ISA 2006 block media player

I just built an ISA 2006 server running W2K3 with the following settings. The ISA server is just used for web proxy.

Enable HTTP with port 80
Integrated and Basic Authentication
Requires all users to authenticate

When a user outside our network firewall tries to connect to a webcast that is using Windows Media Player, the player shows all the correct images but does not start. When I try the webcast internally, it works fine.

My old ISA 2004 server works fine for users outside our network firewall.

The only difference between the 2004 and 2006 is that the 2004 does NOT require users to authenticate. Could this be the issue?

Thanks

AGenMIS Asked:
 
pwindell Commented:
In the Users Tab in the rule,....."All Users" = anonymous

Never combine "All Users" with anything else in the Users Tab of a Rule,...it has to either be by itself or not at all.  Mixing it would be telling ISA that you want authentication and anonymous at the same time,..which is impossible.
 
pwindell Commented:
User authentication should be forced only at the individual Rules,...never Globally.  Disable the Global setting.   MS should have removed that ability from the GUI a long time ago and save everyone a lot of grief.

WMP almost always fails to authenticate properly to a web proxy service,...this has been a historical thing with WMP.
 
pwindell Commented:
Since the ISA is only a near meaningless "web caching server" in the configuration model you choose,...you've already thrown away 60% of the ISA capabilities,...you'd be better off to disable the proxy settings in the WMP and let the existing Firewall handle that.

If it were me the ISA would be run as a full firewall and would replace the existing Firewall totally.
 
AGenMIS (Author) Commented:
I'm behind the State's firewall so there is no need for me to use the Proxy as the firewall. I can't seem to figure out why it works with ISA 2004 and not with ISA 2006. Both networks are set up for Single Network Adapter. I unchecked the option Require All Users to Authenticate in ISA 2006 but still no luck. I'm comparing my ISA 2004 and 2006 settings and I'm not finding any differences.
 
pwindell Commented:
"I'm behind the State's firewall so there is no need for me to use the Proxy as the firewall."

That isn't true.  You would just be creating a Back-to-Back DMZ between the ISA and the State's Firewall when you run the ISA/TMG as a real Firewall.  You cannot use the Firewall Client Software in a "Hork Mode" ISA/TMG arrangement,...yet it is the Firewall Client Software (that you can't use) that fixes or overcomes the WMP issue.

In a Hork Mode arrangement you will have to make your HTTP/HTTPS Rules anonymous for WMP to function correctly.
Never ever ever enable the Global "Require All Users to Authenticate". That will wreck things faster than you can imagine.  If you want authentication,..then force it at the individual Rules.
 
AGenMIS (Author) Commented:
Authentication is forced at the individual rules. I'm sorry but I'm still new to ISA. How would I create a rule to make HTTP/HTTPS anonymous?

Thanks
 
pwindell Commented:
Wait a minute.

I'm looking back at the first post.  This is going to be one of those threads that drags on forever with no solid solution.  It is all backwards from what I first believed and I was misled a bit by your description.

1. The Users having the trouble are coming from the Outside,...not the Inside.   The Resource they are trying to reach is on the Inside,...not the Outside.

2. The Webcast does not use WMP,...it is the user watching the webcast that is using WMP (the two are not the same thing).

3. The Webcast is using whatever Streaming/Webcasting Product you are providing the Webcast with.  This product has to be published using a Non-Web Server Publishing Rule in order to be made available to users on the Outside.

4. I wouldn't have a clue what the Streaming/Webcasting Product requires in order to function over the ISA.  If it worked with ISA2004 then you have to look at the Publishing Rule that was used in ISA2004 and make sure it was done the same way.

5. You have to make sure the Webcasting Product is actually using the correct ISA to make the Outbound response.  It is a pointless exercise if the Publishing comes in through the old ISA2004 but it tries to respond out the ISA2006,...or the reverse of Publishing inbound on the ISA2006 but it tries to respond out the ISA2004.  Just because the Inbound came in a certain path does not mean the Response goes out the same path,...the two are completely independent of each other,...but anyway,..the path must be Synchronous (same in both directions).
 
AGenMIS (Author) Commented:
Changing the user from our domain users to All Users did the trick. WMP now works for users outside our firewall. I have no clue on why it is working on my ISA 2004 server b/c that server does not have All Users listed. Anyhow, changing the user to All Users did the trick. Thanks for your help.
 
pwindell Commented:
It just means that it is not using the Rule on the 2004 that you think it is.  Just because a Rule exists does not mean it is the one the traffic in question is actually using,...it can be more complex than that.   Anyway,...glad it worked out for you.
Question has a verified solution.
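
Added example, not part of the original thread: a small Python check over a W3C-style proxy log that lists media-player clients which were only ever answered with 407 challenges, together with the rule each request actually matched. The log rows are constructed, and the field names, the "anonymous" user name, the rule names and the user-agent markers are assumptions to be matched against the `#Fields` line of your own log.

```python
from collections import defaultdict

# Constructed sample rows; field, user and rule names are assumptions.
FIELDS = ["c-ip", "cs-username", "c-agent", "sc-status", "rule", "cs-uri"]
URI = "http://media.example/webcast.asx"
ROWS = [
    ("10.0.0.5", "anonymous", "Mozilla/4.0", "407", "Web - Domain Users", URI),
    ("10.0.0.5", "CORP\\alice", "Mozilla/4.0", "200", "Web - Domain Users", URI),
    ("10.0.0.5", "anonymous", "NSPlayer/11.0", "407", "Web - Domain Users", URI),
    ("10.0.0.5", "anonymous", "NSPlayer/11.0", "407", "Web - Domain Users", URI),
    ("10.0.0.5", "anonymous", "NSPlayer/11.0", "407", "Web - Domain Users", URI),
    ("10.0.0.9", "anonymous", "NSPlayer/11.0", "200", "Web - All Users", URI),
]
SAMPLE_LOG = "#Fields: " + "\t".join(FIELDS) + "\n" + "\n".join(
    "\t".join(row) for row in ROWS)

MEDIA_AGENTS = ("nsplayer", "windows-media-player")  # assumed UA markers


def parse_w3c(text):
    """Yield one dict per record, keyed by the names on the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))


def stuck_media_clients(text):
    """Media-player clients that were challenged (407) and never served."""
    stats = defaultdict(lambda: {"challenged": 0, "served": 0, "rules": set()})
    for rec in parse_w3c(text):
        if not any(m in rec["c-agent"].lower() for m in MEDIA_AGENTS):
            continue
        entry = stats[rec["c-ip"]]
        status = int(rec["sc-status"])
        if status == 407:
            entry["challenged"] += 1
        elif 200 <= status < 300:
            entry["served"] += 1
        entry["rules"].add(rec["rule"])  # the rule the request actually hit
    return {ip: e for ip, e in stats.items()
            if e["challenged"] and not e["served"]}


if __name__ == "__main__":
    for ip, e in stuck_media_clients(SAMPLE_LOG).items():
        print(ip, e["challenged"], "x 407 via", sorted(e["rules"]))
```

Comparing the reported rule name on both servers shows whether the traffic is hitting the rule you expect.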
