Answered Using ISA as a guest network proxy

  • Thursday, May 24, 2012 8:03 AM
     
     

    Hi all,

    I have a customer who has a "guest" wireless network, which is actually more of a BYOD scenario. Guests all have Active Directory accounts, but the devices are their own and can be phones, tablets, Windows PCs, OSX, etc.

    The customer is required to proxy all traffic out of their network and must also be able to provide details of what websites all users are visiting (upon request). E.g. provide all sites that Joe Bloggs accessed on 24th May 2012.

    The customer is using ISA 2006 as a proxy.

    I'm aware that it's possible to configure clients' proxy settings automatically by using the WPAD functionality; however, I know that not all devices support this.

    I'm also aware that it's possible to configure ISA as a transparent proxy, so that we can simply route the "guest" network traffic to ISA to proxy it. This, I believe, is called SecureNAT. The problem here is that SecureNAT clients do not, cannot and will not authenticate to ISA.

    Adding proxy settings manually is not practical, as most users will not be happy or able to do this. Also, a large number of the users will be kids, so this solution must be simple for the end user to configure, preferably zero configuration.

    In this scenario, is ISA a viable solution?

    If so, please let me know how you would configure it.

    Many thanks

    James



    • Edited by i-ras-goose Thursday, May 24, 2012 8:09 AM

All Replies

  • Thursday, May 24, 2012 8:20 AM
     
     

    Hi,

    As this is a BYOD scenario and you can assume that the clients are not domain members and that many of them do not understand integrated authentication at all, your best choice (without add-on products) is to turn on basic authentication on the network in ISA that the clients connect through. This means that the clients have to authenticate each session manually, and you run the risk of users saving their credentials on their devices (with the inherent risks that come with that). In this scenario, ISA acts as a transparent proxy.

    Otherwise, you should look into other solutions that will authenticate the client for a duration of time. Off the top of my head, I can't tell you what solution will do this (if any for ISA 2006).


    Hth, Anders Janson Enfo Zipper

  • Thursday, May 24, 2012 10:09 AM
     
     

    Thanks for the reply, Anders. My understanding (though it is admittedly limited) is that when ISA is in transparent proxy mode (SecureNAT client), it doesn't support any kind of user authentication.

    Source: http://msdn.microsoft.com/en-us/library/aa503379
    "Because requests from SecureNAT clients are handled by the Firewall service, SecureNAT clients can benefit from many of the features of ISA Server. These include most access control features, with the exception of high-level protocol support and user-level authentication."

  • Friday, May 25, 2012 12:03 AM
    Moderator
     
     Answered

    You cannot do it natively, so you may want to look at Collective Software's Captivate solution: http://www.collectivesoftware.com/Products/Captivate

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
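
An added example (not from any poster in this thread, and not Microsoft or Collective Software code): a per-user, per-day site report over proxy logs, which also shows why requests logged without a user identity, as with unauthenticated SecureNAT clients, can only be tied to a client IP and not to a person. The W3C field names (`c-ip`, `cs-username`, `date`, `r-host`), the anonymous markers and the sample records are assumptions constructed for illustration; match them to the `#Fields:` line in your own logs.

```python
from collections import defaultdict

# Constructed sample in W3C extended format (tab-separated). The field names
# are assumed to match the "#Fields:" header written by your own proxy.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tcs-username\tdate\ttime\tr-host\tsc-status",
    "10.10.0.21\tEXAMPLE\\jbloggs\t2012-05-24\t08:15:02\twww.example.org\t200",
    "10.10.0.21\tEXAMPLE\\jbloggs\t2012-05-24\t08:15:40\tnews.example.net\t200",
    "10.10.0.37\tanonymous\t2012-05-24\t08:16:11\tvideo.example.com\t200",
    "10.10.0.21\tEXAMPLE\\jbloggs\t2012-05-25\t09:01:00\tmail.example.org\t200",
    "10.10.0.37\t-\t2012-05-24\t08:20:45\tgames.example.com\t200",
])

ANONYMOUS = {"", "-", "anonymous"}  # assumed markers for "no user identity"


def parse_w3c(text):
    """Yield one dict per record, following the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))


def sites_for_user(text, username, date):
    """Sorted unique hosts requested by `username` on `date` (YYYY-MM-DD)."""
    wanted = username.lower()
    return sorted({r["r-host"] for r in parse_w3c(text)
                   if r["date"] == date and r["cs-username"].lower() == wanted})


def unattributed(text, date):
    """Hosts per client IP for records that carry no user identity."""
    by_ip = defaultdict(set)
    for r in parse_w3c(text):
        if r["date"] == date and r["cs-username"].lower() in ANONYMOUS:
            by_ip[r["c-ip"]].add(r["r-host"])
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


if __name__ == "__main__":
    print(sites_for_user(SAMPLE_LOG, "EXAMPLE\\jbloggs", "2012-05-24"))
    print(unattributed(SAMPLE_LOG, "2012-05-24"))
```

A large share of records landing in the unattributed report is the signal that the "who visited what" requirement cannot be met from the logs alone for that traffic.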