  1. #1
    actech

    Help - ISA authentication problem

    Hi,

    We run ISA 2006 mainly because our webfilter (SurfControl) sits on it. At the moment it allows authenticated users (integrated) through only. What I would like is to allow staff members to hook up their laptops to the network without having to connect to the domain and authenticate with their domain usr & pwd to get internet access.

    Is this possible and how? I have tried setting basic authentication to no avail and also using the 'run as' with IE7 with no luck. All help appreciated.

  2. #2

    EduTech

    So are you asking how you can get staff to use the ISA as their gateway to the internet internally? If so then you will need to set their proxy in IE as the ISA Server's IP Address.

    Set up a rule to allow internal traffic to external.

    If you need any help feel free to PM me and I can forward you over some rules to try.

    James.

  3. #3

    Their laptops will have to pick up an IP from your network's DHCP which should also set the laptop's gateway to the proxy's address (if you've got DHCP set up right).

    In IE / Tools / Internet Options / Connections / LAN Settings either choose Automatically Detect Settings or, if that doesn't work (needs setting up a few things on the ISA server first), instead enter in the lower section the network name of your proxy server and the port it uses (probably 8080).

    Your current rule should let your users through since they're authenticating using their network username/password, although they might need to type the domain name as well, e.g. DOMAIN\username in the username box.

  4. #4

    EduTech

    Originally posted by timzim:
    Your current rule should let your users through since they're authenticating using their network username/password, although they might need to type the domain name as well, e.g. DOMAIN\username in the username box.
    Users locally will not have to authenticate again, ISA should automatically allow them through depending on how the rule is set up. If you allow all users then anyone internally can pass through. If you only want specific users to be allowed access, then you will need to create a group with a security group from AD selected and only allow that group through rather than all users.

  5. #5
    actech

    The DHCP sets the ISA server as the gateway, but I just thought I have it set as a proxy on 8080. This won't automatically be configured will it? I have a feeling that the GPO for the proxy is set via user not machine. Will have to wait till I get to work to check this out.

  6. #6

    EduTech

    If IE is set to automatically find the settings, and ISA is configured to do so then yes it will work... if not then you will either need to change the settings on ISA or set the proxy via GPO in User Settings.

    ISA server firewall,proxy,superNAT settings < that should help to configure ISA so IE picks up settings.

    James.
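
As an added example (not written by any poster in this thread): when IE is set to detect settings automatically, it fetches a proxy auto-config (PAC) script and calls `FindProxyForURL` for each request. The sketch below assumes a proxy named `isa.school.example` and an internal suffix `.school.example` (both hypothetical); port 8080 is the one mentioned in the thread.

```javascript
// Added example, not the forum's or Microsoft's code. Names are hypothetical.
var PROXY = "PROXY isa.school.example:8080"; // assumed proxy host; port from the thread
var INTERNAL_SUFFIX = ".school.example";      // assumed internal DNS suffix

// True for loopback and RFC 1918 IPv4 literals. Written in plain JavaScript
// (no browser PAC helpers) so the same file can be checked under Node.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Decide whether a host is on the local network and may skip the proxy.
function isInternalHost(host) {
  host = host.toLowerCase();
  // Single-label intranet name (no dots, and not an IPv6 literal).
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  if (isPrivateIPv4(host)) return true;
  // Suffix match anchored on the leading dot, so "notschool.example" fails.
  var i = host.length - INTERNAL_SUFFIX.length;
  return i >= 0 && host.indexOf(INTERNAL_SUFFIX, i) === i;
}

// Entry point the browser calls for every URL it is about to load.
function FindProxyForURL(url, host) {
  if (isInternalHost(host)) return "DIRECT";
  // Deliberately no "; DIRECT" fallback: if the proxy is unreachable the
  // request fails rather than going out around the web filter.
  return PROXY;
}
```

A PAC script only steers the browser; the authenticated access rule on the proxy is still what enforces who gets out.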

  8. #7
    bio

    I would create a separate subnet (and use DHCP) for these laptops. Then create a new firewall rule that allows internet from this subnet to external without authentication. Place this rule above your normal internet rule.

    regards
    bio..

  9. #8

    I think actech's original rule is more secure since it only allows authenticated users (eliminates anyone hacking the network/stealing your bandwidth). His/her users will still have to authenticate with username/pw because he/she's only allowing authenticated users. Works successfully like this on our network.

    Setting proxy values in GPO will have no effect since the user's not actually logging on when authenticating, i.e. won't be loading any profile so no GPOs applied, so will need to set proxy details in browser settings (as I said earlier....zzzzz).

  11. #9
    actech

    Thanks all for the replies. It was to do with configuring the proxy settings on ISA and within IE7.

    Bio - I did have it like that but the boss told me to shut it down and teachers were looking at inappropriate material around students so all traffic now has to go through the filter. I have done up a cheat sheet for staff to show them how to change settings. If they can't be bothered learning then they don't get access. Simple as that!

  12. #10

    Originally posted by actech:
    teachers were looking at inappropriate material around students
    Grounds for dismissal here. Get yourself an AUP!

  13. #11
    actech

    Not quite dismissal. The event that sparked it was a teacher was checking emails while supervising a study group. He got one of those joke ads for Durex and several students overheard it. While it was just a joke and a legit ad, one of the students told their parents (who just happen to be on the school board) who complained to the Head.

    It was a case of sh!t happens but we are now making sure that it can't again.


