11th October 2009, 12:20 PM #1
Help - ISA authentication problem
We run ISA 2006 mainly because our webfilter (SurfControl) sits on it. At the moment it allows authenticated users (integrated) through only. What I would like is to allow staff members to hook up their laptops to the network without having to connect to the domain and authenticate with their domain usr & pwd to get internet access.
Is this possible and how? I have tried setting basic authentication to no avail and also using the 'run as' with IE7 with no luck. All help appreciated.
11th October 2009, 01:53 PM #2
So are you asking how you can get staff to use the ISA as their gateway to the internet internally? If so then you will need to set their proxy in IE as the ISA Server's IP address.
Set up a rule to allow internal traffic to external.
If you need any help feel free to PM me and I can forward you over some rules to try.
11th October 2009, 02:44 PM #3
Their laptops will have to pick up an IP from your network's DHCP, which should also set the laptop's gateway to the proxy's address (if you've got DHCP set up right).
In IE / Tools / Internet Options / Connections / LAN Settings either choose Automatically Detect Settings or, if that doesn't work (needs setting up a few things on the ISA server first), instead enter in the lower section the network name of your proxy server and the port it uses (probably 8080).
Your current rule should let your users through since they're authenticating using their network username/password, although they might need to type the domain name as well, e.g. DOMAIN\username in the username box.
11th October 2009, 03:01 PM #4
Users locally will not have to authenticate again; ISA should automatically allow them through depending on how the rule is set up... if you allow all users then anyone internally can pass through... if you only want specific users to be allowed access, then you will need to create a group with a security group from AD selected and only allow that group through rather than all users.
11th October 2009, 10:28 PM #5
The DHCP sets the ISA server as the gateway, but I just thought I have it set as a proxy on 8080. This won't automatically be configured will it? I have a feeling that the GPO for the proxy is set via user not machine. Will have to wait till I get to work to check this out.
11th October 2009, 10:56 PM #6
If IE is set to automatically find the settings, and ISA is configured to do so then yes it will work... if not then you will either need to change the settings on ISA or set the proxy via GPO in User Settings.
ISA server firewall, proxy, superNAT settings < that should help to configure ISA so IE picks up settings.
12th October 2009, 10:51 AM #7
I would create a separate subnet (and use DHCP) for these laptops. Then create a new firewall rule that allows internet from this subnet to external without authentication. Place this rule above your normal internet rule.
12th October 2009, 11:16 AM #8
I think actech's original rule is more secure since it only allows authenticated users (eliminates anyone hacking the network/stealing your bandwidth). His/her users will still have to authenticate with username/pw because he/she's only allowing authenticated users. Works successfully like this on our network.
Setting proxy values in GPO will have no effect since the user's not actually logging on when authenticating, i.e. won't be loading any profile so no GPOs applied, so will need to set proxy details in browser settings (as I said earlier....zzzzz).
12th October 2009, 11:23 AM #9
Thanks all for the replies. It was to do with configuring the proxy settings on ISA and within IE7.
Bio - I did have it like but the boss told me to shut it down and teachers were looking at inappropriate material around students so all traffic now has to go through the filter. I have done up a cheat sheet for staff to show them how to change settings. If they can't be bothered learning then they don't get access. Simple as that!
12th October 2009, 11:49 AM #10
Grounds for dismissal here. Get yourself an AUP!
12th October 2009, 11:28 PM #11
Not quite dismissal. The event that sparked it was a teacher was checking emails while supervising a study group. He got one of those joke ads for Durex and several students overheard it. While it was just a joke and a legit ad, one of the students told their parents (who just happen to be on the school board) who complained to the Head.
It was a case of sh!t happens but we are now making sure that it can't again.