ISA 2006 Std authenticating users

clynch302
OK, I am still fairly new to ISA.
I have ISA 2006 STD on a Win2k3 Std box. The ISA server is a domain member.

What I would like to do is to be able to log users by their AD user names instead of their IP address. I have the ISA FWC installed on my computer (WinXP Pro). It is set for auto discovery and the ISA server is discovered with no problems. I have WPAD in DHCP and DNS. When I launch IE, all I see is the anonymous user name. When I launch Firefox, it logs my user name just fine? My outbound rule is set for All Users. I cannot change this unless I put the FWC on all machines, correct?
Why would Firefox be logged with my user name and not IE, which has the proxy settings?
Does anyone have a clear how-to that shows how to configure the policy rules by AD user accounts?

Thanks in advance.
Akhater (Solutions Architect)

Commented:
1) If your outbound rule is set to "All Users", then you are allowing anonymous users to go out and ISA won't force them to authenticate.

2) IE is logging anonymous probably because you put proxy settings on it and ISA is allowing anonymous (again).

3) Firefox is logging the user probably because you don't have proxy settings on FF, and it is the Firewall Client kicking in instead and authenticating the user.

4) To replace "All Users" you need either the FWC or proxy settings on all clients.

Enterprise Architect
Top Expert 2008
Commented:
The above is correct in many respects, but your original assumption that you must install the FWC on all machines is incorrect.

If you remove All Users, then you can add an Active Directory group, local group, authenticated users etc., and this can be done on a per-rule basis; it is up to you.

The Firewall Client comes into its own when dealing with software that has no understanding of credentials. An FTP client application is such a package.
If you take off the All Users element and put in an AD group, for example:
The FTP client will try to connect to the external FTP server. ISA will see the request and log it as anonymous first. ISA checks the rule and sees that only authenticated users are allowed to pass FTP, so ISA sends a credential request back to the client PC. The FTP package has no idea about this request and so ignores it. The result: traffic dropped. With the Firewall Client installed, when ISA requests the user credentials, the Firewall Client intercepts the request and responds with the user's name and Windows password on behalf of the FTP client software. ISA receives the credentials, validates them against AD, makes sure this user is a member of the AD group specified, and the traffic passes through after logging it with the username/password the FWC has passed to it.

For the web proxy traffic, Akhater's comment is close enough to explain the logic.

In respect of configuring, and assuming your ISA is a domain member or you have configured an LDAP connection through to the AD servers, edit your access rule and select the Users tab.
Remove All Users, then click Add and follow the options to select an AD group or user that is allowed for the rule.

Keith
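A way to check the outcome of the change described in the two answers above, from the ISA web-proxy log rather than from the GUI: which rules are still passing "anonymous" requests (i.e. still effectively matching All Users), and which client IPs never show up with an AD user name (neither the Firewall Client nor proxy authentication is identifying them). This is an added example, not part of the thread; the log sample is constructed, uses only a subset of ISA's W3C fields, and assumes none of the logged fields contain spaces.

```python
"""Audit ISA 2006 web-proxy log lines: which rules still pass anonymous requests,
and which clients never appear with an AD user name."""
from collections import defaultdict

# Constructed sample in the W3C layout ISA writes (a subset of its fields; real
# logs are tab separated, but none of these fields contain spaces).
SAMPLE_LOG = r"""#Fields: c-ip cs-username date time r-host sc-status rule cs-uri
10.0.0.21 anonymous 2008-05-01 09:00:01 www.example.com 200 Allow_All_Users http://www.example.com/
10.0.0.21 CORP\jsmith 2008-05-01 09:00:05 www.example.com 200 Allow_Web_Group http://www.example.com/a
10.0.0.33 anonymous 2008-05-01 09:00:07 mail.example.org 407 Allow_Web_Group http://mail.example.org/
10.0.0.33 CORP\ajones 2008-05-01 09:00:08 mail.example.org 200 Allow_Web_Group http://mail.example.org/
10.0.0.44 anonymous 2008-05-01 09:02:00 cdn.example.com 200 Allow_All_Users http://cdn.example.com/x.js
"""

def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the lines that follow
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        elif fields:
            records.append(dict(zip(fields, line.split())))
    return records

def rules_passing_anonymous(records):
    """Rules that let an 'anonymous' request through (2xx/3xx status), meaning
    the rule still matches All Users instead of forcing authentication."""
    hits = defaultdict(int)
    for r in records:
        if r["cs-username"].lower() == "anonymous" and r["sc-status"].startswith(("2", "3")):
            hits[r["rule"]] += 1
    return dict(hits)

def clients_without_identity(records):
    """Client IPs that never appear with a real user name: neither the Firewall
    Client nor proxy authentication is identifying them (the 407 above is a challenge)."""
    seen = defaultdict(set)
    for r in records:
        seen[r["c-ip"]].add(r["cs-username"].lower())
    return sorted(ip for ip, names in seen.items() if names == {"anonymous"})

if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("rules passing anonymous traffic:", rules_passing_anonymous(recs))
    print("clients never identified:", clients_without_identity(recs))
```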

Author

Commented:
Thanks
