Solved

ISA Authentication and Logging

Posted on 2008-10-16
Last Modified: 2008-11-17
Hi, I've set a 2006 ISA server up on the internal network on a single NIC to act as a proxy server for our users.

Everything is working OK. What I want to understand is the best way to set up the authentication of my users. At the moment my Web Access rule allows "all authenticated users"; this is great as it logs all of the user activity based on their domain username.

We have external clients arriving in the office who need internet access. I also want these to go through the proxy server. These users are not going to be members of the domain. If I add "all users" into my Web access rule it removes all the domain logging for my domain users and just logs it as anonymous.

What's the best way to have all the logging enabled for my domain users but still provide logged internet access for non-domain users?

Many thanks....

Jim
Question by:jfreckeltom
7 Comments
 
LVL 11

Accepted Solution

by:
EricTViking earned 125 total points
ID: 22729237
The problem you have is that the anonymous "all users" rule will take precedence over the "authenticated users" rule. Having both means that no-one will ever authenticate - even domain users.

AFAIK there is no way around this - you either run with authentication or without it.

You could create a guest domain account though, and have guest users use those credentials to authenticate to your proxy?
0
 

Author Comment

by:jfreckeltom
ID: 22729419
Hi Eric,

Thanks for your help. With the guest domain account what would be the best way of setting this up, so the account has no access to anything on the domain apart from web access?

Would setting up a local user account on the ISA server work, or is that a bad idea?  

Jim.
0
 
LVL 6

Expert Comment

by:JimsZ
ID: 22729951
For best practices... I would get a form to be filed by anyone with a "guest" coming on site to create a new temporary account per person. Set each account to expire in xx amount of days (however many is needed).

Just create an account for any new user that comes on site. If you need to you can give someone (manager bringing on-site people) a script to create a temporary account.

Also, any shares available, etc., you will need to "DENY" these guest accounts access to as they will be able to read most.

We actually have anyone bringing in a guest file forms on how long they will be on site, whether they need network access, etc. We just add the users to a "DENY" group which denies access to every share on our network; they are only allowed access through IAS to internet that way. (Routers force you to authenticate through RADIUS at our site to be allowed any network access.)

0
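A sketch of the kind of temporary-account script described in the comment above, added here as an example and not code posted by anyone in the thread. It assumes the ActiveDirectory PowerShell module is available; the OU, both group names and the account-name scheme are hypothetical, and the deny group only has an effect where shares already carry Deny entries for it.

```powershell
# Added example. Assumed (hypothetical) names: the OU, both groups, the g-<date>-<hex> scheme.
Import-Module ActiveDirectory

function New-GuestProxyAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$VisitorName,
        [Parameter(Mandatory)][string]$Sponsor,          # staff member who filed the guest form
        [ValidateRange(1, 30)][int]$DaysValid = 1,
        [string]$GuestOU    = 'OU=Guests,DC=example,DC=local',
        [string]$ProxyGroup = 'Guest-Internet',          # group listed in the proxy's web access rule
        [string]$DenyGroup  = 'Guest-Deny-Shares'        # group that shares are ACL'd to deny
    )
    # Random password: 18 random bytes as base64, plus a suffix that
    # guarantees all four complexity classes are present.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = [Convert]::ToBase64String($bytes) + 'aZ9!'

    $sam     = 'g-{0:yyyyMMdd}-{1:x4}' -f (Get-Date), (Get-Random -Maximum 0x10000)
    $expires = (Get-Date).Date.AddDays($DaysValid + 1)   # midnight after the last valid day

    if ($PSCmdlet.ShouldProcess($sam, "Create guest account expiring $expires")) {
        New-ADUser -Name $sam -SamAccountName $sam -Path $GuestOU `
            -DisplayName "Guest: $VisitorName" `
            -Description "Guest of $Sponsor, expires $expires" `
            -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
            -AccountExpirationDate $expires `
            -CannotChangePassword $true -Enabled $true
        Add-ADGroupMember -Identity $ProxyGroup -Members $sam
        Add-ADGroupMember -Identity $DenyGroup  -Members $sam
        # Returned once so the sponsor can hand the credentials to the visitor.
        [pscustomobject]@{ UserName = $sam; Password = $plain; Expires = $expires }
    }
}

function Disable-ExpiredGuestAccount {
    # Scheduled sweep: expired accounts already fail logon; disabling makes that explicit.
    param([string]$GuestOU = 'OU=Guests,DC=example,DC=local')
    Search-ADAccount -AccountExpired -UsersOnly -SearchBase $GuestOU |
        Disable-ADAccount -PassThru |
        Select-Object SamAccountName, AccountExpirationDate
}

# Dry run: New-GuestProxyAccount -VisitorName 'A. Visitor' -Sponsor 'jsmith' -DaysValid 3 -WhatIf
```

Because each visitor gets a separate account, the proxy log attributes requests to an individual guest rather than to one shared guest login.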
 
LVL 11

Expert Comment

by:EricTViking
ID: 22729996
Another good approach is to use group policy to lock down guest accounts. You can even prevent users logging on locally or over the network via group policy.
0
 

Author Comment

by:jfreckeltom
ID: 22731311
I've set up a domain user for this purpose and I'm testing it on a non-domain PC. I've configured the proxy setting in IE and I'm prompted to enter a Username and Password for authentication (domain\user). If I try to login with any user on the domain the ISA server blocks it.

The access rule currently has "any authenticated user" and the Internet guest account in the allowed users box for the rule, which was pulled directly from AD.

Any ideas why the ISA server and my Web Access rule are rejecting the request?

Log type: Web Proxy (Forward)
Status: 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  
Rule: Web Access
Source: Internal (192.168.2.155)
Destination: Internal (192.168.2.8:8080)
Request: GET http://www.google.co.uk/ 
Filter information: Req ID: 0ddcb723; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous



Thanks...
0
 

Author Comment

by:jfreckeltom
ID: 22732661
The laptop is XP Home. I've tested it on an XP Pro machine and it seems to work OK.

I take it XP Home will be a no-no when trying to authenticate to a domain via the ISA due to the networking differences?
0
 
LVL 11

Expert Comment

by:EricTViking
ID: 22732705
XP Home cannot be joined to a domain, so that could explain it.
0
