Solved

ISA 2006 block media player

Posted on 2011-03-25
Last Modified: 2012-08-13
I just built an ISA 2006 server running W2K3 with the following settings. The ISA server is just used for web proxy.

Enable HTTP with port 80
Integrated and Basic Authentication
Requires all users to authenticate

When a user outside our network firewall tries to connect to a webcast that is using Windows Media Player, the player shows all the correct images but does not start. When I try the webcast internally, it works fine.

My old ISA 2004 server works fine for users outside our network firewall.

The only difference between the 2004 and 2006 is that the 2004 does NOT require users to authenticate. Could this be the issue?

Thanks

Question by:AGenMIS
 
LVL 29

Expert Comment

by:pwindell
ID: 35234552
User authentication should be forced only at the individual Rules,...never Globally.  Disable the Global setting.   MS should have removed that ability from the GUI a long time ago and saved everyone a lot of grief.

WMP almost always fails to authenticate properly to a web proxy service,...this has been a historical thing with WMP.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35234587
Since the ISA is only a near meaningless "web caching server" in the configuration model you choose,...you've already thrown away 60% of the ISA capabilities,...you'd be better off to disable the proxy settings in the WMP and let the existing Firewall handle that.

If it were me the ISA would be run as a full firewall and would replace the existing Firewall totally.
0
 

Author Comment

by:AGenMIS
ID: 35260208
I'm behind the State's firewall so there is no need for me to use the Proxy as the firewall. I can't seem to figure out why it works with ISA 2004 and not with ISA 2006. Both networks are set up for Single Network Adapter. I unchecked the option Require All Users to Authenticate in ISA 2006 but still no luck. I'm comparing my ISA 2004 and 2006 settings and I'm not finding any differences.
0

 
LVL 29

Expert Comment

by:pwindell
ID: 35260313
"I'm behind the State's firewall so there is no need for me to use the Proxy as the firewall."

That isn't true.  You would just be creating a Back-to-Back DMZ between the ISA and the State's Firewall when you run the ISA/TMG as a real Firewall.  You cannot use the Firewall Client Software in a "Hork Mode" ISA/TMG arrangement,...yet it is the Firewall Client Software (that you can't use) that fixes or overcomes the WMP issue.

In a Hork Mode arrangement you will have to make your HTTP/HTTPS Rules anonymous for WMP to function correctly.
Never ever ever enable the Global "Require All Users to Authenticate". That will wreck things faster than you can imagine.  If you want authentication,..then force it at the individual Rules.
0
 

Author Comment

by:AGenMIS
ID: 35260367
Authentication is forced at the individuals rules. I'm sorry but I'm still new to ISA. How would I create a rule to make HTTP/HTTPS anonymous?

Thanks
0
 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 35260427
In the Users Tab in the rule,....."All Users" = anonymous

Never combine "All Users" with anything else in the Users Tab of a Rule,...it has to either be by itself or not at all.  Mixing it would be telling ISA that you want authentication and anonymous at the same time,..which is impossible.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35260683
Wait a minute.

I'm looking back at the first post.  This is going to be one of those threads that drags on forever with no solid solution.  It is all backwards from what I first believed and I was misled a bit by your description.

1. The Users having the trouble are coming from the Outside,...not the Inside.   The Resource they are trying to reach is on the Inside,...not the Outside.

2. The Webcast does not use WMP,...it is the user watching the webcast that is using WMP (the two are not the same thing).

3. The Webcast is using whatever Streaming/Webcasting Product you are providing the Webcast with.  This product has to be published using a Non-Web Server Publishing Rule in order to be made available to users on the Outside.

4. I wouldn't have a clue what the Streaming/Webcasting Product requires in order to function over the ISA.  If it worked with ISA2004 then you have to look at the Publishing Rule that was used in ISA2004 and make sure it was done the same way.

5. You have to make sure the Webcasting Product is actually using the correct ISA to make the Outbound response.  It is a pointless exercise if the Publishing comes in through the old ISA2004 but it tries to respond out the ISA2006,...or the reverse of Publishing inbound on the ISA2006 but it tries to respond out the ISA2004.  Just because the Inbound came in a certain path does not mean the Response goes out the same path,...the two are completely independent of each other,...but anyway,..the path must be Synchronous (same in both directions).
0
 

Author Comment

by:AGenMIS
ID: 35260971
Changing the user from our domain users to All Users did the trick. WMP now works for users outside our firewall. I have no clue on why it is working on my ISA 2004 server b/c that server does not have All Users listed. Anyhow, changing the user to All Users did the trick. Thanks for your help.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35261269
It just means that it is not using the Rule on the 2004 that you think it is.  Just because a Rule exists does not mean it is the one the traffic in question is actually using,...it can be more complex than that.   Anyway,...glad it worked out for you.
0
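An added example, not part of the thread or of any poster's configuration: a way to check from the proxy log which rule Windows Media Player traffic actually matched and whether it was stopped at an authentication challenge, the two points raised in the comments above. It assumes a tab-separated W3C log with a `#Fields:` header; the field names, the rule names, the sample lines and the treatment of 12209 as the proxy's own "authorization required" code are assumptions.

```python
from collections import defaultdict

# Constructed sample (not from the thread): tab-separated W3C proxy log.
# Field names and rule names are assumptions for illustration.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tcs-username\tc-agent\tcs-uri\tsc-status\trule",
    "203.0.113.10\tanonymous\tMozilla/4.0 (compatible; MSIE 8.0)\thttp://webcast.example/\t407\tWeb Access - Domain Users",
    "203.0.113.10\tEXAMPLE\\jdoe\tMozilla/4.0 (compatible; MSIE 8.0)\thttp://webcast.example/\t200\tWeb Access - Domain Users",
    "203.0.113.10\tanonymous\tNSPlayer/11.0.5721.5145\thttp://webcast.example/live.asf\t407\tWeb Access - Domain Users",
    "203.0.113.10\tanonymous\tWindows-Media-Player/11.0.5721.5145\thttp://webcast.example/live.asf\t12209\tWeb Access - Domain Users",
    "203.0.113.22\tanonymous\tNSPlayer/11.0.5721.5145\thttp://webcast.example/live.asf\t200\tWeb Access - All Users",
])

WMP_AGENTS = ("nsplayer", "windows-media-player")  # user-agent prefixes sent by WMP
AUTH_REQUIRED = {"407", "12209"}  # HTTP 407; 12209 assumed to be the proxy's own code


def parse_w3c(text):
    """Yield one dict per record, using the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def wmp_rule_report(text):
    """Per matched rule: WMP requests seen, and how many hit an auth challenge."""
    report = defaultdict(lambda: {"requests": 0, "auth_challenged": 0})
    for rec in parse_w3c(text):
        if not rec.get("c-agent", "").lower().startswith(WMP_AGENTS):
            continue
        row = report[rec.get("rule", "-")]
        row["requests"] += 1
        if rec.get("sc-status") in AUTH_REQUIRED:
            row["auth_challenged"] += 1
    return dict(report)


def rules_blocking_wmp(text):
    """Rules where every WMP request was challenged and none got through."""
    return sorted(name for name, row in wmp_rule_report(text).items()
                  if row["requests"] and row["requests"] == row["auth_challenged"])


if __name__ == "__main__":
    for rule, row in wmp_rule_report(SAMPLE_LOG).items():
        print(f"{rule}: {row}")
    print("blocking:", rules_blocking_wmp(SAMPLE_LOG))
```
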
