Solved

ISA 2006 block media player

Posted on 2011-03-25
9
713 Views
Last Modified: 2012-08-13
I just built an ISA 2006 server running W2K3 with the following settings. The ISA server is just used for web proxy.

Enable HTTP with port 80
Integrated and Basic Authentication
Requires all users to authenticate

When a user outside our network firewall trys to connect to a webcast that is using Windows Media Player, the player show all the correct images but does not start. When I try the webcast internally, it works fine.

My old ISA 2004 server works fine for users outside our network firewall.

The only difference between the 2004 and 2006 is that the 2004 does NOT require users to authenticate. Could this be the issue?

Thanks

0
Comment
Question by:AGenMIS
  • 6
  • 3
9 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 35234552
User authentication should be forced only at the individual Rules,...never Globally.  Disable the Global setting.   MS should have removed that ability from the GUI a long time ago and save everyone a lot of grief.

WMP almost always fails to authenticate properly to a web proxy service,...this has been a historical thing with WMP.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35234587
Since the ISA is only a near meaningless "web caching server" in the configuration model you choose,...you've already thrown away 60% of the ISA capabilities,...you'd be better off to disable the proxy settings in the WMP and let the existing Firewall handle that.

If it were me the ISA would be run as a full firewall and would replace the existing Firewall totally.
0
 

Author Comment

by:AGenMIS
ID: 35260208
I'm behind the State's firewall so there is no need for me to use the Proxy as the firewall. I can't seem to figure out why it works with ISA 2004 and not with ISA 2006. Both networks are setup for Single Network Adapter. I unchecked the option Require All Users to Authenticate in ISA 2006 but still no luck. I'm comparing my ISA 2004 and 2006 settings and I'm not finding any differences.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35260313
I'm behind the State's firewall so there is no need for me to use the Proxy as the firewall.

That isn't true.  You would just be creating a Back-to-Back DMZ between the ISA and the State's Firewall when you run the ISA/TMG are a real Firewall.  You cannot use the Firewall Client Software in a "Hork Mode" ISA/TMG arrangment,...yet it is the Firewall Client Software (that you can't use) that fixes or overcomes the WMP issue.

In a Hork Mode arrangement you will have to make your HTTP/HTTPS Rules anonyous for WMP to function correctly.
Never ever ever enable the Global "Require All Users to Authenticate". That will wreck things faster than you can imagine.  If you want authentication,..then force it at the individual Rules.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:AGenMIS
ID: 35260367
Authentication is forced at the individuals rules. I'm sorry but I'm still new to ISA. How would I create a rule to make HTTP/HTTPS anonymous?

Thanks
0
 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 35260427
In the Users Tab in the rule,....."All Users" = anonymous

Never combine "All Users" with anything else in the Users Tab of a Rule,...it has to either be by itself or not at all.  Mixing it would be telling ISA that you want authentication and anonymous at the same time,..which is impossible.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35260683
Wait a minute.

I'm looking back at the first post.  This is going to be one of those threads that drags on forever with no solid solution.  It is all backwards from what I first believed and I was misled a bit by your description.

1. The Users having the trouble are comming from the Outside,...not the Inside.   The Resource they are trying to reach is on the Inside,...not the Outside.

2. The Webcast does not use WMP,...it is the user watching the webcast that is using WMP (the two are not the same thing).

3. The Webcast is using whatever Streaming/Webcasting Product you are providing the Webcast with.  This product has to be published using a Non-Web Server Publishing Rule in order to be made available to users on the Outside.

4. I wouldn't have a clue what the Streaming/Webcasting Product requires in order to function over the ISA.  If it worked with ISA2004 then you have to look at the Publishing Rule that was using in ISA2004 and make sure it was done the same way.

5. You have to make sure the Webcasting Product is actually using the correct ISA to make the Outbound response.  IT is a pointless exercise if the Publishign comes in through the old ISA2004 but it tries to respond out the ISA2006,...or the reverse of Publishing inbound on the ISA2006 but it tries to respond out the ISA2004.  Just because the Inbound came in a certain path does not mean the Response goes out the same path,...the two are completely independent of each other,...but anyway,..the path must be Synchronous (same in both directions).
0
 

Author Comment

by:AGenMIS
ID: 35260971
Changing the user from our domain users to All Users did the trick. WMP now works for users outside our firewall. I have no clue on why it is working on my ISA 2004 server b/c that server does not have All Users listed. Any how, changing the user to All Users did the trick. Thanks for your help.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35261269
It just means that it is not using the Rule on the 2004 that you think it is.  Just because a Rule exists does not mean it is the one the traffic in question is actually using,...it can be more complex than that.   Anywa,...glad it worked out for you.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

There are three types of ISA client that can be configured - these can be individual clients or multiples of a client on each PC or server SecureNAT. A SecureNAT client for ISA server is a client machine, work station or server, that has its defa…
There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now