Solved

ISA 2006 block media player

Posted on 2011-03-25
9
798 Views
Last Modified: 2012-08-13
I just built an ISA 2006 server running W2K3 with the following settings. The ISA server is just used for web proxy.

Enable HTTP with port 80
Integrated and Basic Authentication
Requires all users to authenticate

When a user outside our network firewall trys to connect to a webcast that is using Windows Media Player, the player show all the correct images but does not start. When I try the webcast internally, it works fine.

My old ISA 2004 server works fine for users outside our network firewall.

The only difference between the 2004 and 2006 is that the 2004 does NOT require users to authenticate. Could this be the issue?

Thanks

0
Comment
Question by:AGenMIS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
9 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 35234552
User authentication should be forced only at the individual Rules,...never Globally.  Disable the Global setting.   MS should have removed that ability from the GUI a long time ago and save everyone a lot of grief.

WMP almost always fails to authenticate properly to a web proxy service,...this has been a historical thing with WMP.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35234587
Since the ISA is only a near meaningless "web caching server" in the configuration model you choose,...you've already thrown away 60% of the ISA capabilities,...you'd be better off to disable the proxy settings in the WMP and let the existing Firewall handle that.

If it were me the ISA would be run as a full firewall and would replace the existing Firewall totally.
0
 

Author Comment

by:AGenMIS
ID: 35260208
I'm behind the State's firewall so there is no need for me to use the Proxy as the firewall. I can't seem to figure out why it works with ISA 2004 and not with ISA 2006. Both networks are setup for Single Network Adapter. I unchecked the option Require All Users to Authenticate in ISA 2006 but still no luck. I'm comparing my ISA 2004 and 2006 settings and I'm not finding any differences.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 29

Expert Comment

by:pwindell
ID: 35260313
I'm behind the State's firewall so there is no need for me to use the Proxy as the firewall.

That isn't true.  You would just be creating a Back-to-Back DMZ between the ISA and the State's Firewall when you run the ISA/TMG are a real Firewall.  You cannot use the Firewall Client Software in a "Hork Mode" ISA/TMG arrangment,...yet it is the Firewall Client Software (that you can't use) that fixes or overcomes the WMP issue.

In a Hork Mode arrangement you will have to make your HTTP/HTTPS Rules anonyous for WMP to function correctly.
Never ever ever enable the Global "Require All Users to Authenticate". That will wreck things faster than you can imagine.  If you want authentication,..then force it at the individual Rules.
0
 

Author Comment

by:AGenMIS
ID: 35260367
Authentication is forced at the individuals rules. I'm sorry but I'm still new to ISA. How would I create a rule to make HTTP/HTTPS anonymous?

Thanks
0
 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 35260427
In the Users Tab in the rule,....."All Users" = anonymous

Never combine "All Users" with anything else in the Users Tab of a Rule,...it has to either be by itself or not at all.  Mixing it would be telling ISA that you want authentication and anonymous at the same time,..which is impossible.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35260683
Wait a minute.

I'm looking back at the first post.  This is going to be one of those threads that drags on forever with no solid solution.  It is all backwards from what I first believed and I was misled a bit by your description.

1. The Users having the trouble are comming from the Outside,...not the Inside.   The Resource they are trying to reach is on the Inside,...not the Outside.

2. The Webcast does not use WMP,...it is the user watching the webcast that is using WMP (the two are not the same thing).

3. The Webcast is using whatever Streaming/Webcasting Product you are providing the Webcast with.  This product has to be published using a Non-Web Server Publishing Rule in order to be made available to users on the Outside.

4. I wouldn't have a clue what the Streaming/Webcasting Product requires in order to function over the ISA.  If it worked with ISA2004 then you have to look at the Publishing Rule that was using in ISA2004 and make sure it was done the same way.

5. You have to make sure the Webcasting Product is actually using the correct ISA to make the Outbound response.  IT is a pointless exercise if the Publishign comes in through the old ISA2004 but it tries to respond out the ISA2006,...or the reverse of Publishing inbound on the ISA2006 but it tries to respond out the ISA2004.  Just because the Inbound came in a certain path does not mean the Response goes out the same path,...the two are completely independent of each other,...but anyway,..the path must be Synchronous (same in both directions).
0
 

Author Comment

by:AGenMIS
ID: 35260971
Changing the user from our domain users to All Users did the trick. WMP now works for users outside our firewall. I have no clue on why it is working on my ISA 2004 server b/c that server does not have All Users listed. Any how, changing the user to All Users did the trick. Thanks for your help.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35261269
It just means that it is not using the Rule on the 2004 that you think it is.  Just because a Rule exists does not mean it is the one the traffic in question is actually using,...it can be more complex than that.   Anywa,...glad it worked out for you.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
OWA through TMG 2010 3 678
2012 identify is there are active sessions 8 233
TMG 2010 Intrusion prevention system issue 6 200
TMG 2010 is not able access other network 3 202
In all versions of ISA Server and the current version of FTMG, the default https protocol uses TCP port 443 and 563 only. This cannot be changed within the ISA or FTMG GUI and must be completed from a Windows cmd prompt on the ISA Server itself. …
Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has bee…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question