticated user" and the Internet guest account in the allowed users box for the rule, which was pulled directly from AD.

Any ideas why the ISA server and my Web Access rule are rejecting the request?

Log type: Web Proxy (Forward)
Status: 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  
Rule: Web Access
Source: Internal (192.168.2.155)
Destination: Internal (192.168.2.8:8080)
Request: GET http://www.google.co.uk/ 
Filter information: Req ID: 0ddcb723; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous



Thanks...
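A way to see from the rejected client what the proxy is actually doing, as an added example that is not from the thread. It sends the same GET that appears in the log entry above (the proxy address 192.168.2.8:8080 and the URL are taken from that entry) and reports the reply's status line and the Proxy-Authenticate schemes offered in a 407 challenge. Run it once with no credential to see which schemes the proxy advertises, then once with -Credential to see whether a Basic header carrying domain\user is accepted. The account name in the last line is an assumption, and Basic puts the password on the wire in clear text, so use it only for a test on the internal LAN.

```powershell
# Added example, not from the thread. Proxy address/port and URL are the ones in the
# posted log entry; PowerShell 2.0 or later, run from the client that is being rejected.
function Test-ProxyAuth {
    param(
        [string]$Proxy = '192.168.2.8',
        [int]$Port = 8080,
        [string]$Url = 'http://www.google.co.uk/',
        [System.Management.Automation.PSCredential]$Credential   # optional: domain\user
    )
    $client   = New-Object System.Net.Sockets.TcpClient($Proxy, $Port)
    $stream   = $client.GetStream()
    $hostName = ([uri]$Url).Host

    # Absolute-URI request form is what a forward proxy expects.
    $req = "GET $Url HTTP/1.1`r`nHost: $hostName`r`nProxy-Connection: close`r`n"
    if ($Credential) {
        $nc = $Credential.GetNetworkCredential()      # splits "domain\user" into Domain/UserName
        $user = if ($nc.Domain) { "$($nc.Domain)\$($nc.UserName)" } else { $nc.UserName }
        # Basic = base64(user:password), clear text on the wire; LAN test use only.
        $token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${user}:$($nc.Password)"))
        $req += "Proxy-Authorization: Basic $token`r`n"
    }
    $req += "`r`n"

    $bytes = [Text.Encoding]::ASCII.GetBytes($req)
    $stream.Write($bytes, 0, $bytes.Length)

    # Read only the status line and headers; the body of a 407 page is not interesting.
    $reader  = New-Object System.IO.StreamReader($stream)
    $status  = $reader.ReadLine()
    $schemes = @()
    while (($line = $reader.ReadLine()) -ne $null -and $line -ne '') {
        if ($line -match '^Proxy-Authenticate:\s*(\S+)') { $schemes += $Matches[1] }
    }
    $client.Close()

    New-Object PSObject -Property @{
        Status         = $status                   # status line of the proxy's reply
        OfferedSchemes = ($schemes -join ', ')     # schemes listed in Proxy-Authenticate headers
        SentBasicAuth  = [bool]$Credential
    }
}

# 1) No credentials: shows the challenge and the schemes the proxy advertises.
Test-ProxyAuth
# 2) Explicit domain account (prompts for the password); the account name is an assumption.
Test-ProxyAuth -Credential (Get-Credential 'CORP\internetguest')
```

The first run corresponds to the "User: anonymous" entry in the log: the request reaches the proxy without credentials, ISA logs 12209 and answers with a challenge. Comparing the second run's status line with what the rule allows tells you whether the client never presented credentials the proxy can use or whether the credentials it presented were rejected.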

Author Comment

by:jfreckeltom
ID: 22732661
The laptop is XP Home. I've tested it on an XP Pro machine and it seems to work OK.

I take it XP Home will be a no-no when trying to authenticate to a domain via the ISA due to the networking differences?
LVL 11

Expert Comment

by:EricTViking
ID: 22732705
XP Home cannot be joined to a domain, so that could explain it.