  1. #1
    atamakosi's Avatar

    ISA/NTLM auth issues

    So here's a brief synopsis of the problem and what I'm considering doing to overcome it.

    Non-Windows based devices wishing to access our internet connection are being refused because of the NTLM authentication that our proxy server uses. This means that all the iOS and Android devices are being rejected, of which there are many and seem to be proliferating thanks to our wireless network usage policies. Senior management, nearly all of whom seem to own an iOS device, are quite irked they can't make use of the wireless network due to NTLM authentication failure at the proxy.

    I'm considering removing the ISA proxy and replacing it with another firewall/filter if possible. (Unless there is an easier workaround.) I'd rather this not cost anything (I'm an optimist) and be able to handle the traffic that ISA does currently. Has anybody else encountered a similar issue and what has worked for you?

    I've looked at Squid but would like more opinions before moving on.

    Just an FYI, I've determined it's an authentication with NTLM through trial and error and finally setting up a Linux box with NTLMaps and lo and behold started working great! Devices can connect to the wireless and receive an IP address just fine but when a browser opens we get the ISA rejection page. (Even if you put the username/password into the device settings for the connection.)

  2. #2


    tom_newton's Avatar
    We Smoothwall folk offer a range of auth methods - so maybe you'd transparently proxy with a captive portal and the explicit proxy would NTLM. There's no "perfect auth" for Android/iOS but that's a good combination.

    Sadly, free we cannot do (got to keep the lights on somehow!) - but we like to think we offer decent value

    Tom

    PS. PM me if you'd like to talk to our antipodean representatives

  3. #3
    atamakosi's Avatar
    It's debatable if we even need the content filtering with ISA. We tunnel all our traffic through to the NZ MoE's provided filter so we would just need a firewall that would prevent access to our system (except for published sites, etc.) and can route all our traffic through.

  4. #4
    TheScarfedOne's Avatar
    We have turned on basic as well as Integrated Auth - so that non domain devices will get a logon prompt on internet access. You know when you are at hotspots and under Win7 you get that popup - "May require additional credentials - click here to open browser"... it seems to work fine. Are you using the ISA client, or using GPO to point to the proxy, or using autoconfig?

  5. Thanks to TheScarfedOne from:

    atamakosi (26th February 2012)

  6. #5
    atamakosi's Avatar
    Quote: Originally posted by TheScarfedOne
    We have turned on basic as well as Integrated Auth - so that non domain devices will get a logon prompt on internet access. You know when you are at hotspots and under Win7 you get that popup - "May require additional credentials - click here to open browser"... it seems to work fine. Are you using the ISA client, or using GPO to point to the proxy, or using autoconfig?

    On our staff laptops we use the ISA Firewall Client to control the proxy connection but on the workstations on the network we just change the internet options to always have the proxy connection on by GPO.

    Students' personal laptops and MacBooks are able to handle the proxy connection fine. (I usually install the firewall client on laptops, with permission of course, to make it easy for them.) It is all the other mobile devices, iPhones, Android phones, iPads, Android tablets, etc. that hate authenticating with the proxy. Are these working with your setup?

  7. #6
    TheScarfedOne's Avatar
    Yeah, they are all OK - once you give it the auth details. Differently to you, I set the proxy config on all machines by GPO - and don't use the client. I found it oddly got in the way more often than not!

    I provide a custom written app to disable proxy when they are at home.

  8. #7
    atamakosi's Avatar
    I've enabled basic as well as integrated authentication in ISA 2006 but was still getting the same connection refused page... until I turned on wifi proxy within the internet browser settings! So a couple of changes and it appears to work now, hurray! Thanks for the help, TheScarfedOne.

    BTW, I've found the firewall client works great. It even helped clear up issues with Dreamweaver and other apps trying to negotiate through the proxy. We used to use a VBScript to switch proxy settings on and off and that worked fine but some people would forget if they left them on or not. The firewall client doesn't need anything from the users.

  9. #8
    Duke5A's Avatar
    We had nothing but issues with ISA when trying to use it as an internal proxy. Like you, our actual content filtering is handled outside the internal network. The only reason for having an internal proxy for us is to log traffic by AD name. The issue we had was ISA was dropping connections when forwarding to the offsite content filter. I spun up a Squid 3.x proxy running on Ubuntu 10.04 in our vCenter cluster and got it working with both basic and NTLM authentication. It handles student traffic with no problems (about 30GB a day) and parses the logs every night with SARG churning them into an easy to read web page principals can access. Firefox and IE both function with NTLM just fine on domain computers, and non-domain machines, including iOS and Android, will prompt for AD credentials when trying to browse the web.

  10. #9
    atamakosi's Avatar
    Now that I've enabled basic and integrated authentication, ISA seems to be doing fine handling the requests from mobile devices. (Except when Autologin is enabled on iOS devices. Freaking hates that for some reason so disable that and it will prompt for credentials.)

    I agree though, the main reason to keep it is for logs. With students able to connect personal devices the only insurance we have they aren't doing anything illegal that could get our school's internet disconnected (thanks copyright amendment act) is by tracking their usernames and web history in ISA.
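
The fix the thread settled on (offering Basic alongside Integrated/NTLM) is visible in the proxy's 407 challenge, and it has a cost: Basic credentials are only base64-encoded. The following is an added example, not code from any poster or from ISA or Squid; the sample responses, function names and result strings are constructed for illustration.

```python
import base64

# Constructed sample 407 responses (not captured from the posters' proxy).
NTLM_ONLY = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: Negotiate\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b"Content-Length: 0\r\n\r\n"
)
WITH_BASIC = NTLM_ONLY.replace(
    b"Content-Length", b'Proxy-Authenticate: Basic realm="proxy"\r\nContent-Length'
)

def offered_schemes(raw):
    """Return (status_code, [auth schemes]) from a raw HTTP proxy response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            # The scheme is the first token; parameters such as realm follow it.
            schemes.append(value.strip().split(" ", 1)[0].lower())
    return status, schemes

def diagnose(raw, link_encrypted=False):
    """Classify a challenge by which clients can answer it and at what risk."""
    status, schemes = offered_schemes(raw)
    if status != 407:
        return "no-proxy-challenge"
    if "basic" not in schemes:
        # Clients without NTLM/Negotiate support cannot answer this challenge.
        return "integrated-only"
    # Any client can answer Basic, but the password is not encrypted by the scheme.
    return "basic-protected" if link_encrypted else "basic-cleartext"

def decode_basic(header_value):
    """Show what a Basic Proxy-Authorization value carries: user and password."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password
```

Because Basic sends reusable AD credentials in recoverable form, it belongs only on a wireless segment and proxy link that are themselves encrypted.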
