ISA 2006 How to add exceptions to web proxy authentication?

    Question

  • I have set up a test of a rule requiring computers to authenticate through the web proxy and it seems to work.

    However, we would also like to use SecureNAT for some computers that cannot work with web proxy authentication due to incompatible applications or other reasons. We would like them to use SecureNAT so we can at least have records of their traffic by IP address instead of having nothing at all if they are allowed to go around the proxy.

    Is it possible to have a web proxy authentication rule for most PCs and simultaneously have another rule that allows a specific list of computers (mostly computers not joined to the domain running processes that need Internet access and are not proxy-aware) to access the network through SecureNAT with no user credentials needed?

    I have a Linux laptop that I am trying to add an exception for, and once it works, I would like to create a computer set that I can add more computers to as we find more computers that need to be excluded from the authentication requirement.

    I created a new rule allowing all outbound traffic to all networks from all users, added the computer name and IP to the rule, and added it to the top of the list of Firewall Policy Rules. I set the gateway on the Linux laptop to point to the ISA server and the DNS to point to our DNS server, and I cannot get it to connect to the Internet that way.

    Can this be done?

    Sunday, November 25, 2012 9:26 AM

Answers

  • Hi,

    IMHO the Firewall Policy rule is correct (better is to allow only the needed ports for the clients from CLIENT(S) to EXTERNAL for ALL USERS). ISA Server rules are evaluated from top to bottom with first match.
    Does DNS name resolution work fine? Are you able to do an NSLOOKUP from the client to a publicly resolvable DNS name?
    To see the reason why ISA Server blocks the client request, use the ISA Server real-time monitoring to see which rule blocks the traffic.


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

    • Marked as answer by MyGposts Thursday, November 29, 2012 3:00 AM
    Sunday, November 25, 2012 12:00 PM
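The top-down, first-match evaluation the answer describes is what makes the two rules coexist: an "all users" rule scoped to a computer set sits above the "authenticated users" rule, so a SecureNAT client (which can never present credentials) matches the exception while every other internal client falls through to the rule that requires authentication. The following simplified model of that ordering is an added example, not ISA code; the IP addresses and rule names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALL_USERS = "all users"
AUTHENTICATED = "authenticated users"

@dataclass
class Rule:
    name: str
    action: str          # "allow" or "deny"
    sources: list        # source networks / computer set members (CIDR strings)
    users: str           # ALL_USERS or AUTHENTICATED

@dataclass
class Request:
    client_ip: str
    has_credentials: bool  # only a proxy-aware or Firewall Client machine can supply these

def evaluate(rules, req):
    """Return (rule name, action) of the first rule that matches, ISA style.
    Simplified model: a rule matches when the client IP is inside one of its
    sources and, for an 'authenticated users' rule, the client can present
    credentials. A SecureNAT client has none, so such a rule never matches it."""
    ip = ip_address(req.client_ip)
    for rule in rules:
        if not any(ip in ip_network(src) for src in rule.sources):
            continue
        if rule.users == AUTHENTICATED and not req.has_credentials:
            continue
        return rule.name, rule.action
    return "default rule", "deny"   # ISA's implicit last rule denies everything

# Constructed policy: exception computer set on top, authentication rule below it.
SECURENAT_EXCEPTIONS = ["10.0.0.50/32"]      # e.g. the Linux laptop (constructed)
INTERNAL = ["10.0.0.0/8"]

POLICY = [
    Rule("SecureNAT exceptions", "allow", SECURENAT_EXCEPTIONS, ALL_USERS),
    Rule("Authenticated Internet access", "allow", INTERNAL, AUTHENTICATED),
]

def decide(client_ip, has_credentials):
    return evaluate(POLICY, Request(client_ip, has_credentials))

if __name__ == "__main__":
    for ip, creds in [("10.0.0.50", False), ("10.0.0.20", True), ("10.0.0.21", False)]:
        print(ip, creds, "->", decide(ip, creds))
```

Reversing the two rules would not change these results, because the authentication rule simply cannot match a client without credentials; the exception rule only needs to appear before any deny rule that would otherwise catch the SecureNAT client.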

All replies

  • I don't understand how that will help this issue. We do not want to block any ports with the ISA server. There are already hardware firewalls configured on the network to allow only needed ports, and we do not want another layer of troubleshooting, wondering if maybe ISA has a port blocked that it should not, whenever a connectivity problem comes up.

    We would like all our Windows domain-joined managed computers to be required to authenticate through ISA to get on the Internet so we can log as much detail about the user, PC and websites visited as possible. We might deploy the ISA Firewall Client, but if not, we will at least set a GPO to configure browsers to automatically detect proxy settings and use DNS or DHCP to provide the proxy info on the fly. If proxy settings are set as automatic instead of hard-coded, I assume this should allow laptops to be used at home or on the road without users having to remember to remove the proxy settings.

    We also need to allow a subset of other computers to go through ISA anonymously as SecureNAT clients so they don't require any configuration beyond having their gateway set to the ISA server. On those PCs (some of these are not Windows computers and some have processes running that will break if proxy authentication is required), I realize we would not get any user or host names in reports. If we notice an issue from a SecureNAT client IP address in reports, we should be able to find which host it was by looking in DHCP audit logs and then determine which user was responsible.

    What I would like to do is set up firewall rules that allow both types of connectivity to happen on the same networks at the same time: authenticated connections by default, but a list of IP addresses that need to be allowed unauthenticated access while still having their IP addresses logged.

    To test this, I set up an ISA firewall rule to only allow authenticated users through. This works as long as the user authenticates. Then I set up a second firewall rule to allow "all users" to go through if the request is from a specific IP address. I set up a Linux laptop, configured it to use the allowed IP address, and set the gateway to point to the ISA server. This Linux computer still cannot access the Internet when the gateway is pointed to ISA, and I'm trying to fix this issue.

    Sunday, November 25, 2012 5:48 PM
  • I am getting closer to solving this now. Now, when I add the proxy server settings into the web browser of the Linux computer, it can get online without the browser prompting for user credentials, but this is still not what we need. Some computers that need to be on this exceptions list have applications/scripts running that access external networks over http and https and do not have any way to add a proxy, even if the proxy would let them through anonymously.

    We need to configure the ISA firewall rule so the excluded set of computers can get online without knowing that a proxy exists, so that the proxy server IP address does not even need to be entered.

    Sunday, November 25, 2012 6:27 PM
  • It looks like it cannot work because it is a single-NIC server. I read in another thread that SecureNAT needs 2 NICs on the ISA server.
    Thursday, November 29, 2012 3:00 AM